NET-1932: remove addtional checks on Inet policy, optimise acl calls (#3480)

* move relevant acl and tag code to CE and Pro pkgs

* intialise pro acl funcs

* list gateways by user access

* check user gw access by policies

* filter out user policies on CE

* filter out tagged policies on CE

* fix ce acl comms

* allow gateways tag

* allow gateway tag  on CE, remove failover and gw check on acl policy

* add gw rules func to pro

* add inet gw support on CE

* add egress acl API

* add egress acl API

* fix(go): set is_gw when converting api node to server node;

* fix(go): set is_gw when converting api node to server node;

* fix policy validity checker for inet gws

* move dns option to host model

* fix node removal from egress policy on delete

* add migration logic for ManageDNS

* fix dns json field

* fix nil error on node tags

* add egress info to relayed nodes

* fix default network user policy

* fix egress migration

* fix egress migration

* add failover inet gw check

* optiomise egress calls

* auto create gw on inet egress node

* optimise egress calls

* add global user role check

* fix egress on inet gw

* remove addtional checks on inet policy

---------

Co-authored-by: Vishal Dalwadi <[email protected]>

logic/acls.go

@@ -43,8 +43,7 @@ var MigrateToGws = func() {
 
 }
 
-func CheckIfNodeHasAccessToAllResources(targetnode *models.Node) bool {
-	acls := ListDevicePolicies(models.NetworkID(targetnode.Network))
+func CheckIfNodeHasAccessToAllResources(targetnode *models.Node, acls []models.Acl) bool {
 	var targetNodeTags = make(map[models.TagID]struct{})
 	if targetnode.Mutex != nil {
 		targetnode.Mutex.Lock()
@@ -62,7 +61,7 @@ func CheckIfNodeHasAccessToAllResources(targetnode *models.Node) bool {
 		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetnode.Network, models.GwTagName))] = struct{}{}
 	}
 	for _, acl := range acls {
-		if !acl.Enabled {
+		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
 			continue
 		}
 		srcTags := ConvAclTagToValueMap(acl.Src)
@@ -100,11 +99,11 @@ func CheckIfNodeHasAccessToAllResources(targetnode *models.Node) bool {
 	return false
 }
 
-var CheckIfAnyPolicyisUniDirectional = func(targetNode models.Node) bool {
+var CheckIfAnyPolicyisUniDirectional = func(targetNode models.Node, acls []models.Acl) bool {
 	return false
 }
 
-var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node) bool {
+var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node, acls []models.Acl) bool {
 	if !targetNode.EgressDetails.IsEgressGateway {
 		return false
 	}
@@ -114,7 +113,6 @@ var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node) bool {
 	if targetNode.IsGw {
 		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetNode.Network, models.GwTagName))] = struct{}{}
 	}
-	acls, _ := ListAclsByNetwork(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
 			continue

logic/egress.go

@@ -64,7 +64,7 @@ func ValidateEgressReq(e *schema.Egress) error {
 	return nil
 }
 
-func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
+func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []models.Acl) bool {
 	nodeTags := maps.Clone(node.Tags)
 	nodeTags[models.TagID(node.ID.String())] = struct{}{}
 	if !e.IsInetGw {
@@ -77,7 +77,6 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
 			return true
 		}
 	}
-	acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
 	for _, acl := range acls {
 		if !acl.Enabled {
 			continue
@@ -121,7 +120,7 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
 	return false
 }
 
-func AddEgressInfoToPeerByAccess(node, targetNode *models.Node, eli []schema.Egress, isDefaultPolicyActive bool) {
+func AddEgressInfoToPeerByAccess(node, targetNode *models.Node, eli []schema.Egress, acls []models.Acl, isDefaultPolicyActive bool) {
 
 	req := models.EgressGatewayRequest{
 		NodeID: targetNode.ID.String(),
@@ -136,14 +135,15 @@ func AddEgressInfoToPeerByAccess(node, targetNode *models.Node, eli []schema.Egr
 			targetNode.Mutex.Unlock()
 		}
 	}()
+
 	for _, e := range eli {
 		if !e.Status || e.Network != targetNode.Network {
 			continue
 		}
-		if !isDefaultPolicyActive {
-			if !DoesNodeHaveAccessToEgress(node, &e) {
+		if !isDefaultPolicyActive && !e.IsInetGw {
+			if !DoesNodeHaveAccessToEgress(node, &e, acls) {
 				if node.IsRelayed && node.RelayedBy == targetNode.ID.String() {
-					if !DoesNodeHaveAccessToEgress(targetNode, &e) {
+					if !DoesNodeHaveAccessToEgress(targetNode, &e, acls) {
 						continue
 					}
 				} else {

