From 7b02e9c3a88ca3a6b56eaab9140e5ee0756a60e7 Mon Sep 17 00:00:00 2001
From: Pedro Costa <550684+pnmcosta@users.noreply.github.com>
Date: Fri, 21 Feb 2025 15:36:00 +0000
Subject: [PATCH] [management] base manager
---
 go.mod | 5 +-
 .../server/http/middleware/access_control.go | 11 ++---
 management/server/networks/manager.go | 49 +++++++------------
 management/server/networks/manager_test.go | 3 ++
 4 files changed, 29 insertions(+), 39 deletions(-)
diff --git a/go.mod b/go.mod
index 62461adc9..67bd3ddd7 100644
--- a/go.mod
+++ b/go.mod
@@ -60,7 +60,8 @@ require (
 github.com/miekg/dns v1.1.59
 github.com/mitchellh/hashstructure/v2 v2.0.2
 github.com/nadoo/ipset v0.5.0
- github.com/netbirdio/management-integrations/integrations v0.0.0-20250226165736-0ac3dc443266
+ github.com/netbirdio/management-integrations/core v0.0.0-00010101000000-000000000000
+ github.com/netbirdio/management-integrations/integrations v0.0.0-20250220173202-e599d83524fc
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20241010133937-e0df50df217d
 github.com/okta/okta-sdk-golang/v2 v2.18.0
 github.com/oschwald/maxminddb-golang v1.12.0
@@ -254,3 +255,5 @@ replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-2023080111
 replace github.com/pion/ice/v3 => github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e
 replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
+
+replace github.com/netbirdio/management-integrations/core => ../../management-integrations/core
diff --git a/management/server/http/middleware/access_control.go b/management/server/http/middleware/access_control.go
index 4ed90f47b..3408eeb68 100644
--- a/management/server/http/middleware/access_control.go
+++ b/management/server/http/middleware/access_control.go
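Review bot: The new `replace github.com/netbirdio/management-integrations/core => ../../management-integrations/core` directive at the end of the second go.mod hunk resolves a required module to a relative path outside this repository, so `go build` and `go mod tidy` only succeed on a machine that has that sibling checkout, and the placeholder pseudo-version `v0.0.0-00010101000000-000000000000` in the first hunk means no published, checksummed version of `core` is pinned in go.sum. That is workable for local development but should not be merged as is; point the requirement at a published pseudo-version once `core` is tagged, or keep the local override in an uncommitted `go.work` instead of go.mod. Separately, the `integrations` requirement moves from the `20250226165736` pseudo-version to `20250220173202`, which is a downgrade by timestamp; confirm this is intended rather than a rebase artifact.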
@@ -34,7 +34,6 @@ var tokenPathRegexp = regexp.MustCompile(`^.*/api/users/.*/tokens.*$`)
 // Handler method of the middleware which forbids all modify requests for non admin users
 func (a *AccessControl) Handler(h http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
 if bypass.ShouldBypass(r.URL.Path, h, w, r) {
 return
 }
@@ -60,18 +59,16 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
 if !user.HasAdminPower() {
 switch r.Method {
 case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
-
- if tokenPathRegexp.MatchString(r.URL.Path) {
- log.WithContext(r.Context()).Debugf("valid Path")
- h.ServeHTTP(w, r)
+ if !tokenPathRegexp.MatchString(r.URL.Path) {
+ util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "only users with admin power can perform this operation"), w)
 return
 }
- util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "only users with admin power can perform this operation"), w)
- return
+ log.WithContext(r.Context()).Debugf("valid Path")
 }
 }
+ // @todo get account settings and set it and user to context
 h.ServeHTTP(w, r)
 })
 }
diff --git a/management/server/networks/manager.go b/management/server/networks/manager.go
index 43f0ed0f8..2121ce4ff 100644
--- a/management/server/networks/manager.go
+++ b/management/server/networks/manager.go
@@ -6,13 +6,13 @@ import (
 "github.com/rs/xid"
+ "github.com/netbirdio/management-integrations/core"
 "github.com/netbirdio/netbird/management/server/account"
 "github.com/netbirdio/netbird/management/server/activity"
 "github.com/netbirdio/netbird/management/server/networks/resources"
 "github.com/netbirdio/netbird/management/server/networks/routers"
 "github.com/netbirdio/netbird/management/server/networks/types"
 "github.com/netbirdio/netbird/management/server/permissions"
- "github.com/netbirdio/netbird/management/server/status"
 "github.com/netbirdio/netbird/management/server/store"
 )
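Review bot: The `log.WithContext(r.Context()).Debugf("valid Path")` line kept on the new side of the second access_control.go hunk does not say which request it refers to, and after the inversion it runs on the one path where a non-admin modify request is let through, which is exactly the event an operator would want to find in logs; something like `log.WithContext(r.Context()).Debugf("allowing non-admin %s on token path %q", r.Method, r.URL.Path)` makes the exemption auditable. The inverted `tokenPathRegexp` guard itself preserves behavior: a non-matching path still gets the permission-denied response and returns, a matching path now falls through to the single `h.ServeHTTP(w, r)` call instead of serving inside the branch. The added `// @todo get account settings and set it and user to context` describes work that is not in this commit; reference an issue or drop it so it is not read as a description of what the handler does. `Handler` begins before the second hunk.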
@@ -25,6 +25,7 @@ type Manager interface {
 }
 type managerImpl struct {
+ core.BaseManager
 store store.Store
 accountManager account.AccountManager
 permissionsManager permissions.Manager
@@ -37,33 +38,28 @@ type mockManager struct {
 func NewManager(store store.Store, permissionsManager permissions.Manager, resourceManager resources.Manager, routersManager routers.Manager, accountManager account.AccountManager) Manager {
 return &managerImpl{
- store: store,
- permissionsManager: permissionsManager,
- resourcesManager: resourceManager,
- routersManager: routersManager,
- accountManager: accountManager,
+ BaseManager: core.NewBaseManager(core.Networks),
+ store: store,
+ // permissionsManager: permissionsManager,
+ resourcesManager: resourceManager,
+ routersManager: routersManager,
+ accountManager: accountManager,
 }
 }
 func (m *managerImpl) GetAllNetworks(ctx context.Context, accountID, userID string) ([]*types.Network, error) {
- ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+ err := m.ValidatePermissions(ctx, core.Read)
 if err != nil {
- return nil, status.NewPermissionValidationError(err)
- }
- if !ok {
- return nil, status.NewPermissionDeniedError()
+ return nil, err
 }
 return m.store.GetAccountNetworks(ctx, store.LockingStrengthShare, accountID)
 }
 func (m *managerImpl) CreateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error) {
- ok, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, permissions.Networks, permissions.Write)
+ err := m.ValidatePermissions(ctx, core.Write)
 if err != nil {
- return nil, status.NewPermissionValidationError(err)
- }
- if !ok {
- return nil, status.NewPermissionDeniedError()
+ return nil, err
 }
 network.ID = xid.New().String()
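Review bot: In `GetAllNetworks` the authorization decision now comes from `m.ValidatePermissions(ctx, core.Read)`, which receives only the context, while the read on the following line still uses the `accountID` argument; unless `core.BaseManager.ValidatePermissions` also checks that the caller's account matches that argument, a caller whose context carries account A can read networks of account B by passing B's `accountID`, whereas the removed `ValidateUserPermissions(ctx, accountID, userID, ...)` tied the check to the same identifiers used for the lookup. The same pattern appears in `CreateNetwork` in this hunk and in `GetNetwork`, `UpdateNetwork` and `DeleteNetwork` in the following hunks. Either compare the `accountID` (or `network.AccountID`) argument against the account stored in the context by `nbcontext.SetUserAuthInContext` and return a permission-denied error on mismatch, or remove the explicit `accountID`/`userID` parameters so there is one source of truth for the principal. Also, `permissionsManager` is commented out in the `NewManager` literal but the struct field and the constructor parameter remain, so the field is always nil and any surviving `m.permissionsManager` use would panic; drop both or wire it. Finally, the raw error from `ValidatePermissions` is returned where `status.NewPermissionValidationError`/`status.NewPermissionDeniedError` were used before, so confirm the HTTP layer still maps it to a 403 rather than a 500.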
@@ -82,24 +78,18 @@ func (m *managerImpl) CreateNetwork(ctx context.Context, userID string, network
 }
 func (m *managerImpl) GetNetwork(ctx context.Context, accountID, userID, networkID string) (*types.Network, error) {
- ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Read)
+ err := m.ValidatePermissions(ctx, core.Read)
 if err != nil {
- return nil, status.NewPermissionValidationError(err)
- }
- if !ok {
- return nil, status.NewPermissionDeniedError()
+ return nil, err
 }
 return m.store.GetNetworkByID(ctx, store.LockingStrengthShare, accountID, networkID)
 }
 func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error) {
- ok, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, permissions.Networks, permissions.Write)
+ err := m.ValidatePermissions(ctx, core.Write)
 if err != nil {
- return nil, status.NewPermissionValidationError(err)
- }
- if !ok {
- return nil, status.NewPermissionDeniedError()
+ return nil, err
 }
 unlock := m.store.AcquireWriteLockByUID(ctx, network.AccountID)
@@ -116,12 +106,9 @@ func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network
 }
 func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, networkID string) error {
- ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, permissions.Networks, permissions.Write)
+ err := m.ValidatePermissions(ctx, core.Write)
 if err != nil {
- return status.NewPermissionValidationError(err)
- }
- if !ok {
- return status.NewPermissionDeniedError()
+ return err
 }
 network, err := m.store.GetNetworkByID(ctx, store.LockingStrengthUpdate, accountID, networkID)
diff --git a/management/server/networks/manager_test.go b/management/server/networks/manager_test.go
index edd830c25..a14ea3048 100644
--- a/management/server/networks/manager_test.go
+++ b/management/server/networks/manager_test.go
@@ -6,6 +6,7 @@ import (
 "github.com/stretchr/testify/require"
+ nbcontext "github.com/netbirdio/netbird/management/server/context"
 "github.com/netbirdio/netbird/management/server/groups"
 "github.com/netbirdio/netbird/management/server/mock_server"
 "github.com/netbirdio/netbird/management/server/networks/resources"
@@ -25,6 +26,7 @@ func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
 t.Fatal(err)
 }
 t.Cleanup(cleanUp)
+
 am := mock_server.MockAccountManager{}
 permissionsManager := permissions.NewManagerMock()
 groupsManager := groups.NewManagerMock()
@@ -32,6 +34,7 @@ func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
 resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
+ ctx = nbcontext.SetUserAuthInContext(ctx, nbcontext.UserAuth{AccountId: accountID, UserId: userID})
 networks, err := manager.GetAllNetworks(ctx, accountID, userID)
 require.NoError(t, err)
 require.Len(t, networks, 1)
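Review bot: The only scenario exercised by the third hunk is the one where the principal set by `nbcontext.SetUserAuthInContext` carries the same `accountID` and `userID` that are also passed explicitly to `GetAllNetworks`, so the test cannot tell whether `ValidatePermissions` relies on the context, on the arguments, or on both. Two further cases would pin the intended contract: a call on a `ctx` without `UserAuth`, which should return an error rather than networks, and a call whose context holds a different `AccountId` than the `accountID` argument, which should be denied. `Test_GetAllNetworksReturnsNetworks` starts before the second hunk and its setup between the hunks is not shown.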