fix(NET-897): uniform client and node acls

gravitl · Jan 26, 2024 · 71bc24b · 71bc24b
1 parent 020c1b4
commit 71bc24b
Show file tree

Hide file tree

Showing 2 changed files with 266 additions and 2 deletions.
diff --git a/controllers/ext_client.go b/controllers/ext_client.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"reflect"
 	"strconv"
 
 	"github.com/gorilla/mux"
@@ -486,7 +487,7 @@ func updateExtClient(w http.ResponseWriter, r *http.Request) {
 	}
 	var changedID = update.ClientID != oldExtClient.ClientID
 
-	if len(update.DeniedACLs) != len(oldExtClient.DeniedACLs) {
+	if !reflect.DeepEqual(update.DeniedACLs, oldExtClient.DeniedACLs) {
 		sendPeerUpdate = true
 		logic.SetClientACLs(&oldExtClient, update.DeniedACLs)
 	}

diff --git a/controllers/network.go b/controllers/network.go
@@ -17,6 +17,7 @@ import (
 	"github.com/gravitl/netmaker/logic/acls"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/mq"
+	"github.com/gravitl/netmaker/servercfg"
 )
 
 func networkHandlers(r *mux.Router) {
@@ -27,7 +28,9 @@ func networkHandlers(r *mux.Router) {
 	r.HandleFunc("/api/networks/{networkname}", logic.SecurityCheck(true, http.HandlerFunc(updateNetwork))).Methods(http.MethodPut)
 	// ACLs
 	r.HandleFunc("/api/networks/{networkname}/acls", logic.SecurityCheck(true, http.HandlerFunc(updateNetworkACL))).Methods(http.MethodPut)
+	r.HandleFunc("/api/networks/{networkname}/acls/v2", logic.SecurityCheck(true, http.HandlerFunc(updateNetworkACLv2))).Methods(http.MethodPut)
 	r.HandleFunc("/api/networks/{networkname}/acls", logic.SecurityCheck(true, http.HandlerFunc(getNetworkACL))).Methods(http.MethodGet)
+	r.HandleFunc("/api/networks/{networkname}/acls/v2", logic.SecurityCheck(true, http.HandlerFunc(getNetworkACLv2))).Methods(http.MethodGet)
 }
 
 // swagger:route GET /api/networks networks getNetworks
@@ -129,14 +132,165 @@ func updateNetworkACL(w http.ResponseWriter, r *http.Request) {
 	// send peer updates
 	go func() {
 		if err = mq.PublishPeerUpdate(false); err != nil {
-			logger.Log(0, "failed to publish peer update after ACL update on", netname)
+			logger.Log(0, "failed to publish peer update after ACL update on network:", netname)
 		}
 	}()
 
