mirror of
https://github.com/gravitl/netmaker.git
synced 2025-09-10 23:24:32 +08:00
check network admin policy for admins and superadmins
This commit is contained in:
abhishek9686
parent
8688f41485
commit
912d8dfa50
1 changed files with 49 additions and 3 deletions
|
|
@ -581,7 +581,13 @@ func CreateUserGroup(g *models.UserGroup) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
||||
err = database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// create default network gateway policies
|
||||
go CreateDefaultUserGroupNetworkPolicies(*g)
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetUserGroup - fetches user group
|
||||
|
|
@ -646,7 +652,11 @@ func UpdateUserGroup(g models.UserGroup) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
||||
err = database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeleteUserGroup - deletes user group
|
||||
|
|
@ -729,7 +739,10 @@ func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
|
|||
continue
|
||||
}
|
||||
if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
|
||||
gws[node.ID.String()] = node
|
||||
if ok, _ := IsUserAllowedToCommunicate(user.UserName, node); ok {
|
||||
gws[node.ID.String()] = node
|
||||
continue
|
||||
}
|
||||
} else {
|
||||
// check if user has network role assigned
|
||||
if roles, ok := user.NetworkRoles[models.NetworkID(node.Network)]; ok && len(roles) > 0 {
|
||||
|
|
@ -1200,6 +1213,39 @@ func UpdateUserGwAccess(currentUser, changeUser models.User) {
|
|||
|
||||
}
|
||||
|
||||
func CreateDefaultUserGroupNetworkPolicies(g models.UserGroup) {
|
||||
for netID := range g.NetworkRoles {
|
||||
if !logic.IsAclExists(fmt.Sprintf("%s.%s-grp", netID, g.ID.String())) {
|
||||
userGroupAcl := models.Acl{
|
||||
ID: fmt.Sprintf("%s.%s-grp", netID, g.ID.String()),
|
||||
Default: true,
|
||||
Name: "All Users",
|
||||
MetaData: "This policy gives access to everything in the network for an user",
|
||||
NetworkID: netID,
|
||||
Proto: models.ALL,
|
||||
ServiceType: models.Any,
|
||||
Port: []string{},
|
||||
RuleType: models.UserPolicy,
|
||||
Src: []models.AclPolicyTag{
|
||||
{
|
||||
ID: models.UserGroupAclID,
|
||||
Value: g.ID.String(),
|
||||
},
|
||||
},
|
||||
Dst: []models.AclPolicyTag{{
|
||||
ID: models.NodeTagID,
|
||||
Value: fmt.Sprintf("%s.%s", netID.String(), models.GwTagName),
|
||||
}},
|
||||
AllowedDirection: models.TrafficDirectionUni,
|
||||
Enabled: true,
|
||||
CreatedBy: "auto",
|
||||
CreatedAt: time.Now().UTC(),
|
||||
}
|
||||
logic.InsertAcl(userGroupAcl)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func CreateDefaultUserPolicies(netID models.NetworkID) {
|
||||
if netID.String() == "" {
|
||||
return
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue