extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2024-11-07 16:54:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
db69a0cf9d
netbird/management/server/user.go

734 lines
22 KiB
Go
Raw Normal View History

Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
package server
import (
feat(ac): add access control middleware (#321)
2022-05-25 18:26:50 +02:00
"fmt"
add generating token (only frame for now, actual token is only dummy)
2023-03-01 20:12:04 +01:00
"strings"
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
"github.com/google/uuid"
add generating token (only frame for now, actual token is only dummy)
2023-03-01 20:12:04 +01:00
log "github.com/sirupsen/logrus"
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
"github.com/netbirdio/netbird/management/server/activity"
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
"github.com/netbirdio/netbird/management/server/idp"
using old isAdmin function to create account
2023-05-02 16:49:29 +02:00
"github.com/netbirdio/netbird/management/server/jwtclaims"
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
"github.com/netbirdio/netbird/management/server/status"
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
)
const (
Support user role update (#478)
2022-09-23 14:18:42 +02:00
UserRoleAdmin UserRole = "admin"
UserRoleUser UserRole = "user"
UserRoleUnknown UserRole = "unknown"
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
UserStatusActive UserStatus = "active"
UserStatusDisabled UserStatus = "disabled"
UserStatusInvited UserStatus = "invited"
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
)
Support user role update (#478)
2022-09-23 14:18:42 +02:00
// StrRoleToUserRole returns UserRole for a given strRole or UserRoleUnknown if the specified role is unknown
func StrRoleToUserRole(strRole string) UserRole {
switch strings.ToLower(strRole) {
case "admin":
return UserRoleAdmin
case "user":
return UserRoleUser
default:
return UserRoleUnknown
}
}
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
// UserStatus is the status of a User
type UserStatus string
// UserRole is the role of a User
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
type UserRole string
// User represents a user of the system
type User struct {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
Id string
Role UserRole
IsServiceUser bool
// ServiceUserName is only set if IsServiceUser is true
ServiceUserName string
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
// AutoGroups is a list of Group IDs to auto-assign to peers registered by this user
AutoGroups []string
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
PATs map[string]*PersonalAccessToken
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
// Blocked indicates whether the user is blocked. Blocked users can't use the system.
Blocked bool
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
// IsBlocked returns true if the user is blocked, false otherwise
func (u *User) IsBlocked() bool {
return u.Blocked
}
// IsAdmin returns true if the user is an admin, false otherwise
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
func (u *User) IsAdmin() bool {
return u.Role == UserRoleAdmin
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
// ToUserInfo converts a User object to a UserInfo object.
func (u *User) ToUserInfo(userData *idp.UserData) (*UserInfo, error) {
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
autoGroups := u.AutoGroups
if autoGroups == nil {
autoGroups = []string{}
}
if userData == nil {
return &UserInfo{
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
ID: u.Id,
Email: "",
Name: u.ServiceUserName,
Role: string(u.Role),
AutoGroups: u.AutoGroups,
Status: string(UserStatusActive),
IsServiceUser: u.IsServiceUser,
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
IsBlocked: u.Blocked,
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}, nil
}
if userData.ID != u.Id {
return nil, fmt.Errorf("wrong UserData provided for user %s", u.Id)
}
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
userStatus := UserStatusActive
Do not set wt_pending_invite when unnecessary (#515) wt_pending_invite property is set for every user on IdP. Avoid setting it when unnecessary.
