Seperated template management and creation from Admin only. Created new

panel for "Creators"

Author: MaxwellCaron

internal/api/auth/auth_service.go

@@ -70,6 +70,24 @@ func (s *AuthService) IsAdmin(username string) (bool, error) {
 	return false, nil
 }
 
+func (s *AuthService) IsCreator(username string) (bool, error) {
+	// Get user's groups from Proxmox
+	userGroups, err := s.proxmoxService.GetUserGroups(username)
+	if err != nil {
+		return false, fmt.Errorf("failed to get user groups: %w", err)
+	}
+
+	// Get the creator group name from config
+	creatorGroupName := s.proxmoxService.Config.CreatorGroupName
+
+	// Check if user is in the creator group
+	if slices.Contains(userGroups, creatorGroupName) {
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func (s *AuthService) HealthCheck() error {
 	return s.ldapService.HealthCheck()
 }

internal/api/auth/types.go

@@ -13,6 +13,7 @@ type Service interface {
 	// Authentication
 	Authenticate(username, password string) (bool, error)
 	IsAdmin(username string) (bool, error)
+	IsCreator(username string) (bool, error)
 
 	// Health and Connection
 	HealthCheck() error

internal/api/handlers/auth_handler.go

@@ -48,6 +48,11 @@ func NewAuthHandler() (*AuthHandler, error) {
 	}, nil
 }
 
+// GetAuthService returns the auth service for use in middleware
+func (h *AuthHandler) GetAuthService() auth.Service {
+	return h.authService
+}
+
 // LoginHandler handles the login POST request
 func (h *AuthHandler) LoginHandler(c *gin.Context) {
 	var req UsernamePasswordRequest
@@ -80,15 +85,24 @@ func (h *AuthHandler) LoginHandler(c *gin.Context) {
 	}
 	session.Set("isAdmin", isAdmin)
 
+	// Check if user is creator
+	isCreator, err := h.authService.IsCreator(req.Username)
+	if err != nil {
+		log.Printf("Error checking creator status for user %s: %v", req.Username, err)
+		isCreator = false
+	}
+	session.Set("isCreator", isCreator)
+
 	if err := session.Save(); err != nil {
 		log.Printf("Failed to save session for user %s: %v", req.Username, err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to save session"})
 		return
 	}
 
 	c.JSON(http.StatusOK, gin.H{
-		"message": "Login successful",
-		"isAdmin": isAdmin,
+		"message":   "Login successful",
+		"isAdmin":   isAdmin,
+		"isCreator": isCreator,
 	})
 }
 
@@ -113,17 +127,24 @@ func (h *AuthHandler) SessionHandler(c *gin.Context) {
 	// Since this is under private routes, AuthRequired middleware ensures session exists
 	id := session.Get("id")
 	isAdmin := session.Get("isAdmin")
+	isCreator := session.Get("isCreator")
 
-	// Convert isAdmin to bool, defaulting to false if not set
+	// Convert to bool, defaulting to false if not set
 	adminStatus := false
 	if isAdmin != nil {
 		adminStatus = isAdmin.(bool)
 	}
 
+	creatorStatus := false
+	if isCreator != nil {
+		creatorStatus = isCreator.(bool)
+	}
+
 	c.JSON(http.StatusOK, gin.H{
 		"authenticated": true,
 		"username":      id.(string),
 		"isAdmin":       adminStatus,
+		"isCreator":     creatorStatus,
 	})
 }
 

internal/api/middleware/authorization.go

@@ -1,8 +1,10 @@
 package middleware
 
 import (
+	"log"
 	"net/http"
 
+	"github.com/cpp-cyber/proclone/internal/api/auth"
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
 )
@@ -19,23 +21,75 @@ func AuthRequired(c *gin.Context) {
 	c.Next()
 }
 
-func AdminRequired(c *gin.Context) {
-	session := sessions.Default(c)
-	id := session.Get("id")
-	if id == nil {
-		c.String(http.StatusUnauthorized, "Unauthorized")
-		c.Abort()
-		return
-	}
+func AdminRequired(authService auth.Service) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		session := sessions.Default(c)
+		id := session.Get("id")
+		if id == nil {
+			c.String(http.StatusUnauthorized, "Unauthorized")
+			c.Abort()
+			return
+		}
 
-	isAdmin := session.Get("isAdmin")
-	if isAdmin == nil || !isAdmin.(bool) {
-		c.String(http.StatusForbidden, "Admin access required")
-		c.Abort()
-		return
+		username := id.(string)
+
+		// Verify with Proxmox
+		isAdmin, err := authService.IsAdmin(username)
+		if err != nil {
+			log.Printf("Error verifying admin status for user %s: %v", username, err)
+			c.String(http.StatusInternalServerError, "Failed to verify permissions")
+			c.Abort()
+			return
+		}
+
+		if !isAdmin {
+			c.String(http.StatusForbidden, "Admin access required")
+			c.Abort()
+			return
+		}
+
+		c.Next()
 	}
+}
 
