zishuo/netmaker
1
0
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-10-06 01:07:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

Added logging and user specific requests

Browse Source
This commit is contained in:
afeiszli
2021-07-14 16:47:05 -04:00
parent 4cf5aad2e7
commit d41207172c
9 changed files with 720 additions and 661 deletions
Download Patch File Download Diff File Expand all files Collapse all files

302
controllers/networkHttpController.go
View File

@@ -9,6 +9,7 @@ import (
"net/http"
"strings"
"time"
"github.com/go-playground/validator/v10"
"github.com/gorilla/mux"
"github.com/gravitl/netmaker/functions"
@@ -20,8 +21,11 @@ import (
"go.mongodb.org/mongo-driver/mongo/options"
)
const ALL_NETWORK_ACCESS = "THIS_USER_HAS_ALL"
const NO_NETWORKS_PRESENT = "THIS_USER_HAS_NONE"
func networkHandlers(r *mux.Router) {
r.HandleFunc("/api/networks", securityCheck(true, http.HandlerFunc(getNetworks))).Methods("GET")
r.HandleFunc("/api/networks", securityCheck(false, http.HandlerFunc(getNetworks))).Methods("GET")
r.HandleFunc("/api/networks", securityCheck(true, http.HandlerFunc(createNetwork))).Methods("POST")
r.HandleFunc("/api/networks/{networkname}", securityCheck(false, http.HandlerFunc(getNetwork))).Methods("GET")
r.HandleFunc("/api/networks/{networkname}", securityCheck(false, http.HandlerFunc(updateNetwork))).Methods("PUT")
@@ -30,7 +34,7 @@ func networkHandlers(r *mux.Router) {
r.HandleFunc("/api/networks/{networkname}/keyupdate", securityCheck(false, http.HandlerFunc(keyUpdate))).Methods("POST")
r.HandleFunc("/api/networks/{networkname}/keys", securityCheck(false, http.HandlerFunc(createAccessKey))).Methods("POST")
r.HandleFunc("/api/networks/{networkname}/keys", securityCheck(false, http.HandlerFunc(getAccessKeys))).Methods("GET")
r.HandleFunc("/api/networks/{networkname}/signuptoken", securityCheck(false, http.HandlerFunc(getSignupToken))).Methods("GET")
r.HandleFunc("/api/networks/{networkname}/signuptoken", securityCheck(false, http.HandlerFunc(getSignupToken))).Methods("GET")
r.HandleFunc("/api/networks/{networkname}/keys/{name}", securityCheck(false, http.HandlerFunc(deleteAccessKey))).Methods("DELETE")
}
@@ -45,7 +49,7 @@ func securityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
var params = mux.Vars(r)
bearerToken := r.Header.Get("Authorization")
err := SecurityCheck(reqAdmin, params["networkname"], bearerToken)
err, networks, username := SecurityCheck(reqAdmin, params["networkname"], bearerToken)
if err != nil {
if strings.Contains(err.Error(), "does not exist") {
errorResponse.Code = http.StatusNotFound
@@ -54,18 +58,26 @@ func securityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
returnErrorResponse(w, r, errorResponse)
return
}
networksJson, err := json.Marshal(&networks)
if err != nil {
errorResponse.Message = err.Error()
returnErrorResponse(w, r, errorResponse)
return
}
r.Header.Set("user", username)
r.Header.Set("networks", string(networksJson))
next.ServeHTTP(w, r)
}
}
func SecurityCheck(reqAdmin bool, netname, token string) error {
hasnetwork := netname != ""
func SecurityCheck(reqAdmin bool, netname, token string) (error, []string, string) {
networkexists, err := functions.NetworkExists(netname)
if err != nil {
return err
return err, nil, ""
}
if hasnetwork && !networkexists {
return errors.New("This network does not exist")
if netname != "" && !networkexists {
return errors.New("This network does not exist"), nil, ""
}
var hasBearer = true
@@ -77,23 +89,30 @@ func SecurityCheck(reqAdmin bool, netname, token string) error {
} else {
authToken = tokenSplit[1]
}
userNetworks := []string{}
//all endpoints here require master so not as complicated
if !hasBearer || !authenticateMaster(authToken) {
_, networks, isadmin, err := functions.VerifyUserToken(authToken)
isMasterAuthenticated := authenticateMaster(authToken)
username := ""
if !hasBearer || !isMasterAuthenticated {
userName, networks, isadmin, err := functions.VerifyUserToken(authToken)
username = userName
if err != nil {
return errors.New("Error verifying user token")
return errors.New("Error verifying user token"), nil, username
}
if !isadmin && reqAdmin {
return errors.New("You are unauthorized to access this endpoint")
} else if !isadmin && netname != ""{
if !functions.SliceContains(networks, netname){
return errors.New("You are unauthorized to access this endpoint")
}
} else if !isadmin {
return errors.New("You are unauthorized to access this endpoint")
return errors.New("You are unauthorized to access this endpoint"), nil, username
}
userNetworks = networks
if isadmin {
userNetworks = []string{ALL_NETWORK_ACCESS}
}
} else if isMasterAuthenticated {
userNetworks = []string{ALL_NETWORK_ACCESS}
}
return nil
if len(userNetworks) == 0 {
userNetworks = append(userNetworks, NO_NETWORKS_PRESENT)
}
return nil, userNetworks, username
}
//Consider a more secure way of setting master key
@@ -107,16 +126,33 @@ func authenticateMaster(tokenString string) bool {
