mirror of
https://github.com/netbirdio/netbird.git
synced 2025-06-20 09:47:49 +02:00
[management] permission manager validate account access (#3444)
This commit is contained in:
Pedro Maia Costa
GitHub
parent
21464ac770
commit
cbec7bda80
@ -12,6 +12,7 @@ import (
|
|||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -91,13 +92,13 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
|
|||||||
|
|
||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
|
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
|
|
||||||
accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -49,6 +49,7 @@ import (
|
|||||||
"github.com/netbirdio/netbird/management/server"
|
"github.com/netbirdio/netbird/management/server"
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -1438,6 +1439,8 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
|
|||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
@ -1446,7 +1449,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
|
|||||||
Return(&types.Settings{}, nil).
|
Return(&types.Settings{}, nil).
|
||||||
AnyTimes()
|
AnyTimes()
|
||||||
|
|
||||||
accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, "", err
|
return nil, "", err
|
||||||
}
|
}
|
||||||
|
|||||||
@ -9,10 +9,11 @@ import (
|
|||||||
|
|
||||||
"github.com/golang/mock/gomock"
|
"github.com/golang/mock/gomock"
|
||||||
"github.com/netbirdio/management-integrations/integrations"
|
"github.com/netbirdio/management-integrations/integrations"
|
||||||
log "github.com/sirupsen/logrus"
|
|
||||||
"github.com/stretchr/testify/assert"
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"go.opentelemetry.io/otel"
|
"go.opentelemetry.io/otel"
|
||||||
|
|
||||||
|
log "github.com/sirupsen/logrus"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
"google.golang.org/grpc/keepalive"
|
"google.golang.org/grpc/keepalive"
|
||||||
|
|
||||||
@ -23,6 +24,7 @@ import (
|
|||||||
"github.com/netbirdio/netbird/management/server"
|
"github.com/netbirdio/netbird/management/server"
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -198,11 +200,12 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
|
|||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
|
|
||||||
accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, "", err
|
return nil, "", err
|
||||||
}
|
}
|
||||||
|
|||||||
2
go.mod
2
go.mod
@ -62,7 +62,7 @@ require (
|
|||||||
github.com/miekg/dns v1.1.59
|
github.com/miekg/dns v1.1.59
|
||||||
github.com/mitchellh/hashstructure/v2 v2.0.2
|
github.com/mitchellh/hashstructure/v2 v2.0.2
|
||||||
github.com/nadoo/ipset v0.5.0
|
github.com/nadoo/ipset v0.5.0
|
||||||
github.com/netbirdio/management-integrations/integrations v0.0.0-20250327214345-49bce94ab4d7
|
github.com/netbirdio/management-integrations/integrations v0.0.0-20250330143713-7901e0a82203
|
||||||
github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20241010133937-e0df50df217d
|
github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20241010133937-e0df50df217d
|
||||||
github.com/okta/okta-sdk-golang/v2 v2.18.0
|
github.com/okta/okta-sdk-golang/v2 v2.18.0
|
||||||
github.com/oschwald/maxminddb-golang v1.12.0
|
github.com/oschwald/maxminddb-golang v1.12.0
|
||||||
|
|||||||
4
go.sum
4
go.sum
@ -490,8 +490,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
|
|||||||
github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
|
github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
|
||||||
github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
|
github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
|
||||||
github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
|
github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
|
||||||
github.com/netbirdio/management-integrations/integrations v0.0.0-20250327214345-49bce94ab4d7 h1:Quma+ju/eiI6/p6XcHO9rBUtj4gdBPyA6AVIBym6Q0Y=
|
github.com/netbirdio/management-integrations/integrations v0.0.0-20250330143713-7901e0a82203 h1:uxxbLPXQgC9VO15epNPtrD6zazyd5rZeqC5hQSmCdZU=
|
||||||
github.com/netbirdio/management-integrations/integrations v0.0.0-20250327214345-49bce94ab4d7/go.mod h1:3LvBPnW+i06K9fQr1SYwsbhvnxQHtIC8vvO4PjLmmy0=
|
github.com/netbirdio/management-integrations/integrations v0.0.0-20250330143713-7901e0a82203/go.mod h1:2ZE6/tBBCKHQggPfO2UOQjyjXI7k+JDVl2ymorTOVQs=
|
||||||
github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
|
github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
|
||||||
github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
|
github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
|
||||||
github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20241010133937-e0df50df217d h1:bRq5TKgC7Iq20pDiuC54yXaWnAVeS5PdGpSokFTlR28=
|
github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20241010133937-e0df50df217d h1:bRq5TKgC7Iq20pDiuC54yXaWnAVeS5PdGpSokFTlR28=
|
||||||
|
|||||||
@ -14,6 +14,7 @@ import (
|
|||||||
"github.com/netbirdio/netbird/client/system"
|
"github.com/netbirdio/netbird/client/system"
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -74,6 +75,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
|
|||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
@ -87,7 +89,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
|
|||||||
Return(&types.Settings{}, nil).
|
Return(&types.Settings{}, nil).
|
||||||
AnyTimes()
|
AnyTimes()
|
||||||
|
|
||||||
accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -52,7 +52,6 @@ import (
|
|||||||
"github.com/netbirdio/netbird/management/server/networks"
|
"github.com/netbirdio/netbird/management/server/networks"
|
||||||
"github.com/netbirdio/netbird/management/server/networks/resources"
|
"github.com/netbirdio/netbird/management/server/networks/resources"
|
||||||
"github.com/netbirdio/netbird/management/server/networks/routers"
|
"github.com/netbirdio/netbird/management/server/networks/routers"
|
||||||
"github.com/netbirdio/netbird/management/server/permissions"
|
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -203,15 +202,14 @@ var (
|
|||||||
return fmt.Errorf("failed to initialize integrated peer validator: %v", err)
|
return fmt.Errorf("failed to initialize integrated peer validator: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsManager := integrations.InitPermissionsManager(store)
|
||||||
userManager := users.NewManager(store)
|
userManager := users.NewManager(store)
|
||||||
extraSettingsManager := integrations.NewManager(eventStore)
|
extraSettingsManager := integrations.NewManager(eventStore)
|
||||||
settingsManager := settings.NewManager(store, userManager, extraSettingsManager)
|
settingsManager := settings.NewManager(store, userManager, extraSettingsManager, permissionsManager)
|
||||||
permissionsManager := permissions.NewManager(userManager, settingsManager)
|
|
||||||
peersManager := peers.NewManager(store, permissionsManager)
|
peersManager := peers.NewManager(store, permissionsManager)
|
||||||
proxyController := integrations.NewController(store)
|
proxyController := integrations.NewController(store)
|
||||||
|
|
||||||
accountManager, err := server.BuildManager(ctx, store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain,
|
accountManager, err := server.BuildManager(ctx, store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain,
|
||||||
dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager)
|
dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to build default manager: %v", err)
|
return fmt.Errorf("failed to build default manager: %v", err)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -29,6 +29,7 @@ import (
|
|||||||
"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
|
"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/posture"
|
"github.com/netbirdio/netbird/management/server/posture"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/status"
|
"github.com/netbirdio/netbird/management/server/status"
|
||||||
@ -89,6 +90,8 @@ type DefaultAccountManager struct {
|
|||||||
integratedPeerValidator integrated_validator.IntegratedValidator
|
integratedPeerValidator integrated_validator.IntegratedValidator
|
||||||
|
|
||||||
metrics telemetry.AppMetrics
|
metrics telemetry.AppMetrics
|
||||||
|
|
||||||
|
permissionsManager permissions.Manager
|
||||||
}
|
}
|
||||||
|
|
||||||
// getJWTGroupsChanges calculates the changes needed to sync a user's JWT groups.
|
// getJWTGroupsChanges calculates the changes needed to sync a user's JWT groups.
|
||||||
@ -156,6 +159,7 @@ func BuildManager(
|
|||||||
metrics telemetry.AppMetrics,
|
metrics telemetry.AppMetrics,
|
||||||
proxyController port_forwarding.Controller,
|
proxyController port_forwarding.Controller,
|
||||||
settingsManager settings.Manager,
|
settingsManager settings.Manager,
|
||||||
|
permissionsManager permissions.Manager,
|
||||||
) (*DefaultAccountManager, error) {
|
) (*DefaultAccountManager, error) {
|
||||||
start := time.Now()
|
start := time.Now()
|
||||||
defer func() {
|
defer func() {
|
||||||
@ -180,6 +184,7 @@ func BuildManager(
|
|||||||
requestBuffer: NewAccountRequestBuffer(ctx, store),
|
requestBuffer: NewAccountRequestBuffer(ctx, store),
|
||||||
proxyController: proxyController,
|
proxyController: proxyController,
|
||||||
settingsManager: settingsManager,
|
settingsManager: settingsManager,
|
||||||
|
permissionsManager: permissionsManager,
|
||||||
}
|
}
|
||||||
accountsCounter, err := store.GetAccountsCounter(ctx)
|
accountsCounter, err := store.GetAccountsCounter(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -253,13 +258,13 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := account.FindUser(userID)
|
allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Settings, permissions.Write)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, fmt.Errorf("failed to validate user permissions: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !allowed {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "user is not allowed to update account")
|
return nil, status.NewPermissionDeniedError()
|
||||||
}
|
}
|
||||||
|
|
||||||
err = am.integratedPeerValidator.ValidateExtraSettings(ctx, newSettings.Extra, account.Settings.Extra, account.Peers, userID, accountID)
|
err = am.integratedPeerValidator.ValidateExtraSettings(ctx, newSettings.Extra, account.Settings.Extra, account.Peers, userID, accountID)
|
||||||
@ -503,16 +508,12 @@ func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, u
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := account.FindUser(userID)
|
allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Accounts, permissions.Write)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return fmt.Errorf("failed to validate user permissions: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !allowed {
|
||||||
return status.Errorf(status.PermissionDenied, "user is not allowed to delete account")
|
|
||||||
}
|
|
||||||
|
|
||||||
if user.Role != types.UserRoleOwner {
|
|
||||||
return status.Errorf(status.PermissionDenied, "user is not allowed to delete account. Only account owner can delete account")
|
return status.Errorf(status.PermissionDenied, "user is not allowed to delete account. Only account owner can delete account")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -542,14 +543,12 @@ func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, u
|
|||||||
}
|
}
|
||||||
|
|
||||||
userInfo, ok := userInfosMap[userID]
|
userInfo, ok := userInfosMap[userID]
|
||||||
if !ok {
|
if ok {
|
||||||
return status.Errorf(status.NotFound, "user info not found for user %s", userID)
|
_, err = am.deleteRegularUser(ctx, accountID, userID, userInfo)
|
||||||
}
|
if err != nil {
|
||||||
|
log.WithContext(ctx).Errorf("failed deleting user %s. error: %s", userID, err)
|
||||||
_, err = am.deleteRegularUser(ctx, accountID, userID, userInfo)
|
return err
|
||||||
if err != nil {
|
}
|
||||||
log.WithContext(ctx).Errorf("failed deleting user %s. error: %s", userID, err)
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
err = am.Store.DeleteAccount(ctx, account)
|
err = am.Store.DeleteAccount(ctx, account)
|
||||||
@ -1027,8 +1026,8 @@ func (am *DefaultAccountManager) GetAccountByID(ctx context.Context, accountID s
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "the user has no permission to access account data")
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return am.Store.GetAccount(ctx, accountID)
|
return am.Store.GetAccount(ctx, accountID)
|
||||||
@ -1061,8 +1060,8 @@ func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, u
|
|||||||
return accountID, user.Id, nil
|
return accountID, user.Id, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return "", "", status.Errorf(status.PermissionDenied, "user %s is not part of the account %s", userAuth.UserId, accountID)
|
return "", "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.IsServiceUser && userAuth.Invited {
|
if !user.IsServiceUser && userAuth.Invited {
|
||||||
@ -1521,7 +1520,11 @@ func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, account
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID || (!user.HasAdminPower() && !user.IsServiceUser) {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !user.HasAdminPower() && !user.IsServiceUser {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "the user has no permission to access account data")
|
return nil, status.Errorf(status.PermissionDenied, "the user has no permission to access account data")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1606,3 +1609,113 @@ func separateGroups(autoGroups []string, allGroups []*types.Group) ([]string, ma
|
|||||||
func (am *DefaultAccountManager) GetStore() store.Store {
|
func (am *DefaultAccountManager) GetStore() store.Store {
|
||||||
return am.Store
|
return am.Store
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Creates account by private domain.
