fix rac apis
This commit is contained in:
parent
560edcde44
commit
f6ae4788a1
7 changed files with 60 additions and 30 deletions
|
|
@ -54,7 +54,7 @@ func userMiddleWare(handler http.Handler) http.Handler {
|
|||
if keyID, ok := params["keyID"]; ok {
|
||||
r.Header.Set("TARGET_RSRC_ID", keyID)
|
||||
}
|
||||
if nodeID, ok := params["nodeid"]; ok {
|
||||
if nodeID, ok := params["nodeid"]; ok && r.Header.Get("TARGET_RSRC") != models.ExtClientsRsrc.String() {
|
||||
r.Header.Set("TARGET_RSRC_ID", nodeID)
|
||||
}
|
||||
if hostID, ok := params["hostid"]; ok {
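Review bot: After the change on the `nodeid` line, a request whose TARGET_RSRC is ext clients and whose route carries `nodeid` no longer gets TARGET_RSRC_ID set here, so unless another branch of userMiddleWare (the function starts outside this hunk) populates it, the downstream check reads whatever TARGET_RSRC_ID value arrived with the request. Every `r.Header.Set("TARGET_RSRC_ID", …)` in this hunk is conditional on a route parameter being present, so these headers are only trustworthy if the middleware unconditionally clears or overwrites TARGET_RSRC and TARGET_RSRC_ID before this point. If it does not, add `r.Header.Del("TARGET_RSRC_ID")` ahead of the parameter checks and note in a comment that these headers are server-populated authorization context, never client input. The extended condition on the nodeid line is also long enough to earn a one-line comment saying why ext-client routes are excluded.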
|
||||
|
|
|
|||
|
|
@ -572,22 +572,22 @@ func createIngressGateway(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
// create network role for this gateway
|
||||
logic.CreateRole(models.UserRolePermissionTemplate{
|
||||
ID: models.UserRole(fmt.Sprintf("net-%s-rag-%s", node.Network, host.Name)),
|
||||
ID: models.GetRAGRoleName(node.Network, host.Name),
|
||||
NetworkID: node.Network,
|
||||
NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
|
||||
models.RemoteAccessGwRsrc: {
|
||||
models.RsrcID(node.ID.String()): models.RsrcPermissionScope{
|
||||
Read: true,
|
||||
Read: true,
|
||||
VPNaccess: true,
|
||||
},
|
||||
},
|
||||
models.ExtClientsRsrc: {
|
||||
models.AllExtClientsRsrcID: models.RsrcPermissionScope{
|
||||
Read: true,
|
||||
Create: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
VPNaccess: true,
|
||||
SelfOnly: true,
|
||||
Read: true,
|
||||
Create: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
SelfOnly: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -645,7 +645,7 @@ func deleteIngressGateway(w http.ResponseWriter, r *http.Request) {
|
|||
for _, user := range users {
|
||||
// delete role from user
|
||||
if netRoles, ok := user.NetworkRoles[models.NetworkID(node.Network)]; ok {
|
||||
delete(netRoles, models.UserRole(fmt.Sprintf("net-%s-rag-%s", node.Network, host.Name)))
|
||||
delete(netRoles, models.GetRAGRoleName(node.Network, host.Name))
|
||||
user.NetworkRoles[models.NetworkID(node.Network)] = netRoles
|
||||
err = logic.UpsertUser(user)
|
||||
if err != nil {
|
||||
|
|
@ -656,7 +656,7 @@ func deleteIngressGateway(w http.ResponseWriter, r *http.Request) {
|
|||
} else {
|
||||
slog.Error("failed to get users", "error", err)
|
||||
}
|
||||
logic.DeleteRole(models.UserRole(fmt.Sprintf("net-%s-rag-%s", node.Network, host.Name)))
|
||||
logic.DeleteRole(models.GetRAGRoleName(node.Network, host.Name))
|
||||
}()
|
||||
}
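Review bot: `models.GetRAGRoleName`, added in the models file of this commit, formats the role as `netID-%s-rag-%s`, while every line it replaces here — the `ID:` in createIngressGateway and the `delete(netRoles, …)` and `logic.DeleteRole(…)` lines in deleteIngressGateway — built `net-%s-rag-%s`; the same swap happens in syncUsers. Roles already persisted under the old name will therefore not be removed from `user.NetworkRoles` or from the role store when a gateway is deleted, and `logic.GetRole` in syncUsers will not find them, so a user can keep a stored role whose scope still grants VPN access to a gateway that no longer exists. Unless the prefix change is intended and comes with a migration of existing roles, the helper should keep the old format: `return UserRole(fmt.Sprintf("net-%s-rag-%s", netID, hostName))`. deleteIngressGateway's body continues outside these hunks.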
|
||||
|
||||
|
|
|
|||
|
|
@ -206,10 +206,12 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
|
|||
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
r.Header.Set("ismaster", "no")
|
||||
logger.Log(0, "next", r.URL.String())
|
||||
isGlobalAccesss := r.Header.Get("IS_GLOBAL_ACCESS") == "yes"
|
||||
bearerToken := r.Header.Get("Authorization")
|
||||
username, err := GetUserNameFromToken(bearerToken)
|
||||
if err != nil {
|
||||
logger.Log(0, "next 1", r.URL.String(), err.Error())
|
||||
ReturnErrorResponse(w, r, FormatError(err, err.Error()))
|
||||
return
|
||||
}
|
||||
|
|
@ -276,6 +278,7 @@ func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {
|
|||
var params = mux.Vars(r)
|
||||
var requestedUser = params["username"]
|
||||
if requestedUser != r.Header.Get("user") {
|
||||
logger.Log(0, "next 2", r.URL.String(), errorResponse.Message)
|
||||
ReturnErrorResponse(w, r, errorResponse)
|
||||
return
|
||||
}
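Review bot: The new `logger.Log(0, "next", r.URL.String())` at the top of SecurityCheck's handler writes the full request URL, query string included, to the log at level 0 on every authenticated request, and the `next 1`/`next 2` lines add the token-parse error text; the labels say nothing about what happened and read like temporary tracing. The routes touched by this commit carry `remote_access_clientid` in the query string, so leaving this in produces a persistent log of client identifiers. Either drop these three lines before merge or log only the path at a higher verbosity with a message that names the event, e.g. `logger.Log(1, "auth: token rejected", r.URL.Path, err.Error())`. The same `------------> N.` trace lines appear in GetUserRAGNodes, GetUserNetworkRolesWithRemoteVPNAccess and getUserRemoteAccessGwsV1, where `%+v` dumps of the user's permission map and of the gateway node structs are logged at level 0 the same way.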
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ import (
|
|||
"fmt"
|
||||
|
||||
"github.com/gravitl/netmaker/database"
|
||||
"github.com/gravitl/netmaker/logger"
|
||||
"github.com/gravitl/netmaker/models"
|
||||
)
|
||||
|
||||
|
|
@ -52,17 +53,17 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
|
|||
NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
|
||||
models.RemoteAccessGwRsrc: {
|
||||
models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{
|
||||
Read: true,
|
||||
Read: true,
|
||||
VPNaccess: true,
|
||||
},
|
||||
},
|
||||
models.ExtClientsRsrc: {
|
||||
models.AllExtClientsRsrcID: models.RsrcPermissionScope{
|
||||
Read: true,
|
||||
Create: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
VPNaccess: true,
|
||||
SelfOnly: true,
|
||||
Read: true,
|
||||
Create: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
SelfOnly: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -378,13 +379,16 @@ func HasNetworkRsrcScope(permissionTemplate models.UserRolePermissionTemplate, n
|
|||
return ok
|
||||
}
|
||||
func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
|
||||
logger.Log(0, "------------> 7. getUserRemoteAccessGwsV1")
|
||||
gws = make(map[string]models.Node)
|
||||
userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user)
|
||||
logger.Log(0, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope))
|
||||
_, allNetAccess := userGwAccessScope["*"]
|
||||
nodes, err := GetAllNodes()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
logger.Log(0, "------------> 8. getUserRemoteAccessGwsV1")
|
||||
for _, node := range nodes {
|
||||
if node.IsIngressGateway && !node.PendingDelete {
|
||||
if allNetAccess {
|
||||
|
|
@ -393,7 +397,7 @@ func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
|
|||
gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)]
|
||||
scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID]
|
||||
if !ok {
|
||||
if _, ok := gwRsrcMap[models.RsrcID(node.ID.String())]; !ok {
|
||||
if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
|
@ -404,12 +408,14 @@ func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
|
|||
}
|
||||
}
|
||||
}
|
||||
logger.Log(0, "------------> 9. getUserRemoteAccessGwsV1")
|
||||
return
|
||||
}
|
||||
|
||||
// GetUserNetworkRoles - get user network roles
|
||||
func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) {
|
||||
gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope)
|
||||
logger.Log(0, "------------> 7.1 getUserRemoteAccessGwsV1")
|
||||
platformRole, err := GetRole(user.PlatformRoleID)
|
||||
if err != nil {
|
||||
return
|
||||
|
|
@ -418,6 +424,7 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode
|
|||
gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
||||
return
|
||||
}
|
||||
logger.Log(0, "------------> 7.2 getUserRemoteAccessGwsV1")
|
||||
for netID, roleMap := range user.NetworkRoles {
|
||||
for roleID := range roleMap {
|
||||
role, err := GetRole(roleID)
|
||||
|
|
@ -427,9 +434,16 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode
|
|||
models.AllRemoteAccessGwRsrcID: {
|
||||
Create: true,
|
||||
Read: true,
|
||||
Update: true,
|
||||
VPNaccess: true,
|
||||
Delete: true,
|
||||
},
|
||||
models.AllExtClientsRsrcID: {
|
||||
Create: true,
|
||||
Read: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
},
|
||||
}
|
||||
break
|
||||
}
|
||||
|
|
@ -443,6 +457,9 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode
|
|||
} else {
|
||||
for gwID, scope := range rsrcsMap {
|
||||
if scope.VPNaccess {
|
||||
if len(gwAccess[netID]) == 0 {
|
||||
gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
|
||||
}
|
||||
gwAccess[netID][gwID] = scope
|
||||
}
|
||||
}
|
||||
|
|
@ -453,5 +470,6 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode
|
|||
}
|
||||
}
|
||||
}
|
||||
logger.Log(0, "------------> 7.3 getUserRemoteAccessGwsV1")
|
||||
return
|
||||
}
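Review bot: GetUserRAGNodes still returns an empty map when GetAllNodes fails (`if err != nil { return }` right after the new trace line), so getUserRemoteAccessGwsV1 in the last file of this commit, which only receives the map, answers such a failure with an empty gateway list instead of an error. Consider adding an error result — `func GetUserRAGNodes(user models.User) (map[string]models.Node, error)` — and propagating it at the call site. Separately, the comment above GetUserNetworkRolesWithRemoteVPNAccess still reads `// GetUserNetworkRoles - get user network roles`; since the returned map now also receives an `AllExtClientsRsrcID` entry in the branch that ends with `break`, a comment such as `// GetUserNetworkRolesWithRemoteVPNAccess returns, per network ID, the resource scopes that grant the user VPN access; the "*" key stands for every network.` would state the contract the callers rely on.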
|
||||
|
|
|
|||
|
|
@ -323,22 +323,22 @@ func syncUsers() {
|
|||
h, err := logic.GetHost(networkNodeI.HostID.String())
|
||||
if err == nil {
|
||||
logic.CreateRole(models.UserRolePermissionTemplate{
|
||||
ID: models.UserRole(fmt.Sprintf("net-%s-rag-%s", netI.NetID, h.Name)),
|
||||
ID: models.GetRAGRoleName(networkNodeI.Network, h.Name),
|
||||
NetworkID: netI.NetID,
|
||||
NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
|
||||
models.RemoteAccessGwRsrc: {
|
||||
models.RsrcID(networkNodeI.ID.String()): models.RsrcPermissionScope{
|
||||
Read: true,
|
||||
Read: true,
|
||||
VPNaccess: true,
|
||||
},
|
||||
},
|
||||
models.ExtClientsRsrc: {
|
||||
models.AllExtClientsRsrcID: models.RsrcPermissionScope{
|
||||
Read: true,
|
||||
Create: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
VPNaccess: true,
|
||||
SelfOnly: true,
|
||||
Read: true,
|
||||
Create: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
SelfOnly: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -383,7 +383,7 @@ func syncUsers() {
|
|||
if err != nil {
|
||||
continue
|
||||
}
|
||||
r, err := logic.GetRole(models.UserRole(fmt.Sprintf("net-%s-rag-%s", gwNode.Network, h.Name)))
|
||||
r, err := logic.GetRole(models.GetRAGRoleName(gwNode.Network, h.Name))
|
||||
if err != nil {
|
||||
continue
|
||||
}
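Review bot: The new role ID at `ID: models.GetRAGRoleName(networkNodeI.Network, h.Name)` is built from `networkNodeI.Network`, while the `NetworkID: netI.NetID` field two lines below still uses the outer network; if the two can ever differ the role is stored under one network and labelled with another, and the deleteIngressGateway cleanup, which is keyed on `node.Network`, would leave the label behind. If they are equal by construction here, use one of them for both fields so the reader need not prove it, e.g. `ID: models.GetRAGRoleName(netI.NetID, h.Name),`. The value returned by `logic.CreateRole` is also discarded in this hunk, as it is in createIngressGateway; if it reports errors, a failed role creation is silent here.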
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
package models
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
jwt "github.com/golang-jwt/jwt/v4"
|
||||
|
|
@ -20,6 +21,10 @@ func (rid RsrcID) String() string {
|
|||
return string(rid)
|
||||
}
|
||||
|
||||
func GetRAGRoleName(netID, hostName string) UserRole {
|
||||
return UserRole(fmt.Sprintf("netID-%s-rag-%s", netID, hostName))
|
||||
}
|
||||
|
||||
var RsrcTypeMap = map[RsrcType]struct{}{
|
||||
HostRsrc: {},
|
||||
RelayRsrc: {},
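Review bot: GetRAGRoleName is exported without a doc comment, and because its result is the persisted key that GetRole and DeleteRole look up elsewhere in this commit, its format is effectively part of the storage schema. Add `// GetRAGRoleName returns the UserRole ID of the per-network role created for a remote access gateway, derived from the network ID and the gateway host's name. The format is persisted with existing roles; changing it requires migrating them.` above the function so the next edit to the format string is made knowingly.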
|
||||
|
|
|
|||
|
|
@ -148,19 +148,21 @@ func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
|
|||
func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
|
||||
// set header.
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
|
||||
logger.Log(0, "------------> 1. getUserRemoteAccessGwsV1")
|
||||
var params = mux.Vars(r)
|
||||
username := params["username"]
|
||||
if username == "" {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params username"), "badrequest"))
|
||||
return
|
||||
}
|
||||
logger.Log(0, "------------> 2. getUserRemoteAccessGwsV1")
|
||||
user, err := logic.GetUser(username)
|
||||
if err != nil {
|
||||
logger.Log(0, username, "failed to fetch user: ", err.Error())
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
|
||||
return
|
||||
}
|
||||
logger.Log(0, "------------> 3. getUserRemoteAccessGwsV1")
|
||||
remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
|
||||
var req models.UserRemoteGwsReq
|
||||
if remoteAccessClientID == "" {
|
||||
|
|
@ -171,6 +173,7 @@ func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
}
|
||||
logger.Log(0, "------------> 4. getUserRemoteAccessGwsV1")
|
||||
reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
|
||||
if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"))
|
||||
|
|
@ -180,12 +183,13 @@ func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
|
|||
req.RemoteAccessClientID = remoteAccessClientID
|
||||
}
|
||||
userGws := make(map[string][]models.UserRemoteGws)
|
||||
|
||||
logger.Log(0, "------------> 5. getUserRemoteAccessGwsV1")
|
||||
allextClients, err := logic.GetAllExtClients()
|
||||
if err != nil {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
||||
return
|
||||
}
|
||||
logger.Log(0, "------------> 6. getUserRemoteAccessGwsV1")
|
||||
userGwNodes := logic.GetUserRAGNodes(*user)
|
||||
logger.Log(0, fmt.Sprintf("1. User Gw Nodes: %+v", userGwNodes))
|
||||
for _, extClient := range allextClients {
|
||||
|
|
|
|||