2021-07-30 17:46:38 +02:00
|
|
|
package server
|
|
|
|
|
|
|
|
import (
|
2022-06-05 21:36:42 +02:00
|
|
|
"context"
|
2022-05-09 14:30:20 +02:00
|
|
|
"fmt"
|
2022-06-05 21:36:42 +02:00
|
|
|
"github.com/eko/gocache/v2/cache"
|
|
|
|
cacheStore "github.com/eko/gocache/v2/store"
|
2022-03-26 12:08:54 +01:00
|
|
|
"github.com/netbirdio/netbird/management/server/idp"
|
|
|
|
"github.com/netbirdio/netbird/management/server/jwtclaims"
|
2022-06-05 21:36:42 +02:00
|
|
|
gocache "github.com/patrickmn/go-cache"
|
2021-12-27 13:17:15 +01:00
|
|
|
"github.com/rs/xid"
|
2021-08-01 19:06:01 +02:00
|
|
|
log "github.com/sirupsen/logrus"
|
2021-07-30 17:46:38 +02:00
|
|
|
"google.golang.org/grpc/codes"
|
|
|
|
"google.golang.org/grpc/status"
|
2022-06-06 12:05:44 +02:00
|
|
|
"math/rand"
|
2022-06-05 21:36:42 +02:00
|
|
|
"reflect"
|
|
|
|
"strings"
|
|
|
|
"sync"
|
|
|
|
"time"
|
2021-07-30 17:46:38 +02:00
|
|
|
)
|
|
|
|
|
2022-03-01 15:22:18 +01:00
|
|
|
const (
|
2022-06-06 12:05:44 +02:00
|
|
|
PublicCategory = "public"
|
|
|
|
PrivateCategory = "private"
|
|
|
|
UnknownCategory = "unknown"
|
|
|
|
CacheExpirationMax = 7 * 24 * 3600 * time.Second // 7 days
|
|
|
|
CacheExpirationMin = 3 * 24 * 3600 * time.Second // 3 days
|
2022-03-01 15:22:18 +01:00
|
|
|
)
|
|
|
|
|
2022-02-22 11:28:19 +01:00
|
|
|
type AccountManager interface {
|
|
|
|
GetOrCreateAccountByUser(userId, domain string) (*Account, error)
|
|
|
|
GetAccountByUser(userId string) (*Account, error)
|
2022-05-21 15:21:39 +02:00
|
|
|
AddSetupKey(
|
|
|
|
accountId string,
|
|
|
|
keyName string,
|
|
|
|
keyType SetupKeyType,
|
2022-06-14 10:32:54 +02:00
|
|
|
expiresIn time.Duration,
|
2022-05-21 15:21:39 +02:00
|
|
|
) (*SetupKey, error)
|
2022-02-22 11:28:19 +01:00
|
|
|
RevokeSetupKey(accountId string, keyId string) (*SetupKey, error)
|
|
|
|
RenameSetupKey(accountId string, keyId string, newName string) (*SetupKey, error)
|
|
|
|
GetAccountById(accountId string) (*Account, error)
|
|
|
|
GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error)
|
2022-03-01 15:22:18 +01:00
|
|
|
GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error)
|
2022-05-25 18:26:50 +02:00
|
|
|
IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
|
2022-02-22 11:28:19 +01:00
|
|
|
AccountExists(accountId string) (*bool, error)
|
|
|
|
GetPeer(peerKey string) (*Peer, error)
|
|
|
|
MarkPeerConnected(peerKey string, connected bool) error
|
|
|
|
RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
|
|
|
|
DeletePeer(accountId string, peerKey string) (*Peer, error)
|
|
|
|
GetPeerByIP(accountId string, peerIP string) (*Peer, error)
|
|
|
|
GetNetworkMap(peerKey string) (*NetworkMap, error)
|
2022-06-24 21:30:51 +02:00
|
|
|
GetPeerNetwork(peerKey string) (*Network, error)
|
2022-05-05 20:02:15 +02:00
|
|
|
AddPeer(setupKey string, userId string, peer *Peer) (*Peer, error)
|
2022-05-23 13:03:57 +02:00
|
|
|
UpdatePeerMeta(peerKey string, meta PeerSystemMeta) error
|
2022-06-23 17:04:53 +02:00
|
|
|
UpdatePeerSSHKey(peerKey string, sshKey string) error
|
2022-05-05 08:58:34 +02:00
|
|
|
GetUsersFromAccount(accountId string) ([]*UserInfo, error)
|
2022-05-03 16:02:51 +02:00
|
|
|
GetGroup(accountId, groupID string) (*Group, error)
|
|
|
|
SaveGroup(accountId string, group *Group) error
|
2022-06-14 10:32:54 +02:00
|
|
|
UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
|
2022-05-03 16:02:51 +02:00
|
|
|
DeleteGroup(accountId, groupID string) error
|
|
|
|
ListGroups(accountId string) ([]*Group, error)
|
|
|
|
GroupAddPeer(accountId, groupID, peerKey string) error
|
|
|
|
GroupDeletePeer(accountId, groupID, peerKey string) error
|
|
|
|
GroupListPeers(accountId, groupID string) ([]*Peer, error)
|
2022-05-21 15:21:39 +02:00
|
|
|
GetRule(accountId, ruleID string) (*Rule, error)