|
||||||
|
// Expects domain value to be a valid and a private dns domain.
|
||||||
|
func (am *DefaultAccountManager) CreateAccountByPrivateDomain(ctx context.Context, initiatorId, domain string) (*types.Account, error) {
|
||||||
|
cancel := am.Store.AcquireGlobalLock(ctx)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
domain = strings.ToLower(domain)
|
||||||
|
|
||||||
|
count, err := am.Store.CountAccountsByPrivateDomain(ctx, domain)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if count > 0 {
|
||||||
|
return nil, status.Errorf(status.InvalidArgument, "account with private domain already exists")
|
||||||
|
}
|
||||||
|
|
||||||
|
// retry twice for new ID clashes
|
||||||
|
for range 2 {
|
||||||
|
accountId := xid.New().String()
|
||||||
|
|
||||||
|
exists, err := am.Store.AccountExists(ctx, store.LockingStrengthShare, accountId)
|
||||||
|
if err != nil || exists {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
network := types.NewNetwork()
|
||||||
|
peers := make(map[string]*nbpeer.Peer)
|
||||||
|
users := make(map[string]*types.User)
|
||||||
|
routes := make(map[route.ID]*route.Route)
|
||||||
|
setupKeys := map[string]*types.SetupKey{}
|
||||||
|
nameServersGroups := make(map[string]*nbdns.NameServerGroup)
|
||||||
|
|
||||||
|
dnsSettings := types.DNSSettings{
|
||||||
|
DisabledManagementGroups: make([]string, 0),
|
||||||
|
}
|
||||||
|
|
||||||
|
newAccount := &types.Account{
|
||||||
|
Id: accountId,
|
||||||
|
CreatedAt: time.Now().UTC(),
|
||||||
|
SetupKeys: setupKeys,
|
||||||
|
Network: network,
|
||||||
|
Peers: peers,
|
||||||
|
Users: users,
|
||||||
|
// @todo check if using the MSP owner id here is ok
|
||||||
|
CreatedBy: initiatorId,
|
||||||
|
Domain: domain,
|
||||||
|
DomainCategory: types.PrivateCategory,
|
||||||
|
IsDomainPrimaryAccount: false,
|
||||||
|
Routes: routes,
|
||||||
|
NameServerGroups: nameServersGroups,
|
||||||
|
DNSSettings: dnsSettings,
|
||||||
|
Settings: &types.Settings{
|
||||||
|
PeerLoginExpirationEnabled: true,
|
||||||
|
PeerLoginExpiration: types.DefaultPeerLoginExpiration,
|
||||||
|
GroupsPropagationEnabled: true,
|
||||||
|
RegularUsersViewBlocked: true,
|
||||||
|
|
||||||
|
PeerInactivityExpirationEnabled: false,
|
||||||
|
PeerInactivityExpiration: types.DefaultPeerInactivityExpiration,
|
||||||
|
RoutingPeerDNSResolutionEnabled: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := newAccount.AddAllGroup(); err != nil {
|
||||||
|
return nil, status.Errorf(status.Internal, "failed to add all group to new account by private domain")
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := am.Store.SaveAccount(ctx, newAccount); err != nil {
|
||||||
|
log.WithContext(ctx).Errorf("failed to save new account %s by private domain: %v", newAccount.Id, err)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
am.StoreEvent(ctx, initiatorId, newAccount.Id, accountId, activity.AccountCreated, nil)
|
||||||
|
return newAccount, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, status.Errorf(status.Internal, "failed to create new account by private domain")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (am *DefaultAccountManager) UpdateToPrimaryAccount(ctx context.Context, accountId string) (*types.Account, error) {
|
||||||
|
account, err := am.Store.GetAccount(ctx, accountId)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if account.IsDomainPrimaryAccount {
|
||||||
|
return account, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// additional check to ensure there is only one account for this domain at the time of update
|
||||||
|
count, err := am.Store.CountAccountsByPrivateDomain(ctx, account.Domain)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if count > 1 {
|
||||||
|
return nil, status.Errorf(status.Internal, "more than one account exists with the same private domain")
|
||||||
|
}
|
||||||
|
|
||||||
|
account.IsDomainPrimaryAccount = true
|
||||||
|
|
||||||
|
if err := am.Store.SaveAccount(ctx, account); err != nil {
|
||||||
|
log.WithContext(ctx).Errorf("failed to update primary account %s by private domain: %v", account.Id, err)
|
||||||
|
return nil, status.Errorf(status.Internal, "failed to update primary account %s by private domain", account.Id)
|
||||||
|
}
|
||||||
|
|
||||||
|
return account, nil
|
||||||
|
}
|
||||||
|
|||||||
@ -111,4 +111,7 @@ type Manager interface {
|
|||||||
BuildUserInfosForAccount(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
|
BuildUserInfosForAccount(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
|
||||||
SyncUserJWTGroups(ctx context.Context, userAuth nbcontext.UserAuth) error
|
SyncUserJWTGroups(ctx context.Context, userAuth nbcontext.UserAuth) error
|
||||||
GetStore() store.Store
|
GetStore() store.Store
|
||||||
|
CreateAccountByPrivateDomain(ctx context.Context, initiatorId, domain string) (*types.Account, error)
|
||||||
|
UpdateToPrimaryAccount(ctx context.Context, accountId string) (*types.Account, error)
|
||||||
|
GetOwnerInfo(ctx context.Context, accountId string) (*types.UserInfo, error)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -17,6 +17,7 @@ import (
|
|||||||
|
|
||||||
nbAccount "github.com/netbirdio/netbird/management/server/account"
|
nbAccount "github.com/netbirdio/netbird/management/server/account"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/util"
|
"github.com/netbirdio/netbird/management/server/util"
|
||||||
|
|
||||||
@ -2815,6 +2816,8 @@ func createManager(t testing.TB) (*DefaultAccountManager, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
|
|
||||||
@ -2828,7 +2831,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, error) {
|
|||||||
Return(false, nil).
|
Return(false, nil).
