mirror of
https://github.com/gravitl/netmaker.git
synced 2024-09-20 07:16:06 +08:00
deprecate use of old admin fields
This commit is contained in:
parent
78da9fa901
commit
db3deba181
52
auth/auth.go
52
auth/auth.go
|
@ -3,13 +3,11 @@ package auth
|
|||
import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
"github.com/gravitl/netmaker/logger"
|
||||
"github.com/gravitl/netmaker/logic"
|
||||
"github.com/gravitl/netmaker/models"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"golang.org/x/exp/slog"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
|
@ -55,55 +53,11 @@ func FetchPassValue(newValue string) (string, error) {
|
|||
return string(b64CurrentValue), nil
|
||||
}
|
||||
|
||||
// == private ==
|
||||
|
||||
func addUser(email string) error {
|
||||
var hasSuperAdmin, err = logic.HasSuperAdmin()
|
||||
if err != nil {
|
||||
slog.Error("error checking for existence of admin user during OAuth login for", "email", email, "error", err)
|
||||
return err
|
||||
} // generate random password to adapt to current model
|
||||
var newPass, fetchErr = FetchPassValue("")
|
||||
if fetchErr != nil {
|
||||
slog.Error("failed to get password", "error", fetchErr.Error())
|
||||
return fetchErr
|
||||
}
|
||||
var newUser = models.User{
|
||||
UserName: email,
|
||||
Password: newPass,
|
||||
}
|
||||
if !hasSuperAdmin { // must be first attempt, create a superadmin
|
||||
logger.Log(0, "creating superadmin")
|
||||
if err = logic.CreateSuperAdmin(&newUser); err != nil {
|
||||
slog.Error("error creating super admin from user", "email", email, "error", err)
|
||||
} else {
|
||||
slog.Info("superadmin created from user", "email", email)
|
||||
}
|
||||
} else { // otherwise add to db as admin..?
|
||||
// TODO: add ability to add users with preemptive permissions
|
||||
newUser.IsAdmin = false
|
||||
if err = logic.CreateUser(&newUser); err != nil {
|
||||
logger.Log(0, "error creating user,", email, "; user not added", "error", err.Error())
|
||||
} else {
|
||||
logger.Log(0, "user created from ", email)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func isUserIsAllowed(username, network string, shouldAddUser bool) (*models.User, error) {
|
||||
func isUserIsAllowed(username, network string) (*models.User, error) {
|
||||
|
||||
user, err := logic.GetUser(username)
|
||||
if err != nil && shouldAddUser { // user must not exist, so try to make one
|
||||
if err = addUser(username); err != nil {
|
||||
logger.Log(0, "failed to add user", username, "during a node SSO network join on network", network)
|
||||
// response := returnErrTemplate(user.UserName, "failed to add user", state, reqKeyIf)
|
||||
// w.WriteHeader(http.StatusInternalServerError)
|
||||
// w.Write(response)
|
||||
return nil, fmt.Errorf("failed to add user to system")
|
||||
}
|
||||
logger.Log(0, "user", username, "was added during a node SSO network join on network", network)
|
||||
user, _ = logic.GetUser(username)
|
||||
if err != nil { // user must not exist, so try to make one
|
||||
return &models.User{}, err
|
||||
}
|
||||
|
||||
return user, nil
|
||||
|
|
|
@ -85,24 +85,24 @@ func SessionHandler(conn *websocket.Conn) {
|
|||
return
|
||||
}
|
||||
req.Pass = req.Host.ID.String()
|
||||
user, err := logic.GetUser(req.User)
|
||||
if err != nil {
|
||||
logger.Log(0, "failed to get user", req.User, "from database")
|
||||
err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
|
||||
if err != nil {
|
||||
logger.Log(0, "error during message writing:", err.Error())
|
||||
}
|
||||
return
|
||||
}
|
||||
if !user.IsAdmin && !user.IsSuperAdmin {
|
||||
logger.Log(0, "user", req.User, "is neither an admin or superadmin. denying registeration")
