mirror of
https://github.com/gravitl/netmaker.git
synced 2025-10-03 18:35:01 +08:00
2e8d95e80e
* user mgmt models * define user roles * define models for new user mgmt and groups * oauth debug log * initialize user role after db conn * print oauth token in debug log * user roles CRUD apis * user groups CRUD Apis * additional api checks * add additional scopes * add additional scopes url * add additional scopes url * rm additional scopes url * setup middlleware permission checks * integrate permission check into middleware * integrate permission check into middleware * check for headers for subjects * refactor user role models * refactor user groups models * add new user to pending user via RAC login * untracked * allow multiple groups for an user * change json tag * add debug headers * refer network controls form roles, add debug headers * refer network controls form roles, add debug headers * replace auth checks, add network id to role model * nodes handler * migration funcs * invoke sync users migration func * add debug logs * comment middleware * fix get all nodes api * add debug logs * fix middleware error nil check * add new func to get username from jwt * fix jwt parsing * abort on error * allow multiple network roles * allow multiple network roles * add migration func * return err if jwt parsing fails * set global check to true when accessing user apis * set netid for acls api calls * set netid for acls api calls * update role and groups routes * add validation checks * add invite flow apis and magic links * add invited user via oauth signup automatically * create invited user on oauth signup, with groups in the invite * add group validation for user invite * update create user handler with new role mgmt * add validation checks * create user invites tables * add error logging for email invite * fix invite singup url * debug log * get query params from url * get query params from url * add query escape * debug log * debug log * fix user signup via invite api * set admin field for backward compatbility * use new role id for user apis * deprecate use of old admin fields * deprecate usage of old user fields * add user role as service user if empty * setup email sender * delete invite after user singup * add plaform user role * redirect on invite verification link * fix invite redirect * temporary redirect * fix invite redirect * point invite link to frontend * fix query params lookup * add resend support, configure email interface types * fix groups and user creation * validate user groups, add check for metrics api in middleware * add invite url to invite model * migrate rac apis to new user mgmt * handle network nodes * add platform user to default role * fix user role migration * add default on rag creation and cleanup after deletion * fix rac apis * change to invite code param * filter nodes and hosts based on user network access * extend create user group req to accomodate users * filter network based on user access * format oauth error * move user roles and groups * fix get user v1 api * move user mgmt func to pro * add user auth type to user model * fix roles init * remove platform role from group object * list only platform roles * add network roles to invite req * create default groups and roles * fix middleware for global access * create default role * fix nodes filter with global network roles * block selfupdate of groups and network roles * delete netID if net roles are empty * validate user roles nd groups on update * set extclient permission scope when rag vpn access is set * allow deletion of roles and groups * replace _ with - in role naming