|
||||||
AnyTimes()
|
AnyTimes()
|
||||||
|
|
||||||
manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -3150,3 +3153,51 @@ func BenchmarkLoginPeer_NewPeer(b *testing.B) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func Test_CreateAccountByPrivateDomain(t *testing.T) {
|
||||||
|
manager, err := createManager(t)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx := context.Background()
|
||||||
|
initiatorId := "test-user"
|
||||||
|
domain := "example.com"
|
||||||
|
|
||||||
|
account, err := manager.CreateAccountByPrivateDomain(ctx, initiatorId, domain)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
assert.False(t, account.IsDomainPrimaryAccount)
|
||||||
|
assert.Equal(t, domain, account.Domain)
|
||||||
|
assert.Equal(t, types.PrivateCategory, account.DomainCategory)
|
||||||
|
assert.Equal(t, initiatorId, account.CreatedBy)
|
||||||
|
assert.Equal(t, 1, len(account.Groups))
|
||||||
|
assert.Equal(t, 0, len(account.Users))
|
||||||
|
assert.Equal(t, 0, len(account.SetupKeys))
|
||||||
|
|
||||||
|
// retry should fail
|
||||||
|
_, err = manager.CreateAccountByPrivateDomain(ctx, initiatorId, domain)
|
||||||
|
assert.Error(t, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_UpdateToPrimaryAccount(t *testing.T) {
|
||||||
|
manager, err := createManager(t)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx := context.Background()
|
||||||
|
initiatorId := "test-user"
|
||||||
|
domain := "example.com"
|
||||||
|
|
||||||
|
account, err := manager.CreateAccountByPrivateDomain(ctx, initiatorId, domain)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.False(t, account.IsDomainPrimaryAccount)
|
||||||
|
|
||||||
|
// retry should fail
|
||||||
|
account, err = manager.UpdateToPrimaryAccount(ctx, account.Id)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.True(t, account.IsDomainPrimaryAccount)
|
||||||
|
}
|
||||||
|
|||||||
@ -67,8 +67,8 @@ func (am *DefaultAccountManager) GetDNSSettings(ctx context.Context, accountID s
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -89,8 +89,8 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !user.HasAdminPower() {
|
||||||
|
|||||||
@ -13,6 +13,7 @@ import (
|
|||||||
|
|
||||||
nbdns "github.com/netbirdio/netbird/dns"
|
nbdns "github.com/netbirdio/netbird/dns"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -210,13 +211,14 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {
|
|||||||
|
|
||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
|
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
|
|
||||||
return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
}
|
}
|
||||||
|
|
||||||
func createDNSStore(t *testing.T) (store.Store, error) {
|
func createDNSStore(t *testing.T) (store.Store, error) {
|
||||||
|
|||||||
@ -10,6 +10,8 @@ import (
|
|||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/status"
|
"github.com/netbirdio/netbird/management/server/status"
|
||||||
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
|
"github.com/netbirdio/netbird/management/server/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
func isEnabled() bool {
|
func isEnabled() bool {
|
||||||
@ -19,16 +21,12 @@ func isEnabled() bool {
|
|||||||
|
|
||||||
// GetEvents returns a list of activity events of an account
|
// GetEvents returns a list of activity events of an account
|
||||||
func (am *DefaultAccountManager) GetEvents(ctx context.Context, accountID, userID string) ([]*activity.Event, error) {
|
func (am *DefaultAccountManager) GetEvents(ctx context.Context, accountID, userID string) ([]*activity.Event, error) {
|
||||||
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthShare, userID)
|
||||||
defer unlock()
|
|
||||||
|
|
||||||
account, err := am.Store.GetAccount(ctx, accountID)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := account.FindUser(userID)
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -58,6 +56,11 @@ func (am *DefaultAccountManager) GetEvents(ctx context.Context, accountID, userI
|
|||||||
filtered = append(filtered, event)
|
filtered = append(filtered, event)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = am.fillEventsWithUserInfo(ctx, events, accountID, user)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
return filtered, nil
|
return filtered, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -79,3 +82,156 @@ func (am *DefaultAccountManager) StoreEvent(ctx context.Context, initiatorID, ta
|
|||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type eventUserInfo struct {
|
||||||
|
email string
|
||||||
|
name string
|
||||||
|
accountId string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (am *DefaultAccountManager) fillEventsWithUserInfo(ctx context.Context, events []*activity.Event, accountId string, user *types.User) error {
|
||||||
|
eventUserInfo, err := am.getEventsUserInfo(ctx, events, accountId, user)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, event := range events {
|
||||||
|
if !fillEventInitiatorInfo(eventUserInfo, event) {
|
||||||
|
log.WithContext(ctx).Warnf("failed to resolve user info for initiator: %s", event.InitiatorID)
|
||||||
|
}
|
||||||
|
|
||||||
|
fillEventTargetInfo(eventUserInfo, event)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (am *DefaultAccountManager) getEventsUserInfo(ctx context.Context, events []*activity.Event, accountId string, user *types.User) (map[string]eventUserInfo, error) {
|
||||||
|
accountUsers, err := am.Store.GetAccountUsers(ctx, store.LockingStrengthShare, accountId)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// @note check whether using a external initiator user here is an issue
|
||||||
|
userInfos, err := am.BuildUserInfosForAccount(ctx, accountId, user.Id, accountUsers)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
eventUserInfos := make(map[string]eventUserInfo)
|
||||||
|
for i, k := range userInfos {
|
||||||
|
eventUserInfos[i] = eventUserInfo{
|
||||||
|
email: k.Email,
|
||||||
|
name: k.Name,
|
||||||
|
accountId: accountId,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
externalUserIds := []string{}
|
||||||
|
for _, event := range events {
|
||||||
|
if _, ok := eventUserInfos[event.InitiatorID]; ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if event.InitiatorID == activity.SystemInitiator ||
|
||||||
|
event.InitiatorID == accountId ||
|
||||||
|
event.Activity == activity.PeerAddedWithSetupKey {
|
||||||
|
// @todo other events to be excluded if never initiated by a user
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
externalUserIds = append(externalUserIds, event.InitiatorID)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(externalUserIds) == 0 {
|
||||||
|
return eventUserInfos, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return am.getEventsExternalUserInfo(ctx, externalUserIds, eventUserInfos, user)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (am *DefaultAccountManager) getEventsExternalUserInfo(ctx context.Context, externalUserIds []string, eventUserInfos map[string]eventUserInfo, user *types.User) (map[string]eventUserInfo, error) {
|
||||||
|
externalAccountId := ""
|
||||||
|
fetched := make(map[string]struct{})
|
||||||
|
externalUsers := []*types.User{}
|
||||||
|
for _, id := range externalUserIds {
|
||||||
|
if _, ok := fetched[id]; ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
externalUser, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthShare, id)
|
||||||
|
if err != nil {
|
||||||
|
// @todo consider logging
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if externalAccountId != "" && externalAccountId != externalUser.AccountID {
|
||||||
|
return nil, fmt.Errorf("multiple external user accounts in events")
|
||||||
|
}
|
||||||
|
|
||||||
|
if externalAccountId == "" {
|
||||||
|
externalAccountId = externalUser.AccountID
|
||||||
|
}
|
||||||
|
|
||||||
|
fetched[id] = struct{}{}
|
||||||
|
externalUsers = append(externalUsers, externalUser)
|
||||||
|
}
|
||||||
|
|
||||||
|
// if we couldn't determine an account, return what we have
|
||||||
|
if externalAccountId == "" {
|
||||||
|
log.WithContext(ctx).Warnf("failed to determine external user account from users: %v", externalUserIds)
|
||||||
|
return eventUserInfos, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
externalUserInfos, err := am.BuildUserInfosForAccount(ctx, externalAccountId, user.Id, externalUsers)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
for i, k := range externalUserInfos {
|
||||||
|
eventUserInfos[i] = eventUserInfo{
|
||||||
|
email: k.Email,
|
||||||
|
name: k.Name,
|
||||||
|
accountId: externalAccountId,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return eventUserInfos, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func fillEventTargetInfo(eventUserInfo map[string]eventUserInfo, event *activity.Event) {
|
||||||
|
userInfo, ok := eventUserInfo[event.TargetID]
|
||||||
|
if !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if event.Meta == nil {
|
||||||
|
event.Meta = make(map[string]any)
|
||||||
|
}
|
||||||
|
|
||||||
|
event.Meta["email"] = userInfo.email
|
||||||
|
event.Meta["username"] = userInfo.name
|
||||||
|
}
|
||||||
|
|
||||||
|
func fillEventInitiatorInfo(eventUserInfo map[string]eventUserInfo, event *activity.Event) bool {
|
||||||
|
userInfo, ok := eventUserInfo[event.InitiatorID]
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if event.InitiatorEmail == "" {
|
||||||
|
event.InitiatorEmail = userInfo.email
|
||||||
|
}
|
||||||
|
|
||||||
|
if event.InitiatorName == "" {
|
||||||
|
event.InitiatorName = userInfo.name
|
||||||
|
}
|
||||||
|
|
||||||
|
if event.AccountID != userInfo.accountId {
|
||||||
|
if event.Meta == nil {
|
||||||
|
event.Meta = make(map[string]any)
|
||||||
|
}
|
||||||
|
|
||||||
|
event.Meta["external"] = true
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|||||||
@ -35,8 +35,8 @@ func (am *DefaultAccountManager) CheckGroupPermissions(ctx context.Context, acco
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -83,8 +83,8 @@ func (am *DefaultAccountManager) SaveGroups(ctx context.Context, accountID, user
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -215,8 +215,8 @@ func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, us
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
|
|||||||
@ -11,7 +11,6 @@ import (
|
|||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
"github.com/netbirdio/management-integrations/integrations"
|
|
||||||
nbdns "github.com/netbirdio/netbird/dns"
|
nbdns "github.com/netbirdio/netbird/dns"
|
||||||
"github.com/netbirdio/netbird/management/server/groups"
|
"github.com/netbirdio/netbird/management/server/groups"
|
||||||
"github.com/netbirdio/netbird/management/server/networks"
|
"github.com/netbirdio/netbird/management/server/networks"
|
||||||
@ -20,10 +19,8 @@ import (
|
|||||||
routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
|
routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
|
||||||
networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
|
networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
|
||||||
"github.com/netbirdio/netbird/management/server/permissions"
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
|
||||||
"github.com/netbirdio/netbird/management/server/status"
