mirror of
https://github.com/gravitl/netmaker.git
synced 2025-10-14 13:04:26 +08:00
single node acl group
This commit is contained in:
abhishek9686
@@ -45,12 +45,12 @@ func aclPolicyTypes(w http.ResponseWriter, r *http.Request) {
|
||||
SrcGroupTypes: []models.AclGroupType{
|
||||
models.UserAclID,
|
||||
models.UserGroupAclID,
|
||||
models.DeviceAclID,
|
||||
models.DeviceID,
|
||||
models.NodeTagID,
|
||||
models.NodeID,
|
||||
},
|
||||
DstGroupTypes: []models.AclGroupType{
|
||||
models.DeviceAclID,
|
||||
models.DeviceID,
|
||||
models.NodeTagID,
|
||||
models.NodeID,
|
||||
// models.NetmakerIPAclID,
|
||||
// models.NetmakerSubNetRangeAClID,
|
||||
},
|
||||
|
||||
@@ -50,12 +50,12 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
|
||||
RuleType: models.DevicePolicy,
|
||||
Src: []models.AclPolicyTag{
|
||||
{
|
||||
ID: models.DeviceAclID,
|
||||
ID: models.NodeTagID,
|
||||
Value: "*",
|
||||
}},
|
||||
Dst: []models.AclPolicyTag{
|
||||
{
|
||||
ID: models.DeviceAclID,
|
||||
ID: models.NodeTagID,
|
||||
Value: "*",
|
||||
}},
|
||||
AllowedDirection: models.TrafficDirectionBi,
|
||||
@@ -83,7 +83,7 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
|
||||
},
|
||||
},
|
||||
Dst: []models.AclPolicyTag{{
|
||||
ID: models.DeviceAclID,
|
||||
ID: models.NodeTagID,
|
||||
Value: "*",
|
||||
}},
|
||||
AllowedDirection: models.TrafficDirectionUni,
|
||||
@@ -106,13 +106,13 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
|
||||
RuleType: models.DevicePolicy,
|
||||
Src: []models.AclPolicyTag{
|
||||
{
|
||||
ID: models.DeviceAclID,
|
||||
ID: models.NodeTagID,
|
||||
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
||||
},
|
||||
},
|
||||
Dst: []models.AclPolicyTag{
|
||||
{
|
||||
ID: models.DeviceAclID,
|
||||
ID: models.NodeTagID,
|
||||
Value: "*",
|
||||
},
|
||||
},
|
||||
@@ -267,7 +267,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
|
||||
if dstI.ID == "" || dstI.Value == "" {
|
||||
return false
|
||||
}
|
||||
if dstI.ID != models.DeviceAclID && dstI.ID != models.DeviceID {
|
||||
if dstI.ID != models.NodeTagID && dstI.ID != models.NodeID {
|
||||
return false
|
||||
}
|
||||
if dstI.Value == "*" {
|
||||
@@ -284,7 +284,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
|
||||
if srcI.ID == "" || srcI.Value == "" {
|
||||
return false
|
||||
}
|
||||
if srcI.ID != models.DeviceAclID && srcI.ID != models.DeviceID {
|
||||
if srcI.ID != models.NodeTagID && srcI.ID != models.NodeID {
|
||||
return false
|
||||
}
|
||||
if srcI.Value == "*" {
|
||||
@@ -301,7 +301,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
|
||||
if dstI.ID == "" || dstI.Value == "" {
|
||||
return false
|
||||
}
|
||||
if dstI.ID != models.DeviceAclID && dstI.ID != models.DeviceID {
|
||||
if dstI.ID != models.NodeTagID && dstI.ID != models.NodeID {
|
||||
return false
|
||||
}
|
||||
if dstI.Value == "*" {
|
||||
@@ -597,6 +597,22 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
|
||||
}
|
||||
srcMap = convAclTagToValueMap(policy.Src)
|
||||
dstMap = convAclTagToValueMap(policy.Dst)
|
||||
if checkTagGroupPolicy(srcMap, dstMap, node, peer) {
|
||||
return true
|
||||
}
|
||||
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func checkTagGroupPolicy(srcMap, dstMap map[string]struct{}, node, peer models.Node) bool {
|
||||
// check for node ID
|
||||
if _, ok := srcMap[node.ID.String()]; ok {
|
||||
return true
|
||||
}
|
||||
if _, ok := dstMap[node.ID.String()]; ok {
|
||||
return true
|
||||
}
|
||||
for tagID := range node.Tags {
|
||||
if _, ok := dstMap[tagID.String()]; ok {
|
||||
if _, ok := srcMap["*"]; ok {
|
||||
@@ -642,7 +658,6 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
@@ -678,6 +693,16 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
|
||||
}
|
||||
srcMap = convAclTagToValueMap(policy.Src)
