diff --git a/logic/acls.go b/logic/acls.go
index 01163952..2ca68217 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -42,40 +42,59 @@ func IsAclPolicyValid(acl models.Acl) bool {
 if len(userTagLi) < 2 {
 break
 }
- if userTagLi[0] != models.UserAcl.String() &&
- userTagLi[0] != models.UserGroupAcl.String() {
+ if userTagLi[0] != models.UserAclID.String() &&
+ userTagLi[0] != models.UserGroupAclID.String() {
 break
 }
+ // check if user group is valid
+ if userTagLi[0] == models.UserAclID.String() {
+ _, err := GetUser(userTagLi[1])
+ if err != nil {
+ break
+ }
+ } else if userTagLi[0] == models.UserGroupAclID.String() {
+ err := IsGroupValid(models.UserGroupID(userTagLi[1]))
+ if err != nil {
+ break
+ }
+ }
+
 }
 for _, dstI := range acl.Dst {
 dstILi := strings.Split(dstI, ":")
 if len(dstILi) < 2 {
 break
 }
- if dstILi[0] == models.UserAcl.String() ||
- dstILi[0] == models.UserGroupAcl.String() {
+ if dstILi[0] == models.UserAclID.String() ||
+ dstILi[0] == models.UserGroupAclID.String() {
+ break
+ }
+ if dstILi[0] != models.DeviceAclID.String() {
+ break
+ }
+ // check if tag is valid
+ _, err := GetTag(models.TagID(dstILi[1]))
+ if err != nil {
 break
 }
 }
 isValid = true
 case models.DevicePolicy:
 for _, srcI := range acl.Src {
- userTagLi := strings.Split(srcI, ":")
- if len(userTagLi) < 2 {
+ deviceTagLi := strings.Split(srcI, ":")
+ if len(deviceTagLi) < 2 {
 break
 }
- if userTagLi[0] == models.UserAcl.String() ||
- userTagLi[0] == models.UserGroupAcl.String() {
+ if deviceTagLi[0] != models.DeviceAclID.String() {
 break
 }
 }
 for _, dstI := range acl.Dst {
- dstILi := strings.Split(dstI, ":")
- if len(dstILi) < 2 {
+ deviceTagLi := strings.Split(dstI, ":")
+ if len(deviceTagLi) < 2 {
 break
 }
- if dstILi[0] == models.UserAcl.String() ||
- dstILi[0] == models.UserGroupAcl.String() {
+ if deviceTagLi[0] != models.DeviceAclID.String() {
 break
 }
 }
diff --git a/logic/user_mgmt.go b/logic/user_mgmt.go
index 8727cb57..31cba66c 100644
--- a/logic/user_mgmt.go
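Review bot: The new existence checks in the UserPolicy case cannot influence the result, because each failing lookup (`GetUser`, `IsGroupValid`, `GetTag`) only executes `break`, which leaves the inner `for` and falls through to the unconditional `isValid = true` after the Dst loop; an ACL whose source names an unknown user or group, or whose destination names an unknown tag, is therefore still reported valid. The pre-existing prefix checks share the same flaw, so every `break` in these loops should become `return false` (the signature in the hunk header returns `bool`), e.g. `if err != nil { return false }`. The DevicePolicy branch only compares the prefix against `DeviceAclID` and, unlike the UserPolicy Dst loop, never calls `GetTag` on the ID, so a non-existent tag passes there; the end of that case and the function's final return lie outside the hunk.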
+++ b/logic/user_mgmt.go
@@ -39,6 +39,9 @@ var FilterNetworksByRole = func(allnetworks []models.Network, user models.User)
 var IsGroupsValid = func(groups map[models.UserGroupID]struct{}) error {
 return nil
 }
+var IsGroupValid = func(groupID models.UserGroupID) error {
+ return nil
+}
 var IsNetworkRolesValid = func(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error {
 return nil
 }
diff --git a/models/acl.go b/models/acl.go
index 761d641e..50468117 100644
--- a/models/acl.go
+++ b/models/acl.go
@@ -26,8 +26,11 @@ const (
 type AclGroupType string
 
 const (
- UserAcl AclGroupType = "user"
- UserGroupAcl AclGroupType = "user-group"
+ UserAclID AclGroupType = "user"
+ UserGroupAclID AclGroupType = "user-group"
+ DeviceAclID AclGroupType = "tag"
+ NetmakerIPAclID AclGroupType = "ip"
+ NetmakerSubNetRangeAClID AclGroupType = "ipset"
 )
 
 func (g AclGroupType) String() string {
diff --git a/pro/initialize.go b/pro/initialize.go
index 1c6ba8a1..3dfae580 100644
--- a/pro/initialize.go
+++ b/pro/initialize.go
@@ -130,6 +130,7 @@ func InitPro() {
 logic.CreateDefaultNetworkRolesAndGroups = proLogic.CreateDefaultNetworkRolesAndGroups
 logic.FilterNetworksByRole = proLogic.FilterNetworksByRole
 logic.IsGroupsValid = proLogic.IsGroupsValid
+ logic.IsGroupValid = proLogic.IsGroupValid
 logic.IsNetworkRolesValid = proLogic.IsNetworkRolesValid
 logic.InitialiseRoles = proLogic.UserRolesInit
 logic.UpdateUserGwAccess = proLogic.UpdateUserGwAccess
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index 84c5987b..af4d4c79 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
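Review bot: The default `IsGroupValid` hook accepts every group ID unconditionally and carries no comment saying so, which a reader of the call in `IsAclPolicyValid` has no way to know. Since it is an exported package-level var, give it a doc comment that states the contract and the fallback: `// IsGroupValid reports whether groupID names an existing user group. The default accepts any ID; InitPro replaces it with the pro implementation.`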
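Review bot: `NetmakerSubNetRangeAClID` breaks the capitalisation used by the other four constants in the block (`AclID`); as the name is new in this commit, rename it to `NetmakerSubNetRangeAclID` before callers depend on the misspelling. `NetmakerIPAclID` and `NetmakerSubNetRangeAClID` are not referenced elsewhere in this diff, so `IsAclPolicyValid` currently rejects any `ip`/`ipset` entry; if that is intentional for now, a one-line comment on the const block saying these two prefixes are not yet accepted by validation would save the next reader a search.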
@@ -789,6 +789,16 @@ func IsGroupsValid(groups map[models.UserGroupID]struct{}) error { return nil } +func IsGroupValid(groupID models.UserGroupID) error { + + _, err := GetUserGroup(groupID) + if err != nil { + return fmt.Errorf("user group `%s` not found", groupID) + } + + return nil +} + func IsNetworkRolesValid(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error { for netID, netRoles := range networkRoles {
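Review bot: `IsGroupValid` discards the error returned by `GetUserGroup`, so a storage or lookup failure is reported as `user group ... not found` and the caller in `IsAclPolicyValid` cannot distinguish a missing group from a backend error; wrap it instead: `return fmt.Errorf("user group %q not found: %w", groupID, err)`. The blank line directly after the signature is not used by the neighbouring `IsNetworkRolesValid`, which opens straight into its loop, and should be dropped for consistency. The body of `IsNetworkRolesValid` continues outside the hunk.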