|
"github.com/netbirdio/netbird/management/server/status"
|
||||||
"github.com/netbirdio/netbird/management/server/types"
|
"github.com/netbirdio/netbird/management/server/types"
|
||||||
"github.com/netbirdio/netbird/management/server/users"
|
|
||||||
"github.com/netbirdio/netbird/route"
|
"github.com/netbirdio/netbird/route"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -691,10 +688,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
|
|||||||
|
|
||||||
// Saving a group linked to network router should update account peers and send peer update
|
// Saving a group linked to network router should update account peers and send peer update
|
||||||
t.Run("saving group linked to network router", func(t *testing.T) {
|
t.Run("saving group linked to network router", func(t *testing.T) {
|
||||||
userManager := users.NewManager(manager.Store)
|
permissionsManager := permissions.NewManager(manager.Store)
|
||||||
extraSettingsManager := integrations.NewManager(nil)
|
|
||||||
settingsManager := settings.NewManager(manager.Store, userManager, extraSettingsManager)
|
|
||||||
permissionsManager := permissions.NewManager(userManager, settingsManager)
|
|
||||||
groupsManager := groups.NewManager(manager.Store, permissionsManager, manager)
|
groupsManager := groups.NewManager(manager.Store, permissionsManager, manager)
|
||||||
resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager)
|
resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager)
|
||||||
routersManager := routers.NewManager(manager.Store, permissionsManager, manager)
|
routersManager := routers.NewManager(manager.Store, permissionsManager, manager)
|
||||||
|
|||||||
@ -1,7 +1,6 @@
|
|||||||
package events
|
package events
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
@ -47,66 +46,15 @@ func (h *handler) getAllEvents(w http.ResponseWriter, r *http.Request) {
|
|||||||
util.WriteError(r.Context(), err, w)
|
util.WriteError(r.Context(), err, w)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
events := make([]*api.Event, len(accountEvents))
|
events := make([]*api.Event, len(accountEvents))
|
||||||
for i, e := range accountEvents {
|
for i, e := range accountEvents {
|
||||||
events[i] = toEventResponse(e)
|
events[i] = toEventResponse(e)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = h.fillEventsWithUserInfo(r.Context(), events, accountID, userID)
|
|
||||||
if err != nil {
|
|
||||||
util.WriteError(r.Context(), err, w)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
util.WriteJSONObject(r.Context(), w, events)
|
util.WriteJSONObject(r.Context(), w, events)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *handler) fillEventsWithUserInfo(ctx context.Context, events []*api.Event, accountId, userId string) error {
|
|
||||||
// build email, name maps based on users
|
|
||||||
userInfos, err := h.accountManager.GetUsersFromAccount(ctx, accountId, userId)
|
|
||||||
if err != nil {
|
|
||||||
log.WithContext(ctx).Errorf("failed to get users from account: %s", err)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
emails := make(map[string]string)
|
|
||||||
names := make(map[string]string)
|
|
||||||
for _, ui := range userInfos {
|
|
||||||
emails[ui.ID] = ui.Email
|
|
||||||
names[ui.ID] = ui.Name
|
|
||||||
}
|
|
||||||
|
|
||||||
var ok bool
|
|
||||||
for _, event := range events {
|
|
||||||
// fill initiator
|
|
||||||
if event.InitiatorEmail == "" {
|
|
||||||
event.InitiatorEmail, ok = emails[event.InitiatorId]
|
|
||||||
if !ok {
|
|
||||||
log.WithContext(ctx).Warnf("failed to resolve email for initiator: %s", event.InitiatorId)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if event.InitiatorName == "" {
|
|
||||||
// here to allowed to be empty because in the first release we did not store the name
|
|
||||||
event.InitiatorName = names[event.InitiatorId]
|
|
||||||
}
|
|
||||||
|
|
||||||
// fill target meta
|
|
||||||
email, ok := emails[event.TargetId]
|
|
||||||
if !ok {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
event.Meta["email"] = email
|
|
||||||
|
|
||||||
username, ok := names[event.TargetId]
|
|
||||||
if !ok {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
event.Meta["username"] = username
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func toEventResponse(event *activity.Event) *api.Event {
|
func toEventResponse(event *activity.Event) *api.Event {
|
||||||
meta := make(map[string]string)
|
meta := make(map[string]string)
|
||||||
if event.Meta != nil {
|
if event.Meta != nil {
|
||||||
|
|||||||
@ -250,7 +250,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := account.FindUser(userID)
|
user, err := h.accountManager.GetUserByID(r.Context(), userID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
util.WriteError(r.Context(), err, w)
|
util.WriteError(r.Context(), err, w)
|
||||||
return
|
return
|
||||||
@ -258,7 +258,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
|
|||||||
|
|
||||||
// If the user is regular user and does not own the peer
|
// If the user is regular user and does not own the peer
|
||||||
// with the given peerID return an empty list
|
// with the given peerID return an empty list
|
||||||
if !user.HasAdminPower() && !user.IsServiceUser {
|
if !user.HasAdminPower() && !user.IsServiceUser && !userAuth.IsChild {
|
||||||
peer, ok := account.Peers[peerID]
|
peer, ok := account.Peers[peerID]
|
||||||
if !ok {
|
if !ok {
|
||||||
util.WriteError(r.Context(), status.Errorf(status.NotFound, "peer not found"), w)
|
util.WriteError(r.Context(), status.Errorf(status.NotFound, "peer not found"), w)
|
||||||
|
|||||||
@ -122,6 +122,18 @@ func initTestMetaData(peers ...*nbpeer.Peer) *Handler {
|
|||||||
}
|
}
|
||||||
return p, nil
|
return p, nil
|
||||||
},
|
},
|
||||||
|
GetUserByIDFunc: func(ctx context.Context, id string) (*types.User, error) {
|
||||||
|
switch id {
|
||||||
|
case adminUser:
|
||||||
|
return account.Users[adminUser], nil
|
||||||
|
case regularUser:
|
||||||
|
return account.Users[regularUser], nil
|
||||||
|
case serviceUser:
|
||||||
|
return account.Users[serviceUser], nil
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("user not found")
|
||||||
|
}
|
||||||
|
},
|
||||||
GetPeersFunc: func(_ context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
|
GetPeersFunc: func(_ context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
|
||||||
return peers, nil
|
return peers, nil
|
||||||
},
|
},
|
||||||
|
|||||||
@ -301,7 +301,7 @@ func (h *handler) getRoute(w http.ResponseWriter, r *http.Request) {
|
|||||||
|
|
||||||
foundRoute, err := h.accountManager.GetRoute(r.Context(), accountID, route.ID(routeID), userID)
|
foundRoute, err := h.accountManager.GetRoute(r.Context(), accountID, route.ID(routeID), userID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
util.WriteError(r.Context(), status.Errorf(status.NotFound, "route not found"), w)
|
util.WriteError(r.Context(), err, w)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -16,19 +16,18 @@ import (
|
|||||||
|
|
||||||
"github.com/golang-jwt/jwt"
|
"github.com/golang-jwt/jwt"
|
||||||
|
|
||||||
"github.com/netbirdio/management-integrations/integrations"
|
|
||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/account"
|
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
|
||||||
"github.com/netbirdio/netbird/management/server/users"
|
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
||||||
|
|
||||||
|
"github.com/netbirdio/management-integrations/integrations"
|
||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/peers"
|
"github.com/netbirdio/netbird/management/server/peers"
|
||||||
"github.com/netbirdio/netbird/management/server/permissions"
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
|
"github.com/netbirdio/netbird/management/server/users"
|
||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server"
|
"github.com/netbirdio/netbird/management/server"
|
||||||
|
"github.com/netbirdio/netbird/management/server/account"
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/auth"
|
"github.com/netbirdio/netbird/management/server/auth"
|
||||||
nbcontext "github.com/netbirdio/netbird/management/server/context"
|
nbcontext "github.com/netbirdio/netbird/management/server/context"
|
||||||
@ -124,8 +123,9 @@ func BuildApiBlackBoxWithDBState(t TB, sqlFile string, expectedPeerUpdate *serve
|
|||||||
validatorMock := server.MocIntegratedValidator{}
|
validatorMock := server.MocIntegratedValidator{}
|
||||||
proxyController := integrations.NewController(store)
|
proxyController := integrations.NewController(store)
|
||||||
userManager := users.NewManager(store)
|
userManager := users.NewManager(store)
|
||||||
settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}))
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
am, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager)
|
settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}), permissionsManagerMock)
|
||||||
|
am, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManagerMock)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Failed to create manager: %v", err)
|
t.Fatalf("Failed to create manager: %v", err)
|
||||||
}
|
}
|
||||||
@ -143,7 +143,6 @@ func BuildApiBlackBoxWithDBState(t TB, sqlFile string, expectedPeerUpdate *serve
|
|||||||
resourcesManagerMock := resources.NewManagerMock()
|
resourcesManagerMock := resources.NewManagerMock()
|
||||||
routersManagerMock := routers.NewManagerMock()
|
routersManagerMock := routers.NewManagerMock()
|
||||||
groupsManagerMock := groups.NewManagerMock()
|
groupsManagerMock := groups.NewManagerMock()
|
||||||
permissionsManagerMock := permissions.NewManagerMock()
|
|
||||||
peersManager := peers.NewManager(store, permissionsManagerMock)
|
peersManager := peers.NewManager(store, permissionsManagerMock)
|
||||||
|
|
||||||
apiHandler, err := nbhttp.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManagerMock, peersManager, settingsManager)
|
apiHandler, err := nbhttp.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManagerMock, peersManager, settingsManager)
|
||||||
|
|||||||
@ -25,6 +25,7 @@ import (
|
|||||||
mgmtProto "github.com/netbirdio/netbird/management/proto"
|
mgmtProto "github.com/netbirdio/netbird/management/proto"
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -431,6 +432,8 @@ func startManagementForTest(t *testing.T, testFile string, config *types.Config)
|
|||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
@ -441,7 +444,7 @@ func startManagementForTest(t *testing.T, testFile string, config *types.Config)
|
|||||||
Return(&types.Settings{}, nil)
|
Return(&types.Settings{}, nil)
|
||||||
|
|
||||||
accountManager, err := BuildManager(ctx, store, peersUpdateManager, nil, "", "netbird.selfhosted",
|
accountManager, err := BuildManager(ctx, store, peersUpdateManager, nil, "", "netbird.selfhosted",
|
||||||
eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
cleanup()
|
cleanup()
|
||||||
|
|||||||
@ -24,6 +24,7 @@ import (
|
|||||||
"github.com/netbirdio/netbird/management/server"
|
"github.com/netbirdio/netbird/management/server"
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -194,6 +195,7 @@ func startServer(
|
|||||||
Return(&types.Settings{}, nil).
|
Return(&types.Settings{}, nil).