|
||||
dstMap = convAclTagToValueMap(policy.Dst)
|
||||
if policy.AllowedDirection == models.TrafficDirectionBi {
|
||||
if _, ok := srcMap[node.ID.String()]; ok {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
}
|
||||
if _, ok := dstMap[node.ID.String()]; ok {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
for tagID := range node.Tags {
|
||||
allowed := false
|
||||
if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok {
|
||||
@@ -715,6 +740,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
for tagID := range peer.Tags {
|
||||
allowed := false
|
||||
if _, ok := dstMap[tagID.String()]; ok {
|
||||
@@ -775,7 +801,7 @@ func UpdateDeviceTag(OldID, newID models.TagID, netID models.NetworkID) {
|
||||
update := false
|
||||
for _, acl := range acls {
|
||||
for i, srcTagI := range acl.Src {
|
||||
if srcTagI.ID == models.DeviceAclID {
|
||||
if srcTagI.ID == models.NodeTagID {
|
||||
if OldID.String() == srcTagI.Value {
|
||||
acl.Src[i].Value = newID.String()
|
||||
update = true
|
||||
@@ -783,7 +809,7 @@ func UpdateDeviceTag(OldID, newID models.TagID, netID models.NetworkID) {
|
||||
}
|
||||
}
|
||||
for i, dstTagI := range acl.Dst {
|
||||
if dstTagI.ID == models.DeviceAclID {
|
||||
if dstTagI.ID == models.NodeTagID {
|
||||
if OldID.String() == dstTagI.Value {
|
||||
acl.Dst[i].Value = newID.String()
|
||||
update = true
|
||||
@@ -800,14 +826,14 @@ func CheckIfTagAsActivePolicy(tagID models.TagID, netID models.NetworkID) bool {
|
||||
acls := listDevicePolicies(netID)
|
||||
for _, acl := range acls {
|
||||
for _, srcTagI := range acl.Src {
|
||||
if srcTagI.ID == models.DeviceAclID {
|
||||
if srcTagI.ID == models.NodeTagID {
|
||||
if tagID.String() == srcTagI.Value {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
for _, dstTagI := range acl.Dst {
|
||||
if dstTagI.ID == models.DeviceAclID {
|
||||
if dstTagI.ID == models.NodeTagID {
|
||||
if tagID.String() == dstTagI.Value {
|
||||
return true
|
||||
}
|
||||
@@ -823,7 +849,7 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
|
||||
update := false
|
||||
for _, acl := range acls {
|
||||
for i, srcTagI := range acl.Src {
|
||||
if srcTagI.ID == models.DeviceAclID {
|
||||
if srcTagI.ID == models.NodeTagID {
|
||||
if tagID.String() == srcTagI.Value {
|
||||
acl.Src = append(acl.Src[:i], acl.Src[i+1:]...)
|
||||
update = true
|
||||
@@ -831,7 +857,7 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
|
||||
}
|
||||
}
|
||||
for i, dstTagI := range acl.Dst {
|
||||
if dstTagI.ID == models.DeviceAclID {
|
||||
if dstTagI.ID == models.NodeTagID {
|
||||
if tagID.String() == dstTagI.Value {
|
||||
acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)
|
||||
update = true
|
||||
|
||||
@@ -57,8 +57,8 @@ type AclGroupType string
|
||||
const (
|
||||
UserAclID AclGroupType = "user"
|
||||
UserGroupAclID AclGroupType = "user-group"
|
||||
DeviceAclID AclGroupType = "tag"
|
||||
DeviceID AclGroupType = "device"
|
||||
NodeTagID AclGroupType = "tag"
|
||||
NodeID AclGroupType = "node_id"
|
||||
NetmakerIPAclID AclGroupType = "ip"
|
||||
NetmakerSubNetRangeAClID AclGroupType = "ipset"
|
||||
)
|
||||
|
||||
@@ -1227,7 +1227,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
|
||||
},
|
||||
Dst: []models.AclPolicyTag{
|
||||
{
|
||||
ID: models.DeviceAclID,
|
||||
ID: models.NodeTagID,
|
||||
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
||||
}},
|
||||
AllowedDirection: models.TrafficDirectionUni,
|
||||
@@ -1261,7 +1261,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
|
||||
|
||||
Dst: []models.AclPolicyTag{
|
||||
{
|
||||
ID: models.DeviceAclID,
|
||||
ID: models.NodeTagID,
|
||||
Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
|
||||
}},
|
||||
AllowedDirection: models.TrafficDirectionUni,
|
||||
|
||||
Reference in New Issue
Block a user