|
|
|
|
SaveRule(accountID string, rule *Rule) error
|
2022-06-14 10:32:54 +02:00
|
|
|
UpdateRule(accountID string, ruleID string, operations []RuleUpdateOperation) (*Rule, error)
|
2022-05-21 15:21:39 +02:00
|
|
|
DeleteRule(accountId, ruleID string) error
|
|
|
|
ListRules(accountId string) ([]*Rule, error)
|
2022-06-23 17:04:53 +02:00
|
|
|
UpdatePeer(accountID string, peer *Peer) (*Peer, error)
|
2022-02-22 11:28:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
type DefaultAccountManager struct {
|
2021-07-30 17:46:38 +02:00
|
|
|
Store Store
|
|
|
|
// mutex to synchronise account operations (e.g. generating Peer IP address inside the Network)
|
2021-09-07 18:36:46 +02:00
|
|
|
mux sync.Mutex
|
|
|
|
peersUpdateManager *PeersUpdateManager
|
2022-01-24 11:21:30 +01:00
|
|
|
idpManager idp.Manager
|
2022-06-05 21:36:42 +02:00
|
|
|
cacheManager cache.CacheInterface
|
|
|
|
ctx context.Context
|
2021-07-30 17:46:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Account represents a unique account of the system
|
|
|
|
type Account struct {
|
2021-12-27 13:17:15 +01:00
|
|
|
Id string
|
|
|
|
// User.Id it was created by
|
2022-03-01 15:22:18 +01:00
|
|
|
CreatedBy string
|
|
|
|
Domain string
|
|
|
|
DomainCategory string
|
|
|
|
IsDomainPrimaryAccount bool
|
|
|
|
SetupKeys map[string]*SetupKey
|
|
|
|
Network *Network
|
|
|
|
Peers map[string]*Peer
|
|
|
|
Users map[string]*User
|
2022-05-03 16:02:51 +02:00
|
|
|
Groups map[string]*Group
|
2022-05-21 15:21:39 +02:00
|
|
|
Rules map[string]*Rule
|
2021-12-27 13:17:15 +01:00
|
|
|
}
|
|
|
|
|
2022-05-05 08:58:34 +02:00
|
|
|
type UserInfo struct {
|
|
|
|
ID string `json:"id"`
|
|
|
|
Email string `json:"email"`
|
|
|
|
Name string `json:"name"`
|
|
|
|
Role string `json:"role"`
|
|
|
|
}
|
|
|
|
|
2021-12-27 13:17:15 +01:00
|
|
|
func (a *Account) Copy() *Account {
|
|
|
|
peers := map[string]*Peer{}
|
|
|
|
for id, peer := range a.Peers {
|
|
|
|
peers[id] = peer.Copy()
|
|
|
|
}
|
|
|
|
|
|
|
|
users := map[string]*User{}
|
|
|
|
for id, user := range a.Users {
|
|
|
|
users[id] = user.Copy()
|
|
|
|
}
|
|
|
|
|
|
|
|
setupKeys := map[string]*SetupKey{}
|
|
|
|
for id, key := range a.SetupKeys {
|
|
|
|
setupKeys[id] = key.Copy()
|
|
|
|
}
|
|
|
|
|
2022-05-21 15:21:39 +02:00
|
|
|
groups := map[string]*Group{}
|
|
|
|
for id, group := range a.Groups {
|
|
|
|
groups[id] = group.Copy()
|
|
|
|
}
|
|
|
|
|
|
|
|
rules := map[string]*Rule{}
|
|
|
|
for id, rule := range a.Rules {
|
|
|
|
rules[id] = rule.Copy()
|
|
|
|
}
|
|
|
|
|
2021-12-27 13:17:15 +01:00
|
|
|
return &Account{
|
|
|
|
Id: a.Id,
|
|
|
|
CreatedBy: a.CreatedBy,
|
|
|
|
SetupKeys: setupKeys,
|
|
|
|
Network: a.Network.Copy(),
|
|
|
|
Peers: peers,
|
|
|
|
Users: users,
|
2022-05-21 15:21:39 +02:00
|
|
|
Groups: groups,
|
|
|
|
Rules: rules,
|
2021-12-27 13:17:15 +01:00
|
|
|
}
|
2021-07-30 17:46:38 +02:00
|
|
|
}
|
|
|
|
|
2022-05-21 15:21:39 +02:00
|
|
|
func (a *Account) GetGroupAll() (*Group, error) {
|
|
|
|
for _, g := range a.Groups {
|
|
|
|
if g.Name == "All" {
|
|
|
|
return g, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, fmt.Errorf("no group ALL found")
|
|
|
|
}
|
|
|
|
|
|
|
|
// BuildManager creates a new DefaultAccountManager with a provided Store
|
|
|
|
func BuildManager(
|
|
|
|
store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager,
|
|
|
|
) (*DefaultAccountManager, error) {
|
2022-06-05 21:36:42 +02:00
|
|
|
am := &DefaultAccountManager{
|
2021-09-07 18:36:46 +02:00
|
|
|
Store: store,
|
|
|
|
mux: sync.Mutex{},
|
|
|
|
peersUpdateManager: peersUpdateManager,
|
2022-01-24 11:21:30 +01:00
|
|
|
idpManager: idpManager,
|
2022-06-05 21:36:42 +02:00
|
|
|
ctx: context.Background(),
|
2021-07-30 17:46:38 +02:00
|
|
|
}
|
2022-05-21 15:21:39 +02:00
|
|
|
|
2022-06-06 13:45:59 +02:00
|
|
|
// if account has not default group
|
|
|
|
// we create 'all' group and add all peers into it
|
|
|
|
// also we create default rule with source as destination
|
2022-05-21 15:21:39 +02:00
|
|
|
for _, account := range store.GetAllAccounts() {
|
2022-06-06 13:45:59 +02:00
|
|
|
_, err := account.GetGroupAll()
|
|
|
|
if err != nil {
|
2022-06-09 13:14:34 +02:00
|
|
|
addAllGroup(account)
|
2022-06-06 13:45:59 +02:00
|
|
|
if err := store.SaveAccount(account); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-05-21 15:21:39 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-06-06 12:05:44 +02:00
|
|
|
gocacheClient := gocache.New(CacheExpirationMax, 30*time.Minute)
|
2022-06-05 21:36:42 +02:00
|
|
|
gocacheStore := cacheStore.NewGoCache(gocacheClient, nil)
|
|
|
|
|
|
|
|
am.cacheManager = cache.NewLoadable(am.loadFromCache, cache.New(gocacheStore))
|
2022-06-06 12:05:44 +02:00
|
|
|
|
|
|
|
if !isNil(am.idpManager) {
|
|
|
|
go func() {
|
|
|
|
err := am.warmupIDPCache()
|
|
|
|
if err != nil {
|
|
|
|
log.Warnf("failed warming up cache due to error: %v", err)
|
|
|
|
//todo retry?
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
|
2022-06-05 21:36:42 +02:00
|
|
|
return am, nil
|
|
|
|
|
2021-07-30 17:46:38 +02:00
|
|
|
}
|
|
|
|
|
2022-06-20 18:20:43 +02:00
|
|
|
// newAccount creates a new Account with a generated ID and generated default setup keys.
|
|
|
|
// If ID is already in use (due to collision) we try one more time before returning error
|
|
|
|
func (am *DefaultAccountManager) newAccount(userID, domain string) (*Account, error) {
|
|
|
|
for i := 0; i < 2; i++ {
|
|
|
|
accountId := xid.New().String()
|
|
|
|
|
|
|
|
_, err := am.Store.GetAccount(accountId)
|
|
|
|
statusErr, _ := status.FromError(err)
|
|
|
|
if err == nil {
|
|
|
|
log.Warnf("an account with ID already exists, retrying...")
|
|
|
|
continue
|
|
|
|
} else if statusErr.Code() == codes.NotFound {
|
|
|
|
return newAccountWithId(accountId, userID, domain), nil
|
|
|
|
} else {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, status.Errorf(codes.Internal, "error while creating new account")
|
|
|
|
}
|
|
|
|
|
2022-06-06 12:05:44 +02:00
|
|
|
func (am *DefaultAccountManager) warmupIDPCache() error {
|
|
|
|
userData, err := am.idpManager.GetAllAccounts()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
for accountID, users := range userData {
|
|
|
|
rand.Seed(time.Now().UnixNano())
|
|
|
|
|
|
|
|
r := rand.Intn(int(CacheExpirationMax.Milliseconds()-CacheExpirationMin.Milliseconds())) + int(CacheExpirationMin.Milliseconds())
|
|
|
|
expiration := time.Duration(r) * time.Millisecond
|
|
|
|
err = am.cacheManager.Set(am.ctx, accountID, users, &cacheStore.Options{Expiration: expiration})
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
log.Infof("warmed up IDP cache with %d entries", len(userData))
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-05-03 16:02:51 +02:00
|
|
|
// AddSetupKey generates a new setup key with a given name and type, and adds it to the specified account
|
|
|
|
func (am *DefaultAccountManager) AddSetupKey(
|
|
|
|
accountId string,
|
|
|
|
keyName string,
|
|
|
|
keyType SetupKeyType,
|
2022-06-14 10:32:54 +02:00
|
|
|
expiresIn time.Duration,
|
2022-05-03 16:02:51 +02:00
|
|
|
) (*SetupKey, error) {
|
2021-09-07 18:36:46 +02:00
|
|
|
am.mux.Lock()
|
|
|
|
defer am.mux.Unlock()
|
2021-08-20 22:33:43 +02:00
|
|
|
|
2021-10-31 12:06:44 +01:00
|
|
|
keyDuration := DefaultSetupKeyDuration
|
2022-06-14 10:32:54 +02:00
|
|
|
if expiresIn != 0 {
|
|
|
|
keyDuration = expiresIn
|
2021-10-31 12:06:44 +01:00
|
|
|
}
|
|
|
|
|
2021-09-07 18:36:46 +02:00
|
|
|
account, err := am.Store.GetAccount(accountId)
|
2021-08-20 22:33:43 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
