gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-08 14:15:25 +08:00
Code Issues Projects Releases Packages Wiki Activity

fix user policies

Browse source
This commit is contained in:
abhishek9686 2024-10-19 13:16:52 +04:00
parent 5be8939e6e
commit 57378d255a
2 changed files with 18 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
logic/acls.go
View file

@ -172,6 +172,9 @@ func IsAclPolicyValid(acl models.Acl) bool {
if srcI.ID == "" || srcI.Value == "" { if srcI.ID == "" || srcI.Value == "" {
return false return false
} }
if srcI.Value == "*" {
continue
}
if srcI.ID != models.UserAclID && if srcI.ID != models.UserAclID &&
srcI.ID != models.UserGroupAclID && srcI.ID != models.UserRoleAclID { srcI.ID != models.UserGroupAclID && srcI.ID != models.UserRoleAclID {
return false return false
@ -183,18 +186,13 @@ func IsAclPolicyValid(acl models.Acl) bool {
return false return false
} }
} else if srcI.ID == models.UserRoleAclID { } else if srcI.ID == models.UserRoleAclID {
if srcI.Value == "*" {
continue
}
_, err := GetRole(models.UserRoleID(srcI.Value)) _, err := GetRole(models.UserRoleID(srcI.Value))
if err != nil { if err != nil {
return false return false
} }
} else if srcI.ID == models.UserGroupAclID { } else if srcI.ID == models.UserGroupAclID {
if srcI.Value == "*" {
continue
}
err := IsGroupValid(models.UserGroupID(srcI.Value)) err := IsGroupValid(models.UserGroupID(srcI.Value))
if err != nil { if err != nil {
return false return false
@ -208,7 +206,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
return false return false
} }
if dstI.ID == models.UserAclID || if dstI.ID == models.UserAclID ||
dstI.ID == models.UserGroupAclID { dstI.ID == models.UserGroupAclID || dstI.ID == models.UserRoleAclID {
return false return false
} }
if dstI.ID != models.DeviceAclID { if dstI.ID != models.DeviceAclID {
@ -359,6 +357,12 @@ func listPoliciesOfUser(user models.User, netID models.NetworkID) []models.Acl {
acls = append(acls, acl) acls = append(acls, acl)
continue continue
} }
for netRole := range user.NetworkRoles {
if _, ok := srcMap[netRole.String()]; ok {
acls = append(acls, acl)
continue
}
}
for userG := range user.UserGroups { for userG := range user.UserGroups {
if _, ok := srcMap[userG.String()]; ok { if _, ok := srcMap[userG.String()]; ok {
acls = append(acls, acl) acls = append(acls, acl)
@ -458,7 +462,7 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
} }
} }
return true return false
} }
// IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer

11
pro/logic/user_mgmt.go
View file

@ -956,8 +956,9 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
Dst: []models.AclPolicyTag{ Dst: []models.AclPolicyTag{
{ {
ID: models.DeviceAclID, ID: models.DeviceAclID,
Value: "*", Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
}}, },
},
AllowedDirection: models.TrafficDirectionUni, AllowedDirection: models.TrafficDirectionUni,
Enabled: true, Enabled: true,
CreatedBy: "auto", CreatedBy: "auto",
@ -980,7 +981,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
Dst: []models.AclPolicyTag{ Dst: []models.AclPolicyTag{
{ {
ID: models.DeviceAclID, ID: models.DeviceAclID,
Value: "*", Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
}}, }},
AllowedDirection: models.TrafficDirectionUni, AllowedDirection: models.TrafficDirectionUni,
Enabled: true, Enabled: true,
@ -1005,7 +1006,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
Dst: []models.AclPolicyTag{ Dst: []models.AclPolicyTag{
{ {
ID: models.DeviceAclID, ID: models.DeviceAclID,
Value: "*", Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
}}, }},
AllowedDirection: models.TrafficDirectionUni, AllowedDirection: models.TrafficDirectionUni,
Enabled: true, Enabled: true,
@ -1030,7 +1031,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
Dst: []models.AclPolicyTag{ Dst: []models.AclPolicyTag{
{ {
ID: models.DeviceAclID, ID: models.DeviceAclID,
Value: "*", Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
}}, }},
AllowedDirection: models.TrafficDirectionUni, AllowedDirection: models.TrafficDirectionUni,
Enabled: true, Enabled: true,