NET-260 REST API tests #2351

wants to merge 25 commits into from
Changes from 18 commits
fe4cd83
return 401 instead of 403
TobiaszCudnik May 22, 2023
e816a98
fixed http.StatusForbidden
TobiaszCudnik May 24, 2023
e9e2021
Tagged build version (temp)
TobiaszCudnik May 24, 2023
d1ed188
Unauthorized_Err when applicable
TobiaszCudnik May 25, 2023
d062bc2
Merge branch 'develop' into NET-163/403-insteadof-401
TobiaszCudnik May 25, 2023
abdd31b
untagged version
TobiaszCudnik May 25, 2023
dab361d
Merge branch 'develop' into NET-163/403-insteadof-401
TobiaszCudnik May 25, 2023
47543fd
fixed PUT /api/users/networks/user1
TobiaszCudnik May 25, 2023
381bb1d
- expired token redirs to login
TobiaszCudnik May 26, 2023
cec227a
Merge branch 'develop' into NET-152/enrollment-keys-for-non-admins
TobiaszCudnik May 26, 2023
577c696
handle user perms in `/hosts`
TobiaszCudnik May 29, 2023
79810a5
Merge branch 'develop' into NET-152/enrollment-keys-for-non-admins
TobiaszCudnik May 29, 2023
c619373
api test for enrollment keys
TobiaszCudnik May 29, 2023
dc5b373
removed debug
TobiaszCudnik May 29, 2023
ad4efdf
misc
TobiaszCudnik May 29, 2023
8953f41
- support masteradmin
TobiaszCudnik May 30, 2023
7551454
Merge branch 'NET-152/enrollment-keys-for-non-admins' into NET-260/re…
TobiaszCudnik May 30, 2023
4c5845b
- added masteradmin case
TobiaszCudnik May 30, 2023
06ad728
added `ismaster` to middleware
TobiaszCudnik May 30, 2023
cd662a6
Merge branch 'develop' into NET-152/enrollment-keys-for-non-admins
May 30, 2023
9096623
Merge branch 'NET-152/enrollment-keys-for-non-admins' into NET-260/re…
TobiaszCudnik May 30, 2023
908e253
inactive test for 403
TobiaszCudnik May 30, 2023
490902d
added comments
TobiaszCudnik May 31, 2023
14f1f54
Merge branch 'develop' into NET-260/rest-api-tests
May 31, 2023
513445e
Merge branch 'develop' into NET-260/rest-api-tests
Jun 6, 2023
1 change: 1 addition & 0 deletions cli/functions/http_client.go
Expand Up @@ -148,6 +148,7 @@ retry:
if res.StatusCode == http.StatusUnauthorized && !retried && ctx.MasterKey == "" {
req.Header.Set("Authorization", "Bearer "+getAuthToken(ctx, true))
retried = true
// TODO add a retry limit, drop goto
goto retry
}
resBodyBytes, err := io.ReadAll(res.Body)
Expand Down
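Review bot: The new `// TODO add a retry limit, drop goto` overstates the problem: the `!retried` condition on the `if` above already bounds this path to a single re-authentication attempt, so a limit does exist and only the `goto` is the wart. Suggest `// TODO restructure the retry as a loop; !retried already limits this to one attempt`. The enclosing function starts before the hunk.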
33 changes: 27 additions & 6 deletions controllers/enrollmentkeys.go
Expand Up @@ -17,7 +17,7 @@ import (

func enrollmentKeyHandlers(r *mux.Router) {
r.HandleFunc("/api/v1/enrollment-keys", logic.SecurityCheck(true, http.HandlerFunc(createEnrollmentKey))).Methods(http.MethodPost)
r.HandleFunc("/api/v1/enrollment-keys", logic.SecurityCheck(true, http.HandlerFunc(getEnrollmentKeys))).Methods(http.MethodGet)
r.HandleFunc("/api/v1/enrollment-keys", logic.SecurityCheck(false, http.HandlerFunc(getEnrollmentKeys))).Methods(http.MethodGet)
r.HandleFunc("/api/v1/enrollment-keys/{keyID}", logic.SecurityCheck(true, http.HandlerFunc(deleteEnrollmentKey))).Methods(http.MethodDelete)
r.HandleFunc("/api/v1/host/register/{token}", http.HandlerFunc(handleHostRegister)).Methods(http.MethodPost)
}
Expand All @@ -34,24 +34,45 @@ func enrollmentKeyHandlers(r *mux.Router) {
// Responses:
// 200: getEnrollmentKeysSlice
func getEnrollmentKeys(w http.ResponseWriter, r *http.Request) {
currentKeys, err := logic.GetAllEnrollmentKeys()
keys, err := logic.GetAllEnrollmentKeys()
if err != nil {
logger.Log(0, r.Header.Get("user"), "failed to fetch enrollment keys: ", err.Error())
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
for i := range currentKeys {
currentKey := currentKeys[i]
if err = logic.Tokenize(currentKey, servercfg.GetAPIHost()); err != nil {
// handle masteradmin non-logged-in user
// TODO unify the user flow
headerNetworks, err := getHeaderNetworks(r)
if err != nil {
logger.Log(0, r.Header.Get("user"), "failed to parse networks: ", err.Error())
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
isMasterAdmin := len(headerNetworks) > 0 && headerNetworks[0] == logic.ALL_NETWORK_ACCESS
// regular user flow
user, err := logic.GetUser(r.Header.Get("user"))
if err != nil && !isMasterAdmin {
logger.Log(0, r.Header.Get("user"), "failed to fetch user: ", err.Error())
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
// TODO drop double pointer
ret := []*models.EnrollmentKey{}
for _, key := range keys {
if !isMasterAdmin && !logic.UserHasNetworksAccess(key.Networks, user) {
continue
}
if err = logic.Tokenize(key, servercfg.GetAPIHost()); err != nil {
logger.Log(0, r.Header.Get("user"), "failed to get token values for keys:", err.Error())
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
ret = append(ret, key)
}
// return JSON/API formatted keys
logger.Log(2, r.Header.Get("user"), "fetched enrollment keys")
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(currentKeys)
json.NewEncoder(w).Encode(ret)
}

// swagger:route DELETE /api/v1/enrollment-keys/{keyID} enrollmentKeys deleteEnrollmentKey
Expand Down
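Review bot: The master-admin decision at `isMasterAdmin := len(headerNetworks) > 0 && headerNetworks[0] == logic.ALL_NETWORK_ACCESS` trusts the request's `networks` header, so it is only sound if `logic.SecurityCheck` (outside this diff) always overwrites that header after verifying the token rather than letting a client-supplied value through; that should be confirmed, since the same check now gates the non-admin listing in controllers/hosts.go. A dedicated marker set by the middleware (commit 06ad728 in the commit list mentions adding `ismaster`, but its diff is not part of this view) would make the intent explicit and keep the two handlers from re-deriving it from a network list. Separately, a `GetUser` failure for a non-master caller is reported as `"internal"` (presumably a 500); for an unknown user a 401 with `logic.Unauthorized_Msg`, consistent with the `allowUsers` change in controllers/server.go, would describe the situation more accurately.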
43 changes: 40 additions & 3 deletions controllers/hosts.go
Expand Up @@ -19,7 +19,7 @@ import (
)

func hostHandlers(r *mux.Router) {
r.HandleFunc("/api/hosts", logic.SecurityCheck(true, http.HandlerFunc(getHosts))).Methods(http.MethodGet)
r.HandleFunc("/api/hosts", logic.SecurityCheck(false, http.HandlerFunc(getHosts))).Methods(http.MethodGet)
r.HandleFunc("/api/hosts/keys", logic.SecurityCheck(true, http.HandlerFunc(updateAllKeys))).Methods(http.MethodPut)
r.HandleFunc("/api/hosts/{hostid}/keys", logic.SecurityCheck(true, http.HandlerFunc(updateKeys))).Methods(http.MethodPut)
r.HandleFunc("/api/hosts/{hostid}", logic.SecurityCheck(true, http.HandlerFunc(updateHost))).Methods(http.MethodPut)
Expand Down Expand Up @@ -52,12 +52,49 @@ func getHosts(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
// handle masteradmin non-logged-in user
// TODO unify the user flow
headerNetworks, err := getHeaderNetworks(r)
if err != nil {
logger.Log(0, r.Header.Get("user"), "failed to parse networks: ", err.Error())
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
isMasterAdmin := len(headerNetworks) > 0 && headerNetworks[0] == logic.ALL_NETWORK_ACCESS
user, err := logic.GetUser(r.Header.Get("user"))
if err != nil && !isMasterAdmin {
logger.Log(0, r.Header.Get("user"), "failed to fetch user: ", err.Error())
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
// return JSON/API formatted hosts
ret := []models.ApiHost{}
apiHosts := logic.GetAllHostsAPI(currentHosts[:])
logger.Log(2, r.Header.Get("user"), "fetched all hosts")
logic.SortApiHosts(apiHosts[:])
for _, host := range apiHosts {
nodes := host.Nodes
// work on the copy
host.Nodes = []string{}
for _, nid := range nodes {
node, err := logic.GetNodeByID(nid)
if err != nil {
logger.Log(0, r.Header.Get("user"), "failed to fetch node: ", err.Error())
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
if !isMasterAdmin && !logic.UserHasNetworksAccess([]string{node.Network}, user) {
continue
}
host.Nodes = append(host.Nodes, nid)
}
// add to the response only if has perms to some nodes / networks
if len(host.Nodes) > 0 {
ret = append(ret, host)
}
}
logic.SortApiHosts(ret[:])
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(apiHosts)
json.NewEncoder(w).Encode(ret)
}

// swagger:route GET /api/v1/host pull pullHost
Expand Down
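Review bot: The `if len(host.Nodes) > 0` filter at the end of the loop drops every host that has no nodes, for master admins and admins as well as regular users, whereas before this change `getHosts` returned all of `apiHosts`; a freshly registered host that has not joined a network would therefore disappear from the admin listing. Suggest `if isMasterAdmin || user.IsAdmin || len(host.Nodes) > 0 {`, or skip the filtering loop entirely for admins, which also avoids one `logic.GetNodeByID` DB lookup per node on every request (and the 500 that any single stale node ID now produces for everyone). The first `logic.SortApiHosts(apiHosts[:])` is redundant now that `ret` is sorted after the loop. The function starts before the hunk.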
5 changes: 1 addition & 4 deletions controllers/network.go
Expand Up @@ -40,10 +40,7 @@ func networkHandlers(r *mux.Router) {
// Responses:
// 200: getNetworksSliceResponse
func getNetworks(w http.ResponseWriter, r *http.Request) {

headerNetworks := r.Header.Get("networks")
networksSlice := []string{}
marshalErr := json.Unmarshal([]byte(headerNetworks), &networksSlice)
networksSlice, marshalErr := getHeaderNetworks(r)
if marshalErr != nil {
logger.Log(0, r.Header.Get("user"), "error unmarshalling networks: ",
marshalErr.Error())
Expand Down
2 changes: 1 addition & 1 deletion controllers/server.go
Expand Up @@ -56,7 +56,7 @@ func getStatus(w http.ResponseWriter, r *http.Request) {
func allowUsers(next http.Handler) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
var errorResponse = models.ErrorResponse{
Code: http.StatusInternalServerError, Message: logic.Forbidden_Msg,
Code: http.StatusUnauthorized, Message: logic.Unauthorized_Msg,
}
bearerToken := r.Header.Get("Authorization")
var tokenSplit = strings.Split(bearerToken, " ")
Expand Down
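Review bot: Returning `http.StatusUnauthorized` from `allowUsers` is the right code for a missing or invalid bearer token, but RFC 7235 expects a 401 response to carry a `WWW-Authenticate` header (here `WWW-Authenticate: Bearer`); the response is written further down, outside the hunk, so check whether that header is set where `errorResponse` is emitted. The `allowUsers` body continues past the hunk.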
13 changes: 12 additions & 1 deletion controllers/user.go
Expand Up @@ -290,7 +290,7 @@ func updateUserNetworks(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
var userChange *models.User
userChange := &models.User{}
// we decode our body request params
err = json.NewDecoder(r.Body).Decode(userChange)
if err != nil {
Expand Down Expand Up @@ -491,3 +491,14 @@ func socketHandler(w http.ResponseWriter, r *http.Request) {
// Start handling the session
go auth.SessionHandler(conn)
}

// getHeaderNetworks returns a slice of networks parsed form the request header.
func getHeaderNetworks(r *http.Request) ([]string, error) {
headerNetworks := r.Header.Get("networks")
networksSlice := []string{}
err := json.Unmarshal([]byte(headerNetworks), &networksSlice)
if err != nil {
return nil, err
}
return networksSlice, nil
}
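Review bot: `getHeaderNetworks` turns an absent `networks` header into a JSON error (`json.Unmarshal` of an empty string fails), which the new callers in controllers/enrollmentkeys.go and controllers/hosts.go report as an internal error; if the middleware can leave the header unset for some callers, a guard such as `if headerNetworks == "" { return nil, nil }` (or an explicit error naming the header) would make that case deliberate rather than a 500. The doc comment also has a typo: `parsed form the request header` should read `parsed from the request header`.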
12 changes: 11 additions & 1 deletion database/sqlite.go
Expand Up @@ -10,7 +10,17 @@ import (
)

// == sqlite ==
const dbFilename = "netmaker.db"
var dbFilename = "netmaker.db"

func init() {
for _, p := range os.Args {
// use a different DB for testing
if p == "-test.v" {
dbFilename = "netmaker-test.db"
return
}
}
}

// SqliteDB is the db object for sqlite database connections
var SqliteDB *sql.DB
Expand Down
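Review bot: The `init()` test detection compares `os.Args` entries against the exact string `"-test.v"`, but if the go tool passes verbosity to the test binary as `-test.v=true` (as recent releases do), the comparison never matches, and plain `go test` without `-v` passes no such flag at all, so test runs are likely to land on the production `netmaker.db` anyway. Selecting the database file from argv in `init()` also means any binary started with that literal argument silently switches files. A more reliable and explicit switch is `testing.Testing()` (Go 1.21+) or an environment variable read where the DB is opened, e.g. `if f := os.Getenv("NETMAKER_DB_FILE"); f != "" { dbFilename = f }` (variable name constructed for illustration).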
15 changes: 15 additions & 0 deletions logic/enrollmentkey.go
Expand Up @@ -5,6 +5,7 @@ import (
"encoding/json"
"errors"
"fmt"
"golang.org/x/exp/slices"
"time"

"github.com/gravitl/netmaker/database"
Expand Down Expand Up @@ -68,6 +69,7 @@ func CreateEnrollmentKey(uses int, expiration time.Time, networks, tags []string
}

// GetAllEnrollmentKeys - fetches all enrollment keys from DB
// TODO drop double pointer
func GetAllEnrollmentKeys() ([]*models.EnrollmentKey, error) {
currentKeys, err := getEnrollmentKeysMap()
if err != nil {
Expand Down Expand Up @@ -222,3 +224,16 @@ func getEnrollmentKeysMap() (map[string]*models.EnrollmentKey, error) {
}
return currentKeys, nil
}

// UserHasNetworksAccess - checks if a user `u` has access to all `networks`
func UserHasNetworksAccess(networks []string, u *models.User) bool {
if u.IsAdmin {
return true
}
for _, n := range networks {
if !slices.Contains(u.Networks, n) {
return false
}
}
return true
}
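Review bot: `UserHasNetworksAccess` returns true for an empty `networks` slice regardless of the user (the loop body never runs), so in `getEnrollmentKeys` in controllers/enrollmentkeys.go a non-admin user is handed the tokenized value of every enrollment key that has no network scope; if such keys exist, that is broader than the "user has access to the key's networks" rule the function is meant to enforce. Either document the vacuous case in the doc comment (`// an empty networks list is accessible to every user`) or, if unscoped keys are admin-only, add `if len(networks) == 0 { return u.IsAdmin }` before the loop and cover it in TestHasNetworksAccess, which currently has no empty-`n` case. A nil `u` panics on `u.IsAdmin`; the callers avoid this only through the `isMasterAdmin` short-circuit, which is worth a sentence in the doc comment. The `golang.org/x/exp/slices` import is placed inside the stdlib import group; it belongs in a separate group, or use the stdlib `slices` package if go.mod targets Go 1.21+.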
74 changes: 74 additions & 0 deletions logic/enrollmentkey_test.go
Expand Up @@ -204,3 +204,77 @@ func TestDeTokenize_EnrollmentKeys(t *testing.T) {

removeAllEnrollments()
}

func TestHasNetworksAccess(t *testing.T) {
type Case struct {
// network names
n []string
u models.User
}
pass := []Case{
{
n: []string{"n1", "n2"},
u: models.User{
Networks: []string{"n1", "n2"},
IsAdmin: false,
},
},
{
n: []string{"n1", "n2"},
u: models.User{
Networks: []string{},
IsAdmin: true,
},
},
{
n: []string{"n1", "n2"},
u: models.User{
Networks: []string{"n1", "n2", "n3"},
IsAdmin: false,
},
},
{
n: []string{"n2"},
u: models.User{
Networks: []string{"n2"},
IsAdmin: false,
},
},
}
deny := []Case{
{
n: []string{"n1", "n2"},
u: models.User{
Networks: []string{"n2"},
IsAdmin: false,
},
},
{
n: []string{"n1", "n2"},
u: models.User{
Networks: []string{},
IsAdmin: false,
},
},
{
n: []string{"n1", "n2"},
u: models.User{
Networks: []string{"n3"},
IsAdmin: false,
},
},
{
n: []string{"n2"},
u: models.User{
Networks: []string{"n1"},
IsAdmin: false,
},
},
}
for _, tc := range pass {
assert.True(t, UserHasNetworksAccess(tc.n, &tc.u))
}
for _, tc := range deny {
assert.False(t, UserHasNetworksAccess(tc.n, &tc.u))
}
}
1 change: 1 addition & 0 deletions logic/security.go
Expand Up @@ -147,6 +147,7 @@ func UserPermissions(reqAdmin bool, netname string, token string) ([]string, str
}
//all endpoints here require master so not as complicated
if authenticateMaster(authToken) {
// TODO log in as an actual admin user
return []string{ALL_NETWORK_ACCESS}, master_uname, nil
}
username, networks, isadmin, err := VerifyUserToken(authToken)
Expand Down
1 change: 1 addition & 0 deletions logic/users.go
Expand Up @@ -12,6 +12,7 @@ import (
)

// GetUser - gets a user
// TODO support "masteradmin"
func GetUser(username string) (*models.User, error) {

var user models.User
Expand Down