| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601 | package logicimport (	"context"	"encoding/json"	"errors"	"fmt"	"maps"	"net"	"sort"	"sync"	"time"	"github.com/gravitl/netmaker/database"	"github.com/gravitl/netmaker/db"	"github.com/gravitl/netmaker/models"	"github.com/gravitl/netmaker/schema"	"github.com/gravitl/netmaker/servercfg")// TODO: Write Diff Funcsvar IsNodeAllowedToCommunicate = isNodeAllowedToCommunicatevar GetFwRulesForNodeAndPeerOnGw = getFwRulesForNodeAndPeerOnGwvar GetFwRulesForUserNodesOnGw = func(node models.Node, nodes []models.Node) (rules []models.FwRule) { return }func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {	// fetch user access to static clients via policies	defer func() {		sort.Slice(rules, func(i, j int) bool {			if !rules[i].SrcIP.IP.Equal(rules[j].SrcIP.IP) {				return string(rules[i].SrcIP.IP.To16()) < string(rules[j].SrcIP.IP.To16())			}			return string(rules[i].DstIP.IP.To16()) < string(rules[j].DstIP.IP.To16())		})	}()	defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)	nodes, _ := GetNetworkNodes(node.Network)	nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...)	rules = GetFwRulesForUserNodesOnGw(node, nodes)	if defaultDevicePolicy.Enabled {		return	}	for _, nodeI := range nodes {		if !nodeI.IsStatic || nodeI.IsUserNode {			continue		}		// if nodeI.StaticNode.IngressGatewayID != node.ID.String() {		// 	continue		// }		if IsNodeAllowedToCommunicateWithAllRsrcs(nodeI) {			if nodeI.Address.IP != nil {				rules = append(rules, models.FwRule{					SrcIP: net.IPNet{						IP:   nodeI.Address.IP,						Mask: net.CIDRMask(32, 32),					},					Allow: true,				})				rules = append(rules, models.FwRule{					SrcIP: node.NetworkRange,					DstIP: net.IPNet{						IP:   nodeI.Address.IP,						Mask: net.CIDRMask(32, 32),					},					Allow: true,				})			}			if nodeI.Address6.IP != nil {				rules = append(rules, models.FwRule{					SrcIP: net.IPNet{						IP:   nodeI.Address6.IP,						Mask: net.CIDRMask(128, 128),					},					Allow: true,				})				rules = append(rules, models.FwRule{					SrcIP: node.NetworkRange6,					DstIP: net.IPNet{						IP:   nodeI.Address.IP,						Mask: net.CIDRMask(128, 128),					},					Allow: true,				})			}			continue		}		for _, peer := range nodes {			if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode {				continue			}			if nodeI.StaticNode.IngressGatewayID != node.ID.String() &&				((!peer.IsStatic && peer.ID.String() != node.ID.String()) ||					(peer.IsStatic && peer.StaticNode.IngressGatewayID != node.ID.String())) {				continue			}			if peer.IsStatic {				peer = peer.StaticNode.ConvertToStaticNode()			}			var allowedPolicies1 []models.Acl			var ok bool			if ok, allowedPolicies1 = IsNodeAllowedToCommunicate(nodeI.StaticNode.ConvertToStaticNode(), peer, true); ok {				rules = append(rules, GetFwRulesForNodeAndPeerOnGw(nodeI.StaticNode.ConvertToStaticNode(), peer, allowedPolicies1)...)			}			if ok, allowedPolicies2 := IsNodeAllowedToCommunicate(peer, nodeI.StaticNode.ConvertToStaticNode(), true); ok {				rules = append(rules,					GetFwRulesForNodeAndPeerOnGw(peer, nodeI.StaticNode.ConvertToStaticNode(),						getUniquePolicies(allowedPolicies1, allowedPolicies2))...)			}		}	}	if len(node.RelayedNodes) > 0 {		for _, relayedNodeID := range node.RelayedNodes {			relayedNode, err := GetNodeByID(relayedNodeID)			if err != nil {				continue			}			if relayedNode.Address.IP != nil {				relayedFwRule := models.FwRule{					AllowedProtocol: models.ALL,					AllowedPorts:    []string{},					Allow:           true,				}				relayedFwRule.DstIP = relayedNode.AddressIPNet4()				relayedFwRule.SrcIP = node.NetworkRange				rules = append(rules, relayedFwRule)			}			if relayedNode.Address6.IP != nil {				relayedFwRule := models.FwRule{					AllowedProtocol: models.ALL,					AllowedPorts:    []string{},					Allow:           true,				}				relayedFwRule.DstIP = relayedNode.AddressIPNet6()				relayedFwRule.SrcIP = node.NetworkRange6				rules = append(rules, relayedFwRule)			}		}	}	return}func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []models.Acl) (rules []models.FwRule) {	for _, policy := range allowedPolicies {		// if static peer dst rule not for ingress node -> skip		if node.Address.IP != nil {			rules = append(rules, models.FwRule{				SrcIP: net.IPNet{					IP:   node.Address.IP,					Mask: net.CIDRMask(32, 32),				},				DstIP: net.IPNet{					IP:   peer.Address.IP,					Mask: net.CIDRMask(32, 32),				},				Allow: true,			})		}		if node.Address6.IP != nil {			rules = append(rules, models.FwRule{				SrcIP: net.IPNet{					IP:   node.Address6.IP,					Mask: net.CIDRMask(128, 128),				},				DstIP: net.IPNet{					IP:   peer.Address6.IP,					Mask: net.CIDRMask(128, 128),				},				Allow: true,			})		}		if policy.AllowedDirection == models.TrafficDirectionBi {			if node.Address.IP != nil {				rules = append(rules, models.FwRule{					SrcIP: net.IPNet{						IP:   peer.Address.IP,						Mask: net.CIDRMask(32, 32),					},					DstIP: net.IPNet{						IP:   node.Address.IP,						Mask: net.CIDRMask(32, 32),					},					Allow: true,				})			}			if node.Address6.IP != nil {				rules = append(rules, models.FwRule{					SrcIP: net.IPNet{						IP:   peer.Address6.IP,						Mask: net.CIDRMask(128, 128),					},					DstIP: net.IPNet{						IP:   node.Address6.IP,						Mask: net.CIDRMask(128, 128),					},					Allow: true,				})			}		}		if len(node.StaticNode.ExtraAllowedIPs) > 0 {			for _, additionalAllowedIPNet := range node.StaticNode.ExtraAllowedIPs {				_, ipNet, err := net.ParseCIDR(additionalAllowedIPNet)				if err != nil {					continue				}				if ipNet.IP.To4() != nil && peer.Address.IP != nil {					rules = append(rules, models.FwRule{						SrcIP: net.IPNet{							IP:   peer.Address.IP,							Mask: net.CIDRMask(32, 32),						},						DstIP: *ipNet,						Allow: true,					})				} else if peer.Address6.IP != nil {					rules = append(rules, models.FwRule{						SrcIP: net.IPNet{							IP:   peer.Address6.IP,							Mask: net.CIDRMask(128, 128),						},						DstIP: *ipNet,						Allow: true,					})				}			}		}		if len(peer.StaticNode.ExtraAllowedIPs) > 0 {			for _, additionalAllowedIPNet := range peer.StaticNode.ExtraAllowedIPs {				_, ipNet, err := net.ParseCIDR(additionalAllowedIPNet)				if err != nil {					continue				}				if ipNet.IP.To4() != nil && node.Address.IP != nil {					rules = append(rules, models.FwRule{						SrcIP: net.IPNet{							IP:   node.Address.IP,							Mask: net.CIDRMask(32, 32),						},						DstIP: *ipNet,						Allow: true,					})				} else if node.Address6.IP != nil {					rules = append(rules, models.FwRule{						SrcIP: net.IPNet{							IP:   node.Address6.IP,							Mask: net.CIDRMask(128, 128),						},						DstIP: *ipNet,						Allow: true,					})				}			}		}		// add egress range rules		for _, dstI := range policy.Dst {			if dstI.ID == models.EgressID {				e := schema.Egress{ID: dstI.Value}				err := e.Get(db.WithContext(context.TODO()))				if err != nil {					continue				}				dstI.Value = e.Range				ip, cidr, err := net.ParseCIDR(dstI.Value)				if err == nil {					if ip.To4() != nil {						if node.Address.IP != nil {							rules = append(rules, models.FwRule{								SrcIP: net.IPNet{									IP:   node.Address.IP,									Mask: net.CIDRMask(32, 32),								},								DstIP: *cidr,								Allow: true,							})						}					} else {						if node.Address6.IP != nil {							rules = append(rules, models.FwRule{								SrcIP: net.IPNet{									IP:   node.Address6.IP,									Mask: net.CIDRMask(128, 128),								},								DstIP: *cidr,								Allow: true,							})						}					}				}			}		}	}	return}func getUniquePolicies(policies1, policies2 []models.Acl) []models.Acl {	policies1Map := make(map[string]struct{})	for _, policy1I := range policies1 {		policies1Map[policy1I.ID] = struct{}{}	}	for i := len(policies2) - 1; i >= 0; i-- {		if _, ok := policies1Map[policies2[i].ID]; ok {			policies2 = append(policies2[:i], policies2[i+1:]...)		}	}	return policies2}// Sort a slice of net.IP addressesfunc sortIPs(ips []net.IP) {	sort.Slice(ips, func(i, j int) bool {		ip1, ip2 := ips[i].To16(), ips[j].To16()		return string(ip1) < string(ip2) // Compare as byte slices	})}func GetStaticNodeIps(node models.Node) (ips []net.IP) {	defer func() {		sortIPs(ips)	}()	defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)	defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)	extclients := GetStaticNodesByNetwork(models.NetworkID(node.Network), false)	for _, extclient := range extclients {		if extclient.IsUserNode && defaultUserPolicy.Enabled {			continue		}		if !extclient.IsUserNode && defaultDevicePolicy.Enabled {			continue		}		if extclient.StaticNode.Address != "" {			ips = append(ips, extclient.StaticNode.AddressIPNet4().IP)		}		if extclient.StaticNode.Address6 != "" {			ips = append(ips, extclient.StaticNode.AddressIPNet6().IP)		}	}	return}var MigrateToGws = func() {	nodes, err := GetAllNodes()	if err != nil {		return	}	for _, node := range nodes {		if node.IsIngressGateway || node.IsRelay || node.IsInternetGateway {			node.IsGw = true			node.IsIngressGateway = true			node.IsRelay = true			if node.Tags == nil {				node.Tags = make(map[models.TagID]struct{})			}			UpsertNode(&node)		}	}}func CheckIfNodeHasAccessToAllResources(targetnode *models.Node, acls []models.Acl) bool {	var targetNodeTags = make(map[models.TagID]struct{})	if targetnode.Mutex != nil {		targetnode.Mutex.Lock()		targetNodeTags = maps.Clone(targetnode.Tags)		targetnode.Mutex.Unlock()	} else {		targetNodeTags = maps.Clone(targetnode.Tags)	}	if targetNodeTags == nil {		targetNodeTags = make(map[models.TagID]struct{})	}	targetNodeTags[models.TagID(targetnode.ID.String())] = struct{}{}	targetNodeTags["*"] = struct{}{}	if targetnode.IsGw {		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetnode.Network, models.GwTagName))] = struct{}{}	}	for _, acl := range acls {		if !acl.Enabled || acl.RuleType != models.DevicePolicy {			continue		}		srcTags := ConvAclTagToValueMap(acl.Src)		dstTags := ConvAclTagToValueMap(acl.Dst)		_, srcAll := srcTags["*"]		_, dstAll := dstTags["*"]		for nodeTag := range targetNodeTags {			var existsInSrcTag bool			var existsInDstTag bool			if _, ok := srcTags[nodeTag.String()]; ok {				existsInSrcTag = true			}			if _, ok := srcTags[targetnode.ID.String()]; ok {				existsInSrcTag = true			}			if _, ok := dstTags[nodeTag.String()]; ok {				existsInDstTag = true			}			if _, ok := dstTags[targetnode.ID.String()]; ok {				existsInDstTag = true			}			if acl.AllowedDirection == models.TrafficDirectionBi {				if existsInSrcTag && dstAll || existsInDstTag && srcAll {					return true				}			} else {				if existsInDstTag && srcAll {					return true				}			}		}	}	return false}var CheckIfAnyPolicyisUniDirectional = func(targetNode models.Node, acls []models.Acl) bool {	return false}var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node, acls []models.Acl) bool {	if !targetNode.EgressDetails.IsEgressGateway {		return false	}	var targetNodeTags = make(map[models.TagID]struct{})	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}	targetNodeTags["*"] = struct{}{}	if targetNode.IsGw {		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetNode.Network, models.GwTagName))] = struct{}{}	}	for _, acl := range acls {		if !acl.Enabled || acl.RuleType != models.DevicePolicy {			continue		}		srcTags := ConvAclTagToValueMap(acl.Src)		for _, dst := range acl.Dst {			if dst.ID == models.EgressID {				e := schema.Egress{ID: dst.Value}				err := e.Get(db.WithContext(context.TODO()))				if err == nil && e.Status {					for nodeTag := range targetNodeTags {						if _, ok := srcTags[nodeTag.String()]; ok {							return true						}						if _, ok := srcTags[targetNode.ID.String()]; ok {							return true						}					}				}			}		}	}	return false}var GetAclRulesForNode = func(targetnodeI *models.Node) (rules map[string]models.AclRule) {	targetnode := *targetnodeI	rules = make(map[string]models.AclRule)	acls := ListDevicePolicies(models.NetworkID(targetnode.Network))	targetNodeTags := make(map[models.TagID]struct{})	targetNodeTags[models.TagID(targetnode.ID.String())] = struct{}{}	targetNodeTags["*"] = struct{}{}	for _, acl := range acls {		if !acl.Enabled {			continue		}		srcTags := ConvAclTagToValueMap(acl.Src)		dstTags := ConvAclTagToValueMap(acl.Dst)		nodes := []models.Node{}		for _, dst := range acl.Dst {			if dst.ID == models.EgressID {				e := schema.Egress{ID: dst.Value}				err := e.Get(db.WithContext(context.TODO()))				if err == nil && e.Status {					for nodeID := range e.Nodes {						dstTags[nodeID] = struct{}{}					}				}			}		}		_, srcAll := srcTags["*"]		_, dstAll := dstTags["*"]		aclRule := models.AclRule{			ID:              acl.ID,			AllowedProtocol: acl.Proto,			AllowedPorts:    acl.Port,			Direction:       acl.AllowedDirection,			Allowed:         true,		}		for nodeTag := range targetNodeTags {			if acl.AllowedDirection == models.TrafficDirectionBi {				var existsInSrcTag bool				var existsInDstTag bool				if _, ok := srcTags[nodeTag.String()]; ok || srcAll {					existsInSrcTag = true				}				if _, ok := srcTags[targetnode.ID.String()]; ok || srcAll {					existsInSrcTag = true				}				if _, ok := dstTags[nodeTag.String()]; ok || dstAll {					existsInDstTag = true				}				if _, ok := dstTags[targetnode.ID.String()]; ok || dstAll {					existsInDstTag = true				}				if existsInSrcTag /* && !existsInDstTag*/ {					// get all dst tags					for dst := range dstTags {						if dst == nodeTag.String() {							continue						}						// Get peers in the tags and add allowed rules						if dst != targetnode.ID.String() {							node, err := GetNodeByID(dst)							if err == nil {								nodes = append(nodes, node)							}						}					}					for _, node := range nodes {						if node.ID == targetnode.ID {							continue						}						if node.IsStatic && node.StaticNode.IngressGatewayID == targetnode.ID.String() {							continue						}						if node.Address.IP != nil {							aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())						}						if node.Address6.IP != nil {							aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())						}						if node.IsStatic && node.StaticNode.Address != "" {							aclRule.IPList = append(aclRule.IPList, node.StaticNode.AddressIPNet4())						}						if node.IsStatic && node.StaticNode.Address6 != "" {							aclRule.IP6List = append(aclRule.IP6List, node.StaticNode.AddressIPNet6())						}					}				}				if existsInDstTag /*&& !existsInSrcTag*/ {					// get all src tags					for src := range srcTags {						if src == nodeTag.String() {							continue						}						// Get peers in the tags and add allowed rules						if src != targetnode.ID.String() {							node, err := GetNodeByID(src)							if err == nil {								nodes = append(nodes, node)							}						}					}					for _, node := range nodes {						if node.ID == targetnode.ID {							continue						}						if node.IsStatic && node.StaticNode.IngressGatewayID == targetnode.ID.String() {							continue						}						if node.Address.IP != nil {							aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())						}						if node.Address6.IP != nil {							aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())						}						if node.IsStatic && node.StaticNode.Address != "" {							aclRule.IPList = append(aclRule.IPList, node.StaticNode.AddressIPNet4())						}						if node.IsStatic && node.StaticNode.Address6 != "" {							aclRule.IP6List = append(aclRule.IP6List, node.StaticNode.AddressIPNet6())						}					}				}			}		}		if len(aclRule.IPList) > 0 || len(aclRule.IP6List) > 0 {			aclRule.IPList = UniqueIPNetList(aclRule.IPList)			aclRule.IP6List = UniqueIPNetList(aclRule.IP6List)			rules[acl.ID] = aclRule		}	}	return rules}var GetEgressRulesForNode = func(targetnode models.Node) (rules map[string]models.AclRule) {	return}var GetAclRuleForInetGw = func(targetnode models.Node) (rules map[string]models.AclRule) {	return}// Compare two IPs and return true if ip1 < ip2func lessIP(ip1, ip2 net.IP) bool {	ip1 = ip1.To16() // Ensure IPv4 is converted to IPv6-mapped format	ip2 = ip2.To16()	return string(ip1) < string(ip2)}// Sort by IP first, then by prefix lengthfunc sortIPNets(ipNets []net.IPNet) {	sort.Slice(ipNets, func(i, j int) bool {		ip1, ip2 := ipNets[i].IP, ipNets[j].IP		mask1, _ := ipNets[i].Mask.Size()		mask2, _ := ipNets[j].Mask.Size()		// Compare IPs first		if ip1.Equal(ip2) {			return mask1 < mask2 // If same IP, sort by subnet mask size		}		return lessIP(ip1, ip2)	})}func UniqueIPNetList(ipnets []net.IPNet) []net.IPNet {	uniqueMap := make(map[string]net.IPNet)	for _, ipnet := range ipnets {		key := ipnet.String() // Uses CIDR notation as a unique key		if _, exists := uniqueMap[key]; !exists {			uniqueMap[key] = ipnet		}	}	// Convert map back to slice	uniqueList := make([]net.IPNet, 0, len(uniqueMap))	for _, ipnet := range uniqueMap {		uniqueList = append(uniqueList, ipnet)	}	sortIPNets(uniqueList)	return uniqueList}func checkIfAclTagisValid(a models.Acl, t models.AclPolicyTag, isSrc bool) (err error) {	switch t.ID {	case models.NodeID:		if a.RuleType == models.UserPolicy && isSrc {			return errors.New("user policy source mismatch")		}		_, nodeErr := GetNodeByID(t.Value)		if nodeErr != nil {			_, staticNodeErr := GetExtClient(t.Value, a.NetworkID.String())			if staticNodeErr != nil {				return errors.New("invalid node " + t.Value)			}		}	case models.EgressID, models.EgressRange:		e := schema.Egress{			ID: t.Value,		}		err := e.Get(db.WithContext(context.TODO()))		if err != nil {			return errors.New("invalid egress")		}	default:		return errors.New("invalid policy")	}	return nil}var IsAclPolicyValid = func(acl models.Acl) (err error) {	//check if src and dst are valid	if acl.AllowedDirection == models.TrafficDirectionUni {		return errors.New("uni traffic flow not allowed on CE")	}	switch acl.RuleType {	case models.DevicePolicy:		for _, srcI := range acl.Src {			if srcI.Value == "*" {				continue			}			if srcI.ID == models.NodeTagID && srcI.Value == fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName) {				continue			}			if err = checkIfAclTagisValid(acl, srcI, true); err != nil {				return err			}		}		for _, dstI := range acl.Dst {			if dstI.Value == "*" {				continue			}			if dstI.ID == models.NodeTagID && dstI.Value == fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName) {				continue			}			if err = checkIfAclTagisValid(acl, dstI, false); err != nil {				return			}		}	default:		return errors.New("unknown acl policy type " + string(acl.RuleType))	}	return nil}var IsPeerAllowed = func(node, peer models.Node, checkDefaultPolicy bool) bool {	var nodeId, peerId string	// if node.IsGw && peer.IsRelayed && peer.RelayedBy == node.ID.String() {	// 	return true	// }	// if peer.IsGw && node.IsRelayed && node.RelayedBy == peer.ID.String() {	// 	return true	// }	if node.IsStatic {		nodeId = node.StaticNode.ClientID		node = node.StaticNode.ConvertToStaticNode()	} else {		nodeId = node.ID.String()	}	if peer.IsStatic {		peerId = peer.StaticNode.ClientID		peer = peer.StaticNode.ConvertToStaticNode()	} else {		peerId = peer.ID.String()	}	peerTags := make(map[models.TagID]struct{})	nodeTags := make(map[models.TagID]struct{})	nodeTags[models.TagID(nodeId)] = struct{}{}	peerTags[models.TagID(peerId)] = struct{}{}	if peer.IsGw {		peerTags[models.TagID(fmt.Sprintf("%s.