mirror of
https://github.com/netbirdio/netbird.git
synced 2024-12-24 15:48:52 +01:00
49cca57565
Add check if user with account id metadata belongs to account
544 lines
16 KiB
Go
544 lines
16 KiB
Go
package server
|
|
|
|
import (
|
|
"fmt"
|
|
"reflect"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/netbirdio/netbird/management/server/idp"
|
|
"github.com/netbirdio/netbird/management/server/jwtclaims"
|
|
"github.com/netbirdio/netbird/util"
|
|
"github.com/rs/xid"
|
|
log "github.com/sirupsen/logrus"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
const (
|
|
PublicCategory = "public"
|
|
PrivateCategory = "private"
|
|
UnknownCategory = "unknown"
|
|
)
|
|
|
|
type AccountManager interface {
|
|
GetOrCreateAccountByUser(userId, domain string) (*Account, error)
|
|
GetAccountByUser(userId string) (*Account, error)
|
|
AddSetupKey(accountId string, keyName string, keyType SetupKeyType, expiresIn *util.Duration) (*SetupKey, error)
|
|
RevokeSetupKey(accountId string, keyId string) (*SetupKey, error)
|
|
RenameSetupKey(accountId string, keyId string, newName string) (*SetupKey, error)
|
|
GetAccountById(accountId string) (*Account, error)
|
|
GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error)
|
|
GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error)
|
|
AccountExists(accountId string) (*bool, error)
|
|
AddAccount(accountId, userId, domain string) (*Account, error)
|
|
GetPeer(peerKey string) (*Peer, error)
|
|
MarkPeerConnected(peerKey string, connected bool) error
|
|
RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
|
|
DeletePeer(accountId string, peerKey string) (*Peer, error)
|
|
GetPeerByIP(accountId string, peerIP string) (*Peer, error)
|
|
GetNetworkMap(peerKey string) (*NetworkMap, error)
|
|
AddPeer(setupKey string, userId string, peer *Peer) (*Peer, error)
|
|
GetUsersFromAccount(accountId string) ([]*UserInfo, error)
|
|
GetGroup(accountId, groupID string) (*Group, error)
|
|
SaveGroup(accountId string, group *Group) error
|
|
DeleteGroup(accountId, groupID string) error
|
|
ListGroups(accountId string) ([]*Group, error)
|
|
GroupAddPeer(accountId, groupID, peerKey string) error
|
|
GroupDeletePeer(accountId, groupID, peerKey string) error
|
|
GroupListPeers(accountId, groupID string) ([]*Peer, error)
|
|
}
|
|
|
|
type DefaultAccountManager struct {
|
|
Store Store
|
|
// mutex to synchronise account operations (e.g. generating Peer IP address inside the Network)
|
|
mux sync.Mutex
|
|
peersUpdateManager *PeersUpdateManager
|
|
idpManager idp.Manager
|
|
}
|
|
|
|
// Account represents a unique account of the system
|
|
type Account struct {
|
|
Id string
|
|
// User.Id it was created by
|
|
CreatedBy string
|
|
Domain string
|
|
DomainCategory string
|
|
IsDomainPrimaryAccount bool
|
|
SetupKeys map[string]*SetupKey
|
|
Network *Network
|
|
Peers map[string]*Peer
|
|
Users map[string]*User
|
|
Groups map[string]*Group
|
|
}
|
|
|
|
type UserInfo struct {
