fix user policy acls

2025-10-28 11:11:33 +08:00 · 2024-10-19 13:50:54 +04:00
parent 57378d255a
commit 6b93163bd5
4 changed files with 11 additions and 10 deletions
--- a/controllers/ext_client.go
+++ b/controllers/ext_client.go
@@ -452,7 +452,9 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 	extclient.OwnerID = userName
 	extclient.RemoteAccessClientID = customExtClient.RemoteAccessClientID
 	extclient.IngressGatewayID = nodeid
-
+	extclient.Tags = make(map[models.TagID]struct{})
 	extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
 		models.RemoteAccessTagName))] = struct{}{}
 	// set extclient dns to ingressdns if extclient dns is not explicitly set
 	if (extclient.DNS == "") && (node.IngressDNS != "") {
 		extclient.DNS = node.IngressDNS
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -83,7 +83,7 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
 			Src: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				},
 			},
 			Dst: []models.AclPolicyTag{
@@ -205,10 +205,6 @@ func IsAclPolicyValid(acl models.Acl) bool {
 			if dstI.ID == "" || dstI.Value == "" {
 				return false
 			}
 			if dstI.ID == models.UserAclID ||
 				dstI.ID == models.UserGroupAclID || dstI.ID == models.UserRoleAclID {
 				return false
 			}
 			if dstI.ID != models.DeviceAclID {
 				return false
 			}
--- a/pro/controllers/users.go
+++ b/pro/controllers/users.go
@@ -995,6 +995,9 @@ func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
 		if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
 			userConf.Enabled = parentNetwork.DefaultACL == "yes"
 		}
 		userConf.Tags = make(map[models.TagID]struct{})
 		userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
 			models.RemoteAccessTagName))] = struct{}{}
 		if err = logic.CreateExtClient(&userConf); err != nil {
 			slog.Error(
 				"failed to create extclient",
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@@ -956,7 +956,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				},
 			},
 			AllowedDirection: models.TrafficDirectionUni,
@@ -981,7 +981,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				}},
 			AllowedDirection: models.TrafficDirectionUni,
 			Enabled:          true,
@@ -1006,7 +1006,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				}},
 			AllowedDirection: models.TrafficDirectionUni,
 			Enabled:          true,
@@ -1031,7 +1031,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				}},
 			AllowedDirection: models.TrafficDirectionUni,
 			Enabled:          true,