mirror of
https://github.com/gravitl/netmaker.git
synced 2026-04-22 16:07:11 +08:00
Abhishek Kondur
b1f348e71d
* fix(go): set persistent keep alive when registering host using sso; * fix(go): run posture check violations on delete; * fix(go): upsert node on approving pending host; * fix(go): resolve concurrency issues during group delete cleanup; * fix(go): update doc links; * fix(go): add created and updated fields to host; * fix(go): skip delete and update superadmin on sync users; * fix(go): use conn directly for now; * fix(go): remove acl for idp groups; * fix(go): quote fields; * fix(go): use filters with count; * feat(go): add a search query; * fix(go): cleanup acls; * fix(go): review fixes; * fix(go): remove additional loop; * fix(go): fix * v1.5.1: separate out idp sync and reset signals for HA * v1.5.1: add grps with name for logging * v1.5.1: clear posture check violations when all checks are deleted * v1.5.1: set static when default host * v1.5.1: fix db status check * rm set max conns * v1.5.1: reset auto assigned gw when disconnected * fix(go): skip global network admin and user groups when splitting; * v1.5.1: fix update node call from client * fix(go): separate out migration from normal usage; * fix(go): skip default groups; * fix(go): create policies for existing groups on network create; * fix(go): skip fatal log on clickhouse conn; * fix(go): add posture check cleanup; * NM-288: populate relevant name for acl types for UI * NM-288: populate grp names for posture check apis * NM-228: add network grps api * NM-288: add network users api * now check each group's NetworkRoles for either the specific network ID or schema.AllNetworks (all_networks) * NM-288: check and unassign auto gw when node is disconnected from cli * NM-288: optimise network users api call * NM-288: block auto assign when set to use inet gw --------- Co-authored-by: VishalDalwadi <dalwadivishal26@gmail.com> Co-authored-by: Vishal Dalwadi <51291657+VishalDalwadi@users.noreply.github.com>
465 lines
13 KiB
Go
465 lines
13 KiB
Go
package controller
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/gorilla/mux"
|
|
"github.com/gravitl/netmaker/db"
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/logic"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/mq"
|
|
"github.com/gravitl/netmaker/schema"
|
|
)
|
|
|
|
func aclHandlers(r *mux.Router) {
|
|
r.HandleFunc("/api/v1/acls", logic.SecurityCheck(true, http.HandlerFunc(getAcls))).
|
|
Methods(http.MethodGet)
|
|
r.HandleFunc("/api/v1/acls/egress", logic.SecurityCheck(true, http.HandlerFunc(getEgressAcls))).
|
|
Methods(http.MethodGet)
|
|
r.HandleFunc("/api/v1/acls/policy_types", logic.SecurityCheck(true, http.HandlerFunc(aclPolicyTypes))).
|
|
Methods(http.MethodGet)
|
|
r.HandleFunc("/api/v1/acls", logic.SecurityCheck(true, http.HandlerFunc(createAcl))).
|
|
Methods(http.MethodPost)
|
|
r.HandleFunc("/api/v1/acls", logic.SecurityCheck(true, http.HandlerFunc(updateAcl))).
|
|
Methods(http.MethodPut)
|
|
r.HandleFunc("/api/v1/acls", logic.SecurityCheck(true, http.HandlerFunc(deleteAcl))).
|
|
Methods(http.MethodDelete)
|
|
r.HandleFunc("/api/v1/acls/debug", logic.SecurityCheck(true, http.HandlerFunc(aclDebug))).