-	c.Next()
+// CreatorOrAdminRequired provides authorization middleware for template operations
+func CreatorOrAdminRequired(authService auth.Service) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		session := sessions.Default(c)
+		id := session.Get("id")
+		if id == nil {
+			c.String(http.StatusUnauthorized, "Unauthorized")
+			c.Abort()
+			return
+		}
+
+		username := id.(string)
+
+		// Verify with Proxmox for template operations
+		isAdmin, err := authService.IsAdmin(username)
+		if err != nil {
+			log.Printf("Error verifying admin status for user %s: %v", username, err)
+			c.String(http.StatusInternalServerError, "Failed to verify permissions")
+			c.Abort()
+			return
+		}
+
+		isCreator, err := authService.IsCreator(username)
+		if err != nil {
+			log.Printf("Error verifying creator status for user %s: %v", username, err)
+			c.String(http.StatusInternalServerError, "Failed to verify permissions")
+			c.Abort()
+			return
+		}
+
+		if !isAdmin && !isCreator {
+			c.String(http.StatusForbidden, "Creator or Admin access required")
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
 }
 
 func GetUser(c *gin.Context) string {

internal/api/routes/admin_routes.go

@@ -5,39 +5,38 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-// registerAdminRoutes defines all routes accessible to admin users
+// registerAdminRoutes defines all routes accessible ONLY to admin users
+// Template operations have been moved to creator routes (accessible by both admins and creators)
 func registerAdminRoutes(g *gin.RouterGroup, authHandler *handlers.AuthHandler, proxmoxHandler *handlers.ProxmoxHandler, cloningHandler *handlers.CloningHandler, dashboardHandler *handlers.DashboardHandler) {
-	// GET Requests
+	// Admin dashboard and cluster management
 	g.GET("/dashboard", dashboardHandler.GetAdminDashboardStatsHandler)
 	g.GET("/cluster", proxmoxHandler.GetClusterResourceUsageHandler)
-	g.GET("/users", proxmoxHandler.GetUsersHandler)
-	g.GET("/groups", proxmoxHandler.GetGroupsHandler)
-	g.GET("/vms", proxmoxHandler.GetVMsHandler)
 	g.GET("/vnets", proxmoxHandler.GetUsedVNetsHandler)
+	g.GET("/vms", proxmoxHandler.GetVMsHandler)
 	g.GET("/pods", cloningHandler.AdminGetPodsHandler)
-	g.GET("/templates", cloningHandler.AdminGetTemplatesHandler)
-	g.GET("/templates/unpublished", cloningHandler.GetUnpublishedTemplatesHandler)
-	g.GET("/templates/vms", proxmoxHandler.GetVMTemplatesHandler)
-	g.GET("/templates/proxmox", proxmoxHandler.GetProxmoxTemplatePoolsHandler)
 
-	// POST Requests
+	// User management (admin only)
+	g.GET("/users", proxmoxHandler.GetUsersHandler)
 	g.POST("/users/create", authHandler.CreateUsersHandler)
 	g.POST("/users/delete", authHandler.DeleteUsersHandler)
 	g.POST("/user/groups", proxmoxHandler.SetUserGroupsHandler)
+
+	// Group management (admin only)
+	g.GET("/groups", proxmoxHandler.GetGroupsHandler)
 	g.POST("/groups/create", proxmoxHandler.CreateGroupsHandler)
 	g.POST("/group/members/add", proxmoxHandler.AddUsersHandler)
 	g.POST("/group/members/remove", proxmoxHandler.RemoveUsersHandler)
 	g.POST("/group/edit", proxmoxHandler.EditGroupHandler)
 	g.POST("/groups/delete", proxmoxHandler.DeleteGroupsHandler)
+
+	// VM management (admin only)
 	g.POST("/vm/start", proxmoxHandler.StartVMHandler)
 	g.POST("/vm/shutdown", proxmoxHandler.ShutdownVMHandler)
 	g.POST("/vm/reboot", proxmoxHandler.RebootVMHandler)
+
+	// Pod management (admin only)
 	g.POST("/pods/delete", cloningHandler.AdminDeletePodHandler)
-	g.POST("/template/publish", cloningHandler.PublishTemplateHandler)
-	g.POST("/template/create", proxmoxHandler.CreateTemplateHandler)
-	g.POST("/template/edit", cloningHandler.EditTemplateHandler)
-	g.POST("/template/delete", cloningHandler.DeleteTemplateHandler)
-	g.POST("/template/visibility", cloningHandler.ToggleTemplateVisibilityHandler)
-	g.POST("/template/image/upload", cloningHandler.UploadTemplateImageHandler)
+
+	// Bulk template deployment (admin only)
 	g.POST("/templates/clone", cloningHandler.AdminCloneTemplateHandler)
 }

