From 57378d255aab4cced2b8627e2d6aa2d06b4374ab Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Sat, 19 Oct 2024 13:16:52 +0400 Subject: [PATCH] fix user policies --- logic/acls.go | 20 ++++++++++++-------- pro/logic/user_mgmt.go | 11 ++++++----- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/logic/acls.go b/logic/acls.go index 380a618a..84fdd8d4 100644 --- a/logic/acls.go +++ b/logic/acls.go @@ -172,6 +172,9 @@ func IsAclPolicyValid(acl models.Acl) bool { if srcI.ID == "" || srcI.Value == "" { return false } + if srcI.Value == "*" { + continue + } if srcI.ID != models.UserAclID && srcI.ID != models.UserGroupAclID && srcI.ID != models.UserRoleAclID { return false @@ -183,18 +186,13 @@ func IsAclPolicyValid(acl models.Acl) bool { return false } } else if srcI.ID == models.UserRoleAclID { - if srcI.Value == "*" { - continue - } + _, err := GetRole(models.UserRoleID(srcI.Value)) if err != nil { return false } } else if srcI.ID == models.UserGroupAclID { - if srcI.Value == "*" { - continue - } err := IsGroupValid(models.UserGroupID(srcI.Value)) if err != nil { return false @@ -208,7 +206,7 @@ func IsAclPolicyValid(acl models.Acl) bool { return false } if dstI.ID == models.UserAclID || - dstI.ID == models.UserGroupAclID { + dstI.ID == models.UserGroupAclID || dstI.ID == models.UserRoleAclID { return false } if dstI.ID != models.DeviceAclID { @@ -359,6 +357,12 @@ func listPoliciesOfUser(user models.User, netID models.NetworkID) []models.Acl { acls = append(acls, acl) continue } + for netRole := range user.NetworkRoles { + if _, ok := srcMap[netRole.String()]; ok { + acls = append(acls, acl) + continue + } + } for userG := range user.UserGroups { if _, ok := srcMap[userG.String()]; ok { acls = append(acls, acl) @@ -458,7 +462,7 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool { } } - return true + return false } // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer 
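Review bot: The added `if srcI.Value == "*" { continue }` in the first hunk of logic/acls.go runs before the check that srcI.ID is one of UserAclID, UserGroupAclID or UserRoleAclID, so a source tag with any ID at all (a device tag, or an arbitrary string) paired with the value "*" now passes validation; the wildcard checks that the second hunk removes used to sit inside the per-type branches, after that ID check. Move the short-circuit below the ID check: keep `if srcI.ID != models.UserAclID && srcI.ID != models.UserGroupAclID && srcI.ID != models.UserRoleAclID { return false }` first and place `if srcI.Value == "*" { continue }` after it. Hoisting the check also makes "*" acceptable for UserAclID, which the removed code never allowed; if that is intended it deserves a comment such as `// "*" matches every user, role or group of the given kind`. IsAclPolicyValid continues outside the hunk.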
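Review bot: The UserRoleAclID term added to the `if dstI.ID == models.UserAclID || ...` condition in the third hunk is redundant, because the statement that follows it, `if dstI.ID != models.DeviceAclID { return false }`, already rejects every destination ID that is not DeviceAclID. Either drop the user/group/role check entirely or keep only the DeviceAclID check, with a one-line comment like `// destinations must be device tags` stating what is enforced. The surrounding function continues outside the hunk.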
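Review bot: The `continue` inside the new `for netRole := range user.NetworkRoles` loop in listPoliciesOfUser only advances that inner loop, so when two of the user's network roles both appear in srcMap, or a role and one of the user's groups both match, the same acl is appended more than once; the outer loop over policies begins outside the hunk. Label that outer loop (for example `policies:`) and write `continue policies` after the append, or record the match in a flag and skip the following group loop once it is set. Whether `netRole.String()` yields a role ID depends on how NetworkRoles is keyed; if it is keyed by network, this lookup compares a network ID against the role values in srcMap and should index by the netID argument instead, so confirm the map's key type against the model.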
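Review bot: Changing the fall-through `return true` to `return false` makes IsUserAllowedToCommunicate default-deny, but nothing on the new side says so; a comment above the return, `// no matching policy: deny by default`, keeps a later edit from quietly reverting it. The function's doc comment, which lies outside the hunk, should state the same contract. The rest of the function body is outside the hunk.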
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index 2dab445c..5b338d16 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@@ -956,8 +956,9 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 Dst: []models.AclPolicyTag{
 {
 ID: models.DeviceAclID,
- Value: "*",
- }},
+ Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+ },
+ },
 AllowedDirection: models.TrafficDirectionUni,
 Enabled: true,
 CreatedBy: "auto",
@@ -980,7 +981,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 Dst: []models.AclPolicyTag{
 {
 ID: models.DeviceAclID,
- Value: "*",
+ Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
 }},
 AllowedDirection: models.TrafficDirectionUni,
 Enabled: true,
@@ -1005,7 +1006,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 Dst: []models.AclPolicyTag{
 {
 ID: models.DeviceAclID,
- Value: "*",
+ Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
 }},
 AllowedDirection: models.TrafficDirectionUni,
 Enabled: true,
@@ -1030,7 +1031,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 Dst: []models.AclPolicyTag{
 {
 ID: models.DeviceAclID,
- Value: "*",
+ Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
 }},
 AllowedDirection: models.TrafficDirectionUni,
 Enabled: true,
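Review bot: `fmt.Sprintf("%s.%s", netID, "remote-access-gws")` is written out four times in CreateDefaultUserPolicies (this hunk and the three that follow) with the tag name as a bare literal, so the four default policies can drift apart; define it once, e.g. `const remoteAccessGwTag = "remote-access-gws"`, and build the value in one place, as `string(netID) + "." + remoteAccessGwTag` if NetworkID is a string type. The change also narrows every default policy's destination from the wildcard to the network's remote-access-gateway tag, which is a scope change the function's doc comment (outside the hunk) should record, since the destination check in logic/acls.go is what decides whether such a tag value is accepted.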