mirror of
https://github.com/gravitl/netmaker.git
synced 2025-09-10 07:05:28 +08:00
2e8d95e80e
* user mgmt models * define user roles * define models for new user mgmt and groups * oauth debug log * initialize user role after db conn * print oauth token in debug log * user roles CRUD apis * user groups CRUD Apis * additional api checks * add additional scopes * add additional scopes url * add additional scopes url * rm additional scopes url * setup middlleware permission checks * integrate permission check into middleware * integrate permission check into middleware * check for headers for subjects * refactor user role models * refactor user groups models * add new user to pending user via RAC login * untracked * allow multiple groups for an user * change json tag * add debug headers * refer network controls form roles, add debug headers * refer network controls form roles, add debug headers * replace auth checks, add network id to role model * nodes handler * migration funcs * invoke sync users migration func * add debug logs * comment middleware * fix get all nodes api * add debug logs * fix middleware error nil check * add new func to get username from jwt * fix jwt parsing * abort on error * allow multiple network roles * allow multiple network roles * add migration func * return err if jwt parsing fails * set global check to true when accessing user apis * set netid for acls api calls * set netid for acls api calls * update role and groups routes * add validation checks * add invite flow apis and magic links * add invited user via oauth signup automatically * create invited user on oauth signup, with groups in the invite * add group validation for user invite * update create user handler with new role mgmt * add validation checks * create user invites tables * add error logging for email invite * fix invite singup url * debug log * get query params from url * get query params from url * add query escape * debug log * debug log * fix user signup via invite api * set admin field for backward compatbility * use new role id for user apis * deprecate use of old admin fields * deprecate usage of old user fields * add user role as service user if empty * setup email sender * delete invite after user singup * add plaform user role * redirect on invite verification link * fix invite redirect * temporary redirect * fix invite redirect * point invite link to frontend * fix query params lookup * add resend support, configure email interface types * fix groups and user creation * validate user groups, add check for metrics api in middleware * add invite url to invite model * migrate rac apis to new user mgmt * handle network nodes * add platform user to default role * fix user role migration * add default on rag creation and cleanup after deletion * fix rac apis * change to invite code param * filter nodes and hosts based on user network access * extend create user group req to accomodate users * filter network based on user access * format oauth error * move user roles and groups * fix get user v1 api * move user mgmt func to pro * add user auth type to user model * fix roles init * remove platform role from group object * list only platform roles * add network roles to invite req * create default groups and roles * fix middleware for global access * create default role * fix nodes filter with global network roles * block selfupdate of groups and network roles * delete netID if net roles are empty * validate user roles nd groups on update * set extclient permission scope when rag vpn access is set * allow deletion of roles and groups * replace _ with - in role naming convention * fix failover middleware mgmt * format oauth templates * fetch route temaplate * return err if user wrong login type * check user groups on rac apis * fix rac apis * fix resp msg * add validation checks for admin invite * return oauth type * format group err msg * fix html tag * clean up default groups * create default rag role * add UI name to roles * remove default net group from user when deleted * reorder migration funcs * fix duplicacy of hosts * check old field for migration * from pro to ce make all secondary users admins * from pro to ce make all secondary users admins * revert: from pro to ce make all secondary users admins * make sure downgrades work * fix pending users approval * fix duplicate hosts * fix duplicate hosts entries * fix cache reference issue * feat: configure FRONTEND_URL during installation * disable user vpn access when network roles are modified * rm vpn acces when roles or groups are deleted * add http to frontend url * revert crypto version * downgrade crytpo version * add platform id check on user invites --------- Co-authored-by: the_aceix <aceixsmartx@gmail.com>
444 lines
11 KiB
Go
444 lines
11 KiB
Go
package logic
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/go-playground/validator/v10"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"golang.org/x/exp/slog"
|
|
|
|
"github.com/gravitl/netmaker/database"
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/models"
|
|
)
|
