gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-11 15:44:52 +08:00
Code Issues Projects Releases Packages Wiki Activity

avoid default policy for node

Browse source
This commit is contained in:
abhishek9686 2024-11-18 16:36:25 +04:00 committed by Max Ma
parent 0d801e032c
commit 74306d6ed1
4 changed files with 16 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
controllers/acls.go
View file

@ -69,7 +69,7 @@ func aclDebug(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest")) logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
return return
} }
allowed := logic.IsNodeAllowedToCommunicate(node, peer) allowed := logic.IsNodeAllowedToCommunicate(node, peer, true)
logic.ReturnSuccessResponseWithJson(w, r, allowed, "fetched all acls in the network ") logic.ReturnSuccessResponseWithJson(w, r, allowed, "fetched all acls in the network ")
} }

4
logic/acls.go
View file

@ -517,13 +517,14 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
} }
// IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer
func IsNodeAllowedToCommunicate(node, peer models.Node) bool { func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) bool {
if node.IsStatic { if node.IsStatic {
node = node.StaticNode.ConvertToStaticNode() node = node.StaticNode.ConvertToStaticNode()
} }
if peer.IsStatic { if peer.IsStatic {
peer = peer.StaticNode.ConvertToStaticNode() peer = peer.StaticNode.ConvertToStaticNode()
} }
if checkDefaultPolicy {
// check default policy if all allowed return true // check default policy if all allowed return true
defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy) defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
if err == nil { if err == nil {
@ -531,6 +532,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node) bool {
return true return true
} }
} }
}
// list device policies // list device policies
policies := listDevicePolicies(models.NetworkID(peer.Network)) policies := listDevicePolicies(models.NetworkID(peer.Network))

8
logic/extpeers.go
View file

@ -564,7 +564,7 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode { if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode {
continue continue
} }
if IsNodeAllowedToCommunicate(nodeI, peer) { if IsNodeAllowedToCommunicate(nodeI, peer, true) {
if peer.IsStatic { if peer.IsStatic {
if nodeI.StaticNode.Address != "" { if nodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{ rules = append(rules, models.FwRule{
@ -650,7 +650,7 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
continue continue
} }
if extPeer.RemoteAccessClientID == "" { if extPeer.RemoteAccessClientID == "" {
if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), *peer) { if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), *peer, true) {
continue continue
} }
} else { } else {
@ -739,7 +739,7 @@ func getExtpeerEgressRanges(node models.Node) (ranges, ranges6 []net.IPNet) {
if len(extPeer.ExtraAllowedIPs) == 0 { if len(extPeer.ExtraAllowedIPs) == 0 {
continue continue
} }
if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node) { if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node, true) {
continue continue
} }
for _, allowedRange := range extPeer.ExtraAllowedIPs { for _, allowedRange := range extPeer.ExtraAllowedIPs {
@ -766,7 +766,7 @@ func getExtpeersExtraRoutes(node models.Node) (egressRoutes []models.EgressNetwo
if len(extPeer.ExtraAllowedIPs) == 0 { if len(extPeer.ExtraAllowedIPs) == 0 {
continue continue
} }
if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node) { if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node, true) {
continue continue
} }
egressRoutes = append(egressRoutes, getExtPeerEgressRoute(node, extPeer)...) egressRoutes = append(egressRoutes, getExtPeerEgressRoute(node, extPeer)...)

4
logic/peers.go
View file

@ -96,6 +96,8 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
if !node.Connected || node.PendingDelete || node.Action == models.NODE_DELETE { if !node.Connected || node.PendingDelete || node.Action == models.NODE_DELETE {
continue continue
} }
// check default policy if all allowed return true
defaultPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
if host.OS == models.OS_Types.IoT { if host.OS == models.OS_Types.IoT {
hostPeerUpdate.NodeAddrs = append(hostPeerUpdate.NodeAddrs, node.PrimaryAddressIPNet()) hostPeerUpdate.NodeAddrs = append(hostPeerUpdate.NodeAddrs, node.PrimaryAddressIPNet())
if node.IsRelayed { if node.IsRelayed {
@ -259,7 +261,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
!peer.PendingDelete && !peer.PendingDelete &&
peer.Connected && peer.Connected &&
nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.ID.String())) && nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.ID.String())) &&
IsNodeAllowedToCommunicate(node, peer) && (defaultPolicy.Enabled || IsNodeAllowedToCommunicate(node, peer, false)) &&
(deletedNode == nil || (deletedNode != nil && peer.ID.String() != deletedNode.ID.String())) { (deletedNode == nil || (deletedNode != nil && peer.ID.String() != deletedNode.ID.String())) {
peerConfig.AllowedIPs = allowedips // only append allowed IPs if valid connection peerConfig.AllowedIPs = allowedips // only append allowed IPs if valid connection
} }