2022-10-19 17:51:41 +02:00
if userData.AppMetadata.WTPendingInvite != nil && *userData.AppMetadata.WTPendingInvite {
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
userStatus = UserStatusInvited
}
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
return &UserInfo{
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
ID: u.Id,
Email: userData.Email,
Name: userData.Name,
Role: string(u.Role),
AutoGroups: autoGroups,
Status: string(userStatus),
IsServiceUser: u.IsServiceUser,
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
IsBlocked: u.Blocked,
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}, nil
}
// Copy the user
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
func (u *User) Copy() *User {
use slice copy
2023-03-16 11:32:55 +01:00
autoGroups := make([]string, len(u.AutoGroups))
copy(autoGroups, u.AutoGroups)
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
pats := make(map[string]*PersonalAccessToken, len(u.PATs))
for k, v := range u.PATs {
patCopy := new(PersonalAccessToken)
*patCopy = *v
pats[k] = patCopy
}
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
return &User{
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
Id: u.Id,
Role: u.Role,
AutoGroups: autoGroups,
IsServiceUser: u.IsServiceUser,
ServiceUserName: u.ServiceUserName,
PATs: pats,
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
Blocked: u.Blocked,
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
}
}
// NewUser creates a new user
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
func NewUser(id string, role UserRole, isServiceUser bool, serviceUserName string, autoGroups []string) *User {
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
return &User{
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
Id: id,
Role: role,
IsServiceUser: isServiceUser,
ServiceUserName: serviceUserName,
AutoGroups: autoGroups,
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
}
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
// NewRegularUser creates a new user with role UserRoleUser
Group users of same private domain (#243) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com>
2022-03-01 15:22:18 +01:00
func NewRegularUser(id string) *User {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
return NewUser(id, UserRoleUser, false, "", []string{})
Group users of same private domain (#243) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com>
2022-03-01 15:22:18 +01:00
}
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
// NewAdminUser creates a new user with role UserRoleAdmin
func NewAdminUser(id string) *User {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
return NewUser(id, UserRoleAdmin, false, "", []string{})
}
// createServiceUser creates a new service user under the given account.
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
func (am *DefaultAccountManager) createServiceUser(accountID string, initiatorUserID string, role UserRole, serviceUserName string, autoGroups []string) (*UserInfo, error) {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
account, err := am.Store.GetAccount(accountID)
if err != nil {
return nil, status.Errorf(status.NotFound, "account %s doesn't exist", accountID)
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
executingUser := account.Users[initiatorUserID]
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if executingUser == nil {
return nil, status.Errorf(status.NotFound, "user not found")
}
if executingUser.Role != UserRoleAdmin {
return nil, status.Errorf(status.PermissionDenied, "only admins can create service users")
}
newUserID := uuid.New().String()
newUser := NewUser(newUserID, role, true, serviceUserName, autoGroups)
log.Debugf("New User: %v", newUser)
account.Users[newUserID] = newUser
err = am.Store.SaveAccount(account)
if err != nil {
return nil, err
}
meta := map[string]any{"name": newUser.ServiceUserName}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
am.storeEvent(initiatorUserID, newUser.Id, accountID, activity.ServiceUserCreated, meta)
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
return &UserInfo{
ID: newUser.Id,
Email: "",
Name: newUser.ServiceUserName,
Role: string(newUser.Role),
AutoGroups: newUser.AutoGroups,
Status: string(UserStatusActive),
IsServiceUser: true,
}, nil
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
}
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
// CreateUser creates a new user under the given account. Effectively this is a user invite.
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
func (am *DefaultAccountManager) CreateUser(accountID, userID string, user *UserInfo) (*UserInfo, error) {
if user.IsServiceUser {
return am.createServiceUser(accountID, userID, StrRoleToUserRole(user.Role), user.Name, user.AutoGroups)
}
return am.inviteNewUser(accountID, userID, user)
}
// inviteNewUser Invites a USer to a given account and creates reference in datastore
func (am *DefaultAccountManager) inviteNewUser(accountID, userID string, invite *UserInfo) (*UserInfo, error) {
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
if am.idpManager == nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, status.Errorf(status.PreconditionFailed, "IdP manager must be enabled to send user invites")
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
}
if invite == nil {
return nil, fmt.Errorf("provided user update is nil")
}
account, err := am.Store.GetAccount(accountID)
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, status.Errorf(status.NotFound, "account %s doesn't exist", accountID)
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
}
// check if the user is already registered with this email => reject
user, err := am.lookupUserInCacheByEmail(invite.Email, accountID)
if err != nil {
return nil, err
}
if user != nil {
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
return nil, status.Errorf(status.UserAlreadyExists, "can't invite a user with an existing NetBird account")
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
}
users, err := am.idpManager.GetUserByEmail(invite.Email)
if err != nil {
return nil, err
}
if len(users) > 0 {
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
return nil, status.Errorf(status.UserAlreadyExists, "can't invite a user with an existing NetBird account")
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
}
idpUser, err := am.idpManager.CreateUser(invite.Email, invite.Name, accountID)
if err != nil {
return nil, err
}
role := StrRoleToUserRole(invite.Role)
newUser := &User{
Id: idpUser.ID,
Role: role,
AutoGroups: invite.AutoGroups,
}
account.Users[idpUser.ID] = newUser
err = am.Store.SaveAccount(account)
if err != nil {
return nil, err
}
_, err = am.refreshCache(account.Id)
if err != nil {
return nil, err
}
Simplify event storing with one generic method (#662) Use the generic storeEvent() funcion to store all activity events.
