netbird/management/server/http/middleware/access_control.go

package middleware

import (
	"net/http"
	"regexp"

	log "github.com/sirupsen/logrus"

	"github.com/netbirdio/netbird/management/server"
	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
	"github.com/netbirdio/netbird/management/server/http/util"
	"github.com/netbirdio/netbird/management/server/status"

	"github.com/netbirdio/netbird/management/server/jwtclaims"
)

// GetUser function defines a function to fetch user from Account by jwtclaims.AuthorizationClaims
type GetUser func(claims jwtclaims.AuthorizationClaims) (*server.User, error)

// AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only
type AccessControl struct {
	claimsExtract jwtclaims.ClaimsExtractor
	getUser       GetUser
}

// NewAccessControl instance constructor
func NewAccessControl(audience, userIDClaim string, getUser GetUser) *AccessControl {
	return &AccessControl{
		claimsExtract: *jwtclaims.NewClaimsExtractor(
			jwtclaims.WithAudience(audience),
			jwtclaims.WithUserIDClaim(userIDClaim),
		),
		getUser: getUser,
	}
}

var tokenPathRegexp = regexp.MustCompile(`^.*/api/users/.*/tokens.*$`)

// Handler method of the middleware which forbids all modify requests for non admin users
func (a *AccessControl) Handler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

		if bypass.ShouldBypass(r.URL.Path, h, w, r) {
			return
		}

		claims := a.claimsExtract.FromRequestContext(r)

		user, err := a.getUser(claims)
		if err != nil {
			log.Errorf("failed to get user from claims: %s", err)
			util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
			return
		}

		if user.IsBlocked() {
			util.WriteError(status.Errorf(status.PermissionDenied, "the user has no access to the API or is blocked"), w)
			return
		}

		if !user.HasAdminPower() {
			switch r.Method {
			case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:

				if tokenPathRegexp.MatchString(r.URL.Path) {
					log.Debugf("valid Path")
					h.ServeHTTP(w, r)
					return
				}

				util.WriteError(status.Errorf(status.PermissionDenied, "only users with admin power can perform this operation"), w)
				return
			}
		}

		h.ServeHTTP(w, r)
	})
}
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`package middleware`

			`import (`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`"net/http"`
disable access control for token endpoint 2023-03-30 19:03:44 +02:00			`"regexp"`

			`log "github.com/sirupsen/logrus"`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00			`"github.com/netbirdio/netbird/management/server"`
Add account usage logic (#1567) --------- Co-authored-by: Yury Gargay <yury.gargay@gmail.com> 2024-02-22 12:27:08 +01:00			`"github.com/netbirdio/netbird/management/server/http/middleware/bypass"`
Replace gRPC errors in business logic with internal ones (#558) 2022-11-11 20:36:45 +01:00			`"github.com/netbirdio/netbird/management/server/http/util"`
			`"github.com/netbirdio/netbird/management/server/status"`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00
			`"github.com/netbirdio/netbird/management/server/jwtclaims"`
			`)`

Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00			`// GetUser function defines a function to fetch user from Account by jwtclaims.AuthorizationClaims`
			`type GetUser func(claims jwtclaims.AuthorizationClaims) (*server.User, error)`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00
Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`// AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only`
			`type AccessControl struct {`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`claimsExtract jwtclaims.ClaimsExtractor`
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00			`getUser GetUser`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`}`

Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`// NewAccessControl instance constructor`
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00			`func NewAccessControl(audience, userIDClaim string, getUser GetUser) *AccessControl {`
Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`return &AccessControl{`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`claimsExtract: *jwtclaims.NewClaimsExtractor(`
			`jwtclaims.WithAudience(audience),`
			`jwtclaims.WithUserIDClaim(userIDClaim),`
			`),`
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00			`getUser: getUser,`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`}`
			`}`

Prepare regexps on compile time (#1327) 2023-11-27 13:01:00 +01:00			var tokenPathRegexp = regexp.MustCompile(`^./api/users/./tokens.*$`)

Hide setup key from non-admin users (#539) 2022-11-03 17:02:31 +01:00			`// Handler method of the middleware which forbids all modify requests for non admin users`
			`func (a *AccessControl) Handler(h http.Handler) http.Handler {`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Add account usage logic (#1567) --------- Co-authored-by: Yury Gargay <yury.gargay@gmail.com> 2024-02-22 12:27:08 +01:00
			`if bypass.ShouldBypass(r.URL.Path, h, w, r) {`
			`return`
			`}`

Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`claims := a.claimsExtract.FromRequestContext(r)`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00			`user, err := a.getUser(claims)`
disable access control for token endpoint 2023-03-30 19:03:44 +02:00			`if err != nil {`
Log access control error (#1299) 2023-11-09 17:15:59 +01:00			`log.Errorf("failed to get user from claims: %s", err)`
disable access control for token endpoint 2023-03-30 19:03:44 +02:00			`util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)`
			`return`
			`}`
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00
			`if user.IsBlocked() {`
			`util.WriteError(status.Errorf(status.PermissionDenied, "the user has no access to the API or is blocked"), w)`
			`return`
			`}`

add owner role support (#1340) This PR adds support to Owner roles. The owner role has a similar access level as the admin, but it has the power to delete the account. Besides that, the role has the following constraints: - The role can only be transferred. So, only a user with the owner role can transfer the owner role to a new user - It can't be assigned to users being invited - It can't be assigned to service users 2023-12-01 17:24:57 +01:00			`if !user.HasAdminPower() {`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`switch r.Method {`
			`case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:`
change order for access control checks and aquire account lock after global lock 2023-03-31 12:03:53 +02:00
Prepare regexps on compile time (#1327) 2023-11-27 13:01:00 +01:00			`if tokenPathRegexp.MatchString(r.URL.Path) {`
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field. 2023-05-11 18:09:36 +02:00			`log.Debugf("valid Path")`
change order for access control checks and aquire account lock after global lock 2023-03-31 12:03:53 +02:00			`h.ServeHTTP(w, r)`
			`return`
			`}`

add owner role support (#1340) This PR adds support to Owner roles. The owner role has a similar access level as the admin, but it has the power to delete the account. Besides that, the role has the following constraints: - The role can only be transferred. So, only a user with the owner role can transfer the owner role to a new user - It can't be assigned to users being invited - It can't be assigned to service users 2023-12-01 17:24:57 +01:00			`util.WriteError(status.Errorf(status.PermissionDenied, "only users with admin power can perform this operation"), w)`
feat(ac): add access control middleware (#321) 2022-05-25 18:26:50 +02:00			`return`
			`}`
			`}`

			`h.ServeHTTP(w, r)`
			`})`
			`}`