2022-05-25 18:26:50 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2024-07-03 11:33:02 +02:00
|
|
|
"context"
|
2023-02-03 21:47:20 +01:00
|
|
|
"net/http"
|
2023-03-30 19:03:44 +02:00
|
|
|
"regexp"
|
|
|
|
|
|
|
|
log "github.com/sirupsen/logrus"
|
2023-02-03 21:47:20 +01:00
|
|
|
|
2023-05-11 18:09:36 +02:00
|
|
|
"github.com/netbirdio/netbird/management/server"
|
2024-02-22 12:27:08 +01:00
|
|
|
"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
|
2022-11-11 20:36:45 +01:00
|
|
|
"github.com/netbirdio/netbird/management/server/http/util"
|
|
|
|
"github.com/netbirdio/netbird/management/server/status"
|
2022-05-25 18:26:50 +02:00
|
|
|
|
|
|
|
"github.com/netbirdio/netbird/management/server/jwtclaims"
|
|
|
|
)
|
|
|
|
|
2024-09-18 16:03:04 +02:00
|
|
|
// GetUser function defines a function to fetch user from Account by jwtclaims.AuthorizationClaims
|
|
|
|
type GetUser func(ctx context.Context, claims jwtclaims.AuthorizationClaims) (*server.User, error)
|
2022-05-25 18:26:50 +02:00
|
|
|
|
2022-11-03 17:02:31 +01:00
|
|
|
// AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only
|
|
|
|
type AccessControl struct {
|
2023-02-03 21:47:20 +01:00
|
|
|
claimsExtract jwtclaims.ClaimsExtractor
|
2023-05-11 18:09:36 +02:00
|
|
|
getUser GetUser
|
2022-05-25 18:26:50 +02:00
|
|
|
}
|
|
|
|
|
2022-11-03 17:02:31 +01:00
|
|
|
// NewAccessControl instance constructor
|
2023-05-11 18:09:36 +02:00
|
|
|
func NewAccessControl(audience, userIDClaim string, getUser GetUser) *AccessControl {
|
2022-11-03 17:02:31 +01:00
|
|
|
return &AccessControl{
|
2023-02-03 21:47:20 +01:00
|
|
|
claimsExtract: *jwtclaims.NewClaimsExtractor(
|
|
|
|
jwtclaims.WithAudience(audience),
|
|
|
|
jwtclaims.WithUserIDClaim(userIDClaim),
|
|
|
|
),
|
2023-05-11 18:09:36 +02:00
|
|
|
getUser: getUser,
|
2022-05-25 18:26:50 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-11-27 13:01:00 +01:00
|
|
|
var tokenPathRegexp = regexp.MustCompile(`^.*/api/users/.*/tokens.*$`)
|
|
|
|
|
2022-11-03 17:02:31 +01:00
|
|
|
// Handler method of the middleware which forbids all modify requests for non admin users
|
|
|
|
func (a *AccessControl) Handler(h http.Handler) http.Handler {
|
2022-05-25 18:26:50 +02:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2024-02-22 12:27:08 +01:00
|
|
|
|
|
|
|
if bypass.ShouldBypass(r.URL.Path, h, w, r) {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-02-03 21:47:20 +01:00
|
|
|
claims := a.claimsExtract.FromRequestContext(r)
|
2022-05-25 18:26:50 +02:00
|
|
|
|
2024-09-18 16:03:04 +02:00
|
|
|
user, err := a.getUser(r.Context(), claims)
|
2023-03-30 19:03:44 +02:00
|
|
|
if err != nil {
|
2024-07-03 11:33:02 +02:00
|
|
|
log.WithContext(r.Context()).Errorf("failed to get user from claims: %s", err)
|
|
|
|
util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "invalid JWT"), w)
|
2023-03-30 19:03:44 +02:00
|
|
|
return
|
|
|
|
}
|
2023-05-11 18:09:36 +02:00
|
|
|
|
|
|
|
if user.IsBlocked() {
|
2024-07-03 11:33:02 +02:00
|
|
|
util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "the user has no access to the API or is blocked"), w)
|
2023-05-11 18:09:36 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-12-01 17:24:57 +01:00
|
|
|
if !user.HasAdminPower() {
|
2022-05-25 18:26:50 +02:00
|
|
|
switch r.Method {
|
|
|
|
case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
|
2023-03-31 12:03:53 +02:00
|
|
|
|
2023-11-27 13:01:00 +01:00
|
|
|
if tokenPathRegexp.MatchString(r.URL.Path) {
|
2024-07-03 11:33:02 +02:00
|
|
|
log.WithContext(r.Context()).Debugf("valid Path")
|
2023-03-31 12:03:53 +02:00
|
|
|
h.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-07-03 11:33:02 +02:00
|
|
|
util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "only users with admin power can perform this operation"), w)
|
2022-05-25 18:26:50 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
h.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|