2022-05-03 16:02:51 +02:00
|
|
|
package server
|
|
|
|
|
|
2023-01-02 15:11:32 +01:00
|
|
|
import (
|
2024-07-03 11:33:02 +02:00
|
|
|
"context"
|
2024-08-08 17:01:38 +02:00
|
|
|
"errors"
|
2023-07-14 20:45:40 +02:00
|
|
|
"fmt"
|
2024-08-08 17:01:38 +02:00
|
|
|
"slices"
|
2023-07-14 20:45:40 +02:00
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
nbdns "github.com/netbirdio/netbird/dns"
|
|
|
|
|
"github.com/netbirdio/netbird/route"
|
2024-03-17 11:13:39 +01:00
|
|
|
"github.com/rs/xid"
|
2023-07-14 20:45:40 +02:00
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
|
|
2023-01-02 15:11:32 +01:00
|
|
|
"github.com/netbirdio/netbird/management/server/activity"
|
2024-03-27 18:48:48 +01:00
|
|
|
nbgroup "github.com/netbirdio/netbird/management/server/group"
|
2023-01-02 15:11:32 +01:00
|
|
|
"github.com/netbirdio/netbird/management/server/status"
|
|
|
|
|
)
|
2022-05-03 16:02:51 +02:00
|
|
|
|
2023-07-14 20:45:40 +02:00
|
|
|
type GroupLinkError struct {
|
|
|
|
|
Resource string
|
|
|
|
|
Name string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (e *GroupLinkError) Error() string {
|
|
|
|
|
return fmt.Sprintf("group has been linked to %s: %s", e.Resource, e.Name)
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-27 16:10:50 +02:00
|
|
|
// CheckGroupPermissions validates if a user has the necessary permissions to view groups
|
|
|
|
|
func (am *DefaultAccountManager) CheckGroupPermissions(ctx context.Context, accountID, userID string) error {
|
|
|
|
|
settings, err := am.Store.GetAccountSettings(ctx, LockingStrengthShare, accountID)
|
2022-05-03 16:02:51 +02:00
|
|
|
if err != nil {
|
2024-09-27 16:10:50 +02:00
|
|
|
return err
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-09-27 16:10:50 +02:00
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2024-03-27 16:11:45 +01:00
|
|
|
if err != nil {
|
2024-09-27 16:10:50 +02:00
|
|
|
return err
|
2024-03-27 16:11:45 +01:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
|
return status.NewUserNotPartOfAccountError()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if user.IsRegularUser() && settings.RegularUsersViewBlocked {
|
|
|
|
|
return status.NewAdminPermissionError()
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-09-27 16:10:50 +02:00
|
|
|
return nil
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-09-27 16:10:50 +02:00
|
|
|
// GetGroup returns a specific group by groupID in an account
|
|
|
|
|
func (am *DefaultAccountManager) GetGroup(ctx context.Context, accountID, groupID, userID string) (*nbgroup.Group, error) {
|
|
|
|
|
if err := am.CheckGroupPermissions(ctx, accountID, userID); err != nil {
|
2024-03-27 16:11:45 +01:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2024-11-08 16:39:36 +01:00
|
|
|
return am.Store.GetGroupByID(ctx, LockingStrengthShare, accountID, groupID)
|
2024-09-27 16:10:50 +02:00
|
|
|
}
|
2024-03-27 16:11:45 +01:00
|
|
|
|
2024-09-27 16:10:50 +02:00
|
|
|
// GetAllGroups returns all groups in an account
|
|
|
|
|
func (am *DefaultAccountManager) GetAllGroups(ctx context.Context, accountID, userID string) ([]*nbgroup.Group, error) {
|
|
|
|
|
if err := am.CheckGroupPermissions(ctx, accountID, userID); err != nil {
|
|
|
|
|
return nil, err
|
2024-03-27 16:11:45 +01:00
|
|
|
}
|
2024-11-07 22:32:14 +01:00
|
|
|
return am.Store.GetAccountGroups(ctx, LockingStrengthShare, accountID)
|
2024-03-27 16:11:45 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-19 15:41:27 +01:00
|
|
|
// GetGroupByName filters all groups in an account by name and returns the one with the most peers
|
2024-07-03 11:33:02 +02:00
|
|
|
func (am *DefaultAccountManager) GetGroupByName(ctx context.Context, groupName, accountID string) (*nbgroup.Group, error) {
|
2024-11-08 16:39:36 +01:00
|
|
|
return am.Store.GetGroupByName(ctx, LockingStrengthShare, accountID, groupName)
|
2024-01-19 15:41:27 +01:00
|
|
|
}
|
|
|
|
|
|
2022-05-03 16:02:51 +02:00
|
|
|
// SaveGroup object of the peers
|
2024-07-03 11:33:02 +02:00
|
|
|
func (am *DefaultAccountManager) SaveGroup(ctx context.Context, accountID, userID string, newGroup *nbgroup.Group) error {
|
2024-07-31 14:53:32 +02:00
|
|
|
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
2022-11-07 17:52:23 +01:00
|
|
|
defer unlock()
|
2024-07-15 16:04:06 +02:00
|
|
|
return am.SaveGroups(ctx, accountID, userID, []*nbgroup.Group{newGroup})
|
|
|
|
|
}
|
2022-05-03 16:02:51 +02:00
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
// SaveGroups adds new groups to the account.