%s", peer.Network, models.GwTagName))] = struct{}{}	}	if node.IsGw {		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}	}	if checkDefaultPolicy {		// check default policy if all allowed return true		defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)		if err == nil {			if defaultPolicy.Enabled {				return true			}		}	}	// list device policies	policies := ListDevicePolicies(models.NetworkID(peer.Network))	srcMap := make(map[string]struct{})	dstMap := make(map[string]struct{})	defer func() {		srcMap = nil		dstMap = nil	}()	for _, policy := range policies {		if !policy.Enabled {			continue		}		srcMap = ConvAclTagToValueMap(policy.Src)		dstMap = ConvAclTagToValueMap(policy.Dst)		for _, dst := range policy.Dst {			if dst.ID == models.EgressID {				e := schema.Egress{ID: dst.Value}				err := e.Get(db.WithContext(context.TODO()))				if err == nil && e.Status {					for nodeID := range e.Nodes {						dstMap[nodeID] = struct{}{}					}				}			}		}		if CheckTagGroupPolicy(srcMap, dstMap, node, peer, nodeTags, peerTags) {			return true		}	}	return false}func CheckTagGroupPolicy(srcMap, dstMap map[string]struct{}, node, peer models.Node,	nodeTags, peerTags map[models.TagID]struct{}) bool {	// check for node ID	if _, ok := srcMap[node.ID.String()]; ok {		if _, ok = dstMap[peer.ID.String()]; ok {			return true		}	}	if _, ok := dstMap[node.ID.String()]; ok {		if _, ok = srcMap[peer.ID.String()]; ok {			return true		}	}	for tagID := range nodeTags {		if _, ok := dstMap[tagID.String()]; ok {			if _, ok := srcMap["*"]; ok {				return true			}			for tagID := range peerTags {				if _, ok := srcMap[tagID.String()]; ok {					return true				}			}		}		if _, ok := srcMap[tagID.String()]; ok {			if _, ok := dstMap["*"]; ok {				return true			}			for tagID := range peerTags {				if _, ok := dstMap[tagID.String()]; ok {					return true				}			}		}	}	for tagID := range peerTags {		if _, ok := dstMap[tagID.String()]; ok {			if _, ok := srcMap["*"]; ok {				return true			}			for tagID := range nodeTags {				if _, ok := srcMap[tagID.String()]; ok {					return true				}			}		}		if _, ok := srcMap[tagID.String()]; ok {			if _, ok := dstMap["*"]; ok {				return true			}			for tagID := range nodeTags {				if _, ok := dstMap[tagID.String()]; ok {					return true				}			}		}	}	return false}var GetInetClientsFromAclPolicies = func(eID string) (inetClientIDs []string) {	e := schema.Egress{ID: eID}	err := e.Get(db.WithContext(context.TODO()))	if err != nil || !e.Status {		return	}	acls, _ := ListAclsByNetwork(models.NetworkID(e.Network))	for _, acl := range acls {		for _, dstI := range acl.Dst {			if dstI.ID == models.EgressID {				if dstI.Value != eID {					continue				}				for _, srcI := range acl.Src {					if srcI.Value == "*" {						continue					}					if srcI.ID == models.NodeID {						inetClientIDs = append(inetClientIDs, srcI.Value)					}				}			}		}	}	return}var (	CreateDefaultTags = func(netID models.NetworkID) {}	DeleteAllNetworkTags = func(networkID models.NetworkID) {}	IsUserAllowedToCommunicate = func(userName string, peer models.Node) (bool, []models.Acl) {		return false, []models.Acl{}	}	RemoveUserFromAclPolicy = func(userName string) {})var (	aclCacheMutex = &sync.RWMutex{}	aclCacheMap   = make(map[string]models.Acl))func MigrateAclPolicies() {	acls := ListAcls()	for _, acl := range acls {		if acl.Proto.String() == "" {			acl.Proto = models.ALL			acl.ServiceType = models.Any			acl.Port = []string{}			UpsertAcl(acl)		}	}}func IsNodeAllowedToCommunicateWithAllRsrcs(node models.Node) bool {	// check default policy if all allowed return true	defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)	if err == nil {		if defaultPolicy.Enabled {			return true		}	}	var nodeId string	if node.IsStatic {		nodeId = node.StaticNode.ClientID		node = node.StaticNode.ConvertToStaticNode()	} else {		nodeId = node.ID.String()	}	nodeTags := make(map[models.TagID]struct{})	nodeTags[models.TagID(nodeId)] = struct{}{}	if node.IsGw {		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}	}	// list device policies	policies := ListDevicePolicies(models.NetworkID(node.Network))	srcMap := make(map[string]struct{})	dstMap := make(map[string]struct{})	defer func() {		srcMap = nil		dstMap = nil	}()	for _, policy := range policies {		if !policy.Enabled {			continue		}		srcMap = ConvAclTagToValueMap(policy.Src)		dstMap = ConvAclTagToValueMap(policy.Dst)		_, srcAll := srcMap["*"]		_, dstAll := dstMap["*"]		for tagID := range nodeTags {			if srcAll {				if _, ok := dstMap[tagID.String()]; ok {					return true				}			}			if dstAll {				if _, ok := srcMap[tagID.String()]; ok {					return true				}			}		}	}	return false}// IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // ADD ALLOWED DIRECTION - 0 => node -> peer, 1 => peer-> node,func isNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {	var nodeId, peerId string	// if node.IsGw && peer.IsRelayed && peer.RelayedBy == node.ID.String() {	// 	return true, []models.Acl{}	// }	// if peer.IsGw && node.IsRelayed && node.RelayedBy == peer.ID.String() {	// 	return true, []models.Acl{}	// }	if node.IsStatic {		nodeId = node.StaticNode.ClientID		node = node.StaticNode.ConvertToStaticNode()	} else {		nodeId = node.ID.String()	}	if peer.IsStatic {		peerId = peer.StaticNode.ClientID		peer = peer.StaticNode.ConvertToStaticNode()	} else {		peerId = peer.ID.String()	}	nodeTags := make(map[models.TagID]struct{})	peerTags := make(map[models.TagID]struct{})	nodeTags[models.TagID(nodeId)] = struct{}{}	peerTags[models.TagID(peerId)] = struct{}{}	if peer.IsGw {		peerTags[models.TagID(fmt.Sprintf("%s.%s", peer.Network, models.GwTagName))] = struct{}{}	}	if node.IsGw {		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}	}	if checkDefaultPolicy {		// check default policy if all allowed return true		defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)		if err == nil {			if defaultPolicy.Enabled {				return true, []models.Acl{defaultPolicy}			}		}	}	allowedPolicies := []models.Acl{}	defer func() {		allowedPolicies = UniquePolicies(allowedPolicies)	}()	// list device policies	policies := ListDevicePolicies(models.NetworkID(peer.Network))	srcMap := make(map[string]struct{})	dstMap := make(map[string]struct{})	defer func() {		srcMap = nil		dstMap = nil	}()	for _, policy := range policies {		if !policy.Enabled {			continue		}		allowed := false		srcMap = ConvAclTagToValueMap(policy.Src)		dstMap = ConvAclTagToValueMap(policy.Dst)		for _, dst := range policy.Dst {			if dst.ID == models.EgressID {				e := schema.Egress{ID: dst.Value}				err := e.Get(db.WithContext(context.TODO()))				if err == nil && e.Status {					for nodeID := range e.Nodes {						dstMap[nodeID] = struct{}{}					}				}			}		}		_, srcAll := srcMap["*"]		_, dstAll := dstMap["*"]		if policy.AllowedDirection == models.TrafficDirectionBi {			if _, ok := srcMap[nodeId]; ok || srcAll {				if _, ok := dstMap[peerId]; ok || dstAll {					allowedPolicies = append(allowedPolicies, policy)					continue				}			}			if _, ok := dstMap[nodeId]; ok || dstAll {				if _, ok := srcMap[peerId]; ok || srcAll {					allowedPolicies = append(allowedPolicies, policy)					continue				}			}		}		if _, ok := dstMap[peerId]; ok || dstAll {			if _, ok := srcMap[nodeId]; ok || srcAll {				allowedPolicies = append(allowedPolicies, policy)				continue			}		}		if policy.AllowedDirection == models.TrafficDirectionBi {			for tagID := range nodeTags {				if _, ok := dstMap[tagID.String()]; ok || dstAll {					if srcAll {						allowed = true						break					}					for tagID := range peerTags {						if _, ok := srcMap[tagID.String()]; ok {							allowed = true							break						}					}				}				if allowed {					allowedPolicies = append(allowedPolicies, policy)					break				}				if _, ok := srcMap[tagID.String()]; ok || srcAll {					if dstAll {						allowed = true						break					}					for tagID := range peerTags {						if _, ok := dstMap[tagID.String()]; ok {							allowed = true							break						}					}				}				if allowed {					break				}			}			if allowed {				allowedPolicies = append(allowedPolicies, policy)				continue			}		}		for tagID := range peerTags {			if _, ok := dstMap[tagID.String()]; ok || dstAll {				if srcAll {					allowed = true					break				}				for tagID := range nodeTags {					if _, ok := srcMap[tagID.String()]; ok {						allowed = true						break					}				}			}			if allowed {				break			}		}		if allowed {			allowedPolicies = append(allowedPolicies, policy)		}	}	if len(allowedPolicies) > 0 {		return true, allowedPolicies	}	return false, allowedPolicies}// GetDefaultPolicy - fetches default policy in the network by ruleTypefunc GetDefaultPolicy(netID models.NetworkID, ruleType models.AclPolicyType) (models.Acl, error) {	aclID := "all-users"	if ruleType == models.DevicePolicy {		aclID = "all-nodes"	}	acl, err := GetAcl(fmt.Sprintf("%s.