mirror of
https://github.com/gravitl/netmaker.git
synced 2025-09-07 13:44:17 +08:00
307a3d1e4b
* feat: api access tokens
* revoke all user tokens
* redefine access token api routes, add auto egress option to enrollment keys
* add server settings apis, add db table for settigs
* handle server settings updates
* switch to using settings from DB
* fix sever settings migration
* revet force migration for settings
* fix server settings database write
* egress model
* fix revoked tokens to be unauthorized
* update egress model
* remove unused functions
* convert access token to sql schema
* switch access token to sql schema
* fix merge conflicts
* fix server settings types
* bypass basic auth setting for super admin
* add TODO comment
* setup api handlers for egress revamp
* use single DB, fix update nat boolean field
* extend validaiton checks for egress ranges
* add migration to convert to new egress model
* fix panic interface conversion
* publish peer update on settings update
* revoke token generated by an user
* add user token creation restriction by user role
* add forbidden check for access token creation
* revoke user token when group or role is changed
* add default group to admin users on update
* chore(go): import style changes from migration branch;
1. Singular file names for table schema.
2. No table name method.
3. Use .Model instead of .Table.
4. No unnecessary tagging.
* remove nat check on egress gateway request
* Revert "remove nat check on egress gateway request"
This reverts commit 0aff12a189.
* remove nat check on egress gateway request
* feat(go): add db middleware;
* feat(go): restore method;
* feat(go): add user access token schema;
* add inet gw status to egress model
* fetch node ids in the tag, add inet gw info clients
* add inet gw info to node from egress list
* add migration logic internet gws
* create default acl policies
* add egress info
* add egress TODO
* add egress TODO
* fix user auth api:
* add reference id to acl policy
* add egress response from DB
* publish peer update on egress changes
* re initalise oauth and email config
* set verbosity
* normalise cidr on egress req
* add egress id to acl group
* change acls to use egress id
* resolve merge conflicts
* fix egress reference errors
* move egress model to schema
* add api context to DB
* sync auto update settings with hosts
* sync auto update settings with hosts
* check acl for egress node
* check for egress policy in the acl dst groups
* fix acl rules for egress policies with new models
* add status to egress model
* fix inet node func
* mask secret and convert jwt duration to minutes
* enable egress policies on creation
* convert jwt duration to minutes
* add relevant ranges to inet egress
* skip non active egress routes
* resolve merge conflicts
* fix static check
* update gorm tag for primary key on egress model
* create user policies for egress resources
* resolve merge conflicts
* get egress info on failover apis, add egress src validation for inet gws
* add additional validation checks on egress req
* add additional validation checks on egress req
* skip all resources for inet policy
* delete associated egress acl policies
* fix failover of inetclient
* avoid setting inet client asd inet gw
* fix all resource egress policy
* fix inet gw egress rule
* check for node egress on relay req
* fix egress acl rules comms
* add new field for egress info on node
* check acl policy in failover ctx
* avoid default host to be set as inet client
* fix relayed egress node
* add valid error messaging for egress validate func
* return if inet default host
* jump port detection to 51821
* check host ports on pull
* check user access gws via acls
* add validation check for default host and failover for inet clients
* add error messaging for acl policy check
* fix inet gw status
* ignore failover req for peer using inet gw
* check for allowed egress ranges for a peer
* add egress routes to static nodes by access
* avoid setting failvoer as inet client
* fix egress error messaging
* fix extclients egress comms
* fix inet gw acting as inet client
* return formatted error on update acl validation
* add default route for static nodes on inetclient
* check relay node acting as inetclient
* move inet node info to separate field, fix all resouces policy
* remove debug logs
---------
Co-authored-by: Vishal Dalwadi <dalwadivishal26@gmail.com>
220 lines
6.9 KiB
Go
220 lines
6.9 KiB
Go
package controller
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/gravitl/netmaker/database"
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/logic"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/mq"
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"golang.org/x/exp/slog"
|
|
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
|
)
|
|
|
|
// swagger:route PUT /api/v1/nodes/migrate nodes migrateData
|
|
//
|
|
// Used to migrate a legacy node.