|
|
|
|
|
// Note: This function does not acquire the global lock.
|
|
|
|
|
// It is the caller's responsibility to ensure proper locking is in place before invoking this method.
|
|
|
|
|
func (am *DefaultAccountManager) SaveGroups(ctx context.Context, accountID, userID string, newGroups []*nbgroup.Group) error {
|
2024-11-08 16:39:36 +01:00
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2022-05-03 16:02:51 +02:00
|
|
|
if err != nil {
|
2022-11-11 20:36:45 +01:00
|
|
|
return err
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
2024-02-13 10:59:31 +01:00
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
|
return status.NewUserNotPartOfAccountError()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
eventsToStore []func()
|
|
|
|
|
groupsToSave []*nbgroup.Group
|
|
|
|
|
)
|
2024-03-17 11:13:39 +01:00
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
for _, newGroup := range newGroups {
|
|
|
|
|
if newGroup.ID == "" && newGroup.Issued != nbgroup.GroupIssuedAPI {
|
|
|
|
|
return status.Errorf(status.InvalidArgument, "%s group without ID set", newGroup.Issued)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if newGroup.ID == "" && newGroup.Issued == nbgroup.GroupIssuedAPI {
|
2024-11-08 16:39:36 +01:00
|
|
|
existingGroup, err := am.Store.GetGroupByName(ctx, LockingStrengthShare, accountID, newGroup.Name)
|
2024-07-15 16:04:06 +02:00
|
|
|
if err != nil {
|
|
|
|
|
s, ok := status.FromError(err)
|
|
|
|
|
if !ok || s.ErrorType != status.NotFound {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-03-17 11:13:39 +01:00
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
// Avoid duplicate groups only for the API issued groups.
|
|
|
|
|
// Integration or JWT groups can be duplicated as they are coming from the IdP that we don't have control of.
|
|
|
|
|
if existingGroup != nil {
|
|
|
|
|
return status.Errorf(status.AlreadyExists, "group with name %s already exists", newGroup.Name)
|
2024-03-17 11:13:39 +01:00
|
|
|
}
|
2024-07-15 16:04:06 +02:00
|
|
|
|
|
|
|
|
newGroup.ID = xid.New().String()
|
2024-03-17 11:13:39 +01:00
|
|
|
}
|
|
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
for _, peerID := range newGroup.Peers {
|
2024-11-08 16:39:36 +01:00
|
|
|
if _, err = am.Store.GetPeerByID(ctx, LockingStrengthShare, accountID, peerID); err != nil {
|
2024-07-15 16:04:06 +02:00
|
|
|
return status.Errorf(status.InvalidArgument, "peer with ID \"%s\" not found", peerID)
|
|
|
|
|
}
|
2024-03-17 11:13:39 +01:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
newGroup.AccountID = accountID
|
|
|
|
|
groupsToSave = append(groupsToSave, newGroup)
|
2024-03-17 11:13:39 +01:00
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
events := am.prepareGroupEvents(ctx, userID, accountID, newGroup)
|
2024-07-15 16:04:06 +02:00
|
|
|
eventsToStore = append(eventsToStore, events...)
