Automatic disconnect by same url endpoint connect (#4876)

Signed-off-by: Thomas Quandt <[email protected]>

Author: thquad

src/frontend/packages/core/src/shared/components/list/list-types/endpoint/endpoint-list.helpers.ts

@@ -16,6 +16,7 @@ import {
   ConnectEndpointDialogComponent,
 } from '../../../../../features/endpoints/connect-endpoint-dialog/connect-endpoint-dialog.component';
 import { SessionService } from '../../../../../shared/services/session.service';
+import { UserProfileService } from '../../../../../core/user-profile.service';
 import { SnackBarService } from '../../../../services/snackbar.service';
 import { ConfirmationDialogConfig } from '../../../confirmation-dialog.config';
 import { ConfirmationDialogService } from '../../../confirmation-dialog.service';
@@ -68,6 +69,7 @@ export class EndpointListHelper {
     private confirmDialog: ConfirmationDialogService,
     private snackBarService: SnackBarService,
     private sessionService: SessionService,
+    private userProfileService: UserProfileService
   ) { }
 
   endpointActions(includeSeparators = false): IListAction<EndpointModel>[] {
@@ -137,11 +139,11 @@ export class EndpointListHelper {
         createVisible: (row$: Observable<EndpointModel>) => {
           return combineLatest([
             this.sessionService.userEndpointsNotDisabled(),
-            this.currentUserPermissionsService.can(StratosCurrentUserPermissions.EDIT_ADMIN_ENDPOINT),
+            this.userProfileService.userProfile$,
             row$
           ]).pipe(
-            map(([userEndpointsEnabled, isAdmin, row]) => {
-              if (userEndpointsEnabled && !row.creator.admin && isAdmin) {
+            map(([userEndpointsEnabled, profile, row]) => {
+              if (userEndpointsEnabled && !row.creator.system && profile.userName !== row.creator.name) {
                 // Disable connect for admins if the endpoint was not created by them. Otherwise this could result in an admin connecting to
                 // multiple user endpoints that all have the same url.
                 return false;

src/jetstream/authcnsi.go

@@ -151,18 +151,30 @@ func (p *portalProxy) DoLoginToCNSI(c echo.Context, cnsiGUID string, systemShare
 	}
 
 	// admins are note allowed to connect to user created endpoints
-	if p.GetConfig().UserEndpointsEnabled != config.UserEndpointsConfigEnum.Disabled && len(cnsiRecord.Creator) != 0 {
-		user, err := p.StratosAuthService.GetUser(userID)
+	if p.GetConfig().UserEndpointsEnabled != config.UserEndpointsConfigEnum.Disabled {
+
+		// search for system or personal endpoints and check if they are connected
+		// automatically disconnect other endpoint if already connected to same url
+		cnsiList, err := p.listCNSIByAPIEndpoint(cnsiRecord.APIEndpoint.String())
 		if err != nil {
-			return nil, echo.NewHTTPError(http.StatusUnauthorized, "Can not connect - could not check user")
+			return nil, echo.NewHTTPError(
+				http.StatusBadRequest,
+				"Failed to retrieve list of CNSIs",
+				"Failed to retrieve list of CNSIs: %v", err,
+			)
 		}
 
-		if user.Admin {
-			return nil, echo.NewHTTPError(http.StatusUnauthorized, "Can not connect - admins are not allowed to connect to user created endpoints")
+		for _, cnsi := range cnsiList {
+			if cnsi.Creator == userID || len(cnsi.Creator) == 0 {
+				_, ok := p.GetCNSITokenRecord(cnsi.GUID, userID)
+				if ok {
+					p.ClearCNSIToken(*cnsi, userID)
+				}
+			}
 		}
 
-		if cnsiRecord.Creator != userID {
-			return nil, echo.NewHTTPError(http.StatusUnauthorized, "Can not connect - non-admins are not allowed to connect to endpoints created by other non-admins")
+		if len(cnsiRecord.Creator) != 0 && cnsiRecord.Creator != userID {
+			return nil, echo.NewHTTPError(http.StatusUnauthorized, "Can not connect - users are not allowed to connect to personal endpoints created by other users")
 		}
 	}