mirror of
https://github.com/gravitl/netmaker.git
synced 2025-09-04 04:04:17 +08:00
307a3d1e4b
* feat: api access tokens
* revoke all user tokens
* redefine access token api routes, add auto egress option to enrollment keys
* add server settings apis, add db table for settigs
* handle server settings updates
* switch to using settings from DB
* fix sever settings migration
* revet force migration for settings
* fix server settings database write
* egress model
* fix revoked tokens to be unauthorized
* update egress model
* remove unused functions
* convert access token to sql schema
* switch access token to sql schema
* fix merge conflicts
* fix server settings types
* bypass basic auth setting for super admin
* add TODO comment
* setup api handlers for egress revamp
* use single DB, fix update nat boolean field
* extend validaiton checks for egress ranges
* add migration to convert to new egress model
* fix panic interface conversion
* publish peer update on settings update
* revoke token generated by an user
* add user token creation restriction by user role
* add forbidden check for access token creation
* revoke user token when group or role is changed
* add default group to admin users on update
* chore(go): import style changes from migration branch;
1. Singular file names for table schema.
2. No table name method.
3. Use .Model instead of .Table.
4. No unnecessary tagging.
* remove nat check on egress gateway request
* Revert "remove nat check on egress gateway request"
This reverts commit 0aff12a189.
* remove nat check on egress gateway request
* feat(go): add db middleware;
* feat(go): restore method;
* feat(go): add user access token schema;
* add inet gw status to egress model
* fetch node ids in the tag, add inet gw info clients
* add inet gw info to node from egress list
* add migration logic internet gws
* create default acl policies
* add egress info
* add egress TODO
* add egress TODO
* fix user auth api:
* add reference id to acl policy
* add egress response from DB
* publish peer update on egress changes
* re initalise oauth and email config
* set verbosity
* normalise cidr on egress req
* add egress id to acl group
* change acls to use egress id
* resolve merge conflicts
* fix egress reference errors
* move egress model to schema
* add api context to DB
* sync auto update settings with hosts
* sync auto update settings with hosts
* check acl for egress node
* check for egress policy in the acl dst groups
* fix acl rules for egress policies with new models
* add status to egress model
* fix inet node func
* mask secret and convert jwt duration to minutes
* enable egress policies on creation
* convert jwt duration to minutes
* add relevant ranges to inet egress
* skip non active egress routes
* resolve merge conflicts
* fix static check
* update gorm tag for primary key on egress model
* create user policies for egress resources
* resolve merge conflicts
* get egress info on failover apis, add egress src validation for inet gws
* add additional validation checks on egress req
* add additional validation checks on egress req
* skip all resources for inet policy
* delete associated egress acl policies
* fix failover of inetclient
* avoid setting inet client asd inet gw
* fix all resource egress policy
* fix inet gw egress rule
* check for node egress on relay req
* fix egress acl rules comms
* add new field for egress info on node
* check acl policy in failover ctx
* avoid default host to be set as inet client
* fix relayed egress node
* add valid error messaging for egress validate func
* return if inet default host
* jump port detection to 51821
* check host ports on pull
* check user access gws via acls
* add validation check for default host and failover for inet clients
* add error messaging for acl policy check
* fix inet gw status
* ignore failover req for peer using inet gw
* check for allowed egress ranges for a peer
* add egress routes to static nodes by access
