gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-04 04:04:17 +08:00
Code Issues Projects Releases Packages Wiki Activity
netmaker/logic/extpeers.go
Abhishek K d7bad9865a
NET-2014: Audit Logging (#3455) 
* feat: api access tokens

* revoke all user tokens

* redefine access token api routes, add auto egress option to enrollment keys

* add server settings apis, add db table for settigs

* handle server settings updates

* switch to using settings from DB

* fix sever settings migration

* revet force migration for settings

* fix server settings database write

* egress model

* fix revoked tokens to be unauthorized

* update egress model

* remove unused functions

* convert access token to sql schema

* switch access token to sql schema

* fix merge conflicts

* fix server settings types

* bypass basic auth setting for super admin

* add TODO comment

* setup api handlers for egress revamp

* use single DB, fix update nat boolean field

* extend validaiton checks for egress ranges

* add migration to convert to new egress model

* fix panic interface conversion

* publish peer update on settings update

* revoke token generated by an user

* add user token creation restriction by user role

* add forbidden check for access token creation

* revoke user token when group or role is changed

* add default group to admin users on update

* chore(go): import style changes from migration branch;

1. Singular file names for table schema.
2. No table name method.
3. Use .Model instead of .Table.
4. No unnecessary tagging.

* remove nat check on egress gateway request

* Revert "remove nat check on egress gateway request"

This reverts commit 0aff12a189.

* remove nat check on egress gateway request

* feat(go): add db middleware;

* feat(go): restore method;

* feat(go): add user access token schema;

* add inet gw status to egress model

* fetch node ids in the tag, add inet gw info clients

* add inet gw info to node from egress list

* add migration logic internet gws

* create default acl policies

* add egress info

* add egress TODO

* add egress TODO

* fix user auth api:

* add reference id to acl policy

* add egress response from DB

* publish peer update on egress changes

* re initalise oauth and email config

* set verbosity

* normalise cidr on egress req

* add egress id to acl group

* change acls to use egress id

* resolve merge conflicts

* fix egress reference errors

* move egress model to schema

* add api context to DB

* sync auto update settings with hosts

* sync auto update settings with hosts

* check acl for egress node

* check for egress policy in the acl dst groups

* fix acl rules for egress policies with new models

* add status to egress model

* fix inet node func

* mask secret and convert jwt duration to minutes

* enable egress policies on creation

* convert jwt duration to minutes

* add relevant ranges to inet egress

* skip non active egress routes

* resolve merge conflicts

* fix static check

* notify peers after settings update

* define schema for activity, add api handler to list network activity

* setup event channel and logger

* setup event logger, add event for user login

* change activity model to event

* add api error constants

* add logout event

* log user crud events

* add login events for oauth

* add user related events

* log events for invites and user approvals

* order user activity event by timestamp

* fix logout api

* add user and network events api, add addtional events triggers

* add filters to all events api

* fix events filter

* add diff to event logs

* update user logout api

* log settigns updates

* log events for network and host updates

* check for diff on events

* log host del event

* add user loc info to desktop app connection events

* fix authorize middleware check

* add gateway events

* resolve merge conflicts

---------

Co-authored-by: Vishal Dalwadi <dalwadivishal26@gmail.com>
2025-05-21 13:13:20 +05:30