|
|
|
const (
|
|
auth_key = "netmaker_auth"
|
|
)
|
|
|
|
var (
|
|
superUser = models.User{}
|
|
)
|
|
|
|
func ClearSuperUserCache() {
|
|
superUser = models.User{}
|
|
}
|
|
|
|
// HasSuperAdmin - checks if server has an superadmin/owner
|
|
func HasSuperAdmin() (bool, error) {
|
|
|
|
if superUser.IsSuperAdmin {
|
|
return true, nil
|
|
}
|
|
|
|
collection, err := database.FetchRecords(database.USERS_TABLE_NAME)
|
|
if err != nil {
|
|
if database.IsEmptyRecord(err) {
|
|
return false, nil
|
|
} else {
|
|
return true, err
|
|
}
|
|
}
|
|
for _, value := range collection { // filter for isadmin true
|
|
var user models.User
|
|
err = json.Unmarshal([]byte(value), &user)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
if user.PlatformRoleID == models.SuperAdminRole || user.IsSuperAdmin {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, err
|
|
}
|
|
|
|
// GetUsersDB - gets users
|
|
func GetUsersDB() ([]models.User, error) {
|
|
|
|
var users []models.User
|
|
|
|
collection, err := database.FetchRecords(database.USERS_TABLE_NAME)
|
|
|
|
if err != nil {
|
|
return users, err
|
|
}
|
|
|
|
for _, value := range collection {
|
|
|
|
var user models.User
|
|
err = json.Unmarshal([]byte(value), &user)
|
|
if err != nil {
|
|
continue // get users
|
|
}
|
|
users = append(users, user)
|
|
}
|
|
|
|
return users, err
|
|
}
|
|
|
|
// GetUsers - gets users
|
|
func GetUsers() ([]models.ReturnUser, error) {
|
|
|
|
var users []models.ReturnUser
|
|
|
|
collection, err := database.FetchRecords(database.USERS_TABLE_NAME)
|
|
|
|
if err != nil {
|
|
return users, err
|
|
}
|
|
|
|
for _, value := range collection {
|
|
|
|
var user models.ReturnUser
|
|
err = json.Unmarshal([]byte(value), &user)
|
|
if err != nil {
|
|
continue // get users
|
|
}
|
|
users = append(users, user)
|
|
}
|
|
|
|
return users, err
|
|
}
|
|
|
|
// IsOauthUser - returns
|
|
func IsOauthUser(user *models.User) error {
|
|
var currentValue, err = FetchPassValue("")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
var bCryptErr = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(currentValue))
|
|
return bCryptErr
|
|
}
|
|
|
|
func FetchPassValue(newValue string) (string, error) {
|
|
|
|
type valueHolder struct {
|
|
Value string `json:"value" bson:"value"`
|
|
}
|
|
newValueHolder := valueHolder{}
|
|
var currentValue, err = FetchAuthSecret()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
var unmarshErr = json.Unmarshal([]byte(currentValue), &newValueHolder)
|
|
if unmarshErr != nil {
|
|
return "", unmarshErr
|
|
}
|
|
|
|
var b64CurrentValue, b64Err = base64.StdEncoding.DecodeString(newValueHolder.Value)
|
|
if b64Err != nil {
|
|
logger.Log(0, "could not decode pass")
|
|
return "", nil
|
|
}
|
|
return string(b64CurrentValue), nil
|
|
}
|
|
|
|
// CreateUser - creates a user
|
|
func CreateUser(user *models.User) error {
|
|
// check if user exists
|
|
if _, err := GetUser(user.UserName); err == nil {
|
|
return errors.New("user exists")
|
|
}
|
|
SetUserDefaults(user)
|
|
if err := IsGroupsValid(user.UserGroups); err != nil {
|
|
return errors.New("invalid groups: " + err.Error())
|
|
}
|
|
if err := IsNetworkRolesValid(user.NetworkRoles); err != nil {
|
|
return errors.New("invalid network roles: " + err.Error())
|
|
}
|
|
|
|
var err = ValidateUser(user)
|
|
if err != nil {
|
|
logger.Log(0, "failed to validate user", err.Error())
|
|
return err
|
|
}
|
|
// encrypt that password so we never see it again
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), 5)
|
|
if err != nil {
|
|
logger.Log(0, "error encrypting pass", err.Error())
|
|
return err
|
|
}
|
|
// set password to encrypted password
|
|
user.Password = string(hash)
|
|
user.AuthType = models.BasicAuth
|
|
if IsOauthUser(user) == nil {
|
|
user.AuthType = models.OAuth
|
|
}
|
|
_, err = CreateUserJWT(user.UserName, user.PlatformRoleID)
|
|
if err != nil {
|
|
logger.Log(0, "failed to generate token", err.Error())
|
|
return err
|
|
}
|
|
|
|
// connect db
|
|
data, err := json.Marshal(user)
|
|
if err != nil {
|
|
logger.Log(0, "failed to marshal", err.Error())
|
|
return err
|
|
}
|
|
err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME)
|
|
if err != nil {
|
|
logger.Log(0, "failed to insert user", err.Error())
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CreateSuperAdmin - creates an super admin user
|
|
func CreateSuperAdmin(u *models.User) error {
|
|
hassuperadmin, err := HasSuperAdmin()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if hassuperadmin {
|
|
return errors.New("superadmin user already exists")
|
|
}
|
|
u.PlatformRoleID = models.SuperAdminRole
|
|
return CreateUser(u)
|
|
}
|
|
|
|
// VerifyAuthRequest - verifies an auth request
|
|
func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
|
|
var result models.User
|
|
if authRequest.UserName == "" {
|
|
return "", errors.New("username can't be empty")
|
|
} else if authRequest.Password == "" {
|
|
return "", errors.New("password can't be empty")
|
|
}
|
|
// Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API until approved).