|
|
Methods(http.MethodGet)
|
|
}
|
|
|
|
// @Summary List Acl Policy types
|
|
// @Router /api/v1/acls/policy_types [get]
|
|
// @Tags ACL
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Success 200 {object} models.AclPolicyTypes
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func aclPolicyTypes(w http.ResponseWriter, r *http.Request) {
|
|
resp := models.AclPolicyTypes{
|
|
RuleTypes: []models.AclPolicyType{
|
|
models.DevicePolicy,
|
|
models.UserPolicy,
|
|
},
|
|
SrcGroupTypes: []models.AclGroupType{
|
|
models.UserAclID,
|
|
models.UserGroupAclID,
|
|
models.NodeTagID,
|
|
models.NodeID,
|
|
},
|
|
DstGroupTypes: []models.AclGroupType{
|
|
models.NodeTagID,
|
|
models.NodeID,
|
|
models.EgressID,
|
|
// models.NetmakerIPAclID,
|
|
// models.NetmakerSubNetRangeAClID,
|
|
},
|
|
ProtocolTypes: []models.ProtocolType{
|
|
{
|
|
Name: models.Any,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.ALL,
|
|
},
|
|
PortRange: "All ports",
|
|
AllowPortSetting: false,
|
|
},
|
|
{
|
|
Name: models.Http,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.TCP,
|
|
},
|
|
PortRange: "80",
|
|
},
|
|
{
|
|
Name: models.Https,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.TCP,
|
|
},
|
|
PortRange: "443",
|
|
},
|
|
// {
|
|
// Name: "MySQL",
|
|
// AllowedProtocols: []models.Protocol{
|
|
// models.TCP,
|
|
// },
|
|
// PortRange: "3306",
|
|
// },
|
|
// {
|
|
// Name: "DNS TCP",
|
|
// AllowedProtocols: []models.Protocol{
|
|
// models.TCP,
|
|
// },
|
|
// PortRange: "53",
|
|
// },
|
|
// {
|
|
// Name: "DNS UDP",
|
|
// AllowedProtocols: []models.Protocol{
|
|
// models.UDP,
|
|
// },
|
|
// PortRange: "53",
|
|
// },
|
|
{
|
|
Name: models.AllTCP,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.TCP,
|
|
},
|
|
PortRange: "All ports",
|
|
},
|
|
{
|
|
Name: models.AllUDP,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.UDP,
|
|
},
|
|
PortRange: "All ports",
|
|
},
|
|
{
|
|
Name: models.ICMPService,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.ICMP,
|
|
},
|
|
PortRange: "",
|
|
},
|
|
{
|
|
Name: models.SSH,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.TCP,
|
|
},
|
|
PortRange: "22",
|
|
},
|
|
{
|
|
Name: models.Custom,
|
|
AllowedProtocols: []models.Protocol{
|
|
models.UDP,
|
|
models.TCP,
|
|
},
|
|
PortRange: "All ports",
|
|
AllowPortSetting: true,
|
|
},
|
|
},
|
|
}
|
|
logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched acls types")
|
|
}
|
|
|
|
func aclDebug(w http.ResponseWriter, r *http.Request) {
|
|
nodeID, _ := url.QueryUnescape(r.URL.Query().Get("node"))
|
|
peerID, _ := url.QueryUnescape(r.URL.Query().Get("peer"))
|
|
peerIsStatic, _ := url.QueryUnescape(r.URL.Query().Get("peer_is_static"))
|
|
node, err := logic.GetNodeByID(nodeID)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
var peer models.Node
|
|
if peerIsStatic == "true" {
|
|
extclient, err := logic.GetExtClient(peerID, node.Network)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
peer = extclient.ConvertToStaticNode()
|
|
|
|
} else {
|
|
peer, err = logic.GetNodeByID(peerID)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
}
|
|
type resp struct {
|
|
IsNodeAllowed bool
|
|
IsPeerAllowed bool
|
|
Policies []models.Acl
|
|
IngressRules []models.FwRule
|
|
NodeAllPolicy bool
|
|
EgressNets map[string]models.Node
|
|
}
|
|
|
|
allowed, ps := logic.IsNodeAllowedToCommunicate(node, peer, true)
|
|
isallowed := logic.IsPeerAllowed(node, peer, true)
|
|
re := resp{
|
|
IsNodeAllowed: allowed,
|
|
IsPeerAllowed: isallowed,
|
|
Policies: ps,
|
|
}
|
|
if peerIsStatic == "true" {
|
|
ingress, err := logic.GetNodeByID(peer.StaticNode.IngressGatewayID)
|
|
if err == nil {
|
|
re.IngressRules = logic.GetFwRulesOnIngressGateway(ingress)
|
|
}
|
|
}
|
|
logic.ReturnSuccessResponseWithJson(w, r, re, "fetched all acls in the network ")
