
fix default policy check on static node network

abhishek9686 há 10 meses atrás
pai
commit
20302f7701
2 ficheiros alterados com 73 adições e 62 exclusões
  1. 15 13
      logic/acls.go
  2. 58 49
      logic/extpeers.go

+ 15 - 13
logic/acls.go

@@ -441,6 +441,9 @@ func convAclTagToValueMap(acltags []models.AclPolicyTag) map[string]struct{} {
 
 // IsUserAllowedToCommunicate - check if user is allowed to communicate with peer
 func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
+	if peer.IsStatic {
+		peer = peer.StaticNode.ConvertToStaticNode()
+	}
 	acl, _ := GetDefaultPolicy(models.NetworkID(peer.Network), models.UserPolicy)
 	if acl.Enabled {
 		return true
@@ -449,9 +452,7 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
 	if err != nil {
 		return false
 	}
-	if peer.IsStatic {
-		peer = peer.StaticNode.ConvertToStaticNode()
-	}
+
 	policies := listPoliciesOfUser(*user, models.NetworkID(peer.Network))
 	for _, policy := range policies {
 		if !policy.Enabled {
@@ -473,6 +474,12 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
 
 // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer
 func IsNodeAllowedToCommunicate(node, peer models.Node) bool {
+	if node.IsStatic {
+		node = node.StaticNode.ConvertToStaticNode()
+	}
+	if peer.IsStatic {
+		peer = peer.StaticNode.ConvertToStaticNode()
+	}
 	// check default policy if all allowed return true
 	defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 	if err == nil {
@@ -480,12 +487,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node) bool {
 			return true
 		}
 	}
-	if node.IsStatic {
-		node = node.StaticNode.ConvertToStaticNode()
-	}
-	if peer.IsStatic {
-		peer = peer.StaticNode.ConvertToStaticNode()
-	}
+
 	// list device policies
 	policies := listDevicePolicies(models.NetworkID(peer.Network))
 	for _, policy := range policies {
@@ -494,10 +496,10 @@ func IsNodeAllowedToCommunicate(node, peer models.Node) bool {
 		}
 		srcMap := convAclTagToValueMap(policy.Src)
 		dstMap := convAclTagToValueMap(policy.Dst)
-		fmt.Printf("\n======> SRCMAP: %+v\n", srcMap)
-		fmt.Printf("\n======> DSTMAP: %+v\n", dstMap)
-		fmt.Printf("\n======> node Tags: %+v\n", node.Tags)
-		fmt.Printf("\n======> peer Tags: %+v\n", peer.Tags)
+		// fmt.Printf("\n======> SRCMAP: %+v\n", srcMap)
+		// fmt.Printf("\n======> DSTMAP: %+v\n", dstMap)
+		// fmt.Printf("\n======> node Tags: %+v\n", node.Tags)
+		// fmt.Printf("\n======> peer Tags: %+v\n", peer.Tags)
 		for tagID := range node.Tags {
 			if _, ok := dstMap[tagID.String()]; ok {
 				if _, ok := srcMap["*"]; ok {
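Review bot: The default device policy is looked up by `node.Network` (the `GetDefaultPolicy` call at the top of IsNodeAllowedToCommunicate) while the per-policy loop uses `listDevicePolicies(models.NetworkID(peer.Network))`, so now that both static-node conversions happen before either lookup, a node/peer pair whose Network fields differ would be evaluated against two different networks' policies. If callers guarantee both sides are in the same network, make that fail-closed assumption explicit with an early `if node.Network != peer.Network { return false }` (or a comment stating the invariant). The four debug `fmt.Printf` lines that dumped the ACL src/dst maps and tags to stdout are commented out rather than deleted; commented-out debug output tends to get re-enabled, so drop the lines (and the `fmt` import if nothing else in the file uses it). The body of IsNodeAllowedToCommunicate continues past the end of the hunk.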

+ 58 - 49
logic/extpeers.go

@@ -426,64 +426,73 @@ func GetStaticNodeIps(node models.Node) (ips []net.IP) {
 
 func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 	// fetch user access to static clients via policies
-	defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
+	//defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 	defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 	nodes, _ := GetNetworkNodes(node.Network)
 	nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...)
-	if !defaultUserPolicy.Enabled {
-		userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
-		for _, userNodeI := range userNodes {
-			for _, peer := range nodes {
-				if peer.IsUserNode {
-					continue
-				}
-				if IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer) {
-					if peer.IsStatic {
-						if userNodeI.StaticNode.Address != "" {
-							rules = append(rules, models.FwRule{
-								SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
-								DstIP: peer.StaticNode.AddressIPNet4().IP,
-								Allow: true,
-							})
-							rules = append(rules, models.FwRule{
-								SrcIp: peer.StaticNode.AddressIPNet4().IP,
-								DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
-								Allow: true,
-							})
-						}
-						if userNodeI.StaticNode.Address6 != "" {
-							rules = append(rules, models.FwRule{
-								SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
-								DstIP: peer.StaticNode.AddressIPNet6().IP,
-								Allow: true,
-							})
-							rules = append(rules, models.FwRule{
-								SrcIp: peer.StaticNode.AddressIPNet6().IP,
-								DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
-								Allow: true,
-							})
-						}
-					} else {
-						if userNodeI.StaticNode.Address != "" {
-							rules = append(rules, models.FwRule{
-								SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
-								DstIP: peer.Address.IP,
-								Allow: true,
-							})
-						}
-						if userNodeI.StaticNode.Address6 != "" {
-							rules = append(rules, models.FwRule{
-								SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
-								DstIP: peer.Address6.IP,
-								Allow: true,
-							})
-						}
+	//fmt.Printf("=====> NODES: %+v \n\n", nodes)
+	userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
+	//fmt.Printf("=====> USER NODES %+v \n\n", userNodes)
+	for _, userNodeI := range userNodes {
+		for _, peer := range nodes {
+			if peer.IsUserNode {
+				continue
+			}
+
+			if IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer) {
+				if peer.IsStatic {
+
+					if userNodeI.StaticNode.Address != "" {
+
+						rules = append(rules, models.FwRule{
+							SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
+							DstIP: peer.StaticNode.AddressIPNet4().IP,
+							Allow: true,
+						})
+
+						rules = append(rules, models.FwRule{
+							SrcIp: peer.StaticNode.AddressIPNet4().IP,
+							DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
+							Allow: true,
+						})
 					}
+					if userNodeI.StaticNode.Address6 != "" {
 
+						rules = append(rules, models.FwRule{
+							SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
+							DstIP: peer.StaticNode.AddressIPNet6().IP,
+							Allow: true,
+						})
+
+						rules = append(rules, models.FwRule{
+							SrcIp: peer.StaticNode.AddressIPNet6().IP,
+							DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
+							Allow: true,
+						})
+					}
+				} else {
+
+					if userNodeI.StaticNode.Address != "" {
+						rules = append(rules, models.FwRule{
+							SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
+							DstIP: peer.Address.IP,
+							Allow: true,
+						})
+					}
+
+					if userNodeI.StaticNode.Address6 != "" {
+						rules = append(rules, models.FwRule{
+							SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
+							DstIP: peer.Address6.IP,
+							Allow: true,
+						})
+					}
 				}
+
 			}
 		}
 	}
+
 	if defaultDevicePolicy.Enabled {
 		return
 	}
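Review bot: The IPv6 rules at `DstIP: peer.StaticNode.AddressIPNet6().IP` and `DstIP: peer.Address6.IP` are guarded only by the user node's `Address6 != ""`, so a peer with no IPv6 address (and likewise a peer with no IPv4 address on the v4 branch) would, as far as this hunk shows, yield an Allow rule with a nil or zero DstIP; depending on how the gateway renders a FwRule, an empty destination can turn into a wider match than intended, so check the peer side too, e.g. `if userNodeI.StaticNode.Address6 != "" && peer.StaticNode.Address6 != "" {` on the static branch and `if userNodeI.StaticNode.Address6 != "" && peer.Address6.IP != nil {` on the node branch, with the same treatment for the IPv4 guards. Now that the `!defaultUserPolicy.Enabled` gate is gone and IsUserAllowedToCommunicate decides per pair (it returns true when the default user policy is enabled), the commented-out `defaultUserPolicy` lookup and the two commented `fmt.Printf` lines should be deleted rather than left as comments. GetFwRulesOnIngressGateway continues past the end of the hunk, so the device-policy rules that follow were not reviewed here.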