1089 lines
29 KiB
Go
Raw Blame History

package logic
import (
"context"
"encoding/json"
"errors"
"fmt"
"net"
"reflect"
"sort"
"strings"
"sync"
"time"
"github.com/goombaio/namegenerator"
"github.com/gravitl/netmaker/database"
"github.com/gravitl/netmaker/db"
"github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/logic/acls"
"github.com/gravitl/netmaker/models"
"github.com/gravitl/netmaker/schema"
"github.com/gravitl/netmaker/servercfg"
"golang.org/x/exp/slog"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)
var (
extClientCacheMutex = &sync.RWMutex{}
extClientCacheMap = make(map[string]models.ExtClient)
)
func getAllExtClientsFromCache() (extClients []models.ExtClient) {
extClientCacheMutex.RLock()
for _, extclient := range extClientCacheMap {
if extclient.Mutex == nil {
extclient.Mutex = &sync.Mutex{}
}
extClients = append(extClients, extclient)
}
extClientCacheMutex.RUnlock()
return
}
func deleteExtClientFromCache(key string) {
extClientCacheMutex.Lock()
delete(extClientCacheMap, key)
extClientCacheMutex.Unlock()
}
func getExtClientFromCache(key string) (extclient models.ExtClient, ok bool) {
extClientCacheMutex.RLock()
extclient, ok = extClientCacheMap[key]
if extclient.Mutex == nil {
extclient.Mutex = &sync.Mutex{}
}
extClientCacheMutex.RUnlock()
return
}
func storeExtClientInCache(key string, extclient models.ExtClient) {
extClientCacheMutex.Lock()
if extclient.Mutex == nil {
extclient.Mutex = &sync.Mutex{}
}
extClientCacheMap[key] = extclient
extClientCacheMutex.Unlock()
}
// ExtClient.GetEgressRangesOnNetwork - returns the egress ranges on network of ext client
func GetEgressRangesOnNetwork(client *models.ExtClient) ([]string, error) {
var result []string
networkNodes, err := GetNetworkNodes(client.Network)
if err != nil {
return []string{}, err
}
// clientNode := client.ConvertToStaticNode()
for _, currentNode := range networkNodes {
if currentNode.Network != client.Network {
continue
}
GetNodeEgressInfo(&currentNode)
if currentNode.EgressDetails.IsInternetGateway && client.IngressGatewayID != currentNode.ID.String() {
continue
}
if currentNode.EgressDetails.IsEgressGateway { // add the egress gateway range(s) to the result
fmt.Println("EGRESSS EXTCLEINT: ", currentNode.EgressDetails)
if len(currentNode.EgressDetails.EgressGatewayRanges) > 0 {
result = append(result, currentNode.EgressDetails.EgressGatewayRanges...)
}
}
}
extclients, _ := GetNetworkExtClients(client.Network)
for _, extclient := range extclients {
if extclient.ClientID == client.ClientID {
continue
}
result = append(result, extclient.ExtraAllowedIPs...)
}
return result, nil
}
// DeleteExtClient - deletes an existing ext client
func DeleteExtClient(network string, clientid string) error {
key, err := GetRecordKey(clientid, network)
if err != nil {
return err
}
extClient, err := GetExtClient(clientid, network)
if err != nil {
return err
}
err = database.DeleteRecord(database.EXT_CLIENT_TABLE_NAME, key)
if err != nil {
return err
}
if servercfg.CacheEnabled() {
// recycle ip address
if extClient.Address != "" {
RemoveIpFromAllocatedIpMap(network, extClient.Address)
}
if extClient.Address6 != "" {
RemoveIpFromAllocatedIpMap(network, extClient.Address6)
}
deleteExtClientFromCache(key)
}
if extClient.RemoteAccessClientID != "" {
LogEvent(&models.Event{
Action: models.Disconnect,
Source: models.Subject{
ID: extClient.OwnerID,
Name: extClient.OwnerID,
Type: models.UserSub,
},
TriggeredBy: extClient.OwnerID,
Target: models.Subject{
ID: extClient.Network,
Name: extClient.Network,
Type: models.NetworkSub,
Info: extClient,
},
NetworkID: models.NetworkID(extClient.Network),
Origin: models.ClientApp,
})
}