convention * fix failover middleware mgmt * format oauth templates * fetch route temaplate * return err if user wrong login type * check user groups on rac apis * fix rac apis * fix resp msg * add validation checks for admin invite * return oauth type * format group err msg * fix html tag * clean up default groups * create default rag role * add UI name to roles * remove default net group from user when deleted * reorder migration funcs * fix duplicacy of hosts * check old field for migration * from pro to ce make all secondary users admins * from pro to ce make all secondary users admins * revert: from pro to ce make all secondary users admins * make sure downgrades work * fix pending users approval * fix duplicate hosts * fix duplicate hosts entries * fix cache reference issue * feat: configure FRONTEND_URL during installation * disable user vpn access when network roles are modified * rm vpn acces when roles or groups are deleted * add http to frontend url * revert crypto version * downgrade crytpo version * add platform id check on user invites --------- Co-authored-by: the_aceix <aceixsmartx@gmail.com>
199 lines
6.8 KiB
Go
199 lines
6.8 KiB
Go
package models
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
|
|
jwt "github.com/golang-jwt/jwt/v4"
|
|
)
|
|
|
|
type NetworkID string
|
|
type RsrcType string
|
|
type RsrcID string
|
|
type UserRoleID string
|
|
type UserGroupID string
|
|
type AuthType string
|
|
|
|
var (
|
|
BasicAuth AuthType = "basic_auth"
|
|
OAuth AuthType = "oauth"
|
|
)
|
|
|
|
func (r RsrcType) String() string {
|
|
return string(r)
|
|
}
|
|
|
|
func (rid RsrcID) String() string {
|
|
return string(rid)
|
|
}
|
|
|
|
func GetRAGRoleName(netID, hostName string) string {
|
|
return fmt.Sprintf("netID-%s-rag-%s", netID, hostName)
|
|
}
|
|
|
|
func GetRAGRoleID(netID, hostID string) UserRoleID {
|
|
return UserRoleID(fmt.Sprintf("netID-%s-rag-%s", netID, hostID))
|
|
}
|
|
|
|
var RsrcTypeMap = map[RsrcType]struct{}{
|
|
HostRsrc: {},
|
|
RelayRsrc: {},
|
|
RemoteAccessGwRsrc: {},
|
|
ExtClientsRsrc: {},
|
|
InetGwRsrc: {},
|
|
EgressGwRsrc: {},
|
|
NetworkRsrc: {},
|
|
EnrollmentKeysRsrc: {},
|
|
UserRsrc: {},
|
|
AclRsrc: {},
|
|
DnsRsrc: {},
|
|
FailOverRsrc: {},
|
|
}
|
|
|
|
const AllNetworks NetworkID = "all_networks"
|
|
const (
|
|
HostRsrc RsrcType = "hosts"
|
|
RelayRsrc RsrcType = "relays"
|
|
RemoteAccessGwRsrc RsrcType = "remote_access_gw"
|
|
ExtClientsRsrc RsrcType = "extclients"
|
|
InetGwRsrc RsrcType = "inet_gw"
|
|
EgressGwRsrc RsrcType = "egress"
|
|
NetworkRsrc RsrcType = "networks"
|
|
EnrollmentKeysRsrc RsrcType = "enrollment_key"
|
|
UserRsrc RsrcType = "users"
|
|
AclRsrc RsrcType = "acl"
|
|
DnsRsrc RsrcType = "dns"
|
|
FailOverRsrc RsrcType = "fail_over"
|
|
MetricRsrc RsrcType = "metrics"
|
|
)
|
|
|
|
const (
|
|
AllHostRsrcID RsrcID = "all_host"
|
|
AllRelayRsrcID RsrcID = "all_relay"
|
|
AllRemoteAccessGwRsrcID RsrcID = "all_remote_access_gw"
|
|
AllExtClientsRsrcID RsrcID = "all_extclients"
|
|
AllInetGwRsrcID RsrcID = "all_inet_gw"
|
|
AllEgressGwRsrcID RsrcID = "all_egress"
|
|
AllNetworkRsrcID RsrcID = "all_network"
|
|
AllEnrollmentKeysRsrcID RsrcID = "all_enrollment_key"
|
|
AllUserRsrcID RsrcID = "all_user"
|
|
AllDnsRsrcID RsrcID = "all_dns"
|
|
AllFailOverRsrcID RsrcID = "all_fail_over"
|
|
AllAclsRsrcID RsrcID = "all_acls"
|
|
)
|
|
|
|
// Pre-Defined User Roles
|
|
|
|
const (
|
|
SuperAdminRole UserRoleID = "super-admin"
|
|
AdminRole UserRoleID = "admin"
|
|
ServiceUser UserRoleID = "service-user"
|
|
PlatformUser UserRoleID = "platform-user"
|
|
NetworkAdmin UserRoleID = "network-admin"
|
|
