check acl policy on ext client

2025-09-10 15:14:22 +08:00 · 2024-10-18 11:21:32 +04:00 · 2024-10-18 11:21:32 +04:00 · aea26dfdf6
commit aea26dfdf6
parent 5418e9a13f
4 changed files with 29 additions and 2 deletions
--- a/logic/acls.go
+++ b/logic/acls.go
@ -323,8 +323,8 @@ func ListUserPolicies(u models.User) []models.Acl {
 	return acls
 }

-// ListUserPoliciesByNetwork - lists all acl user policies in a network
-func ListUserPoliciesByNetwork(netID models.NetworkID) []models.Acl {
+// listUserPoliciesByNetwork - lists all acl user policies in a network
+func listUserPoliciesByNetwork(netID models.NetworkID) []models.Acl {
 	data, err := database.FetchRecords(database.ACLS_TABLE_NAME)
 	if err != nil && !database.IsEmptyRecord(err) {
 		return []models.Acl{}
@ -391,6 +391,11 @@ func convAclTagToValueMap(acltags []models.AclPolicyTag) map[string]struct{} {
 	return aclValueMap
 }

+func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
+	listUserPoliciesByNetwork(models.NetworkID(peer.Network))
+	return true
+}
+
 // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer
 func IsNodeAllowedToCommunicate(node, peer models.Node) bool {
 	// check default policy if all allowed return true
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@ -413,6 +413,16 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
 		if !IsClientNodeAllowed(&extPeer, peer.ID.String()) {
 			continue
 		}
+		if extPeer.RemoteAccessClientID == "" {
+			if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), *peer) {
+				continue
+			}
+		} else {
+			if !IsUserAllowedToCommunicate(extPeer.OwnerID, *peer) {
+				continue
+			}
+		}
+
 		pubkey, err := wgtypes.ParseKey(extPeer.PublicKey)
 		if err != nil {
 			logger.Log(1, "error parsing ext pub key:", err.Error())
--- a/logic/peers.go
+++ b/logic/peers.go
@ -426,6 +426,7 @@ func GetAllowedIPs(node, peer *models.Node, metrics *models.Metrics) []net.IPNet
 			logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
 		}
 		for _, extPeer := range extPeers {
+
 			allowedips = append(allowedips, extPeer.AllowedIPs...)
 		}
 	}
--- a/models/extclient.go
+++ b/models/extclient.go
@ -36,3 +36,14 @@ type CustomExtClient struct {
 	PostDown             string              `json:"postdown" bson:"postdown" validate:"max=1024"`
 	Tags                 map[TagID]struct{}  `json:"tags"`
 }
+
+func (ext *ExtClient) ConvertToStaticNode() Node {
+
+	return Node{
+		CommonNode: CommonNode{
+			Network: ext.Network,
+		},
+		IsStatic:   true,
+		StaticNode: *ext,
+	}
+}