NM-103: User Acls fixes (#3638)

* fix all rsrcs comms

* fix static checks

* fix egress acls on CE

* check for all resources access on a node

* simplify egress acl rules

* merged ce and pro acl rule func

* fix uni direction acl rule for static nodes

* allow relayed nodes traffic

* remove anywhere dst rule on user node acls

* fix: broadcast  user groups update for acl changes

* add egress ranges to DST

* add all egress ranges for all resources

Author: abhishek9686

logic/acls.go

@@ -417,6 +417,33 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 			Dst:             []net.IPNet{targetnode.AddressIPNet4()},
 			Dst6:            []net.IPNet{targetnode.AddressIPNet6()},
 		}
+		e := schema.Egress{Network: targetnode.Network}
+		egressRanges4 := []net.IPNet{}
+		egressRanges6 := []net.IPNet{}
+		eli, _ := e.ListByNetwork(db.WithContext(context.Background()))
+		for _, eI := range eli {
+			if !eI.Status || len(eI.Nodes) == 0 {
+				continue
+			}
+			if _, ok := eI.Nodes[targetnode.ID.String()]; ok {
+				if eI.Range != "" {
+					_, cidr, err := net.ParseCIDR(eI.Range)
+					if err == nil {
+						if cidr.IP.To4() != nil {
+							egressRanges4 = append(egressRanges4, *cidr)
+						} else {
+							egressRanges6 = append(egressRanges6, *cidr)
+						}
+					}
+				}
+			}
+		}
+		if len(egressRanges4) > 0 {
+			aclRule.Dst = append(aclRule.Dst, egressRanges4...)
+		}
+		if len(egressRanges6) > 0 {
+			aclRule.Dst6 = append(aclRule.Dst6, egressRanges6...)
+		}
 		rules[aclRule.ID] = aclRule
 		return
 	}
@@ -446,16 +473,51 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 		}
 		srcTags := ConvAclTagToValueMap(acl.Src)
 		dstTags := ConvAclTagToValueMap(acl.Dst)
+		egressRanges4 := []net.IPNet{}
+		egressRanges6 := []net.IPNet{}
 		for _, dst := range acl.Dst {
+			if dst.Value == "*" {
+				e := schema.Egress{Network: targetnode.Network}
+				eli, _ := e.ListByNetwork(db.WithContext(context.Background()))
+				for _, eI := range eli {
+					if !eI.Status || len(eI.Nodes) == 0 {
+						continue
+					}
+					if _, ok := eI.Nodes[targetnode.ID.String()]; ok {
+						if eI.Range != "" {
+							_, cidr, err := net.ParseCIDR(eI.Range)
+							if err == nil {
+								if cidr.IP.To4() != nil {
+									egressRanges4 = append(egressRanges4, *cidr)
+								} else {
+									egressRanges6 = append(egressRanges6, *cidr)
+								}
+							}
+						}
+					}
+				}
+				break
+			}
 			if dst.ID == models.EgressID {
 				e := schema.Egress{ID: dst.Value}
 				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil && e.Status {
-					for nodeID := range e.Nodes {
-						dstTags[nodeID] = struct{}{}
+				if err == nil && e.Status && len(e.Nodes) > 0 {
+					if _, ok := e.Nodes[targetnode.ID.String()]; ok {
+						if e.Range != "" {
+							_, cidr, err := net.ParseCIDR(e.Range)
+							if err == nil {
+								if cidr.IP.To4() != nil {
+									egressRanges4 = append(egressRanges4, *cidr)
+								} else {
+									egressRanges6 = append(egressRanges6, *cidr)
+								}
+							}
+						}
 					}
+
 				}
 			}
+
 		}
 		_, srcAll := srcTags["*"]
 		_, dstAll := dstTags["*"]
@@ -468,6 +530,12 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 			Dst:             []net.IPNet{targetnode.AddressIPNet4()},
 			Dst6:            []net.IPNet{targetnode.AddressIPNet6()},
 		}
+		if len(egressRanges4) > 0 {
+			aclRule.Dst = append(aclRule.Dst, egressRanges4...)
+		}
+		if len(egressRanges6) > 0 {
+			aclRule.Dst6 = append(aclRule.Dst6, egressRanges6...)
+		}
 		for nodeTag := range targetNodeTags {
 			if acl.AllowedDirection == models.TrafficDirectionBi {
 				var existsInSrcTag bool

logic/extpeers.go

@@ -705,22 +705,6 @@ func GetExtclientAllowedIPs(client models.ExtClient) (allowedIPs []string) {
 	return
 }
 