|
2024-02-13 10:59:31 +01:00
|
|
|
}
|
|
|
|
|
|
2024-10-23 12:05:02 +02:00
|
|
|
newGroupIDs := make([]string, 0, len(newGroups))
|
|
|
|
|
for _, newGroup := range newGroups {
|
|
|
|
|
newGroupIDs = append(newGroupIDs, newGroup.ID)
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
updateAccountPeers, err := am.areGroupChangesAffectPeers(ctx, accountID, newGroupIDs)
|
|
|
|
|
if err != nil {
|
2022-06-04 22:02:22 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
|
|
|
|
|
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err = transaction.SaveGroups(ctx, LockingStrengthUpdate, groupsToSave); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to save groups: %w", err)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2024-10-23 12:05:02 +02:00
|
|
|
}
|
2023-02-03 10:33:28 +01:00
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
for _, storeEvent := range eventsToStore {
|
|
|
|
|
storeEvent()
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if updateAccountPeers {
|
|
|
|
|
am.updateAccountPeers(ctx, accountID)
|
|
|
|
|
}
|
|
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// prepareGroupEvents prepares a list of event functions to be stored.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) prepareGroupEvents(ctx context.Context, userID string, accountID string, newGroup *nbgroup.Group) []func() {
|
2024-07-15 16:04:06 +02:00
|
|
|
var eventsToStore []func()
|
|
|
|
|
|
2023-01-02 15:11:32 +01:00
|
|
|
addedPeers := make([]string, 0)
|
|
|
|
|
removedPeers := make([]string, 0)
|
2024-07-15 16:04:06 +02:00
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
oldGroup, err := am.Store.GetGroupByID(ctx, LockingStrengthShare, accountID, newGroup.ID)
|
|
|
|
|
if err == nil && oldGroup != nil {
|
2023-01-02 15:11:32 +01:00
|
|
|
addedPeers = difference(newGroup.Peers, oldGroup.Peers)
|
|
|
|
|
removedPeers = difference(oldGroup.Peers, newGroup.Peers)
|
2023-01-24 10:17:24 +01:00
|
|
|
} else {
|
|
|
|
|
addedPeers = append(addedPeers, newGroup.Peers...)
|
2024-07-15 16:04:06 +02:00
|
|
|
eventsToStore = append(eventsToStore, func() {
|
|
|
|
|
am.StoreEvent(ctx, userID, newGroup.ID, accountID, activity.GroupCreated, newGroup.EventMeta())
|
|
|
|
|
})
|
2023-01-02 15:11:32 +01:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
for _, peerID := range addedPeers {
|
|
|
|
|
peer, err := am.Store.GetPeerByID(ctx, LockingStrengthShare, accountID, peerID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.WithContext(ctx).Errorf("peer %s not found under account %s while saving group", peerID, accountID)
|
2023-01-02 15:11:32 +01:00
|
|
|
continue
|
|
|
|
|
}
|
2024-11-08 16:39:36 +01:00
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
peerCopy := peer // copy to avoid closure issues
|
|
|
|
|
eventsToStore = append(eventsToStore, func() {
|
|
|
|
|
am.StoreEvent(ctx, userID, peerCopy.ID, accountID, activity.GroupAddedToPeer,
|
|
|
|
|
map[string]any{
|
|
|
|
|
"group": newGroup.Name, "group_id": newGroup.ID, "peer_ip": peerCopy.IP.String(),
|
|
|
|
|
"peer_fqdn": peerCopy.FQDN(am.GetDNSDomain()),
|
|
|
|
|
})
|
|
|
|
|
})
|
2023-01-02 15:11:32 +01:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
for _, peerID := range removedPeers {
|
|
|
|
|
peer, err := am.Store.GetPeerByID(ctx, LockingStrengthShare, accountID, peerID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.WithContext(ctx).Errorf("peer %s not found under account %s while saving group", peerID, accountID)
|
2023-01-02 15:11:32 +01:00
|
|
|
continue
|
|
|
|
|
}
|
2024-11-08 16:39:36 +01:00
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
peerCopy := peer // copy to avoid closure issues
|
|
|
|
|
eventsToStore = append(eventsToStore, func() {
|
|
|
|
|
am.StoreEvent(ctx, userID, peerCopy.ID, accountID, activity.GroupRemovedFromPeer,
|
|
|
|
|
map[string]any{
|
|
|
|
|
"group": newGroup.Name, "group_id": newGroup.ID, "peer_ip": peerCopy.IP.String(),
|
|
|
|
|
"peer_fqdn": peerCopy.FQDN(am.GetDNSDomain()),
|
|
|
|
|
})
|
|
|
|
|
})
|
2023-01-02 15:11:32 +01:00
|
|
|
}
|
|
|
|
|
|
2024-07-15 16:04:06 +02:00
|
|
|
return eventsToStore
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2023-01-02 15:11:32 +01:00
|
|
|
// difference returns the elements in `a` that aren't in `b`.