go RemoveNodeFromAclPolicy(extClient.ConvertToStaticNode())
return nil
}
// DeleteExtClientAndCleanup - deletes an existing ext client and update ACLs
func DeleteExtClientAndCleanup(extClient models.ExtClient) error {
//delete extClient record
err := DeleteExtClient(extClient.Network, extClient.ClientID)
if err != nil {
slog.Error("DeleteExtClientAndCleanup-remove extClient record: ", "Error", err.Error())
return err
}
//update ACLs
var networkAcls acls.ACLContainer
networkAcls, err = networkAcls.Get(acls.ContainerID(extClient.Network))
if err != nil {
slog.Error("DeleteExtClientAndCleanup-update network acls: ", "Error", err.Error())
return err
}
for objId := range networkAcls {
delete(networkAcls[objId], acls.AclID(extClient.ClientID))
}
delete(networkAcls, acls.AclID(extClient.ClientID))
if _, err = networkAcls.Save(acls.ContainerID(extClient.Network)); err != nil {
slog.Error("DeleteExtClientAndCleanup-update network acls:", "Error", err.Error())
return err
}
return nil
}
//TODO - enforce extclient-to-extclient on ingress gw
/* 1. fetch all non-user static nodes
a. check against each user node, if allowed add rule
*/
// GetNetworkExtClients - gets the ext clients of given network
func GetNetworkExtClients(network string) ([]models.ExtClient, error) {
var extclients []models.ExtClient
if servercfg.CacheEnabled() {
allextclients := getAllExtClientsFromCache()
if len(allextclients) != 0 {
for _, extclient := range allextclients {
if extclient.Network == network {
extclients = append(extclients, extclient)
}
}
return extclients, nil
}
}
records, err := database.FetchRecords(database.EXT_CLIENT_TABLE_NAME)
if err != nil {
if database.IsEmptyRecord(err) {
return extclients, nil
}
return extclients, err
}
for _, value := range records {
var extclient models.ExtClient
err = json.Unmarshal([]byte(value), &extclient)
if err != nil {
continue
}
key, err := GetRecordKey(extclient.ClientID, extclient.Network)
if err == nil {
if servercfg.CacheEnabled() {
storeExtClientInCache(key, extclient)
}
}
if extclient.Network == network {
extclients = append(extclients, extclient)
}
}
return extclients, err
}
// GetExtClient - gets a single ext client on a network
func GetExtClient(clientid string, network string) (models.ExtClient, error) {
var extclient models.ExtClient
key, err := GetRecordKey(clientid, network)
if err != nil {
return extclient, err
}
if servercfg.CacheEnabled() {
if extclient, ok := getExtClientFromCache(key); ok {
return extclient, nil
}
}
data, err := database.FetchRecord(database.EXT_CLIENT_TABLE_NAME, key)
if err != nil {
return extclient, err
}
err = json.Unmarshal([]byte(data), &extclient)
if servercfg.CacheEnabled() {
storeExtClientInCache(key, extclient)
}
return extclient, err
}
// GetGwExtclients - return all ext clients attached to the passed gw id
func GetGwExtclients(nodeID, network string) []models.ExtClient {
gwClients := []models.ExtClient{}
clients, err := GetNetworkExtClients(network)
if err != nil {
return gwClients
}
for _, client := range clients {
if client.IngressGatewayID == nodeID {
gwClients = append(gwClients, client)
}
}
return gwClients
}
// GetExtClient - gets a single ext client on a network
func GetExtClientByPubKey(publicKey string, network string) (*models.ExtClient, error) {
netClients, err := GetNetworkExtClients(network)
if err != nil {
return nil, err
}
for i := range netClients {
ec := netClients[i]
if ec.PublicKey == publicKey {
return &ec, nil
}
}
return nil, fmt.Errorf("no client found")
}
// CreateExtClient - creates and saves an extclient
func CreateExtClient(extclient *models.ExtClient) error {
// lock because we may need unique IPs and having it concurrent makes parallel calls result in same "unique" IPs