|
|
ID string `json:"id"`
|
|
Email string `json:"email"`
|
|
Name string `json:"name"`
|
|
Role string `json:"role"`
|
|
}
|
|
|
|
// NewAccount creates a new Account with a generated ID and generated default setup keys
|
|
func NewAccount(userId, domain string) *Account {
|
|
accountId := xid.New().String()
|
|
return newAccountWithId(accountId, userId, domain)
|
|
}
|
|
|
|
func (a *Account) Copy() *Account {
|
|
peers := map[string]*Peer{}
|
|
for id, peer := range a.Peers {
|
|
peers[id] = peer.Copy()
|
|
}
|
|
|
|
users := map[string]*User{}
|
|
for id, user := range a.Users {
|
|
users[id] = user.Copy()
|
|
}
|
|
|
|
setupKeys := map[string]*SetupKey{}
|
|
for id, key := range a.SetupKeys {
|
|
setupKeys[id] = key.Copy()
|
|
}
|
|
|
|
return &Account{
|
|
Id: a.Id,
|
|
CreatedBy: a.CreatedBy,
|
|
SetupKeys: setupKeys,
|
|
Network: a.Network.Copy(),
|
|
Peers: peers,
|
|
Users: users,
|
|
}
|
|
}
|
|
|
|
// NewManager creates a new DefaultAccountManager with a provided Store
|
|
func NewManager(store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager) *DefaultAccountManager {
|
|
return &DefaultAccountManager{
|
|
Store: store,
|
|
mux: sync.Mutex{},
|
|
peersUpdateManager: peersUpdateManager,
|
|
idpManager: idpManager,
|
|
}
|
|
}
|
|
|
|
// AddSetupKey generates a new setup key with a given name and type, and adds it to the specified account
|
|
func (am *DefaultAccountManager) AddSetupKey(
|
|
accountId string,
|
|
keyName string,
|
|
keyType SetupKeyType,
|
|
expiresIn *util.Duration,
|
|
) (*SetupKey, error) {
|
|
am.mux.Lock()
|
|
defer am.mux.Unlock()
|
|
|
|
keyDuration := DefaultSetupKeyDuration
|
|
if expiresIn != nil {
|
|
keyDuration = expiresIn.Duration
|
|
}
|
|
|
|
account, err := am.Store.GetAccount(accountId)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
|
}
|
|
|
|
setupKey := GenerateSetupKey(keyName, keyType, keyDuration)
|
|
account.SetupKeys[setupKey.Key] = setupKey
|
|
|
|
err = am.Store.SaveAccount(account)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed adding account key")
|
|
}
|
|
|
|
return setupKey, nil
|
|
}
|
|
|
|
// RevokeSetupKey marks SetupKey as revoked - becomes not valid anymore
|
|
func (am *DefaultAccountManager) RevokeSetupKey(accountId string, keyId string) (*SetupKey, error) {
|
|
am.mux.Lock()
|
|
defer am.mux.Unlock()
|
|
|
|
account, err := am.Store.GetAccount(accountId)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
|
}
|
|
|
|
setupKey := getAccountSetupKeyById(account, keyId)
|
|
if setupKey == nil {
|
|
return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", keyId)
|
|
}
|
|
|
|
keyCopy := setupKey.Copy()
|
|
keyCopy.Revoked = true
|
|
account.SetupKeys[keyCopy.Key] = keyCopy
|
|
err = am.Store.SaveAccount(account)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed adding account key")
|
|
}
|
|
|
|
return keyCopy, nil
|
|
}
|
|
|
|
// RenameSetupKey renames existing setup key of the specified account.
