diff --git a/management/server/http/handler.go b/management/server/http/handler.go index e4cc8585a..4e2faae4b 100644 --- a/management/server/http/handler.go +++ b/management/server/http/handler.go @@ -66,15 +66,13 @@ func NewAPIHandler( corsMiddleware := cors.AllowAll() - acMiddleware := middleware.NewAccessControl(accountManager.GetUserFromUserAuth) - rootRouter := mux.NewRouter() metricsMiddleware := appMetrics.HTTPMiddleware() prefix := apiPrefix router := rootRouter.PathPrefix(prefix).Subrouter() - router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware.Handler, acMiddleware.Handler) + router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware.Handler) if _, err := integrations.RegisterHandlers(ctx, prefix, router, accountManager, integratedValidator, appMetrics.GetMeter(), permissionsManager, peersManager, proxyController, settingsManager); err != nil { return nil, fmt.Errorf("register integrations endpoints: %w", err) diff --git a/management/server/http/middleware/access_control.go b/management/server/http/middleware/access_control.go deleted file mode 100644 index 4ed90f47b..000000000 --- a/management/server/http/middleware/access_control.go +++ /dev/null @@ -1,77 +0,0 @@ -package middleware - -import ( - "context" - "net/http" - "regexp" - - log "github.com/sirupsen/logrus" - - nbcontext "github.com/netbirdio/netbird/management/server/context" - "github.com/netbirdio/netbird/management/server/http/middleware/bypass" - "github.com/netbirdio/netbird/management/server/http/util" - "github.com/netbirdio/netbird/management/server/status" - "github.com/netbirdio/netbird/management/server/types" -) - -// GetUser function defines a function to fetch user from Account by jwtclaims.AuthorizationClaims -type GetUser func(ctx context.Context, userAuth nbcontext.UserAuth) (*types.User, error) - -// AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only -type AccessControl struct { - getUser GetUser -} - -// NewAccessControl instance constructor -func NewAccessControl(getUser GetUser) *AccessControl { - return &AccessControl{ - getUser: getUser, - } -} - -var tokenPathRegexp = regexp.MustCompile(`^.*/api/users/.*/tokens.*$`) - -// Handler method of the middleware which forbids all modify requests for non admin users -func (a *AccessControl) Handler(h http.Handler) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - - if bypass.ShouldBypass(r.URL.Path, h, w, r) { - return - } - - userAuth, err := nbcontext.GetUserAuthFromRequest(r) - if err != nil { - log.WithContext(r.Context()).Errorf("failed to get user auth from request: %s", err) - util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "invalid user auth"), w) - } - - user, err := a.getUser(r.Context(), userAuth) - if err != nil { - log.WithContext(r.Context()).Errorf("failed to get user: %s", err) - util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "invalid user auth"), w) - return - } - - if user.IsBlocked() { - util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "the user has no access to the API or is blocked"), w) - return - } - - if !user.HasAdminPower() { - switch r.Method { - case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut: - - if tokenPathRegexp.MatchString(r.URL.Path) { - log.WithContext(r.Context()).Debugf("valid Path") - h.ServeHTTP(w, r) - return - } - - util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "only users with admin power can perform this operation"), w) - return - } - } - - h.ServeHTTP(w, r) - }) -}