package logic import ( "encoding/json" "errors" "fmt" "github.com/gravitl/netmaker/database" "github.com/gravitl/netmaker/logger" "github.com/gravitl/netmaker/logic" "github.com/gravitl/netmaker/models" "github.com/gravitl/netmaker/mq" "github.com/gravitl/netmaker/servercfg" "golang.org/x/exp/slog" ) var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.ServiceUser, Default: true, FullAccess: false, DenyDashboardAccess: true, } var PlatformUserUserPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.PlatformUser, Default: true, FullAccess: false, } var NetworkAdminAllPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkAdmin)), Default: true, FullAccess: true, NetworkID: models.AllNetworks, } var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)), Default: true, FullAccess: false, NetworkID: models.AllNetworks, NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{ models.RemoteAccessGwRsrc: { models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{ Read: true, VPNaccess: true, }, }, models.ExtClientsRsrc: { models.AllExtClientsRsrcID: models.RsrcPermissionScope{ Read: true, Create: true, Update: true, Delete: true, SelfOnly: true, }, }, }, } func UserRolesInit() { d, _ := json.Marshal(logic.SuperAdminPermissionTemplate) database.Insert(logic.SuperAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) d, _ = json.Marshal(logic.AdminPermissionTemplate) database.Insert(logic.AdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) d, _ = json.Marshal(ServiceUserPermissionTemplate) database.Insert(ServiceUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) d, _ = json.Marshal(PlatformUserUserPermissionTemplate) database.Insert(PlatformUserUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) d, _ = json.Marshal(NetworkAdminAllPermissionTemplate) database.Insert(NetworkAdminAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) d, _ = json.Marshal(NetworkUserAllPermissionTemplate) database.Insert(NetworkUserAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) } func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) { var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)), Default: true, NetworkID: netID, FullAccess: true, NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), } var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)), Default: true, FullAccess: false, NetworkID: netID, DenyDashboardAccess: false, NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{ models.RemoteAccessGwRsrc: { models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{ Read: true, VPNaccess: true, }, }, models.ExtClientsRsrc: { models.AllExtClientsRsrcID: models.RsrcPermissionScope{ Read: true, Create: true, Update: true, Delete: true, SelfOnly: true, }, }, }, } d, _ := json.Marshal(NetworkAdminPermissionTemplate) database.Insert(NetworkAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) d, _ = json.Marshal(NetworkUserPermissionTemplate) database.Insert(NetworkUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) // create default network groups var NetworkAdminGroup = models.UserGroup{ ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)), NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{ netID: { models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)): {}, }, }, MetaData: "The network role was automatically created by Netmaker.", } var NetworkUserGroup = models.UserGroup{ ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)), NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{ netID: { models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)): {}, }, }, MetaData: "The network role was automatically created by Netmaker.", } d, _ = json.Marshal(NetworkAdminGroup) database.Insert(NetworkAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) d, _ = json.Marshal(NetworkUserGroup) database.Insert(NetworkUserGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) } func DeleteNetworkRoles(netID string) { users, err := logic.GetUsersDB() if err != nil { return } defaultUserGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser) defaultAdminGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin) for _, user := range users { var upsert bool if _, ok := user.NetworkRoles[models.NetworkID(netID)]; ok { delete(user.NetworkRoles, models.NetworkID(netID)) upsert = true } if _, ok := user.UserGroups[models.UserGroupID(defaultUserGrp)]; ok { delete(user.UserGroups, models.UserGroupID(defaultUserGrp)) upsert = true } if _, ok := user.UserGroups[models.UserGroupID(defaultAdminGrp)]; ok { delete(user.UserGroups, models.UserGroupID(defaultAdminGrp)) upsert = true } if upsert { logic.UpsertUser(user) } } database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultUserGrp) database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultAdminGrp) userGs, _ := ListUserGroups() for _, userGI := range userGs { if _, ok := userGI.NetworkRoles[models.NetworkID(netID)]; ok { delete(userGI.NetworkRoles, models.NetworkID(netID)) UpdateUserGroup(userGI) } } roles, _ := ListNetworkRoles() for _, role := range roles { if role.NetworkID.String() == netID { database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, role.ID.String()) } } } // ListNetworkRoles - lists user network roles permission templates func ListNetworkRoles() ([]models.UserRolePermissionTemplate, error) { data, err := database.FetchRecords(database.USER_PERMISSIONS_TABLE_NAME) if err != nil && !database.IsEmptyRecord(err) { return []models.UserRolePermissionTemplate{}, err } userRoles := []models.UserRolePermissionTemplate{} for _, dataI := range data { userRole := models.UserRolePermissionTemplate{} err := json.Unmarshal([]byte(dataI), &userRole) if err != nil { continue } if userRole.NetworkID == "" { continue } userRoles = append(userRoles, userRole) } return userRoles, nil } func ValidateCreateRoleReq(userRole *models.UserRolePermissionTemplate) error { // check if role exists with this id _, err := logic.GetRole(userRole.ID) if err == nil { return fmt.Errorf("role with id `%s` exists already", userRole.ID.String()) } if len(userRole.NetworkLevelAccess) > 0 { for rsrcType := range userRole.NetworkLevelAccess { if _, ok := models.RsrcTypeMap[rsrcType]; !ok { return errors.New("invalid rsrc type " + rsrcType.String()) } if rsrcType == models.RemoteAccessGwRsrc { userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc] var vpnAccess bool for _, scope := range userRsrcPermissions { if scope.VPNaccess { vpnAccess = true break } } if vpnAccess { userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{ models.AllExtClientsRsrcID: { Read: true, Create: true, Update: true, Delete: true, SelfOnly: true, }, } } } } } if userRole.NetworkID == "" { return errors.New("only network roles are allowed to be created") } return nil } func ValidateUpdateRoleReq(userRole *models.UserRolePermissionTemplate) error { roleInDB, err := logic.GetRole(userRole.ID) if err != nil { return err } if roleInDB.NetworkID != userRole.NetworkID { return errors.New("network id mismatch") } if roleInDB.Default { return errors.New("cannot update default role") } if len(userRole.NetworkLevelAccess) > 0 { for rsrcType := range userRole.NetworkLevelAccess { if _, ok := models.RsrcTypeMap[rsrcType]; !ok { return errors.New("invalid rsrc type " + rsrcType.String()) } if rsrcType == models.RemoteAccessGwRsrc { userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc] var vpnAccess bool for _, scope := range userRsrcPermissions { if scope.VPNaccess { vpnAccess = true break } } if vpnAccess { userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{ models.AllExtClientsRsrcID: { Read: true, Create: true, Update: true, Delete: true, SelfOnly: true, }, } } } } } return nil } // CreateRole - inserts new role into DB func CreateRole(r models.UserRolePermissionTemplate) error { // check if role already exists if r.ID.String() == "" { return errors.New("role id cannot be empty") } _, err := database.FetchRecord(database.USER_PERMISSIONS_TABLE_NAME, r.ID.String()) if err == nil { return errors.New("role already exists") } d, err := json.Marshal(r) if err != nil { return err } return database.Insert(r.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) } // UpdateRole - updates role template func UpdateRole(r models.UserRolePermissionTemplate) error { if r.ID.String() == "" { return errors.New("role id cannot be empty") } _, err := database.FetchRecord(database.USER_PERMISSIONS_TABLE_NAME, r.ID.String()) if err != nil { return err } d, err := json.Marshal(r) if err != nil { return err } return database.Insert(r.