gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-08 14:15:25 +08:00
Code Issues Projects Releases Packages Wiki Activity
netmaker/pro/remote_access_client.go
Aceix 2df02f747e
Merge pull request #3504 from gravitl/depracate-rac-autodisable 
chore: deprecate rac autodisable flag
2025-06-24 23:43:44 +05:30

95 lines
2.6 KiB
Go
Raw Blame History

//go:build ee
// +build ee
package pro
import (
"fmt"
"time"
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/models"
"github.com/gravitl/netmaker/mq"
"golang.org/x/exp/slog"
)
const unauthorisedUserNodeCheckInterval = 3 * time.Minute
// AddUnauthorisedUserNodeHooks - adds hook to prevent access from unauthorised (expired) user nodes
func AddUnauthorisedUserNodeHooks() {
slog.Debug("adding unauthorisedUserNode hook")
logic.HookManagerCh <- models.HookDetails{
Hook: unauthorisedUserNodeHook,
Interval: unauthorisedUserNodeCheckInterval,
}
}
// unauthorisedUserNodeHook - checks if a user node should be disabled, using the user's last login time
func unauthorisedUserNodeHook() error {
slog.Debug("running unauthorisedUserNode hook")
users, err := logic.GetUsers()
if err != nil {
slog.Error("error getting users: ", "error", err)
return err
}
clients, err := logic.GetAllExtClients()
if err != nil {
slog.Error("error getting clients: ", "error", err)
return err
}
currentTime := time.Now()
validityDuration := logic.GetJwtValidityDuration()
for _, user := range users {
if user.PlatformRoleID == models.AdminRole ||
user.PlatformRoleID == models.SuperAdminRole {
continue
}
if !currentTime.After(user.LastLoginTime.Add(validityDuration)) {
continue
}
for _, client := range clients {
if client.RemoteAccessClientID == "" {
continue
}
if (client.OwnerID == user.UserName) &&
client.Enabled {
slog.Info(fmt.Sprintf("disabling user node %s for user %s: auth token expired", client.ClientID, client.OwnerID))
if err := disableExtClient(&client); err != nil {
slog.Error("error disabling user node", "error", err)
continue // dont return but try for other clients
}
}
}
}
slog.Debug("finished running unauthorisedUserNode hook")
return nil
}
func disableExtClient(client *models.ExtClient) error {
if newClient, err := logic.ToggleExtClientConnectivity(client, false); err != nil {
return err
} else {
// publish peer update to ingress gateway
if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
if err = mq.PublishPeerUpdate(false); err != nil {
slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
}
ingressHost, err := logic.GetHost(ingressNode.HostID.String())
if err != nil {
return err
}
nodes, err := logic.GetAllNodes()
if err != nil {
return err
}
go mq.PublishSingleHostPeerUpdate(ingressHost, nodes, nil, []models.ExtClient{*client}, false, nil)
} else {
return err
}
}
return nil
}
Reference in a new issue View git blame Copy permalink