NET-260 REST API tests

cli/functions/http_client.go

@@ -148,6 +148,7 @@ retry:
 	if res.StatusCode == http.StatusUnauthorized && !retried && ctx.MasterKey == "" {
 		req.Header.Set("Authorization", "Bearer "+getAuthToken(ctx, true))
 		retried = true
+		// TODO add a retry limit, drop goto
 		goto retry
 	}
 	resBodyBytes, err := io.ReadAll(res.Body)

controllers/enrollmentkeys.go

@@ -17,7 +17,7 @@ import (
 
 func enrollmentKeyHandlers(r *mux.Router) {
 	r.HandleFunc("/api/v1/enrollment-keys", logic.SecurityCheck(true, http.HandlerFunc(createEnrollmentKey))).Methods(http.MethodPost)
-	r.HandleFunc("/api/v1/enrollment-keys", logic.SecurityCheck(true, http.HandlerFunc(getEnrollmentKeys))).Methods(http.MethodGet)
+	r.HandleFunc("/api/v1/enrollment-keys", logic.SecurityCheck(false, http.HandlerFunc(getEnrollmentKeys))).Methods(http.MethodGet)
 	r.HandleFunc("/api/v1/enrollment-keys/{keyID}", logic.SecurityCheck(true, http.HandlerFunc(deleteEnrollmentKey))).Methods(http.MethodDelete)
 	r.HandleFunc("/api/v1/host/register/{token}", http.HandlerFunc(handleHostRegister)).Methods(http.MethodPost)
 }
@@ -34,24 +34,35 @@ func enrollmentKeyHandlers(r *mux.Router) {
 //			Responses:
 //				200: getEnrollmentKeysSlice
 func getEnrollmentKeys(w http.ResponseWriter, r *http.Request) {
-	currentKeys, err := logic.GetAllEnrollmentKeys()
+	user, err := logic.GetUser(r.Header.Get("user"))
+	if err != nil {
+		logger.Log(0, r.Header.Get("user"), "failed to fetch user: ", err.Error())
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	keys, err := logic.GetAllEnrollmentKeys()
+	// TODO drop double pointer
+	accessKeys := []*models.EnrollmentKey{}
 	if err != nil {
 		logger.Log(0, r.Header.Get("user"), "failed to fetch enrollment keys: ", err.Error())
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	for i := range currentKeys {
-		currentKey := currentKeys[i]
-		if err = logic.Tokenize(currentKey, servercfg.GetAPIHost()); err != nil {
+	for _, key := range keys {
+		if !logic.UserHasNetworksAccess(key.Networks, user) {
+			continue
+		}
+		if err = logic.Tokenize(key, servercfg.GetAPIHost()); err != nil {
 			logger.Log(0, r.Header.Get("user"), "failed to get token values for keys:", err.Error())
 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 			return
 		}
+		accessKeys = append(accessKeys, key)
 	}
 	// return JSON/API formatted keys
 	logger.Log(2, r.Header.Get("user"), "fetched enrollment keys")
 	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(currentKeys)
+	json.NewEncoder(w).Encode(accessKeys)
 }
 
 // swagger:route DELETE /api/v1/enrollment-keys/{keyID} enrollmentKeys deleteEnrollmentKey

controllers/hosts.go

@@ -19,7 +19,7 @@ import (
 )
 
 func hostHandlers(r *mux.Router) {
-	r.HandleFunc("/api/hosts", logic.SecurityCheck(true, http.HandlerFunc(getHosts))).Methods(http.MethodGet)
+	r.HandleFunc("/api/hosts", logic.SecurityCheck(false, http.HandlerFunc(getHosts))).Methods(http.MethodGet)
 	r.HandleFunc("/api/hosts/keys", logic.SecurityCheck(true, http.HandlerFunc(updateAllKeys))).Methods(http.MethodPut)
 	r.HandleFunc("/api/hosts/{hostid}/keys", logic.SecurityCheck(true, http.HandlerFunc(updateKeys))).Methods(http.MethodPut)
 	r.HandleFunc("/api/hosts/{hostid}", logic.SecurityCheck(true, http.HandlerFunc(updateHost))).Methods(http.MethodPut)
@@ -52,12 +52,26 @@ func getHosts(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
+	user, err := logic.GetUser(r.Header.Get("user"))
+	if err != nil {
+		logger.Log(0, r.Header.Get("user"), "failed to fetch user: ", err.Error())
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
 	// return JSON/API formatted hosts
+	ret := []models.ApiHost{}
 	apiHosts := logic.GetAllHostsAPI(currentHosts[:])
 	logger.Log(2, r.Header.Get("user"), "fetched all hosts")
-	logic.SortApiHosts(apiHosts[:])
+	for _, host := range apiHosts {
+		networks := logic.GetHostNetworks(host.ID)
+		if !logic.UserHasNetworksAccess(networks, user) {
+			continue
+		}
+		ret = append(ret, host)
+	}
+	logic.SortApiHosts(ret[:])
 	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(apiHosts)
+	json.NewEncoder(w).Encode(ret)
 }
 