* avoid setting failvoer as inet client
* fix egress error messaging
* fix extclients egress comms
* fix inet gw acting as inet client
* return formatted error on update acl validation
* add default route for static nodes on inetclient
* check relay node acting as inetclient
* move inet node info to separate field, fix all resouces policy
* remove debug logs
---------
Co-authored-by: Vishal Dalwadi <dalwadivishal26@gmail.com>
334 lines
9.4 KiB
Go
334 lines
9.4 KiB
Go
package logic
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"slices"
|
|
"sort"
|
|
"time"
|
|
|
|
"github.com/gravitl/netmaker/database"
|
|
"github.com/gravitl/netmaker/db"
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/schema"
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
)
|
|
|
|
// IsInternetGw - checks if node is acting as internet gw
|
|
func IsInternetGw(node models.Node) bool {
|
|
e := schema.Egress{
|
|
Network: node.Network,
|
|
}
|
|
egList, _ := e.ListByNetwork(db.WithContext(context.TODO()))
|
|
for _, egI := range egList {
|
|
if egI.IsInetGw {
|
|
if _, ok := egI.Nodes[node.ID.String()]; ok {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// GetInternetGateways - gets all the nodes that are internet gateways
|
|
func GetInternetGateways() ([]models.Node, error) {
|
|
nodes, err := GetAllNodes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
igs := make([]models.Node, 0)
|
|
for _, node := range nodes {
|
|
if node.EgressDetails.IsInternetGateway {
|
|
igs = append(igs, node)
|
|
}
|
|
}
|
|
return igs, nil
|
|
}
|
|
|
|
// GetAllIngresses - gets all the nodes that are ingresses
|
|
func GetAllIngresses() ([]models.Node, error) {
|
|
nodes, err := GetAllNodes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
ingresses := make([]models.Node, 0)
|
|
for _, node := range nodes {
|
|
if node.IsIngressGateway {
|
|
ingresses = append(ingresses, node)
|
|
}
|
|
}
|
|
return ingresses, nil
|
|
}
|
|
|
|
// GetAllEgresses - gets all the nodes that are egresses
|
|
func GetAllEgresses() ([]models.Node, error) {
|
|
nodes, err := GetAllNodes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
egresses := make([]models.Node, 0)
|
|
for _, node := range nodes {
|
|
if node.EgressDetails.IsEgressGateway {
|
|
egresses = append(egresses, node)
|
|
}
|
|
}
|
|
return egresses, nil
|
|
}
|
|
|
|
// CreateEgressGateway - creates an egress gateway
|
|
func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, error) {
|
|
node, err := GetNodeByID(gateway.NodeID)
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
host, err := GetHost(node.HostID.String())
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
if host.OS != "linux" { // support for other OS to be added
|
|
return models.Node{}, errors.New(host.OS + " is unsupported for egress gateways")
|
|
}
|
|
if host.FirewallInUse == models.FIREWALL_NONE {
|
|
return models.Node{}, errors.New("please install iptables or nftables on the device")
|
|
}
|
|
if len(gateway.RangesWithMetric) == 0 && len(gateway.Ranges) > 0 {
|
|
for _, rangeI := range gateway.Ranges {
|
|
gateway.RangesWithMetric = append(gateway.RangesWithMetric, models.EgressRangeMetric{
|
|
Network: rangeI,
|
|
RouteMetric: 256,
|
|
})
|
|
}
|
|
}
|
|
for i := len(gateway.Ranges) - 1; i >= 0; i-- {
|
|
// check if internet gateway IPv4
|
|
if gateway.Ranges[i] == "0.0.0.0/0" || gateway.Ranges[i] == "::/0" {
|
|
// remove inet range
|
|
gateway.Ranges = append(gateway.Ranges[:i], gateway.Ranges[i+1:]...)
|
|
continue
|
|
}
|
|
normalized, err := NormalizeCIDR(gateway.Ranges[i])
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
gateway.Ranges[i] = normalized
|
|
|
|
}
|
|
rangesWithMetric := []string{}
|
|
for i := len(gateway.RangesWithMetric) - 1; i >= 0; i-- {
|
|
if gateway.RangesWithMetric[i].Network == "0.0.0.0/0" || gateway.RangesWithMetric[i].Network == "::/0" {
|
|
// remove inet range
|
|
gateway.RangesWithMetric = append(gateway.RangesWithMetric[:i], gateway.RangesWithMetric[i+1:]...)