|
||||||
AnyTimes()
|
AnyTimes()
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
accountManager, err := server.BuildManager(
|
accountManager, err := server.BuildManager(
|
||||||
context.Background(),
|
context.Background(),
|
||||||
str,
|
str,
|
||||||
@ -208,6 +210,7 @@ func startServer(
|
|||||||
metrics,
|
metrics,
|
||||||
port_forwarding.NewControllerMock(),
|
port_forwarding.NewControllerMock(),
|
||||||
settingsMockManager,
|
settingsMockManager,
|
||||||
|
permissionsManagerMock,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("failed creating an account manager: %v", err)
|
t.Fatalf("failed creating an account manager: %v", err)
|
||||||
|
|||||||
@ -112,6 +112,9 @@ type MockAccountManager struct {
|
|||||||
DeleteSetupKeyFunc func(ctx context.Context, accountID, userID, keyID string) error
|
DeleteSetupKeyFunc func(ctx context.Context, accountID, userID, keyID string) error
|
||||||
BuildUserInfosForAccountFunc func(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
|
BuildUserInfosForAccountFunc func(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
|
||||||
GetStoreFunc func() store.Store
|
GetStoreFunc func() store.Store
|
||||||
|
CreateAccountByPrivateDomainFunc func(ctx context.Context, initiatorId, domain string) (*types.Account, error)
|
||||||
|
UpdateToPrimaryAccountFunc func(ctx context.Context, accountId string) (*types.Account, error)
|
||||||
|
GetOwnerInfoFunc func(ctx context.Context, accountID string) (*types.UserInfo, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (am *MockAccountManager) UpdateAccountPeers(ctx context.Context, accountID string) {
|
func (am *MockAccountManager) UpdateAccountPeers(ctx context.Context, accountID string) {
|
||||||
@ -847,3 +850,24 @@ func (am *MockAccountManager) GetStore() store.Store {
|
|||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (am *MockAccountManager) CreateAccountByPrivateDomain(ctx context.Context, initiatorId, domain string) (*types.Account, error) {
|
||||||
|
if am.CreateAccountByPrivateDomainFunc != nil {
|
||||||
|
return am.CreateAccountByPrivateDomainFunc(ctx, initiatorId, domain)
|
||||||
|
}
|
||||||
|
return nil, status.Errorf(codes.Unimplemented, "method CreateAccountByPrivateDomain is not implemented")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (am *MockAccountManager) UpdateToPrimaryAccount(ctx context.Context, accountId string) (*types.Account, error) {
|
||||||
|
if am.UpdateToPrimaryAccountFunc != nil {
|
||||||
|
return am.UpdateToPrimaryAccountFunc(ctx, accountId)
|
||||||
|
}
|
||||||
|
return nil, status.Errorf(codes.Unimplemented, "method UpdateToPrimaryAccount is not implemented")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (am *MockAccountManager) GetOwnerInfo(ctx context.Context, accountId string) (*types.UserInfo, error) {
|
||||||
|
if am.GetOwnerInfoFunc != nil {
|
||||||
|
return am.GetOwnerInfoFunc(ctx, accountId)
|
||||||
|
}
|
||||||
|
return nil, status.Errorf(codes.Unimplemented, "method GetOwnerInfo is not implemented")
|
||||||
|
}
|
||||||
|
|||||||
@ -25,8 +25,8 @@ func (am *DefaultAccountManager) GetNameServerGroup(ctx context.Context, account
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -46,8 +46,8 @@ func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, acco
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
newNSGroup := &nbdns.NameServerGroup{
|
newNSGroup := &nbdns.NameServerGroup{
|
||||||
@ -108,8 +108,8 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
var updateAccountPeers bool
|
var updateAccountPeers bool
|
||||||
@ -159,8 +159,8 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
var nsGroup *nbdns.NameServerGroup
|
var nsGroup *nbdns.NameServerGroup
|
||||||
@ -203,8 +203,8 @@ func (am *DefaultAccountManager) ListNameServerGroups(ctx context.Context, accou
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
|
|||||||
@ -14,6 +14,7 @@ import (
|
|||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -774,11 +775,12 @@ func createNSManager(t *testing.T) (*DefaultAccountManager, error) {
|
|||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
|
|
||||||
return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
}
|
}
|
||||||
|
|
||||||
func createNSStore(t *testing.T) (store.Store, error) {
|
func createNSStore(t *testing.T) (store.Store, error) {
|
||||||
|
|||||||
@ -37,8 +37,8 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthShare, accountID)
|
settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthShare, accountID)
|
||||||
@ -188,8 +188,8 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
var peer *nbpeer.Peer
|
var peer *nbpeer.Peer
|
||||||
@ -321,8 +321,8 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -621,7 +621,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, setupKey, userID s
|
|||||||
if addedByUser {
|
if addedByUser {
|
||||||
err := transaction.SaveUserLastLogin(ctx, accountID, userID, newPeer.GetLastLogin())
|
err := transaction.SaveUserLastLogin(ctx, accountID, userID, newPeer.GetLastLogin())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to update user last login: %w", err)
|
log.WithContext(ctx).Debugf("failed to update user last login: %v", err)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
err = transaction.IncrementSetupKeyUsage(ctx, setupKeyID)
|
err = transaction.IncrementSetupKeyUsage(ctx, setupKeyID)
|
||||||
@ -1054,7 +1054,7 @@ func (am *DefaultAccountManager) handleExpiredPeer(ctx context.Context, transact
|
|||||||
|
|
||||||
err = transaction.SaveUserLastLogin(ctx, user.AccountID, user.Id, peer.GetLastLogin())
|
err = transaction.SaveUserLastLogin(ctx, user.AccountID, user.Id, peer.GetLastLogin())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
log.WithContext(ctx).Debugf("failed to update user last login: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
am.StoreEvent(ctx, user.Id, peer.ID, user.AccountID, activity.UserLoggedInPeer, peer.EventMeta(am.GetDNSDomain()))
|
am.StoreEvent(ctx, user.Id, peer.ID, user.AccountID, activity.UserLoggedInPeer, peer.EventMeta(am.GetDNSDomain()))
|
||||||
@ -1099,8 +1099,8 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthShare, accountID)
|
settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthShare, accountID)
|
||||||
|
|||||||
@ -20,9 +20,10 @@ import (
|
|||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
||||||
|
|
||||||
|
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
|
|
||||||
"github.com/netbirdio/netbird/management/server/util"
|
"github.com/netbirdio/netbird/management/server/util"
|
||||||
|
|
||||||
resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
|
resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
|
||||||
@ -1264,7 +1265,8 @@ func Test_RegisterPeerByUser(t *testing.T) {
|
|||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
|
|
||||||
am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
|
existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
|
||||||
@ -1332,7 +1334,8 @@ func Test_RegisterPeerBySetupKey(t *testing.T) {
|
|||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
|
|
||||||
am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
|
existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
|
||||||
@ -1403,7 +1406,8 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {
|
|||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
settingsMockManager := settings.NewMockManager(ctrl)
|
settingsMockManager := settings.NewMockManager(ctrl)
|
||||||
|
|
||||||
am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
|
existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
|
||||||
|
|||||||
@ -5,10 +5,9 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/status"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/types"
|
"github.com/netbirdio/netbird/management/server/types"
|
||||||
"github.com/netbirdio/netbird/management/server/users"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type Module string
|
type Module string
|
||||||
@ -17,6 +16,8 @@ const (
|
|||||||
Networks Module = "networks"
|
Networks Module = "networks"
|
||||||
Peers Module = "peers"
|
Peers Module = "peers"
|
||||||
Groups Module = "groups"
|
Groups Module = "groups"
|
||||||
|
Settings Module = "settings"
|
||||||
|
Accounts Module = "accounts"
|
||||||
)
|
)
|
||||||
|
|
||||||
type Operation string
|
type Operation string
|
||||||
@ -28,42 +29,50 @@ const (
|
|||||||
|
|
||||||
type Manager interface {
|
type Manager interface {
|
||||||
ValidateUserPermissions(ctx context.Context, accountID, userID string, module Module, operation Operation) (bool, error)
|
ValidateUserPermissions(ctx context.Context, accountID, userID string, module Module, operation Operation) (bool, error)
|
||||||
|
ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) error
|
||||||
}
|
}
|
||||||
|
|
||||||
type managerImpl struct {
|
type managerImpl struct {
|
||||||
userManager users.Manager
|
store store.Store
|
||||||
settingsManager settings.Manager
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type managerMock struct {
|
type managerMock struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewManager(userManager users.Manager, settingsManager settings.Manager) Manager {
|
func NewManager(store store.Store) Manager {
|
||||||
return &managerImpl{
|
return &managerImpl{
|
||||||
userManager: userManager,
|
store: store,
|
||||||
settingsManager: settingsManager,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *managerImpl) ValidateUserPermissions(ctx context.Context, accountID, userID string, module Module, operation Operation) (bool, error) {
|
func (m *managerImpl) ValidateUserPermissions(ctx context.Context, accountID, userID string, module Module, operation Operation) (bool, error) {
|
||||||
user, err := m.userManager.GetUser(ctx, userID)
|
user, err := m.store.GetUserByUserID(ctx, store.LockingStrengthShare, userID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user == nil {
|
if user == nil {
|
||||||
return false, errors.New("user not found")
|
return false, status.NewUserNotFoundError(userID)
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := m.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return false, errors.New("user does not belong to account")
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch module {
|
||||||
|
case Accounts:
|
||||||
|
if operation == Write && user.Role != types.UserRoleOwner {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
default:
|
||||||
}
|
}
|
||||||
|
|
||||||
switch user.Role {
|
switch user.Role {
|
||||||
case types.UserRoleAdmin, types.UserRoleOwner:
|
case types.UserRoleAdmin, types.UserRoleOwner:
|
||||||
return true, nil
|
return true, nil
|
||||||
case types.UserRoleUser:
|
case types.UserRoleUser:
|
||||||
return m.validateRegularUserPermissions(ctx, accountID, userID, module, operation)
|
return m.validateRegularUserPermissions(ctx, accountID, module, operation)
|
||||||
case types.UserRoleBillingAdmin:
|
case types.UserRoleBillingAdmin:
|
||||||
return false, nil
|
return false, nil
|
||||||
default:
|
default:
|
||||||
@ -71,8 +80,8 @@ func (m *managerImpl) ValidateUserPermissions(ctx context.Context, accountID, us
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *managerImpl) validateRegularUserPermissions(ctx context.Context, accountID, userID string, module Module, operation Operation) (bool, error) {
|
func (m *managerImpl) validateRegularUserPermissions(ctx context.Context, accountID string, module Module, operation Operation) (bool, error) {
|
||||||
settings, err := m.settingsManager.GetSettings(ctx, accountID, activity.SystemInitiator)
|
settings, err := m.store.GetAccountSettings(ctx, store.LockingStrengthShare, accountID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, fmt.Errorf("failed to get settings: %w", err)
|
return false, fmt.Errorf("failed to get settings: %w", err)
|
||||||
}
|
}
|
||||||
@ -91,13 +100,30 @@ func (m *managerImpl) validateRegularUserPermissions(ctx context.Context, accoun
|
|||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (m *managerImpl) ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) error {
|
||||||
|
if user.AccountID != accountID {
|
||||||
|
return status.NewUserNotPartOfAccountError()
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func NewManagerMock() Manager {
|
func NewManagerMock() Manager {
|
||||||
return &managerMock{}
|
return &managerMock{}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *managerMock) ValidateUserPermissions(ctx context.Context, accountID, userID string, module Module, operation Operation) (bool, error) {
|
func (m *managerMock) ValidateUserPermissions(ctx context.Context, accountID, userID string, module Module, operation Operation) (bool, error) {
|
||||||
if userID == "allowedUser" {
|
switch userID {
|
||||||
|
case "a23efe53-63fb-11ec-90d6-0242ac120003", "allowedUser", "testingUser", "account_creator", "serviceUserID", "test_user":
|
||||||
return true, nil
|
return true, nil
|
||||||
|
default:
|
||||||
|
return false, nil
|
||||||
}
|
}
|
||||||
return false, nil
|
}
|
||||||
|
|
||||||
|
func (m *managerMock) ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) error {
|
||||||
|
// @note managers explicitly checked this, so should the mock
|
||||||
|
if user.AccountID != accountID {
|
||||||
|
return status.NewUserNotPartOfAccountError()
|
||||||
|
}
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|||||||
@ -22,8 +22,8 @@ func (am *DefaultAccountManager) GetPolicy(ctx context.Context, accountID, polic
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -43,8 +43,8 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -100,8 +100,8 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -148,8 +148,8 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
|
|||||||
@ -22,8 +22,8 @@ func (am *DefaultAccountManager) GetPostureChecks(ctx context.Context, accountID
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !user.HasAdminPower() {
|
||||||
@ -43,8 +43,8 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !user.HasAdminPower() {
|
||||||
@ -99,8 +99,8 @@ func (am *DefaultAccountManager) DeletePostureChecks(ctx context.Context, accoun
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !user.HasAdminPower() {
|
||||||
@ -141,8 +141,8 @@ func (am *DefaultAccountManager) ListPostureChecks(ctx context.Context, accountI
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !user.HasAdminPower() {
|
||||||
|
|||||||
@ -25,7 +25,11 @@ func (am *DefaultAccountManager) GetRoute(ctx context.Context, accountID string,
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.IsAdminOrServiceUser() || user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !user.IsAdminOrServiceUser() {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -119,6 +123,15 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
|
|||||||
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
||||||
defer unlock()
|
defer unlock()
|
||||||
|
|
||||||
|
user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthShare, userID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
account, err := am.Store.GetAccount(ctx, accountID)
|
account, err := am.Store.GetAccount(ctx, accountID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -236,6 +249,15 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
|
|||||||
return status.Errorf(status.InvalidArgument, "identifier should be between 1 and %d", route.MaxNetIDChar)
|
return status.Errorf(status.InvalidArgument, "identifier should be between 1 and %d", route.MaxNetIDChar)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthShare, userID)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
account, err := am.Store.GetAccount(ctx, accountID)
|
account, err := am.Store.GetAccount(ctx, accountID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -310,6 +332,15 @@ func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID stri
|
|||||||
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
||||||
defer unlock()
|
defer unlock()
|
||||||
|
|
||||||
|
user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthShare, userID)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
account, err := am.Store.GetAccount(ctx, accountID)
|
account, err := am.Store.GetAccount(ctx, accountID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -342,7 +373,11 @@ func (am *DefaultAccountManager) ListRoutes(ctx context.Context, accountID, user
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.IsAdminOrServiceUser() || user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !user.IsAdminOrServiceUser() {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -21,6 +21,7 @@ import (
|
|||||||
routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
|
routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
|
||||||
networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
|
networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
|
||||||
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/settings"
|
"github.com/netbirdio/netbird/management/server/settings"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/telemetry"
|
"github.com/netbirdio/netbird/management/server/telemetry"
|
||||||
@ -1259,6 +1260,7 @@ func createRouterManager(t *testing.T) (*DefaultAccountManager, error) {
|
|||||||
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
ctrl := gomock.NewController(t)
|
ctrl := gomock.NewController(t)
|
||||||
t.Cleanup(ctrl.Finish)
|
t.Cleanup(ctrl.Finish)
|
||||||
|
|
||||||
@ -1281,7 +1283,7 @@ func createRouterManager(t *testing.T) (*DefaultAccountManager, error) {
|
|||||||
AnyTimes().