2023-01-24 10:17:24 +01:00
am.storeEvent(userID, newUser.Id, accountID, activity.UserInvited, nil)
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
return newUser.ToUserInfo(idpUser)
}
// GetUser looks up a user by provided authorization claims.
// It will also create an account if didn't exist for this user before.
func (am *DefaultAccountManager) GetUser(claims jwtclaims.AuthorizationClaims) (*User, error) {
account, _, err := am.GetAccountFromToken(claims)
if err != nil {
return nil, fmt.Errorf("failed to get account with token claims %v", err)
}
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
user, ok := account.Users[claims.UserId]
if !ok {
return nil, status.Errorf(status.NotFound, "user not found")
}
return user, nil
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
// DeleteUser deletes a user from the given account.
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
func (am *DefaultAccountManager) DeleteUser(accountID, initiatorUserID string, targetUserID string) error {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
account, err := am.Store.GetAccount(accountID)
if err != nil {
return err
}
targetUser := account.Users[targetUserID]
if targetUser == nil {
return status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
executingUser := account.Users[initiatorUserID]
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if executingUser == nil {
return status.Errorf(status.NotFound, "user not found")
}
if executingUser.Role != UserRoleAdmin {
return status.Errorf(status.PermissionDenied, "only admins can delete service users")
}
if !targetUser.IsServiceUser {
return status.Errorf(status.PermissionDenied, "regular users can not be deleted")
}
meta := map[string]any{"name": targetUser.ServiceUserName}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
am.storeEvent(initiatorUserID, targetUserID, accountID, activity.ServiceUserDeleted, meta)
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
delete(account.Users, targetUserID)
err = am.Store.SaveAccount(account)
if err != nil {
return err
}
return nil
}
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
// CreatePAT creates a new PAT for the given user
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
func (am *DefaultAccountManager) CreatePAT(accountID string, initiatorUserID string, targetUserID string, tokenName string, expiresIn int) (*PersonalAccessTokenGenerated, error) {
storing and retrieving PATs
2023-03-16 15:57:44 +01:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
if tokenName == "" {
return nil, status.Errorf(status.InvalidArgument, "token name can't be empty")
}
if expiresIn < 1 || expiresIn > 365 {
return nil, status.Errorf(status.InvalidArgument, "expiration has to be between 1 and 365")
}
storing and retrieving PATs
2023-03-16 15:57:44 +01:00
account, err := am.Store.GetAccount(accountID)
if err != nil {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
return nil, err
storing and retrieving PATs
2023-03-16 15:57:44 +01:00
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
targetUser := account.Users[targetUserID]
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
if targetUser == nil {
return nil, status.Errorf(status.NotFound, "targetUser not found")
storing and retrieving PATs
2023-03-16 15:57:44 +01:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
executingUser := account.Users[initiatorUserID]
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if targetUser == nil {
return nil, status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
if !(initiatorUserID == targetUserID || (executingUser.IsAdmin() && targetUser.IsServiceUser)) {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
return nil, status.Errorf(status.PermissionDenied, "no permission to create PAT for this user")
}
pat, err := CreateNewPAT(tokenName, expiresIn, executingUser.Id)
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
if err != nil {
return nil, status.Errorf(status.Internal, "failed to create PAT: %v", err)
}
targetUser.PATs[pat.ID] = &pat.PersonalAccessToken
err = am.Store.SaveAccount(account)
if err != nil {
return nil, status.Errorf(status.Internal, "failed to save account: %v", err)
}
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
meta := map[string]any{"name": pat.Name, "is_service_user": targetUser.IsServiceUser, "user_name": targetUser.ServiceUserName}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
am.storeEvent(initiatorUserID, targetUserID, accountID, activity.PersonalAccessTokenCreated, meta)
add activity events on PAT creation and deletion
2023-03-31 17:41:22 +02:00
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
return pat, nil
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
}
add function comments, implement account mock functions and added error handling in tests
2023-03-20 16:38:17 +01:00
// DeletePAT deletes a specific PAT from a user
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
func (am *DefaultAccountManager) DeletePAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) error {
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
account, err := am.Store.GetAccount(accountID)