|
|
|
}
|
|
|
|
|
2021-10-31 12:06:44 +01:00
|
|
|
setupKey := GenerateSetupKey(keyName, keyType, keyDuration)
|
2021-08-20 22:33:43 +02:00
|
|
|
account.SetupKeys[setupKey.Key] = setupKey
|
|
|
|
|
2021-09-07 18:36:46 +02:00
|
|
|
err = am.Store.SaveAccount(account)
|
2021-08-20 22:33:43 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.Internal, "failed adding account key")
|
|
|
|
}
|
|
|
|
|
|
|
|
return setupKey, nil
|
|
|
|
}
|
|
|
|
|
2022-05-03 16:02:51 +02:00
|
|
|
// RevokeSetupKey marks SetupKey as revoked - becomes not valid anymore
|
2022-02-22 11:28:19 +01:00
|
|
|
func (am *DefaultAccountManager) RevokeSetupKey(accountId string, keyId string) (*SetupKey, error) {
|
2021-09-07 18:36:46 +02:00
|
|
|
am.mux.Lock()
|
|
|
|
defer am.mux.Unlock()
|
2021-08-20 22:33:43 +02:00
|
|
|
|
2021-09-07 18:36:46 +02:00
|
|
|
account, err := am.Store.GetAccount(accountId)
|
2021-08-20 22:33:43 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
|
|
|
}
|
|
|
|
|
|
|
|
setupKey := getAccountSetupKeyById(account, keyId)
|
|
|
|
if setupKey == nil {
|
|
|
|
return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", keyId)
|
|
|
|
}
|
|
|
|
|
|
|
|
keyCopy := setupKey.Copy()
|
|
|
|
keyCopy.Revoked = true
|
|
|
|
account.SetupKeys[keyCopy.Key] = keyCopy
|
2021-09-07 18:36:46 +02:00
|
|
|
err = am.Store.SaveAccount(account)
|
2021-08-20 22:33:43 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.Internal, "failed adding account key")
|
|
|
|
}
|
|
|
|
|
|
|
|
return keyCopy, nil
|
|
|
|
}
|
|
|
|
|
2022-05-03 16:02:51 +02:00
|
|
|
// RenameSetupKey renames existing setup key of the specified account.
|
|
|
|
func (am *DefaultAccountManager) RenameSetupKey(
|
|
|
|
accountId string,
|
|
|
|
keyId string,
|
|
|
|
newName string,
|
|
|
|
) (*SetupKey, error) {
|
2021-09-07 18:36:46 +02:00
|
|
|
am.mux.Lock()
|
|
|
|
defer am.mux.Unlock()
|
2021-08-20 22:33:43 +02:00
|
|
|
|
2021-09-07 18:36:46 +02:00
|
|
|
account, err := am.Store.GetAccount(accountId)
|
2021-08-20 22:33:43 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
|
|
|
}
|
|
|
|
|
|
|
|
setupKey := getAccountSetupKeyById(account, keyId)
|
|
|
|
if setupKey == nil {
|
|
|
|
return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", keyId)
|
|
|
|
}
|
|
|
|
|
|
|
|
keyCopy := setupKey.Copy()
|
|
|
|
keyCopy.Name = newName
|
|
|
|
account.SetupKeys[keyCopy.Key] = keyCopy
|
2021-09-07 18:36:46 +02:00
|
|
|
err = am.Store.SaveAccount(account)
|
2021-08-20 22:33:43 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.Internal, "failed adding account key")
|
|
|
|
}
|
|
|
|
|
|
|
|
return keyCopy, nil
|
|
|
|
}
|
|
|
|
|
2022-05-03 16:02:51 +02:00
|
|
|
// GetAccountById returns an existing account using its ID or error (NotFound) if doesn't exist
|
2022-02-22 11:28:19 +01:00
|
|
|
func (am *DefaultAccountManager) GetAccountById(accountId string) (*Account, error) {
|
2021-09-07 18:36:46 +02:00
|
|
|
am.mux.Lock()
|
|
|
|
defer am.mux.Unlock()
|
2021-08-12 12:49:10 +02:00
|
|
|
|
2021-09-07 18:36:46 +02:00
|
|
|
account, err := am.Store.GetAccount(accountId)
|
2021-08-12 12:49:10 +02:00
|
|
|
if err != nil {
|
2021-08-20 15:44:18 +02:00
|
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
2021-08-12 12:49:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return account, nil
|
|
|
|
}
|
|
|
|
|
2022-05-03 16:02:51 +02:00
|
|
|
// GetAccountByUserOrAccountId look for an account by user or account Id, if no account is provided and
|
2022-01-24 11:21:30 +01:00
|
|
|
// user id doesn't have an account associated with it, one account is created
|
2022-05-21 15:21:39 +02:00
|
|
|
func (am *DefaultAccountManager) GetAccountByUserOrAccountId(
|
|
|
|
userId, accountId, domain string,
|
|
|
|
) (*Account, error) {
|
2022-01-24 11:21:30 +01:00
|
|