|
AnyTimes().
|
||||||
Return(&types.ExtraSettings{}, nil)
|
Return(&types.ExtraSettings{}, nil)
|
||||||
|
|
||||||
return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager)
|
return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
|
||||||
}
|
}
|
||||||
|
|
||||||
func createRouterStore(t *testing.T) (store.Store, error) {
|
func createRouterStore(t *testing.T) (store.Store, error) {
|
||||||
|
|||||||
@ -8,6 +8,7 @@ import (
|
|||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
"github.com/netbirdio/netbird/management/server/integrations/extra_settings"
|
"github.com/netbirdio/netbird/management/server/integrations/extra_settings"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/status"
|
"github.com/netbirdio/netbird/management/server/status"
|
||||||
"github.com/netbirdio/netbird/management/server/store"
|
"github.com/netbirdio/netbird/management/server/store"
|
||||||
"github.com/netbirdio/netbird/management/server/types"
|
"github.com/netbirdio/netbird/management/server/types"
|
||||||
@ -25,13 +26,15 @@ type managerImpl struct {
|
|||||||
store store.Store
|
store store.Store
|
||||||
extraSettingsManager extra_settings.Manager
|
extraSettingsManager extra_settings.Manager
|
||||||
userManager users.Manager
|
userManager users.Manager
|
||||||
|
permissionsManager permissions.Manager
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewManager(store store.Store, userManager users.Manager, extraSettingsManager extra_settings.Manager) Manager {
|
func NewManager(store store.Store, userManager users.Manager, extraSettingsManager extra_settings.Manager, permissionsManager permissions.Manager) Manager {
|
||||||
return &managerImpl{
|
return &managerImpl{
|
||||||
store: store,
|
store: store,
|
||||||
extraSettingsManager: extraSettingsManager,
|
extraSettingsManager: extraSettingsManager,
|
||||||
userManager: userManager,
|
userManager: userManager,
|
||||||
|
permissionsManager: permissionsManager,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -41,13 +44,12 @@ func (m *managerImpl) GetExtraSettingsManager() extra_settings.Manager {
|
|||||||
|
|
||||||
func (m *managerImpl) GetSettings(ctx context.Context, accountID, userID string) (*types.Settings, error) {
|
func (m *managerImpl) GetSettings(ctx context.Context, accountID, userID string) (*types.Settings, error) {
|
||||||
if userID != activity.SystemInitiator {
|
if userID != activity.SystemInitiator {
|
||||||
user, err := m.userManager.GetUser(ctx, userID)
|
ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Settings, permissions.Read)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("get user: %w", err)
|
return nil, status.NewPermissionValidationError(err)
|
||||||
}
|
}
|
||||||
|
if !ok {
|
||||||
if user.AccountID != accountID || (!user.HasAdminPower() && !user.IsServiceUser) {
|
return nil, status.NewPermissionDeniedError()
|
||||||
return nil, status.Errorf(status.PermissionDenied, "the user has no permission to access account data")
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -61,8 +61,8 @@ func (am *DefaultAccountManager) CreateSetupKey(ctx context.Context, accountID s
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -118,8 +118,8 @@ func (am *DefaultAccountManager) SaveSetupKey(ctx context.Context, accountID str
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -180,8 +180,8 @@ func (am *DefaultAccountManager) ListSetupKeys(ctx context.Context, accountID, u
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -198,8 +198,8 @@ func (am *DefaultAccountManager) GetSetupKey(ctx context.Context, accountID, use
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
@ -226,8 +226,8 @@ func (am *DefaultAccountManager) DeleteSetupKey(ctx context.Context, accountID,
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if user.IsRegularUser() {
|
if user.IsRegularUser() {
|
||||||
|
|||||||
@ -183,7 +183,7 @@ func NewPermissionDeniedError() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func NewPermissionValidationError(err error) error {
|
func NewPermissionValidationError(err error) error {
|
||||||
return Errorf(PermissionDenied, "failed to vlidate user permissions: %s", err)
|
return Errorf(PermissionDenied, "failed to validate user permissions: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewResourceNotPartOfNetworkError(resourceID, networkID string) error {
|
func NewResourceNotPartOfNetworkError(resourceID, networkID string) error {
|
||||||
|
|||||||
@ -586,6 +586,19 @@ func (s *SqlStore) GetAccountUsers(ctx context.Context, lockStrength LockingStre
|
|||||||
return users, nil
|
return users, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *SqlStore) GetAccountOwner(ctx context.Context, lockStrength LockingStrength, accountID string) (*types.User, error) {
|
||||||
|
var user types.User
|
||||||
|
result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).First(&user, "account_id = ? AND role = ?", accountID, types.UserRoleOwner)
|
||||||
|
if result.Error != nil {
|
||||||
|
if errors.Is(result.Error, gorm.ErrRecordNotFound) {
|
||||||
|
return nil, status.Errorf(status.NotFound, "account owner not found: index lookup failed")
|
||||||
|
}
|
||||||
|
return nil, status.Errorf(status.Internal, "failed to get account owner from the store")
|
||||||
|
}
|
||||||
|
|
||||||
|
return &user, nil
|
||||||
|
}
|
||||||
|
|
||||||
func (s *SqlStore) GetAccountGroups(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*types.Group, error) {
|
func (s *SqlStore) GetAccountGroups(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*types.Group, error) {
|
||||||
var groups []*types.Group
|
var groups []*types.Group
|
||||||
result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).Find(&groups, accountIDCondition, accountID)
|
result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).Find(&groups, accountIDCondition, accountID)
|
||||||
@ -2194,3 +2207,17 @@ func (s *SqlStore) GetPeerByIP(ctx context.Context, lockStrength LockingStrength
|
|||||||
|
|
||||||
return &peer, nil
|
return &peer, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *SqlStore) CountAccountsByPrivateDomain(ctx context.Context, domain string) (int64, error) {
|
||||||
|
var count int64
|
||||||
|
result := s.db.Model(&types.Account{}).