|
|
continue
|
|
}
|
|
normalized, err := NormalizeCIDR(gateway.RangesWithMetric[i].Network)
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
gateway.RangesWithMetric[i].Network = normalized
|
|
rangesWithMetric = append(rangesWithMetric, gateway.RangesWithMetric[i].Network)
|
|
if gateway.RangesWithMetric[i].RouteMetric <= 0 || gateway.RangesWithMetric[i].RouteMetric > 999 {
|
|
gateway.RangesWithMetric[i].RouteMetric = 256
|
|
}
|
|
}
|
|
sort.Strings(gateway.Ranges)
|
|
sort.Strings(rangesWithMetric)
|
|
if !slices.Equal(gateway.Ranges, rangesWithMetric) {
|
|
return models.Node{}, errors.New("invalid ranges")
|
|
}
|
|
if gateway.NatEnabled == "" {
|
|
gateway.NatEnabled = "yes"
|
|
}
|
|
err = ValidateEgressGateway(gateway)
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
if gateway.Ranges == nil {
|
|
gateway.Ranges = make([]string, 0)
|
|
}
|
|
node.EgressDetails.IsEgressGateway = true
|
|
node.EgressDetails.EgressGatewayRanges = gateway.Ranges
|
|
node.EgressDetails.EgressGatewayNatEnabled = models.ParseBool(gateway.NatEnabled)
|
|
|
|
node.EgressDetails.EgressGatewayRequest = gateway // store entire request for use when preserving the egress gateway
|
|
node.SetLastModified()
|
|
if err = UpsertNode(&node); err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
return node, nil
|
|
}
|
|
|
|
// ValidateEgressGateway - validates the egress gateway model
|
|
func ValidateEgressGateway(gateway models.EgressGatewayRequest) error {
|
|
return nil
|
|
}
|
|
|
|
// DeleteEgressGateway - deletes egress from node
|
|
func DeleteEgressGateway(network, nodeid string) (models.Node, error) {
|
|
node, err := GetNodeByID(nodeid)
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
node.EgressDetails.IsEgressGateway = false
|
|
node.EgressDetails.EgressGatewayRanges = []string{}
|
|
node.EgressDetails.EgressGatewayRequest = models.EgressGatewayRequest{} // remove preserved request as the egress gateway is gone
|
|
node.SetLastModified()
|
|
if err = UpsertNode(&node); err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
return node, nil
|
|
}
|
|
|
|
// CreateIngressGateway - creates an ingress gateway
|
|
func CreateIngressGateway(netid string, nodeid string, ingress models.IngressRequest) (models.Node, error) {
|
|
|
|
node, err := GetNodeByID(nodeid)
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
if node.IsRelayed {
|
|
return models.Node{}, errors.New("gateway cannot be created on a relayed node")
|
|
}
|
|
host, err := GetHost(node.HostID.String())
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
if host.OS != "linux" {
|
|
return models.Node{}, errors.New("gateway can only be created on linux based node")
|
|
}
|
|
|
|
network, err := GetParentNetwork(netid)
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
node.IsIngressGateway = true
|
|
node.IsGw = true
|
|
if !servercfg.IsPro {
|
|
node.EgressDetails.IsInternetGateway = ingress.IsInternetGateway
|
|
}
|
|
node.IngressGatewayRange = network.AddressRange
|
|
node.IngressGatewayRange6 = network.AddressRange6
|
|
node.IngressDNS = ingress.ExtclientDNS
|
|
if node.EgressDetails.IsInternetGateway && node.IngressDNS == "" {
|
|
node.IngressDNS = "1.1.1.1"
|
|
}
|
|
node.IngressPersistentKeepalive = 20
|
|
if ingress.PersistentKeepalive != 0 {
|
|
node.IngressPersistentKeepalive = ingress.PersistentKeepalive
|
|
}
|
|
node.IngressMTU = 1420
|
|
if ingress.MTU != 0 {
|
|
node.IngressMTU = ingress.MTU