|
if accountId != "" {
|
2022-02-11 17:18:18 +01:00
|
|
|
return am.GetAccountById(accountId)
|
2022-01-24 11:21:30 +01:00
|
|
|
} else if userId != "" {
|
2022-02-11 17:18:18 +01:00
|
|
|
account, err := am.GetOrCreateAccountByUser(userId, domain)
|
2022-01-24 11:21:30 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.NotFound, "account not found using user id: %s", userId)
|
|
|
|
}
|
2022-03-01 15:22:18 +01:00
|
|
|
err = am.updateIDPMetadata(userId, account.Id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2022-01-24 11:21:30 +01:00
|
|
|
}
|
|
|
|
return account, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, status.Errorf(codes.NotFound, "no valid user or account Id provided")
|
|
|
|
}
|
|
|
|
|
2022-05-05 08:58:34 +02:00
|
|
|
func isNil(i idp.Manager) bool {
|
|
|
|
return i == nil || reflect.ValueOf(i).IsNil()
|
|
|
|
}
|
|
|
|
|
2022-03-01 15:22:18 +01:00
|
|
|
// updateIDPMetadata update user's app metadata in idp manager
|
|
|
|
func (am *DefaultAccountManager) updateIDPMetadata(userId, accountID string) error {
|
2022-05-05 08:58:34 +02:00
|
|
|
if !isNil(am.idpManager) {
|
2022-03-01 15:22:18 +01:00
|
|
|
err := am.idpManager.UpdateUserAppMetadata(userId, idp.AppMetadata{WTAccountId: accountID})
|
|
|
|
if err != nil {
|
2022-05-03 16:02:51 +02:00
|
|
|
return status.Errorf(
|
|
|
|
codes.Internal,
|
|
|
|
"updating user's app metadata failed with: %v",
|
|
|
|
err,
|
|
|
|
)
|
2022-03-01 15:22:18 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-05-05 08:58:34 +02:00
|
|
|
func mergeLocalAndQueryUser(queried idp.UserData, local User) *UserInfo {
|
|
|
|
return &UserInfo{
|
|
|
|
ID: local.Id,
|
|
|
|
Email: queried.Email,
|
|
|
|
Name: queried.Name,
|
|
|
|
Role: string(local.Role),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-06-20 18:20:43 +02:00
|
|
|
func (am *DefaultAccountManager) loadFromCache(_ context.Context, accountID interface{}) (interface{}, error) {
|
2022-06-06 12:05:44 +02:00
|
|
|
return am.idpManager.GetAccount(fmt.Sprintf("%v", accountID))
|
2022-06-05 21:36:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func (am *DefaultAccountManager) lookupCache(accountUsers map[string]*User, accountID string) ([]*idp.UserData, error) {
|
|
|
|
data, err := am.cacheManager.Get(am.ctx, accountID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
userData := data.([]*idp.UserData)
|
|
|
|
|
|
|
|
userDataMap := make(map[string]struct{})
|
|
|
|
for _, datum := range userData {
|
|
|
|
userDataMap[datum.ID] = struct{}{}
|
|
|
|
}
|
|
|
|
|
|
|
|
// check whether we need to reload the cache
|
|
|
|
// the accountUsers ID list is the source of truth and all the users should be in the cache
|
|
|
|
reload := len(accountUsers) != len(userData)
|
|
|
|
for user := range accountUsers {
|
|
|
|
if _, ok := userDataMap[user]; !ok {
|
|
|
|
reload = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if reload {
|
|
|
|
// reload cache once avoiding loops
|
|
|
|
err := am.cacheManager.Delete(am.ctx, accountID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
data, err = am.cacheManager.Get(am.ctx, accountID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
userData = data.([]*idp.UserData)
|
|
|
|
}
|
|
|
|
|
|
|
|
return userData, err
|
|
|
|
}
|
|
|
|
|
2022-05-05 08:58:34 +02:00
|
|
|
// GetUsersFromAccount performs a batched request for users from IDP by account id
|
|
|
|
func (am *DefaultAccountManager) GetUsersFromAccount(accountID string) ([]*UserInfo, error) {
|
|
|
|
account, err := am.GetAccountById(accountID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
queriedUsers := make([]*idp.UserData, 0)
|
|
|
|
if !isNil(am.idpManager) {
|
2022-06-05 21:36:42 +02:00
|
|
|
queriedUsers, err = am.lookupCache(account.Users, accountID)
|