|
|
}
|
|
|
|
// @Summary List Acls in a network
|
|
// @Router /api/v1/acls [get]
|
|
// @Tags ACL
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param network query string true "Network ID"
|
|
// @Success 200 {array} models.Acl
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func getAcls(w http.ResponseWriter, r *http.Request) {
|
|
netID := r.URL.Query().Get("network")
|
|
if netID == "" {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network id param is missing"), "badrequest"))
|
|
return
|
|
}
|
|
// check if network exists
|
|
err := (&schema.Network{Name: netID}).Get(r.Context())
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
acls, err := logic.ListAclsByNetwork(schema.NetworkID(netID))
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"), "failed to get all network acl entries: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
logic.SortAclEntrys(acls[:])
|
|
logic.PopulateAclPolicyTagNames(acls)
|
|
logic.ReturnSuccessResponseWithJson(w, r, acls, "fetched all acls in the network "+netID)
|
|
}
|
|
|
|
// @Summary List Egress Acls
|
|
// @Router /api/v1/acls/egress [get]
|
|
// @Tags ACL
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param egress_id query string true "Egress ID"
|
|
// @Success 200 {array} models.Acl
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func getEgressAcls(w http.ResponseWriter, r *http.Request) {
|
|
eID := r.URL.Query().Get("egress_id")
|
|
if eID == "" {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("egress id param is missing"), "badrequest"))
|
|
return
|
|
}
|
|
e := schema.Egress{ID: eID}
|
|
// check if network exists
|
|
err := e.Get(db.WithContext(r.Context()))
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
acls, err := logic.ListEgressAcls(eID)
|
|
if err != nil {
|
|
logger.Log(0, r.Header.Get("user"), "failed to get all network acl entries: ", err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
logic.SortAclEntrys(acls[:])
|
|
logic.PopulateAclPolicyTagNames(acls)
|
|
logic.ReturnSuccessResponseWithJson(w, r, acls, "fetched acls for egress"+e.Name)
|
|
}
|
|
|
|
// @Summary Create Acl
|
|
// @Router /api/v1/acls [post]
|
|
// @Tags ACL
|
|
// @Security oauth
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param body body models.Acl true "ACL policy details"
|
|
// @Success 200 {object} models.Acl
|
|
// @Failure 400 {object} models.ErrorResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func createAcl(w http.ResponseWriter, r *http.Request) {
|
|
var req models.Acl
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
logger.Log(0, "error decoding request body: ",
|
|
err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
user := &schema.User{Username: r.Header.Get("user")}
|
|
err = user.Get(r.Context())
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
err = logic.ValidateCreateAclReq(req)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
|
|
acl := req
|
|
acl.ID = uuid.New().String()
|
|
acl.CreatedBy = user.Username
|
|
acl.CreatedAt = time.Now().UTC()
|
|
acl.Default = false
|
|
if acl.ServiceType == models.Any {
|
|
acl.Port = []string{}
|
|
acl.Proto = models.ALL
|
|
}
|
|
// validate create acl policy
|
|
if err := logic.IsAclPolicyValid(acl); err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
err = logic.InsertAcl(acl)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
acl, err = logic.GetAcl(acl.ID)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
return
|
|
}
|
|
logic.LogEvent(&models.Event{
|
|
Action: schema.Create,
|
|
Source: models.Subject{
|
|
ID: r.Header.Get("user"),
|
|
Name: r.Header.Get("user"),
|
|
Type: schema.UserSub,
|
|
},
|
|
TriggeredBy: r.Header.Get("user"),
|
|
Target: models.Subject{
|
|
ID: acl.ID,
|
|
Name: acl.Name,
|
|
Type: schema.AclSub,
|
|
},
|
|
NetworkID: acl.NetworkID,
|
|
