zishuo/netmaker
1
0
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-27 13:12:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

Prevent removing idp integration when oauth user is superadmin (#3589)

Browse Source 
* feat(go): prevent removing idp integration when oauth user is superadmin.

* feat(go): add suggestion for user;

* feat(go): remove usages of boolean fields on user;

* feat(go): set boolean fields correctly, but don't use;

* fix(go): static issues;

* feat(go): add suggestion for user;
This commit is contained in:
Vishal Dalwadi
2025-08-25 10:28:53 +05:30
committed by GitHub
parent c3498004c1
commit ec6e6c393a
7 changed files with 53 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
controllers/server.go
View File

@@ -4,6 +4,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt"
"github.com/gravitl/netmaker/db" "github.com/gravitl/netmaker/db"
"github.com/gravitl/netmaker/schema" "github.com/gravitl/netmaker/schema"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
@@ -274,6 +275,24 @@ func updateSettings(w http.ResponseWriter, r *http.Request) {
return return
} }
currSettings := logic.GetServerSettings() currSettings := logic.GetServerSettings()
if req.AuthProvider != currSettings.AuthProvider && req.AuthProvider == "" {
superAdmin, err := logic.GetSuperAdmin()
if err != nil {
err = fmt.Errorf("failed to get super admin: %v", err)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
if superAdmin.AuthType == models.OAuth {
err := fmt.Errorf(
"cannot remove IdP integration because an OAuth user has the super-admin role; transfer the super-admin role to another user first",
)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
return
}
}
err := logic.UpsertServerSettings(req) err := logic.UpsertServerSettings(req)
if err != nil { if err != nil {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to update server settings "+err.Error()), "internal")) logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to update server settings "+err.Error()), "internal"))

5
controllers/user.go
View File

@@ -296,7 +296,7 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
return return
} }
if !user.IsSuperAdmin && !logic.IsBasicAuthEnabled() { if user.PlatformRoleID != models.SuperAdminRole && !logic.IsBasicAuthEnabled() {
logic.ReturnErrorResponse( logic.ReturnErrorResponse(
response, response,
request, request,
@@ -1124,6 +1124,7 @@ func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
return return
} }
u.IsSuperAdmin = true
u.PlatformRoleID = models.SuperAdminRole u.PlatformRoleID = models.SuperAdminRole
err = logic.UpsertUser(*u) err = logic.UpsertUser(*u)
if err != nil { if err != nil {
@@ -1131,6 +1132,8 @@ func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal")) logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return return
} }
caller.IsSuperAdmin = false
caller.PlatformRoleID = models.AdminRole caller.PlatformRoleID = models.AdminRole
err = logic.UpsertUser(*caller) err = logic.UpsertUser(*caller)
if err != nil { if err != nil {

21
logic/auth.go
View File

@@ -30,25 +30,12 @@ const (
NetmakerDesktopApp = "netmaker-desktop" NetmakerDesktopApp = "netmaker-desktop"
) )
var (
superUser = models.User{}
)
func ClearSuperUserCache() {
superUser = models.User{}
}
var IsOAuthConfigured = func() bool { return false } var IsOAuthConfigured = func() bool { return false }
var ResetAuthProvider = func() {} var ResetAuthProvider = func() {}
var ResetIDPSyncHook = func() {} var ResetIDPSyncHook = func() {}
// HasSuperAdmin - checks if server has an superadmin/owner // HasSuperAdmin - checks if server has an superadmin/owner
func HasSuperAdmin() (bool, error) { func HasSuperAdmin() (bool, error) {
if superUser.IsSuperAdmin {
return true, nil
}
collection, err := database.FetchRecords(database.USERS_TABLE_NAME) collection, err := database.FetchRecords(database.USERS_TABLE_NAME)
if err != nil { if err != nil {
if database.IsEmptyRecord(err) { if database.IsEmptyRecord(err) {
@@ -63,7 +50,7 @@ func HasSuperAdmin() (bool, error) {
if err != nil { if err != nil {
continue continue
} }
if user.PlatformRoleID == models.SuperAdminRole || user.IsSuperAdmin { if user.PlatformRoleID == models.SuperAdminRole {
return true, nil return true, nil
} }
} }
@@ -215,6 +202,8 @@ func CreateSuperAdmin(u *models.User) error {
if hassuperadmin { if hassuperadmin {
return errors.New("superadmin user already exists") return errors.New("superadmin user already exists")
} }
u.IsSuperAdmin = true
u.IsAdmin = true
u.PlatformRoleID = models.SuperAdminRole u.PlatformRoleID = models.SuperAdminRole
return CreateUser(u) return CreateUser(u)
} }
@@ -282,9 +271,7 @@ func UpsertUser(user models.User) error {
slog.Error("error inserting user", "user", user.UserName, "error", err.Error()) slog.Error("error inserting user", "user", user.UserName, "error", err.Error())
return err return err
} }
if user.IsSuperAdmin {
superUser = user
}
return nil return nil
} }