|
|
func (am *DefaultAccountManager) RenameSetupKey(
|
|
accountId string,
|
|
keyId string,
|
|
newName string,
|
|
) (*SetupKey, error) {
|
|
am.mux.Lock()
|
|
defer am.mux.Unlock()
|
|
|
|
account, err := am.Store.GetAccount(accountId)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
|
}
|
|
|
|
setupKey := getAccountSetupKeyById(account, keyId)
|
|
if setupKey == nil {
|
|
return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", keyId)
|
|
}
|
|
|
|
keyCopy := setupKey.Copy()
|
|
keyCopy.Name = newName
|
|
account.SetupKeys[keyCopy.Key] = keyCopy
|
|
err = am.Store.SaveAccount(account)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed adding account key")
|
|
}
|
|
|
|
return keyCopy, nil
|
|
}
|
|
|
|
// GetAccountById returns an existing account using its ID or error (NotFound) if doesn't exist
|
|
func (am *DefaultAccountManager) GetAccountById(accountId string) (*Account, error) {
|
|
am.mux.Lock()
|
|
defer am.mux.Unlock()
|
|
|
|
account, err := am.Store.GetAccount(accountId)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.NotFound, "account not found")
|
|
}
|
|
|
|
return account, nil
|
|
}
|
|
|
|
// GetAccountByUserOrAccountId look for an account by user or account Id, if no account is provided and
|
|
// user id doesn't have an account associated with it, one account is created
|
|
func (am *DefaultAccountManager) GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error) {
|
|
if accountId != "" {
|
|
return am.GetAccountById(accountId)
|
|
} else if userId != "" {
|
|
account, err := am.GetOrCreateAccountByUser(userId, domain)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.NotFound, "account not found using user id: %s", userId)
|
|
}
|
|
err = am.updateIDPMetadata(userId, account.Id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return account, nil
|
|
}
|
|
|
|
return nil, status.Errorf(codes.NotFound, "no valid user or account Id provided")
|
|
}
|
|
|
|
func isNil(i idp.Manager) bool {
|
|
return i == nil || reflect.ValueOf(i).IsNil()
|
|
}
|
|
|
|
// updateIDPMetadata update user's app metadata in idp manager
|
|
func (am *DefaultAccountManager) updateIDPMetadata(userId, accountID string) error {
|
|
if !isNil(am.idpManager) {
|
|
err := am.idpManager.UpdateUserAppMetadata(userId, idp.AppMetadata{WTAccountId: accountID})
|
|
if err != nil {
|
|
return status.Errorf(
|
|
codes.Internal,
|
|
"updating user's app metadata failed with: %v",
|
|
err,
|
|
)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func mergeLocalAndQueryUser(queried idp.UserData, local User) *UserInfo {
|
|
return &UserInfo{
|
|
ID: local.Id,
|
|
Email: queried.Email,
|
|
Name: queried.Name,
|
|
Role: string(local.Role),
|
|
}
|
|
}
|
|
|
|
// GetUsersFromAccount performs a batched request for users from IDP by account id
|
|
func (am *DefaultAccountManager) GetUsersFromAccount(accountID string) ([]*UserInfo, error) {
|
|
account, err := am.GetAccountById(accountID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
queriedUsers := make([]*idp.UserData, 0)
|
|
if !isNil(am.idpManager) {
|
|
queriedUsers, err = am.idpManager.GetBatchedUserData(accountID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
userInfo := make([]*UserInfo, 0)
|
|
|
|
// in case of self-hosted, or IDP doesn't return anything, we will return the locally stored userInfo
|
|
if len(queriedUsers) == 0 {
|
|
for _, user := range account.Users {
|
|
userInfo = append(userInfo, &UserInfo{
|
|
ID: user.Id,
|
|
Email: "",
|
|
Name: "",
|
|
Role: string(user.Role),
|
|
})
|
|
}
|
|
return userInfo, nil
|
|
}
|
|
|
|
for _, queriedUser := range queriedUsers {
|
|
if localUser, contains := account.Users[queriedUser.ID]; contains {
|
|
userInfo = append(userInfo, mergeLocalAndQueryUser(*queriedUser, *localUser))
|
|
log.Debugf("Merged userinfo to send back; %v", userInfo)
|
|
}
|
|
}
|
|
|
|
return userInfo, nil
|
|
}
|
|
|
|
// updateAccountDomainAttributes updates the account domain attributes and then, saves the account
|
|
func (am *DefaultAccountManager) updateAccountDomainAttributes(
|
|
account *Account,
|
|
claims jwtclaims.AuthorizationClaims,
|
|
primaryDomain bool,
|
|
) error {
|
|
account.IsDomainPrimaryAccount = primaryDomain
|
|
account.Domain = strings.ToLower(claims.Domain)
|
|
account.DomainCategory = claims.DomainCategory
|
|
err := am.Store.SaveAccount(account)
|
|
if err != nil {
|
|
return status.Errorf(codes.Internal, "failed saving updated account")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// handleExistingUserAccount handles existing User accounts and update its domain attributes.