//simple get all networks function
func getNetworks(w http.ResponseWriter, r *http.Request) {
allnetworks, err := functions.ListNetworks()
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
headerNetworks := r.Header.Get("networks")
networksSlice := []string{}
marshalErr := json.Unmarshal([]byte(headerNetworks), &networksSlice)
if marshalErr != nil {
returnErrorResponse(w, r, formatError(marshalErr, "internal"))
return
}
allnetworks := []models.Network{}
err := errors.New("Networks Error")
if networksSlice[0] == ALL_NETWORK_ACCESS {
allnetworks, err = functions.ListNetworks()
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
} else {
for _, network := range networksSlice {
netObject, parentErr := functions.GetParentNetwork(network)
if parentErr == nil {
allnetworks = append(allnetworks, netObject)
}
}
}
networks := RemoveComms(allnetworks)
functions.PrintUserLog(r.Header.Get("user"), "fetched networks.", 2)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(networks)
return
}
func RemoveComms(networks []models.Network) []models.Network {
@@ -137,13 +173,13 @@ func RemoveComms(networks []models.Network) []models.Network {
func ValidateNetworkUpdate(network models.NetworkUpdate) error {
v := validator.New()
_ = v.RegisterValidation("netid_valid", func(fl validator.FieldLevel) bool {
if fl.Field().String() == "" {
_ = v.RegisterValidation("netid_valid", func(fl validator.FieldLevel) bool {
if fl.Field().String() == "" {
return true
}
inCharSet := functions.NameInNetworkCharSet(fl.Field().String())
return inCharSet
})
inCharSet := functions.NameInNetworkCharSet(fl.Field().String())
return inCharSet
})
// _ = v.RegisterValidation("addressrange_valid", func(fl validator.FieldLevel) bool {
// isvalid := fl.Field().String() == "" || functions.IsIpCIDR(fl.Field().String())
@@ -231,6 +267,7 @@ func getNetwork(w http.ResponseWriter, r *http.Request) {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
functions.PrintUserLog(r.Header.Get("user"), "fetched network "+netname, 2)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(network)
}
@@ -257,6 +294,7 @@ func keyUpdate(w http.ResponseWriter, r *http.Request) {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
functions.PrintUserLog(r.Header.Get("user"), "updated key on network "+netname, 2)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(network)
}
@@ -329,7 +367,8 @@ func updateNetwork(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
var params = mux.Vars(r)
var network models.Network
network, err := functions.GetParentNetwork(params["networkname"])
netname := params["networkname"]
network, err := functions.GetParentNetwork(netname)
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
return
@@ -359,45 +398,47 @@ func updateNetwork(w http.ResponseWriter, r *http.Request) {
return
}
functions.PrintUserLog(r.Header.Get("user"), "updated network "+netname, 1)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(returnednetwork)
}
func updateNetworkNodeLimit(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
var params = mux.Vars(r)
var network models.Network
network, err := functions.GetParentNetwork(params["networkname"])
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
var networkChange models.NetworkUpdate
_ = json.NewDecoder(r.Body).Decode(&networkChange)
collection := mongoconn.Client.Database("netmaker").Collection("networks")
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
filter := bson.M{"netid": network.NetID}
if networkChange.NodeLimit !=0 {
update := bson.D{
{"$set", bson.D{
{"nodelimit", networkChange.NodeLimit},
}},
}
err := collection.FindOneAndUpdate(ctx, filter, update).Decode(&network)
defer cancel()
if err != nil {
returnErrorResponse(w, r, formatError(err, "badrequest"))
return
}
w.Header().Set("Content-Type", "application/json")
var params = mux.Vars(r)
var network models.Network
netname := params["networkname"]
network, err := functions.GetParentNetwork(netname)
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(network)
}
var networkChange models.NetworkUpdate
_ = json.NewDecoder(r.Body).Decode(&networkChange)
collection := mongoconn.Client.Database("netmaker").Collection("networks")
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
filter := bson.M{"netid": network.NetID}
if networkChange.NodeLimit != 0 {
update := bson.D{
{"$set", bson.D{
{"nodelimit", networkChange.NodeLimit},
}},
}
err := collection.FindOneAndUpdate(ctx, filter, update).Decode(&network)
defer cancel()
if err != nil {
returnErrorResponse(w, r, formatError(err, "badrequest"))
return
}
}
functions.PrintUserLog(r.Header.Get("user"), "updated network node limit on, "+netname, 1)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(network)
}
func UpdateNetwork(networkChange models.NetworkUpdate, network models.Network) (models.Network, error) {
//NOTE: Network.NetID is intentionally NOT editable. It acts as a static ID for the network.
