diff --git a/management/server/http/handler.go b/management/server/http/handler.go index 4e2faae4b..483bb989a 100644 --- a/management/server/http/handler.go +++ b/management/server/http/handler.go @@ -83,6 +83,8 @@ func NewAPIHandler( users.AddEndpoints(accountManager, router) setup_keys.AddEndpoints(accountManager, router) policies.AddEndpoints(accountManager, LocationManager, router) + policies.AddPostureCheckEndpoints(accountManager, LocationManager, router) + policies.AddLocationsEndpoints(accountManager, LocationManager, permissionsManager, router) groups.AddEndpoints(accountManager, router) routes.AddEndpoints(accountManager, router) dns.AddEndpoints(accountManager, router) diff --git a/management/server/http/handlers/policies/geolocation_handler_test.go b/management/server/http/handlers/policies/geolocation_handler_test.go index fbdc324d6..b7b53f53f 100644 --- a/management/server/http/handlers/policies/geolocation_handler_test.go +++ b/management/server/http/handlers/policies/geolocation_handler_test.go @@ -10,6 +10,7 @@ import ( "path/filepath" "testing" + "github.com/golang/mock/gomock" "github.com/gorilla/mux" "github.com/stretchr/testify/assert" @@ -17,6 +18,9 @@ import ( "github.com/netbirdio/netbird/management/server/geolocation" "github.com/netbirdio/netbird/management/server/http/api" "github.com/netbirdio/netbird/management/server/mock_server" + "github.com/netbirdio/netbird/management/server/permissions" + "github.com/netbirdio/netbird/management/server/permissions/modules" + "github.com/netbirdio/netbird/management/server/permissions/operations" "github.com/netbirdio/netbird/management/server/types" "github.com/netbirdio/netbird/util" ) 
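Review bot: AddPostureCheckEndpoints is wired here without permissionsManager while the neighbouring AddLocationsEndpoints receives it, so the two handlers in the policies package are now set up to authorize callers differently; the posture_checks_handler.go hunk confirms that its signature still lacks the parameter. If the posture-check routes are meant to keep their previous check for now, a short comment at this call site would stop the next reader from treating it as an omission, e.g. `// posture-check routes are not yet migrated to permissionsManager`. If it is not intentional, the posture-check handler should take the same permissionsManager before this lands. The body of NewAPIHandler starts and ends outside the hunk.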
@@ -41,6 +45,14 @@ func initGeolocationTestData(t *testing.T) *geolocationsHandler { assert.NoError(t, err) t.Cleanup(func() { _ = geo.Stop() }) + ctrl := gomock.NewController(t) + permissionsManagerMock := permissions.NewMockManager(ctrl) + permissionsManagerMock. + EXPECT(). + ValidateUserPermissions(gomock.Any(), gomock.Any(), gomock.Any(), modules.Policies, operations.Read). + Return(true, nil). + AnyTimes() + return &geolocationsHandler{ accountManager: &mock_server.MockAccountManager{ GetUserByIDFunc: func(ctx context.Context, id string) (*types.User, error) { @@ -48,6 +60,7 @@ func initGeolocationTestData(t *testing.T) *geolocationsHandler { }, }, geolocationManager: geo, + permissionsManager: permissionsManagerMock, } } diff --git a/management/server/http/handlers/policies/geolocations_handler.go b/management/server/http/handlers/policies/geolocations_handler.go index fb19887dc..84c8ea0aa 100644 --- a/management/server/http/handlers/policies/geolocations_handler.go +++ b/management/server/http/handlers/policies/geolocations_handler.go @@ -11,6 +11,9 @@ import ( "github.com/netbirdio/netbird/management/server/geolocation" "github.com/netbirdio/netbird/management/server/http/api" "github.com/netbirdio/netbird/management/server/http/util" + "github.com/netbirdio/netbird/management/server/permissions" + "github.com/netbirdio/netbird/management/server/permissions/modules" + "github.com/netbirdio/netbird/management/server/permissions/operations" "github.com/netbirdio/netbird/management/server/status" ) 
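Review bot: The permissions mock built in initGeolocationTestData answers `true, nil` for any account and user with AnyTimes(), so every test that uses this fixture exercises only the allowed path of authenticateUser; the denied branch (ValidateUserPermissions returning false) and the validation-error branch get no coverage from this setup. A fixture parameter, or a second helper that installs a mock returning `false, nil` and one returning an error, would let the handler tests assert the forbidden and error responses. The GetUserByIDFunc stub kept on the account manager mock no longer serves authenticateUser after this change; keep it only if something else in this package still calls it. initGeolocationTestData starts outside the hunk.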
@@ -22,19 +25,21 @@ var ( type geolocationsHandler struct { accountManager account.Manager geolocationManager geolocation.Geolocation + permissionsManager permissions.Manager } -func addLocationsEndpoint(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) { - locationHandler := newGeolocationsHandlerHandler(accountManager, locationManager) +func AddLocationsEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, permissionsManager permissions.Manager, router *mux.Router) { + locationHandler := newGeolocationsHandlerHandler(accountManager, locationManager, permissionsManager) router.HandleFunc("/locations/countries", locationHandler.getAllCountries).Methods("GET", "OPTIONS") router.HandleFunc("/locations/countries/{country}/cities", locationHandler.getCitiesByCountry).Methods("GET", "OPTIONS") } // newGeolocationsHandlerHandler creates a new Geolocations handler -func newGeolocationsHandlerHandler(accountManager account.Manager, geolocationManager geolocation.Geolocation) *geolocationsHandler { +func newGeolocationsHandlerHandler(accountManager account.Manager, geolocationManager geolocation.Geolocation, permissionsManager permissions.Manager) *geolocationsHandler { return &geolocationsHandler{ accountManager: accountManager, geolocationManager: geolocationManager, + permissionsManager: permissionsManager, } } 
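Review bot: AddLocationsEndpoints becomes exported here but carries no doc comment, and the same applies to AddPostureCheckEndpoints in the posture_checks_handler.go hunk; Go's convention is a comment that starts with the name. Suggested: `// AddLocationsEndpoints registers the /locations/countries routes on router; callers are checked through permissionsManager before any data is returned.` and, for the other, `// AddPostureCheckEndpoints registers the /posture-checks routes on router.` The comment on newGeolocationsHandlerHandler could also state that permissionsManager must be non-nil, since nothing here validates it and a nil value would only surface as a panic when the first request reaches ValidateUserPermissions.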
@@ -98,20 +103,22 @@ func (l *geolocationsHandler) getCitiesByCountry(w http.ResponseWriter, r *http. } func (l *geolocationsHandler) authenticateUser(r *http.Request) error { - userAuth, err := nbcontext.GetUserAuthFromContext(r.Context()) + ctx := r.Context() + + userAuth, err := nbcontext.GetUserAuthFromContext(ctx) if err != nil { return err } - _, userID := userAuth.AccountId, userAuth.UserId + accountID, userID := userAuth.AccountId, userAuth.UserId - user, err := l.accountManager.GetUserByID(r.Context(), userID) + allowed, err := l.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read) if err != nil { - return err + return status.NewPermissionValidationError(err) } - if !user.HasAdminPower() { - return status.Errorf(status.PermissionDenied, "user is not allowed to perform this action") + if !allowed { + return status.NewPermissionDeniedError() } return nil } diff --git a/management/server/http/handlers/policies/policies_handler.go b/management/server/http/handlers/policies/policies_handler.go index 01a09842a..02db2a13a 100644 --- a/management/server/http/handlers/policies/policies_handler.go +++ b/management/server/http/handlers/policies/policies_handler.go @@ -28,7 +28,6 @@ func AddEndpoints(accountManager account.Manager, locationManager geolocation.Ge router.HandleFunc("/policies/{policyId}", policiesHandler.updatePolicy).Methods("PUT", "OPTIONS") router.HandleFunc("/policies/{policyId}", policiesHandler.getPolicy).Methods("GET", "OPTIONS") router.HandleFunc("/policies/{policyId}", policiesHandler.deletePolicy).Methods("DELETE", "OPTIONS") - addPostureCheckEndpoint(accountManager, locationManager, router) } // newHandler creates a new policies handler diff --git a/management/server/http/handlers/policies/posture_checks_handler.go b/management/server/http/handlers/policies/posture_checks_handler.go index b99649dbc..310a1a2f9 100644 --- a/management/server/http/handlers/policies/posture_checks_handler.go 
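Review bot: authenticateUser now makes an authorization decision rather than authenticating, and that decision moves from requiring admin power to requiring read access on modules.Policies, which may admit callers the previous check rejected; neither the name nor any comment records this. A doc comment would make the widened scope visible and deliberate, e.g. `// authenticateUser resolves the caller from the request context and requires read permission on the policies module; it returns a permission error otherwise.` With the GetUserByID call gone, l.accountManager is no longer used in this method; if getAllCountries and getCitiesByCountry do not use it either, the field and constructor argument could be dropped, but those bodies are outside the hunk.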
+++ b/management/server/http/handlers/policies/posture_checks_handler.go @@ -21,14 +21,13 @@ type postureChecksHandler struct { geolocationManager geolocation.Geolocation } -func addPostureCheckEndpoint(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) { +func AddPostureCheckEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) { postureCheckHandler := newPostureChecksHandler(accountManager, locationManager) router.HandleFunc("/posture-checks", postureCheckHandler.getAllPostureChecks).Methods("GET", "OPTIONS") router.HandleFunc("/posture-checks", postureCheckHandler.createPostureCheck).Methods("POST", "OPTIONS") router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.updatePostureCheck).Methods("PUT", "OPTIONS") router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.getPostureCheck).Methods("GET", "OPTIONS") router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.deletePostureCheck).Methods("DELETE", "OPTIONS") - addLocationsEndpoint(accountManager, locationManager, router) } // newPostureChecksHandler creates a new PostureChecks handler