Origin: schema.Dashboard,
|
|
})
|
|
go mq.PublishPeerUpdate(true)
|
|
acls := []models.Acl{acl}
|
|
logic.PopulateAclPolicyTagNames(acls)
|
|
logic.ReturnSuccessResponseWithJson(w, r, acls[0], "created acl successfully")
|
|
}
|
|
|
|
// @Summary Update Acl
|
|
// @Router /api/v1/acls [put]
|
|
// @Tags ACL
|
|
// @Security oauth
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param body body models.UpdateAclRequest true "ACL update details"
|
|
// @Success 200 {object} models.SuccessResponse
|
|
// @Failure 400 {object} models.ErrorResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func updateAcl(w http.ResponseWriter, r *http.Request) {
|
|
var updateAcl models.UpdateAclRequest
|
|
err := json.NewDecoder(r.Body).Decode(&updateAcl)
|
|
if err != nil {
|
|
logger.Log(0, "error decoding request body: ",
|
|
err.Error())
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
|
|
acl, err := logic.GetAcl(updateAcl.ID)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
if err := logic.IsAclPolicyValid(updateAcl.Acl); err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
if updateAcl.Acl.NetworkID != acl.NetworkID {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid policy, network id mismatch"), "badrequest"))
|
|
return
|
|
}
|
|
if !acl.Default && updateAcl.NewName != "" {
|
|
//check if policy exists with same name
|
|
updateAcl.Acl.Name = updateAcl.NewName
|
|
}
|
|
err = logic.UpdateAcl(updateAcl.Acl, acl)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
logic.LogEvent(&models.Event{
|
|
Action: schema.Update,
|
|
Source: models.Subject{
|
|
ID: r.Header.Get("user"),
|
|
Name: r.Header.Get("user"),
|
|
Type: schema.UserSub,
|
|
},
|
|
TriggeredBy: r.Header.Get("user"),
|
|
Target: models.Subject{
|
|
ID: acl.ID,
|
|
Name: acl.Name,
|
|
Type: schema.AclSub,
|
|
},
|
|
Diff: models.Diff{
|
|
Old: acl,
|
|
New: updateAcl.Acl,
|
|
},
|
|
NetworkID: acl.NetworkID,
|
|
Origin: schema.Dashboard,
|
|
})
|
|
go mq.PublishPeerUpdate(true)
|
|
updatedAcl, err := logic.GetAcl(acl.ID)
|
|
if err != nil {
|
|
logic.ReturnSuccessResponse(w, r, "updated acl "+acl.Name)
|
|
return
|
|
}
|
|
acls := []models.Acl{updatedAcl}
|
|
logic.PopulateAclPolicyTagNames(acls)
|
|
logic.ReturnSuccessResponseWithJson(w, r, acls[0], "updated acl "+acl.Name)
|
|
}
|
|
|
|
// @Summary Delete Acl
|
|
// @Router /api/v1/acls [delete]
|
|
// @Tags ACL
|
|
// @Security oauth
|
|
// @Produce json
|
|
// @Param acl_id query string true "ACL ID"
|
|
// @Success 200 {object} models.SuccessResponse
|
|
// @Failure 400 {object} models.ErrorResponse
|
|
// @Failure 500 {object} models.ErrorResponse
|
|
func deleteAcl(w http.ResponseWriter, r *http.Request) {
|
|
aclID, _ := url.QueryUnescape(r.URL.Query().Get("acl_id"))
|
|
if aclID == "" {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("acl id is required"), "badrequest"))
|
|
return
|
|
}
|
|
acl, err := logic.GetAcl(aclID)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
|
return
|
|
}
|
|
if acl.Default {
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot delete default policy"), "badrequest"))
|
|
return
|
|
}
|
|
err = logic.DeleteAcl(acl)
|
|
if err != nil {
|
|
logic.ReturnErrorResponse(w, r,
|
|
logic.FormatError(errors.New("cannot delete default policy"), "internal"))
|
|
return
|
|
}
|
|
logic.LogEvent(&models.Event{
|
|
Action: schema.Delete,
|
|
Source: models.Subject{
|
|
ID: r.Header.Get("user"),
|
|
Name: r.Header.Get("user"),
|
|
Type: schema.UserSub,
|
|
},
|
|
TriggeredBy: r.Header.Get("user"),
|
|
Target: models.Subject{
|
|
ID: acl.ID,
|
|
Name: acl.Name,
|
|
Type: schema.AclSub,
|
|
},
|
|
NetworkID: acl.NetworkID,
|
|
Origin: schema.Dashboard,
|
|
Diff: models.Diff{
|
|
Old: acl,
|
|
New: nil,
|
|
},
|
|
})
|
|
go mq.PublishPeerUpdate(true)
|
|
logic.ReturnSuccessResponse(w, r, "deleted acl "+acl.Name)
|
|
}
|