|
|
record, err := database.FetchRecord(database.USERS_TABLE_NAME, authRequest.UserName)
|
|
if err != nil {
|
|
return "", errors.New("incorrect credentials")
|
|
}
|
|
if err = json.Unmarshal([]byte(record), &result); err != nil {
|
|
return "", errors.New("error unmarshalling user json: " + err.Error())
|
|
}
|
|
|
|
// compare password from request to stored password in database
|
|
// might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
|
|
// TODO: Consider a way of hashing the password client side before sending, or using certificates
|
|
if err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password)); err != nil {
|
|
return "", errors.New("incorrect credentials")
|
|
}
|
|
|
|
// Create a new JWT for the node
|
|
tokenString, err := CreateUserJWT(authRequest.UserName, result.PlatformRoleID)
|
|
if err != nil {
|
|
slog.Error("error creating jwt", "error", err)
|
|
return "", err
|
|
}
|
|
|
|
// update last login time
|
|
result.LastLoginTime = time.Now()
|
|
err = UpsertUser(result)
|
|
if err != nil {
|
|
slog.Error("error upserting user", "error", err)
|
|
return "", err
|
|
}
|
|
|
|
return tokenString, nil
|
|
}
|
|
|
|
// UpsertUser - updates user in the db
|
|
func UpsertUser(user models.User) error {
|
|
data, err := json.Marshal(&user)
|
|
if err != nil {
|
|
slog.Error("error marshalling user", "user", user.UserName, "error", err.Error())
|
|
return err
|
|
}
|
|
if err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME); err != nil {
|
|
slog.Error("error inserting user", "user", user.UserName, "error", err.Error())
|
|
return err
|
|
}
|
|
if user.IsSuperAdmin {
|
|
superUser = user
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// UpdateUser - updates a given user
|
|
func UpdateUser(userchange, user *models.User) (*models.User, error) {
|
|
// check if user exists
|
|
if _, err := GetUser(user.UserName); err != nil {
|
|
return &models.User{}, err
|
|
}
|
|
|
|
queryUser := user.UserName
|
|
if userchange.UserName != "" && user.UserName != userchange.UserName {
|
|
// check if username is available
|
|
if _, err := GetUser(userchange.UserName); err == nil {
|
|
return &models.User{}, errors.New("username exists already")
|
|
}
|
|
user.UserName = userchange.UserName
|
|
}
|
|
if userchange.Password != "" {
|
|
// encrypt that password so we never see it again
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(userchange.Password), 5)
|
|
|
|
if err != nil {
|
|
return userchange, err
|
|
}
|
|
// set password to encrypted password
|
|
userchange.Password = string(hash)
|
|
|
|
user.Password = userchange.Password
|
|
}
|
|
if err := IsGroupsValid(userchange.UserGroups); err != nil {
|
|
return userchange, errors.New("invalid groups: " + err.Error())
|
|
}
|
|
if err := IsNetworkRolesValid(userchange.NetworkRoles); err != nil {
|
|
return userchange, errors.New("invalid network roles: " + err.Error())
|
|
}
|
|
// Reset Gw Access for service users
|
|
go UpdateUserGwAccess(*user, *userchange)
|
|
user.PlatformRoleID = userchange.PlatformRoleID
|
|
user.UserGroups = userchange.UserGroups
|
|
user.NetworkRoles = userchange.NetworkRoles
|
|
err := ValidateUser(user)
|
|
if err != nil {
|
|
return &models.User{}, err
|
|
}
|
|
|
|
if err = database.DeleteRecord(database.USERS_TABLE_NAME, queryUser); err != nil {
|
|
return &models.User{}, err
|
|
}
|
|
data, err := json.Marshal(&user)
|
|
if err != nil {
|
|
return &models.User{}, err
|
|
}
|
|
