mirror of
https://github.com/gravitl/netmaker.git
synced 2025-09-04 04:04:17 +08:00
1a1ba1ccf4
* Move ee code to ee package and unify ee status to IsPro * Consolidate naming for paid/professional/enterprise version as "pro". Notes: - Changes image tags - Changes build tags - Changes package names - Doesn't change links to docs that mention "ee" - Doesn't change parameters sent to PostHog that mention "ee" * Revert docker image tag being -pro, back to -ee * Revert go build tag being pro, back to ee * Add build tags for some ee content * [2] Revert go build tag being pro, back to ee * Fix test workflow * Add a json tag to be backwards compatible with frontend "IsEE" check * Add a json tag for the serverconfig struct for IsEE * Ammend json tag to Is_EE * fix ee tags --------- Co-authored-by: Abhishek Kondur <abhi281342@gmail.com>
214 lines
6 KiB
Go
214 lines
6 KiB
Go
package logic
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/gravitl/netmaker/database"
|
|
"github.com/gravitl/netmaker/logic/pro"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/models/promodels"
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
)
|
|
|
|
const (
|
|
// ALL_NETWORK_ACCESS - represents all networks
|
|
ALL_NETWORK_ACCESS = "THIS_USER_HAS_ALL"
|
|
|
|
master_uname = "masteradministrator"
|
|
Forbidden_Msg = "forbidden"
|
|
Forbidden_Err = models.Error(Forbidden_Msg)
|
|
Unauthorized_Msg = "unauthorized"
|
|
Unauthorized_Err = models.Error(Unauthorized_Msg)
|
|
)
|
|
|
|
// SecurityCheck - Check if user has appropriate permissions
|
|
func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
var errorResponse = models.ErrorResponse{
|
|
Code: http.StatusForbidden, Message: Forbidden_Msg,
|
|
}
|
|
r.Header.Set("ismaster", "no")
|
|
|
|
var params = mux.Vars(r)
|
|
bearerToken := r.Header.Get("Authorization")
|
|
// to have a custom DNS service adding entries
|
|
// we should refactor this, but is for the special case of an external service to query the DNS api
|
|
if strings.Contains(r.RequestURI, "/dns") && strings.ToUpper(r.Method) == "GET" && authenticateDNSToken(bearerToken) {
|
|
// do dns stuff
|
|
r.Header.Set("user", "nameserver")
|
|
networks, _ := json.Marshal([]string{ALL_NETWORK_ACCESS})
|
|
r.Header.Set("networks", string(networks))
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
var networkName = params["networkname"]
|
|
if len(networkName) == 0 {
|
|
networkName = params["network"]
|
|
}
|
|
networks, username, err := UserPermissions(reqAdmin, networkName, bearerToken)
|
|
if err != nil {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
// detect masteradmin
|
|
if len(networks) > 0 && networks[0] == ALL_NETWORK_ACCESS {
|
|
r.Header.Set("ismaster", "yes")
|
|
}
|
|
networksJson, err := json.Marshal(&networks)
|
|
if err != nil {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
r.Header.Set("user", username)
|
|
r.Header.Set("networks", string(networksJson))
|
|
next.ServeHTTP(w, r)
|
|
}
|
|
}
|
|
|
|
// NetUserSecurityCheck - Check if network user has appropriate permissions
|
|
func NetUserSecurityCheck(isNodes, isClients bool, next http.Handler) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
var errorResponse = models.ErrorResponse{
|
|
Code: http.StatusForbidden, Message: Forbidden_Msg,
|
|
}
|
|
r.Header.Set("ismaster", "no")
|
|
|
|
var params = mux.Vars(r)
|
|
var netUserName = params["networkuser"]
|
|
var network = params["network"]
|
|
|
|
bearerToken := r.Header.Get("Authorization")
|
|
|
|
var tokenSplit = strings.Split(bearerToken, " ")
|
|
var authToken = ""