2
logic/gateway.go
View File

@@ -247,7 +247,7 @@ func GetIngressGwUsers(node models.Node) (models.IngressGwUsers, error) {
return gwUsers, err return gwUsers, err
} }
for _, user := range users { for _, user := range users {
if !user.IsAdmin && !user.IsSuperAdmin { if user.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID != models.AdminRole {
gwUsers.Users = append(gwUsers.Users, user) gwUsers.Users = append(gwUsers.Users, user)
} }
} }

2
logic/users.go
View File

@@ -82,7 +82,7 @@ func GetSuperAdmin() (models.ReturnUser, error) {
return models.ReturnUser{}, err return models.ReturnUser{}, err
} }
for _, user := range users { for _, user := range users {
if user.IsSuperAdmin || user.PlatformRoleID == models.SuperAdminRole { if user.PlatformRoleID == models.SuperAdminRole {
return user, nil return user, nil
} }
} }

24
migrate/migrate.go
View File

@@ -125,7 +125,15 @@ func assignSuperAdmin() {
return return
} }
for _, u := range users { for _, u := range users {
if u.IsAdmin { var isAdmin bool
if u.PlatformRoleID == models.AdminRole {
isAdmin = true
}
if u.PlatformRoleID == "" && u.IsAdmin {
isAdmin = true
}
if isAdmin {
user, err := logic.GetUser(u.UserName) user, err := logic.GetUser(u.UserName)
if err != nil { if err != nil {
slog.Error("error getting user", "user", u.UserName, "error", err.Error()) slog.Error("error getting user", "user", u.UserName, "error", err.Error())
@@ -530,11 +538,18 @@ func syncUsers() {
user := user user := user
if user.PlatformRoleID == models.AdminRole && !user.IsAdmin { if user.PlatformRoleID == models.AdminRole && !user.IsAdmin {
user.IsAdmin = true user.IsAdmin = true
user.IsSuperAdmin = false
logic.UpsertUser(user) logic.UpsertUser(user)
} }
if user.PlatformRoleID == models.SuperAdminRole && !user.IsSuperAdmin { if user.PlatformRoleID == models.SuperAdminRole && !user.IsSuperAdmin {
user.IsSuperAdmin = true user.IsSuperAdmin = true
user.IsAdmin = true
logic.UpsertUser(user)
}
if user.PlatformRoleID == models.PlatformUser || user.PlatformRoleID == models.ServiceUser {
user.IsSuperAdmin = false
user.IsAdmin = false
logic.UpsertUser(user)
} }
if user.PlatformRoleID.String() != "" { if user.PlatformRoleID.String() != "" {
logic.MigrateUserRoleAndGroups(user) logic.MigrateUserRoleAndGroups(user)
@@ -552,9 +567,12 @@ func syncUsers() {
if len(user.UserGroups) == 0 { if len(user.UserGroups) == 0 {
user.UserGroups = make(map[models.UserGroupID]struct{}) user.UserGroups = make(map[models.UserGroupID]struct{})
} }
// We reach here only if the platform role id has not been set.
//
// Thus, we use the boolean fields to assign the role.
if user.IsSuperAdmin { if user.IsSuperAdmin {
user.PlatformRoleID = models.SuperAdminRole user.PlatformRoleID = models.SuperAdminRole
} else if user.IsAdmin { } else if user.IsAdmin {
user.PlatformRoleID = models.AdminRole user.PlatformRoleID = models.AdminRole
} else { } else {

7
pro/controllers/users.go
View File

@@ -1935,11 +1935,10 @@ func removeIDPIntegration(w http.ResponseWriter, r *http.Request) {
} }
if superAdmin.AuthType == models.OAuth { if superAdmin.AuthType == models.OAuth {
logic.ReturnErrorResponse( err := fmt.Errorf(
w, "cannot remove IdP integration because an OAuth user has the super-admin role; transfer the super-admin role to another user first",
r,
logic.FormatError(fmt.Errorf("cannot remove idp integration with superadmin oauth user"), "badrequest"),
) )
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
return return
} }