|
||||
conn.WriteMessage(messageType, []byte("cannot register with a non-admin or non-superadmin"))
|
||||
err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
|
||||
if err != nil {
|
||||
logger.Log(0, "error during message writing:", err.Error())
|
||||
}
|
||||
return
|
||||
}
|
||||
// user, err := logic.GetUser(req.User)
|
||||
// if err != nil {
|
||||
// logger.Log(0, "failed to get user", req.User, "from database")
|
||||
// err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
|
||||
// if err != nil {
|
||||
// logger.Log(0, "error during message writing:", err.Error())
|
||||
// }
|
||||
// return
|
||||
// }
|
||||
// if !user.IsAdmin && !user.IsSuperAdmin {
|
||||
// logger.Log(0, "user", req.User, "is neither an admin or superadmin. denying registeration")
|
||||
// conn.WriteMessage(messageType, []byte("cannot register with a non-admin or non-superadmin"))
|
||||
// err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
|
||||
// if err != nil {
|
||||
// logger.Log(0, "error during message writing:", err.Error())
|
||||
// }
|
||||
// return
|
||||
// }
|
||||
|
||||
if err = netcache.Set(stateStr, req); err != nil { // give the user's host access in the DB
|
||||
logger.Log(0, "machine failed to complete join on network,", registerMessage.Network, "-", err.Error())
|
||||
|
@ -201,7 +201,7 @@ func SessionHandler(conn *websocket.Conn) {
|
|||
for _, newNet := range currentNetworks {
|
||||
if !logic.StringSliceContains(hostNets, newNet) {
|
||||
if len(result.User) > 0 {
|
||||
_, err := isUserIsAllowed(result.User, newNet, false)
|
||||
_, err := isUserIsAllowed(result.User, newNet)
|
||||
if err != nil {
|
||||
logger.Log(0, "unauthorized user", result.User, "attempted to register to network", newNet)
|
||||
handleHostRegErr(conn, err)
|
||||
|
|
|
@ -403,7 +403,7 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
userName = caller.UserName
|
||||
if _, ok := caller.RemoteGwIDs[nodeid]; (!caller.IsAdmin && !caller.IsSuperAdmin) && !ok {
|
||||
if _, ok := caller.RemoteGwIDs[nodeid]; (caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole) && !ok {
|
||||
err = errors.New("permission denied")
|
||||
slog.Error("failed to create extclient", "error", err)
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
|
||||
|
|
|
@ -619,7 +619,7 @@ func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
|
|||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
||||
return
|
||||
}
|
||||
if !u.IsAdmin {
|
||||
if u.PlatformRoleID != models.AdminRole {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
|
||||
return
|
||||
}
|
||||
|
@ -628,16 +628,14 @@ func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
u.IsSuperAdmin = true
|
||||
u.IsAdmin = false
|
||||
u.PlatformRoleID = models.SuperAdminRole
|
||||
err = logic.UpsertUser(*u)
|
||||
if err != nil {
|
||||
slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
||||
return
|
||||
}
|
||||
caller.IsSuperAdmin = false
|
||||
caller.IsAdmin = true
|
||||
caller.PlatformRoleID = models.AdminRole
|
||||
err = logic.UpsertUser(*caller)
|
||||
if err != nil {
|
||||
slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
|
||||
|
@ -666,11 +664,6 @@ func createUser(w http.ResponseWriter, r *http.Request) {
|
|||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
||||
return
|
||||
}
|
||||
callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
|
||||
if err != nil {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
||||
return
|
||||
}
|
||||
var user models.User
|
||||
err = json.NewDecoder(r.Body).Decode(&user)
|
||||
if err != nil {
|
||||
|
