create default user policies

2025-09-08 22:24:17 +08:00 · 2024-10-18 16:53:39 +04:00 · 2024-10-18 16:53:39 +04:00 · c37cf2b7e3
commit c37cf2b7e3
parent afbd725864
7 changed files with 148 additions and 10 deletions
--- a/controllers/acls.go
+++ b/controllers/acls.go
@ -44,6 +44,7 @@ func aclPolicyTypes(w http.ResponseWriter, r *http.Request) {
 		},
 		SrcGroupTypes: []models.AclGroupType{
 			models.UserAclID,
+			models.UserRoleAclID,
 			models.UserGroupAclID,
 			models.DeviceAclID,
 		},
--- a/logic/acls.go
+++ b/logic/acls.go
@ -56,6 +56,10 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
 					ID:    models.UserGroupAclID,
 					Value: "*",
 				},
+				{
+					ID:    models.UserRoleAclID,
+					Value: "*",
+				},
 			},
 			Dst: []models.AclPolicyTag{{
 				ID:    models.DeviceAclID,
@ -95,7 +99,7 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
 		}
 		InsertAcl(defaultUserAcl)
 	}
-
+	CreateDefaultUserPolicies(netID)
 }

 // DeleteDefaultNetworkPolicies - deletes all default network acl policies
@ -169,7 +173,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
 				return false
 			}
 			if srcI.ID != models.UserAclID &&
-				srcI.ID != models.UserGroupAclID {
+				srcI.ID != models.UserGroupAclID && srcI.ID != models.UserRoleAclID {
 				return false
 			}
 			// check if user group is valid
@ -178,6 +182,15 @@ func IsAclPolicyValid(acl models.Acl) bool {
 				if err != nil {
 					return false
 				}
+			} else if srcI.ID == models.UserRoleAclID {
+				if srcI.Value == "*" {
+					continue
+				}
+				_, err := GetRole(models.UserRoleID(srcI.Value))
+				if err != nil {
+					return false
+				}
+
 			} else if srcI.ID == models.UserGroupAclID {
 				if srcI.Value == "*" {
 					continue
@ -281,9 +294,13 @@ func DeleteAcl(a models.Acl) error {
 	return database.DeleteRecord(database.ACLS_TABLE_NAME, a.ID.String())
 }

-// GetDefaultNodesPolicy - fetches default policy in the network by ruleType
-func GetDefaultNodesPolicy(netID models.NetworkID, ruleType models.AclPolicyType) (models.Acl, error) {
-	acl, err := GetAcl(models.AclID(fmt.Sprintf("%s.%s", netID, "all-nodes")))
+// GetDefaultPolicy - fetches default policy in the network by ruleType
+func GetDefaultPolicy(netID models.NetworkID, ruleType models.AclPolicyType) (models.Acl, error) {
+	aclID := "all-users"
+	if ruleType == models.DevicePolicy {
+		aclID = "all-nodes"
+	}
+	acl, err := GetAcl(models.AclID(fmt.Sprintf("%s.%s", netID, aclID)))
 	if err != nil {
 		return models.Acl{}, errors.New("default rule not found")
 	}
@ -447,7 +464,7 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
 // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer
 func IsNodeAllowedToCommunicate(node, peer models.Node) bool {
 	// check default policy if all allowed return true
-	defaultPolicy, err := GetDefaultNodesPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+	defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 	if err == nil {
 		if defaultPolicy.Enabled {
 			return true
--- a/logic/user_mgmt.go
+++ b/logic/user_mgmt.go
@ -53,6 +53,7 @@ var UpdateRole = func(r models.UserRolePermissionTemplate) error { return nil }
 var InitialiseRoles = userRolesInit
 var DeleteNetworkRoles = func(netID string) {}
 var CreateDefaultNetworkRolesAndGroups = func(netID models.NetworkID) {}
+var CreateDefaultUserPolicies = func(netID models.NetworkID) {}

 // GetRole - fetches role template by id
 func GetRole(roleID models.UserRoleID) (models.UserRolePermissionTemplate, error) {
--- a/migrate/migrate.go
+++ b/migrate/migrate.go
@ -21,7 +21,7 @@ import (
 func Run() {
 	updateEnrollmentKeys()
 	assignSuperAdmin()
-	createDefaultTags()
+	createDefaultTagsAndPolicies()
 	removeOldUserGrps()
 	syncUsers()
 	updateHosts()
@ -459,7 +459,7 @@ func syncUsers() {
 	}
 }

-func createDefaultTags() {
+func createDefaultTagsAndPolicies() {
 	networks, err := logic.GetNetworks()
 	if err != nil {
 		return
--- a/models/acl.go
+++ b/models/acl.go
@ -46,6 +46,7 @@ type AclGroupType string
 const (
 	UserAclID                AclGroupType = "user"
 	UserGroupAclID           AclGroupType = "user-group"
+	UserRoleAclID            AclGroupType = "user-role"
 	DeviceAclID              AclGroupType = "tag"
 	NetmakerIPAclID          AclGroupType = "ip"
 	NetmakerSubNetRangeAClID AclGroupType = "ipset"
--- a/pro/initialize.go
+++ b/pro/initialize.go
@ -135,6 +135,7 @@ func InitPro() {
 	logic.IsNetworkRolesValid = proLogic.IsNetworkRolesValid
 	logic.InitialiseRoles = proLogic.UserRolesInit
 	logic.UpdateUserGwAccess = proLogic.UpdateUserGwAccess
+	logic.CreateDefaultUserPolicies = proLogic.CreateDefaultUserPolicies
 }

 func retrieveProLogo() string {
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"time"

