
Merge branch 'develop' into fix_mem_prof

Yabin Ma 9 hónapja
szülő
commit
b906ffe3c6

+ 2 - 2
controllers/ext_client.go

@@ -470,8 +470,8 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 	extclient.IngressGatewayID = nodeid
 	extclient.Network = node.Network
 	extclient.Tags = make(map[models.TagID]struct{})
-	extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
-		models.RemoteAccessTagName))] = struct{}{}
+	// extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
+	// 	models.RemoteAccessTagName))] = struct{}{}
 	// set extclient dns to ingressdns if extclient dns is not explicitly set
 	if (extclient.DNS == "") && (node.IngressDNS != "") {
 		extclient.DNS = node.IngressDNS
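Review bot: The tag assignment removed on lines 17-18 is kept as a commented-out block on lines 19-20 instead of being deleted, and the same pattern appears in controllers/server.go (the trial-license block and the two status fields) and pro/controllers/users.go. Commented-out code has no owner and git history already preserves it, so either drop the lines or replace them with one sentence stating the intent, e.g. `// remote-access tag is no longer assigned at creation (see <placeholder: tracking issue>)`. The map created on line 16 is now always empty here, which is fine but worth saying in that comment. createExtClient starts and ends outside the hunk.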

+ 14 - 14
controllers/server.go

@@ -146,26 +146,26 @@ func getStatus(w http.ResponseWriter, r *http.Request) {
 	if servercfg.ErrLicenseValidation != nil {
 		licenseErr = servercfg.ErrLicenseValidation.Error()
 	}
-	var trialEndDate time.Time
-	var err error
-	isOnTrial := false
-	if servercfg.IsPro &&
-		(servercfg.GetLicenseKey() == "" || servercfg.GetNetmakerTenantID() == "") {
-		trialEndDate, err = logic.GetTrialEndDate()
-		if err != nil {
-			slog.Error("failed to get trial end date", "error", err)
-		} else {
-			isOnTrial = true
-		}
-	}
+	//var trialEndDate time.Time
+	//var err error
+	// isOnTrial := false
+	// if servercfg.IsPro &&
+	// 	(servercfg.GetLicenseKey() == "" || servercfg.GetNetmakerTenantID() == "") {
+	// 	trialEndDate, err = logic.GetTrialEndDate()
+	// 	if err != nil {
+	// 		slog.Error("failed to get trial end date", "error", err)
+	// 	} else {
+	// 		isOnTrial = true
+	// 	}
+	// }
 	currentServerStatus := status{
 		DB:               database.IsConnected(),
 		Broker:           mq.IsConnected(),
 		IsBrokerConnOpen: mq.IsConnectionOpen(),
 		LicenseError:     licenseErr,
 		IsPro:            servercfg.IsPro,
-		TrialEndDate:     trialEndDate,
-		IsOnTrialLicense: isOnTrial,
+		//TrialEndDate:     trialEndDate,
+		//IsOnTrialLicense: isOnTrial,
 	}
 
 	w.Header().Set("Content-Type", "application/json")
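Review bot: With the trial lookup commented out, `currentServerStatus` on line 56 is still built from the `status` struct, so if `TrialEndDate` and `IsOnTrialLicense` remain fields they are now serialized as a zero time and `false` for every Pro server without a license key, which a client cannot tell apart from a genuine "not on trial" answer. If the trial feature is being retired, remove the two fields from `status` (or mark them `json:",omitempty"`) in the same change; if it is only temporarily disabled, a short comment on line 44 saying so would prevent the next reader from treating the zero values as authoritative. Commenting out `var err error` on line 45 may also leave `err` undeclared if it is used later in getStatus; the rest of the function is outside the hunk, so I cannot confirm.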

+ 5 - 0
controllers/tags.go

@@ -216,6 +216,11 @@ func deleteTag(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
+	// check if active policy is using the tag
+	if logic.CheckIfTagAsActivePolicy(tag.ID, tag.Network) {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("tag is currently in use by an active policy"), "badrequest"))
+		return
+	}
 	err = logic.DeleteTag(models.TagID(tagID), true)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
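Review bot: Line 78 passes `tag.ID` and `tag.Network` to the new check while line 82 still passes `models.TagID(tagID)` to DeleteTag; using `tag.ID` in both calls would make it evident that the guard and the delete refer to the same loaded record. The check is also read-then-act with no lock visible, so a policy created between line 78 and line 82 can still reference the deleted tag; if that is acceptable, a comment on line 77 such as `// best-effort guard: a policy created concurrently may still reference the tag` records the trade-off. deleteTag begins before the hunk.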

+ 19 - 0
logic/acls.go

@@ -621,6 +621,25 @@ func UpdateDeviceTag(OldID, newID models.TagID, netID models.NetworkID) {
 	}
 }
 
+func CheckIfTagAsActivePolicy(tagID models.TagID, netID models.NetworkID) bool {
+	acls := listDevicePolicies(netID)
+	for _, acl := range acls {
+		for _, srcTagI := range acl.Src {
+			if srcTagI.ID == models.DeviceAclID {
+				if tagID.String() == srcTagI.Value {
+					return true
+				}
+			}
+		}
+		for _, dstTagI := range acl.Dst {
+			if dstTagI.ID == models.DeviceAclID {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // RemoveDeviceTagFromAclPolicies - remove device tag from acl policies
 func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID) error {
 	acls := listDevicePolicies(netID)
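Review bot: The destination loop on lines 103-107 returns true for any Dst entry whose ID is `models.DeviceAclID` without comparing its value to `tagID`, unlike the source loop on lines 97-99, so every tag in a network with at least one device-ACL destination policy is reported as in use and can never be deleted. The condition should mirror the source branch: `if dstTagI.ID == models.DeviceAclID && tagID.String() == dstTagI.Value {`. The name says "Active" but nothing on the policy's enabled state is checked; if `acl` carries such a flag, filter on it or rename the function. The exported function also lacks the `// Name - description` doc comment used on line 112; `// CheckIfTagAsActivePolicy - reports whether tagID is referenced as source or destination by any device policy in netID` would match the file's style.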

+ 3 - 0
logic/acls/nodeacls/modify.go

@@ -25,6 +25,9 @@ func CreateNodeACL(networkID NetworkID, nodeID NodeID, defaultVal byte) (acls.AC
 	acls.AclMutex.Lock()
 	var newNodeACL = make(acls.ACL)
 	for existingNodeID := range currentNetworkACL {
+		if currentNetworkACL[existingNodeID] == nil {
+			currentNetworkACL[existingNodeID] = make(acls.ACL)
+		}
 		currentNetworkACL[existingNodeID][acls.AclID(nodeID)] = defaultVal // set the old nodes to default value for new node
 		newNodeACL[existingNodeID] = defaultVal                            // set the old nodes in new node ACL to default value
 	}

+ 32 - 1
logic/extpeers.go

@@ -2,6 +2,7 @@ package logic
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net"
 	"reflect"
@@ -9,6 +10,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/goombaio/namegenerator"
 	"github.com/gravitl/netmaker/database"
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic/acls"
@@ -281,13 +283,41 @@ func CreateExtClient(extclient *models.ExtClient) error {
 	}
 
 	if extclient.ClientID == "" {
-		extclient.ClientID = models.GenerateNodeName()
+		extclient.ClientID, err = GenerateNodeName(extclient.Network)
+		if err != nil {
+			return err
+		}
 	}
 
 	extclient.LastModified = time.Now().Unix()
 	return SaveExtClient(extclient)
 }
 
+// GenerateNodeName - generates a random node name
+func GenerateNodeName(network string) (string, error) {
+	seed := time.Now().UTC().UnixNano()
+	nameGenerator := namegenerator.NewNameGenerator(seed)
+	var name string
+	cnt := 0
+	for {
+		if cnt > 10 {
+			return "", errors.New("couldn't generate random name, try again")
+		}
+		cnt += 1
+		name = nameGenerator.Generate()
+		if len(name) > 15 {
+			continue
+		}
+		_, err := GetExtClient(name, network)
+		if err == nil {
+			// config exists with same name
+			continue
+		}
+		break
+	}
+	return name, nil
+}
+
 // SaveExtClient - saves an ext client to database
 func SaveExtClient(extclient *models.ExtClient) error {
 	key, err := GetRecordKey(extclient.ClientID, extclient.Network)
@@ -802,6 +832,7 @@ func GetStaticNodesByNetwork(network models.NetworkID, onlyWg bool) (staticNode
 	if err != nil {
 		return
 	}
+	SortExtClient(extClients[:])
 	for _, extI := range extClients {
 		if extI.Network == network.String() {
 			if onlyWg && extI.RemoteAccessClientID != "" {
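Review bot: On lines 179-183 a candidate name counts as free whenever `GetExtClient` returns any error, so a transient store error during the lookup (rather than a not-found result) lets an existing name be returned, and SaveExtClient on line 161 would then collide with or overwrite that record. Only a distinguishable not-found result should count as free; if the package has a sentinel for that, use `errors.Is(err, <placeholder: not-found sentinel>)` and return any other error from the loop. The bound on line 171 admits 11 attempts because `cnt` is compared before it is incremented, and the 15 on line 176 is unexplained; a named constant and a doc comment stating both the length cap and per-network uniqueness would replace the one-liner on line 164. CreateExtClient begins before the hunk, so `err` on line 154 must already be declared there; separately, `extClients[:]` on line 196 is a no-op if extClients is already a slice.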

+ 17 - 0
logic/peers.go

@@ -227,6 +227,23 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 			} else if host.EndpointIPv6 != nil && peerHost.EndpointIPv6 != nil {
 				peerEndpoint = peerHost.EndpointIPv6
 			}
+			if host.EndpointIP == nil && peerEndpoint == nil {
+				if peerHost.EndpointIP != nil {
+					peerEndpoint = peerHost.EndpointIP
+				}
+			}
+			if host.EndpointIPv6 == nil && peerEndpoint == nil {
+				if peerHost.EndpointIPv6 != nil {
+					peerEndpoint = peerHost.EndpointIPv6
+				}
+			}
+			if node.IsRelay && peer.RelayedBy == node.ID.String() && !peer.IsStatic {
+				// don't set endpoint on relayed peer
+				peerEndpoint = nil
+			}
+			if isFailOverPeer && peer.FailedOverBy == node.ID && !peer.IsStatic {
+				peerEndpoint = nil
+			}
 
 			peerConfig.Endpoint = &net.UDPAddr{
 				IP:   peerEndpoint,
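Review bot: The branches on lines 218-224 deliberately leave `peerEndpoint` nil for relayed and failed-over peers, but the line after the hunk still builds `&net.UDPAddr{IP: peerEndpoint, ...}`, so the peer config carries an address with a nil IP and a port rather than no endpoint; confirm the consumer of `peerConfig.Endpoint` treats a nil IP as unset, otherwise guard the assignment with `if peerEndpoint != nil {`. The two fallback blocks on lines 208-217 are mirror images and read more clearly as one `if peerEndpoint == nil` containing both cases. The failover branch on line 222 deserves the same explanatory comment as line 219, e.g. `// don't set endpoint on a peer that is being failed over by this node`. GetPeerUpdateForHost extends beyond the hunk on both sides.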

+ 0 - 12
migrate/migrate.go

@@ -226,18 +226,6 @@ func updateNodes() {
 			}
 		}
 	}
-	extclients, _ := logic.GetAllExtClients()
-	for _, extclient := range extclients {
-		tagID := models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
-			models.RemoteAccessTagName))
-		if extclient.Tags == nil {
-			extclient.Tags = make(map[models.TagID]struct{})
-		}
-		if _, ok := extclient.Tags[tagID]; !ok {
-			extclient.Tags[tagID] = struct{}{}
-			logic.SaveExtClient(&extclient)
-		}
-	}
 }
 
 func removeInterGw(egressRanges []string) ([]string, bool) {

+ 2 - 1
models/user_mgmt.go

@@ -80,7 +80,8 @@ const (
 	AllUserRsrcID           RsrcID = "all_user"
 	AllDnsRsrcID            RsrcID = "all_dns"
 	AllFailOverRsrcID       RsrcID = "all_fail_over"
-	AllAclsRsrcID           RsrcID = "all_acls"
+	AllAclsRsrcID           RsrcID = "all_acl"
+	AllTagsRsrcID           RsrcID = "all_tag"
 )
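Review bot: Changing the value of `AllAclsRsrcID` from `"all_acls"` to `"all_acl"` on line 260 alters a string that, judging by the `json.Marshal` of permission templates in pro/logic/user_mgmt.go, is likely persisted inside stored role documents; roles saved before this change would still carry `"all_acls"` and no longer match lookups keyed by the constant, silently dropping ACL access for existing users. Either keep the old value, or add a migration that rewrites stored templates, and mention the rename in the commit description. If the value is not persisted anywhere, a one-line comment on line 260 saying so would save the next reader the same check.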
 
 // Pre-Defined User Roles

+ 8 - 0
pro/controllers/failover.go

@@ -219,6 +219,14 @@ func failOverME(w http.ResponseWriter, r *http.Request) {
 		)
 		return
 	}
+	if peerNode.IsFailOver {
+		logic.ReturnErrorResponse(
+			w,
+			r,
+			logic.FormatError(errors.New("peer is acting as failover"), "badrequest"),
+		)
+		return
+	}
 	if node.IsRelayed && node.RelayedBy == peerNode.ID.String() {
 		logic.ReturnErrorResponse(
 			w,

+ 2 - 2
pro/controllers/users.go

@@ -1006,8 +1006,8 @@ func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
 			userConf.Enabled = parentNetwork.DefaultACL == "yes"
 		}
 		userConf.Tags = make(map[models.TagID]struct{})
-		userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
-			models.RemoteAccessTagName))] = struct{}{}
+		// userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
+		// 	models.RemoteAccessTagName))] = struct{}{}
 		if err = logic.CreateExtClient(&userConf); err != nil {
 			slog.Error(
 				"failed to create extclient",

+ 5 - 1
pro/logic/failover.go

@@ -3,6 +3,7 @@ package logic
 import (
 	"errors"
 	"net"
+	"sync"
 
 	"github.com/google/uuid"
 	"github.com/gravitl/netmaker/logger"
@@ -11,8 +12,11 @@ import (
 	"golang.org/x/exp/slog"
 )
 
-func SetFailOverCtx(failOverNode, victimNode, peerNode models.Node) error {
+var failOverCtxMutex = &sync.RWMutex{}
 
+func SetFailOverCtx(failOverNode, victimNode, peerNode models.Node) error {
+	failOverCtxMutex.Lock()
+	defer failOverCtxMutex.Unlock()
 	if peerNode.FailOverPeers == nil {
 		peerNode.FailOverPeers = make(map[string]struct{})
 	}
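Review bot: `failOverCtxMutex` on line 316 is a `sync.RWMutex`, but the hunk only ever takes the exclusive `Lock`; unless readers elsewhere use `RLock`, a plain `sync.Mutex` states the intent more directly, and the idiomatic form is a value (`var failOverCtxMutex sync.Mutex`) rather than a pointer to a literal. The lock only serializes SetFailOverCtx against itself; the FailOverPeers maps it mutates are presumably read and written on other paths too (the function continues past the hunk), and those must take the same mutex for this to be a complete fix. A comment on the var naming what it guards, e.g. `// failOverCtxMutex serializes updates to the FailOverPeers maps of the failover, victim and peer nodes.`, would make that contract visible.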

+ 1 - 1
pro/logic/metrics.go

@@ -17,7 +17,7 @@ import (
 
 var (
 	metricsCacheMutex = &sync.RWMutex{}
-	metricsCacheMap   map[string]models.Metrics
+	metricsCacheMap   = make(map[string]models.Metrics)
 )
 
 func getMetricsFromCache(key string) (metrics models.Metrics, ok bool) {

+ 60 - 0
pro/logic/user_mgmt.go

@@ -60,6 +60,36 @@ var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{
 				SelfOnly: true,
 			},
 		},
+		models.DnsRsrc: {
+			models.AllDnsRsrcID: models.RsrcPermissionScope{
+				Read: true,
+			},
+		},
+		models.AclRsrc: {
+			models.AllAclsRsrcID: models.RsrcPermissionScope{
+				Read: true,
+			},
+		},
+		models.EgressGwRsrc: {
+			models.AllEgressGwRsrcID: models.RsrcPermissionScope{
+				Read: true,
+			},
+		},
+		models.InetGwRsrc: {
+			models.AllInetGwRsrcID: models.RsrcPermissionScope{
+				Read: true,
+			},
+		},
+		models.RelayRsrc: {
+			models.AllRelayRsrcID: models.RsrcPermissionScope{
+				Read: true,
+			},
+		},
+		models.TagRsrc: {
+			models.AllTagsRsrcID: models.RsrcPermissionScope{
+				Read: true,
+			},
+		},
 	},
 }
 
@@ -147,6 +177,36 @@ func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
 					SelfOnly: true,
 				},
 			},
+			models.DnsRsrc: {
+				models.AllDnsRsrcID: models.RsrcPermissionScope{
+					Read: true,
+				},
+			},
+			models.AclRsrc: {
+				models.AllAclsRsrcID: models.RsrcPermissionScope{
+					Read: true,
+				},
+			},
+			models.EgressGwRsrc: {
+				models.AllEgressGwRsrcID: models.RsrcPermissionScope{
+					Read: true,
+				},
+			},
+			models.InetGwRsrc: {
+				models.AllInetGwRsrcID: models.RsrcPermissionScope{
+					Read: true,
+				},
+			},
+			models.RelayRsrc: {
+				models.AllRelayRsrcID: models.RsrcPermissionScope{
+					Read: true,
+				},
+			},
+			models.TagRsrc: {
+				models.AllTagsRsrcID: models.RsrcPermissionScope{
+					Read: true,
+				},
+			},
 		},
 	}
 	d, _ := json.Marshal(NetworkAdminPermissionTemplate)
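Review bot: The six read-only scope entries added on lines 345-374 are repeated verbatim on lines 382-411 inside CreateDefaultNetworkRolesAndGroups (whose start lies outside the hunk), so the next permission added to one template will be forgotten in the other; build the shared block once as a package-level map and merge it into both templates. This also widens what a default network user can read — every ACL, egress, internet-gateway, relay and tag definition in the network — which is an authorization change worth stating explicitly in the commit description. Since line 414 marshals and presumably stores the template, roles created before this change will not gain the new scopes until they are regenerated; say whether that is intended.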