|
|
|
|
|
func difference(a, b []string) []string {
|
|
|
|
|
mb := make(map[string]struct{}, len(b))
|
|
|
|
|
for _, x := range b {
|
|
|
|
|
mb[x] = struct{}{}
|
|
|
|
|
}
|
|
|
|
|
var diff []string
|
|
|
|
|
for _, x := range a {
|
|
|
|
|
if _, found := mb[x]; !found {
|
|
|
|
|
diff = append(diff, x)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return diff
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
// DeleteGroup object of the peers.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) DeleteGroup(ctx context.Context, accountID, userID, groupID string) error {
|
|
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2022-05-03 16:02:51 +02:00
|
|
|
if err != nil {
|
2022-11-11 20:36:45 +01:00
|
|
|
return err
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
|
return status.NewUserNotPartOfAccountError()
|
2023-07-14 20:45:40 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
group, err := am.Store.GetGroupByID(ctx, LockingStrengthShare, accountID, groupID)
|
2024-09-27 16:10:50 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if group.Name == "All" {
|
2024-09-27 16:10:50 +02:00
|
|
|
return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if err = am.validateDeleteGroup(ctx, group, userID); err != nil {
|
2024-08-08 17:01:38 +02:00
|
|
|
return err
|
2023-11-01 11:04:17 +01:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
|
|
|
|
|
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err = transaction.DeleteGroup(ctx, LockingStrengthUpdate, accountID, groupID); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to delete group: %w", err)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
2024-08-08 17:01:38 +02:00
|
|
|
return err
|
2023-07-14 20:45:40 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
am.StoreEvent(ctx, userID, groupID, accountID, activity.GroupDeleted, group.EventMeta())
|
2023-07-14 20:45:40 +02:00
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
2023-07-14 20:45:40 +02:00
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
// DeleteGroups deletes groups from an account.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, userID string, groupIDs []string) error {
|
|
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2024-08-08 17:01:38 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2023-07-14 20:45:40 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
|
return status.NewUserNotPartOfAccountError()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
allErrors error
|
|
|
|
|
groupIDsToDelete []string
|
|
|
|
|
deletedGroups []*nbgroup.Group
|
|
|
|
|
)
|
2023-07-14 20:45:40 +02:00
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
for _, groupID := range groupIDs {
|
2024-11-08 16:39:36 +01:00
|
|
|
group, err := am.Store.GetGroupByID(ctx, LockingStrengthShare, accountID, groupID)
|
|
|
|
|
if err != nil {
|
2024-08-08 17:01:38 +02:00
|
|
|
continue
|
2023-07-14 20:45:40 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if err := am.validateDeleteGroup(ctx, group, userID); err != nil {
|
2024-08-08 17:01:38 +02:00
|
|
|
allErrors = errors.Join(allErrors, fmt.Errorf("failed to delete group %s: %w", groupID, err))
|
|
|
|
|
continue
|
2024-03-27 18:48:48 +01:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
groupIDsToDelete = append(groupIDsToDelete, groupID)
|
2024-08-08 17:01:38 +02:00
|
|
|
deletedGroups = append(deletedGroups, group)
|
|
|
|
|
}
|
2022-05-03 16:02:51 +02:00
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
|
|
|
|
|
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-05-03 16:02:51 +02:00
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if err = transaction.DeleteGroups(ctx, LockingStrengthUpdate, accountID, groupIDsToDelete); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to delete group: %w", err)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
})
|
2022-05-03 16:02:51 +02:00
|
|
|
if err != nil {
|
2024-11-08 16:39:36 +01:00
|
|
|
return err
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
for _, group := range deletedGroups {
|
|
|
|
|
am.StoreEvent(ctx, userID, group.ID, accountID, activity.GroupDeleted, group.EventMeta())
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
return allErrors
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GroupAddPeer appends peer to the group
|
2024-07-03 11:33:02 +02:00
|
|
|
func (am *DefaultAccountManager) GroupAddPeer(ctx context.Context, accountID, groupID, peerID string) error {