|
|
//
|
|
//
|
|
// If there is no primary domain account yet, we set the account as primary for the domain. Otherwise,
|
|
// we compare the account's ID with the domain account ID, and if they don't match, we set the account as
|
|
// non-primary account for the domain. We don't merge accounts at this stage, because of cases when a domain
|
|
// was previously unclassified or classified as public so N users that logged int that time, has they own account
|
|
// and peers that shouldn't be lost.
|
|
func (am *DefaultAccountManager) handleExistingUserAccount(
|
|
existingAcc *Account,
|
|
domainAcc *Account,
|
|
claims jwtclaims.AuthorizationClaims,
|
|
) error {
|
|
var err error
|
|
|
|
if domainAcc != nil && existingAcc.Id != domainAcc.Id {
|
|
err = am.updateAccountDomainAttributes(existingAcc, claims, false)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
} else {
|
|
err = am.updateAccountDomainAttributes(existingAcc, claims, true)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// we should register the account ID to this user's metadata in our IDP manager
|
|
err = am.updateIDPMetadata(claims.UserId, existingAcc.Id)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// handleNewUserAccount validates if there is an existing primary account for the domain, if so it adds the new user to that account,
|
|
// otherwise it will create a new account and make it primary account for the domain.
|
|
func (am *DefaultAccountManager) handleNewUserAccount(
|
|
domainAcc *Account,
|
|
claims jwtclaims.AuthorizationClaims,
|
|
) (*Account, error) {
|
|
var (
|
|
account *Account
|
|
err error
|
|
)
|
|
lowerDomain := strings.ToLower(claims.Domain)
|
|
// if domain already has a primary account, add regular user
|
|
if domainAcc != nil {
|
|
account = domainAcc
|
|
account.Users[claims.UserId] = NewRegularUser(claims.UserId)
|
|
err = am.Store.SaveAccount(account)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed saving updated account")
|
|
}
|
|
} else {
|
|
account = NewAccount(claims.UserId, lowerDomain)
|
|
account.Users[claims.UserId] = NewAdminUser(claims.UserId)
|
|
err = am.updateAccountDomainAttributes(account, claims, true)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
err = am.updateIDPMetadata(claims.UserId, account.Id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return account, nil
|
|
}
|
|
|
|
// GetAccountWithAuthorizationClaims retrievs an account using JWT Claims.
|
|
// if domain is of the PrivateCategory category, it will evaluate
|
|
// if account is new, existing or if there is another account with the same domain
|
|
//
|
|
// Use cases:
|
|
//
|
|
// New user + New account + New domain -> create account, user role = admin (if private domain, index domain)
|
|
//
|
|
// New user + New account + Existing Private Domain -> add user to the existing account, user role = regular (not admin)
|
|
//
|
|
// New user + New account + Existing Public Domain -> create account, user role = admin
|
|
//
|
|
// Existing user + Existing account + Existing Domain -> Nothing changes (if private, index domain)
|
|
//
|
|
// Existing user + Existing account + Existing Indexed Domain -> Nothing changes
|
|
//
|
|
// Existing user + Existing account + Existing domain reclassified Domain as private -> Nothing changes (index domain)
|
|
func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(
|
|
claims jwtclaims.AuthorizationClaims,
|
|
) (*Account, error) {
|
|
// if Account ID is part of the claims
|
|
// it means that we've already classified the domain and user has an account
|
|
if claims.DomainCategory != PrivateCategory {
|
|