addressLock.Lock()
defer addressLock.Unlock()
if len(extclient.PublicKey) == 0 {
privateKey, err := wgtypes.GeneratePrivateKey()
if err != nil {
return err
}
extclient.PrivateKey = privateKey.String()
extclient.PublicKey = privateKey.PublicKey().String()
} else if len(extclient.PrivateKey) == 0 && len(extclient.PublicKey) > 0 {
extclient.PrivateKey = "[ENTER PRIVATE KEY]"
}
if extclient.ExtraAllowedIPs == nil {
extclient.ExtraAllowedIPs = []string{}
}
parentNetwork, err := GetNetwork(extclient.Network)
if err != nil {
return err
}
if extclient.Address == "" {
if parentNetwork.IsIPv4 == "yes" {
newAddress, err := UniqueAddress(extclient.Network, true)
if err != nil {
return err
}
extclient.Address = newAddress.String()
}
}
if extclient.Address6 == "" {
if parentNetwork.IsIPv6 == "yes" {
addr6, err := UniqueAddress6(extclient.Network, true)
if err != nil {
return err
}
extclient.Address6 = addr6.String()
}
}
if extclient.ClientID == "" {
extclient.ClientID, err = GenerateNodeName(extclient.Network)
if err != nil {
return err
}
}
extclient.LastModified = time.Now().Unix()
return SaveExtClient(extclient)
}
// GenerateNodeName - generates a random node name
func GenerateNodeName(network string) (string, error) {
seed := time.Now().UTC().UnixNano()
nameGenerator := namegenerator.NewNameGenerator(seed)
var name string
cnt := 0
for {
if cnt > 10 {
return "", errors.New("couldn't generate random name, try again")
}
cnt += 1
name = nameGenerator.Generate()
if len(name) > 15 {
continue
}
_, err := GetExtClient(name, network)
if err == nil {
// config exists with same name
continue
}
break
}
return name, nil
}
// SaveExtClient - saves an ext client to database
func SaveExtClient(extclient *models.ExtClient) error {
key, err := GetRecordKey(extclient.ClientID, extclient.Network)
if err != nil {
return err
}
data, err := json.Marshal(&extclient)
if err != nil {
return err
}
if err = database.Insert(key, string(data), database.EXT_CLIENT_TABLE_NAME); err != nil {
return err
}
if servercfg.CacheEnabled() {
storeExtClientInCache(key, *extclient)
if _, ok := allocatedIpMap[extclient.Network]; ok {
if extclient.Address != "" {
AddIpToAllocatedIpMap(extclient.Network, net.ParseIP(extclient.Address))
}
if extclient.Address6 != "" {
AddIpToAllocatedIpMap(extclient.Network, net.ParseIP(extclient.Address6))
}
}
}
return SetNetworkNodesLastModified(extclient.Network)
}
// UpdateExtClient - updates an ext client with new values
func UpdateExtClient(old *models.ExtClient, update *models.CustomExtClient) models.ExtClient {
new := *old
new.ClientID = update.ClientID
if update.PublicKey != "" && old.PublicKey != update.PublicKey {
new.PublicKey = update.PublicKey
}
if update.DNS != old.DNS {
new.DNS = update.DNS
}
if update.Enabled != old.Enabled {
new.Enabled = update.Enabled
}
new.ExtraAllowedIPs = update.ExtraAllowedIPs
if update.DeniedACLs != nil && !reflect.DeepEqual(old.DeniedACLs, update.DeniedACLs) {
new.DeniedACLs = update.DeniedACLs
}
// replace any \r\n with \n in postup and postdown from HTTP request
new.PostUp = strings.Replace(update.PostUp, "\r\n", "\n", -1)
new.PostDown = strings.Replace(update.PostDown, "\r\n", "\n", -1)
new.Tags = update.Tags
return new
}
// GetExtClientsByID - gets the clients of attached gateway
func GetExtClientsByID(nodeid, network string) ([]models.ExtClient, error) {
var result []models.ExtClient
currentClients, err := GetNetworkExtClients(network)
if err != nil {
return result, err
}
for i := range currentClients {
if currentClients[i].IngressGatewayID == nodeid {
result = append(result, currentClients[i])
}
}
return result, nil
