
fix all rsrcs comms

abhishek9686 hace 1 semana
padre
commit
f8aac03338
Se han modificado 3 ficheros con 40 adiciones y 298 borrados
  1. 40 74
      logic/acls.go
  2. 0 1
      pro/initialize.go
  3. 0 223
      pro/logic/acls.go

+ 40 - 74
logic/acls.go

@@ -18,10 +18,6 @@ import (
 	"github.com/gravitl/netmaker/servercfg"
 )
 
-// TODO: Write Diff Funcs
-
-var IsNodeAllowedToCommunicate = isNodeAllowedToCommunicate
-
 var GetFwRulesForNodeAndPeerOnGw = getFwRulesForNodeAndPeerOnGw
 
 var GetFwRulesForUserNodesOnGw = func(node models.Node, nodes []models.Node) (rules []models.FwRule) { return }
@@ -375,62 +371,6 @@ var MigrateToGws = func() {
 
 }
 
-func CheckIfNodeHasAccessToAllResources(targetnode *models.Node, acls []models.Acl) bool {
-	var targetNodeTags = make(map[models.TagID]struct{})
-	if targetnode.Mutex != nil {
-		targetnode.Mutex.Lock()
-		targetNodeTags = maps.Clone(targetnode.Tags)
-		targetnode.Mutex.Unlock()
-	} else {
-		targetNodeTags = maps.Clone(targetnode.Tags)
-	}
-	if targetNodeTags == nil {
-		targetNodeTags = make(map[models.TagID]struct{})
-	}
-	targetNodeTags[models.TagID(targetnode.ID.String())] = struct{}{}
-	targetNodeTags["*"] = struct{}{}
-	if targetnode.IsGw {
-		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetnode.Network, models.GwTagName))] = struct{}{}
-	}
-	for _, acl := range acls {
-		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
-			continue
-		}
-		srcTags := ConvAclTagToValueMap(acl.Src)
-		dstTags := ConvAclTagToValueMap(acl.Dst)
-		_, srcAll := srcTags["*"]
-		_, dstAll := dstTags["*"]
-		for nodeTag := range targetNodeTags {
-
-			var existsInSrcTag bool
-			var existsInDstTag bool
-
-			if _, ok := srcTags[nodeTag.String()]; ok {
-				existsInSrcTag = true
-			}
-			if _, ok := srcTags[targetnode.ID.String()]; ok {
-				existsInSrcTag = true
-			}
-			if _, ok := dstTags[nodeTag.String()]; ok {
-				existsInDstTag = true
-			}
-			if _, ok := dstTags[targetnode.ID.String()]; ok {
-				existsInDstTag = true
-			}
-			if acl.AllowedDirection == models.TrafficDirectionBi {
-				if existsInSrcTag && dstAll || existsInDstTag && srcAll {
-					return true
-				}
-			} else {
-				if existsInDstTag && srcAll {
-					return true
-				}
-			}
-		}
-	}
-	return false
-}
-
 var CheckIfAnyPolicyisUniDirectional = func(targetNode models.Node, acls []models.Acl) bool {
 	return false
 }
@@ -935,11 +875,19 @@ func IsNodeAllowedToCommunicateWithAllRsrcs(node models.Node) bool {
 		nodeId = node.ID.String()
 	}
 	nodeTags := make(map[models.TagID]struct{})
-
-	nodeTags[models.TagID(nodeId)] = struct{}{}
-	if node.IsGw {
-		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}
+	if node.Mutex != nil {
+		node.Mutex.Lock()
+		nodeTags = maps.Clone(node.Tags)
+		node.Mutex.Unlock()
+	} else {
+		nodeTags = maps.Clone(node.Tags)
+	}
+	if nodeTags == nil {
+		nodeTags = make(map[models.TagID]struct{})
 	}
+	nodeTags[models.TagID(node.ID.String())] = struct{}{}
+	nodeTags["*"] = struct{}{}
+	nodeTags[models.TagID(nodeId)] = struct{}{}
 	// list device policies
 	policies := ListDevicePolicies(models.NetworkID(node.Network))
 	srcMap := make(map[string]struct{})
@@ -974,8 +922,14 @@ func IsNodeAllowedToCommunicateWithAllRsrcs(node models.Node) bool {
 }
 
 // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // ADD ALLOWED DIRECTION - 0 => node -> peer, 1 => peer-> node,
-func isNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
+func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
 	var nodeId, peerId string
+	// if peer.IsFailOver && node.FailedOverBy != uuid.Nil && node.FailedOverBy == peer.ID {
+	// 	return true, []models.Acl{}
+	// }
+	// if node.IsFailOver && peer.FailedOverBy != uuid.Nil && peer.FailedOverBy == node.ID {
+	// 	return true, []models.Acl{}
+	// }
 	// if node.IsGw && peer.IsRelayed && peer.RelayedBy == node.ID.String() {
 	// 	return true, []models.Acl{}
 	// }
@@ -995,17 +949,29 @@ func isNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
 		peerId = peer.ID.String()
 	}
 
-	nodeTags := make(map[models.TagID]struct{})
-	peerTags := make(map[models.TagID]struct{})
-
-	nodeTags[models.TagID(nodeId)] = struct{}{}
-	peerTags[models.TagID(peerId)] = struct{}{}
-	if peer.IsGw {
-		peerTags[models.TagID(fmt.Sprintf("%s.%s", peer.Network, models.GwTagName))] = struct{}{}
+	var nodeTags, peerTags map[models.TagID]struct{}
+	if node.Mutex != nil {
+		node.Mutex.Lock()
+		nodeTags = maps.Clone(node.Tags)
+		node.Mutex.Unlock()
+	} else {
+		nodeTags = node.Tags
 	}
-	if node.IsGw {
-		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}
+	if peer.Mutex != nil {
+		peer.Mutex.Lock()
+		peerTags = maps.Clone(peer.Tags)
+		peer.Mutex.Unlock()
+	} else {
+		peerTags = peer.Tags
+	}
+	if nodeTags == nil {
+		nodeTags = make(map[models.TagID]struct{})
 	}
+	if peerTags == nil {
+		peerTags = make(map[models.TagID]struct{})
+	}
+	nodeTags[models.TagID(nodeId)] = struct{}{}
+	peerTags[models.TagID(peerId)] = struct{}{}
 	if checkDefaultPolicy {
 		// check default policy if all allowed return true
 		defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
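Review bot: In the `node.Mutex == nil` branch the new code assigns `nodeTags = node.Tags` (and likewise `peerTags = peer.Tags`), so the later `nodeTags[models.TagID(nodeId)] = struct{}{}` writes into the caller's Tags map — `node` is passed by value, but the map header is shared — mutating node state that this function has no lock on and leaving the node's own ID in its tag set after the check returns. The hunk in IsNodeAllowedToCommunicateWithAllRsrcs above clones in both branches; this function should do the same, with `nodeTags = maps.Clone(node.Tags)` and `peerTags = maps.Clone(peer.Tags)` in the else branches. Because this is the access-control decision path, an unsynchronized write to a map other goroutines may be reading is also a potential concurrent-map panic, so it is worth a `-race` run once fixed. IsNodeAllowedToCommunicate begins and ends outside this hunk.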

+ 0 - 1
pro/initialize.go

@@ -154,7 +154,6 @@ func InitPro() {
 	logic.CheckIfAnyActiveEgressPolicy = proLogic.CheckIfAnyActiveEgressPolicy
 	logic.CheckIfAnyPolicyisUniDirectional = proLogic.CheckIfAnyPolicyisUniDirectional
 	logic.MigrateToGws = proLogic.MigrateToGws
-	logic.IsNodeAllowedToCommunicate = proLogic.IsNodeAllowedToCommunicate
 	logic.GetFwRulesForNodeAndPeerOnGw = proLogic.GetFwRulesForNodeAndPeerOnGw
 	logic.GetFwRulesForUserNodesOnGw = proLogic.GetFwRulesForUserNodesOnGw
 	logic.GetHostLocInfo = proLogic.GetHostLocInfo

+ 0 - 223
pro/logic/acls.go

@@ -690,188 +690,6 @@ func RemoveUserFromAclPolicy(userName string) {
 	}
 }
 
-// IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // ADD ALLOWED DIRECTION - 0 => node -> peer, 1 => peer-> node,
-func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
-	var nodeId, peerId string
-	// if peer.IsFailOver && node.FailedOverBy != uuid.Nil && node.FailedOverBy == peer.ID {
-	// 	return true, []models.Acl{}
-	// }
-	// if node.IsFailOver && peer.FailedOverBy != uuid.Nil && peer.FailedOverBy == node.ID {
-	// 	return true, []models.Acl{}
-	// }
-	// if node.IsGw && peer.IsRelayed && peer.RelayedBy == node.ID.String() {
-	// 	return true, []models.Acl{}
-	// }
-	// if peer.IsGw && node.IsRelayed && node.RelayedBy == peer.ID.String() {
-	// 	return true, []models.Acl{}
-	// }
-	if node.IsStatic {
-		nodeId = node.StaticNode.ClientID
-		node = node.StaticNode.ConvertToStaticNode()
-	} else {
-		nodeId = node.ID.String()
-	}
-	if peer.IsStatic {
-		peerId = peer.StaticNode.ClientID
-		peer = peer.StaticNode.ConvertToStaticNode()
-	} else {
-		peerId = peer.ID.String()
-	}
-
-	var nodeTags, peerTags map[models.TagID]struct{}
-	if node.Mutex != nil {
-		node.Mutex.Lock()
-		nodeTags = maps.Clone(node.Tags)
-		node.Mutex.Unlock()
-	} else {
-		nodeTags = node.Tags
-	}
-	if peer.Mutex != nil {
-		peer.Mutex.Lock()
-		peerTags = maps.Clone(peer.Tags)
-		peer.Mutex.Unlock()
-	} else {
-		peerTags = peer.Tags
-	}
-	if nodeTags == nil {
-		nodeTags = make(map[models.TagID]struct{})
-	}
-	if peerTags == nil {
-		peerTags = make(map[models.TagID]struct{})
-	}
-	nodeTags[models.TagID(nodeId)] = struct{}{}
-	peerTags[models.TagID(peerId)] = struct{}{}
-	if checkDefaultPolicy {
-		// check default policy if all allowed return true
-		defaultPolicy, err := logic.GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
-		if err == nil {
-			if defaultPolicy.Enabled {
-				return true, []models.Acl{defaultPolicy}
-			}
-		}
-	}
-	allowedPolicies := []models.Acl{}
-	defer func() {
-		allowedPolicies = logic.UniquePolicies(allowedPolicies)
-	}()
-	// list device policies
-	policies := logic.ListDevicePolicies(models.NetworkID(peer.Network))
-	srcMap := make(map[string]struct{})
-	dstMap := make(map[string]struct{})
-	defer func() {
-		srcMap = nil
-		dstMap = nil
-	}()
-	for _, policy := range policies {
-		if !policy.Enabled {
-			continue
-		}
-		allowed := false
-		srcMap = logic.ConvAclTagToValueMap(policy.Src)
-		dstMap = logic.ConvAclTagToValueMap(policy.Dst)
-		for _, dst := range policy.Dst {
-			if dst.ID == models.EgressID {
-				e := schema.Egress{ID: dst.Value}
-				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil && e.Status {
-					for nodeID := range e.Nodes {
-						dstMap[nodeID] = struct{}{}
-					}
-				}
-			}
-		}
-		_, srcAll := srcMap["*"]
-		_, dstAll := dstMap["*"]
-		if policy.AllowedDirection == models.TrafficDirectionBi {
-			if _, ok := srcMap[nodeId]; ok || srcAll {
-				if _, ok := dstMap[peerId]; ok || dstAll {
-					allowedPolicies = append(allowedPolicies, policy)
-					continue
-				}
-
-			}
-			if _, ok := dstMap[nodeId]; ok || dstAll {
-				if _, ok := srcMap[peerId]; ok || srcAll {
-					allowedPolicies = append(allowedPolicies, policy)
-					continue
-				}
-			}
-		}
-		if _, ok := dstMap[peerId]; ok || dstAll {
-			if _, ok := srcMap[nodeId]; ok || srcAll {
-				allowedPolicies = append(allowedPolicies, policy)
-				continue
-			}
-		}
-		if policy.AllowedDirection == models.TrafficDirectionBi {
-
-			for tagID := range nodeTags {
-
-				if _, ok := dstMap[tagID.String()]; ok || dstAll {
-					if srcAll {
-						allowed = true
-						break
-					}
-					for tagID := range peerTags {
-						if _, ok := srcMap[tagID.String()]; ok {
-							allowed = true
-							break
-						}
-					}
-				}
-				if allowed {
-					allowedPolicies = append(allowedPolicies, policy)
-					break
-				}
-				if _, ok := srcMap[tagID.String()]; ok || srcAll {
-					if dstAll {
-						allowed = true
-						break
-					}
-					for tagID := range peerTags {
-						if _, ok := dstMap[tagID.String()]; ok {
-							allowed = true
-							break
-						}
-					}
-				}
-				if allowed {
-					break
-				}
-			}
-			if allowed {
-				allowedPolicies = append(allowedPolicies, policy)
-				continue
-			}
-		}
-		for tagID := range peerTags {
-			if _, ok := dstMap[tagID.String()]; ok || dstAll {
-				if srcAll {
-					allowed = true
-					break
-				}
-				for tagID := range nodeTags {
-					if _, ok := srcMap[tagID.String()]; ok {
-						allowed = true
-						break
-					}
-				}
-			}
-			if allowed {
-				break
-			}
-		}
-		if allowed {
-			allowedPolicies = append(allowedPolicies, policy)
-		}
-	}
-
-	if len(allowedPolicies) > 0 {
-		return true, allowedPolicies
-	}
-	return false, allowedPolicies
-}
-
 // UpdateDeviceTag - updates device tag on acl policies
 func UpdateDeviceTag(OldID, newID models.TagID, netID models.NetworkID) {
 	acls := logic.ListDevicePolicies(netID)
@@ -1465,47 +1283,6 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 						}
 					}
 				}
-				// if existsInDstTag && existsInSrcTag {
-				// 	nodes := taggedNodes[nodeTag]
-				// 	for srcID := range srcTags {
-				// 		if srcID == targetnode.ID.String() {
-				// 			continue
-				// 		}
-				// 		node, err := GetNodeByID(srcID)
-				// 		if err == nil {
-				// 			nodes = append(nodes, node)
-				// 		}
-				// 	}
-				// 	for dstID := range dstTags {
-				// 		if dstID == targetnode.ID.String() {
-				// 			continue
-				// 		}
-				// 		node, err := GetNodeByID(dstID)
-				// 		if err == nil {
-				// 			nodes = append(nodes, node)
-				// 		}
-				// 	}
-				// 	for _, node := range nodes {
-				// 		if node.ID == targetnode.ID {
-				// 			continue
-				// 		}
-				// 		if node.IsStatic && node.StaticNode.IngressGatewayID == targetnode.ID.String() {
-				// 			continue
-				// 		}
-				// 		if node.Address.IP != nil {
-				// 			aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
-				// 		}
-				// 		if node.Address6.IP != nil {
-				// 			aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
-				// 		}
-				// 		if node.IsStatic && node.StaticNode.Address != "" {
-				// 			aclRule.IPList = append(aclRule.IPList, node.StaticNode.AddressIPNet4())
-				// 		}
-				// 		if node.IsStatic && node.StaticNode.Address6 != "" {
-				// 			aclRule.IP6List = append(aclRule.IP6List, node.StaticNode.AddressIPNet6())
-				// 		}
-				// 	}
-				// }
 			} else {
 				_, all := dstTags["*"]
 				if _, ok := dstTags[nodeTag.String()]; ok || all {