[management] add permissions manager to geolocation handler (#3665)

2025-06-20 17:58:02 +02:00 · 2025-04-14 17:57:58 +01:00 · 2025-04-14 17:57:58 +01:00 · 4134b857b4
commit 4134b857b4
parent 7839d2c169
5 changed files with 32 additions and 12 deletions
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@ -83,6 +83,8 @@ func NewAPIHandler(
 	users.AddEndpoints(accountManager, router)
 	setup_keys.AddEndpoints(accountManager, router)
 	policies.AddEndpoints(accountManager, LocationManager, router)
 	policies.AddPostureCheckEndpoints(accountManager, LocationManager, router)
 	policies.AddLocationsEndpoints(accountManager, LocationManager, permissionsManager, router)
 	groups.AddEndpoints(accountManager, router)
 	routes.AddEndpoints(accountManager, router)
 	dns.AddEndpoints(accountManager, router)
--- a/management/server/http/handlers/policies/geolocation_handler_test.go
+++ b/management/server/http/handlers/policies/geolocation_handler_test.go
@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"testing"
 	"github.com/golang/mock/gomock"
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
@ -17,6 +18,9 @@ import (
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/util"
 )
@ -41,6 +45,14 @@ func initGeolocationTestData(t *testing.T) *geolocationsHandler {
 	assert.NoError(t, err)
 	t.Cleanup(func() { _ = geo.Stop() })
 	ctrl := gomock.NewController(t)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 	permissionsManagerMock.
 		EXPECT().
 		ValidateUserPermissions(gomock.Any(), gomock.Any(), gomock.Any(), modules.Policies, operations.Read).
 		Return(true, nil).
 		AnyTimes()
 	return &geolocationsHandler{
 		accountManager: &mock_server.MockAccountManager{
 			GetUserByIDFunc: func(ctx context.Context, id string) (*types.User, error) {
@ -48,6 +60,7 @@ func initGeolocationTestData(t *testing.T) *geolocationsHandler {
 			},
 		},
 		geolocationManager: geo,
 		permissionsManager: permissionsManagerMock,
 	}
 }
--- a/management/server/http/handlers/policies/geolocations_handler.go
+++ b/management/server/http/handlers/policies/geolocations_handler.go
@ -11,6 +11,9 @@ import (
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/status"
 )
@ -22,19 +25,21 @@ var (
 type geolocationsHandler struct {
 	accountManager     account.Manager
 	geolocationManager geolocation.Geolocation
 	permissionsManager permissions.Manager
 }
-func addLocationsEndpoint(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) {
+func AddLocationsEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, permissionsManager permissions.Manager, router *mux.Router) {
-	locationHandler := newGeolocationsHandlerHandler(accountManager, locationManager)
+	locationHandler := newGeolocationsHandlerHandler(accountManager, locationManager, permissionsManager)
 	router.HandleFunc("/locations/countries", locationHandler.getAllCountries).Methods("GET", "OPTIONS")
 	router.HandleFunc("/locations/countries/{country}/cities", locationHandler.getCitiesByCountry).Methods("GET", "OPTIONS")
 }
 // newGeolocationsHandlerHandler creates a new Geolocations handler
-func newGeolocationsHandlerHandler(accountManager account.Manager, geolocationManager geolocation.Geolocation) *geolocationsHandler {
+func newGeolocationsHandlerHandler(accountManager account.Manager, geolocationManager geolocation.Geolocation, permissionsManager permissions.Manager) *geolocationsHandler {
 	return &geolocationsHandler{
 		accountManager:     accountManager,
 		geolocationManager: geolocationManager,
 		permissionsManager: permissionsManager,
 	}
 }
@ -98,20 +103,22 @@ func (l *geolocationsHandler) getCitiesByCountry(w http.ResponseWriter, r *http.
 }
 func (l *geolocationsHandler) authenticateUser(r *http.Request) error {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	ctx := r.Context()
 	userAuth, err := nbcontext.GetUserAuthFromContext(ctx)
 	if err != nil {
 		return err
 	}
-	_, userID := userAuth.AccountId, userAuth.UserId
+	accountID, userID := userAuth.AccountId, userAuth.UserId
-	user, err := l.accountManager.GetUserByID(r.Context(), userID)
+	allowed, err := l.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
 	if err != nil {
-		return err
+		return status.NewPermissionValidationError(err)
 	}
-	if !user.HasAdminPower() {
+	if !allowed {
-		return status.Errorf(status.PermissionDenied, "user is not allowed to perform this action")
+		return status.NewPermissionDeniedError()
 	}
 	return nil
 }
--- a/management/server/http/handlers/policies/policies_handler.go
+++ b/management/server/http/handlers/policies/policies_handler.go
@ -28,7 +28,6 @@ func AddEndpoints(accountManager account.Manager, locationManager geolocation.Ge
 	router.HandleFunc("/policies/{policyId}", policiesHandler.updatePolicy).Methods("PUT", "OPTIONS")
 	router.HandleFunc("/policies/{policyId}", policiesHandler.getPolicy).Methods("GET", "OPTIONS")
 	router.HandleFunc("/policies/{policyId}", policiesHandler.deletePolicy).Methods("DELETE", "OPTIONS")
 	addPostureCheckEndpoint(accountManager, locationManager, router)
 }
 // newHandler creates a new policies handler
--- a/management/server/http/handlers/policies/posture_checks_handler.go
+++ b/management/server/http/handlers/policies/posture_checks_handler.go
@ -21,14 +21,13 @@ type postureChecksHandler struct {
 	geolocationManager geolocation.Geolocation
 }
-func addPostureCheckEndpoint(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) {
+func AddPostureCheckEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) {
 	postureCheckHandler := newPostureChecksHandler(accountManager, locationManager)
 	router.HandleFunc("/posture-checks", postureCheckHandler.getAllPostureChecks).Methods("GET", "OPTIONS")
 	router.HandleFunc("/posture-checks", postureCheckHandler.createPostureCheck).Methods("POST", "OPTIONS")
 	router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.updatePostureCheck).Methods("PUT", "OPTIONS")
 	router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.getPostureCheck).Methods("GET", "OPTIONS")
 	router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.deletePostureCheck).Methods("DELETE", "OPTIONS")
 	addLocationsEndpoint(accountManager, locationManager, router)
 }
 // newPostureChecksHandler creates a new PostureChecks handler