|
||||||
|
Where("domain = ? AND domain_category = ?",
|
||||||
|
strings.ToLower(domain), types.PrivateCategory,
|
||||||
|
).Count(&count)
|
||||||
|
if result.Error != nil {
|
||||||
|
log.WithContext(ctx).Errorf("failed to count accounts by private domain %s: %s", domain, result.Error)
|
||||||
|
return 0, status.Errorf(status.Internal, "failed to count accounts by private domain")
|
||||||
|
}
|
||||||
|
|
||||||
|
return count, nil
|
||||||
|
}
|
||||||
|
|||||||
@ -69,10 +69,12 @@ type Store interface {
|
|||||||
DeleteAccount(ctx context.Context, account *types.Account) error
|
DeleteAccount(ctx context.Context, account *types.Account) error
|
||||||
UpdateAccountDomainAttributes(ctx context.Context, accountID string, domain string, category string, isPrimaryDomain bool) error
|
UpdateAccountDomainAttributes(ctx context.Context, accountID string, domain string, category string, isPrimaryDomain bool) error
|
||||||
SaveDNSSettings(ctx context.Context, lockStrength LockingStrength, accountID string, settings *types.DNSSettings) error
|
SaveDNSSettings(ctx context.Context, lockStrength LockingStrength, accountID string, settings *types.DNSSettings) error
|
||||||
|
CountAccountsByPrivateDomain(ctx context.Context, domain string) (int64, error)
|
||||||
|
|
||||||
GetUserByPATID(ctx context.Context, lockStrength LockingStrength, patID string) (*types.User, error)
|
GetUserByPATID(ctx context.Context, lockStrength LockingStrength, patID string) (*types.User, error)
|
||||||
GetUserByUserID(ctx context.Context, lockStrength LockingStrength, userID string) (*types.User, error)
|
GetUserByUserID(ctx context.Context, lockStrength LockingStrength, userID string) (*types.User, error)
|
||||||
GetAccountUsers(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*types.User, error)
|
GetAccountUsers(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*types.User, error)
|
||||||
|
GetAccountOwner(ctx context.Context, lockStrength LockingStrength, accountID string) (*types.User, error)
|
||||||
SaveUsers(ctx context.Context, lockStrength LockingStrength, users []*types.User) error
|
SaveUsers(ctx context.Context, lockStrength LockingStrength, users []*types.User) error
|
||||||
SaveUser(ctx context.Context, lockStrength LockingStrength, user *types.User) error
|
SaveUser(ctx context.Context, lockStrength LockingStrength, user *types.User) error
|
||||||
SaveUserLastLogin(ctx context.Context, accountID, userID string, lastLogin time.Time) error
|
SaveUserLastLogin(ctx context.Context, accountID, userID string, lastLogin time.Time) error
|
||||||
|
|||||||
@ -30,8 +30,8 @@ func (am *DefaultAccountManager) createServiceUser(ctx context.Context, accountI
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !initiatorUser.HasAdminPower() {
|
if !initiatorUser.HasAdminPower() {
|
||||||
@ -93,8 +93,8 @@ func (am *DefaultAccountManager) inviteNewUser(ctx context.Context, accountID, u
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
inviterID := userID
|
inviterID := userID
|
||||||
@ -142,12 +142,21 @@ func (am *DefaultAccountManager) inviteNewUser(ctx context.Context, accountID, u
|
|||||||
|
|
||||||
// createNewIdpUser validates the invite and creates a new user in the IdP
|
// createNewIdpUser validates the invite and creates a new user in the IdP
|
||||||
func (am *DefaultAccountManager) createNewIdpUser(ctx context.Context, accountID string, inviterID string, invite *types.UserInfo) (*idp.UserData, error) {
|
func (am *DefaultAccountManager) createNewIdpUser(ctx context.Context, accountID string, inviterID string, invite *types.UserInfo) (*idp.UserData, error) {
|
||||||
|
inviter, err := am.GetUserByID(ctx, inviterID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to get inviter user: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
// inviterUser is the one who is inviting the new user
|
// inviterUser is the one who is inviting the new user
|
||||||
inviterUser, err := am.lookupUserInCache(ctx, inviterID, accountID)
|
inviterUser, err := am.lookupUserInCache(ctx, inviterID, inviter.AccountID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, status.Errorf(status.NotFound, "inviter user with ID %s doesn't exist in IdP", inviterID)
|
return nil, status.Errorf(status.NotFound, "inviter user with ID %s doesn't exist in IdP", inviterID)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if inviterUser == nil {
|
||||||
|
return nil, status.Errorf(status.NotFound, "inviter user with ID %s is empty", inviterID)
|
||||||
|
}
|
||||||
|
|
||||||
// check if the user is already registered with this email => reject
|
// check if the user is already registered with this email => reject
|
||||||
user, err := am.lookupUserInCacheByEmail(ctx, invite.Email, accountID)
|
user, err := am.lookupUserInCacheByEmail(ctx, invite.Email, accountID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -188,7 +197,7 @@ func (am *DefaultAccountManager) GetUserFromUserAuth(ctx context.Context, userAu
|
|||||||
|
|
||||||
err = am.Store.SaveUserLastLogin(ctx, userAuth.AccountId, userAuth.UserId, userAuth.LastLogin)
|
err = am.Store.SaveUserLastLogin(ctx, userAuth.AccountId, userAuth.UserId, userAuth.LastLogin)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.WithContext(ctx).Errorf("failed saving user last login: %v", err)
|
log.WithContext(ctx).Debugf("failed to update user last login: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if newLogin {
|
if newLogin {
|
||||||
@ -228,8 +237,8 @@ func (am *DefaultAccountManager) DeleteUser(ctx context.Context, accountID, init
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !initiatorUser.HasAdminPower() {
|
if !initiatorUser.HasAdminPower() {
|
||||||
@ -290,8 +299,8 @@ func (am *DefaultAccountManager) InviteUser(ctx context.Context, accountID strin
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// check if the user is already registered with this ID
|
// check if the user is already registered with this ID
|
||||||
@ -338,8 +347,8 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
targetUser, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthShare, targetUserID)
|
targetUser, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthShare, targetUserID)
|
||||||
@ -376,8 +385,8 @@ func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return status.NewUserNotPartOfAccountError()
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
|
if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
|
||||||
@ -411,8 +420,8 @@ func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, i
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
|
if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
|
||||||
@ -429,8 +438,8 @@ func (am *DefaultAccountManager) GetAllPATs(ctx context.Context, accountID strin
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
|
if initiatorUserID != targetUserID && initiatorUser.IsRegularUser() {
|
||||||
@ -476,8 +485,8 @@ func (am *DefaultAccountManager) SaveOrAddUsers(ctx context.Context, accountID,
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !initiatorUser.HasAdminPower() || initiatorUser.IsBlocked() {
|
if !initiatorUser.HasAdminPower() || initiatorUser.IsBlocked() {
|
||||||
@ -511,7 +520,7 @@ func (am *DefaultAccountManager) SaveOrAddUsers(ctx context.Context, accountID,
|
|||||||
}
|
}
|
||||||
|
|
||||||
userHadPeers, updatedUser, userPeersToExpire, userEvents, err := am.processUserUpdate(
|
userHadPeers, updatedUser, userPeersToExpire, userEvents, err := am.processUserUpdate(
|
||||||
ctx, transaction, groupsMap, initiatorUser, update, addIfNotExists, settings,
|
ctx, transaction, groupsMap, accountID, initiatorUser, update, addIfNotExists, settings,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to process user update: %w", err)
|
return fmt.Errorf("failed to process user update: %w", err)
|
||||||
@ -597,13 +606,13 @@ func (am *DefaultAccountManager) prepareUserUpdateEvents(ctx context.Context, ac
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transaction store.Store, groupsMap map[string]*types.Group,
|
func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transaction store.Store, groupsMap map[string]*types.Group,
|
||||||
initiatorUser, update *types.User, addIfNotExists bool, settings *types.Settings) (bool, *types.User, []*nbpeer.Peer, []func(), error) {
|
accountID string, initiatorUser, update *types.User, addIfNotExists bool, settings *types.Settings) (bool, *types.User, []*nbpeer.Peer, []func(), error) {
|
||||||
|
|
||||||
if update == nil {
|
if update == nil {
|
||||||
return false, nil, nil, nil, status.Errorf(status.InvalidArgument, "provided user update is nil")
|
return false, nil, nil, nil, status.Errorf(status.InvalidArgument, "provided user update is nil")
|
||||||
}
|
}
|
||||||
|
|
||||||
oldUser, err := getUserOrCreateIfNotExists(ctx, transaction, update, addIfNotExists)
|
oldUser, err := getUserOrCreateIfNotExists(ctx, transaction, accountID, update, addIfNotExists)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, nil, nil, nil, err
|
return false, nil, nil, nil, err
|
||||||
}
|
}
|
||||||
@ -614,7 +623,6 @@ func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transact
|
|||||||
|
|
||||||
// only auto groups, revoked status, and integration reference can be updated for now
|
// only auto groups, revoked status, and integration reference can be updated for now
|
||||||
updatedUser := oldUser.Copy()
|
updatedUser := oldUser.Copy()
|
||||||
updatedUser.AccountID = initiatorUser.AccountID
|
|
||||||
updatedUser.Role = update.Role
|
updatedUser.Role = update.Role
|
||||||
updatedUser.Blocked = update.Blocked
|
updatedUser.Blocked = update.Blocked
|
||||||
updatedUser.AutoGroups = update.AutoGroups
|
updatedUser.AutoGroups = update.AutoGroups
|
||||||
@ -657,17 +665,23 @@ func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transact
|
|||||||
}
|
}
|
||||||
|
|
||||||
// getUserOrCreateIfNotExists retrieves the existing user or creates a new one if it doesn't exist.
|
// getUserOrCreateIfNotExists retrieves the existing user or creates a new one if it doesn't exist.
|
||||||
func getUserOrCreateIfNotExists(ctx context.Context, transaction store.Store, update *types.User, addIfNotExists bool) (*types.User, error) {
|
func getUserOrCreateIfNotExists(ctx context.Context, transaction store.Store, accountID string, update *types.User, addIfNotExists bool) (*types.User, error) {
|
||||||
existingUser, err := transaction.GetUserByUserID(ctx, store.LockingStrengthShare, update.Id)
|
existingUser, err := transaction.GetUserByUserID(ctx, store.LockingStrengthShare, update.Id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
|
if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
|
||||||
if !addIfNotExists {
|
if !addIfNotExists {
|
||||||
return nil, status.Errorf(status.NotFound, "user to update doesn't exist: %s", update.Id)
|
return nil, status.Errorf(status.NotFound, "user to update doesn't exist: %s", update.Id)
|
||||||
}
|
}
|
||||||
|
update.AccountID = accountID
|
||||||
return update, nil // use all fields from update if addIfNotExists is true
|
return update, nil // use all fields from update if addIfNotExists is true
|
||||||
}
|
}
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if existingUser.AccountID != accountID {
|
||||||
|
return nil, status.Errorf(status.InvalidArgument, "user account ID mismatch")
|
||||||
|
}
|
||||||
|
|
||||||
return existingUser, nil
|
return existingUser, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -705,6 +719,7 @@ func (am *DefaultAccountManager) getUserInfo(ctx context.Context, user *types.Us
|
|||||||
|
|
||||||
// validateUserUpdate validates the update operation for a user.
|
// validateUserUpdate validates the update operation for a user.
|
||||||
func validateUserUpdate(groupsMap map[string]*types.Group, initiatorUser, oldUser, update *types.User) error {
|
func validateUserUpdate(groupsMap map[string]*types.Group, initiatorUser, oldUser, update *types.User) error {
|
||||||
|
// @todo double check these
|
||||||
if initiatorUser.HasAdminPower() && initiatorUser.Id == update.Id && oldUser.Blocked != update.Blocked {
|
if initiatorUser.HasAdminPower() && initiatorUser.Id == update.Id && oldUser.Blocked != update.Blocked {
|
||||||
return status.Errorf(status.PermissionDenied, "admins can't block or unblock themselves")
|
return status.Errorf(status.PermissionDenied, "admins can't block or unblock themselves")
|
||||||
}
|
}
|
||||||
@ -790,8 +805,8 @@ func (am *DefaultAccountManager) GetUsersFromAccount(ctx context.Context, accoun
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if initiatorUser.AccountID != accountID {
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
return nil, status.NewUserNotPartOfAccountError()
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return am.BuildUserInfosForAccount(ctx, accountID, initiatorUserID, accountUsers)
|
return am.BuildUserInfosForAccount(ctx, accountID, initiatorUserID, accountUsers)
|
||||||
@ -967,6 +982,10 @@ func (am *DefaultAccountManager) DeleteRegularUsers(ctx context.Context, account
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, initiatorUser, false); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
if !initiatorUser.HasAdminPower() {
|
if !initiatorUser.HasAdminPower() {
|
||||||
return status.NewAdminPermissionError()
|
return status.NewAdminPermissionError()
|
||||||
}
|
}
|
||||||
@ -1081,6 +1100,25 @@ func (am *DefaultAccountManager) deleteRegularUser(ctx context.Context, accountI
|
|||||||
return updateAccountPeers, nil
|
return updateAccountPeers, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetOwnerInfo retrieves the owner information for a given account ID.
|
||||||
|
func (am *DefaultAccountManager) GetOwnerInfo(ctx context.Context, accountID string) (*types.UserInfo, error) {
|
||||||
|
owner, err := am.Store.GetAccountOwner(ctx, store.LockingStrengthShare, accountID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if owner == nil {
|
||||||
|
return nil, status.Errorf(status.NotFound, "owner not found")
|
||||||
|
}
|
||||||
|
|
||||||
|
userInfo, err := am.getUserInfo(ctx, owner, accountID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return userInfo, nil
|
||||||
|
}
|
||||||
|
|
||||||
// updateUserPeersInGroups updates the user's peers in the specified groups by adding or removing them.
