
NET-1932: remove addtional checks on Inet policy, optimise acl calls (#3480)

* move relevant acl and tag code to CE and Pro pkgs

* intialise pro acl funcs

* list gateways by user access

* check user gw access by policies

* filter out user policies on CE

* filter out tagged policies on CE

* fix ce acl comms

* allow gateways tag

* allow gateway tag  on CE, remove failover and gw check on acl policy

* add gw rules func to pro

* add inet gw support on CE

* add egress acl API

* add egress acl API

* fix(go): set is_gw when converting api node to server node;

* fix(go): set is_gw when converting api node to server node;

* fix policy validity checker for inet gws

* move dns option to host model

* fix node removal from egress policy on delete

* add migration logic for ManageDNS

* fix dns json field

* fix nil error on node tags

* add egress info to relayed nodes

* fix default network user policy

* fix egress migration

* fix egress migration

* add failover inet gw check

* optiomise egress calls

* auto create gw on inet egress node

* optimise egress calls

* add global user role check

* fix egress on inet gw

* remove additional checks on inet policy

---------

Co-authored-by: Vishal Dalwadi <[email protected]>
Abhishek K 3 months ago
parent
commit
44300590f8
5 changed files with 19 additions and 20 deletions
  1. 4 6
      logic/acls.go
  2. 6 6
      logic/egress.go
  3. 4 3
      logic/peers.go
  4. 3 1
      logic/relay.go
  5. 2 4
      pro/logic/acls.go

+ 4 - 6
logic/acls.go

@@ -43,8 +43,7 @@ var MigrateToGws = func() {
 
 }
 
-func CheckIfNodeHasAccessToAllResources(targetnode *models.Node) bool {
-	acls := ListDevicePolicies(models.NetworkID(targetnode.Network))
+func CheckIfNodeHasAccessToAllResources(targetnode *models.Node, acls []models.Acl) bool {
 	var targetNodeTags = make(map[models.TagID]struct{})
 	if targetnode.Mutex != nil {
 		targetnode.Mutex.Lock()
@@ -62,7 +61,7 @@ func CheckIfNodeHasAccessToAllResources(targetnode *models.Node) bool {
 		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetnode.Network, models.GwTagName))] = struct{}{}
 	}
 	for _, acl := range acls {
-		if !acl.Enabled {
+		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
 			continue
 		}
 		srcTags := ConvAclTagToValueMap(acl.Src)
@@ -100,11 +99,11 @@ func CheckIfNodeHasAccessToAllResources(targetnode *models.Node) bool {
 	return false
 }
 
-var CheckIfAnyPolicyisUniDirectional = func(targetNode models.Node) bool {
+var CheckIfAnyPolicyisUniDirectional = func(targetNode models.Node, acls []models.Acl) bool {
 	return false
 }
 
-var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node) bool {
+var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node, acls []models.Acl) bool {
 	if !targetNode.EgressDetails.IsEgressGateway {
 		return false
 	}
@@ -114,7 +113,6 @@ var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node) bool {
 	if targetNode.IsGw {
 		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetNode.Network, models.GwTagName))] = struct{}{}
 	}
-	acls, _ := ListAclsByNetwork(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
 			continue

+ 6 - 6
logic/egress.go

@@ -64,7 +64,7 @@ func ValidateEgressReq(e *schema.Egress) error {
 	return nil
 }
 
-func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
+func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []models.Acl) bool {
 	nodeTags := maps.Clone(node.Tags)
 	nodeTags[models.TagID(node.ID.String())] = struct{}{}
 	if !e.IsInetGw {
@@ -77,7 +77,6 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
 			return true
 		}
 	}
-	acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
 	for _, acl := range acls {
 		if !acl.Enabled {
 			continue
@@ -121,7 +120,7 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
 	return false
 }
 
-func AddEgressInfoToPeerByAccess(node, targetNode *models.Node, eli []schema.Egress, isDefaultPolicyActive bool) {
+func AddEgressInfoToPeerByAccess(node, targetNode *models.Node, eli []schema.Egress, acls []models.Acl, isDefaultPolicyActive bool) {
 
 	req := models.EgressGatewayRequest{
 		NodeID: targetNode.ID.String(),
@@ -136,14 +135,15 @@ func AddEgressInfoToPeerByAccess(node, targetNode *models.Node, eli []schema.Egr
 			targetNode.Mutex.Unlock()
 		}
 	}()
+
 	for _, e := range eli {
 		if !e.Status || e.Network != targetNode.Network {
 			continue
 		}
-		if !isDefaultPolicyActive {
-			if !DoesNodeHaveAccessToEgress(node, &e) {
+		if !isDefaultPolicyActive && !e.IsInetGw {
+			if !DoesNodeHaveAccessToEgress(node, &e, acls) {
 				if node.IsRelayed && node.RelayedBy == targetNode.ID.String() {
-					if !DoesNodeHaveAccessToEgress(targetNode, &e) {
+					if !DoesNodeHaveAccessToEgress(targetNode, &e, acls) {
 						continue
 					}
 				} else {
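Review bot: The added `&& !e.IsInetGw` condition in AddEgressInfoToPeerByAccess attaches an internet-gateway egress entry to the peer without ever calling DoesNodeHaveAccessToEgress, even when the default device policy is disabled; read on its own the hunk looks like an ACL bypass, and the reason (the commit title says the inet checks were removed deliberately) belongs next to the code. I'd put `// Inet-gateway egress is not gated by per-egress ACL access here (NET-1932); access to the gateway is presumably enforced by the gateway/user policies elsewhere — confirm.` above the `if`. DoesNodeHaveAccessToEgress still branches on `!e.IsInetGw` at the top of its body, so its inet path may now be unreachable from this caller; worth checking whether other callers still need it. Both function bodies continue outside the hunks.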

+ 4 - 3
logic/peers.go

@@ -186,9 +186,10 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		}
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+		acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
 		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
-			(!CheckIfAnyPolicyisUniDirectional(node) && !CheckIfAnyActiveEgressPolicy(node)) ||
-			CheckIfNodeHasAccessToAllResources(&node) {
+			(!CheckIfAnyPolicyisUniDirectional(node, acls) && !CheckIfAnyActiveEgressPolicy(node, acls)) ||
+			CheckIfNodeHasAccessToAllResources(&node, acls) {
 			aclRule := models.AclRule{
 				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 				AllowedProtocol: models.ALL,
@@ -240,7 +241,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 			}
 			GetNodeEgressInfo(&peer, eli)
 			if peer.EgressDetails.IsEgressGateway {
-				AddEgressInfoToPeerByAccess(&node, &peer, eli, defaultDevicePolicy.Enabled)
+				AddEgressInfoToPeerByAccess(&node, &peer, eli, acls, defaultDevicePolicy.Enabled)
 			}
 			_, isFailOverPeer := node.FailOverPeers[peer.ID.String()]
 			if peer.EgressDetails.IsEgressGateway {
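Review bot: The error from `ListAclsByNetwork` on the new line is discarded, and an empty `acls` makes the policy checks fail open: with no entries CheckIfAnyPolicyisUniDirectional (the CE version returns false unconditionally) and CheckIfAnyActiveEgressPolicy (its visible body ends in `return false`) both return false, so `(!… && !…)` is true and the `…-allowed-network-rules` rule with `AllowedProtocol: models.ALL` is emitted for the node. A transient database failure therefore widens the node's allowed traffic rather than narrowing it, which this commit moves to the caller but does not address. I'd change it to `acls, err := ListAclsByNetwork(models.NetworkID(node.Network))` and, on `err != nil`, log and skip the allow-all branch (or return the error) instead of proceeding with the empty list. The same `_` pattern appears in logic/relay.go, where an empty list instead drops the relayed peer's egress info. GetPeerUpdateForHost starts and ends outside the hunks.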

+ 3 - 1
logic/relay.go

@@ -223,7 +223,9 @@ func GetAllowedIpsForRelayed(relayed, relay *models.Node) (allowedIPs []net.IPNe
 		logger.Log(0, "error getting network clients", err.Error())
 		return
 	}
+	acls, _ := ListAclsByNetwork(models.NetworkID(relay.Network))
 	eli, _ := (&schema.Egress{Network: relay.Network}).ListByNetwork(db.WithContext(context.TODO()))
+	defaultPolicy, _ := GetDefaultPolicy(models.NetworkID(relay.Network), models.DevicePolicy)
 	for _, peer := range peers {
 		if peer.ID == relayed.ID || peer.ID == relay.ID {
 			continue
@@ -231,7 +233,7 @@ func GetAllowedIpsForRelayed(relayed, relay *models.Node) (allowedIPs []net.IPNe
 		if !IsPeerAllowed(*relayed, peer, true) {
 			continue
 		}
-		GetNodeEgressInfo(&peer, eli)
+		AddEgressInfoToPeerByAccess(relayed, &peer, eli, acls, defaultPolicy.Enabled)
 		if nodeacls.AreNodesAllowed(nodeacls.NetworkID(relayed.Network), nodeacls.NodeID(relayed.ID.String()), nodeacls.NodeID(peer.ID.String())) {
 			allowedIPs = append(allowedIPs, GetAllowedIPs(relayed, &peer, nil)...)
 		}
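Review bot: Both new lookups drop their errors (`acls, _ :=` and `defaultPolicy, _ :=`), and the loop below feeds the zero values into AddEgressInfoToPeerByAccess: a zero `defaultPolicy` reads as disabled, and an empty `acls` likely makes DoesNodeHaveAccessToEgress return false for every entry that reaches its ACL loop, so a lookup failure silently strips the relayed peer's non-inet egress routes instead of surfacing. The function already has an error path a few lines up (`logger.Log(0, "error getting network clients", err.Error()); return`), and the same handling fits here: `acls, err := ListAclsByNetwork(models.NetworkID(relay.Network))` followed by log-and-return on `err != nil`, likewise for GetDefaultPolicy. Replacing `GetNodeEgressInfo` with AddEgressInfoToPeerByAccess also changes what the relayed node learns, so a comment such as `// Egress routes are added only where the relayed node has ACL access to the egress, matching GetPeerUpdateForHost.` would help the next reader. GetAllowedIpsForRelayed continues outside the hunk.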

+ 2 - 4
pro/logic/acls.go

@@ -1283,7 +1283,7 @@ func getUserAclRulesForNode(targetnode *models.Node,
 	return rules
 }
 
-func CheckIfAnyActiveEgressPolicy(targetNode models.Node) bool {
+func CheckIfAnyActiveEgressPolicy(targetNode models.Node, acls []models.Acl) bool {
 	if !targetNode.EgressDetails.IsEgressGateway {
 		return false
 	}
@@ -1300,7 +1300,6 @@ func CheckIfAnyActiveEgressPolicy(targetNode models.Node) bool {
 	}
 	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
 	targetNodeTags["*"] = struct{}{}
-	acls, _ := logic.ListAclsByNetwork(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
 			continue
@@ -1326,7 +1325,7 @@ func CheckIfAnyActiveEgressPolicy(targetNode models.Node) bool {
 	return false
 }
 
-func CheckIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
+func CheckIfAnyPolicyisUniDirectional(targetNode models.Node, acls []models.Acl) bool {
 	var targetNodeTags = make(map[models.TagID]struct{})
 	if targetNode.Mutex != nil {
 		targetNode.Mutex.Lock()
@@ -1340,7 +1339,6 @@ func CheckIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 	}
 	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
 	targetNodeTags["*"] = struct{}{}
-	acls, _ := logic.ListAclsByNetwork(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled {
 			continue
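Review bot: The CheckIfAnyPolicyisUniDirectional override keeps filtering only on `!acl.Enabled`, whereas CheckIfAnyActiveEgressPolicy two hunks up also skips `acl.RuleType != models.DevicePolicy`; now that both receive the same caller-supplied full ACL list, the asymmetry deserves either a matching RuleType check or a comment stating that user policies are intentionally considered here (the loop body is outside the hunk, so I cannot tell which is right). Neither function documents the new parameter; I'd add `// acls is the full ACL list for targetNode's network, supplied by the caller (see ListAclsByNetwork); disabled entries are skipped.` above each. These functions presumably replace the CE function variables of the same name in logic/acls.go at init, so the two signatures must stay in sync and nothing in the CE build checks that. Both function bodies extend outside the hunks.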