single node acl group
@@ -45,12 +45,12 @@ func aclPolicyTypes(w http.ResponseWriter, r *http.Request) {
|
|||||||
SrcGroupTypes: []models.AclGroupType{
|
SrcGroupTypes: []models.AclGroupType{
|
||||||
models.UserAclID,
|
models.UserAclID,
|
||||||
models.UserGroupAclID,
|
models.UserGroupAclID,
|
||||||
models.DeviceAclID,
|
models.NodeTagID,
|
||||||
models.DeviceID,
|
models.NodeID,
|
||||||
},
|
},
|
||||||
DstGroupTypes: []models.AclGroupType{
|
DstGroupTypes: []models.AclGroupType{
|
||||||
models.DeviceAclID,
|
models.NodeTagID,
|
||||||
models.DeviceID,
|
models.NodeID,
|
||||||
// models.NetmakerIPAclID,
|
// models.NetmakerIPAclID,
|
||||||
// models.NetmakerSubNetRangeAClID,
|
// models.NetmakerSubNetRangeAClID,
|
||||||
},
|
},
|
||||||
|
118
logic/acls.go
118
logic/acls.go
@@ -50,12 +50,12 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
|
|||||||
RuleType: models.DevicePolicy,
|
RuleType: models.DevicePolicy,
|
||||||
Src: []models.AclPolicyTag{
|
Src: []models.AclPolicyTag{
|
||||||
{
|
{
|
||||||
ID: models.DeviceAclID,
|
ID: models.NodeTagID,
|
||||||
Value: "*",
|
Value: "*",
|
||||||
}},
|
}},
|
||||||
Dst: []models.AclPolicyTag{
|
Dst: []models.AclPolicyTag{
|
||||||
{
|
{
|
||||||
ID: models.DeviceAclID,
|
ID: models.NodeTagID,
|
||||||
Value: "*",
|
Value: "*",
|
||||||
}},
|
}},
|
||||||
AllowedDirection: models.TrafficDirectionBi,
|
AllowedDirection: models.TrafficDirectionBi,
|
||||||
@@ -83,7 +83,7 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
Dst: []models.AclPolicyTag{{
|
Dst: []models.AclPolicyTag{{
|
||||||
ID: models.DeviceAclID,
|
ID: models.NodeTagID,
|
||||||
Value: "*",
|
Value: "*",
|
||||||
}},
|
}},
|
||||||
AllowedDirection: models.TrafficDirectionUni,
|
AllowedDirection: models.TrafficDirectionUni,
|
||||||
@@ -106,13 +106,13 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
|
|||||||
RuleType: models.DevicePolicy,
|
RuleType: models.DevicePolicy,
|
||||||
Src: []models.AclPolicyTag{
|
Src: []models.AclPolicyTag{
|
||||||
{
|
{
|
||||||
ID: models.DeviceAclID,
|
ID: models.NodeTagID,
|
||||||
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Dst: []models.AclPolicyTag{
|
Dst: []models.AclPolicyTag{
|
||||||
{
|
{
|
||||||
ID: models.DeviceAclID,
|
ID: models.NodeTagID,
|
||||||
Value: "*",
|
Value: "*",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -267,7 +267,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
|
|||||||
if dstI.ID == "" || dstI.Value == "" {
|
if dstI.ID == "" || dstI.Value == "" {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if dstI.ID != models.DeviceAclID && dstI.ID != models.DeviceID {
|
if dstI.ID != models.NodeTagID && dstI.ID != models.NodeID {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if dstI.Value == "*" {
|
if dstI.Value == "*" {
|
||||||
@@ -284,7 +284,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
|
|||||||
if srcI.ID == "" || srcI.Value == "" {
|
if srcI.ID == "" || srcI.Value == "" {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if srcI.ID != models.DeviceAclID && srcI.ID != models.DeviceID {
|
if srcI.ID != models.NodeTagID && srcI.ID != models.NodeID {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if srcI.Value == "*" {
|
if srcI.Value == "*" {
|
||||||
@@ -301,7 +301,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
|
|||||||
if dstI.ID == "" || dstI.Value == "" {
|
if dstI.ID == "" || dstI.Value == "" {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if dstI.ID != models.DeviceAclID && dstI.ID != models.DeviceID {
|
if dstI.ID != models.NodeTagID && dstI.ID != models.NodeID {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if dstI.Value == "*" {
|
if dstI.Value == "*" {
|
||||||
@@ -597,48 +597,63 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
|
|||||||
}
|
}
|
||||||
srcMap = convAclTagToValueMap(policy.Src)
|
srcMap = convAclTagToValueMap(policy.Src)
|
||||||
dstMap = convAclTagToValueMap(policy.Dst)
|
dstMap = convAclTagToValueMap(policy.Dst)
|
||||||
for tagID := range node.Tags {
|
if checkTagGroupPolicy(srcMap, dstMap, node, peer) {
|
||||||
if _, ok := dstMap[tagID.String()]; ok {
|
return true
|
||||||
if _, ok := srcMap["*"]; ok {
|
}
|
||||||
return true
|
|
||||||
}
|
}
|
||||||
for tagID := range peer.Tags {
|
return false
|
||||||
if _, ok := srcMap[tagID.String()]; ok {
|
}
|
||||||
return true
|
|
||||||
}
|
func checkTagGroupPolicy(srcMap, dstMap map[string]struct{}, node, peer models.Node) bool {
|
||||||
}
|
// check for node ID
|
||||||
|
if _, ok := srcMap[node.ID.String()]; ok {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if _, ok := dstMap[node.ID.String()]; ok {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
for tagID := range node.Tags {
|
||||||
|
if _, ok := dstMap[tagID.String()]; ok {
|
||||||
|
if _, ok := srcMap["*"]; ok {
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
if _, ok := srcMap[tagID.String()]; ok {
|
for tagID := range peer.Tags {
|
||||||
if _, ok := dstMap["*"]; ok {
|
if _, ok := srcMap[tagID.String()]; ok {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
for tagID := range peer.Tags {
|
|
||||||
if _, ok := dstMap[tagID.String()]; ok {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for tagID := range peer.Tags {
|
if _, ok := srcMap[tagID.String()]; ok {
|
||||||
if _, ok := dstMap[tagID.String()]; ok {
|
if _, ok := dstMap["*"]; ok {
|
||||||
if _, ok := srcMap["*"]; ok {
|
return true
|
||||||
|
}
|
||||||
|
for tagID := range peer.Tags {
|
||||||
|
if _, ok := dstMap[tagID.String()]; ok {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
for tagID := range node.Tags {
|
|
||||||
|
|
||||||
if _, ok := srcMap[tagID.String()]; ok {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if _, ok := srcMap[tagID.String()]; ok {
|
}
|
||||||
if _, ok := dstMap["*"]; ok {
|
}
|
||||||
|
for tagID := range peer.Tags {
|
||||||
|
if _, ok := dstMap[tagID.String()]; ok {
|
||||||
|
if _, ok := srcMap["*"]; ok {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
for tagID := range node.Tags {
|
||||||
|
|
||||||
|
if _, ok := srcMap[tagID.String()]; ok {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
for tagID := range node.Tags {
|
}
|
||||||
if _, ok := dstMap[tagID.String()]; ok {
|
}
|
||||||
return true
|
if _, ok := srcMap[tagID.String()]; ok {
|
||||||
}
|
if _, ok := dstMap["*"]; ok {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
for tagID := range node.Tags {
|
||||||
|
if _, ok := dstMap[tagID.String()]; ok {
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -678,6 +693,16 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
|
|||||||
}
|
}
|
||||||
srcMap = convAclTagToValueMap(policy.Src)
|
srcMap = convAclTagToValueMap(policy.Src)
|
||||||
dstMap = convAclTagToValueMap(policy.Dst)
|
dstMap = convAclTagToValueMap(policy.Dst)
|
||||||
|
if policy.AllowedDirection == models.TrafficDirectionBi {
|
||||||
|
if _, ok := srcMap[node.ID.String()]; ok {
|
||||||
|
allowedPolicies = append(allowedPolicies, policy)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if _, ok := dstMap[node.ID.String()]; ok {
|
||||||
|
allowedPolicies = append(allowedPolicies, policy)
|
||||||
|
break
|
||||||
|
}
|
||||||
for tagID := range node.Tags {
|
for tagID := range node.Tags {
|
||||||
allowed := false
|
allowed := false
|
||||||
if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok {
|
if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok {
|
||||||
@@ -715,6 +740,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for tagID := range peer.Tags {
|
for tagID := range peer.Tags {
|
||||||
allowed := false
|
allowed := false
|
||||||
if _, ok := dstMap[tagID.String()]; ok {
|
if _, ok := dstMap[tagID.String()]; ok {
|
||||||
@@ -775,7 +801,7 @@ func UpdateDeviceTag(OldID, newID models.TagID, netID models.NetworkID) {
|
|||||||
update := false
|
update := false
|
||||||
for _, acl := range acls {
|
for _, acl := range acls {
|
||||||
for i, srcTagI := range acl.Src {
|
for i, srcTagI := range acl.Src {
|
||||||
if srcTagI.ID == models.DeviceAclID {
|
if srcTagI.ID == models.NodeTagID {
|
||||||
if OldID.String() == srcTagI.Value {
|
if OldID.String() == srcTagI.Value {
|
||||||
acl.Src[i].Value = newID.String()
|
acl.Src[i].Value = newID.String()
|
||||||
update = true
|
update = true
|
||||||
@@ -783,7 +809,7 @@ func UpdateDeviceTag(OldID, newID models.TagID, netID models.NetworkID) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
for i, dstTagI := range acl.Dst {
|
for i, dstTagI := range acl.Dst {
|
||||||
if dstTagI.ID == models.DeviceAclID {
|
if dstTagI.ID == models.NodeTagID {
|
||||||
if OldID.String() == dstTagI.Value {
|
if OldID.String() == dstTagI.Value {
|
||||||
acl.Dst[i].Value = newID.String()
|
acl.Dst[i].Value = newID.String()
|
||||||
update = true
|
update = true
|
||||||
@@ -800,14 +826,14 @@ func CheckIfTagAsActivePolicy(tagID models.TagID, netID models.NetworkID) bool {
|
|||||||
acls := listDevicePolicies(netID)
|
acls := listDevicePolicies(netID)
|
||||||
for _, acl := range acls {
|
for _, acl := range acls {
|
||||||
for _, srcTagI := range acl.Src {
|
for _, srcTagI := range acl.Src {
|
||||||
if srcTagI.ID == models.DeviceAclID {
|
if srcTagI.ID == models.NodeTagID {
|
||||||
if tagID.String() == srcTagI.Value {
|
if tagID.String() == srcTagI.Value {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, dstTagI := range acl.Dst {
|
for _, dstTagI := range acl.Dst {
|
||||||
if dstTagI.ID == models.DeviceAclID {
|
if dstTagI.ID == models.NodeTagID {
|
||||||
if tagID.String() == dstTagI.Value {
|
if tagID.String() == dstTagI.Value {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
@@ -823,7 +849,7 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
|
|||||||
update := false
|
update := false
|
||||||
for _, acl := range acls {
|
for _, acl := range acls {
|
||||||
for i, srcTagI := range acl.Src {
|
for i, srcTagI := range acl.Src {
|
||||||
if srcTagI.ID == models.DeviceAclID {
|
if srcTagI.ID == models.NodeTagID {
|
||||||
if tagID.String() == srcTagI.Value {
|
if tagID.String() == srcTagI.Value {
|
||||||
acl.Src = append(acl.Src[:i], acl.Src[i+1:]...)
|
acl.Src = append(acl.Src[:i], acl.Src[i+1:]...)
|
||||||
update = true
|
update = true
|
||||||
@@ -831,7 +857,7 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
for i, dstTagI := range acl.Dst {
|
for i, dstTagI := range acl.Dst {
|
||||||
if dstTagI.ID == models.DeviceAclID {
|
if dstTagI.ID == models.NodeTagID {
|
||||||
if tagID.String() == dstTagI.Value {
|
if tagID.String() == dstTagI.Value {
|
||||||
acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)
|
acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)
|
||||||
update = true
|
update = true
|
||||||
|
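Review bot: The two node-ID guards at the top of the new checkTagGroupPolicy (IsPeerAllowed hunk) return true as soon as node.ID appears in srcMap or dstMap without consulting peer at all, so a policy that names this node on one side and a specific tag or node on the other permits this node to reach every peer the caller asks about, not just the one the policy names. The tag branches below are stricter — a node tag in dst only matches when src holds "*" or one of the peer's tags — and the ID branches should follow the same shape, also accepting peer.ID so that policies that name the peer by ID match. The node-ID lookups added to the IsNodeAllowedToCommunicate hunk (srcMap and dstMap checks on node.ID before the node.Tags loop; that function's body continues outside the hunk) have the same gap. If a bare ID match is intentionally meant to apply the policy to all of the node's peers, a comment on the guards saying so is needed; otherwise I would restructure the ID checks as below.
```go
func checkTagGroupPolicy(srcMap, dstMap map[string]struct{}, node, peer models.Node) bool {
	// A node-ID match on one side only permits the pair when the other
	// side names the peer: by its ID, by one of its tags, or by "*".
	if _, ok := srcMap[node.ID.String()]; ok && peerMatches(dstMap, peer) {
		return true
	}
	if _, ok := dstMap[node.ID.String()]; ok && peerMatches(srcMap, peer) {
		return true
	}
	// … unchanged: tag-based checks over node.Tags and peer.Tags …
}

// peerMatches reports whether m names peer by wildcard, by node ID, or by
// one of its tags.
func peerMatches(m map[string]struct{}, peer models.Node) bool {
	if _, ok := m["*"]; ok {
		return true
	}
	if _, ok := m[peer.ID.String()]; ok {
		return true
	}
	for tagID := range peer.Tags {
		if _, ok := m[tagID.String()]; ok {
			return true
		}
	}
	return false
}
```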
@@ -57,8 +57,8 @@ type AclGroupType string
|
|||||||
const (
|
const (
|
||||||
UserAclID AclGroupType = "user"
|
UserAclID AclGroupType = "user"
|
||||||
UserGroupAclID AclGroupType = "user-group"
|
UserGroupAclID AclGroupType = "user-group"
|
||||||
DeviceAclID AclGroupType = "tag"
|
NodeTagID AclGroupType = "tag"
|
||||||
DeviceID AclGroupType = "device"
|
NodeID AclGroupType = "node_id"
|
||||||
NetmakerIPAclID AclGroupType = "ip"
|
NetmakerIPAclID AclGroupType = "ip"
|
||||||
NetmakerSubNetRangeAClID AclGroupType = "ipset"
|
NetmakerSubNetRangeAClID AclGroupType = "ipset"
|
||||||
)
|
)
|
||||||
|
@@ -1227,7 +1227,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
|
|||||||
},
|
},
|
||||||
Dst: []models.AclPolicyTag{
|
Dst: []models.AclPolicyTag{
|
||||||
{
|
{
|
||||||
ID: models.DeviceAclID,
|
ID: models.NodeTagID,
|
||||||
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
||||||
}},
|
}},
|
||||||
AllowedDirection: models.TrafficDirectionUni,
|
AllowedDirection: models.TrafficDirectionUni,
|
||||||
@@ -1261,7 +1261,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
|
|||||||
|
|
||||||
Dst: []models.AclPolicyTag{
|
Dst: []models.AclPolicyTag{
|
||||||
{
|
{
|
||||||
ID: models.DeviceAclID,
|
ID: models.NodeTagID,
|
||||||
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
||||||
}},
|
}},
|
||||||
AllowedDirection: models.TrafficDirectionUni,
|
AllowedDirection: models.TrafficDirectionUni,
|
||||||
|