internal/api/routes/creator_routes.go

@@ -0,0 +1,23 @@
+package routes
+
+import (
+	"github.com/cpp-cyber/proclone/internal/api/handlers"
+	"github.com/gin-gonic/gin"
+)
+
+// registerCreatorRoutes defines all routes accessible to both creators and admins
+func registerCreatorRoutes(g *gin.RouterGroup, proxmoxHandler *handlers.ProxmoxHandler, cloningHandler *handlers.CloningHandler) {
+	// Template management operations (create, publish, edit, delete)
+	g.POST("/template/publish", cloningHandler.PublishTemplateHandler)
+	g.POST("/template/create", proxmoxHandler.CreateTemplateHandler)
+	g.POST("/template/edit", cloningHandler.EditTemplateHandler)
+	g.POST("/template/delete", cloningHandler.DeleteTemplateHandler)
+	g.POST("/template/visibility", cloningHandler.ToggleTemplateVisibilityHandler)
+	g.POST("/template/image/upload", cloningHandler.UploadTemplateImageHandler)
+
+	// Template viewing operations
+	g.GET("/templates", cloningHandler.AdminGetTemplatesHandler)
+	g.GET("/templates/unpublished", cloningHandler.GetUnpublishedTemplatesHandler)
+	g.GET("/templates/vms", proxmoxHandler.GetVMTemplatesHandler)
+	g.GET("/templates/proxmox", proxmoxHandler.GetProxmoxTemplatePoolsHandler)
+}

internal/api/routes/routes.go

@@ -11,6 +11,9 @@ func RegisterRoutes(r *gin.Engine, authHandler *handlers.AuthHandler, proxmoxHan
 	// Create centralized dashboard handler
 	dashboardHandler := handlers.NewDashboardHandler(authHandler, proxmoxHandler, cloningHandler)
 
+	// Get auth service from handler for middleware
+	authService := authHandler.GetAuthService()
+
 	// Public routes (no authentication required)
 	public := r.Group("/api/v1")
 	registerPublicRoutes(public, authHandler, cloningHandler)
@@ -20,8 +23,15 @@ func RegisterRoutes(r *gin.Engine, authHandler *handlers.AuthHandler, proxmoxHan
 	private.Use(middleware.AuthRequired)
 	registerPrivateRoutes(private, authHandler, cloningHandler, dashboardHandler)
 
+	// Creator routes (authentication + creator OR admin privileges required)
+	// Template management operations accessible to both creators and admins
+	creator := r.Group("/api/v1/creator")
+	creator.Use(middleware.CreatorOrAdminRequired(authService))
+	registerCreatorRoutes(creator, proxmoxHandler, cloningHandler)
+
 	// Admin routes (authentication + admin privileges required)
+	// User/group management and system operations
 	admin := r.Group("/api/v1/admin")
-	admin.Use(middleware.AdminRequired)
+	admin.Use(middleware.AdminRequired(authService))
 	registerAdminRoutes(admin, authHandler, proxmoxHandler, cloningHandler, dashboardHandler)
 }

internal/ldap/users.go

@@ -150,8 +150,8 @@ func extractDomainFromDN(dn string) string {
 
 	for _, part := range parts {
 		part = strings.TrimSpace(part)
-		if strings.HasPrefix(part, "dc=") {
-			domainParts = append(domainParts, strings.TrimPrefix(part, "dc="))
+		if domain, found := strings.CutPrefix(part, "dc="); found {
+			domainParts = append(domainParts, domain)
 		}
 	}
 

internal/proxmox/types.go

@@ -18,7 +18,8 @@ type ProxmoxConfig struct {
 	Realm             string        `envconfig:"PROXMOX_REALM"`
 	NodesStr          string        `envconfig:"PROXMOX_NODES"`
 	StorageID         string        `envconfig:"PROXMOX_STORAGE_ID" default:"local-lvm"`
-	AdminGroupName    string        `envconfig:"PROXMOX_ADMIN_GROUP_NAME" default:"admin"`
+	AdminGroupName    string        `envconfig:"PROXMOX_ADMIN_GROUP_NAME" default:"Admin"`
+	CreatorGroupName  string        `envconfig:"PROXMOX_CREATOR_GROUP_NAME" default:"Creator"`
 	VMTemplatePool    string        `envconfig:"PROXMOX_VM_TEMPLATE_POOL" default:"Templates"`
 	RouterName        string        `envconfig:"PROXMOX_ROUTER_NAME" default:"1-1NAT-vyos"`
 	RouterNode        string        `envconfig:"PROXMOX_ROUTER_NODE"`