%s", netID, aclID))	if err != nil {		return models.Acl{}, errors.New("default rule not found")	}	if acl.Enabled {		return acl, nil	}	// check if there are any custom all policies	srcMap := make(map[string]struct{})	dstMap := make(map[string]struct{})	defer func() {		srcMap = nil		dstMap = nil	}()	policies, _ := ListAclsByNetwork(netID)	for _, policy := range policies {		if !policy.Enabled {			continue		}		if policy.RuleType == ruleType {			dstMap = ConvAclTagToValueMap(policy.Dst)			srcMap = ConvAclTagToValueMap(policy.Src)			if _, ok := srcMap["*"]; ok {				if _, ok := dstMap["*"]; ok {					return policy, nil				}			}		}	}	return acl, nil}// ListAcls - lists all acl policiesfunc ListAclsByNetwork(netID models.NetworkID) ([]models.Acl, error) {	allAcls := ListAcls()	netAcls := []models.Acl{}	for _, acl := range allAcls {		if !servercfg.IsPro && acl.RuleType == models.UserPolicy {			continue		}		if acl.NetworkID == netID {			netAcls = append(netAcls, acl)		}	}	return netAcls, nil}// ListEgressAcls - list egress acl policiesfunc ListEgressAcls(eID string) ([]models.Acl, error) {	allAcls := ListAcls()	egressAcls := []models.Acl{}	for _, acl := range allAcls {		if !servercfg.IsPro && acl.RuleType == models.UserPolicy {			continue		}		for _, dst := range acl.Dst {			if dst.ID == models.EgressID && dst.Value == eID {				egressAcls = append(egressAcls, acl)			}		}	}	return egressAcls, nil}// ListDevicePolicies - lists all device policies in a networkfunc ListDevicePolicies(netID models.NetworkID) []models.Acl {	allAcls := ListAcls()	deviceAcls := []models.Acl{}	for _, acl := range allAcls {		if acl.NetworkID == netID && acl.RuleType == models.DevicePolicy {			deviceAcls = append(deviceAcls, acl)		}	}	return deviceAcls}func ConvAclTagToValueMap(acltags []models.AclPolicyTag) map[string]struct{} {	aclValueMap := make(map[string]struct{})	for _, aclTagI := range acltags {		aclValueMap[aclTagI.Value] = struct{}{}	}	return aclValueMap}func UniqueAclPolicyTags(tags []models.AclPolicyTag) []models.AclPolicyTag {	seen := make(map[string]bool)	var result []models.AclPolicyTag	for _, tag := range tags {		key := fmt.Sprintf("%v-%s", tag.ID, tag.Value)		if !seen[key] {			seen[key] = true			result = append(result, tag)		}	}	return result}// UpdateAcl - updates allowed fields on acls and commits to DBfunc UpdateAcl(newAcl, acl models.Acl) error {	if !acl.Default {		acl.Name = newAcl.Name		acl.Src = newAcl.Src		acl.Dst = newAcl.Dst		acl.AllowedDirection = newAcl.AllowedDirection		acl.Port = newAcl.Port		acl.Proto = newAcl.Proto		acl.ServiceType = newAcl.ServiceType	}	if newAcl.ServiceType == models.Any {		acl.Port = []string{}		acl.Proto = models.ALL	}	acl.Enabled = newAcl.Enabled	d, err := json.Marshal(acl)	if err != nil {		return err	}	err = database.Insert(acl.ID, string(d), database.ACLS_TABLE_NAME)	if err == nil && servercfg.CacheEnabled() {		storeAclInCache(acl)	}	return err}// UpsertAcl - upserts aclfunc UpsertAcl(acl models.Acl) error {	d, err := json.Marshal(acl)	if err != nil {		return err	}	err = database.Insert(acl.ID, string(d), database.ACLS_TABLE_NAME)	if err == nil && servercfg.CacheEnabled() {		storeAclInCache(acl)	}	return err}// DeleteAcl - deletes acl policyfunc DeleteAcl(a models.Acl) error {	err := database.DeleteRecord(database.ACLS_TABLE_NAME, a.ID)	if err == nil && servercfg.CacheEnabled() {		removeAclFromCache(a)	}	return err}func ListAcls() (acls []models.Acl) {	if servercfg.CacheEnabled() && len(aclCacheMap) > 0 {		return listAclFromCache()	}	data, err := database.FetchRecords(database.ACLS_TABLE_NAME)	if err != nil && !database.IsEmptyRecord(err) {		return []models.Acl{}	}	for _, dataI := range data {		acl := models.Acl{}		err := json.Unmarshal([]byte(dataI), &acl)		if err != nil {			continue		}		if !servercfg.IsPro {			if acl.RuleType == models.UserPolicy {				continue			}			skip := false			for _, srcI := range acl.Src {				if srcI.ID == models.NodeTagID && (srcI.Value != "*" && srcI.Value != fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName)) {					skip = true					break				}			}			if skip {				continue			}			for _, dstI := range acl.Dst {				if dstI.ID == models.NodeTagID && (dstI.Value != "*" && dstI.Value != fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName)) {					skip = true					break				}			}			if skip {				continue			}		}		acls = append(acls, acl)		if servercfg.CacheEnabled() {			storeAclInCache(acl)		}	}	return}func UniquePolicies(items []models.Acl) []models.Acl {	if len(items) == 0 {		return items	}	seen := make(map[string]bool)	var result []models.Acl	for _, item := range items {		if !seen[item.ID] {			seen[item.ID] = true			result = append(result, item)		}	}	return result}// DeleteNetworkPolicies - deletes all default network acl policiesfunc DeleteNetworkPolicies(netId models.NetworkID) {	acls, _ := ListAclsByNetwork(netId)	for _, acl := range acls {		if acl.NetworkID == netId {			DeleteAcl(acl)		}	}}// SortTagEntrys - Sorts slice of Tag entries by their idfunc SortAclEntrys(acls []models.Acl) {	sort.Slice(acls, func(i, j int) bool {		return acls[i].Name < acls[j].Name	})}// ValidateCreateAclReq - validates create req for aclfunc ValidateCreateAclReq(req models.Acl) error {	// check if acl network exists	_, err := GetNetwork(req.NetworkID.String())	