mirror of
https://github.com/gravitl/netmaker.git
synced 2026-04-23 00:17:10 +08:00
VishalDalwadi
296 lines
11 KiB
Go
296 lines
11 KiB
Go
//go:build ee
|
|
// +build ee
|
|
|
|
package pro
|
|
|
|
import (
|
|
"context"
|
|
"sync"
|
|
"time"
|
|
|
|
ch "github.com/gravitl/netmaker/clickhouse"
|
|
controller "github.com/gravitl/netmaker/controllers"
|
|
"github.com/gravitl/netmaker/db"
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/logic"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/mq"
|
|
"github.com/gravitl/netmaker/pro/auth"
|
|
proControllers "github.com/gravitl/netmaker/pro/controllers"
|
|
"github.com/gravitl/netmaker/pro/email"
|
|
proLogic "github.com/gravitl/netmaker/pro/logic"
|
|
"github.com/gravitl/netmaker/schema"
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
"golang.org/x/exp/slog"
|
|
)
|
|
|
|
// InitPro - Initialize Pro Logic
|
|
func InitPro() {
|
|
servercfg.IsPro = true
|
|
models.SetLogo(retrieveProLogo())
|
|
controller.HttpMiddlewares = append(
|
|
controller.HttpMiddlewares,
|
|
// TODO: try to add clickhouse middleware only if needed.
|
|
ch.Middleware,
|
|
proControllers.OnlyServerAPIWhenUnlicensedMiddleware,
|
|
)
|
|
controller.HttpHandlers = append(
|
|
controller.HttpHandlers,
|
|
proControllers.MetricHandlers,
|
|
proControllers.UserHandlers,
|
|
proControllers.FailOverHandlers,
|
|
proControllers.RacHandlers,
|
|
proControllers.EventHandlers,
|
|
proControllers.TagHandlers,
|
|
proControllers.NetworkHandlers,
|
|
proControllers.AutoRelayHandlers,
|
|
// TODO: try to add flow handler only if flow logs are enabled.
|
|
proControllers.FlowHandlers,
|
|
proControllers.PostureCheckHandlers,
|
|
proControllers.JITHandlers,
|
|
)
|
|
controller.ListRoles = proControllers.ListRoles
|
|
logic.EnterpriseCheckFuncs = append(logic.EnterpriseCheckFuncs, func(ctx context.Context, wg *sync.WaitGroup) {
|
|
// == License Handling ==
|
|
enableLicenseHook := true
|
|
// licenseKeyValue := servercfg.GetLicenseKey()
|
|
// netmakerTenantID := servercfg.GetNetmakerTenantID()
|
|
// if licenseKeyValue != "" && netmakerTenantID != "" {
|
|
// enableLicenseHook = true
|
|
// }
|
|
if !enableLicenseHook {
|
|
err := initTrial()
|
|
if err != nil {
|
|
logger.Log(0, "failed to init trial", err.Error())
|
|
enableLicenseHook = true
|
|
}
|
|
trialEndDate, err := getTrialEndDate()
|
|
if err != nil {
|
|
slog.Error("failed to get trial end date", "error", err)
|
|
enableLicenseHook = true
|
|
} else {
|
|
// check if trial ended
|
|
if time.Now().After(trialEndDate) {
|
|
// trial ended already
|
|
enableLicenseHook = true
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
if enableLicenseHook {
|
|
logger.Log(0, "starting license checker")
|
|
ClearLicenseCache()
|
|
if err := ValidateLicense(); err != nil {
|
|
slog.Error(err.Error())
|
|
return
|
|
}
|
|