|
|
//
|
|
// Schemes: https
|
|
//
|
|
// Security:
|
|
// oauth
|
|
//
|
|
// Responses:
|
|
// 200: hostPull
|
|
func migrate(w http.ResponseWriter, r *http.Request) {
|
|
data := models.MigrationData{}
|
|
host := models.Host{}
|
|
node := models.Node{}
|
|
nodes := []models.Node{}
|
|
server := models.ServerConfig{}
|
|
err := json.NewDecoder(r.Body).Decode(&data)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"), "error decoding request body: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
for i, legacy := range data.LegacyNodes {
|
|
record, err := database.FetchRecord(database.NODES_TABLE_NAME, legacy.ID)
|
|
if err != nil {
|
|
slog.Error("legacy node not found", "error", err)
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("legacy node not found %w", err), "badrequest"))
|
|
return
|
|
}
|
|
var legacyNode models.LegacyNode
|
|
if err = json.Unmarshal([]byte(record), &legacyNode); err != nil {
|
|
slog.Error("decoding legacy node", "error", err)
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("decode legacy node %w", err), "badrequest"))
|
|
return
|
|
}
|
|
if err := bcrypt.CompareHashAndPassword([]byte(legacyNode.Password), []byte(legacy.Password)); err != nil {
|
|
slog.Error("legacy node invalid password", "error", err)
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("invalid password %w", err), "unauthorized"))
|
|
return
|
|
}
|
|
if i == 0 {
|
|
host, node = convertLegacyHostNode(legacy)
|
|
host.Name = data.HostName
|
|
host.HostPass = data.Password
|
|
host.OS = data.OS
|
|
if err := logic.CreateHost(&host); err != nil {
|
|
slog.Error("create host", "error", err)
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
server = logic.GetServerInfo()
|
|
key, keyErr := logic.RetrievePublicTrafficKey()
|
|
if keyErr != nil {
|
|
slog.Error("retrieving traffickey", "error", keyErr)
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(keyErr, "internal"))
|
|
return
|
|
}
|
|
server.TrafficKey = key
|
|
} else {
|
|
node = convertLegacyNode(legacyNode, host.ID)
|
|
}
|
|
if err := logic.UpsertNode(&node); err != nil {
|
|
slog.Error("update node", "error", err)
|
|
continue
|
|
}
|
|
host.Nodes = append(host.Nodes, node.ID.String())
|
|
|
|
nodes = append(nodes, node)
|
|
}
|
|
if err := logic.UpsertHost(&host); err != nil {
|
|
slog.Error("save host", "error", err)
|
|
}
|
|
go mq.PublishPeerUpdate(false)
|
|
response := models.HostPull{
|
|
Host: host,
|
|
Nodes: nodes,
|
|
ServerConfig: server,
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
json.NewEncoder(w).Encode(&response)
|
|
|
|
slog.Info("migrated nodes")
|
|
// check for gateways
|
|
for _, node := range data.LegacyNodes {
|
|
if node.IsEgressGateway == "yes" {
|
|
egressGateway := models.EgressGatewayRequest{
|
|
NodeID: node.ID,
|
|
Ranges: node.EgressGatewayRanges,
|
|
NatEnabled: node.EgressGatewayNatEnabled,
|
|
}
|
|
if _, err := logic.CreateEgressGateway(egressGateway); err != nil {
|
|
logger.Log(0, "error creating egress gateway for node", node.ID, err.Error())
|
|
}
|
|
}
|
|
if node.IsIngressGateway == "yes" {
|
|
ingressGateway := models.IngressRequest{}
|
|
ingressNode, err := logic.CreateIngressGateway(node.Network, node.ID, ingressGateway)
|
|
if err != nil {
|
|
logger.Log(0, "error creating ingress gateway for node", node.ID, err.Error())
|
|
}
|
|
go func() {
|
|
if err := mq.NodeUpdate(&ingressNode); err != nil {
