gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-11 23:54:22 +08:00
Code Issues Projects Releases Packages Wiki Activity

check default user policy

Browse source
This commit is contained in:
abhishek9686 2024-10-23 15:29:47 +04:00
parent c0f107b302
commit d4da1774ff
3 changed files with 14 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
logic/acls.go
View file

@ -441,6 +441,10 @@ func convAclTagToValueMap(acltags []models.AclPolicyTag) map[string]struct{} {
// IsUserAllowedToCommunicate - check if user is allowed to communicate with peer // IsUserAllowedToCommunicate - check if user is allowed to communicate with peer
func IsUserAllowedToCommunicate(userName string, peer models.Node) bool { func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
acl, _ := GetDefaultPolicy(models.NetworkID(peer.Network), models.UserPolicy)
if acl.Enabled {
return true
}
user, err := GetUser(userName) user, err := GetUser(userName)
if err != nil { if err != nil {
return false return false

9
logic/extpeers.go
View file

@ -526,7 +526,6 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
var peers []wgtypes.PeerConfig var peers []wgtypes.PeerConfig
var idsAndAddr []models.IDandAddr var idsAndAddr []models.IDandAddr
var egressRoutes []models.EgressNetworkRoutes var egressRoutes []models.EgressNetworkRoutes
var extUserIps []net.IP
extPeers, err := GetNetworkExtClients(node.Network) extPeers, err := GetNetworkExtClients(node.Network)
if err != nil { if err != nil {
return peers, idsAndAddr, egressRoutes, err return peers, idsAndAddr, egressRoutes, err
@ -537,14 +536,6 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
} }
for _, extPeer := range extPeers { for _, extPeer := range extPeers {
extPeer := extPeer extPeer := extPeer
if extPeer.RemoteAccessClientID != "" {
if extPeer.AddressIPNet4().IP != nil {
extUserIps = append(extUserIps, extPeer.AddressIPNet4().IP)
}
if extPeer.AddressIPNet6().IP != nil {
extUserIps = append(extUserIps, extPeer.AddressIPNet6().IP)
}
}
if !IsClientNodeAllowed(&extPeer, peer.ID.String()) { if !IsClientNodeAllowed(&extPeer, peer.ID.String()) {
continue continue
} }

8
logic/peers.go
View file

@ -294,17 +294,17 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
if err == nil { if err == nil {
defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy) defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy) defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
if defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled {
ingFwUpdate := models.IngressInfo{ ingFwUpdate := models.IngressInfo{
IngressID: node.ID.String(), IngressID: node.ID.String(),
Network: node.NetworkRange, Network: node.NetworkRange,
Network6: node.NetworkRange6, Network6: node.NetworkRange6,
AllowAll: defaultDevicePolicy.Enabled && defaultUserPolicy.Default, AllowAll: defaultDevicePolicy.Enabled && defaultUserPolicy.Default,
} StaticNodeIps: GetStaticNodeIps(node),
if !ingFwUpdate.AllowAll { Rules: GetFwRulesOnIngressGateway(node),
ingFwUpdate.StaticNodeIps = GetStaticNodeIps(node)
ingFwUpdate.Rules = GetFwRulesOnIngressGateway(node)
} }
hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = ingFwUpdate hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = ingFwUpdate
}
hostPeerUpdate.EgressRoutes = append(hostPeerUpdate.EgressRoutes, egressRoutes...) hostPeerUpdate.EgressRoutes = append(hostPeerUpdate.EgressRoutes, egressRoutes...)
hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, extPeers...) hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, extPeers...)
for _, extPeerIdAndAddr := range extPeerIDAndAddrs { for _, extPeerIdAndAddr := range extPeerIDAndAddrs {