logger.Log(0, "proceeding with Paid Tier license")
|
|
logic.SetFreeTierForTelemetry(false)
|
|
// == End License Handling ==
|
|
// License validation runs on all pods to avoid audit issues
|
|
AddLicenseHooks()
|
|
} else {
|
|
logger.Log(0, "starting trial license hook")
|
|
addTrialLicenseHook()
|
|
}
|
|
|
|
//AddUnauthorisedUserNodeHooks()
|
|
|
|
var authProvider = auth.InitializeAuthProvider()
|
|
if authProvider != "" {
|
|
slog.Info("OAuth provider,", authProvider+",", "initialized")
|
|
} else {
|
|
slog.Error("no OAuth provider found or not configured, continuing without OAuth")
|
|
}
|
|
proLogic.LoadNodeMetricsToCache()
|
|
proLogic.InitFailOverCache()
|
|
if servercfg.CacheEnabled() {
|
|
proLogic.InitAutoRelayCache()
|
|
}
|
|
|
|
// Only run singleton operations on master pod in HA setup
|
|
// These include IDP sync, posture checks, JIT expiry, and flow cleanup
|
|
if servercfg.IsMasterPod() {
|
|
auth.ResetIDPSyncHook()
|
|
proLogic.AddPostureCheckHook()
|
|
// Register JIT expiry hook with email notifications
|
|
addJitExpiryHookWithEmail()
|
|
|
|
if proLogic.GetFeatureFlags().EnableFlowLogs && logic.GetServerSettings().EnableFlowLogs {
|
|
err := ch.Initialize()
|
|
if err != nil {
|
|
logger.Log(0, "error connecting to clickhouse:", err.Error())
|
|
}
|
|
|
|
proLogic.StartFlowCleanupLoop()
|
|
|
|
wg.Add(1)
|
|
go func(ctx context.Context, wg *sync.WaitGroup) {
|
|
<-ctx.Done()
|
|
proLogic.StopFlowCleanupLoop()
|
|
ch.Close()
|
|
wg.Done()
|
|
}(ctx, wg)
|
|
}
|
|
}
|
|
|
|
// These can run on all pods
|
|
email.Init()
|
|
go proLogic.EventWatcher()
|
|
logic.GetMetricsMonitor().Start()
|
|
})
|
|
logic.ResetFailOver = proLogic.ResetFailOver
|
|
logic.ResetFailedOverPeer = proLogic.ResetFailedOverPeer
|
|
logic.FailOverExists = proLogic.FailOverExists
|
|
logic.CreateFailOver = proLogic.CreateFailOver
|
|
logic.GetFailOverPeerIps = proLogic.GetFailOverPeerIps
|
|
|
|
logic.ResetAutoRelay = proLogic.ResetAutoRelay
|
|
logic.ResetAutoRelayedPeer = proLogic.ResetAutoRelayedPeer
|
|
logic.SetAutoRelay = proLogic.SetAutoRelay
|
|
logic.GetAutoRelayPeerIps = proLogic.GetAutoRelayPeerIps
|
|
|
|
logic.GetMetrics = proLogic.GetMetrics
|
|
logic.UpdateMetrics = proLogic.UpdateMetrics
|
|
logic.DeleteMetrics = proLogic.DeleteMetrics
|
|
logic.GetTrialEndDate = getTrialEndDate
|
|
mq.UpdateMetrics = proLogic.MQUpdateMetrics
|
|
mq.UpdateMetricsFallBack = proLogic.MQUpdateMetricsFallBack
|
|
logic.GetFilteredNodesByUserAccess = proLogic.GetFilteredNodesByUserAccess
|
|
|
|
logic.DeleteRole = proLogic.DeleteRole
|
|
logic.NetworkPermissionsCheck = proLogic.NetworkPermissionsCheck
|
|
logic.GlobalPermissionsCheck = proLogic.GlobalPermissionsCheck
|
|
logic.DeleteNetworkRoles = proLogic.DeleteNetworkRoles
|
|
logic.CreateDefaultNetworkRolesAndGroups = proLogic.CreateDefaultNetworkRolesAndGroups
|
|
