fix REST API permission checks (#209)

internal/app/wireguard/wireguard.go

@@ -47,7 +47,8 @@ func (m Manager) handleUserCreationEvent(user *domain.User) {
 	logrus.Errorf("handling new user event for %s", user.Identifier)
 
 	if m.cfg.Core.CreateDefaultPeer {
-		err := m.CreateDefaultPeer(context.Background(), user)
+		ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo())
+		err := m.CreateDefaultPeer(ctx, user)
 		if err != nil {
 			logrus.Errorf("failed to create default peer for %s: %v", user.Identifier, err)
 			return

internal/app/wireguard/wireguard_interfaces.go

@@ -13,6 +13,10 @@ import (
 )
 
 func (m Manager) GetImportableInterfaces(ctx context.Context) ([]domain.PhysicalInterface, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, err
+	}
+
 	physicalInterfaces, err := m.wg.GetInterfaces(ctx)
 	if err != nil {
 		return nil, err
@@ -22,14 +26,26 @@ func (m Manager) GetImportableInterfaces(ctx context.Context) ([]domain.Physical
 }
 
 func (m Manager) GetInterfaceAndPeers(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Interface, []domain.Peer, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, nil, err
+	}
+
 	return m.db.GetInterfaceAndPeers(ctx, id)
 }
 
 func (m Manager) GetAllInterfaces(ctx context.Context) ([]domain.Interface, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, err
+	}
+
 	return m.db.GetAllInterfaces(ctx)
 }
 
 func (m Manager) GetAllInterfacesAndPeers(ctx context.Context) ([]domain.Interface, [][]domain.Peer, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, nil, err
+	}
+
 	interfaces, err := m.db.GetAllInterfaces(ctx)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to load all interfaces: %w", err)
@@ -48,6 +64,10 @@ func (m Manager) GetAllInterfacesAndPeers(ctx context.Context) ([]domain.Interfa
 }
 
 func (m Manager) ImportNewInterfaces(ctx context.Context, filter ...domain.InterfaceIdentifier) (int, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return 0, err
+	}
+
 	physicalInterfaces, err := m.wg.GetInterfaces(ctx)
 	if err != nil {
 		return 0, err
@@ -95,6 +115,10 @@ func (m Manager) ImportNewInterfaces(ctx context.Context, filter ...domain.Inter
 }
 
 func (m Manager) ApplyPeerDefaults(ctx context.Context, in *domain.Interface) error {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return err
+	}
+
 	existingInterface, err := m.db.GetInterface(ctx, in.Identifier)
 	if err != nil {
 		return fmt.Errorf("unable to load existing interface %s: %w", in.Identifier, err)
@@ -122,6 +146,10 @@ func (m Manager) ApplyPeerDefaults(ctx context.Context, in *domain.Interface) er
 }
 
 func (m Manager) RestoreInterfaceState(ctx context.Context, updateDbOnError bool, filter ...domain.InterfaceIdentifier) error {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return err
+	}
+
 	interfaces, err := m.db.GetAllInterfaces(ctx)
 	if err != nil {
 		return err
@@ -201,6 +229,10 @@ func (m Manager) RestoreInterfaceState(ctx context.Context, updateDbOnError bool
 }
 
 func (m Manager) PrepareInterface(ctx context.Context) (*domain.Interface, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, err
+	}
+
 	currentUser := domain.GetUserInfo(ctx)
 
 	kp, err := domain.NewFreshKeypair()
@@ -277,6 +309,10 @@ func (m Manager) PrepareInterface(ctx context.Context) (*domain.Interface, error
 }
 
 func (m Manager) CreateInterface(ctx context.Context, in *domain.Interface) (*domain.Interface, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, err
+	}
+
 	existingInterface, err := m.db.GetInterface(ctx, in.Identifier)
 	if err != nil && !errors.Is(err, domain.ErrNotFound) {
 		return nil, fmt.Errorf("unable to load existing interface %s: %w", in.Identifier, err)
@@ -298,6 +334,10 @@ func (m Manager) CreateInterface(ctx context.Context, in *domain.Interface) (*do
 }
 
 func (m Manager) UpdateInterface(ctx context.Context, in *domain.Interface) (*domain.Interface, []domain.Peer, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, nil, err
+	}
+
 	existingInterface, existingPeers, err := m.db.GetInterfaceAndPeers(ctx, in.Identifier)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to load existing interface %s: %w", in.Identifier, err)
@@ -316,6 +356,10 @@ func (m Manager) UpdateInterface(ctx context.Context, in *domain.Interface) (*do
 }
 