}
// GetAllExtClients - gets all ext clients from DB
func GetAllExtClients() ([]models.ExtClient, error) {
var clients = []models.ExtClient{}
currentNetworks, err := GetNetworks()
if err != nil && database.IsEmptyRecord(err) {
return clients, nil
} else if err != nil {
return clients, err
}
for i := range currentNetworks {
netName := currentNetworks[i].NetID
netClients, err := GetNetworkExtClients(netName)
if err != nil {
continue
}
clients = append(clients, netClients...)
}
return clients, nil
}
// GetAllExtClientsWithStatus - returns all external clients with
// given status.
func GetAllExtClientsWithStatus(status models.NodeStatus) ([]models.ExtClient, error) {
extClients, err := GetAllExtClients()
if err != nil {
return nil, err
}
var validExtClients []models.ExtClient
for _, extClient := range extClients {
node := extClient.ConvertToStaticNode()
GetNodeCheckInStatus(&node, false)
if node.Status == status {
validExtClients = append(validExtClients, extClient)
}
}
return validExtClients, nil
}
// ToggleExtClientConnectivity - enables or disables an ext client
func ToggleExtClientConnectivity(client *models.ExtClient, enable bool) (models.ExtClient, error) {
update := models.CustomExtClient{
Enabled: enable,
ClientID: client.ClientID,
PublicKey: client.PublicKey,
DNS: client.DNS,
ExtraAllowedIPs: client.ExtraAllowedIPs,
DeniedACLs: client.DeniedACLs,
RemoteAccessClientID: client.RemoteAccessClientID,
}
// update in DB
newClient := UpdateExtClient(client, &update)
if err := DeleteExtClient(client.Network, client.ClientID); err != nil {
slog.Error("failed to delete ext client during update", "id", client.ClientID, "network", client.Network, "error", err)
return newClient, err
}
if err := SaveExtClient(&newClient); err != nil {
slog.Error("failed to save updated ext client during update", "id", newClient.ClientID, "network", newClient.Network, "error", err)
return newClient, err
}
return newClient, nil
}
// Sort a slice of net.IP addresses
func sortIPs(ips []net.IP) {
sort.Slice(ips, func(i, j int) bool {
ip1, ip2 := ips[i].To16(), ips[j].To16()
return string(ip1) < string(ip2) // Compare as byte slices
})
}
func GetStaticNodeIps(node models.Node) (ips []net.IP) {
defer func() {
sortIPs(ips)
}()
defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
extclients := GetStaticNodesByNetwork(models.NetworkID(node.Network), false)
for _, extclient := range extclients {
if extclient.IsUserNode && defaultUserPolicy.Enabled {
continue
}
if !extclient.IsUserNode && defaultDevicePolicy.Enabled {
continue
}
if extclient.StaticNode.Address != "" {
ips = append(ips, extclient.StaticNode.AddressIPNet4().IP)
}
if extclient.StaticNode.Address6 != "" {
ips = append(ips, extclient.StaticNode.AddressIPNet6().IP)
}
}
return
}
func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []models.Acl) (rules []models.FwRule) {
for _, policy := range allowedPolicies {
// if static peer dst rule not for ingress node -> skip
if node.Address.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: node.Address.IP,
Mask: net.CIDRMask(32, 32),
},
DstIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
if node.Address6.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: node.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
DstIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
if policy.AllowedDirection == models.TrafficDirectionBi {
if node.Address.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
DstIP: net.IPNet{
IP: node.Address.IP,
Mask: net.CIDRMask(32, 32),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
if node.Address6.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
DstIP: net.IPNet{