|
2024-11-08 16:39:36 +01:00
|
|
|
group, err := am.Store.GetGroupByID(ctx, LockingStrengthShare, accountID, groupID)
|
2022-05-03 16:02:51 +02:00
|
|
|
if err != nil {
|
2022-11-11 20:36:45 +01:00
|
|
|
return err
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
add := true
|
|
|
|
|
for _, itemID := range group.Peers {
|
2023-02-03 10:33:28 +01:00
|
|
|
if itemID == peerID {
|
2022-05-03 16:02:51 +02:00
|
|
|
add = false
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if add {
|
2023-02-03 10:33:28 +01:00
|
|
|
group.Peers = append(group.Peers, peerID)
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
updateAccountPeers, err := am.areGroupChangesAffectPeers(ctx, accountID, []string{groupID})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
|
|
|
|
|
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err = transaction.SaveGroup(ctx, LockingStrengthUpdate, group); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to save group: %w", err)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
2022-06-04 22:02:22 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if updateAccountPeers {
|
|
|
|
|
am.updateAccountPeers(ctx, accountID)
|
2024-10-23 12:05:02 +02:00
|
|
|
}
|
2023-10-04 15:08:50 +02:00
|
|
|
|
|
|
|
|
return nil
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GroupDeletePeer removes peer from the group
|
2024-07-03 11:33:02 +02:00
|
|
|
func (am *DefaultAccountManager) GroupDeletePeer(ctx context.Context, accountID, groupID, peerID string) error {
|
2024-11-08 16:39:36 +01:00
|
|
|
group, err := am.Store.GetGroupByID(ctx, LockingStrengthShare, accountID, groupID)
|
2022-05-03 16:02:51 +02:00
|
|
|
if err != nil {
|
2022-11-11 20:36:45 +01:00
|
|
|
return err
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
updated := false
|
2022-05-03 16:02:51 +02:00
|
|
|
for i, itemID := range group.Peers {
|
2023-09-28 14:32:36 +02:00
|
|
|
if itemID == peerID {
|
2022-05-03 16:02:51 +02:00
|
|
|
group.Peers = append(group.Peers[:i], group.Peers[i+1:]...)
|
2024-11-08 16:39:36 +01:00
|
|
|
updated = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !updated {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
updateAccountPeers, err := am.areGroupChangesAffectPeers(ctx, accountID, []string{groupID})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
|
|
|
|
|
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err = transaction.SaveGroup(ctx, LockingStrengthUpdate, group); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to save group: %w", err)
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
2024-11-08 16:39:36 +01:00
|
|
|
return nil
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if updateAccountPeers {
|
|
|
|
|
am.updateAccountPeers(ctx, accountID)
|
2024-10-23 12:05:02 +02:00
|
|
|
}
|
2023-10-04 15:08:50 +02:00
|
|
|
|
|
|
|
|
return nil
|
2022-05-03 16:02:51 +02:00
|
|
|
}
|
2024-08-08 17:01:38 +02:00
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) validateDeleteGroup(ctx context.Context, group *nbgroup.Group, userID string) error {
|
2024-08-08 17:01:38 +02:00
|
|
|
// disable a deleting integration group if the initiator is not an admin service user
|
|
|
|
|
if group.Issued == nbgroup.GroupIssuedIntegration {
|
2024-11-08 16:39:36 +01:00
|
|
|
executingUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
|
|
|
|
if err != nil {
|
2024-08-08 17:01:38 +02:00
|
|
|
return status.Errorf(status.NotFound, "user not found")
|
|
|
|
|
}
|
|
|
|
|
if executingUser.Role != UserRoleAdmin || !executingUser.IsServiceUser {
|
|
|
|
|
return status.Errorf(status.PermissionDenied, "only service users with admin power can delete integration group")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if isLinked, linkedRoute := am.isGroupLinkedToRoute(ctx, group.AccountID, group.ID); isLinked {
|
2024-08-08 17:01:38 +02:00
|
|
|
return &GroupLinkError{"route", string(linkedRoute.NetID)}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if isLinked, linkedDns := am.isGroupLinkedToDns(ctx, group.AccountID, group.ID); isLinked {
|
2024-08-08 17:01:38 +02:00
|
|
|
return &GroupLinkError{"name server groups", linkedDns.Name}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if isLinked, linkedPolicy := am.isGroupLinkedToPolicy(ctx, group.AccountID, group.ID); isLinked {
|
2024-08-08 17:01:38 +02:00
|
|
|