@ -707,20 +700,17 @@ func createUser(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if callerUserRole.ID != models.SuperAdminRole && user.IsAdmin {
|
||||
if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
|
||||
err = errors.New("only superadmin can create admin users")
|
||||
slog.Error("error creating new user: ", "user", user.UserName, "error", err)
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
|
||||
return
|
||||
}
|
||||
|
||||
if !servercfg.IsPro && !user.IsAdmin {
|
||||
if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
|
||||
return
|
||||
}
|
||||
if userRole.ID == models.AdminRole {
|
||||
user.IsAdmin = true
|
||||
}
|
||||
err = logic.CreateUser(&user)
|
||||
if err != nil {
|
||||
slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
|
||||
|
@ -1134,9 +1124,6 @@ func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
|
|||
user.PlatformRoleID = userG.PlatformRole
|
||||
user.UserGroups[inviteGroupID] = struct{}{}
|
||||
}
|
||||
if user.PlatformRoleID == models.AdminRole {
|
||||
user.IsAdmin = true
|
||||
}
|
||||
user.NetworkRoles = make(map[models.NetworkID]map[models.UserRole]struct{})
|
||||
user.IsSuperAdmin = false
|
||||
err = logic.CreateUser(&user)
|
||||
|
|
|
@ -114,7 +114,7 @@ func CreateUser(user *models.User) error {
|
|||
// set password to encrypted password
|
||||
user.Password = string(hash)
|
||||
|
||||
tokenString, _ := CreateUserJWT(user.UserName, user.IsSuperAdmin, user.IsAdmin)
|
||||
tokenString, _ := CreateUserJWT(user.UserName, user.PlatformRoleID)
|
||||
if tokenString == "" {
|
||||
logger.Log(0, "failed to generate token", err.Error())
|
||||
return err
|
||||
|
@ -147,8 +147,6 @@ func CreateSuperAdmin(u *models.User) error {
|
|||
return errors.New("superadmin user already exists")
|
||||
}
|
||||
u.PlatformRoleID = models.SuperAdminRole
|
||||
u.IsSuperAdmin = true
|
||||
u.IsAdmin = false
|
||||
return CreateUser(u)
|
||||
}
|
||||
|
||||
|
@ -177,7 +175,7 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
|
|||
}
|
||||
|
||||
// Create a new JWT for the node
|
||||
tokenString, err := CreateUserJWT(authRequest.UserName, result.IsSuperAdmin, result.IsAdmin)
|
||||
tokenString, err := CreateUserJWT(authRequest.UserName, result.PlatformRoleID)
|
||||
if err != nil {
|
||||
slog.Error("error creating jwt", "error", err)
|
||||
return "", err
|
||||
|
|
|
@ -264,7 +264,7 @@ func IsUserAllowedAccessToExtClient(username string, client models.ExtClient) bo
|
|||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if !user.IsAdmin && !user.IsSuperAdmin {
|
||||
if user.PlatformRoleID != models.AdminRole && user.PlatformRoleID != models.SuperAdminRole {
|
||||
if user.UserName != client.OwnerID {
|
||||
return false
|
||||
}
|
||||
|
|
|
@ -53,12 +53,11 @@ func CreateJWT(uuid string, macAddress string, network string) (response string,
|
|||
}
|
||||
|
||||
// CreateUserJWT - creates a user jwt token
|
||||
func CreateUserJWT(username string, issuperadmin, isadmin bool) (response string, err error) {
|
||||
func CreateUserJWT(username string, role models.UserRole) (response string, err error) {
|
||||
expirationTime := time.Now().Add(servercfg.GetServerConfig().JwtValidityDuration)
|
||||
claims := &models.UserClaims{
|
||||
UserName: username,
|
||||
IsSuperAdmin: issuperadmin,
|
||||
IsAdmin: isadmin,
|
||||
UserName: username,
|
||||
Role: role,
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
Issuer: "Netmaker",
|
||||
Subject: fmt.Sprintf("user|%s", username),
|
||||
|
@ -145,7 +144,8 @@ func VerifyUserToken(tokenString string) (username string, issuperadmin, isadmin
|
|||
return "", false, false, err
|
||||
}
|
||||
if user.UserName != "" {
|
||||