@@ -528,12 +569,13 @@ func deleteNetwork(w http.ResponseWriter, r *http.Request) {
if err != nil {
errtype := "badrequest"
if strings.Contains(err.Error(), "Node check failed"){
if strings.Contains(err.Error(), "Node check failed") {
errtype = "forbidden"
}
returnErrorResponse(w, r, formatError(err, errtype))
return
}
functions.PrintUserLog(r.Header.Get("user"), "deleted network "+network, 1)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(count)
}
@@ -585,6 +627,7 @@ func createNetwork(w http.ResponseWriter, r *http.Request) {
returnErrorResponse(w, r, formatError(err, "badrequest"))
return
}
functions.PrintUserLog(r.Header.Get("user"), "created network "+network.NetID, 1)
w.WriteHeader(http.StatusOK)
//json.NewEncoder(w).Encode(result)
}
@@ -633,7 +676,8 @@ func createAccessKey(w http.ResponseWriter, r *http.Request) {
var params = mux.Vars(r)
var accesskey models.AccessKey
//start here
network, err := functions.GetParentNetwork(params["networkname"])
netname := params["networkname"]
network, err := functions.GetParentNetwork(netname)
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
return
@@ -648,6 +692,7 @@ func createAccessKey(w http.ResponseWriter, r *http.Request) {
returnErrorResponse(w, r, formatError(err, "badrequest"))
return
}
functions.PrintUserLog(r.Header.Get("user"), "created access key "+netname, 1)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(key)
//w.Write([]byte(accesskey.AccessString))
@@ -666,10 +711,10 @@ func CreateAccessKey(accesskey models.AccessKey, network models.Network) (models
accesskey.Uses = 1
}
checkkeys, err := GetKeys(network.NetID)
if err != nil {
return models.AccessKey{}, errors.New("could not retrieve network keys")
}
checkkeys, err := GetKeys(network.NetID)
if err != nil {
return models.AccessKey{}, errors.New("could not retrieve network keys")
}
for _, key := range checkkeys {
if key.Name == accesskey.Name {
@@ -685,38 +730,38 @@ func CreateAccessKey(accesskey models.AccessKey, network models.Network) (models
netID := network.NetID
var accessToken models.AccessToken
s := servercfg.GetServerConfig()
w := servercfg.GetWGConfig()
var accessToken models.AccessToken
s := servercfg.GetServerConfig()
w := servercfg.GetWGConfig()
servervals := models.ServerConfig{
APIConnString: s.APIConnString,
APIHost: s.APIHost,
APIPort: s.APIPort,
GRPCConnString: s.GRPCConnString,
GRPCHost: s.GRPCHost,
GRPCPort: s.GRPCPort,
GRPCSSL: s.GRPCSSL,
}
APIConnString: s.APIConnString,
APIHost: s.APIHost,
APIPort: s.APIPort,
GRPCConnString: s.GRPCConnString,
GRPCHost: s.GRPCHost,
GRPCPort: s.GRPCPort,
GRPCSSL: s.GRPCSSL,
}
wgvals := models.WG{
GRPCWireGuard: w.GRPCWireGuard,
GRPCWGAddress: w.GRPCWGAddress,
GRPCWGPort: w.GRPCWGPort,
GRPCWGPubKey: w.GRPCWGPubKey,
GRPCWGEndpoint: s.APIHost,
}
GRPCWireGuard: w.GRPCWireGuard,
GRPCWGAddress: w.GRPCWGAddress,
GRPCWGPort: w.GRPCWGPort,
GRPCWGPubKey: w.GRPCWGPubKey,
GRPCWGEndpoint: s.APIHost,
}
accessToken.ServerConfig = servervals
accessToken.WG = wgvals
accessToken.ServerConfig = servervals
accessToken.WG = wgvals
accessToken.ClientConfig.Network = netID
accessToken.ClientConfig.Key = accesskey.Value