return &GroupLinkError{"policy", linkedPolicy.Name}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if isLinked, linkedSetupKey := am.isGroupLinkedToSetupKey(ctx, group.AccountID, group.ID); isLinked {
|
2024-08-08 17:01:38 +02:00
|
|
|
return &GroupLinkError{"setup key", linkedSetupKey.Name}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
if isLinked, linkedUser := am.isGroupLinkedToUser(ctx, group.AccountID, group.ID); isLinked {
|
2024-08-08 17:01:38 +02:00
|
|
|
return &GroupLinkError{"user", linkedUser.Id}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
dnsSettings, err := am.Store.GetAccountDNSSettings(ctx, LockingStrengthShare, group.AccountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if slices.Contains(dnsSettings.DisabledManagementGroups, group.ID) {
|
2024-08-08 17:01:38 +02:00
|
|
|
return &GroupLinkError{"disabled DNS management groups", group.Name}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
settings, err := am.Store.GetAccountSettings(ctx, LockingStrengthShare, group.AccountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if settings.Extra != nil {
|
|
|
|
|
if slices.Contains(settings.Extra.IntegratedValidatorGroups, group.ID) {
|
2024-08-08 17:01:38 +02:00
|
|
|
return &GroupLinkError{"integrated validator", group.Name}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToRoute checks if a group is linked to any route in the account.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) isGroupLinkedToRoute(ctx context.Context, accountID string, groupID string) (bool, *route.Route) {
|
|
|
|
|
routes, err := am.Store.GetAccountRoutes(ctx, LockingStrengthShare, accountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.WithContext(ctx).Errorf("error retrieving routes while checking group linkage: %v", err)
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
for _, r := range routes {
|
|
|
|
|
if slices.Contains(r.Groups, groupID) || slices.Contains(r.PeerGroups, groupID) {
|
|
|
|
|
return true, r
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-11-08 16:39:36 +01:00
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToPolicy checks if a group is linked to any policy in the account.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) isGroupLinkedToPolicy(ctx context.Context, accountID string, groupID string) (bool, *Policy) {
|
|
|
|
|
policies, err := am.Store.GetAccountPolicies(ctx, LockingStrengthShare, accountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.WithContext(ctx).Errorf("error retrieving policies while checking group linkage: %v", err)
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
for _, policy := range policies {
|
|
|
|
|
for _, rule := range policy.Rules {
|
|
|
|
|
if slices.Contains(rule.Sources, groupID) || slices.Contains(rule.Destinations, groupID) {
|
|
|
|
|
return true, policy
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToDns checks if a group is linked to any nameserver group in the account.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) isGroupLinkedToDns(ctx context.Context, accountID string, groupID string) (bool, *nbdns.NameServerGroup) {
|
|
|
|
|
nameServerGroups, err := am.Store.GetAccountNameServerGroups(ctx, LockingStrengthShare, accountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.WithContext(ctx).Errorf("error retrieving name server groups while checking group linkage: %v", err)
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
for _, dns := range nameServerGroups {
|
|
|
|
|
for _, g := range dns.Groups {
|
|
|
|
|
if g == groupID {
|
|
|
|
|
return true, dns
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-11-08 16:39:36 +01:00
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToSetupKey checks if a group is linked to any setup key in the account.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) isGroupLinkedToSetupKey(ctx context.Context, accountID string, groupID string) (bool, *SetupKey) {
|
|
|
|
|
setupKeys, err := am.Store.GetAccountSetupKeys(ctx, LockingStrengthShare, accountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.WithContext(ctx).Errorf("error retrieving setup keys while checking group linkage: %v", err)
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
for _, setupKey := range setupKeys {
|
|
|
|
|
if slices.Contains(setupKey.AutoGroups, groupID) {
|
|
|
|
|
return true, setupKey
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToUser checks if a group is linked to any user in the account.
