
NM-80: Logic to Deprecate Legacy Acls if unused (#3662)

* check and deprecate old acls

* add egress ranges by access to users

* add egress ranges by access to users

* merge v1.1

* resolve merge conflict
Abhishek K 1 day ago
parent
commit
0582b28129
5 changed files with 51 additions and 14 deletions
  1. 12 12
      logic/acls.go
  2. 1 1
      logic/egress.go
  3. 1 0
      logic/settings.go
  4. 36 1
      migrate/migrate.go
  5. 1 0
      models/settings.go

+ 12 - 12
logic/acls.go

@@ -1465,18 +1465,6 @@ func GetDefaultPolicy(netID models.NetworkID, ruleType models.AclPolicyType) (mo
 	return acl, nil
 }
 
-// ListUserPolicies - lists all user policies in a network
-func ListUserPolicies(netID models.NetworkID) []models.Acl {
-	allAcls := ListAcls()
-	userAcls := []models.Acl{}
-	for _, acl := range allAcls {
-		if acl.NetworkID == netID && acl.RuleType == models.UserPolicy {
-			userAcls = append(userAcls, acl)
-		}
-	}
-	return userAcls
-}
-
 // ListAcls - lists all acl policies
 func ListAclsByNetwork(netID models.NetworkID) ([]models.Acl, error) {
 
@@ -1522,6 +1510,18 @@ func ListDevicePolicies(netID models.NetworkID) []models.Acl {
 	return deviceAcls
 }
 
+// ListUserPolicies - lists all user policies in a network
+func ListUserPolicies(netID models.NetworkID) []models.Acl {
+	allAcls := ListAcls()
+	userAcls := []models.Acl{}
+	for _, acl := range allAcls {
+		if acl.NetworkID == netID && acl.RuleType == models.UserPolicy {
+			userAcls = append(userAcls, acl)
+		}
+	}
+	return userAcls
+}
+
 func ConvAclTagToValueMap(acltags []models.AclPolicyTag) map[string]struct{} {
 	aclValueMap := make(map[string]struct{})
 	for _, aclTagI := range acltags {

+ 1 - 1
logic/egress.go

@@ -219,7 +219,7 @@ func AddEgressInfoToPeerByAccess(node, targetNode *models.Node, eli []schema.Egr
 }
 
 func GetEgressDomainsByAccess(user *models.User, network models.NetworkID) (domains []string) {
-	acls, _ := ListAclsByNetwork(network)
+	acls := ListUserPolicies(network)
 	eli, _ := (&schema.Egress{Network: network.String()}).ListByNetwork(db.WithContext(context.TODO()))
 	defaultDevicePolicy, _ := GetDefaultPolicy(network, models.UserPolicy)
 	isDefaultPolicyActive := defaultDevicePolicy.Enabled
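Review bot: The switch to `acls := ListUserPolicies(network)` narrows the set from every policy in the network to user policies only and, unlike `ListAclsByNetwork`, has no error return, so a failed underlying `ListAcls()` lookup (if it can fail) now looks the same as a network with no user policies — the caller gets fewer egress domains rather than an error, which at least fails closed. The next lines still discard the errors of `ListByNetwork` and `GetDefaultPolicy` with `_`, so a missing default policy silently yields `Enabled == false`. Since the function now only deals with user policies, `defaultDevicePolicy` (which holds `GetDefaultPolicy(network, models.UserPolicy)`) would read better as `defaultUserPolicy`. The body of `GetEgressDomainsByAccess` continues outside the hunk.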

+ 1 - 0
logic/settings.go

@@ -145,6 +145,7 @@ func GetServerSettingsFromEnv() (s models.ServerSettings) {
 		DefaultDomain:              servercfg.GetDefaultDomain(),
 		Stun:                       servercfg.IsStunEnabled(),
 		StunServers:                servercfg.GetStunServers(),
+		OldAClsSupport:             false,
 	}
 
 	return
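Review bot: `OldAClsSupport: false` hard-codes the value in `GetServerSettingsFromEnv`, while `migrateSettings` in migrate/migrate.go derives the same setting from `servercfg.IsOldAclEnabled()` when the stored record lacks `old_acl_support`, so the two "from environment" defaults disagree. Every other field in this literal comes from a `servercfg` getter; `OldAClsSupport: servercfg.IsOldAclEnabled(),` would keep one source of truth, and the fresh-install path `logic.UpsertServerSettings(logic.GetServerSettingsFromEnv())` would then honour the environment instead of always writing false. If false is the intended default for new installs, a comment saying so would make the difference from the migration path deliberate.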

+ 36 - 1
migrate/migrate.go

@@ -18,6 +18,7 @@ import (
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/logic/acls"
+	"github.com/gravitl/netmaker/logic/acls/nodeacls"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/mq"
 	"github.com/gravitl/netmaker/schema"
@@ -35,6 +36,7 @@ func Run() {
 	syncUsers()
 	updateHosts()
 	updateNodes()
+	checkAndDeprecateOldAcls()
 	updateAcls()
 	updateNewAcls()
 	logic.MigrateToGws()
@@ -45,6 +47,30 @@ func Run() {
 	deleteOldExtclients()
 }
 
+func checkAndDeprecateOldAcls() {
+	// check if everything is allowed on old acl and disable old acls
+	nets, _ := logic.GetNetworks()
+	disableOldAcls := true
+	for _, netI := range nets {
+		networkACL, err := nodeacls.FetchAllACLs(nodeacls.NetworkID(netI.NetID))
+		if err != nil {
+			continue
+		}
+		for id, aclNode := range networkACL {
+			if !aclNode.IsAllowed(id) {
+				disableOldAcls = false
+			}
+		}
+
+	}
+	if disableOldAcls {
+		settings := logic.GetServerSettings()
+		settings.OldAClsSupport = false
+		logic.UpsertServerSettings(settings)
+	}
+
+}
+
 func updateNetworks() {
 	nets, _ := logic.GetNetworks()
 	for _, netI := range nets {
@@ -445,6 +471,9 @@ func removeInterGw(egressRanges []string) ([]string, bool) {
 
 func updateAcls() {
 	// get all networks
+	if !logic.GetServerSettings().OldAClsSupport {
+		return
+	}
 	networks, err := logic.GetNetworks()
 	if err != nil && !database.IsEmptyRecord(err) {
 		slog.Error("acls migration failed. error getting networks", "error", err)
@@ -822,11 +851,17 @@ func migrateToEgressV1() {
 }
 
 func migrateSettings() {
-	_, err := database.FetchRecord(database.SERVER_SETTINGS, logic.ServerSettingsDBKey)
+	settingsD := make(map[string]interface{})
+	data, err := database.FetchRecord(database.SERVER_SETTINGS, logic.ServerSettingsDBKey)
 	if database.IsEmptyRecord(err) {
 		logic.UpsertServerSettings(logic.GetServerSettingsFromEnv())
+	} else if err == nil {
+		json.Unmarshal([]byte(data), &settingsD)
 	}
 	settings := logic.GetServerSettings()
+	if _, ok := settingsD["old_acl_support"]; !ok {
+		settings.OldAClsSupport = servercfg.IsOldAclEnabled()
+	}
 	if settings.AuditLogsRetentionPeriodInDays == 0 {
 		settings.AuditLogsRetentionPeriodInDays = 7
 	}
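Review bot: `checkAndDeprecateOldAcls` treats every failure as "all allowed": a failed `logic.GetNetworks()` leaves `nets` empty and `disableOldAcls` true, and a `FetchAllACLs` error hits `continue`, so a network whose legacy ACLs could not be read no longer counts against disabling them — and because `updateAcls` now returns early when `OldAClsSupport` is false, any deny rules in those unread ACLs are never carried into the new policies. The inner check `aclNode.IsAllowed(id)` also only tests each node's entry for its own ID; if `nodeacls.ACL` is a map keyed by peer ID, as its use here suggests, the peer-to-peer entries that hold the actual deny rules are never inspected. The rewrite below returns (keeping legacy support on) on any read error or any disallowed entry and walks the peer entries of each node; whether `UpsertServerSettings` returns an error to check is not visible here. In the same section, `migrateSettings` discards the `json.Unmarshal` error and repeats the struct's json tag as the literal `"old_acl_support"`, so a decode failure or a tag rename silently falls back to the env value.
```go
func checkAndDeprecateOldAcls() {
	// Legacy ACLs may be retired only when every peer entry in every network
	// is allowed; any failure to read them keeps legacy support enabled.
	nets, err := logic.GetNetworks()
	if err != nil && !database.IsEmptyRecord(err) {
		slog.Error("old acls check skipped. error getting networks", "error", err)
		return
	}
	for _, netI := range nets {
		networkACL, err := nodeacls.FetchAllACLs(nodeacls.NetworkID(netI.NetID))
		if err != nil {
			slog.Error("old acls check skipped. error fetching acls", "network", netI.NetID, "error", err)
			return
		}
		for _, aclNode := range networkACL {
			// TODO confirm: assumes nodeacls.ACL is a map keyed by peer ID
			for peerID := range aclNode {
				if !aclNode.IsAllowed(peerID) {
					return
				}
			}
		}
	}
	settings := logic.GetServerSettings()
	settings.OldAClsSupport = false
	logic.UpsertServerSettings(settings)
}
```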

+ 1 - 0
models/settings.go

@@ -48,6 +48,7 @@ type ServerSettings struct {
 	Stun                           bool   `json:"stun"`
 	StunServers                    string `json:"stun_servers"`
 	AuditLogsRetentionPeriodInDays int    `json:"audit_logs_retention_period"`
+	OldAClsSupport                 bool   `json:"old_acl_support"`
 }
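Review bot: The new field name `OldAClsSupport` mixes the casing of the initialism (`ACls`), matching neither `Acl` as used in `ListAcls`/`AclPolicyType` nor an all-caps `ACL`; since the field is exported and already referenced from logic/settings.go and migrate/migrate.go, renaming it to `OldAclsSupport` now (json tag `old_acl_support` unchanged) avoids entrenching it. A doc comment such as `// OldAclsSupport keeps the legacy node ACLs active; when false, updateAcls skips migrating them.` would tell readers what the flag gates.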
 
 type UserSettings struct {