
Merge pull request #3712 from gravitl/NM-159

NM-159: Improved old Acl deprecation flow
Abhishek K 1 月之前
父節點
當前提交
5a15d4b3c6
共有 5 個文件被更改,包括 106 次插入26 次删除
  1. 37 0
      controllers/network.go
  2. 37 1
      logic/settings.go
  3. 9 4
      migrate/migrate.go
  4. 1 0
      models/settings.go
  5. 22 21
      models/structs.go

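--- a/controllers/network.go
+++ b/controllers/network.go
@@ -16,6 +16,7 @@ import (
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/logic/acls"
+	"github.com/gravitl/netmaker/logic/acls/nodeacls"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/mq"
 	"github.com/gravitl/netmaker/servercfg"
@@ -42,6 +43,8 @@ func networkHandlers(r *mux.Router) {
 	r.HandleFunc("/api/networks/{networkname}/acls", logic.SecurityCheck(true, http.HandlerFunc(getNetworkACL))).
 		Methods(http.MethodGet)
 	r.HandleFunc("/api/networks/{networkname}/egress_routes", logic.SecurityCheck(true, http.HandlerFunc(getNetworkEgressRoutes)))
+	r.HandleFunc("/api/networks/{networkname}/old_acl_status", logic.SecurityCheck(true, http.HandlerFunc(OldNetworkACLStatus))).
+		Methods(http.MethodGet)
 }
 
 // @Summary     Lists all networks
@@ -430,6 +433,40 @@ func getNetworkACL(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(networkACL)
 }
 
+// @Summary     Check a Old ACL Status (Access Control List)
+// @Router      /api/networks/{networkname}/old_acl_status [get]
+// @Tags        Networks
+// @Security    oauth
+// @Param       networkname path string true "Network name"
+// @Produce     json
+// @Success     200 {object} acls.ACLContainer
+// @Failure     500 {object} models.ErrorResponse
+func OldNetworkACLStatus(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	var params = mux.Vars(r)
+	netname := params["networkname"]
+	var networkACL acls.ACLContainer
+	networkACL, err := nodeacls.FetchAllACLs(nodeacls.NetworkID(netname))
+	if err != nil {
+		logic.ReturnSuccessResponse(w, r, "false")
+		return
+	}
+	disableOldAcls := true
+	for _, aclNode := range networkACL {
+		for _, allowed := range aclNode {
+			if allowed != acls.Allowed {
+				disableOldAcls = false
+				break
+			}
+		}
+	}
+	msg := "true"
+	if disableOldAcls {
+		msg = "false"
+	}
+	logic.ReturnSuccessResponse(w, r, msg)
+}
+
 // @Summary     Get a network Egress routes
 // @Router      /api/networks/{networkname}/egress_routes [get]
 // @Tags        Networks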
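Review bot: In OldNetworkACLStatus the FetchAllACLs error branch answers 200 with the body "false", the same reply as "no deny rules present", so a failed read of the ACL store is indistinguishable from "safe to switch the old ACLs off" — a fail-open signal for a flow whose other half rewrites deny rules to Allowed. Return the documented 500 `models.ErrorResponse` there instead, and fix the swagger line, which declares `@Success 200 {object} acls.ACLContainer` although the handler only ever returns the strings "true"/"false" through ReturnSuccessResponse. The inner `break` leaves only the per-node loop, so the scan continues after the first non-Allowed entry; a labelled break or an early `msg = "true"` return would express the intent, and the `disableOldAcls` flag reads inverted relative to the message it produces. A contract comment above the func would help, e.g. `// OldNetworkACLStatus replies "true" when any ACL entry in the network is not Allowed (old ACLs still in use) and "false" otherwise.`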

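--- a/logic/settings.go
+++ b/logic/settings.go
@@ -11,6 +11,8 @@ import (
 
 	"github.com/gravitl/netmaker/config"
 	"github.com/gravitl/netmaker/database"
+	"github.com/gravitl/netmaker/logic/acls"
+	"github.com/gravitl/netmaker/logic/acls/nodeacls"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
 )
@@ -61,7 +63,10 @@ func UpsertServerSettings(s models.ServerSettings) error {
 		}
 	}
 	s.GroupFilters = groupFilters
-
+	if !s.OldAClsSupport {
+		// set defaults for old acl settings
+		go setDefaultsforOldAclCfg()
+	}
 	data, err := json.Marshal(s)
 	if err != nil {
 		return err
@@ -73,6 +78,36 @@ func UpsertServerSettings(s models.ServerSettings) error {
 	return nil
 }
 
+func setDefaultsforOldAclCfg() {
+	nets, _ := GetNetworks()
+	for _, netI := range nets {
+		if netI.DefaultACL != "yes" {
+			netI.DefaultACL = "yes"
+			UpsertNetwork(netI)
+		}
+		networkACL, err := nodeacls.FetchAllACLs(nodeacls.NetworkID(netI.NetID))
+		if err != nil {
+			continue
+		}
+		for id, aclNode := range networkACL {
+			for aclID, allowed := range aclNode {
+				if allowed != acls.Allowed {
+					aclNode.Allow(aclID)
+				}
+			}
+			networkACL.UpdateACL(id, aclNode)
+		}
+		networkACL.Save(acls.ContainerID(netI.NetID))
+	}
+	nodes, _ := GetAllNodes()
+	for _, node := range nodes {
+		if node.DefaultACL != "yes" {
+			node.DefaultACL = "yes"
+			UpsertNode(&node)
+		}
+	}
+}
+
 func GetUserSettings(userID string) models.UserSettings {
 	data, err := database.FetchRecord(database.SERVER_SETTINGS, userID)
 	if err != nil {
@@ -246,6 +281,7 @@ func GetServerInfo() models.ServerConfig {
 	cfg.StunServers = serverSettings.StunServers
 	cfg.DefaultDomain = serverSettings.DefaultDomain
 	cfg.EndpointDetection = serverSettings.EndpointDetection
+	cfg.PeerConnectionCheckInterval = serverSettings.PeerConnectionCheckInterval
 	key, _ := RetrievePublicTrafficKey()
 	cfg.TrafficKey = key
 	return cfg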
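Review bot: setDefaultsforOldAclCfg (the @@ -73,6 +78,36 @@ hunk) discards every result it gets back — `nets, _ := GetNetworks()`, `nodes, _ := GetAllNodes()`, and whatever UpsertNetwork, UpdateACL, Save and UpsertNode return — so a partial failure leaves some networks with their deny entries rewritten to Allowed and others untouched, with nothing logged; nothing here records the prior state either, so flipping OldAClsSupport back on cannot restore those rules. Each of those calls should at least have its error checked and logged with the network or node id, e.g. `if err := networkACL.Save(acls.ContainerID(netI.NetID)); err != nil { /* log netI.NetID and err */ }` (assuming Save returns an error — confirm against the acls package). In the @@ -61,7 +63,10 @@ hunk the goroutine is started whenever the incoming value is false rather than only when it changes from true to false, so every later settings save reruns the whole rewrite, and it is started before json.Marshal and the store below, so the rewrite still runs when persisting the settings fails. Gate it on the previously stored setting and launch it only after the record has been written successfully; a doc comment such as `// setDefaultsforOldAclCfg sets DefaultACL to "yes" on every network and node and marks every existing node ACL entry Allowed; this is not reversible.` would make the cost of calling it visible to the next reader.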

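--- a/migrate/migrate.go
+++ b/migrate/migrate.go
@@ -56,10 +56,12 @@ func checkAndDeprecateOldAcls() {
 		if err != nil {
 			continue
 		}
-		for id, aclNode := range networkACL {
-			if !aclNode.IsAllowed(id) {
-				disableOldAcls = false
-				break
+		for _, aclNode := range networkACL {
+			for _, allowed := range aclNode {
+				if allowed != acls.Allowed {
+					disableOldAcls = false
+					break
+				}
 			}
 		}
 		if disableOldAcls {
@@ -869,6 +871,9 @@ func migrateSettings() {
 	if _, ok := settingsD["old_acl_support"]; !ok {
 		settings.OldAClsSupport = servercfg.IsOldAclEnabled()
 	}
+	if settings.PeerConnectionCheckInterval == "" {
+		settings.PeerConnectionCheckInterval = "15"
+	}
 	if settings.AuditLogsRetentionPeriodInDays == 0 {
 		settings.AuditLogsRetentionPeriodInDays = 7
 	}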
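Review bot: PeerConnectionCheckInterval is introduced as a free-form string — defaulted to "15" here and declared as `string` in models/settings.go and models/structs.go — with no unit in the name or tag and nothing that checks it parses as a number, while the neighbouring AuditLogsRetentionPeriodInDays is an int with its unit in the name. I cannot tell the unit from this page; a comment on the model field such as `// PeerConnectionCheckInterval - interval between peer connection checks, decimal string, unit: <TODO confirm>` would pin it down, and UpsertServerSettings should reject a value that fails strconv.Atoi so a non-numeric string cannot be persisted and handed to every client through GetServerInfo. migrateSettings and checkAndDeprecateOldAcls both start and end outside their hunks. In the first hunk the `break` only leaves the inner loop, so the scan keeps going after the first non-Allowed entry; harmless, but a labelled break would say what is meant.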

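--- a/models/settings.go
+++ b/models/settings.go
@@ -49,6 +49,7 @@ type ServerSettings struct {
 	StunServers                    string `json:"stun_servers"`
 	AuditLogsRetentionPeriodInDays int    `json:"audit_logs_retention_period"`
 	OldAClsSupport                 bool   `json:"old_acl_support"`
+	PeerConnectionCheckInterval    string `json:"peer_connection_check_interval"`
 }
 
 type UserSettings struct {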

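--- a/models/structs.go
+++ b/models/structs.go
@@ -292,27 +292,28 @@ type NodeJoinResponse struct {
 
 // ServerConfig - struct for dealing with the server information for a netclient
 type ServerConfig struct {
-	CoreDNSAddr       string `yaml:"corednsaddr"`
-	API               string `yaml:"api"`
-	APIHost           string `yaml:"apihost"`
-	APIPort           string `yaml:"apiport"`
-	DNSMode           string `yaml:"dnsmode"`
-	Version           string `yaml:"version"`
-	MQPort            string `yaml:"mqport"`
-	MQUserName        string `yaml:"mq_username"`
-	MQPassword        string `yaml:"mq_password"`
-	BrokerType        string `yaml:"broker_type"`
-	Server            string `yaml:"server"`
-	Broker            string `yaml:"broker"`
-	IsPro             bool   `yaml:"isee" json:"Is_EE"`
-	TrafficKey        []byte `yaml:"traffickey"`
-	MetricInterval    string `yaml:"metric_interval"`
-	MetricsPort       int    `yaml:"metrics_port"`
-	ManageDNS         bool   `yaml:"manage_dns"`
-	Stun              bool   `yaml:"stun"`
-	StunServers       string `yaml:"stun_servers"`
-	EndpointDetection bool   `yaml:"endpoint_detection"`
-	DefaultDomain     string `yaml:"default_domain"`
+	CoreDNSAddr                 string `yaml:"corednsaddr"`
+	API                         string `yaml:"api"`
+	APIHost                     string `yaml:"apihost"`
+	APIPort                     string `yaml:"apiport"`
+	DNSMode                     string `yaml:"dnsmode"`
+	Version                     string `yaml:"version"`
+	MQPort                      string `yaml:"mqport"`
+	MQUserName                  string `yaml:"mq_username"`
+	MQPassword                  string `yaml:"mq_password"`
+	BrokerType                  string `yaml:"broker_type"`
+	Server                      string `yaml:"server"`
+	Broker                      string `yaml:"broker"`
+	IsPro                       bool   `yaml:"isee" json:"Is_EE"`
+	TrafficKey                  []byte `yaml:"traffickey"`
+	MetricInterval              string `yaml:"metric_interval"`
+	MetricsPort                 int    `yaml:"metrics_port"`
+	ManageDNS                   bool   `yaml:"manage_dns"`
+	Stun                        bool   `yaml:"stun"`
+	StunServers                 string `yaml:"stun_servers"`
+	EndpointDetection           bool   `yaml:"endpoint_detection"`
+	DefaultDomain               string `yaml:"default_domain"`
+	PeerConnectionCheckInterval string `yaml:"peer_connection_check_interval"`
 }
 
 // User.NameInCharset - returns if name is in charset below or not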