2022-05-05 08:58:34 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
userInfo := make([]*UserInfo, 0)
|
|
|
|
|
|
|
|
// in case of self-hosted, or IDP doesn't return anything, we will return the locally stored userInfo
|
|
|
|
if len(queriedUsers) == 0 {
|
|
|
|
for _, user := range account.Users {
|
|
|
|
userInfo = append(userInfo, &UserInfo{
|
|
|
|
ID: user.Id,
|
|
|
|
Email: "",
|
|
|
|
Name: "",
|
|
|
|
Role: string(user.Role),
|
|
|
|
})
|
|
|
|
}
|
|
|
|
return userInfo, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, queriedUser := range queriedUsers {
|
|
|
|
if localUser, contains := account.Users[queriedUser.ID]; contains {
|
|
|
|
userInfo = append(userInfo, mergeLocalAndQueryUser(*queriedUser, *localUser))
|
|
|
|
log.Debugf("Merged userinfo to send back; %v", userInfo)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return userInfo, nil
|
|
|
|
}
|
|
|
|
|
2022-03-01 15:22:18 +01:00
|
|
|
// updateAccountDomainAttributes updates the account domain attributes and then, saves the account
|
2022-05-03 16:02:51 +02:00
|
|
|
func (am *DefaultAccountManager) updateAccountDomainAttributes(
|
|
|
|
account *Account,
|
|
|
|
claims jwtclaims.AuthorizationClaims,
|
|
|
|
primaryDomain bool,
|
|
|
|
) error {
|
2022-03-01 15:22:18 +01:00
|
|
|
account.IsDomainPrimaryAccount = primaryDomain
|
2022-06-20 18:20:43 +02:00
|
|
|
|
|
|
|
lowerDomain := strings.ToLower(claims.Domain)
|
|
|
|
userObj := account.Users[claims.UserId]
|
|
|
|
if account.Domain != lowerDomain && userObj.Role == UserRoleAdmin {
|
|
|
|
account.Domain = lowerDomain
|
|
|
|
}
|
|
|
|
// prevent updating category for different domain until admin logs in
|
|
|
|
if account.Domain == lowerDomain {
|
|
|
|
account.DomainCategory = claims.DomainCategory
|
|
|
|
}
|
|
|
|
|
2022-03-01 15:22:18 +01:00
|
|
|
err := am.Store.SaveAccount(account)
|
|
|
|
if err != nil {
|
|
|
|
return status.Errorf(codes.Internal, "failed saving updated account")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// handleExistingUserAccount handles existing User accounts and update its domain attributes.
|
|
|
|
//
|
|
|
|
//
|
|
|
|
// If there is no primary domain account yet, we set the account as primary for the domain. Otherwise,
|
|
|
|
// we compare the account's ID with the domain account ID, and if they don't match, we set the account as
|
|
|
|
// non-primary account for the domain. We don't merge accounts at this stage, because of cases when a domain
|
|
|
|
// was previously unclassified or classified as public so N users that logged int that time, has they own account
|
|
|
|
// and peers that shouldn't be lost.
|
2022-05-03 16:02:51 +02:00
|
|
|
func (am *DefaultAccountManager) handleExistingUserAccount(
|
|
|
|
existingAcc *Account,
|
|
|
|
domainAcc *Account,
|
|
|
|
claims jwtclaims.AuthorizationClaims,
|
|
|
|
) error {
|
2022-03-01 15:22:18 +01:00
|
|
|
var err error
|
|
|
|
|
2022-03-10 13:47:36 +01:00
|
|
|
if domainAcc != nil && existingAcc.Id != domainAcc.Id {
|
2022-03-01 15:22:18 +01:00
|
|
|
err = am.updateAccountDomainAttributes(existingAcc, claims, false)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-03-10 13:47:36 +01:00
|
|
|
} else {
|
|
|
|
err = am.updateAccountDomainAttributes(existingAcc, claims, true)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-03-01 15:22:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// we should register the account ID to this user's metadata in our IDP manager
|
|
|
|
err = am.updateIDPMetadata(claims.UserId, existingAcc.Id)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// handleNewUserAccount validates if there is an existing primary account for the domain, if so it adds the new user to that account,
|
|
|
|
// otherwise it will create a new account and make it primary account for the domain.