 	"github.com/gravitl/netmaker/database"
 	"github.com/gravitl/netmaker/logger"
@ -138,6 +139,7 @@ func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
 	database.Insert(NetworkAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
 	d, _ = json.Marshal(NetworkUserGroup)
 	database.Insert(NetworkUserGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
+
 }

 func DeleteNetworkRoles(netID string) {
@ -514,14 +516,25 @@ func HasNetworkRsrcScope(permissionTemplate models.UserRolePermissionTemplate, n

 func GetUserRAGNodesV1(user models.User) (gws map[string]models.Node) {
 	gws = make(map[string]models.Node)
-
 	tagNodesMap := logic.GetTagMapWithNodes()
 	accessPolices := logic.ListUserPolicies(user)
 	for _, policyI := range accessPolices {
 		for _, dstI := range policyI.Dst {
+			if dstI.Value == "*" {
+				nodes, _ := logic.GetAllNodes()
+				for _, node := range nodes {
+					if node.IsIngressGateway {
+						gws[node.ID.String()] = node
+					}
+				}
+				return
+			}
 			if nodes, ok := tagNodesMap[models.TagID(dstI.Value)]; ok {
 				for _, node := range nodes {
-					gws[node.ID.String()] = node
+					if node.IsIngressGateway {
+						gws[node.ID.String()] = node
+					}
+
 				}
 			}
 		}
@ -1091,3 +1104,107 @@ func UpdateUserGwAccess(currentUser, changeUser models.User) {
 	}

 }
+
+func CreateDefaultUserPolicies(netID models.NetworkID) {
+	if netID.String() == "" {
+		return
+	}
+	if !logic.IsAclExists(models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkAdmin))) {
+		defaultUserAcl := models.Acl{
+			ID:        models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkAdmin)),
+			Name:      models.NetworkAdmin.String(),
+			Default:   true,
+			NetworkID: netID,
+			RuleType:  models.UserPolicy,
+			Src: []models.AclPolicyTag{
+				{
+					ID:    models.UserRoleAclID,
+					Value: fmt.Sprintf("%s-%s", netID, models.NetworkAdmin),
+				}},
+			Dst: []models.AclPolicyTag{
+				{
+					ID:    models.DeviceAclID,
+					Value: "*",
+				}},
+			AllowedDirection: models.TrafficDirectionUni,
+			Enabled:          true,
+			CreatedBy:        "auto",
+			CreatedAt:        time.Now().UTC(),
+		}
+		logic.InsertAcl(defaultUserAcl)
+	}
+	if !logic.IsAclExists(models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkUser))) {
+		defaultUserAcl := models.Acl{
+			ID:        models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkUser)),
+			Name:      models.NetworkUser.String(),
+			Default:   true,
+			NetworkID: netID,
+			RuleType:  models.UserPolicy,
+			Src: []models.AclPolicyTag{
+				{
+					ID:    models.UserRoleAclID,
+					Value: fmt.Sprintf("%s-%s", netID, models.NetworkUser),
+				}},
+			Dst: []models.AclPolicyTag{
+				{
+					ID:    models.DeviceAclID,
+					Value: "*",
+				}},
+			AllowedDirection: models.TrafficDirectionUni,
+			Enabled:          true,
+			CreatedBy:        "auto",
+			CreatedAt:        time.Now().UTC(),
+		}
+		logic.InsertAcl(defaultUserAcl)
+	}
+
+	if !logic.IsAclExists(models.AclID(fmt.Sprintf("%s.%s-grp", netID, models.NetworkAdmin))) {
+		defaultUserAcl := models.Acl{
+			ID:        models.AclID(fmt.Sprintf("%s.%s-grp", netID, models.NetworkAdmin)),
+			Name:      fmt.Sprintf("%s-grp", models.NetworkAdmin),
+			Default:   true,
+			NetworkID: netID,
+			RuleType:  models.UserPolicy,
+			Src: []models.AclPolicyTag{
+				{
+					ID:    models.UserGroupAclID,
+					Value: fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin),
+				}},
+			Dst: []models.AclPolicyTag{
+				{
+					ID:    models.DeviceAclID,
+					Value: "*",
+				}},
+			AllowedDirection: models.TrafficDirectionUni,
+			Enabled:          true,
+			CreatedBy:        "auto",
+			CreatedAt:        time.Now().UTC(),
+		}
+		logic.InsertAcl(defaultUserAcl)
+	}
+
+	if !logic.IsAclExists(models.AclID(fmt.Sprintf("%s.%s-grp", netID, models.NetworkUser))) {
+		defaultUserAcl := models.Acl{
+			ID:        models.AclID(fmt.Sprintf("%s.%s-grp", netID, models.NetworkUser)),
+			Name:      fmt.Sprintf("%s-grp", models.NetworkUser),
+			Default:   true,
+			NetworkID: netID,
+			RuleType:  models.UserPolicy,
+			Src: []models.AclPolicyTag{
+				{
+					ID:    models.UserGroupAclID,
+					Value: fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser),
+				}},
+			Dst: []models.AclPolicyTag{
+				{
+					ID:    models.DeviceAclID,
+					Value: "*",
+				}},
+			AllowedDirection: models.TrafficDirectionUni,
+			Enabled:          true,
+			CreatedBy:        "auto",
+			CreatedAt:        time.Now().UTC(),
+		}
+		logic.InsertAcl(defaultUserAcl)
+	}
+}