 // swagger:route GET /api/v1/host pull pullHost

controllers/server.go

@@ -56,7 +56,7 @@ func getStatus(w http.ResponseWriter, r *http.Request) {
 func allowUsers(next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var errorResponse = models.ErrorResponse{
-			Code: http.StatusInternalServerError, Message: logic.Forbidden_Msg,
+			Code: http.StatusUnauthorized, Message: logic.Unauthorized_Msg,
 		}
 		bearerToken := r.Header.Get("Authorization")
 		var tokenSplit = strings.Split(bearerToken, " ")

controllers/user.go

@@ -290,7 +290,7 @@ func updateUserNetworks(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	var userChange *models.User
+	userChange := &models.User{}
 	// we decode our body request params
 	err = json.NewDecoder(r.Body).Decode(userChange)
 	if err != nil {

database/sqlite.go

@@ -3,14 +3,23 @@ package database
 import (
 	"database/sql"
 	"errors"
+	_ "github.com/mattn/go-sqlite3" // need to blank import this package
 	"os"
 	"path/filepath"
-
-	_ "github.com/mattn/go-sqlite3" // need to blank import this package
 )
 
 // == sqlite ==
-const dbFilename = "netmaker.db"
+var dbFilename = "netmaker.db"
+
+func init() {
+	for _, p := range os.Args {
+		// use a different DB for testing
+		if p == "-test.v" {
+			dbFilename = "netmaker-test.db"
+			return
+		}
+	}
+}
 
 // SqliteDB is the db object for sqlite database connections
 var SqliteDB *sql.DB

logic/enrollmentkey.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"golang.org/x/exp/slices"
 	"time"
 
 	"github.com/gravitl/netmaker/database"
@@ -68,6 +69,7 @@ func CreateEnrollmentKey(uses int, expiration time.Time, networks, tags []string
 }
 
 // GetAllEnrollmentKeys - fetches all enrollment keys from DB
+// TODO drop double pointer
 func GetAllEnrollmentKeys() ([]*models.EnrollmentKey, error) {
 	currentKeys, err := getEnrollmentKeysMap()
 	if err != nil {
@@ -222,3 +224,16 @@ func getEnrollmentKeysMap() (map[string]*models.EnrollmentKey, error) {
 	}
 	return currentKeys, nil
 }
+
+// UserHasNetworksAccess - checks if a user `u` has access to all `networks`
+func UserHasNetworksAccess(networks []string, u *models.User) bool {
+	if u.IsAdmin {
+		return true
+	}
+	for _, n := range networks {
+		if !slices.Contains(u.Networks, n) {
+			return false
+		}
+	}
+	return true
+}

logic/enrollmentkey_test.go

@@ -204,3 +204,77 @@ func TestDeTokenize_EnrollmentKeys(t *testing.T) {
 
 	removeAllEnrollments()
 }
+
+func TestHasNetworksAccess(t *testing.T) {
+	type Case struct {
+		// network names
+		n []string
+		u models.User
+	}
+	pass := []Case{
+		{
+			n: []string{"n1", "n2"},
+			u: models.User{
+				Networks: []string{"n1", "n2"},
+				IsAdmin:  false,
+			},
+		},
+		{
+			n: []string{"n1", "n2"},
+			u: models.User{
+				Networks: []string{},
+				IsAdmin:  true,
+			},
+		},
+		{
+			n: []string{"n1", "n2"},
+			u: models.User{
+				Networks: []string{"n1", "n2", "n3"},
+				IsAdmin:  false,
+			},
+		},
+		{
+			n: []string{"n2"},
+			u: models.User{
+				Networks: []string{"n2"},
+				IsAdmin:  false,
+			},
+		},
+	}
+	deny := []Case{
+		{
+			n: []string{"n1", "n2"},
+			u: models.User{
+				Networks: []string{"n2"},
+				IsAdmin:  false,
+			},
+		},
+		{
+			n: []string{"n1", "n2"},
+			u: models.User{
+				Networks: []string{},
+				IsAdmin:  false,
+			},
+		},
+		{
+			n: []string{"n1", "n2"},
+			u: models.User{
+				Networks: []string{"n3"},
+				IsAdmin:  false,
+			},
+		},
+		{
+			n: []string{"n2"},
+			u: models.User{
+				Networks: []string{"n1"},
+				IsAdmin:  false,
+			},
+		},
+	}
+	for _, tc := range pass {
+		assert.True(t, UserHasNetworksAccess(tc.n, &tc.u))
+	}
+	for _, tc := range deny {
+		assert.False(t, UserHasNetworksAccess(tc.n, &tc.u))
+	}
+}