-func GetStaticUserNodesByNetwork(network models.NetworkID) (staticNode []models.Node) {
-	extClients, err := GetAllExtClients()
-	if err != nil {
-		return
-	}
-	for _, extI := range extClients {
-		if extI.Network == network.String() {
-			if extI.RemoteAccessClientID != "" {
-				n := extI.ConvertToStaticNode()
-				staticNode = append(staticNode, n)
-			}
-		}
-	}
-	return
-}
-
 func GetStaticNodesByNetwork(network models.NetworkID, onlyWg bool) (staticNode []models.Node) {
 	extClients, err := GetAllExtClients()
 	if err != nil {

pro/controllers/users.go

@@ -566,7 +566,7 @@ func updateUserGroup(w http.ResponseWriter, r *http.Request) {
 		},
 		Origin: models.Dashboard,
 	})
-
+	replacePeers := false
 	go func() {
 		networksAdded := make([]models.NetworkID, 0)
 		networksRemoved := make([]models.NetworkID, 0)
@@ -617,6 +617,7 @@ func updateUserGroup(w http.ResponseWriter, r *http.Request) {
 				CreatedAt:        time.Now().UTC(),
 			}
 			_ = logic.InsertAcl(acl)
+			replacePeers = true
 		}
 
 		// since this group doesn't have a role for this network,
@@ -648,13 +649,15 @@ func updateUserGroup(w http.ResponseWriter, r *http.Request) {
 						acl.Src = newAclSrc
 						_ = logic.UpsertAcl(acl)
 					}
+					replacePeers = true
 				}
 			}
 		}
 	}()
 
 	// reset configs for service user
 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userGroup.ID, currUserG.NetworkRoles, userGroup.NetworkRoles)
+	go mq.PublishPeerUpdate(replacePeers)
 	logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group")
 }
 
@@ -826,7 +829,7 @@ func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
 		},
 		Origin: models.Dashboard,
 	})
-
+	replacePeers := false
 	go func() {
 		for networkID := range userG.NetworkRoles {
 			acls, err := logic.ListAclsByNetwork(networkID)
@@ -854,13 +857,14 @@ func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
 						acl.Src = newAclSrc
 						_ = logic.UpsertAcl(acl)
 					}
+					replacePeers = true
 				}
 			}
 		}
 	}()
 
 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userG.ID, userG.NetworkRoles, make(map[models.NetworkID]map[models.UserRoleID]struct{}))
-	go mq.PublishPeerUpdate(false)
+	go mq.PublishPeerUpdate(replacePeers)
 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group")
 }
 

pro/logic/acls.go

@@ -12,9 +12,25 @@ import (
 	"github.com/gravitl/netmaker/schema"
 )
 
+func getStaticUserNodesByNetwork(network models.NetworkID) (staticNode []models.Node) {
+	extClients, err := logic.GetAllExtClients()
+	if err != nil {
+		return
+	}
+	for _, extI := range extClients {
+		if extI.Network == network.String() {
+			if extI.RemoteAccessClientID != "" {
+				n := extI.ConvertToStaticNode()
+				staticNode = append(staticNode, n)
+			}
+		}
+	}
+	return
+}
+
 func GetFwRulesForUserNodesOnGw(node models.Node, nodes []models.Node) (rules []models.FwRule) {
 	defaultUserPolicy, _ := logic.GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
-	userNodes := logic.GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
+	userNodes := getStaticUserNodesByNetwork(models.NetworkID(node.Network))
 	for _, userNodeI := range userNodes {
 		if defaultUserPolicy.Enabled {
 			if userNodeI.StaticNode.Address != "" {
@@ -767,7 +783,7 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
 
 func GetEgressUserRulesForNode(targetnode *models.Node,
 	rules map[string]models.AclRule) map[string]models.AclRule {
-	userNodes := logic.GetStaticUserNodesByNetwork(models.NetworkID(targetnode.Network))
+	userNodes := getStaticUserNodesByNetwork(models.NetworkID(targetnode.Network))
 	userGrpMap := GetUserGrpMap()
 	allowedUsers := make(map[string][]models.Acl)
 	acls := listUserPolicies(models.NetworkID(targetnode.Network))
@@ -896,7 +912,6 @@ func GetEgressUserRulesForNode(targetnode *models.Node,
 						if err != nil {
 							continue
 						}
-
 						ip, cidr, err := net.ParseCIDR(e.Range)
 						if err == nil {
 							if ip.To4() != nil {
@@ -927,7 +942,7 @@ func GetEgressUserRulesForNode(targetnode *models.Node,
 