accessToken.ClientConfig.LocalRange = privAddr
tokenjson, err := json.Marshal(accessToken)
if err != nil {
return accesskey, err
}
tokenjson, err := json.Marshal(accessToken)
if err != nil {
return accesskey, err
}
accesskey.AccessString = base64.StdEncoding.EncodeToString([]byte(tokenjson))
accesskey.AccessString = base64.StdEncoding.EncodeToString([]byte(tokenjson))
//validate accesskey
v := validator.New()
@@ -752,52 +797,51 @@ func GetSignupToken(netID string) (models.AccessKey, error) {
var accesskey models.AccessKey
var accessToken models.AccessToken
s := servercfg.GetServerConfig()
w := servercfg.GetWGConfig()
servervals := models.ServerConfig{
APIConnString: s.APIConnString,
APIHost: s.APIHost,
APIPort: s.APIPort,
GRPCConnString: s.GRPCConnString,
GRPCHost: s.GRPCHost,
GRPCPort: s.GRPCPort,
GRPCSSL: s.GRPCSSL,
}
wgvals := models.WG{
GRPCWireGuard: w.GRPCWireGuard,
GRPCWGAddress: w.GRPCWGAddress,
GRPCWGPort: w.GRPCWGPort,
GRPCWGPubKey: w.GRPCWGPubKey,
GRPCWGEndpoint: s.APIHost,
}
s := servercfg.GetServerConfig()
w := servercfg.GetWGConfig()
servervals := models.ServerConfig{
APIConnString: s.APIConnString,
APIHost: s.APIHost,
APIPort: s.APIPort,
GRPCConnString: s.GRPCConnString,
GRPCHost: s.GRPCHost,
GRPCPort: s.GRPCPort,
GRPCSSL: s.GRPCSSL,
}
wgvals := models.WG{
GRPCWireGuard: w.GRPCWireGuard,
GRPCWGAddress: w.GRPCWGAddress,
GRPCWGPort: w.GRPCWGPort,
GRPCWGPubKey: w.GRPCWGPubKey,
GRPCWGEndpoint: s.APIHost,
}
accessToken.ServerConfig = servervals
accessToken.WG = wgvals
accessToken.ServerConfig = servervals
accessToken.WG = wgvals
tokenjson, err := json.Marshal(accessToken)
if err != nil {
return accesskey, err
}
if err != nil {
return accesskey, err
}
accesskey.AccessString = base64.StdEncoding.EncodeToString([]byte(tokenjson))
return accesskey, nil
accesskey.AccessString = base64.StdEncoding.EncodeToString([]byte(tokenjson))
return accesskey, nil
}
func getSignupToken(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
var params = mux.Vars(r)
netID := params["networkname"]
w.Header().Set("Content-Type", "application/json")
var params = mux.Vars(r)
netID := params["networkname"]
token, err := GetSignupToken(netID)
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(token)
if err != nil {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
functions.PrintUserLog(r.Header.Get("user"), "got signup token "+netID, 2)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(token)
}
//pretty simple get
func getAccessKeys(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
@@ -808,6 +852,7 @@ func getAccessKeys(w http.ResponseWriter, r *http.Request) {
returnErrorResponse(w, r, formatError(err, "internal"))
return
}
functions.PrintUserLog(r.Header.Get("user"), "fetched access keys on network "+network, 2)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(keys)
}
@@ -836,6 +881,7 @@ func deleteAccessKey(w http.ResponseWriter, r *http.Request) {
returnErrorResponse(w, r, formatError(err, "badrequest"))
return
}
functions.PrintUserLog(r.Header.Get("user"), "deleted access key "+keyname+" on network "+netname, 1)
w.WriteHeader(http.StatusOK)
}
func DeleteKey(keyname, netname string) error {