|
|
@@ -581,7 +581,13 @@ func CreateUserGroup(g *models.UserGroup) error {
|
|
|
if err != nil {
|
|
|
return err
|
|
|
}
|
|
|
- return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
|
|
+ err = database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+ // create default network gateway policies
|
|
|
+ go CreateDefaultUserGroupNetworkPolicies(*g)
|
|
|
+ return nil
|
|
|
}
|
|
|
|
|
|
// GetUserGroup - fetches user group
|
|
|
@@ -646,7 +652,11 @@ func UpdateUserGroup(g models.UserGroup) error {
|
|
|
if err != nil {
|
|
|
return err
|
|
|
}
|
|
|
- return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
|
|
+ err = database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+ return nil
|
|
|
}
|
|
|
|
|
|
// DeleteUserGroup - deletes user group
|
|
|
@@ -729,7 +739,10 @@ func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
|
|
|
continue
|
|
|
}
|
|
|
if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
|
|
|
- gws[node.ID.String()] = node
|
|
|
+ if ok, _ := IsUserAllowedToCommunicate(user.UserName, node); ok {
|
|
|
+ gws[node.ID.String()] = node
|
|
|
+ continue
|
|
|
+ }
|
|
|
} else {
|
|
|
// check if user has network role assigned
|
|
|
if roles, ok := user.NetworkRoles[models.NetworkID(node.Network)]; ok && len(roles) > 0 {
|
|
|
@@ -1200,6 +1213,39 @@ func UpdateUserGwAccess(currentUser, changeUser models.User) {
|
|
|
|
|
|
}
|
|
|
|
|
|
+func CreateDefaultUserGroupNetworkPolicies(g models.UserGroup) {
|
|
|
+ for netID := range g.NetworkRoles {
|
|
|
+ if !logic.IsAclExists(fmt.Sprintf("%s.%s-grp", netID, g.ID.String())) {
|
|
|
+ userGroupAcl := models.Acl{
|
|
|
+ ID: fmt.Sprintf("%s.%s-grp", netID, g.ID.String()),
|
|
|
+ Default: true,
|
|
|
+ Name: "All Users",
|
|
|
+ MetaData: "This policy gives access to everything in the network for an user",
|
|
|
+ NetworkID: netID,
|
|
|
+ Proto: models.ALL,
|
|
|
+ ServiceType: models.Any,
|
|
|
+ Port: []string{},
|
|
|
+ RuleType: models.UserPolicy,
|
|
|
+ Src: []models.AclPolicyTag{
|
|
|
+ {
|
|
|
+ ID: models.UserGroupAclID,
|
|
|
+ Value: g.ID.String(),
|
|
|
+ },
|
|
|
+ },
|
|
|
+ Dst: []models.AclPolicyTag{{
|
|
|
+ ID: models.NodeTagID,
|
|
|
+ Value: fmt.Sprintf("%s.%s", netID.String(), models.GwTagName),
|
|
|
+ }},
|
|
|
+ AllowedDirection: models.TrafficDirectionUni,
|
|
|
+ Enabled: true,
|
|
|
+ CreatedBy: "auto",
|
|
|
+ CreatedAt: time.Now().UTC(),
|
|
|
+ }
|
|
|
+ logic.InsertAcl(userGroupAcl)
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
func CreateDefaultUserPolicies(netID models.NetworkID) {
|
|
|
if netID.String() == "" {
|
|
|
return
|
abhishek9686