gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-05 20:54:18 +08:00
Code Issues Projects Releases Packages Wiki Activity
netmaker/models/acl.go
Abhishek K 307a3d1e4b
NET-1932: Merge egress and internet gateways (#3436) 
* feat: api access tokens

* revoke all user tokens

* redefine access token api routes, add auto egress option to enrollment keys

* add server settings apis, add db table for settigs

* handle server settings updates

* switch to using settings from DB

* fix sever settings migration

* revet force migration for settings

* fix server settings database write

* egress model

* fix revoked tokens to be unauthorized

* update egress model

* remove unused functions

* convert access token to sql schema

* switch access token to sql schema

* fix merge conflicts

* fix server settings types

* bypass basic auth setting for super admin

* add TODO comment

* setup api handlers for egress revamp

* use single DB, fix update nat boolean field

* extend validaiton checks for egress ranges

* add migration to convert to new egress model

* fix panic interface conversion

* publish peer update on settings update

* revoke token generated by an user

* add user token creation restriction by user role

* add forbidden check for access token creation

* revoke user token when group or role is changed

* add default group to admin users on update

* chore(go): import style changes from migration branch;

1. Singular file names for table schema.
2. No table name method.
3. Use .Model instead of .Table.
4. No unnecessary tagging.

* remove nat check on egress gateway request

* Revert "remove nat check on egress gateway request"

This reverts commit 0aff12a189.

* remove nat check on egress gateway request

* feat(go): add db middleware;

* feat(go): restore method;

* feat(go): add user access token schema;

* add inet gw status to egress model

* fetch node ids in the tag, add inet gw info clients

* add inet gw info to node from egress list

* add migration logic internet gws

* create default acl policies

* add egress info

* add egress TODO

* add egress TODO

* fix user auth api:

* add reference id to acl policy

* add egress response from DB

* publish peer update on egress changes

* re initalise oauth and email config

* set verbosity

* normalise cidr on egress req

* add egress id to acl group

* change acls to use egress id

* resolve merge conflicts

* fix egress reference errors

* move egress model to schema

* add api context to DB

* sync auto update settings with hosts

* sync auto update settings with hosts

* check acl for egress node

* check for egress policy in the acl dst groups

* fix acl rules for egress policies with new models

* add status to egress model

* fix inet node func

* mask secret and convert jwt duration to minutes

* enable egress policies on creation

* convert jwt duration to minutes

* add relevant ranges to inet egress

* skip non active egress routes

* resolve merge conflicts

* fix static check

* update gorm tag for primary key on egress model

* create user policies for egress resources

* resolve merge conflicts

* get egress info on failover apis, add egress src validation for inet gws

* add additional validation checks on egress req

* add additional validation checks on egress req

* skip all resources for inet policy

* delete associated egress acl policies

* fix failover of inetclient

* avoid setting inet client asd inet gw

* fix all resource egress policy

* fix inet gw egress rule

* check for node egress on relay req

* fix egress acl rules comms

* add new field for egress info on node

* check acl policy in failover ctx

* avoid default host to be set as inet client

* fix relayed egress node

* add valid error messaging for egress validate func

* return if inet default host

* jump port detection to 51821

* check host ports on pull

* check user access gws via acls

* add validation check for default host and failover for inet clients

* add error messaging for acl policy check

* fix inet gw status

* ignore failover req for peer using inet gw

* check for allowed egress ranges for a peer

* add egress routes to static nodes by access

* avoid setting failvoer as inet client

* fix egress error messaging

* fix extclients egress comms

* fix inet gw acting as inet client

* return formatted error on update acl validation

* add default route for static nodes on inetclient

* check relay node acting as inetclient

* move inet node info to separate field, fix all resouces policy

* remove debug logs

---------

Co-authored-by: Vishal Dalwadi <dalwadivishal26@gmail.com>
2025-05-21 12:50:21 +05:30

124 lines
3.6 KiB
Go
Raw Permalink Blame History

package models
import (
"net"
"time"
)
// AllowedTrafficDirection - allowed direction of traffic
type AllowedTrafficDirection int
const (
// TrafficDirectionUni implies traffic is only allowed in one direction (src --> dst)
TrafficDirectionUni AllowedTrafficDirection = iota
// TrafficDirectionBi implies traffic is allowed both direction (src <--> dst )
TrafficDirectionBi
)
// Protocol - allowed protocol
type Protocol string
const (
ALL Protocol = "all"
UDP Protocol = "udp"
TCP Protocol = "tcp"
ICMP Protocol = "icmp"
)
const (
Http = "HTTP"
Https = "HTTPS"
AllTCP = "All TCP"
AllUDP = "All UDP"
ICMPService = "ICMP"
SSH = "SSH"
Custom = "Custom"
Any = "Any"
)
func (p Protocol) String() string {
return string(p)
}
type AclPolicyType string
const (
UserPolicy AclPolicyType = "user-policy"
DevicePolicy AclPolicyType = "device-policy"
)
type AclPolicyTag struct {
ID AclGroupType `json:"id"`
Value string `json:"value"`
}
type AclGroupType string
const (
UserAclID AclGroupType = "user"
UserGroupAclID AclGroupType = "user-group"
NodeTagID AclGroupType = "tag"
NodeID AclGroupType = "device"
EgressRange AclGroupType = "egress-range"
EgressID AclGroupType = "egress-id"
NetmakerIPAclID AclGroupType = "ip"
NetmakerSubNetRangeAClID AclGroupType = "ipset"
)
func (g AclGroupType) String() string {
return string(g)
}
type UpdateAclRequest struct {
Acl
NewName string `json:"new_name"`
}
type AclPolicy struct {
TypeID AclPolicyType
PrefixTagUser AclGroupType
}
type Acl struct {
ID string `json:"id"`
Default bool `json:"default"`
MetaData string `json:"meta_data"`
Name string `json:"name"`
NetworkID NetworkID `json:"network_id"`
RuleType AclPolicyType `json:"policy_type"`
Src []AclPolicyTag `json:"src_type"`
Dst []AclPolicyTag `json:"dst_type"`
Proto Protocol `json:"protocol"` // tcp, udp, etc.
ServiceType string `json:"type"`
Port []string `json:"ports"`
AllowedDirection AllowedTrafficDirection `json:"allowed_traffic_direction"`
Enabled bool `json:"enabled"`
CreatedBy string `json:"created_by"`
CreatedAt time.Time `json:"created_at"`
}
type AclPolicyTypes struct {
ProtocolTypes []ProtocolType
RuleTypes []AclPolicyType `json:"policy_types"`
SrcGroupTypes []AclGroupType `json:"src_grp_types"`
DstGroupTypes []AclGroupType `json:"dst_grp_types"`
}
type ProtocolType struct {
Name string `json:"name"`
AllowedProtocols []Protocol `json:"allowed_protocols"`
PortRange string `json:"port_range"`
AllowPortSetting bool `json:"allow_port_setting"`
}
type AclRule struct {
ID string `json:"id"`
IPList []net.IPNet `json:"ip_list"`
IP6List []net.IPNet `json:"ip6_list"`
AllowedProtocol Protocol `json:"allowed_protocols"` // tcp, udp, etc.
AllowedPorts []string `json:"allowed_ports"`
Direction AllowedTrafficDirection `json:"direction"` // single or two-way
Dst []net.IPNet `json:"dst"`
Dst6 []net.IPNet `json:"dst6"`
Allowed bool
}
Reference in a new issue View git blame Copy permalink