logic/peers.go

@@ -186,9 +186,10 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		}
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+		acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
 		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
-			(!CheckIfAnyPolicyisUniDirectional(node) && !CheckIfAnyActiveEgressPolicy(node)) ||
-			CheckIfNodeHasAccessToAllResources(&node) {
+			(!CheckIfAnyPolicyisUniDirectional(node, acls) && !CheckIfAnyActiveEgressPolicy(node, acls)) ||
+			CheckIfNodeHasAccessToAllResources(&node, acls) {
 			aclRule := models.AclRule{
 				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 				AllowedProtocol: models.ALL,
@@ -240,7 +241,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 			}
 			GetNodeEgressInfo(&peer, eli)
 			if peer.EgressDetails.IsEgressGateway {
-				AddEgressInfoToPeerByAccess(&node, &peer, eli, defaultDevicePolicy.Enabled)
+				AddEgressInfoToPeerByAccess(&node, &peer, eli, acls, defaultDevicePolicy.Enabled)
 			}
 			_, isFailOverPeer := node.FailOverPeers[peer.ID.String()]
 			if peer.EgressDetails.IsEgressGateway {

logic/relay.go

@@ -223,7 +223,9 @@ func GetAllowedIpsForRelayed(relayed, relay *models.Node) (allowedIPs []net.IPNe
 		logger.Log(0, "error getting network clients", err.Error())
 		return
 	}
+	acls, _ := ListAclsByNetwork(models.NetworkID(relay.Network))
 	eli, _ := (&schema.Egress{Network: relay.Network}).ListByNetwork(db.WithContext(context.TODO()))
+	defaultPolicy, _ := GetDefaultPolicy(models.NetworkID(relay.Network), models.DevicePolicy)
 	for _, peer := range peers {
 		if peer.ID == relayed.ID || peer.ID == relay.ID {
 			continue
@@ -231,7 +233,7 @@ func GetAllowedIpsForRelayed(relayed, relay *models.Node) (allowedIPs []net.IPNe
 		if !IsPeerAllowed(*relayed, peer, true) {
 			continue
 		}
-		GetNodeEgressInfo(&peer, eli)
+		AddEgressInfoToPeerByAccess(relayed, &peer, eli, acls, defaultPolicy.Enabled)
 		if nodeacls.AreNodesAllowed(nodeacls.NetworkID(relayed.Network), nodeacls.NodeID(relayed.ID.String()), nodeacls.NodeID(peer.ID.String())) {
 			allowedIPs = append(allowedIPs, GetAllowedIPs(relayed, &peer, nil)...)
 		}

pro/logic/acls.go

@@ -1283,7 +1283,7 @@ func getUserAclRulesForNode(targetnode *models.Node,
 	return rules
 }
 
-func CheckIfAnyActiveEgressPolicy(targetNode models.Node) bool {
+func CheckIfAnyActiveEgressPolicy(targetNode models.Node, acls []models.Acl) bool {
 	if !targetNode.EgressDetails.IsEgressGateway {
 		return false
 	}
@@ -1300,7 +1300,6 @@ func CheckIfAnyActiveEgressPolicy(targetNode models.Node) bool {
 	}
 	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
 	targetNodeTags["*"] = struct{}{}
-	acls, _ := logic.ListAclsByNetwork(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
 			continue
@@ -1326,7 +1325,7 @@ func CheckIfAnyActiveEgressPolicy(targetNode models.Node) bool {
 	return false
 }
 
-func CheckIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
+func CheckIfAnyPolicyisUniDirectional(targetNode models.Node, acls []models.Acl) bool {
 	var targetNodeTags = make(map[models.TagID]struct{})
 	if targetNode.Mutex != nil {
 		targetNode.Mutex.Lock()
@@ -1340,7 +1339,6 @@ func CheckIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 	}
 	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
 	targetNodeTags["*"] = struct{}{}
-	acls, _ := logic.ListAclsByNetwork(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled {
 			continue