logic.FilterNetworksByRole = proLogic.FilterNetworksByRole
|
|
logic.IsGroupsValid = proLogic.IsGroupsValid
|
|
|
|
logic.InitialiseRoles = proLogic.UserRolesInit
|
|
logic.UpdateUserGwAccess = proLogic.UpdateUserGwAccess
|
|
logic.CreateDefaultUserPolicies = proLogic.CreateDefaultUserPolicies
|
|
logic.IntialiseGroups = proLogic.UserGroupsInit
|
|
logic.AddGlobalNetRolesToAdmins = proLogic.AddGlobalNetRolesToAdmins
|
|
|
|
logic.GetUserGroup = proLogic.GetUserGroup
|
|
logic.GetNodeStatus = proLogic.GetNodeStatus
|
|
logic.IsOAuthConfigured = auth.IsOAuthConfigured
|
|
logic.ResetAuthProvider = auth.ResetAuthProvider
|
|
logic.ResetIDPSyncHook = auth.ResetIDPSyncHook
|
|
logic.SyncFromIDP = auth.SyncFromIDP
|
|
logic.EmailInit = email.Init
|
|
logic.LogEvent = proLogic.LogEvent
|
|
logic.RemoveUserFromAclPolicy = proLogic.RemoveUserFromAclPolicy
|
|
logic.EnsureDefaultUserGroupNetworkPolicies = proLogic.EnsureDefaultUserGroupNetworkPolicies
|
|
logic.GetGroupNetworksMap = proLogic.GetGroupNetworksMap
|
|
logic.IsUserAllowedToCommunicate = proLogic.IsUserAllowedToCommunicate
|
|
logic.DeleteAllNetworkTags = proLogic.DeleteAllNetworkTags
|
|
logic.CreateDefaultTags = proLogic.CreateDefaultTags
|
|
logic.IsPeerAllowed = proLogic.IsPeerAllowed
|
|
logic.IsAclPolicyValid = proLogic.IsAclPolicyValid
|
|
logic.GetEgressUserRulesForNode = proLogic.GetEgressUserRulesForNode
|
|
logic.GetTagMapWithNodesByNetwork = proLogic.GetTagMapWithNodesByNetwork
|
|
logic.GetUserAclRulesForNode = proLogic.GetUserAclRulesForNode
|
|
logic.CheckIfAnyPolicyisUniDirectional = proLogic.CheckIfAnyPolicyisUniDirectional
|
|
logic.MigrateToGws = proLogic.MigrateToGws
|
|
logic.GetFwRulesForNodeAndPeerOnGw = proLogic.GetFwRulesForNodeAndPeerOnGw
|
|
logic.GetFwRulesForUserNodesOnGw = proLogic.GetFwRulesForUserNodesOnGw
|
|
logic.GetFeatureFlags = proLogic.GetFeatureFlags
|
|
logic.GetDeploymentMode = proLogic.GetDeploymentMode
|
|
logic.GetNameserversForHost = proLogic.GetNameserversForHost
|
|
logic.GetNameserversForNode = proLogic.GetNameserversForNode
|
|
logic.ValidateNameserverReq = proLogic.ValidateNameserverReq
|
|
logic.ValidateEgressReq = proLogic.ValidateEgressReq
|
|
logic.CheckPostureViolations = proLogic.CheckPostureViolations
|
|
logic.GetPostureCheckDeviceInfoByNode = proLogic.GetPostureCheckDeviceInfoByNode
|
|
logic.StartFlowCleanupLoop = proLogic.StartFlowCleanupLoop
|
|
logic.StopFlowCleanupLoop = proLogic.StopFlowCleanupLoop
|
|
// Expose JIT functions
|
|
logic.CheckJITAccess = proLogic.CheckJITAccess
|
|
logic.AssignVirtualRangeToEgress = proLogic.AssignVirtualRangeToEgress
|
|
}
|
|
|
|
// addJitExpiryHookWithEmail - registers a hook that expires JIT grants and sends email notifications
|
|
func addJitExpiryHookWithEmail() {
|
|
if !proLogic.GetFeatureFlags().EnableJIT {
|
|
return
|
|
}
|
|