if err != nil {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
return status.Errorf(status.NotFound, "account not found: %s", err)
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
targetUser := account.Users[targetUserID]
if targetUser == nil {
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
return status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
executingUser := account.Users[initiatorUserID]
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if targetUser == nil {
return status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
if !(initiatorUserID == targetUserID || (executingUser.IsAdmin() && targetUser.IsServiceUser)) {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
return status.Errorf(status.PermissionDenied, "no permission to delete PAT for this user")
}
pat := targetUser.PATs[tokenID]
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
if pat == nil {
return status.Errorf(status.NotFound, "PAT not found")
}
err = am.Store.DeleteTokenID2UserIDIndex(pat.ID)
if err != nil {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
return status.Errorf(status.Internal, "Failed to delete token id index: %s", err)
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
}
err = am.Store.DeleteHashedPAT2TokenIDIndex(pat.HashedToken)
if err != nil {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
return status.Errorf(status.Internal, "Failed to delete hashed token index: %s", err)
switch PATs to map and add deletion
2023-03-20 16:14:55 +01:00
}
add activity events on PAT creation and deletion
2023-03-31 17:41:22 +02:00
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
meta := map[string]any{"name": pat.Name, "is_service_user": targetUser.IsServiceUser, "user_name": targetUser.ServiceUserName}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
am.storeEvent(initiatorUserID, targetUserID, accountID, activity.PersonalAccessTokenDeleted, meta)
add activity events on PAT creation and deletion
2023-03-31 17:41:22 +02:00
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
delete(targetUser.PATs, tokenID)
storing and retrieving PATs
2023-03-16 15:57:44 +01:00
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
err = am.Store.SaveAccount(account)
if err != nil {
return status.Errorf(status.Internal, "Failed to save account: %s", err)
}
return nil
}
// GetPAT returns a specific PAT from a user
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
func (am *DefaultAccountManager) GetPAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error) {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
account, err := am.Store.GetAccount(accountID)
if err != nil {
return nil, status.Errorf(status.NotFound, "account not found: %s", err)
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
targetUser := account.Users[targetUserID]
if targetUser == nil {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
return nil, status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
executingUser := account.Users[initiatorUserID]
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if targetUser == nil {
return nil, status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
if !(initiatorUserID == targetUserID || (executingUser.IsAdmin() && targetUser.IsServiceUser)) {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this userser")
}
pat := targetUser.PATs[tokenID]
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
if pat == nil {
return nil, status.Errorf(status.NotFound, "PAT not found")
}
return pat, nil
}
// GetAllPATs returns all PATs for a user
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
func (am *DefaultAccountManager) GetAllPATs(accountID string, initiatorUserID string, targetUserID string) ([]*PersonalAccessToken, error) {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
account, err := am.Store.GetAccount(accountID)
if err != nil {
return nil, status.Errorf(status.NotFound, "account not found: %s", err)
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
targetUser := account.Users[targetUserID]
if targetUser == nil {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
return nil, status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
executingUser := account.Users[initiatorUserID]
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if targetUser == nil {
return nil, status.Errorf(status.NotFound, "user not found")
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
if !(initiatorUserID == targetUserID || (executingUser.IsAdmin() && targetUser.IsServiceUser)) {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this user")
}
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
var pats []*PersonalAccessToken
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
for _, pat := range targetUser.PATs {
move validation into account manager + func for get requests
2023-03-30 13:58:44 +02:00
pats = append(pats, pat)
}
return pats, nil
storing and retrieving PATs
2023-03-16 15:57:44 +01:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
// SaveUser saves updates to the given user. If the user doesn't exit it will throw status.NotFound error.
// Only User.AutoGroups, User.Role, and User.Blocked fields are allowed to be updated for now.