|
// updateUserPeersInGroups updates the user's peers in the specified groups by adding or removing them.
|
||||||
func updateUserPeersInGroups(accountGroups map[string]*types.Group, peers []*nbpeer.Peer, groupsToAdd, groupsToRemove []string) (groupsToUpdate []*types.Group, err error) {
|
func updateUserPeersInGroups(accountGroups map[string]*types.Group, peers []*nbpeer.Peer, groupsToAdd, groupsToRemove []string) (groupsToUpdate []*types.Group, err error) {
|
||||||
if len(groupsToAdd) == 0 && len(groupsToRemove) == 0 {
|
if len(groupsToAdd) == 0 && len(groupsToRemove) == 0 {
|
||||||
|
|||||||
@ -8,11 +8,11 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/google/go-cmp/cmp"
|
"github.com/google/go-cmp/cmp"
|
||||||
|
|
||||||
"golang.org/x/exp/maps"
|
"golang.org/x/exp/maps"
|
||||||
|
|
||||||
nbcache "github.com/netbirdio/netbird/management/server/cache"
|
nbcache "github.com/netbirdio/netbird/management/server/cache"
|
||||||
nbcontext "github.com/netbirdio/netbird/management/server/context"
|
nbcontext "github.com/netbirdio/netbird/management/server/context"
|
||||||
|
"github.com/netbirdio/netbird/management/server/permissions"
|
||||||
"github.com/netbirdio/netbird/management/server/util"
|
"github.com/netbirdio/netbird/management/server/util"
|
||||||
|
|
||||||
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
||||||
@ -59,9 +59,11 @@ func TestUser_CreatePAT_ForSameUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: s,
|
Store: s,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
pat, err := am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenName, mockExpiresIn)
|
pat, err := am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenName, mockExpiresIn)
|
||||||
@ -107,9 +109,11 @@ func TestUser_CreatePAT_ForDifferentUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err = am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockTargetUserId, mockTokenName, mockExpiresIn)
|
_, err = am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockTargetUserId, mockTokenName, mockExpiresIn)
|
||||||
@ -133,9 +137,11 @@ func TestUser_CreatePAT_ForServiceUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
pat, err := am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockTargetUserId, mockTokenName, mockExpiresIn)
|
pat, err := am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockTargetUserId, mockTokenName, mockExpiresIn)
|
||||||
@ -160,9 +166,11 @@ func TestUser_CreatePAT_WithWrongExpiration(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err = am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenName, mockWrongExpiresIn)
|
_, err = am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenName, mockWrongExpiresIn)
|
||||||
@ -183,9 +191,11 @@ func TestUser_CreatePAT_WithEmptyName(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err = am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockEmptyTokenName, mockExpiresIn)
|
_, err = am.CreatePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockEmptyTokenName, mockExpiresIn)
|
||||||
@ -214,9 +224,11 @@ func TestUser_DeletePAT(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
err = am.DeletePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenID1)
|
err = am.DeletePAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenID1)
|
||||||
@ -255,9 +267,11 @@ func TestUser_GetPAT(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
pat, err := am.GetPAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenID1)
|
pat, err := am.GetPAT(context.Background(), mockAccountID, mockUserID, mockUserID, mockTokenID1)
|
||||||
@ -296,9 +310,11 @@ func TestUser_GetAllPATs(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
pats, err := am.GetAllPATs(context.Background(), mockAccountID, mockUserID, mockUserID)
|
pats, err := am.GetAllPATs(context.Background(), mockAccountID, mockUserID, mockUserID)
|
||||||
@ -390,9 +406,11 @@ func TestUser_CreateServiceUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := am.createServiceUser(context.Background(), mockAccountID, mockUserID, mockRole, mockServiceUserName, false, []string{"group1", "group2"})
|
user, err := am.createServiceUser(context.Background(), mockAccountID, mockUserID, mockRole, mockServiceUserName, false, []string{"group1", "group2"})
|
||||||
@ -435,9 +453,11 @@ func TestUser_CreateUser_ServiceUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := am.CreateUser(context.Background(), mockAccountID, mockUserID, &types.UserInfo{
|
user, err := am.CreateUser(context.Background(), mockAccountID, mockUserID, &types.UserInfo{
|
||||||
@ -481,9 +501,11 @@ func TestUser_CreateUser_RegularUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err = am.CreateUser(context.Background(), mockAccountID, mockUserID, &types.UserInfo{
|
_, err = am.CreateUser(context.Background(), mockAccountID, mockUserID, &types.UserInfo{
|
||||||
@ -510,10 +532,12 @@ func TestUser_InviteNewUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
cacheLoading: map[string]chan struct{}{},
|
cacheLoading: map[string]chan struct{}{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
cs, err := nbcache.NewStore(context.Background(), nbcache.DefaultIDPCacheExpirationMax, nbcache.DefaultIDPCacheCleanupInterval)
|
cs, err := nbcache.NewStore(context.Background(), nbcache.DefaultIDPCacheExpirationMax, nbcache.DefaultIDPCacheCleanupInterval)
|
||||||
@ -616,9 +640,11 @@ func TestUser_DeleteUser_ServiceUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
err = am.DeleteUser(context.Background(), mockAccountID, mockUserID, mockServiceUserID)
|
err = am.DeleteUser(context.Background(), mockAccountID, mockUserID, mockServiceUserID)
|
||||||
@ -652,9 +678,11 @@ func TestUser_DeleteUser_SelfDelete(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
err = am.DeleteUser(context.Background(), mockAccountID, mockUserID, mockUserID)
|
err = am.DeleteUser(context.Background(), mockAccountID, mockUserID, mockUserID)
|
||||||
@ -704,10 +732,12 @@ func TestUser_DeleteUser_regularUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
integratedPeerValidator: MocIntegratedValidator{},
|
integratedPeerValidator: MocIntegratedValidator{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
@ -812,10 +842,12 @@ func TestUser_DeleteUser_RegularUsers(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
integratedPeerValidator: MocIntegratedValidator{},
|
integratedPeerValidator: MocIntegratedValidator{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
@ -921,9 +953,11 @@ func TestDefaultAccountManager_GetUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
claims := nbcontext.UserAuth{
|
claims := nbcontext.UserAuth{
|
||||||
@ -957,9 +991,11 @@ func TestDefaultAccountManager_ListUsers(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
users, err := am.ListUsers(context.Background(), mockAccountID)
|
users, err := am.ListUsers(context.Background(), mockAccountID)
|
||||||
@ -1044,9 +1080,11 @@ func TestDefaultAccountManager_ListUsers_DashboardPermissions(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
users, err := am.ListUsers(context.Background(), mockAccountID)
|
users, err := am.ListUsers(context.Background(), mockAccountID)
|
||||||
@ -1087,11 +1125,13 @@ func TestDefaultAccountManager_ExternalCache(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
idpManager: &idp.GoogleWorkspaceManager{}, // empty manager
|
idpManager: &idp.GoogleWorkspaceManager{}, // empty manager
|
||||||
cacheLoading: map[string]chan struct{}{},
|
cacheLoading: map[string]chan struct{}{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
cacheStore, err := nbcache.NewStore(context.Background(), nbcache.DefaultIDPCacheExpirationMax, nbcache.DefaultIDPCacheCleanupInterval)
|
cacheStore, err := nbcache.NewStore(context.Background(), nbcache.DefaultIDPCacheExpirationMax, nbcache.DefaultIDPCacheCleanupInterval)
|
||||||
@ -1148,9 +1188,11 @@ func TestUser_GetUsersFromAccount_ForAdmin(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
users, err := am.GetUsersFromAccount(context.Background(), mockAccountID, mockUserID)
|
users, err := am.GetUsersFromAccount(context.Background(), mockAccountID, mockUserID)
|
||||||
@ -1180,9 +1222,11 @@ func TestUser_GetUsersFromAccount_ForUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when saving account: %s", err)
|
t.Fatalf("Error when saving account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
permissionsMananagerMock := permissions.NewManagerMock()
|
||||||
am := DefaultAccountManager{
|
am := DefaultAccountManager{
|
||||||
Store: store,
|
Store: store,
|
||||||
eventStore: &activity.InMemoryEventStore{},
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
permissionsManager: permissionsMananagerMock,
|
||||||
}
|
}
|
||||||
|
|
||||||
users, err := am.GetUsersFromAccount(context.Background(), mockAccountID, mockServiceUserID)
|
users, err := am.GetUsersFromAccount(context.Background(), mockAccountID, mockServiceUserID)
|
||||||
@ -1525,3 +1569,41 @@ func TestUserAccountPeersUpdate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestSaveOrAddUser_PreventAccountSwitch(t *testing.T) {
|
||||||
|
s, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Error when creating store: %s", err)
|
||||||
|
}
|
||||||
|
t.Cleanup(cleanup)
|
||||||
|
|
||||||
|
account1 := newAccountWithId(context.Background(), "account1", "ownerAccount1", "")
|
||||||
|
targetId := "user2"
|
||||||
|
account1.Users[targetId] = &types.User{
|
||||||
|
Id: targetId,
|
||||||
|
AccountID: account1.Id,
|
||||||
|
ServiceUserName: "user2username",
|
||||||
|
}
|
||||||
|
require.NoError(t, s.SaveAccount(context.Background(), account1))
|
||||||
|
|
||||||
|
account2 := newAccountWithId(context.Background(), "account2", "ownerAccount2", "")
|
||||||
|
require.NoError(t, s.SaveAccount(context.Background(), account2))
|
||||||
|
|
||||||
|
permissionsManagerMock := permissions.NewManagerMock()
|
||||||
|
am := DefaultAccountManager{
|
||||||
|
Store: s,
|
||||||
|
eventStore: &activity.InMemoryEventStore{},
|
||||||
|
idpManager: nil,
|
||||||
|
cacheLoading: map[string]chan struct{}{},
|
||||||
|
permissionsManager: permissionsManagerMock,
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = am.SaveOrAddUser(context.Background(), "account2", "ownerAccount2", account1.Users[targetId], true)
|
||||||
|
assert.Error(t, err, "update user to another account should fail")
|
||||||
|
|
||||||
|
user, err := s.GetUserByUserID(context.Background(), store.LockingStrengthShare, targetId)
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.Equal(t, account1.Users[targetId].Id, user.Id)
|
||||||
|
assert.Equal(t, account1.Users[targetId].AccountID, user.AccountID)
|
||||||
|
assert.Equal(t, account1.Users[targetId].AutoGroups, user.AutoGroups)
|
||||||
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user