// Register JIT grant expiry hook with email notifications - runs every 5 minutes
|
|
logic.HookManagerCh <- models.HookDetails{
|
|
ID: "jit-expiry-hook",
|
|
Hook: logic.WrapHook(expireJITGrantsWithEmail),
|
|
Interval: 5 * time.Minute,
|
|
}
|
|
}
|
|
|
|
// expireJITGrantsWithEmail - expires JIT grants and sends email notifications
|
|
func expireJITGrantsWithEmail() error {
|
|
ctx := db.WithContext(context.Background())
|
|
|
|
// Get grants that are about to expire or just expired (within last 5 minutes)
|
|
// We check before expiring so we can send emails
|
|
grant := schema.JITGrant{}
|
|
allGrants, err := grant.ListExpired(ctx)
|
|
if err != nil {
|
|
slog.Warn("failed to list expired grants for email notification", "error", err)
|
|
// Continue with expiration even if listing fails
|
|
}
|
|
|
|
// Track grants that need email before we expire them
|
|
var grantsToEmail []struct {
|
|
Grant *schema.JITGrant
|
|
Request *schema.JITRequest
|
|
Network *schema.Network
|
|
}
|
|
|
|
fiveMinutesAgo := time.Now().Add(-5 * time.Minute)
|
|
for _, expiredGrant := range allGrants {
|
|
// Only send email for grants that expired recently (within last 5 minutes)
|
|
if expiredGrant.ExpiresAt.After(fiveMinutesAgo) && expiredGrant.RequestID != "" {
|
|
request := schema.JITRequest{ID: expiredGrant.RequestID}
|
|
if err := request.Get(ctx); err == nil {
|
|
network := &schema.Network{Name: expiredGrant.NetworkID}
|
|
err = network.Get(db.WithContext(context.TODO()))
|
|
if err == nil {
|
|
grantsToEmail = append(grantsToEmail, struct {
|
|
Grant *schema.JITGrant
|
|
Request *schema.JITRequest
|
|
Network *schema.Network
|
|
}{&expiredGrant, &request, network})
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// First, expire the grants (this handles the business logic)
|
|
if err := proLogic.ExpireJITGrants(); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Then, send email notifications for the grants we tracked
|
|
for _, item := range grantsToEmail {
|
|
if err := email.SendJITExpirationEmail(item.Grant, item.Request, item.Network, false, ""); err != nil {
|
|
slog.Warn("failed to send expiration email", "grant_id", item.Grant.ID, "user", item.Request.UserName, "error", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func retrieveProLogo() string {
|
|
return `
|
|
__ __ ______ ______ __ __ ______ __ __ ______ ______
|
|
/\ "-.\ \ /\ ___\ /\__ _\ /\ "-./ \ /\ __ \ /\ \/ / /\ ___\ /\ == \
|
|
\ \ \-. \ \ \ __\ \/_/\ \/ \ \ \-./\ \ \ \ __ \ \ \ _"-. \ \ __\ \ \ __<
|
|
\ \_\\"\_\ \ \_____\ \ \_\ \ \_\ \ \_\ \ \_\ \_\ \ \_\ \_\ \ \_____\ \ \_\ \_\
|
|
\/_/ \/_/ \/_____/ \/_/ \/_/ \/_/ \/_/\/_/ \/_/\/_/ \/_____/ \/_/ /_/
|
|
|
|
___ ___ ____
|
|
____ ____ ____ / _ \ / _ \ / __ \ ____ ____ ____
|
|
/___/ /___/ /___/ / ___/ / , _// /_/ / /___/ /___/ /___/
|
|
/___/ /___/ /___/ /_/ /_/|_| \____/ /___/ /___/ /___/
|
|
|
|
`
|
|
}
|