func (am *DefaultAccountManager) SaveUser(accountID, initiatorUserID string, update *User) (*UserInfo, error) {
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
unlock := am.Store.AcquireAccountLock(accountID)
defer unlock()
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
if update == nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, status.Errorf(status.InvalidArgument, "provided user update is nil")
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
account, err := am.Store.GetAccount(accountID)
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, err
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
initiatorUser, err := account.FindUser(initiatorUserID)
if err != nil {
return nil, err
}
if !initiatorUser.IsAdmin() || initiatorUser.IsBlocked() {
return nil, status.Errorf(status.PermissionDenied, "only admins are authorized to perform user update operations")
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
oldUser := account.Users[update.Id]
if oldUser == nil {
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
return nil, status.Errorf(status.NotFound, "user to update doesn't exist")
}
if initiatorUser.IsAdmin() && initiatorUserID == update.Id && oldUser.Blocked != update.Blocked {
return nil, status.Errorf(status.PermissionDenied, "admins can't block or unblock themselves")
}
if initiatorUser.IsAdmin() && initiatorUserID == update.Id && update.Role != UserRoleAdmin {
return nil, status.Errorf(status.PermissionDenied, "admins can't change their role")
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
// only auto groups, revoked status, and name can be updated for now
newUser := oldUser.Copy()
Support user role update (#478)
2022-09-23 14:18:42 +02:00
newUser.Role = update.Role
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
newUser.Blocked = update.Blocked
for _, newGroupID := range update.AutoGroups {
if _, ok := account.Groups[newGroupID]; !ok {
return nil, status.Errorf(status.InvalidArgument, "provided group ID %s in the user %s update doesn't exist",
newGroupID, update.Id)
}
}
newUser.AutoGroups = update.AutoGroups
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
account.Users[newUser.Id] = newUser
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
if !oldUser.IsBlocked() && update.IsBlocked() {
// expire peers that belong to the user who's getting blocked
blockedPeers, err := account.FindUserPeers(update.Id)
if err != nil {
return nil, err
}
var peerIDs []string
for _, peer := range blockedPeers {
peerIDs = append(peerIDs, peer.ID)
peer.MarkLoginExpired(true)
account.UpdatePeer(peer)
err = am.Store.SavePeerStatus(account.Id, peer.ID, *peer.Status)
if err != nil {
log.Errorf("failed saving peer status while expiring peer %s", peer.ID)
return nil, err
}
}
am.peersUpdateManager.CloseChannels(peerIDs)
err = am.updateAccountPeers(account)
if err != nil {
log.Errorf("failed updating account peers while expiring peers of a blocked user %s", accountID)
return nil, err
}
}
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
if err = am.Store.SaveAccount(account); err != nil {
return nil, err
}
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
defer func() {
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
// store activity logs
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
if oldUser.Role != newUser.Role {
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
am.storeEvent(initiatorUserID, oldUser.Id, accountID, activity.UserRoleUpdated, map[string]any{"role": newUser.Role})
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
if update.AutoGroups != nil {
removedGroups := difference(oldUser.AutoGroups, update.AutoGroups)
addedGroups := difference(newUser.AutoGroups, oldUser.AutoGroups)
for _, g := range removedGroups {
group := account.GetGroup(g)
if group != nil {
am.storeEvent(initiatorUserID, oldUser.Id, accountID, activity.GroupRemovedFromUser,
map[string]any{"group": group.Name, "group_id": group.ID, "is_service_user": newUser.IsServiceUser, "user_name": newUser.ServiceUserName})
} else {
log.Errorf("group %s not found while saving user activity event of account %s", g, account.Id)
}
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
}
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
for _, g := range addedGroups {
group := account.GetGroup(g)
if group != nil {
am.storeEvent(initiatorUserID, oldUser.Id, accountID, activity.GroupAddedToUser,
map[string]any{"group": group.Name, "group_id": group.ID, "is_service_user": newUser.IsServiceUser, "user_name": newUser.ServiceUserName})
}
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
}
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
}()
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if !isNil(am.idpManager) && !newUser.IsServiceUser {
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
userData, err := am.lookupUserInCache(newUser.Id, account)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
if err != nil {
return nil, err
}
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
if userData == nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, status.Errorf(status.NotFound, "user %s not found in the IdP", newUser.Id)
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
return newUser.ToUserInfo(userData)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
return newUser.ToUserInfo(nil)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
// GetOrCreateAccountByUser returns an existing account for a given user id or creates a new one if doesn't exist
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
func (am *DefaultAccountManager) GetOrCreateAccountByUser(userID, domain string) (*Account, error) {
unlock := am.Store.AcquireGlobalLock()
defer unlock()
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
Group users of same private domain (#243) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com>
2022-03-01 15:22:18 +01:00
lowerDomain := strings.ToLower(domain)
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
account, err := am.Store.GetAccountByUser(userID)
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