|
|
}
|
|
if servercfg.IsPro {
|
|
if _, exists := FailOverExists(node.Network); exists {
|
|
ResetFailedOverPeer(&node)
|
|
}
|
|
}
|
|
node.SetLastModified()
|
|
node.Metadata = ingress.Metadata
|
|
if node.Metadata == "" {
|
|
node.Metadata = "This host can be used for remote access"
|
|
}
|
|
if node.Tags == nil {
|
|
node.Tags = make(map[models.TagID]struct{})
|
|
}
|
|
node.Tags[models.TagID(fmt.Sprintf("%s.%s", netid, models.GwTagName))] = struct{}{}
|
|
err = UpsertNode(&node)
|
|
if err != nil {
|
|
return models.Node{}, err
|
|
}
|
|
err = SetNetworkNodesLastModified(netid)
|
|
return node, err
|
|
}
|
|
|
|
// GetIngressGwUsers - lists the users having to access to ingressGW
|
|
func GetIngressGwUsers(node models.Node) (models.IngressGwUsers, error) {
|
|
|
|
gwUsers := models.IngressGwUsers{
|
|
NodeID: node.ID.String(),
|
|
Network: node.Network,
|
|
}
|
|
users, err := GetUsers()
|
|
if err != nil {
|
|
return gwUsers, err
|
|
}
|
|
for _, user := range users {
|
|
if !user.IsAdmin && !user.IsSuperAdmin {
|
|
gwUsers.Users = append(gwUsers.Users, user)
|
|
}
|
|
}
|
|
return gwUsers, nil
|
|
}
|
|
|
|
// DeleteIngressGateway - deletes an ingress gateway
|
|
func DeleteIngressGateway(nodeid string) (models.Node, []models.ExtClient, error) {
|
|
removedClients := []models.ExtClient{}
|
|
node, err := GetNodeByID(nodeid)
|
|
if err != nil {
|
|
return models.Node{}, removedClients, err
|
|
}
|
|
clients, err := GetExtClientsByID(nodeid, node.Network)
|
|
if err != nil && !database.IsEmptyRecord(err) {
|
|
return models.Node{}, removedClients, err
|
|
}
|
|
|
|
removedClients = clients
|
|
|
|
// delete ext clients belonging to ingress gateway
|
|
if err = DeleteGatewayExtClients(node.ID.String(), node.Network); err != nil {
|
|
return models.Node{}, removedClients, err
|
|
}
|
|
logger.Log(3, "deleting ingress gateway")
|
|
node.LastModified = time.Now().UTC()
|
|
node.IsIngressGateway = false
|
|
if !servercfg.IsPro {
|
|
node.EgressDetails.IsInternetGateway = false
|
|
}
|
|
delete(node.Tags, models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName)))
|
|
node.IngressGatewayRange = ""
|
|
node.Metadata = ""
|
|
err = UpsertNode(&node)
|
|
if err != nil {
|
|
return models.Node{}, removedClients, err
|
|
}
|
|
|
|
err = SetNetworkNodesLastModified(node.Network)
|
|
return node, removedClients, err
|
|
}
|
|
|
|
// DeleteGatewayExtClients - deletes ext clients based on gateway (mac) of ingress node and network
|
|
func DeleteGatewayExtClients(gatewayID string, networkName string) error {
|
|
currentExtClients, err := GetNetworkExtClients(networkName)
|
|
if database.IsEmptyRecord(err) {
|
|
return nil
|
|
}
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, extClient := range currentExtClients {
|
|
if extClient.IngressGatewayID == gatewayID {
|
|
if err = DeleteExtClient(networkName, extClient.ClientID); err != nil {
|
|
logger.Log(1, "failed to remove ext client", extClient.ClientID)
|
|
continue
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// IsUserAllowedAccessToExtClient - checks if user has permission to access extclient
|
|
func IsUserAllowedAccessToExtClient(username string, client models.ExtClient) bool {
|
|
if username == MasterUser {
|
|
return true
|
|
}
|
|
user, err := GetUser(username)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
if user.UserName != client.OwnerID {
|
|
return false
|
|
}
|
|
return true
|
|
}
|