
Merge pull request #3755 from gravitl/v1.2.0-legacy-acl-fix

v1.2.0: add safe nil check for legacy acls
Abhishek Kondur 1 week ago
parent
commit
405d38510d
2 changed files with 22 additions and 4 deletions
  1. 7 0
      logic/clients.go
  2. 15 4
      pro/logic/ext_acls.go

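--- a/logic/clients.go
+++ b/logic/clients.go
@@ -26,6 +26,10 @@ var (
 	}
 	SetClientDefaultACLs = func(ec *models.ExtClient) error {
 		// allow all on CE
+		if !GetServerSettings().OldAClsSupport {
+			ec.DeniedACLs = make(map[string]struct{})
+			return nil
+		}
 		networkAcls := acls.ACLContainer{}
 		networkAcls, err := networkAcls.Get(acls.ContainerID(ec.Network))
 		if err != nil {
@@ -34,6 +38,9 @@ var (
 		}
 		networkAcls[acls.AclID(ec.ClientID)] = make(acls.ACL)
 		for objId := range networkAcls {
+			if networkAcls[objId] == nil {
+				networkAcls[objId] = make(acls.ACL)
+			}
 			networkAcls[objId][acls.AclID(ec.ClientID)] = acls.Allowed
 			networkAcls[acls.AclID(ec.ClientID)][objId] = acls.Allowed
 		}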
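Review bot: The new nil guard covers only the nested map networkAcls[objId]; the container itself is reassigned from `networkAcls.Get(...)` two lines above the error check, and if Get can hand back a nil ACLContainer alongside a nil error, the write `networkAcls[acls.AclID(ec.ClientID)] = make(acls.ACL)` at the top of the second hunk still panics on a nil map. If Get's contract does not already exclude that, a guard after the error check, `if networkAcls == nil { networkAcls = acls.ACLContainer{} }`, closes it. Separately, the pre-existing `// allow all on CE` comment now sits directly above the OldAClsSupport branch and reads as if it described it, while the branch actually drops every stale legacy denial and skips the container entirely; a comment on the branch such as `// legacy ACLs disabled: clear stale legacy denials, nothing else to compute here` with the allow-all comment moved below it would keep the two cases distinct. The SetClientDefaultACLs function literal starts and ends outside these hunks.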

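--- a/pro/logic/ext_acls.go
+++ b/pro/logic/ext_acls.go
@@ -48,6 +48,10 @@ func RemoveDeniedNodeFromClient(ec *models.ExtClient, clientOrNodeID string) boo
 
 // SetClientDefaultACLs - set's a client's default ACLs based on network and nodes in network
 func SetClientDefaultACLs(ec *models.ExtClient) error {
+	if !logic.GetServerSettings().OldAClsSupport {
+		ec.DeniedACLs = make(map[string]struct{})
+		return nil
+	}
 	networkNodes, err := logic.GetNetworkNodes(ec.Network)
 	if err != nil {
 		return err
@@ -65,14 +69,18 @@ func SetClientDefaultACLs(ec *models.ExtClient) error {
 	networkAcls[acls.AclID(ec.ClientID)] = make(acls.ACL)
 	for i := range networkNodes {
 		currNode := networkNodes[i]
+		nodeID := acls.AclID(currNode.ID.String())
+		if networkAcls[nodeID] == nil {
+			networkAcls[nodeID] = make(acls.ACL)
+		}
 		if network.DefaultACL == "no" || currNode.DefaultACL == "no" {
 			DenyClientNode(ec, currNode.ID.String())
-			networkAcls[acls.AclID(ec.ClientID)][acls.AclID(currNode.ID.String())] = acls.NotAllowed
-			networkAcls[acls.AclID(currNode.ID.String())][acls.AclID(ec.ClientID)] = acls.NotAllowed
+			networkAcls[acls.AclID(ec.ClientID)][nodeID] = acls.NotAllowed
+			networkAcls[nodeID][acls.AclID(ec.ClientID)] = acls.NotAllowed
 		} else {
 			RemoveDeniedNodeFromClient(ec, currNode.ID.String())
-			networkAcls[acls.AclID(ec.ClientID)][acls.AclID(currNode.ID.String())] = acls.Allowed
-			networkAcls[acls.AclID(currNode.ID.String())][acls.AclID(ec.ClientID)] = acls.Allowed
+			networkAcls[acls.AclID(ec.ClientID)][nodeID] = acls.Allowed
+			networkAcls[nodeID][acls.AclID(ec.ClientID)] = acls.Allowed
 		}
 	}
 	networkClients, err := logic.GetNetworkExtClients(ec.Network)
@@ -82,6 +90,9 @@ func SetClientDefaultACLs(ec *models.ExtClient) error {
 	}
 	for _, client := range networkClients {
 		// TODO: revisit when client-client acls are supported
+		if networkAcls[acls.AclID(client.ClientID)] == nil {
+			networkAcls[acls.AclID(client.ClientID)] = make(acls.ACL)
+		}
 		networkAcls[acls.AclID(ec.ClientID)][acls.AclID(client.ClientID)] = acls.Allowed
 		networkAcls[acls.AclID(client.ClientID)][acls.AclID(ec.ClientID)] = acls.Allowed
 	}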
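Review bot: The same three-line nil guard on a nested ACL map is now written three times — in the node loop for nodeID, in the client loop for client.ClientID, and once more in logic/clients.go for objId — so the "safe nil check" this PR introduces has three copies that can drift apart. A small helper keeps it in one place and makes the intent (the paired per-peer writes must never hit a nil map) explicit at each call site, e.g. `ensureACL(networkAcls, nodeID)` and `ensureACL(networkAcls, acls.AclID(client.ClientID))`; logic/clients.go lives in a different package, so the helper would have to sit in the acls package or be duplicated there. The node loop also still evaluates `currNode.ID.String()` for DenyClientNode and RemoveDeniedNodeFromClient after nodeID has been introduced, which is harmless but reads as if the two were different values. SetClientDefaultACLs continues outside the hunks shown; the networkAcls container is initialised in the gap between the first and second hunk.

```go
// ensureACL guarantees container[id] is a non-nil ACL so the paired
// per-peer writes that follow cannot panic on a nil map.
func ensureACL(container acls.ACLContainer, id acls.AclID) {
	if container[id] == nil {
		container[id] = make(acls.ACL)
	}
}

// … unchanged: SetClientDefaultACLs up to the node loop …
		nodeID := acls.AclID(currNode.ID.String())
		ensureACL(networkAcls, nodeID)
// … unchanged: DefaultACL branches and their paired writes …
	for _, client := range networkClients {
		// TODO: revisit when client-client acls are supported
		ensureACL(networkAcls, acls.AclID(client.ClientID))
// … unchanged: paired Allowed writes …
```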