account, err = am.newAccount(userID, lowerDomain)
Check if new account ID is already being used (#364)
2022-06-20 18:20:43 +02:00
if err != nil {
return nil, err
}
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
err = am.Store.SaveAccount(account)
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, err
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
}
} else {
// other error
return nil, err
}
}
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
userObj := account.Users[userID]
Check if new account ID is already being used (#364)
2022-06-20 18:20:43 +02:00
if account.Domain != lowerDomain && userObj.Role == UserRoleAdmin {
Group users of same private domain (#243) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com>
2022-03-01 15:22:18 +01:00
account.Domain = lowerDomain
Store domain information (#217) * extract claim information from JWT * get account function * Store domain * tests missing domain * update existing account with domain * add store domain tests
2022-02-11 17:18:18 +01:00
err = am.Store.SaveAccount(account)
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, status.Errorf(status.Internal, "failed updating account with domain")
Store domain information (#217) * extract claim information from JWT * get account function * Store domain * tests missing domain * update existing account with domain * add store domain tests
2022-02-11 17:18:18 +01:00
}
}
Refactor: support multiple users under the same account (#170) * feature: add User entity to Account * test: new file store creation test * test: add FileStore persist-restore tests * test: add GetOrCreateAccountByUser Accountmanager test * refactor: rename account manager users file * refactor: use userId instead of accountId when handling Management HTTP API * fix: new account creation for every request * fix: golint * chore: add account creator to Account Entity to identify who created the account. * chore: use xid ID generator for account IDs * fix: test failures * test: check that CreatedBy is stored when account is stored * chore: add account copy method * test: remove test for non existent GetOrCreateAccount func * chore: add accounts conversion function * fix: golint * refactor: simplify admin user creation * refactor: move migration script to a separate package
2021-12-27 13:17:15 +01:00
return account, nil
}
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
// GetUsersFromAccount performs a batched request for users from IDP by account ID apply filter on what data to return
// based on provided user role.
func (am *DefaultAccountManager) GetUsersFromAccount(accountID, userID string) ([]*UserInfo, error) {
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
account, err := am.Store.GetAccount(accountID)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
if err != nil {
return nil, err
}
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
user, err := account.FindUser(userID)
if err != nil {
return nil, err
}
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
queriedUsers := make([]*idp.UserData, 0)
if !isNil(am.idpManager) {
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
users := make(map[string]struct{}, len(account.Users))
for _, user := range account.Users {
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
if !user.IsServiceUser {
users[user.Id] = struct{}{}
}
Super user invites (#483) This PR brings user invites logic to the Management service via HTTP API. The POST /users/ API endpoint creates a new user in the Idp and then in the local storage. Once the invited user signs ups, the account invitation is redeemed. There are a few limitations. This works only with an enabled IdP manager. Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
}
queriedUsers, err = am.lookupCache(users, accountID)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
if err != nil {
return nil, err
}
}
userInfos := make([]*UserInfo, 0)
// in case of self-hosted, or IDP doesn't return anything, we will return the locally stored userInfo
if len(queriedUsers) == 0 {
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
for _, accountUser := range account.Users {
if !user.IsAdmin() && user.Id != accountUser.Id {
// if user is not an admin then show only current user and do not show other users
continue
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
info, err := accountUser.ToUserInfo(nil)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
if err != nil {
return nil, err
}
userInfos = append(userInfos, info)
}
return userInfos, nil
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
for _, localUser := range account.Users {
if !user.IsAdmin() && user.Id != localUser.Id {
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
// if user is not an admin then show only current user and do not show other users
continue
}
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
var info *UserInfo
if queriedUser, contains := findUserInIDPUserdata(localUser.Id, queriedUsers); contains {
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
info, err = localUser.ToUserInfo(queriedUser)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
if err != nil {
return nil, err
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
} else {
name := ""
if localUser.IsServiceUser {
name = localUser.ServiceUserName
}
info = &UserInfo{
ID: localUser.Id,
Email: "",
Name: name,
Role: string(localUser.Role),
AutoGroups: localUser.AutoGroups,
Status: string(UserStatusActive),
IsServiceUser: localUser.IsServiceUser,
}
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
userInfos = append(userInfos, info)
Add auto-assign groups to the User API (#467)
2022-09-22 09:06:32 +02:00
}
return userInfos, nil
}
Merging full service user feature into main (#819) Merging full feature branch into main. Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
func findUserInIDPUserdata(userID string, userData []*idp.UserData) (*idp.UserData, bool) {
for _, user := range userData {
if user.ID == userID {
return user, true
}
}
return nil, false
}
Reference in New Issue Copy Permalink