return user.UserName, user.IsSuperAdmin, user.IsAdmin, nil
|
||||
return user.UserName, user.PlatformRoleID == models.SuperAdminRole,
|
||||
user.PlatformRoleID == models.AdminRole, nil
|
||||
}
|
||||
err = errors.New("user does not exist")
|
||||
}
|
||||
|
|
|
@ -41,10 +41,12 @@ func GetReturnUser(username string) (models.ReturnUser, error) {
|
|||
// ToReturnUser - gets a user as a return user
|
||||
func ToReturnUser(user models.User) models.ReturnUser {
|
||||
return models.ReturnUser{
|
||||
UserName: user.UserName,
|
||||
IsSuperAdmin: user.IsSuperAdmin,
|
||||
IsAdmin: user.IsAdmin,
|
||||
RemoteGwIDs: user.RemoteGwIDs,
|
||||
UserName: user.UserName,
|
||||
PlatformRoleID: user.PlatformRoleID,
|
||||
UserGroups: user.UserGroups,
|
||||
NetworkRoles: user.NetworkRoles,
|
||||
RemoteGwIDs: user.RemoteGwIDs,
|
||||
LastLoginTime: user.LastLoginTime,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -44,8 +44,7 @@ func assignSuperAdmin() {
|
|||
if err != nil {
|
||||
log.Fatal("error getting user", "user", owner, "error", err.Error())
|
||||
}
|
||||
user.IsSuperAdmin = true
|
||||
user.IsAdmin = false
|
||||
user.PlatformRoleID = models.SuperAdminRole
|
||||
err = logic.UpsertUser(*user)
|
||||
if err != nil {
|
||||
log.Fatal(
|
||||
|
@ -65,8 +64,7 @@ func assignSuperAdmin() {
|
|||
slog.Error("error getting user", "user", u.UserName, "error", err.Error())
|
||||
continue
|
||||
}
|
||||
user.IsSuperAdmin = true
|
||||
user.IsAdmin = false
|
||||
user.PlatformRoleID = models.SuperAdminRole
|
||||
err = logic.UpsertUser(*user)
|
||||
if err != nil {
|
||||
slog.Error(
|
||||
|
|
|
@ -126,9 +126,8 @@ type UserAuthParams struct {
|
|||
|
||||
// UserClaims - user claims struct
|
||||
type UserClaims struct {
|
||||
IsAdmin bool
|
||||
IsSuperAdmin bool
|
||||
UserName string
|
||||
Role UserRole
|
||||
UserName string
|
||||
jwt.RegisteredClaims
|
||||
}
|
||||
|
||||
|
|
|
@ -107,9 +107,6 @@ func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
|
|||
user.PlatformRoleID = userG.PlatformRole
|
||||
user.UserGroups[inviteGroupID] = struct{}{}
|
||||
}
|
||||
if user.PlatformRoleID == models.AdminRole {
|
||||
user.IsAdmin = true
|
||||
}
|
||||
if err = logic.CreateUser(user); err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
|
@ -136,7 +133,12 @@ func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
|
|||
handleOauthUserNotFound(w)
|
||||
return
|
||||
}
|
||||
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||
userRole, err := logic.GetRole(user.PlatformRoleID)
|
||||
if err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
}
|
||||
if userRole.DenyDashboardAccess {
|
||||
handleOauthUserNotAllowed(w)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -107,9 +107,6 @@ func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
|
|||
user.PlatformRoleID = userG.PlatformRole
|
||||
user.UserGroups[inviteGroupID] = struct{}{}
|
||||
}
|
||||
if user.PlatformRoleID == models.AdminRole {
|
||||
user.IsAdmin = true
|
||||
}
|
||||
if err = logic.CreateUser(user); err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
|
@ -136,7 +133,12 @@ func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
|
|||
handleOauthUserNotFound(w)
|
||||
return
|
||||
}
|
||||
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||
userRole, err := logic.GetRole(user.PlatformRoleID)
|
||||
if err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
}
|
||||
if userRole.DenyDashboardAccess {
|
||||
handleOauthUserNotAllowed(w)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -108,9 +108,6 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
|
|||
user.PlatformRoleID = userG.PlatformRole
|
