optimise acl cache with network map

logic/acls.go

@@ -14,10 +14,19 @@ import (
 )
 
 var (
-	aclCacheMutex = &sync.RWMutex{}
-	aclCacheMap   = make(map[string]models.Acl)
+	aclCacheMutex      = &sync.RWMutex{}
+	aclCacheMap        = make(map[string]models.Acl)
+	aclNetCacheMutex   = &sync.RWMutex{}
+	aclNetworkCacheMap = make(map[models.NetworkID]AclNetInfo)
 )
 
+type AclNetInfo struct {
+	DevicePolices       []models.Acl
+	UserPolicies        []models.Acl
+	DefaultDevicePolicy models.Acl
+	DefaultUserPolicy   models.Acl
+}
+
 func MigrateAclPolicies() {
 	acls := ListAcls()
 	for _, acl := range acls {
@@ -31,6 +40,34 @@ func MigrateAclPolicies() {
 
 }
 
+func loadNetworkAclsIntoCache() {
+	aclNetCacheMutex.Lock()
+	defer aclNetCacheMutex.Unlock()
+	aclNetworkCacheMap = make(map[models.NetworkID]AclNetInfo)
+	acls := ListAcls()
+	for _, acl := range acls {
+		aclNetInfo := aclNetworkCacheMap[acl.NetworkID]
+		if acl.RuleType == models.DevicePolicy {
+			aclNetInfo.DevicePolices = append(aclNetInfo.DevicePolices, acl)
+		} else {
+			aclNetInfo.UserPolicies = append(aclNetInfo.UserPolicies, acl)
+		}
+		aclNetworkCacheMap[acl.NetworkID] = aclNetInfo
+	}
+	for netID, aclNetInfo := range aclNetworkCacheMap {
+		defaultDevicePolicy, err := GetDefaultPolicy(models.NetworkID(netID), models.DevicePolicy)
+		if err == nil {
+			aclNetInfo.DefaultDevicePolicy = defaultDevicePolicy
+			aclNetworkCacheMap[netID] = aclNetInfo
+		}
+		defaultUserPolicy, err := GetDefaultPolicy(models.NetworkID(netID), models.UserPolicy)
+		if err == nil {
+			aclNetInfo.DefaultUserPolicy = defaultUserPolicy
+			aclNetworkCacheMap[netID] = aclNetInfo
+		}
+	}
+}
+
 // CreateDefaultAclNetworkPolicies - create default acl network policies
 func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
 	if netID.String() == "" {
@@ -163,12 +200,14 @@ func storeAclInCache(a models.Acl) {
 	aclCacheMutex.Lock()
 	defer aclCacheMutex.Unlock()
 	aclCacheMap[a.ID] = a
+	go loadNetworkAclsIntoCache()
 }
 
 func removeAclFromCache(a models.Acl) {
 	aclCacheMutex.Lock()
 	defer aclCacheMutex.Unlock()
 	delete(aclCacheMap, a.ID)
+	go loadNetworkAclsIntoCache()
 }
 
 func getAclFromCache(aID string) (a models.Acl, ok bool) {
@@ -368,6 +407,10 @@ func DeleteAcl(a models.Acl) error {
 
 // GetDefaultPolicy - fetches default policy in the network by ruleType
 func GetDefaultPolicy(netID models.NetworkID, ruleType models.AclPolicyType) (models.Acl, error) {
+	defaultPolicy := getDefaultPolicyFromNetCache(netID, ruleType)
+	if defaultPolicy.ID != "" {
+		return defaultPolicy, nil
+	}
 	aclID := "all-users"
 	if ruleType == models.DevicePolicy {
 		aclID = "all-nodes"
@@ -483,6 +526,35 @@ func listPoliciesOfUser(user models.User, netID models.NetworkID) []models.Acl {
 	return userAcls
 }
 
+func getDefaultPolicyFromNetCache(netID models.NetworkID, ruleType models.AclPolicyType) models.Acl {
+	aclNetCacheMutex.RLock()
+	defer aclNetCacheMutex.RUnlock()
+	if aclNetInfo, ok := aclNetworkCacheMap[netID]; ok {
+		if ruleType == models.DevicePolicy {
+			return aclNetInfo.DefaultDevicePolicy
+		} else {
+			return aclNetInfo.DefaultUserPolicy
+		}
+	}
+	return models.Acl{}
+}
+
+func listPolicesFromNetCache(netID models.NetworkID, ruleType models.AclPolicyType) []models.Acl {
+	aclNetCacheMutex.RLock()
+	defer aclNetCacheMutex.RUnlock()
+	if aclNetInfo, ok := aclNetworkCacheMap[netID]; ok {
+		if ruleType == models.DevicePolicy {
+			return aclNetInfo.DevicePolices
+		} else {
+			return aclNetInfo.UserPolicies
+		}
+	}
+	if ruleType == models.DevicePolicy {
+		return listDevicePolicies(netID)
+	}
+	return listUserPolicies(netID)
+}
+
 // listDevicePolicies - lists all device policies in a network
 func listDevicePolicies(netID models.NetworkID) []models.Acl {
 	allAcls := ListAcls()
@@ -582,9 +654,10 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
 				return true
 			}
 		}
+
 	}
 	// list device policies
-	policies := listDevicePolicies(models.NetworkID(peer.Network))
+	policies := listPolicesFromNetCache(models.NetworkID(node.Network), models.DevicePolicy)
 	srcMap := make(map[string]struct{})
 	dstMap := make(map[string]struct{})
 	defer func() {

logic/peers.go

@@ -295,15 +295,19 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 				peerConfig.Endpoint.IP = peer.LocalAddress.IP
 				peerConfig.Endpoint.Port = peerHost.ListenPort
 			}
-			allowedips := GetAllowedIPs(&node, &peer, nil)
-			allowedToComm := IsPeerAllowed(node, peer, false)
+			var allowedToComm bool
+			if defaultDevicePolicy.Enabled {
+				allowedToComm = true
+			} else {
+				allowedToComm = IsPeerAllowed(node, peer, false)
+			}
 			if peer.Action != models.NODE_DELETE &&
 				!peer.PendingDelete &&
 				peer.Connected &&
 				nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.ID.String())) &&
 				(defaultDevicePolicy.Enabled || allowedToComm) &&
 				(deletedNode == nil || (deletedNode != nil && peer.ID.String() != deletedNode.ID.String())) {
-				peerConfig.AllowedIPs = allowedips // only append allowed IPs if valid connection
+				peerConfig.AllowedIPs = GetAllowedIPs(&node, &peer, nil) // only append allowed IPs if valid connection
 			}
 
 			var nodePeer wgtypes.PeerConfig