|
2022-05-03 16:02:51 +02:00
|
|
|
func (am *DefaultAccountManager) handleNewUserAccount(
|
|
|
|
domainAcc *Account,
|
|
|
|
claims jwtclaims.AuthorizationClaims,
|
|
|
|
) (*Account, error) {
|
2022-03-01 15:22:18 +01:00
|
|
|
var (
|
2022-03-10 13:47:36 +01:00
|
|
|
account *Account
|
|
|
|
err error
|
2022-03-01 15:22:18 +01:00
|
|
|
)
|
|
|
|
lowerDomain := strings.ToLower(claims.Domain)
|
|
|
|
// if domain already has a primary account, add regular user
|
|
|
|
if domainAcc != nil {
|
|
|
|
account = domainAcc
|
|
|
|
account.Users[claims.UserId] = NewRegularUser(claims.UserId)
|
2022-05-09 14:30:20 +02:00
|
|
|
err = am.Store.SaveAccount(account)
|
|
|
|
if err != nil {
|
|
|
|
return nil, status.Errorf(codes.Internal, "failed saving updated account")
|
|
|
|
}
|
2022-03-01 15:22:18 +01:00
|
|
|
} else {
|
2022-06-20 18:20:43 +02:00
|
|
|
account, err = am.newAccount(claims.UserId, lowerDomain)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-03-10 13:47:36 +01:00
|
|
|
err = am.updateAccountDomainAttributes(account, claims, true)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-03-01 15:22:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
err = am.updateIDPMetadata(claims.UserId, account.Id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return account, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAccountWithAuthorizationClaims retrievs an account using JWT Claims.
|
|
|
|
// if domain is of the PrivateCategory category, it will evaluate
|
|
|
|
// if account is new, existing or if there is another account with the same domain
|
|
|
|
//
|
|
|
|
// Use cases:
|
|
|
|
//
|
|
|
|
// New user + New account + New domain -> create account, user role = admin (if private domain, index domain)
|
|
|
|
//
|
|
|
|
// New user + New account + Existing Private Domain -> add user to the existing account, user role = regular (not admin)
|
|
|
|
//
|
|
|
|
// New user + New account + Existing Public Domain -> create account, user role = admin
|
|
|
|
//
|
|
|
|
// Existing user + Existing account + Existing Domain -> Nothing changes (if private, index domain)
|
|
|
|
//
|
|
|
|
// Existing user + Existing account + Existing Indexed Domain -> Nothing changes
|
|
|
|
//
|
|
|
|
// Existing user + Existing account + Existing domain reclassified Domain as private -> Nothing changes (index domain)
|
2022-05-03 16:02:51 +02:00
|
|
|
func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(
|
|
|
|
claims jwtclaims.AuthorizationClaims,
|
|
|
|
) (*Account, error) {
|
2022-03-01 15:22:18 +01:00
|
|
|
// if Account ID is part of the claims
|
|
|
|
// it means that we've already classified the domain and user has an account
|
2022-03-09 13:31:42 +01:00
|
|
|
if claims.DomainCategory != PrivateCategory {
|
2022-03-01 15:22:18 +01:00
|
|
|
return am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain)
|
2022-03-09 13:31:42 +01:00
|
|
|
} else if claims.AccountId != "" {
|
2022-05-09 14:30:20 +02:00
|
|
|
accountFromID, err := am.GetAccountById(claims.AccountId)
|
2022-03-09 13:31:42 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-05-09 14:30:20 +02:00
|
|
|
if _, ok := accountFromID.Users[claims.UserId]; !ok {
|
|
|
|
return nil, fmt.Errorf("user %s is not part of the account id %s", claims.UserId, claims.AccountId)
|
|
|
|
}
|
2022-03-09 13:31:42 +01:00
|
|
|
if accountFromID.DomainCategory == PrivateCategory || claims.DomainCategory != PrivateCategory {
|
|
|
|
return accountFromID, nil
|
|
|
|
}
|
2022-03-01 15:22:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
am.mux.Lock()
|
|
|
|
defer am.mux.Unlock()
|
|
|
|
|
|
|
|
// We checked if the domain has a primary account already
|
|
|
|
domainAccount, err := am.Store.GetAccountByPrivateDomain(claims.Domain)
|
|
|
|
accStatus, _ := status.FromError(err)
|
|
|
|
if accStatus.Code() != codes.OK && accStatus.Code() != codes.NotFound {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
account, err := am.Store.GetUserAccount(claims.UserId)
|
|
|
|
if err == nil {
|
|
|
|
err = am.handleExistingUserAccount(account, domainAccount, claims)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return account, nil
|
|
|
|