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) } // DeleteRole - deletes user role func DeleteRole(rid models.UserRoleID, force bool) error { if rid.String() == "" { return errors.New("role id cannot be empty") } users, err := logic.GetUsersDB() if err != nil { return err } role, err := logic.GetRole(rid) if err != nil { return err } if role.NetworkID == "" { return errors.New("cannot delete platform role") } // allow deletion of default network roles if network doesn't exist if role.NetworkID == models.AllNetworks { return errors.New("cannot delete default network role") } // check if network exists exists, _ := logic.NetworkExists(role.NetworkID.String()) if role.Default { if exists && !force { return errors.New("cannot delete default role") } } for _, user := range users { for userG := range user.UserGroups { ug, err := GetUserGroup(userG) if err == nil { if role.NetworkID != "" { for netID, networkRoles := range ug.NetworkRoles { if _, ok := networkRoles[rid]; ok { delete(networkRoles, rid) ug.NetworkRoles[netID] = networkRoles UpdateUserGroup(ug) } } } } } if user.PlatformRoleID == rid { err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting") return err } if role.NetworkID != "" { for netID, networkRoles := range user.NetworkRoles { if _, ok := networkRoles[rid]; ok { delete(networkRoles, rid) user.NetworkRoles[netID] = networkRoles logic.UpsertUser(user) } } } } return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, rid.String()) } func ValidateCreateGroupReq(g models.UserGroup) error { // check if network roles are valid for _, roleMap := range g.NetworkRoles { for roleID := range roleMap { role, err := logic.GetRole(roleID) if err != nil { return fmt.Errorf("invalid network role %s", roleID) } if role.NetworkID == "" { return errors.New("platform role cannot be used as network role") } } } return nil } func ValidateUpdateGroupReq(g models.UserGroup) error { for networkID := range g.NetworkRoles { userRolesMap := g.NetworkRoles[networkID] for roleID := range userRolesMap { netRole, err := logic.GetRole(roleID) if err != nil { err = fmt.Errorf("invalid network role") return err } if netRole.NetworkID == "" { return errors.New("platform role cannot be used as network role") } } } return nil } // CreateUserGroup - creates new user group func CreateUserGroup(g models.UserGroup) error { // check if role already exists if g.ID == "" { return errors.New("group id cannot be empty") } _, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, g.ID.String()) if err == nil { return errors.New("group already exists") } d, err := json.Marshal(g) if err != nil { return err } return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) } // GetUserGroup - fetches user group func GetUserGroup(gid models.UserGroupID) (models.UserGroup, error) { d, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, gid.String()) if err != nil { return models.UserGroup{}, err } var ug models.UserGroup err = json.Unmarshal([]byte(d), &ug) if err != nil { return ug, err } return ug, nil } // ListUserGroups - lists user groups func ListUserGroups() ([]models.UserGroup, error) { data, err := database.FetchRecords(database.USER_GROUPS_TABLE_NAME) if err != nil && !database.IsEmptyRecord(err) { return []models.UserGroup{}, err } userGroups := []models.UserGroup{} for _, dataI := range data { userGroup := models.UserGroup{} err := json.Unmarshal([]byte(dataI), &userGroup) if err != nil { continue } userGroups = append(userGroups, userGroup) } return userGroups, nil } // UpdateUserGroup - updates new user group func UpdateUserGroup(g models.UserGroup) error { // check if group exists if g.ID == "" { return errors.New("group id cannot be empty") } _, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, g.ID.String()) if err != nil { return err } d, err := json.Marshal(g) if err != nil { return err } return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) } // DeleteUserGroup - deletes user group func DeleteUserGroup(gid models.UserGroupID) error { users, err := logic.GetUsersDB() if err != nil { return err } for _, user := range users { delete(user.UserGroups, gid) logic.UpsertUser(user) } return database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, gid.String()) } func