return am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain)
|
|
} else if claims.AccountId != "" {
|
|
accountFromID, err := am.GetAccountById(claims.AccountId)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if _, ok := accountFromID.Users[claims.UserId]; !ok {
|
|
return nil, fmt.Errorf("user %s is not part of the account id %s", claims.UserId, claims.AccountId)
|
|
}
|
|
if accountFromID.DomainCategory == PrivateCategory || claims.DomainCategory != PrivateCategory {
|
|
return accountFromID, nil
|
|
}
|
|
}
|
|
|
|
am.mux.Lock()
|
|
defer am.mux.Unlock()
|
|
|
|
// We checked if the domain has a primary account already
|
|
domainAccount, err := am.Store.GetAccountByPrivateDomain(claims.Domain)
|
|
accStatus, _ := status.FromError(err)
|
|
if accStatus.Code() != codes.OK && accStatus.Code() != codes.NotFound {
|
|
return nil, err
|
|
}
|
|
|
|
account, err := am.Store.GetUserAccount(claims.UserId)
|
|
if err == nil {
|
|
err = am.handleExistingUserAccount(account, domainAccount, claims)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return account, nil
|
|
} else if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
|
|
return am.handleNewUserAccount(domainAccount, claims)
|
|
} else {
|
|
// other error
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
// AccountExists checks whether account exists (returns true) or not (returns false)
|
|
func (am *DefaultAccountManager) AccountExists(accountId string) (*bool, error) {
|
|
am.mux.Lock()
|
|
defer am.mux.Unlock()
|
|
|
|
var res bool
|
|
_, err := am.Store.GetAccount(accountId)
|
|
if err != nil {
|
|
if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
|
|
res = false
|
|
return &res, nil
|
|
} else {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
res = true
|
|
return &res, nil
|
|
}
|
|
|
|
// AddAccount generates a new Account with a provided accountId and userId, saves to the Store
|
|
func (am *DefaultAccountManager) AddAccount(accountId, userId, domain string) (*Account, error) {
|
|
am.mux.Lock()
|
|
defer am.mux.Unlock()
|
|
|
|
return am.createAccount(accountId, userId, domain)
|
|
}
|
|
|
|
func (am *DefaultAccountManager) createAccount(accountId, userId, domain string) (*Account, error) {
|
|
account := newAccountWithId(accountId, userId, domain)
|
|
|
|
err := am.Store.SaveAccount(account)
|
|
if err != nil {
|
|
return nil, status.Errorf(codes.Internal, "failed creating account")
|
|
}
|
|
|
|
return account, nil
|
|
}
|
|
|
|
// newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
|
|
func newAccountWithId(accountId, userId, domain string) *Account {
|
|
log.Debugf("creating new account")
|
|
|
|
setupKeys := make(map[string]*SetupKey)
|
|
defaultKey := GenerateDefaultSetupKey()
|
|
oneOffKey := GenerateSetupKey("One-off key", SetupKeyOneOff, DefaultSetupKeyDuration)
|
|
setupKeys[defaultKey.Key] = defaultKey
|
|
setupKeys[oneOffKey.Key] = oneOffKey
|
|
network := NewNetwork()
|
|
peers := make(map[string]*Peer)
|
|
users := make(map[string]*User)
|
|
|
|
log.Debugf("created new account %s with setup key %s", accountId, defaultKey.Key)
|
|
|
|
return &Account{
|
|
Id: accountId,
|
|
SetupKeys: setupKeys,
|
|
Network: network,
|
|
Peers: peers,
|
|
Users: users,
|
|
CreatedBy: userId,
|
|
Domain: domain,
|
|
}
|
|
}
|
|
|
|
func getAccountSetupKeyById(acc *Account, keyId string) *SetupKey {
|
|
for _, k := range acc.SetupKeys {
|
|
if keyId == k.Id {
|
|
return k
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func getAccountSetupKeyByKey(acc *Account, key string) *SetupKey {
|
|
for _, k := range acc.SetupKeys {
|
|
if key == k.Key {
|
|
return k
|
|
}
|
|
}
|
|
return nil
|
|
}
|