IP: node.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
if len(node.StaticNode.ExtraAllowedIPs) > 0 {
for _, additionalAllowedIPNet := range node.StaticNode.ExtraAllowedIPs {
_, ipNet, err := net.ParseCIDR(additionalAllowedIPNet)
if err != nil {
continue
}
if ipNet.IP.To4() != nil && peer.Address.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
DstIP: *ipNet,
Allow: true,
})
} else if peer.Address6.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
DstIP: *ipNet,
Allow: true,
})
}
}
}
if len(peer.StaticNode.ExtraAllowedIPs) > 0 {
for _, additionalAllowedIPNet := range peer.StaticNode.ExtraAllowedIPs {
_, ipNet, err := net.ParseCIDR(additionalAllowedIPNet)
if err != nil {
continue
}
if ipNet.IP.To4() != nil && node.Address.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: node.Address.IP,
Mask: net.CIDRMask(32, 32),
},
DstIP: *ipNet,
Allow: true,
})
} else if node.Address6.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: node.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
DstIP: *ipNet,
Allow: true,
})
}
}
}
// add egress range rules
for _, dstI := range policy.Dst {
if dstI.ID == models.EgressID {
e := schema.Egress{ID: dstI.Value}
err := e.Get(db.WithContext(context.TODO()))
if err != nil {
continue
}
dstI.Value = e.Range
ip, cidr, err := net.ParseCIDR(dstI.Value)
if err == nil {
if ip.To4() != nil {
if node.Address.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: node.Address.IP,
Mask: net.CIDRMask(32, 32),
},
DstIP: *cidr,
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
} else {
if node.Address6.IP != nil {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: node.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
DstIP: *cidr,
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
}
}
}
return
}
func getFwRulesForUserNodesOnGw(node models.Node, nodes []models.Node) (rules []models.FwRule) {
defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
for _, userNodeI := range userNodes {
for _, peer := range nodes {
if peer.IsUserNode {
continue
}
if ok, allowedPolicies := IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer); ok {
if peer.IsStatic {
peer = peer.StaticNode.ConvertToStaticNode()
}
if !defaultUserPolicy.Enabled {
for _, policy := range allowedPolicies {
if userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet4(),
DstIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet6(),
DstIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
// add egress ranges
for _, dstI := range policy.Dst {
if dstI.ID == models.EgressID {
e := schema.Egress{ID: dstI.Value}
err := e.Get(db.WithContext(context.TODO()))
if err != nil {
continue
}
dstI.Value = e.Range
ip, cidr, err := net.ParseCIDR(dstI.Value)
if err == nil {
if ip.To4() != nil && userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet4(),
DstIP: *cidr,
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
} else if ip.To16() != nil && userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet6(),
DstIP: *cidr,
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
}
}
}
}
}
}
return
}
func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
// fetch user access to static clients via policies
defer func() {
sort.Slice(rules, func(i, j int) bool {
if !rules[i].SrcIP.IP.Equal(rules[j].SrcIP.IP) {
return string(rules[i].SrcIP.IP.To16()) < string(rules[j].SrcIP.IP.To16())
}
return string(rules[i].DstIP.IP.To16()) < string(rules[j].DstIP.IP.To16())
})
}()
defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
nodes, _ := GetNetworkNodes(node.Network)
nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...)
rules = getFwRulesForUserNodesOnGw(node, nodes)
if defaultDevicePolicy.Enabled {