test/enrollmentkey_test.go

@@ -0,0 +1,110 @@
+//go:build integration
+// +build integration
+
+package test
+
+import (
+	"context"
+	"github.com/gravitl/netmaker/cli/config"
+	"github.com/gravitl/netmaker/cli/functions"
+	controller "github.com/gravitl/netmaker/controllers"
+	"github.com/gravitl/netmaker/database"
+	"github.com/gravitl/netmaker/logic"
+	"github.com/gravitl/netmaker/models"
+	"github.com/gravitl/netmaker/servercfg"
+	"github.com/stretchr/testify/assert"
+	"sync"
+	"testing"
+	"time"
+)
+
+func DBInit() {
+	database.InitializeDatabase()
+	database.DeleteAllRecords(database.USERS_TABLE_NAME)
+	database.DeleteAllRecords(database.NETWORKS_TABLE_NAME)
+	database.DeleteAllRecords(database.NETWORK_USER_TABLE_NAME)
+	database.DeleteAllRecords(database.ENROLLMENT_KEYS_TABLE_NAME)
+	// TODO rest
+}
+
+func TestHasNetworksAccessAPI(t *testing.T) {
+	// setup / teardown (TODO extract)
+	DBInit()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		wg.Wait()
+		defer database.CloseDB()
+	}()
+	var err error
+	port := servercfg.GetAPIPort()
+	userPass := "bar123"
+	user := &models.User{
+		UserName: "foo",
+		Password: userPass,
+		// TODO should be handled in fixtures?
+		Networks: []string{"network-1"},
+		IsAdmin:  false,
+		Groups:   nil,
+	}
+	err = logic.CreateUser(user)
+	if err != nil {
+		t.Error("Error creating a user ", err)
+	}
+	configCtx := config.Context{
+		Endpoint: "http://localhost:" + port,
+		Username: user.UserName,
+		Password: userPass,
+	}
+	config.SetContext("test-ctx-1", configCtx)
+	config.SetCurrentContext("test-ctx-1")
+
+	// fixtures
+	n1 := models.Network{
+		AddressRange:        "10.101.0.0/16",
+		NetID:               "network-1",
+		NodesLastModified:   1685013908,
+		NetworkLastModified: 1684474527,
+		DefaultInterface:    "nm-netmaker",
+		DefaultListenPort:   51821,
+		NodeLimit:           999999999,
+		DefaultPostDown:     "",
+		DefaultKeepalive:    20,
+		AllowManualSignUp:   "no",
+		IsIPv4:              "yes",
+		IsIPv6:              "no",
+		DefaultUDPHolePunch: "no",
+		DefaultMTU:          1280,
+		DefaultACL:          "yes",
+		ProSettings:         nil,
+	}
+	_, err = logic.CreateNetwork(n1)
+	if err != nil {
+		t.Error("Error creating a network ", err)
+	}
+	// copy
+	n2 := n1
+	n2.NetID = "network-2"
+	_, err = logic.CreateNetwork(n2)
+	if err != nil {
+		t.Error("Error creating a network ", err)
+	}
+	k1, _ := logic.CreateEnrollmentKey(0, time.Time{}, []string{n1.NetID}, nil, true)
+	if err = logic.Tokenize(k1, servercfg.GetAPIHost()); err != nil {
+		t.Error("failed to get token values for keys:", err)
+	}
+	_, _ = logic.CreateEnrollmentKey(0, time.Time{}, []string{n2.NetID}, nil, true)
+	_, _ = logic.CreateEnrollmentKey(0, time.Time{}, []string{n1.NetID, n2.NetID}, nil, true)
+
+	go controller.HandleRESTRequests(&wg, ctx)
+	// TODO make sure that HTTP is up
+	time.Sleep(1 * time.Second)
+	keys := *functions.GetEnrollmentKeys()
+
+	assert.Len(t, keys, 1, "1 key expected")
+	assert.Len(t, keys[0].Networks, 1, "Key with 1 network expected")
+	assert.Equal(t, keys[0].Networks[0], n1.NetID, "Network ID matches")
+	assert.Equal(t, keys[0].Token, k1.Token, "Token matches")
+}