|
2024-11-08 16:39:36 +01:00
|
|
|
func (am *DefaultAccountManager) isGroupLinkedToUser(ctx context.Context, accountID string, groupID string) (bool, *User) {
|
|
|
|
|
users, err := am.Store.GetAccountUsers(ctx, LockingStrengthShare, accountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.WithContext(ctx).Errorf("error retrieving users while checking group linkage: %v", err)
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-08 17:01:38 +02:00
|
|
|
for _, user := range users {
|
|
|
|
|
if slices.Contains(user.AutoGroups, groupID) {
|
|
|
|
|
return true, user
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
2024-10-23 12:05:02 +02:00
|
|
|
|
2024-11-08 16:39:36 +01:00
|
|
|
// areGroupChangesAffectPeers checks if any changes to the specified groups will affect peers.
|
|
|
|
|
func (am *DefaultAccountManager) areGroupChangesAffectPeers(ctx context.Context, accountID string, groupIDs []string) (bool, error) {
|
|
|
|
|
if len(groupIDs) == 0 {
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dnsSettings, err := am.Store.GetAccountDNSSettings(ctx, LockingStrengthShare, accountID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, groupID := range groupIDs {
|
|
|
|
|
if slices.Contains(dnsSettings.DisabledManagementGroups, groupID) {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
if linked, _ := am.isGroupLinkedToDns(ctx, accountID, groupID); linked {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
if linked, _ := am.isGroupLinkedToPolicy(ctx, accountID, groupID); linked {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
if linked, _ := am.isGroupLinkedToRoute(ctx, accountID, groupID); linked {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToRoute checks if a group is linked to any route in the account.
|
|
|
|
|
func isGroupLinkedToRoute(routes map[route.ID]*route.Route, groupID string) (bool, *route.Route) {
|
|
|
|
|
for _, r := range routes {
|
|
|
|
|
if slices.Contains(r.Groups, groupID) || slices.Contains(r.PeerGroups, groupID) {
|
|
|
|
|
return true, r
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToPolicy checks if a group is linked to any policy in the account.
|
|
|
|
|
func isGroupLinkedToPolicy(policies []*Policy, groupID string) (bool, *Policy) {
|
|
|
|
|
for _, policy := range policies {
|
|
|
|
|
for _, rule := range policy.Rules {
|
|
|
|
|
if slices.Contains(rule.Sources, groupID) || slices.Contains(rule.Destinations, groupID) {
|
|
|
|
|
return true, policy
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// isGroupLinkedToDns checks if a group is linked to any nameserver group in the account.
|
|
|
|
|
func isGroupLinkedToDns(nameServerGroups map[string]*nbdns.NameServerGroup, groupID string) (bool, *nbdns.NameServerGroup) {
|
|
|
|
|
for _, dns := range nameServerGroups {
|
|
|
|
|
for _, g := range dns.Groups {
|
|
|
|
|
if g == groupID {
|
|
|
|
|
return true, dns
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-23 12:05:02 +02:00
|
|
|
// anyGroupHasPeers checks if any of the given groups in the account have peers.
|
|
|
|
|
func anyGroupHasPeers(account *Account, groupIDs []string) bool {
|
|
|
|
|
for _, groupID := range groupIDs {
|
|
|
|
|
if group, exists := account.Groups[groupID]; exists && group.HasPeers() {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func areGroupChangesAffectPeers(account *Account, groupIDs []string) bool {
|
|
|
|
|
for _, groupID := range groupIDs {
|
|
|
|
|
if slices.Contains(account.DNSSettings.DisabledManagementGroups, groupID) {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if linked, _ := isGroupLinkedToDns(account.NameServerGroups, groupID); linked {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if linked, _ := isGroupLinkedToPolicy(account.Policies, groupID); linked {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if linked, _ := isGroupLinkedToRoute(account.Routes, groupID); linked {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
}
|
