netbird/management/server/http/pat_handler.go

206 lines
5.6 KiB
Go
Raw Normal View History

package http
import (
"encoding/json"
"net/http"
"github.com/gorilla/mux"
"github.com/netbirdio/netbird/management/server"
"github.com/netbirdio/netbird/management/server/http/api"
"github.com/netbirdio/netbird/management/server/http/util"
"github.com/netbirdio/netbird/management/server/jwtclaims"
"github.com/netbirdio/netbird/management/server/status"
)
// PATHandler is the nameserver group handler of the account
type PATHandler struct {
accountManager server.AccountManager
claimsExtractor *jwtclaims.ClaimsExtractor
}
2023-03-29 15:06:54 +02:00
// NewPATsHandler creates a new PATHandler HTTP handler
func NewPATsHandler(accountManager server.AccountManager, authCfg AuthCfg) *PATHandler {
return &PATHandler{
accountManager: accountManager,
claimsExtractor: jwtclaims.NewClaimsExtractor(
jwtclaims.WithAudience(authCfg.Audience),
jwtclaims.WithUserIDClaim(authCfg.UserIDClaim),
),
}
}
2023-03-29 15:06:54 +02:00
// GetAllTokens is HTTP GET handler that returns a list of all personal access tokens for the given user
func (h *PATHandler) GetAllTokens(w http.ResponseWriter, r *http.Request) {
claims := h.claimsExtractor.FromRequestContext(r)
account, user, err := h.accountManager.GetAccountFromToken(claims)
if err != nil {
util.WriteError(err, w)
return
}
vars := mux.Vars(r)
userID := vars["userId"]
if len(userID) == 0 {
util.WriteError(status.Errorf(status.InvalidArgument, "invalid user ID"), w)
return
}
if userID != user.Id {
util.WriteErrorResponse("User not authorized to get tokens", http.StatusUnauthorized, w)
return
}
var pats []*api.PersonalAccessToken
for _, pat := range account.Users[userID].PATs {
pats = append(pats, toPATResponse(pat))
}
util.WriteJSONObject(w, pats)
}
2023-03-29 15:06:54 +02:00
// GetToken is HTTP GET handler that returns a personal access token for the given user
func (h *PATHandler) GetToken(w http.ResponseWriter, r *http.Request) {
claims := h.claimsExtractor.FromRequestContext(r)
account, user, err := h.accountManager.GetAccountFromToken(claims)
if err != nil {
util.WriteError(err, w)
return
}
vars := mux.Vars(r)
userID := vars["userId"]
if len(userID) == 0 {
util.WriteError(status.Errorf(status.InvalidArgument, "invalid user ID"), w)
return
}
if userID != user.Id {
util.WriteErrorResponse("User not authorized to get token", http.StatusUnauthorized, w)
return
}
tokenID := vars["tokenId"]
if len(tokenID) == 0 {
util.WriteError(status.Errorf(status.InvalidArgument, "invalid token ID"), w)
return
}
user = account.Users[userID]
if user == nil {
util.WriteError(status.Errorf(status.NotFound, "user not found"), w)
return
}
pat := user.PATs[tokenID]
if pat == nil {
util.WriteError(status.Errorf(status.NotFound, "PAT not found"), w)
return
}
util.WriteJSONObject(w, toPATResponse(pat))
}
2023-03-29 15:06:54 +02:00
// CreateToken is HTTP POST handler that creates a personal access token for the given user
func (h *PATHandler) CreateToken(w http.ResponseWriter, r *http.Request) {
claims := h.claimsExtractor.FromRequestContext(r)
account, user, err := h.accountManager.GetAccountFromToken(claims)
if err != nil {
util.WriteError(err, w)
return
}
vars := mux.Vars(r)
userID := vars["userId"]
if len(userID) == 0 {
util.WriteError(status.Errorf(status.InvalidArgument, "invalid user ID"), w)
return
}
if userID != user.Id {
util.WriteErrorResponse("User not authorized to create token", http.StatusUnauthorized, w)
return
}
var req api.PostApiUsersUserIdTokensJSONRequestBody
err = json.NewDecoder(r.Body).Decode(&req)
if err != nil {
util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
return
}
2023-03-27 17:28:24 +02:00
if req.Name == "" {
2023-03-27 17:42:05 +02:00
util.WriteErrorResponse("name can't be empty", http.StatusBadRequest, w)
2023-03-27 17:28:24 +02:00
return
}
if req.ExpiresIn < 1 || req.ExpiresIn > 365 {
2023-03-27 17:42:05 +02:00
util.WriteErrorResponse("expiration has to be between 1 and 365", http.StatusBadRequest, w)
2023-03-27 17:28:24 +02:00
return
}
pat, err := server.CreateNewPAT(req.Name, req.ExpiresIn, user.Id)
2023-03-28 14:54:06 +02:00
if err != nil {
util.WriteError(err, w)
return
}
err = h.accountManager.AddPATToUser(account.Id, userID, &pat.PersonalAccessToken)
if err != nil {
util.WriteError(err, w)
return
}
util.WriteJSONObject(w, toPATGeneratedResponse(pat))
}
2023-03-29 15:06:54 +02:00
// DeleteToken is HTTP DELETE handler that deletes a personal access token for the given user
func (h *PATHandler) DeleteToken(w http.ResponseWriter, r *http.Request) {
claims := h.claimsExtractor.FromRequestContext(r)
account, user, err := h.accountManager.GetAccountFromToken(claims)
if err != nil {
util.WriteError(err, w)
return
}
vars := mux.Vars(r)
userID := vars["userId"]
if len(userID) == 0 {
util.WriteError(status.Errorf(status.InvalidArgument, "invalid user ID"), w)
return
}
if userID != user.Id {
util.WriteErrorResponse("User not authorized to delete token", http.StatusUnauthorized, w)
return
}
tokenID := vars["tokenId"]
if len(tokenID) == 0 {
util.WriteError(status.Errorf(status.InvalidArgument, "invalid token ID"), w)
return
}
err = h.accountManager.DeletePAT(account.Id, userID, tokenID)
if err != nil {
util.WriteError(err, w)
return
}
util.WriteJSONObject(w, "")
}
func toPATResponse(pat *server.PersonalAccessToken) *api.PersonalAccessToken {
return &api.PersonalAccessToken{
CreatedAt: pat.CreatedAt,
CreatedBy: pat.CreatedBy,
Name: pat.Name,
ExpirationDate: pat.ExpirationDate,
Id: pat.ID,
LastUsed: pat.LastUsed,
}
}
func toPATGeneratedResponse(pat *server.PersonalAccessTokenGenerated) *api.PersonalAccessTokenGenerated {
return &api.PersonalAccessTokenGenerated{
PlainToken: pat.PlainToken,
PersonalAccessToken: *toPATResponse(&pat.PersonalAccessToken),
}
}