HasNetworkRsrcScope(permissionTemplate models.UserRolePermissionTemplate, netid string, rsrcType models.RsrcType, rsrcID models.RsrcID, op string) bool { if permissionTemplate.FullAccess { return true } rsrcScope, ok := permissionTemplate.NetworkLevelAccess[rsrcType] if !ok { return false } _, ok = rsrcScope[rsrcID] return ok } func GetUserRAGNodes(user models.User) (gws map[string]models.Node) { gws = make(map[string]models.Node) userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user) logger.Log(3, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope)) _, allNetAccess := userGwAccessScope["*"] nodes, err := logic.GetAllNodes() if err != nil { return } for _, node := range nodes { if node.IsIngressGateway && !node.PendingDelete { if allNetAccess { gws[node.ID.String()] = node } else { gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)] scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID] if !ok { if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok { continue } } if scope.VPNaccess { gws[node.ID.String()] = node } } } } return } // GetUserNetworkRoles - get user network roles func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) { gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) platformRole, err := logic.GetRole(user.PlatformRoleID) if err != nil { return } if platformRole.FullAccess { gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope) return } if _, ok := user.NetworkRoles[models.AllNetworks]; ok { gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope) } if len(user.UserGroups) > 0 { for gID := range user.UserGroups { userG, err := GetUserGroup(gID) if err != nil { continue } for netID, roleMap := range userG.NetworkRoles { for roleID := range roleMap { role, err := logic.GetRole(roleID) if err == nil { if role.FullAccess { gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{ models.AllRemoteAccessGwRsrcID: { Create: true, Read: true, Update: true, VPNaccess: true, Delete: true, }, models.AllExtClientsRsrcID: { Create: true, Read: true, Update: true, Delete: true, }, } break } if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok { if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess { if len(gwAccess[netID]) == 0 { gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) } gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions break } else { for gwID, scope := range rsrcsMap { if scope.VPNaccess { if len(gwAccess[netID]) == 0 { gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) } gwAccess[netID][gwID] = scope } } } } } } } } } for netID, roleMap := range user.NetworkRoles { for roleID := range roleMap { role, err := logic.GetRole(roleID) if err == nil { if role.FullAccess { gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{ models.AllRemoteAccessGwRsrcID: { Create: true, Read: true, Update: true, VPNaccess: true, Delete: true, }, models.AllExtClientsRsrcID: { Create: true, Read: true, Update: true, Delete: true, }, } break } if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok { if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess { if len(gwAccess[netID]) == 0 { gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) } gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions break } else { for gwID, scope := range rsrcsMap { if scope.VPNaccess { if len(gwAccess[netID]) == 0 { gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) } gwAccess[netID][gwID] = scope } } } } } } } return } func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filteredNodes []models.Node) { nodesMap := make(map[string]struct{}) allNetworkRoles := make(map[models.UserRoleID]struct{}) if len(user.NetworkRoles) > 0 { for _, netRoles := range user.NetworkRoles { for netRoleI := range netRoles { allNetworkRoles[netRoleI] = struct{}{} } } } if _, ok := user.NetworkRoles[models.AllNetworks]; ok { return nodes } if len(user.UserGroups) > 0 { for userGID := range user.UserGroups { userG, err := GetUserGroup(userGID) if err == nil { if len(userG.NetworkRoles) > 0 { if _, ok := userG.NetworkRoles[models.AllNetworks]; ok { return nodes } for _, netRoles := range userG.NetworkRoles { for netRoleI := range netRoles { allNetworkRoles[netRoleI] = struct{}{} } } } } } } for networkRoleID := range allNetworkRoles { userPermTemplate, err := logic.GetRole(networkRoleID) if err != nil { continue } networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String()) if userPermTemplate.FullAccess { for _, node := range networkNodes { if _, ok := nodesMap[node.ID.String()]; ok { continue } nodesMap[node.ID.String()] = struct{}{} filteredNodes = append(filteredNodes, node) } continue } if rsrcPerms, ok := userPermTemplate.