NetworkUser UserRoleID = "network-user"
|
|
)
|
|
|
|
func (r UserRoleID) String() string {
|
|
return string(r)
|
|
}
|
|
|
|
func (g UserGroupID) String() string {
|
|
return string(g)
|
|
}
|
|
|
|
func (n NetworkID) String() string {
|
|
return string(n)
|
|
}
|
|
|
|
type RsrcPermissionScope struct {
|
|
Create bool `json:"create"`
|
|
Read bool `json:"read"`
|
|
Update bool `json:"update"`
|
|
Delete bool `json:"delete"`
|
|
VPNaccess bool `json:"vpn_access"`
|
|
SelfOnly bool `json:"self_only"`
|
|
}
|
|
|
|
type UserRolePermissionTemplate struct {
|
|
ID UserRoleID `json:"id"`
|
|
UiName string `json:"ui_name"`
|
|
Default bool `json:"default"`
|
|
DenyDashboardAccess bool `json:"deny_dashboard_access"`
|
|
FullAccess bool `json:"full_access"`
|
|
NetworkID NetworkID `json:"network_id"`
|
|
NetworkLevelAccess map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_level_access"`
|
|
GlobalLevelAccess map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"global_level_access"`
|
|
}
|
|
|
|
type CreateGroupReq struct {
|
|
Group UserGroup `json:"user_group"`
|
|
Members []string `json:"members"`
|
|
}
|
|
|
|
type UserGroup struct {
|
|
ID UserGroupID `json:"id"`
|
|
NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
|
|
MetaData string `json:"meta_data"`
|
|
}
|
|
|
|
// User struct - struct for Users
|
|
type User struct {
|
|
UserName string `json:"username" bson:"username" validate:"min=3,max=40,in_charset|email"`
|
|
Password string `json:"password" bson:"password" validate:"required,min=5"`
|
|
IsAdmin bool `json:"isadmin" bson:"isadmin"` // deprecated
|
|
IsSuperAdmin bool `json:"issuperadmin"` // deprecated
|
|
RemoteGwIDs map[string]struct{} `json:"remote_gw_ids"` // deprecated
|
|
AuthType AuthType `json:"auth_type"`
|
|
UserGroups map[UserGroupID]struct{} `json:"user_group_ids"`
|
|
PlatformRoleID UserRoleID `json:"platform_role_id"`
|
|
NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
|
|
LastLoginTime time.Time `json:"last_login_time"`
|
|
}
|
|
|
|
type ReturnUserWithRolesAndGroups struct {
|
|
ReturnUser
|
|
PlatformRole UserRolePermissionTemplate `json:"platform_role"`
|
|
}
|
|
|
|
// ReturnUser - return user struct
|
|
type ReturnUser struct {
|
|
UserName string `json:"username"`
|
|
IsAdmin bool `json:"isadmin"`
|
|
IsSuperAdmin bool `json:"issuperadmin"`
|
|
AuthType AuthType `json:"auth_type"`
|
|
RemoteGwIDs map[string]struct{} `json:"remote_gw_ids"` // deprecated
|
|
UserGroups map[UserGroupID]struct{} `json:"user_group_ids"`
|
|
PlatformRoleID UserRoleID `json:"platform_role_id"`
|
|
NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
|
|
LastLoginTime time.Time `json:"last_login_time"`
|
|
}
|
|
|
|
// UserAuthParams - user auth params struct
|
|
type UserAuthParams struct {
|
|
UserName string `json:"username"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
// UserClaims - user claims struct
|
|
type UserClaims struct {
|
|
Role UserRoleID
|
|
UserName string
|
|
jwt.RegisteredClaims
|
|
}
|
|
|
|
type InviteUsersReq struct {
|
|
UserEmails []string `json:"user_emails"`
|
|
PlatformRoleID string `json:"platform_role_id"`
|
|
UserGroups map[UserGroupID]struct{} `json:"user_group_ids"`
|
|
NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
|
|
}
|
|
|
|
// UserInvite - model for user invite
|
|
type UserInvite struct {
|
|
Email string `json:"email"`
|
|
PlatformRoleID string `json:"platform_role_id"`
|
|
UserGroups map[UserGroupID]struct{} `json:"user_group_ids"`
|
|
NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
|
|
InviteCode string `json:"invite_code"`
|
|
InviteURL string `json:"invite_url"`
|
|
}
|