|
|
|
|
if len(tokenSplit) < 2 {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
} else {
|
|
authToken = tokenSplit[1]
|
|
}
|
|
|
|
isMasterAuthenticated := authenticateMaster(authToken)
|
|
if isMasterAuthenticated {
|
|
r.Header.Set("user", "master token user")
|
|
r.Header.Set("ismaster", "yes")
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
userName, _, isadmin, err := VerifyUserToken(authToken)
|
|
if err != nil {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
r.Header.Set("user", userName)
|
|
|
|
if isadmin {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
if isNodes || isClients {
|
|
necessaryAccess := pro.NET_ADMIN
|
|
if isClients {
|
|
necessaryAccess = pro.CLIENT_ACCESS
|
|
}
|
|
if isNodes {
|
|
necessaryAccess = pro.NODE_ACCESS
|
|
}
|
|
u, err := pro.GetNetworkUser(network, promodels.NetworkUserID(userName))
|
|
if err != nil {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
if u.AccessLevel > necessaryAccess {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
} else if netUserName != userName {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
}
|
|
}
|
|
|
|
// UserPermissions - checks token stuff
|
|
func UserPermissions(reqAdmin bool, netname string, token string) ([]string, string, error) {
|
|
var tokenSplit = strings.Split(token, " ")
|
|
var authToken = ""
|
|
userNetworks := []string{}
|
|
|
|
if len(tokenSplit) < 2 {
|
|
return userNetworks, "", Unauthorized_Err
|
|
} else {
|
|
authToken = tokenSplit[1]
|
|
}
|
|
//all endpoints here require master so not as complicated
|
|
if authenticateMaster(authToken) {
|
|
// TODO log in as an actual admin user
|
|
return []string{ALL_NETWORK_ACCESS}, master_uname, nil
|
|
}
|
|
username, networks, isadmin, err := VerifyUserToken(authToken)
|
|
if err != nil {
|
|
return nil, username, Unauthorized_Err
|
|
}
|
|
if !isadmin && reqAdmin {
|
|
return nil, username, Forbidden_Err
|
|
}
|
|
userNetworks = networks
|
|
if isadmin {
|
|
return []string{ALL_NETWORK_ACCESS}, username, nil
|
|
}
|
|
// check network admin access
|
|
if len(netname) > 0 && (len(userNetworks) == 0 || !authenticateNetworkUser(netname, userNetworks)) {
|
|
return nil, username, Forbidden_Err
|
|
}
|
|
if servercfg.IsPro && len(netname) > 0 && !pro.IsUserNetAdmin(netname, username) {
|
|
return nil, "", Forbidden_Err
|
|
}
|
|
return userNetworks, username, nil
|
|
}
|
|
|
|
// Consider a more secure way of setting master key
|
|
func authenticateMaster(tokenString string) bool {
|
|
return tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != ""
|
|
}
|
|
|
|
func authenticateNetworkUser(network string, userNetworks []string) bool {
|
|
networkexists, err := NetworkExists(network)
|
|
if (err != nil && !database.IsEmptyRecord(err)) || !networkexists {
|
|
return false
|
|
}
|
|
return StringSliceContains(userNetworks, network)
|
|
}
|
|
|
|
// Consider a more secure way of setting master key
|
|
func authenticateDNSToken(tokenString string) bool {
|
|
tokens := strings.Split(tokenString, " ")
|
|
if len(tokens) < 2 {
|
|
return false
|
|
}
|
|
return len(servercfg.GetDNSKey()) > 0 && tokens[1] == servercfg.GetDNSKey()
|
|
}
|
|
|
|
func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
var errorResponse = models.ErrorResponse{
|
|
Code: http.StatusForbidden, Message: Forbidden_Msg,
|
|
}
|
|
var params = mux.Vars(r)
|
|
var requestedUser = params["username"]
|
|
if requestedUser != r.Header.Get("user") {
|
|
ReturnErrorResponse(w, r, errorResponse)
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
}
|
|
}
|