if err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME); err != nil {
|
|
return &models.User{}, err
|
|
}
|
|
logger.Log(1, "updated user", queryUser)
|
|
return user, nil
|
|
}
|
|
|
|
// ValidateUser - validates a user model
|
|
func ValidateUser(user *models.User) error {
|
|
|
|
// check if role is valid
|
|
_, err := GetRole(user.PlatformRoleID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
v := validator.New()
|
|
_ = v.RegisterValidation("in_charset", func(fl validator.FieldLevel) bool {
|
|
isgood := user.NameInCharSet()
|
|
return isgood
|
|
})
|
|
err = v.Struct(user)
|
|
|
|
if err != nil {
|
|
for _, e := range err.(validator.ValidationErrors) {
|
|
logger.Log(2, e.Error())
|
|
}
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
// DeleteUser - deletes a given user
|
|
func DeleteUser(user string) (bool, error) {
|
|
|
|
if userRecord, err := database.FetchRecord(database.USERS_TABLE_NAME, user); err != nil || len(userRecord) == 0 {
|
|
return false, errors.New("user does not exist")
|
|
}
|
|
|
|
err := database.DeleteRecord(database.USERS_TABLE_NAME, user)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
func SetAuthSecret(secret string) error {
|
|
type valueHolder struct {
|
|
Value string `json:"value" bson:"value"`
|
|
}
|
|
record, err := FetchAuthSecret()
|
|
if err == nil {
|
|
v := valueHolder{}
|
|
json.Unmarshal([]byte(record), &v)
|
|
if v.Value != "" {
|
|
return nil
|
|
}
|
|
}
|
|
var b64NewValue = base64.StdEncoding.EncodeToString([]byte(secret))
|
|
newValueHolder := valueHolder{
|
|
Value: b64NewValue,
|
|
}
|
|
d, _ := json.Marshal(newValueHolder)
|
|
return database.Insert(auth_key, string(d), database.GENERATED_TABLE_NAME)
|
|
}
|
|
|
|
// FetchAuthSecret - manages secrets for oauth
|
|
func FetchAuthSecret() (string, error) {
|
|
var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, auth_key)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return record, nil
|
|
}
|
|
|
|
// GetState - gets an SsoState from DB, if expired returns error
|
|
func GetState(state string) (*models.SsoState, error) {
|
|
var s models.SsoState
|
|
record, err := database.FetchRecord(database.SSO_STATE_CACHE, state)
|
|
if err != nil {
|
|
return &s, err
|
|
}
|
|
|
|
if err = json.Unmarshal([]byte(record), &s); err != nil {
|
|
return &s, err
|
|
}
|
|
|
|
if s.IsExpired() {
|
|
return &s, fmt.Errorf("state expired")
|
|
}
|
|
|
|
return &s, nil
|
|
}
|
|
|
|
// SetState - sets a state with new expiration
|
|
func SetState(state string) error {
|
|
s := models.SsoState{
|
|
Value: state,
|
|
Expiration: time.Now().Add(models.DefaultExpDuration),
|
|
}
|
|
|
|
data, err := json.Marshal(&s)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return database.Insert(state, string(data), database.SSO_STATE_CACHE)
|
|
}
|
|
|
|
// IsStateValid - checks if given state is valid or not
|
|
// deletes state after call is made to clean up, should only be called once per sign-in
|
|
func IsStateValid(state string) (string, bool) {
|
|
s, err := GetState(state)
|
|
if err != nil {
|
|
logger.Log(2, "error retrieving oauth state:", err.Error())
|
|
return "", false
|
|
}
|
|
if s.Value != "" {
|
|
if err = delState(state); err != nil {
|
|
logger.Log(2, "error deleting oauth state:", err.Error())
|
|
return "", false
|
|
}
|
|
}
|
|
return s.Value, true
|
|
}
|
|
|
|
// delState - removes a state from cache/db
|
|
func delState(state string) error {
|
|
return database.DeleteRecord(database.SSO_STATE_CACHE, state)
|
|
}
|