if err != nil {		return errors.New("failed to get network details for " + req.NetworkID.String())	}	// err = CheckIDSyntax(req.Name)	// if err != nil {	// 	return err	// }	return nil}func listAclFromCache() (acls []models.Acl) {	aclCacheMutex.RLock()	defer aclCacheMutex.RUnlock()	for _, acl := range aclCacheMap {		acls = append(acls, acl)	}	return}func storeAclInCache(a models.Acl) {	aclCacheMutex.Lock()	defer aclCacheMutex.Unlock()	aclCacheMap[a.ID] = a}func removeAclFromCache(a models.Acl) {	aclCacheMutex.Lock()	defer aclCacheMutex.Unlock()	delete(aclCacheMap, a.ID)}func getAclFromCache(aID string) (a models.Acl, ok bool) {	aclCacheMutex.RLock()	defer aclCacheMutex.RUnlock()	a, ok = aclCacheMap[aID]	return}// InsertAcl - creates acl policyfunc InsertAcl(a models.Acl) error {	d, err := json.Marshal(a)	if err != nil {		return err	}	err = database.Insert(a.ID, string(d), database.ACLS_TABLE_NAME)	if err == nil && servercfg.CacheEnabled() {		storeAclInCache(a)	}	return err}// GetAcl - gets acl info by idfunc GetAcl(aID string) (models.Acl, error) {	a := models.Acl{}	if servercfg.CacheEnabled() {		var ok bool		a, ok = getAclFromCache(aID)		if ok {			return a, nil		}	}	d, err := database.FetchRecord(database.ACLS_TABLE_NAME, aID)	if err != nil {		return a, err	}	err = json.Unmarshal([]byte(d), &a)	if err != nil {		return a, err	}	if servercfg.CacheEnabled() {		storeAclInCache(a)	}	return a, nil}// IsAclExists - checks if acl existsfunc IsAclExists(aclID string) bool {	_, err := GetAcl(aclID)	return err == nil}func RemoveNodeFromAclPolicy(node models.Node) {	var nodeID string	if node.IsStatic {		nodeID = node.StaticNode.ClientID	} else {		nodeID = node.ID.String()	}	acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))	for _, acl := range acls {		delete := false		update := false		if acl.RuleType == models.DevicePolicy {			for i := len(acl.Src) - 1; i >= 0; i-- {				if acl.Src[i].ID == models.NodeID && acl.Src[i].Value == nodeID {					if len(acl.Src) == 1 {						// delete policy						delete = true						break					} else {						acl.Src = append(acl.Src[:i], acl.Src[i+1:]...)						update = true					}				}			}			if delete {				DeleteAcl(acl)				continue			}			for i := len(acl.Dst) - 1; i >= 0; i-- {				if acl.Dst[i].ID == models.NodeID && acl.Dst[i].Value == nodeID {					if len(acl.Dst) == 1 {						// delete policy						delete = true						break					} else {						acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)						update = true					}				}			}			if delete {				DeleteAcl(acl)				continue			}			if update {				UpsertAcl(acl)			}		}		if acl.RuleType == models.UserPolicy {			for i := len(acl.Dst) - 1; i >= 0; i-- {				if acl.Dst[i].ID == models.NodeID && acl.Dst[i].Value == nodeID {					if len(acl.Dst) == 1 {						// delete policy						delete = true						break					} else {						acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)						update = true					}				}			}			if delete {				DeleteAcl(acl)				continue			}			if update {				UpsertAcl(acl)			}		}	}}// CreateDefaultAclNetworkPolicies - create default acl network policiesfunc CreateDefaultAclNetworkPolicies(netID models.NetworkID) {	if netID.String() == "" {		return	}	_, _ = ListAclsByNetwork(netID)	if !IsAclExists(fmt.Sprintf("%s.%s", netID, "all-nodes")) {		defaultDeviceAcl := models.Acl{			ID:          fmt.Sprintf("%s.%s", netID, "all-nodes"),			Name:        "All Nodes",			MetaData:    "This Policy allows all nodes in the network to communicate with each other",			Default:     true,			NetworkID:   netID,			Proto:       models.ALL,			ServiceType: models.Any,			Port:        []string{},			RuleType:    models.DevicePolicy,			Src: []models.AclPolicyTag{				{					ID:    models.NodeTagID,					Value: "*",				}},			Dst: []models.AclPolicyTag{				{					ID:    models.NodeTagID,					Value: "*",				}},			AllowedDirection: models.TrafficDirectionBi,			Enabled:          true,			CreatedBy:        "auto",			CreatedAt:        time.Now().UTC(),		}		InsertAcl(defaultDeviceAcl)	}	if !IsAclExists(fmt.Sprintf("%s.%s", netID, "all-gateways")) {		defaultUserAcl := models.Acl{			ID:          fmt.Sprintf("%s.%s", netID, "all-gateways"),			Default:     true,			Name:        "All Gateways",			NetworkID:   netID,			Proto:       models.ALL,			ServiceType: models.Any,			Port:        []string{},			RuleType:    models.DevicePolicy,			Src: []models.AclPolicyTag{				{					ID:    models.NodeTagID,					Value: fmt.Sprintf("%s.%s", netID, models.GwTagName),				},			},			Dst: []models.AclPolicyTag{				{					ID:    models.NodeTagID,					Value: "*",				},			},			AllowedDirection: models.TrafficDirectionBi,			Enabled:          true,			CreatedBy:        "auto",			CreatedAt:        time.Now().UTC(),		}		InsertAcl(defaultUserAcl)	}	CreateDefaultUserPolicies(netID)}
 |