remove * on default grp, add admins to admin net groups by default

gravitl · Oct 30, 2024 · 167d29a · 167d29a
1 parent 56d5c85
commit 167d29a
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 4 deletions.
diff --git a/controllers/acls.go b/controllers/acls.go
@@ -28,7 +28,6 @@ func aclHandlers(r *mux.Router) {
 		Methods(http.MethodDelete)
 	r.HandleFunc("/api/v1/acls/debug", logic.SecurityCheck(true, http.HandlerFunc(aclDebug))).
 		Methods(http.MethodGet)
-
 }
 
 // @Summary     List Acl Policy types

diff --git a/logic/acls.go b/logic/acls.go
@@ -183,6 +183,11 @@ func IsAclPolicyValid(acl models.Acl) bool {
 				if err != nil {
 					return false
 				}
+				// check if group belongs to this network
+				netGrps := GetUserGroupsInNetwork(acl.NetworkID)
+				if _, ok := netGrps[models.UserGroupID(srcI.Value)]; !ok {
+					return false
+				}
 			}
 
 		}

diff --git a/logic/user_mgmt.go b/logic/user_mgmt.go
@@ -59,6 +59,8 @@ var IntialiseGroups = func() {}
 var DeleteNetworkRoles = func(netID string) {}
 var CreateDefaultNetworkRolesAndGroups = func(netID models.NetworkID) {}
 var CreateDefaultUserPolicies = func(netID models.NetworkID) {}
+var GetUserGroupsInNetwork = func(netID models.NetworkID) (networkGrps map[models.UserGroupID]models.UserGroup) { return }
+var AddGlobalNetRolesToAdmins = func(u *models.User) {}
 
 // GetRole - fetches role template by id
 func GetRole(roleID models.UserRoleID) (models.UserRolePermissionTemplate, error) {

diff --git a/logic/users.go b/logic/users.go
@@ -62,6 +62,7 @@ func SetUserDefaults(user *models.User) {
 	if len(user.UserGroups) == 0 {
 		user.UserGroups = make(map[models.UserGroupID]struct{})
 	}
+	AddGlobalNetRolesToAdmins(user)
 }
 
 // SortUsers - Sorts slice of Users by username

diff --git a/migrate/migrate.go b/migrate/migrate.go
@@ -398,6 +398,8 @@ func syncUsers() {
 	if err == nil {
 		for _, user := range users {
 			user := user
+			logic.AddGlobalNetRolesToAdmins(&user)
+			logic.UpsertUser(user)
 			if user.PlatformRoleID == models.AdminRole && !user.IsAdmin {
 				user.IsAdmin = true
 				logic.UpsertUser(user)

diff --git a/pro/controllers/users.go b/pro/controllers/users.go
@@ -496,6 +496,10 @@ func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to fetch group details"), "badrequest"))
 		return
 	}
+	if userG.Default {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot delete default user group"), "badrequest"))
+		return
+	}
 	err = proLogic.DeleteUserGroup(models.UserGroupID(gid))
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))

diff --git a/pro/initialize.go b/pro/initialize.go
@@ -138,6 +138,7 @@ func InitPro() {
 	logic.CreateDefaultUserPolicies = proLogic.CreateDefaultUserPolicies
 	logic.MigrateUserRoleAndGroups = proLogic.MigrateUserRoleAndGroups
 	logic.IntialiseGroups = proLogic.UserGroupsInit
+	logic.AddGlobalNetRolesToAdmins = proLogic.AddGlobalNetRolesToAdmins
 }
 
 func retrieveProLogo() string {

diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
@@ -97,7 +97,7 @@ func UserGroupsInit() {
 		Name:    "All Networks User Group",
 		Default: true,
 		NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
-			models.NetworkID("*"): {
+			models.NetworkID(models.AllNetworks): {
 				models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)): {},
 			},
 		},
@@ -1156,7 +1156,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 				},
 				{
 					ID:    models.UserGroupAclID,
-					Value: "global-network-admin-grp",
+					Value: fmt.Sprintf("global-%s-grp", models.NetworkAdmin),
 				},
 			},
 			Dst: []models.AclPolicyTag{
@@ -1187,7 +1187,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 				},
 				{
 					ID:    models.UserGroupAclID,
-					Value: "global-network-user-grp",
+					Value: fmt.Sprintf("global-%s-grp", models.NetworkUser),
 				},
 			},
 
@@ -1205,3 +1205,28 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 	}
 
 }
+
+func GetUserGroupsInNetwork(netID models.NetworkID) (networkGrps map[models.UserGroupID]models.UserGroup) {
+	groups, _ := ListUserGroups()
+	networkGrps = make(map[models.UserGroupID]models.UserGroup)
+	for _, grp := range groups {
+		if _, ok := grp.NetworkRoles[models.AllNetworks]; ok {
+			networkGrps[grp.ID] = grp
+			continue
+		}
+		if _, ok := grp.NetworkRoles[netID]; ok {
+			networkGrps[grp.ID] = grp
+		}
+	}
+	return
+}
+
+func AddGlobalNetRolesToAdmins(u *models.User) {
+	if u.PlatformRoleID != models.SuperAdminRole && u.PlatformRoleID != models.AdminRole {
+		return
+	}
+	if u.UserGroups == nil {
+		u.UserGroups = make(map[models.UserGroupID]struct{})
+	}
+	u.UserGroups[models.UserGroupID(fmt.Sprintf("global-%s-grp", models.NetworkAdmin))] = struct{}{}
+}