} else if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
|
|
|
|
return am.handleNewUserAccount(domainAccount, claims)
|
|
|
|
} else {
|
|
|
|
// other error
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-05-03 16:02:51 +02:00
|
|
|
// AccountExists checks whether account exists (returns true) or not (returns false)
|
2022-02-22 11:28:19 +01:00
|
|
|
func (am *DefaultAccountManager) AccountExists(accountId string) (*bool, error) {
|
2021-09-07 18:36:46 +02:00
|
|
|
am.mux.Lock()
|
|
|
|
defer am.mux.Unlock()
|
2021-08-12 12:49:10 +02:00
|
|
|
|
|
|
|
var res bool
|
2021-09-07 18:36:46 +02:00
|
|
|
_, err := am.Store.GetAccount(accountId)
|
2021-08-12 12:49:10 +02:00
|
|
|
if err != nil {
|
|
|
|
if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
|
|
|
|
res = false
|
|
|
|
return &res, nil
|
|
|
|
} else {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
res = true
|
|
|
|
return &res, nil
|
|
|
|
}
|
|
|
|
|
2022-06-06 13:45:59 +02:00
|
|
|
// addAllGroup to account object if it doesn't exists
|
2022-06-09 13:14:34 +02:00
|
|
|
func addAllGroup(account *Account) {
|
2022-05-21 15:21:39 +02:00
|
|
|
if len(account.Groups) == 0 {
|
|
|
|
allGroup := &Group{
|
|
|
|
ID: xid.New().String(),
|
|
|
|
Name: "All",
|
|
|
|
}
|
|
|
|
for _, peer := range account.Peers {
|
|
|
|
allGroup.Peers = append(allGroup.Peers, peer.Key)
|
|
|
|
}
|
|
|
|
account.Groups = map[string]*Group{allGroup.ID: allGroup}
|
|
|
|
|
|
|
|
defaultRule := &Rule{
|
|
|
|
ID: xid.New().String(),
|
2022-06-14 10:32:54 +02:00
|
|
|
Name: DefaultRuleName,
|
|
|
|
Description: DefaultRuleDescription,
|
|
|
|
Disabled: false,
|
2022-05-21 15:21:39 +02:00
|
|
|
Source: []string{allGroup.ID},
|
|
|
|
Destination: []string{allGroup.ID},
|
|
|
|
}
|
|
|
|
account.Rules = map[string]*Rule{defaultRule.ID: defaultRule}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-12 12:49:10 +02:00
|
|
|
// newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
|
2022-02-11 17:18:18 +01:00
|
|
|
func newAccountWithId(accountId, userId, domain string) *Account {
|
2021-08-01 19:06:01 +02:00
|
|
|
log.Debugf("creating new account")
|
|
|
|
|
|
|
|
setupKeys := make(map[string]*SetupKey)
|
2021-09-07 18:36:46 +02:00
|
|
|
defaultKey := GenerateDefaultSetupKey()
|
|
|
|
oneOffKey := GenerateSetupKey("One-off key", SetupKeyOneOff, DefaultSetupKeyDuration)
|
|
|
|
setupKeys[defaultKey.Key] = defaultKey
|
|
|
|
setupKeys[oneOffKey.Key] = oneOffKey
|
2022-01-14 14:34:27 +01:00
|
|
|
network := NewNetwork()
|
2021-08-01 19:06:01 +02:00
|
|
|
peers := make(map[string]*Peer)
|
2021-12-27 13:17:15 +01:00
|
|
|
users := make(map[string]*User)
|
2022-06-09 13:14:34 +02:00
|
|
|
users[userId] = NewAdminUser(userId)
|
2021-09-07 18:36:46 +02:00
|
|
|
log.Debugf("created new account %s with setup key %s", accountId, defaultKey.Key)
|
2021-08-01 19:06:01 +02:00
|
|
|
|
2022-06-09 13:14:34 +02:00
|
|
|
acc := &Account{
|
2022-02-11 17:18:18 +01:00
|
|
|
Id: accountId,
|
|
|
|
SetupKeys: setupKeys,
|
|
|
|
Network: network,
|
|
|
|
Peers: peers,
|
|
|
|
Users: users,
|
|
|
|
CreatedBy: userId,
|
|
|
|
Domain: domain,
|
|
|
|
}
|
2022-06-09 13:14:34 +02:00
|
|
|
|
|
|
|
addAllGroup(acc)
|
|
|
|
return acc
|
2021-08-12 12:49:10 +02:00
|
|
|
}
|
2021-08-20 22:33:43 +02:00
|
|
|
|
|
|
|
func getAccountSetupKeyById(acc *Account, keyId string) *SetupKey {
|
|
|
|
for _, k := range acc.SetupKeys {
|
|
|
|
if keyId == k.Id {
|
|
|
|
return k
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func getAccountSetupKeyByKey(acc *Account, key string) *SetupKey {
|
|
|
|
for _, k := range acc.SetupKeys {
|
|
|
|
if key == k.Key {
|
|
|
|
return k
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2022-06-14 10:32:54 +02:00
|
|
|
|
|
|
|
func removeFromList(inputList []string, toRemove []string) []string {
|
|
|
|
toRemoveMap := make(map[string]struct{})
|
|
|
|
for _, item := range toRemove {
|
|
|
|
toRemoveMap[item] = struct{}{}
|
|
|
|
}
|
|
|
|
|
|
|
|
var resultList []string
|
|
|
|
for _, item := range inputList {
|
|
|
|
_, ok := toRemoveMap[item]
|
|
|
|
if !ok {
|
|
|
|
resultList = append(resultList, item)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return resultList
|
|
|
|
}
|