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok { if _, ok := rsrcPerms[models.AllRemoteAccessGwRsrcID]; ok { for _, node := range networkNodes { if _, ok := nodesMap[node.ID.String()]; ok { continue } if node.IsIngressGateway { nodesMap[node.ID.String()] = struct{}{} filteredNodes = append(filteredNodes, node) } } } else { for gwID, scope := range rsrcPerms { if _, ok := nodesMap[gwID.String()]; ok { continue } if scope.Read { gwNode, err := logic.GetNodeByID(gwID.String()) if err == nil && gwNode.IsIngressGateway { nodesMap[gwNode.ID.String()] = struct{}{} filteredNodes = append(filteredNodes, gwNode) } } } } } } return } func FilterNetworksByRole(allnetworks []models.Network, user models.User) []models.Network { platformRole, err := logic.GetRole(user.PlatformRoleID) if err != nil { return []models.Network{} } if !platformRole.FullAccess { allNetworkRoles := make(map[models.NetworkID]struct{}) if len(user.NetworkRoles) > 0 { for netID := range user.NetworkRoles { if netID == models.AllNetworks { return allnetworks } allNetworkRoles[netID] = struct{}{} } } if len(user.UserGroups) > 0 { for userGID := range user.UserGroups { userG, err := GetUserGroup(userGID) if err == nil { if len(userG.NetworkRoles) > 0 { for netID := range userG.NetworkRoles { if netID == models.AllNetworks { return allnetworks } allNetworkRoles[netID] = struct{}{} } } } } } filteredNetworks := []models.Network{} for _, networkI := range allnetworks { if _, ok := allNetworkRoles[models.NetworkID(networkI.NetID)]; ok { filteredNetworks = append(filteredNetworks, networkI) } } allnetworks = filteredNetworks } return allnetworks } func IsGroupsValid(groups map[models.UserGroupID]struct{}) error { for groupID := range groups { _, err := GetUserGroup(groupID) if err != nil { return fmt.Errorf("user group `%s` not found", groupID) } } return nil } func IsNetworkRolesValid(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error { for netID, netRoles := range networkRoles { if netID != models.AllNetworks { _, err := logic.GetNetwork(netID.String()) if err != nil { return fmt.Errorf("failed to fetch network %s ", netID) } } for netRoleID := range netRoles { role, err := logic.GetRole(netRoleID) if err != nil { return fmt.Errorf("failed to fetch role %s ", netRoleID) } if role.NetworkID == "" { return fmt.Errorf("cannot use platform as network role %s", netRoleID) } } } return nil } // PrepareOauthUserFromInvite - init oauth user before create func PrepareOauthUserFromInvite(in models.UserInvite) (models.User, error) { var newPass, fetchErr = logic.FetchPassValue("") if fetchErr != nil { return models.User{}, fetchErr } user := models.User{ UserName: in.Email, Password: newPass, } user.UserGroups = in.UserGroups user.NetworkRoles = in.NetworkRoles user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID) if user.PlatformRoleID == "" { user.PlatformRoleID = models.ServiceUser } return user, nil } func UpdatesUserGwAccessOnRoleUpdates(currNetworkAccess, changeNetworkAccess map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope, netID string) { networkChangeMap := make(map[models.RsrcID]models.RsrcPermissionScope) for rsrcType, RsrcPermsMap := range currNetworkAccess { if rsrcType != models.RemoteAccessGwRsrc { continue } if _, ok := changeNetworkAccess[rsrcType]; !ok { for rsrcID, scope := range RsrcPermsMap { networkChangeMap[rsrcID] = scope } } else { for rsrcID, scope := range RsrcPermsMap { if _, ok := changeNetworkAccess[rsrcType][rsrcID]; !ok { networkChangeMap[rsrcID] = scope } } } } extclients, err := logic.GetAllExtClients() if err != nil { slog.Error("failed to fetch extclients", "error", err) return } userMap, err := logic.GetUserMap() if err != nil { return } for _, extclient := range extclients { if extclient.Network != netID { continue } if _, ok := networkChangeMap[models.AllRemoteAccessGwRsrcID]; ok { if user, ok := userMap[extclient.OwnerID]; ok { if user.PlatformRoleID != models.ServiceUser { continue } err = logic.DeleteExtClientAndCleanup(extclient) if err != nil { slog.Error("failed to delete extclient", "id", extclient.ClientID, "owner", user.UserName, "error", err) } else { if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { slog.Error("error setting ext peers: " + err.Error()) } } } continue } if _, ok := networkChangeMap[models.RsrcID(extclient.IngressGatewayID)]; ok { if user, ok := userMap[extclient.OwnerID]; ok { if user.PlatformRoleID != models.ServiceUser { continue } err = logic.DeleteExtClientAndCleanup(extclient) if err != nil { slog.Error("failed to delete extclient", "id", extclient.ClientID, "owner", user.UserName, "error", err) } else { if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { slog.Error("error setting ext peers: " + err.Error()) } } } } } if servercfg.IsDNSMode() { logic.SetDNS() } } func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) { networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{}) for netID, networkUserRoles := range currNetworkRoles { if _, ok := changeNetworkRoles[netID]; !ok { for netRoleID := range networkUserRoles { if _, ok := networkChangeMap[netID]; !ok { networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) } networkChangeMap[netID][netRoleID] = struct{}{} } } else { for netRoleID := range networkUserRoles { if _, ok := changeNetworkRoles[netID][netRoleID]; !ok { if _, ok := networkChangeMap[netID]; !ok { networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) } networkChangeMap[netID][netRoleID] = struct{}{} } } } } extclients, err := logic.GetAllExtClients() if err != nil { slog.Error("failed to fetch extclients", "error", err) return } userMap, err := logic.GetUserMap() if err != nil { return } for _, extclient := range extclients { if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok { if user, ok := userMap[extclient.OwnerID]; ok { if user.PlatformRoleID != models.ServiceUser { continue } err = logic.DeleteExtClientAndCleanup(extclient) if err != nil { slog.Error("failed to delete extclient", "id", extclient.ClientID, "owner", user.UserName, "error", err) } else { if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { slog.Error("error setting ext peers: " + err.Error()) } } } } } if servercfg.IsDNSMode() { logic.SetDNS() } } func UpdateUserGwAccess(currentUser, changeUser models.User) { if changeUser.PlatformRoleID != models.ServiceUser { return } networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{}) for netID, networkUserRoles := range currentUser.NetworkRoles { if _, ok := changeUser.NetworkRoles[netID]; !ok { for netRoleID := range networkUserRoles { if _, ok := networkChangeMap[netID]; !ok { networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) } networkChangeMap[netID][netRoleID] = struct{}{} } } else { for netRoleID := range networkUserRoles { if _, ok := changeUser.NetworkRoles[netID][netRoleID]; !ok { if _, ok := networkChangeMap[netID]; !ok { networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) } networkChangeMap[netID][netRoleID] = struct{}{} } } } } for gID := range currentUser.UserGroups { if _, ok := changeUser.UserGroups[gID]; ok { continue } userG, err := GetUserGroup(gID) if err == nil { for netID, networkUserRoles := range userG.NetworkRoles { for netRoleID := range networkUserRoles { if _, ok := networkChangeMap[netID]; !ok { networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) } networkChangeMap[netID][netRoleID] = struct{}{} } } } } if len(networkChangeMap) == 0 { return } // TODO - cleanup gw access when role and groups are updated //removedGwAccess extclients, err := logic.GetAllExtClients() if err != nil { slog.Error("failed to fetch extclients", "error", err) return } for _, extclient := range extclients { if extclient.OwnerID == currentUser.UserName { if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok { err = logic.DeleteExtClientAndCleanup(extclient) if err != nil { slog.Error("failed to delete extclient", "id", extclient.ClientID, "owner", changeUser.UserName, "error", err) } else { if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { slog.Error("error setting ext peers: " + err.Error()) } } } } } if servercfg.IsDNSMode() { logic.SetDNS() } }