 func GetUserAclRulesForNode(targetnode *models.Node,
 	rules map[string]models.AclRule) map[string]models.AclRule {
-	userNodes := logic.GetStaticUserNodesByNetwork(models.NetworkID(targetnode.Network))
+	userNodes := getStaticUserNodesByNetwork(models.NetworkID(targetnode.Network))
 	userGrpMap := GetUserGrpMap()
 	allowedUsers := make(map[string][]models.Acl)
 	acls := listUserPolicies(models.NetworkID(targetnode.Network))
@@ -953,6 +968,17 @@ func GetUserAclRulesForNode(targetnode *models.Node,
 			_, all := dstTags["*"]
 			addUsers := false
 			if !all {
+				for _, dst := range acl.Dst {
+					if dst.ID == models.EgressID {
+						e := schema.Egress{ID: dst.Value}
+						err := e.Get(db.WithContext(context.TODO()))
+						if err == nil && e.Status && len(e.Nodes) > 0 {
+							if _, ok := e.Nodes[targetnode.ID.String()]; ok {
+								dstTags[targetnode.ID.String()] = struct{}{}
+							}
+						}
+					}
+				}
 				for nodeTag := range targetNodeTags {
 					if _, ok := dstTags[nodeTag.String()]; ok {
 						addUsers = true
@@ -1017,13 +1043,68 @@ func GetUserAclRulesForNode(targetnode *models.Node,
 				if !acl.Enabled {
 					continue
 				}
+				egressRanges4 := []net.IPNet{}
+				egressRanges6 := []net.IPNet{}
+
+				for _, dst := range acl.Dst {
+					if dst.Value == "*" {
+						e := schema.Egress{Network: targetnode.Network}
+						eli, _ := e.ListByNetwork(db.WithContext(context.Background()))
+						for _, eI := range eli {
+							if !eI.Status || len(eI.Nodes) == 0 {
+								continue
+							}
+							if _, ok := eI.Nodes[targetnode.ID.String()]; ok {
+								if eI.Range != "" {
+									_, cidr, err := net.ParseCIDR(eI.Range)
+									if err == nil {
+										if cidr.IP.To4() != nil {
+											egressRanges4 = append(egressRanges4, *cidr)
+										} else {
+											egressRanges6 = append(egressRanges6, *cidr)
+										}
+									}
+								}
+							}
+						}
+						break
+					}
+					if dst.ID == models.EgressID {
+						e := schema.Egress{ID: dst.Value}
+						err := e.Get(db.WithContext(context.TODO()))
+						if err == nil && e.Status && len(e.Nodes) > 0 {
+							if _, ok := e.Nodes[targetnode.ID.String()]; ok {
+								if e.Range != "" {
+									_, cidr, err := net.ParseCIDR(e.Range)
+									if err == nil {
+										if cidr.IP.To4() != nil {
+											egressRanges4 = append(egressRanges4, *cidr)
+										} else {
+											egressRanges6 = append(egressRanges6, *cidr)
+										}
+									}
+								}
+							}
+
+						}
+					}
+
+				}
 				r := models.AclRule{
 					ID:              acl.ID,
 					AllowedProtocol: acl.Proto,
 					AllowedPorts:    acl.Port,
 					Direction:       acl.AllowedDirection,
+					Dst:             []net.IPNet{targetnode.AddressIPNet4()},
+					Dst6:            []net.IPNet{targetnode.AddressIPNet6()},
 					Allowed:         true,
 				}
+				if len(egressRanges4) > 0 {
+					r.Dst = append(r.Dst, egressRanges4...)
+				}
+				if len(egressRanges6) > 0 {
+					r.Dst6 = append(r.Dst6, egressRanges6...)
+				}
 				// Get peers in the tags and add allowed rules
 				if userNode.StaticNode.Address != "" {
 					r.IPList = append(r.IPList, userNode.StaticNode.AddressIPNet4())
@@ -1032,14 +1113,26 @@ func GetUserAclRulesForNode(targetnode *models.Node,
 					r.IP6List = append(r.IP6List, userNode.StaticNode.AddressIPNet6())
 				}
 				if aclRule, ok := rules[acl.ID]; ok {
+
 					aclRule.IPList = append(aclRule.IPList, r.IPList...)
 					aclRule.IP6List = append(aclRule.IP6List, r.IP6List...)
+
+					aclRule.Dst = append(aclRule.Dst, r.Dst...)
+					aclRule.Dst6 = append(aclRule.Dst6, r.Dst6...)
+
 					aclRule.IPList = logic.UniqueIPNetList(aclRule.IPList)
 					aclRule.IP6List = logic.UniqueIPNetList(aclRule.IP6List)
+
+					aclRule.Dst = logic.UniqueIPNetList(aclRule.Dst)
+					aclRule.Dst6 = logic.UniqueIPNetList(aclRule.Dst6)
+
 					rules[acl.ID] = aclRule
 				} else {
 					r.IPList = logic.UniqueIPNetList(r.IPList)
 					r.IP6List = logic.UniqueIPNetList(r.IP6List)
+
+					r.Dst = logic.UniqueIPNetList(r.Dst)
+					r.Dst6 = logic.UniqueIPNetList(r.Dst6)
 					rules[acl.ID] = r
 				}
 			}