diff --git a/management/server/http/middleware/auth_middleware.go b/management/server/http/middleware/auth_middleware.go
index 6f0d1556f..f2732fbf8 100644
--- a/management/server/http/middleware/auth_middleware.go
+++ b/management/server/http/middleware/auth_middleware.go
@@ -167,6 +167,11 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, auth []string) (*h
 IsPAT: true,
 }
 
+ if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
+ userAuth.AccountId = impersonate[0]
+ userAuth.IsChild = ok
+ }
+
 return nbcontext.SetUserAuthInRequest(r, userAuth), nil
 }
 
diff --git a/management/server/http/middleware/auth_middleware_test.go b/management/server/http/middleware/auth_middleware_test.go
index 410ff7e15..2285ed244 100644
--- a/management/server/http/middleware/auth_middleware_test.go
+++ b/management/server/http/middleware/auth_middleware_test.go
@@ -242,14 +242,15 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 },
 },
 {
- name: "Valid PAT Token ignores child",
+ name: "Valid PAT Token accesses child",
 path: "/test?account=xyz",
 authHeader: "Token " + PAT,
 expectedUserAuth: &nbcontext.UserAuth{
- AccountId: accountID,
+ AccountId: "xyz",
 UserId: userID,
 Domain: testAccount.Domain,
 DomainCategory: testAccount.DomainCategory,
+ IsChild: true,
 IsPAT: true,
 },
 },
diff --git a/management/server/permissions/roles/auditor.go b/management/server/permissions/roles/auditor.go
new file mode 100644
index 000000000..33d8651f4
--- /dev/null
+++ b/management/server/permissions/roles/auditor.go
@@ -0,0 +1,16 @@
+package roles
+
+import (
+ "github.com/netbirdio/netbird/management/server/permissions/operations"
+ "github.com/netbirdio/netbird/management/server/types"
+)
+
+var Auditor = RolePermissions{
+ Role: types.UserRoleAuditor,
+ AutoAllowNew: map[operations.Operation]bool{
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+}
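Review bot: Nothing in the added block checks that the PAT's user is entitled to the account named by the untrusted `account` query parameter before it is copied into `userAuth.AccountId` and the request is flagged as child access; the diff does not show where that entitlement check lives, so a comment naming the layer that enforces it would help the next reader, e.g. `// account=<id> lets a PAT act on a child account; entitlement to that account is enforced by the permission layer, not here.` Also, `userAuth.IsChild = ok` is always true inside the branch, so `userAuth.IsChild = true` says what is meant. A request carrying `account` more than once is silently treated as no impersonation rather than rejected; if that is intentional it deserves a comment too. checkPATFromRequest begins before this hunk.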
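Review bot: The updated "Valid PAT Token accesses child" case pins only the happy path of the new query-parameter handling; the middleware's `len(impersonate) == 1` guard has no test, so a regression that accepts a repeated `account` parameter would go unnoticed. A second case with `path: "/test?account=a&account=b"` (constructed value) expecting `AccountId: accountID` and `IsChild: false` would cover it. TestAuthMiddleware_Handler_Child begins before this hunk.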
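Review bot: Exported `Auditor` has no doc comment, and unlike `NetworkAdmin` it sets no `Permissions` map at all, so which modules an auditor may read is decided entirely by how `RolePermissions` treats unlisted modules, which this diff does not show. If `AutoAllowNew` is consulted for every module absent from `Permissions`, the auditor can read every current and future module, `Users`, `SetupKeys` and `Pats` included, and that is worth stating explicitly: `// Auditor is a read-only role; it lists no modules, so every module, present or added later, is resolved through AutoAllowNew (Read only).` Confirm that against the permission resolver before committing to the wording.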
diff --git a/management/server/permissions/roles/network_admin.go b/management/server/permissions/roles/network_admin.go
new file mode 100644
index 000000000..761933386
--- /dev/null
+++ b/management/server/permissions/roles/network_admin.go
@@ -0,0 +1,91 @@
+package roles
+
+import (
+ "github.com/netbirdio/netbird/management/server/permissions/modules"
+ "github.com/netbirdio/netbird/management/server/permissions/operations"
+ "github.com/netbirdio/netbird/management/server/types"
+)
+
+var NetworkAdmin = RolePermissions{
+ Role: types.UserRoleNetworkAdmin,
+ AutoAllowNew: map[operations.Operation]bool{
+ operations.Read: false,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+ Permissions: Permissions{
+ modules.Networks: {
+ operations.Read: true,
+ operations.Create: true,
+ operations.Update: true,
+ operations.Delete: true,
+ },
+ modules.Groups: {
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+ modules.Settings: {
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+ modules.Accounts: {
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+ modules.Dns: {
+ operations.Read: true,
+ operations.Create: true,
+ operations.Update: true,
+ operations.Delete: true,
+ },
+ modules.Nameservers: {
+ operations.Read: true,
+ operations.Create: true,
+ operations.Update: true,
+ operations.Delete: true,
+ },
+ modules.Events: {
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+ modules.Policies: {
+ operations.Read: true,
+ operations.Create: true,
+ operations.Update: true,
+ operations.Delete: true,
+ },
+ modules.Routes: {
+ operations.Read: true,
+ operations.Create: true,
+ operations.Update: true,
+ operations.Delete: true,
+ },
+ modules.Users: {
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+ modules.SetupKeys: {
+ operations.Read: true,
+ operations.Create: false,
+ operations.Update: false,
+ operations.Delete: false,
+ },
+ modules.Pats: {
+ operations.Read: true,
+ operations.Create: true,
+ operations.Update: true,
+ operations.Delete: true,
+ },
+ },
+}
diff --git a/management/server/permissions/roles/role_permissions.go b/management/server/permissions/roles/role_permissions.go
index dda7e6b99..754e568f5 100644
--- a/management/server/permissions/roles/role_permissions.go
+++ b/management/server/permissions/roles/role_permissions.go
@@ -15,7 +15,9 @@ type RolePermissions struct {
 type Permissions map[modules.Module]map[operations.Operation]bool
 
 var RolesMap = map[types.UserRole]RolePermissions{
- types.UserRoleOwner: Owner,
- types.UserRoleAdmin: Admin,
- types.UserRoleUser: User,
+ types.UserRoleOwner: Owner,
+ types.UserRoleAdmin: Admin,
+ types.UserRoleUser: User,
+ types.UserRoleAuditor: Auditor,
+ types.UserRoleNetworkAdmin: NetworkAdmin,
 }
diff --git a/management/server/types/user.go b/management/server/types/user.go
index f1d00f548..e425f580b 100644
--- a/management/server/types/user.go
+++ b/management/server/types/user.go
@@ -15,6 +15,8 @@ const (
 UserRoleUser UserRole = "user"
 UserRoleUnknown UserRole = "unknown"
 UserRoleBillingAdmin UserRole = "billing_admin"
+ UserRoleAuditor UserRole = "auditor"
+ UserRoleNetworkAdmin UserRole = "network_admin"
 
 UserStatusActive UserStatus = "active"
 UserStatusDisabled UserStatus = "disabled"
@@ -35,6 +37,8 @@ func StrRoleToUserRole(strRole string) UserRole {
 return UserRoleUser
 case "billing_admin":
 return UserRoleBillingAdmin
+ case "auditor":
+ return UserRoleAuditor
 default:
 return UserRoleUnknown
 }
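Review bot: Exported `NetworkAdmin` has no doc comment, and because every `AutoAllowNew` entry is false, any module missing from its `Permissions` map is denied; that deny-by-default intent should be written down so a module added later is not silently unreachable for this role, e.g. `// NetworkAdmin manages networks, DNS, nameservers, policies and routes; modules not listed here are denied (AutoAllowNew is all false).` The `modules.Pats` entry grants create, update and delete while `modules.Users` is read-only; whether PAT operations are scoped to the caller's own tokens is not visible in this diff, so it is worth confirming that a network admin cannot manage tokens belonging to other users before this role ships.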
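Review bot: `StrRoleToUserRole` gains a case for `"auditor"` but none for `"network_admin"`, although `UserRoleNetworkAdmin` is declared in the constant block earlier in this file and registered in `RolesMap` in role_permissions.go, so a stored or submitted role string of `"network_admin"` parses to `UserRoleUnknown`. Add `case "network_admin":` / `return UserRoleNetworkAdmin` before `default:`. The function's opening lines are outside this hunk.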