||||
user.UserGroups[inviteGroupID] = struct{}{}
|
||||
}
|
||||
if user.PlatformRoleID == models.AdminRole {
|
||||
user.IsAdmin = true
|
||||
}
|
||||
if err = logic.CreateUser(user); err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
|
@ -139,7 +136,12 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
|
|||
handleOauthUserNotFound(w)
|
||||
return
|
||||
}
|
||||
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||
userRole, err := logic.GetRole(user.PlatformRoleID)
|
||||
if err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
}
|
||||
if userRole.DenyDashboardAccess {
|
||||
handleOauthUserNotAllowed(w)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -119,9 +119,6 @@ func handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
|
|||
user.PlatformRoleID = userG.PlatformRole
|
||||
user.UserGroups[inviteGroupID] = struct{}{}
|
||||
}
|
||||
if user.PlatformRoleID == models.AdminRole {
|
||||
user.IsAdmin = true
|
||||
}
|
||||
if err = logic.CreateUser(user); err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
|
@ -148,7 +145,12 @@ func handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
|
|||
handleOauthUserNotFound(w)
|
||||
return
|
||||
}
|
||||
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||
userRole, err := logic.GetRole(user.PlatformRoleID)
|
||||
if err != nil {
|
||||
handleSomethingWentWrong(w)
|
||||
return
|
||||
}
|
||||
if userRole.DenyDashboardAccess {
|
||||
handleOauthUserNotAllowed(w)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -10,6 +10,7 @@ import (
|
|||
"github.com/gravitl/netmaker/logger"
|
||||
"github.com/gravitl/netmaker/logic"
|
||||
"github.com/gravitl/netmaker/logic/pro/netcache"
|
||||
"github.com/gravitl/netmaker/models"
|
||||
)
|
||||
|
||||
var (
|
||||
|
@ -73,7 +74,7 @@ func HandleHostSSOCallback(w http.ResponseWriter, r *http.Request) {
|
|||
handleOauthUserNotFound(w)
|
||||
return
|
||||
}
|
||||
if !user.IsAdmin && !user.IsSuperAdmin {
|
||||
if user.PlatformRoleID != models.AdminRole && user.PlatformRoleID != models.SuperAdminRole {
|
||||
response := returnErrTemplate(userClaims.getUserName(), "only admin users can register using SSO", state, reqKeyIf)
|
||||
w.WriteHeader(http.StatusForbidden)
|
||||
w.Write(response)
|
||||
|
|
|
@ -55,7 +55,7 @@ func attachUserToRemoteAccessGw(w http.ResponseWriter, r *http.Request) {
|
|||
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
|
||||
return
|
||||
}
|
||||
if user.IsAdmin || user.IsSuperAdmin {
|
||||
if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("superadmins/admins have access to all gateways"), "badrequest"))
|
||||
return
|
||||
}
|
||||
|
@ -219,7 +219,7 @@ func getUserRemoteAccessGws(w http.ResponseWriter, r *http.Request) {
|
|||
slog.Error("failed to get node network", "error", err)
|
||||
}
|
||||
|
||||
if _, ok := user.RemoteGwIDs[node.ID.String()]; (!user.IsAdmin && !user.IsSuperAdmin) && ok {
|
||||
if _, ok := user.RemoteGwIDs[node.ID.String()]; (user.PlatformRoleID != models.AdminRole && user.PlatformRoleID != models.SuperAdminRole) && ok {
|
||||
gws := userGws[node.Network]
|
||||
extClient.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
|
||||
gws = append(gws, models.UserRemoteGws{
|
||||
|
@ -260,7 +260,7 @@ func getUserRemoteAccessGws(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
// add remaining gw nodes to resp
|
||||
if !user.IsAdmin && !user.IsSuperAdmin {
|
||||
if user.PlatformRoleID != models.AdminRole && user.PlatformRoleID != models.SuperAdminRole {
|
||||
for gwID := range user.RemoteGwIDs {
|
||||
node, err := logic.GetNodeByID(gwID)
|
||||
if err != nil {
|
||||
|
|
Loading…
Reference in a new issue