 func (m Manager) DeleteInterface(ctx context.Context, id domain.InterfaceIdentifier) error {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return err
+	}
+
 	existingInterface, err := m.db.GetInterface(ctx, id)
 	if err != nil {
 		return fmt.Errorf("unable to find interface %s: %w", id, err)

internal/app/wireguard/wireguard_peers.go

@@ -12,6 +12,10 @@ import (
 )
 
 func (m Manager) CreateDefaultPeer(ctx context.Context, user *domain.User) error {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return err
+	}
+
 	existingInterfaces, err := m.db.GetAllInterfaces(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to fetch all interfaces: %w", err)
@@ -49,10 +53,18 @@ func (m Manager) CreateDefaultPeer(ctx context.Context, user *domain.User) error
 }
 
 func (m Manager) GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error) {
+	if err := domain.ValidateUserAccessRights(ctx, id); err != nil {
+		return nil, err
+	}
+
 	return m.db.GetUserPeers(ctx, id)
 }
 
 func (m Manager) PreparePeer(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Peer, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, err // TODO: self provisioning?
+	}
+
 	currentUser := domain.GetUserInfo(ctx)
 
 	iface, err := m.db.GetInterface(ctx, id)
@@ -128,10 +140,18 @@ func (m Manager) GetPeer(ctx context.Context, id domain.PeerIdentifier) (*domain
 		return nil, fmt.Errorf("unable to find peer %s: %w", id, err)
 	}
 
+	if err := domain.ValidateUserAccessRights(ctx, peer.UserIdentifier); err != nil {
+		return nil, err
+	}
+
 	return peer, nil
 }
 
 func (m Manager) CreatePeer(ctx context.Context, peer *domain.Peer) (*domain.Peer, error) {
+	if err := domain.ValidateUserAccessRights(ctx, peer.UserIdentifier); err != nil {
+		return nil, err
+	}
+
 	existingPeer, err := m.db.GetPeer(ctx, peer.Identifier)
 	if err != nil && !errors.Is(err, domain.ErrNotFound) {
 		return nil, fmt.Errorf("unable to load existing peer %s: %w", peer.Identifier, err)
@@ -153,6 +173,10 @@ func (m Manager) CreatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 }
 
 func (m Manager) CreateMultiplePeers(ctx context.Context, interfaceId domain.InterfaceIdentifier, r *domain.PeerCreationRequest) ([]domain.Peer, error) {
+	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
+		return nil, err
+	}
+
 	var newPeers []*domain.Peer
 
 	for _, id := range r.UserIdentifiers {
@@ -192,6 +216,10 @@ func (m Manager) UpdatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 		return nil, fmt.Errorf("unable to load existing peer %s: %w", peer.Identifier, err)
 	}
 
+	if err := domain.ValidateUserAccessRights(ctx, existingPeer.UserIdentifier); err != nil {
+		return nil, err
+	}
+
 	if err := m.validatePeerModifications(ctx, existingPeer, peer); err != nil {
 		return nil, fmt.Errorf("update not allowed: %w", err)
 	}
@@ -210,6 +238,10 @@ func (m Manager) DeletePeer(ctx context.Context, id domain.PeerIdentifier) error
 		return fmt.Errorf("unable to find peer %s: %w", id, err)
 	}
 
+	if err := domain.ValidateUserAccessRights(ctx, peer.UserIdentifier); err != nil {
+		return err
+	}
+
 	err = m.wg.DeletePeer(ctx, peer.InterfaceIdentifier, id)
 	if err != nil {
 		return fmt.Errorf("wireguard failed to delete peer %s: %w", id, err)
@@ -231,6 +263,10 @@ func (m Manager) GetPeerStats(ctx context.Context, id domain.InterfaceIdentifier
 
 	peerIds := make([]domain.PeerIdentifier, len(peers))
 	for i, peer := range peers {
+		if err := domain.ValidateUserAccessRights(ctx, peer.UserIdentifier); err != nil {
+			return nil, err
+		}
+
 		peerIds[i] = peer.Identifier
 	}
 
@@ -238,6 +274,10 @@ func (m Manager) GetPeerStats(ctx context.Context, id domain.InterfaceIdentifier
 }
 
 func (m Manager) GetUserPeerStats(ctx context.Context, id domain.UserIdentifier) ([]domain.PeerStatus, error) {
+	if err := domain.ValidateUserAccessRights(ctx, id); err != nil {
+		return nil, err
+	}
+
 	peers, err := m.db.GetUserPeers(ctx, id)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch peers for user %s: %w", id, err)