return
}
for _, nodeI := range nodes {
if !nodeI.IsStatic || nodeI.IsUserNode {
continue
}
// if nodeI.StaticNode.IngressGatewayID != node.ID.String() {
// continue
// }
for _, peer := range nodes {
if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode {
continue
}
if nodeI.StaticNode.IngressGatewayID != node.ID.String() &&
((!peer.IsStatic && peer.ID.String() != node.ID.String()) ||
(peer.IsStatic && peer.StaticNode.IngressGatewayID != node.ID.String())) {
continue
}
if peer.IsStatic {
peer = peer.StaticNode.ConvertToStaticNode()
}
var allowedPolicies1 []models.Acl
var ok bool
if ok, allowedPolicies1 = IsNodeAllowedToCommunicateV1(nodeI.StaticNode.ConvertToStaticNode(), peer, true); ok {
rules = append(rules, getFwRulesForNodeAndPeerOnGw(nodeI.StaticNode.ConvertToStaticNode(), peer, allowedPolicies1)...)
}
if ok, allowedPolicies2 := IsNodeAllowedToCommunicateV1(peer, nodeI.StaticNode.ConvertToStaticNode(), true); ok {
rules = append(rules,
getFwRulesForNodeAndPeerOnGw(peer, nodeI.StaticNode.ConvertToStaticNode(),
GetUniquePolicies(allowedPolicies1, allowedPolicies2))...)
}
}
}
return
}
func GetUniquePolicies(policies1, policies2 []models.Acl) []models.Acl {
policies1Map := make(map[string]struct{})
for _, policy1I := range policies1 {
policies1Map[policy1I.ID] = struct{}{}
}
for i := len(policies2) - 1; i >= 0; i-- {
if _, ok := policies1Map[policies2[i].ID]; ok {
policies2 = append(policies2[:i], policies2[i+1:]...)
}
}
return policies2
}
func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, error) {
var peers []wgtypes.PeerConfig
var idsAndAddr []models.IDandAddr
var egressRoutes []models.EgressNetworkRoutes
extPeers, err := GetNetworkExtClients(node.Network)
if err != nil {
return peers, idsAndAddr, egressRoutes, err
}
host, err := GetHost(node.HostID.String())
if err != nil {
return peers, idsAndAddr, egressRoutes, err
}
for _, extPeer := range extPeers {
extPeer := extPeer
if !IsClientNodeAllowed(&extPeer, peer.ID.String()) {
continue
}
if extPeer.RemoteAccessClientID == "" {
if ok := IsPeerAllowed(extPeer.ConvertToStaticNode(), *peer, true); !ok {
continue
}
} else {
if ok, _ := IsUserAllowedToCommunicate(extPeer.OwnerID, *peer); !ok {
continue
}
}
pubkey, err := wgtypes.ParseKey(extPeer.PublicKey)
if err != nil {
logger.Log(1, "error parsing ext pub key:", err.Error())
continue
}
if host.PublicKey.String() == extPeer.PublicKey ||
extPeer.IngressGatewayID != node.ID.String() || !extPeer.Enabled {
continue
}
var allowedips []net.IPNet
var peer wgtypes.PeerConfig
if extPeer.Address != "" {
var peeraddr = net.IPNet{
IP: net.ParseIP(extPeer.Address),
Mask: net.CIDRMask(32, 32),
}
if peeraddr.IP != nil && peeraddr.Mask != nil {
allowedips = append(allowedips, peeraddr)
}
}
if extPeer.Address6 != "" {
var addr6 = net.IPNet{
IP: net.ParseIP(extPeer.Address6),
Mask: net.CIDRMask(128, 128),
}
if addr6.IP != nil && addr6.Mask != nil {
allowedips = append(allowedips, addr6)
}
}
for _, extraAllowedIP := range extPeer.ExtraAllowedIPs {
_, cidr, err := net.ParseCIDR(extraAllowedIP)
if err == nil {
allowedips = append(allowedips, *cidr)
}
}
egressRoutes = append(egressRoutes, getExtPeerEgressRoute(*node, extPeer)...)
primaryAddr := extPeer.Address
if primaryAddr == "" {
primaryAddr = extPeer.Address6
}
peer = wgtypes.PeerConfig{
PublicKey: pubkey,
ReplaceAllowedIPs: true,
AllowedIPs: allowedips,
}
peers = append(peers, peer)
idsAndAddr = append(idsAndAddr, models.IDandAddr{
ID: peer.PublicKey.String(),
Name: extPeer.ClientID,
Address: primaryAddr,
IsExtClient: true,
})
}
return peers, idsAndAddr, egressRoutes, nil
}