|
|
slog.Error("error publishing node update to node", "node", ingressNode.ID, "error", err)
|
|
}
|
|
}()
|
|
}
|
|
}
|
|
}
|
|
|
|
func convertLegacyHostNode(legacy models.LegacyNode) (models.Host, models.Node) {
|
|
//convert host
|
|
host := models.Host{}
|
|
host.ID = uuid.New()
|
|
host.IPForwarding = models.ParseBool(legacy.IPForwarding)
|
|
host.AutoUpdate = logic.AutoUpdateEnabled()
|
|
host.Interface = "netmaker"
|
|
host.ListenPort = int(legacy.ListenPort)
|
|
if host.ListenPort == 0 {
|
|
host.ListenPort = 51821
|
|
}
|
|
host.MTU = int(legacy.MTU)
|
|
host.PublicKey, _ = wgtypes.ParseKey(legacy.PublicKey)
|
|
host.MacAddress = net.HardwareAddr(legacy.MacAddress)
|
|
host.TrafficKeyPublic = legacy.TrafficKeys.Mine
|
|
host.Nodes = append([]string{}, legacy.ID)
|
|
host.Interfaces = legacy.Interfaces
|
|
//host.DefaultInterface = legacy.Defaul
|
|
host.EndpointIP = net.ParseIP(legacy.Endpoint)
|
|
host.IsDocker = models.ParseBool(legacy.IsDocker)
|
|
host.IsK8S = models.ParseBool(legacy.IsK8S)
|
|
host.IsStaticPort = models.ParseBool(legacy.IsStatic)
|
|
host.IsStatic = models.ParseBool(legacy.IsStatic)
|
|
host.PersistentKeepalive = time.Duration(legacy.PersistentKeepalive) * time.Second
|
|
if host.PersistentKeepalive == 0 {
|
|
host.PersistentKeepalive = models.DefaultPersistentKeepAlive
|
|
}
|
|
|
|
node := convertLegacyNode(legacy, host.ID)
|
|
return host, node
|
|
}
|
|
|
|
func convertLegacyNode(legacy models.LegacyNode, hostID uuid.UUID) models.Node {
|
|
//convert node
|
|
node := models.Node{}
|
|
node.ID, _ = uuid.Parse(legacy.ID)
|
|
node.HostID = hostID
|
|
node.Network = legacy.Network
|
|
valid4 := true
|
|
valid6 := true
|
|
_, cidr4, err := net.ParseCIDR(legacy.NetworkSettings.AddressRange)
|
|
if err != nil {
|
|
valid4 = false
|
|
slog.Warn("parsing address range", "error", err)
|
|
} else {
|
|
node.NetworkRange = *cidr4
|
|
}
|
|
_, cidr6, err := net.ParseCIDR(legacy.NetworkSettings.AddressRange6)
|
|
if err != nil {
|
|
valid6 = false
|
|
slog.Warn("parsing address range6", "error", err)
|
|
} else {
|
|
node.NetworkRange6 = *cidr6
|
|
}
|
|
node.Server = servercfg.GetServer()
|
|
node.Connected = models.ParseBool(legacy.Connected)
|
|
if valid4 {
|
|
node.Address = net.IPNet{
|
|
IP: net.ParseIP(legacy.Address),
|
|
Mask: cidr4.Mask,
|
|
}
|
|
}
|
|
if valid6 {
|
|
node.Address6 = net.IPNet{
|
|
IP: net.ParseIP(legacy.Address6),
|
|
Mask: cidr6.Mask,
|
|
}
|
|
}
|
|
node.Action = models.NODE_NOOP
|
|
node.LocalAddress = net.IPNet{
|
|
IP: net.ParseIP(legacy.LocalAddress),
|
|
}
|
|
node.IsEgressGateway = models.ParseBool(legacy.IsEgressGateway)
|
|
node.EgressGatewayRanges = legacy.EgressGatewayRanges
|
|
node.IsIngressGateway = models.ParseBool(legacy.IsIngressGateway)
|
|
node.IsRelayed = false
|
|
node.IsRelay = false
|
|
node.RelayedNodes = []string{}
|
|
node.DNSOn = models.ParseBool(legacy.DNSOn)
|
|
node.LastModified = time.Now().UTC()
|
|
node.ExpirationDateTime = time.Unix(legacy.ExpirationDateTime, 0)
|
|
node.EgressGatewayNatEnabled = models.ParseBool(legacy.EgressGatewayNatEnabled)
|
|
node.EgressGatewayRequest = legacy.EgressGatewayRequest
|
|
node.IngressGatewayRange = legacy.IngressGatewayRange
|
|
node.IngressGatewayRange6 = legacy.IngressGatewayRange6
|
|
node.DefaultACL = legacy.DefaultACL
|
|
node.OwnerID = legacy.OwnerID
|
|
return node
|
|
}
|