func getExtPeerEgressRoute(node models.Node, extPeer models.ExtClient) (egressRoutes []models.EgressNetworkRoutes) {
r := models.EgressNetworkRoutes{
PeerKey: extPeer.PublicKey,
EgressGwAddr: extPeer.AddressIPNet4(),
EgressGwAddr6: extPeer.AddressIPNet6(),
NodeAddr: node.Address,
NodeAddr6: node.Address6,
EgressRanges: extPeer.ExtraAllowedIPs,
}
for _, extraAllowedIP := range extPeer.ExtraAllowedIPs {
r.EgressRangesWithMetric = append(r.EgressRangesWithMetric, models.EgressRangeMetric{
Network: extraAllowedIP,
RouteMetric: 256,
})
}
egressRoutes = append(egressRoutes, r)
return
}
func getExtpeerEgressRanges(node models.Node) (ranges, ranges6 []net.IPNet) {
extPeers, err := GetNetworkExtClients(node.Network)
if err != nil {
return
}
for _, extPeer := range extPeers {
if len(extPeer.ExtraAllowedIPs) == 0 {
continue
}
if ok, _ := IsNodeAllowedToCommunicateV1(extPeer.ConvertToStaticNode(), node, true); !ok {
continue
}
for _, allowedRange := range extPeer.ExtraAllowedIPs {
_, ipnet, err := net.ParseCIDR(allowedRange)
if err == nil {
if ipnet.IP.To4() != nil {
ranges = append(ranges, *ipnet)
} else {
ranges6 = append(ranges6, *ipnet)
}
}
}
}
return
}
func getExtpeersExtraRoutes(node models.Node) (egressRoutes []models.EgressNetworkRoutes) {
extPeers, err := GetNetworkExtClients(node.Network)
if err != nil {
return
}
for _, extPeer := range extPeers {
if len(extPeer.ExtraAllowedIPs) == 0 {
continue
}
if ok, _ := IsNodeAllowedToCommunicateV1(extPeer.ConvertToStaticNode(), node, true); !ok {
continue
}
egressRoutes = append(egressRoutes, getExtPeerEgressRoute(node, extPeer)...)
}
return
}
func GetExtclientAllowedIPs(client models.ExtClient) (allowedIPs []string) {
gwnode, err := GetNodeByID(client.IngressGatewayID)
if err != nil {
logger.Log(0,
fmt.Sprintf("failed to get ingress gateway node [%s] info: %v", client.IngressGatewayID, err))
return
}
network, err := GetParentNetwork(client.Network)
if err != nil {
logger.Log(1, "Could not retrieve Ingress Gateway Network", client.Network)
return
}
if IsInternetGw(gwnode) {
egressrange := "0.0.0.0/0"
if gwnode.Address6.IP != nil && client.Address6 != "" {
egressrange += "," + "::/0"
}
allowedIPs = []string{egressrange}
} else {
allowedIPs = []string{network.AddressRange}
if network.AddressRange6 != "" {
allowedIPs = append(allowedIPs, network.AddressRange6)
}
if egressGatewayRanges, err := GetEgressRangesOnNetwork(&client); err == nil {
allowedIPs = append(allowedIPs, egressGatewayRanges...)
}
}
return
}
func GetStaticUserNodesByNetwork(network models.NetworkID) (staticNode []models.Node) {
extClients, err := GetAllExtClients()
if err != nil {
return
}
for _, extI := range extClients {
if extI.Network == network.String() {
if extI.RemoteAccessClientID != "" {
n := extI.ConvertToStaticNode()
staticNode = append(staticNode, n)
}
}
}
return
}
func GetStaticNodesByNetwork(network models.NetworkID, onlyWg bool) (staticNode []models.Node) {
extClients, err := GetAllExtClients()
if err != nil {
return
}
SortExtClient(extClients[:])
for _, extI := range extClients {
if extI.Network == network.String() {
if onlyWg && extI.RemoteAccessClientID != "" {
continue
}
n := models.Node{
IsStatic: true,
StaticNode: extI,
IsUserNode: extI.RemoteAccessClientID != "",
}
staticNode = append(staticNode, n)
}
}
return
}
func GetStaticNodesByGw(gwNode models.Node) (staticNode []models.Node) {
extClients, err := GetAllExtClients()
if err != nil {
return
}
for _, extI := range extClients {
if extI.IngressGatewayID == gwNode.ID.String() {
n := models.Node{
IsStatic: true,
StaticNode: extI,
IsUserNode: extI.RemoteAccessClientID != "",
}
staticNode = append(staticNode, n)
}
}
return
}
Reference in a new issue View git blame Copy permalink