 	w.WriteHeader(http.StatusOK)
 	json.NewEncoder(w).Encode(newNetACL)
 }
 
+// swagger:route PUT /api/networks/{networkname}/acls/v2 networks updateNetworkACL
+//
+// Update a network ACL (Access Control List).
+//
+//			Schemes: https
+//
+//			Security:
+//	  		oauth
+//
+//			Responses:
+//				200: aclContainerResponse
+func updateNetworkACLv2(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	var params = mux.Vars(r)
+	netname := params["networkname"]
+	var networkACLChange acls.ACLContainer
+	networkACLChange, err := networkACLChange.Get(acls.ContainerID(netname))
+	if err != nil {
+		logger.Log(0, r.Header.Get("user"),
+			fmt.Sprintf("failed to fetch ACLs for network [%s]: %v", netname, err))
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	err = json.NewDecoder(r.Body).Decode(&networkACLChange)
+	if err != nil {
+		logger.Log(0, r.Header.Get("user"), "error decoding request body: ",
+			err.Error())
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
+	}
+
+	// clone req body to use as return data successful update
+	retData := make(acls.ACLContainer)
+	data, err := json.Marshal(networkACLChange)
+	if err != nil {
+		slog.Error("failed to marshal networkACLChange whiles cloning", "error", err.Error())
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	err = json.Unmarshal(data, &retData)
+	if err != nil {
+		slog.Error("failed to unmarshal networkACLChange whiles cloning", "error", err.Error())
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+
+	networkNodes, err := logic.GetNetworkNodes(netname)
+	if err != nil {
+		slog.Error("failed to fetch network nodes", "error", err.Error())
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	networkNodesIdMap := make(map[string]struct{})
+	for _, node := range networkNodes {
+		networkNodesIdMap[node.ID.String()] = struct{}{}
+	}
+	networkClients, err := logic.GetNetworkExtClients(netname)
+	if err != nil {
+		slog.Error("failed to fetch network clients", "error", err.Error())
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	networkClientsMap := make(map[string]models.ExtClient)
+	for _, client := range networkClients {
+		networkClientsMap[client.ClientID] = client
+	}
+
+	// update client acls and then, remove client acls from req data to pass to existing functions
+	for id, acl := range networkACLChange {
+		// for node acls
+		if _, ok := networkNodesIdMap[string(id)]; ok {
+			nodeId := string(id)
+			// check acl update, then remove client entries
+			for id2 := range acl {
+				if _, ok := networkNodesIdMap[string(id2)]; !ok {
+					// update client acl
+					clientId := string(id2)
+					if client, ok := networkClientsMap[clientId]; ok {
+						if client.DeniedACLs == nil {
+							client.DeniedACLs = make(map[string]struct{})
+						}
+						if acl[acls.AclID(clientId)] == acls.NotAllowed {
+							client.DeniedACLs[nodeId] = struct{}{}
+						} else {
+							delete(client.DeniedACLs, string(nodeId))
+						}
+					}
+					delete(networkACLChange[acls.AclID(nodeId)], acls.AclID(clientId))
+				}
+			}
+		} else {
+			// for client acls
+			clientId := string(id)
+			for id2 := range acl {
+				if _, ok := networkNodesIdMap[string(id2)]; !ok {
+					// update client acl
+					clientId2 := string(id2)
+					if client, ok := networkClientsMap[clientId]; ok {
+						if client.DeniedACLs == nil {
+							client.DeniedACLs = make(map[string]struct{})
+						}
+						if acl[acls.AclID(clientId2)] == acls.NotAllowed {
+							client.DeniedACLs[clientId2] = struct{}{}
+						} else {
+							delete(client.DeniedACLs, clientId2)
+						}
+					}
+				}
+			}
+			delete(networkACLChange, acls.AclID(clientId))
+		}
+	}
+
+	// update each client in db for pro servers
+	if servercfg.IsPro {
+		for _, client := range networkClientsMap {
+			err := logic.DeleteExtClient(client.Network, client.ClientID)
+			if err != nil {
+				slog.Error("failed to delete client during update", "client", client.ClientID, "error", err.Error())
+				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+				return
+			}
+			err = logic.SaveExtClient(&client)
+			if err != nil {
+				slog.Error("failed to save client during update", "client", client.ClientID, "error", err.Error())
+				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+				return
+			}
+		}
+	}
+
+	_, err = networkACLChange.Save(acls.ContainerID(netname))
+	if err != nil {
+		logger.Log(0, r.Header.Get("user"),
+			fmt.Sprintf("failed to update ACLs for network [%s]: %v", netname, err))
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
+	}
+	logger.Log(1, r.Header.Get("user"), "updated ACLs for network", netname)
+
+	// send peer updates
+	go func() {
+		if err = mq.PublishPeerUpdate(false); err != nil {
+			logger.Log(0, "failed to publish peer update after ACL update on network:", netname)
+		}
+	}()
+
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(retData)
+}
+
 // swagger:route GET /api/networks/{networkname}/acls networks getNetworkACL
 //
 // Get a network ACL (Access Control List).
@@ -171,6 +325,115 @@ func getNetworkACL(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(networkACL)
 }
 
+// swagger:route GET /api/networks/{networkname}/acls/v2 networks getNetworkACL
+//
+// Get a network ACL (Access Control List).
+//
+//			Schemes: https
+//
+//			Security:
+//	  		oauth
+//
+//			Responses:
+//				200: aclContainerResponse
+func getNetworkACLv2(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	var params = mux.Vars(r)
+	netname := params["networkname"]
+	var networkACL acls.ACLContainer
+	networkACL, err := networkACL.Get(acls.ContainerID(netname))
+	if err != nil {
+		if database.IsEmptyRecord(err) {
+			networkACL = acls.ACLContainer{}
+			w.WriteHeader(http.StatusOK)
+			json.NewEncoder(w).Encode(networkACL)
+			return
+		}
+		logger.Log(0, r.Header.Get("user"),
+			fmt.Sprintf("failed to fetch ACLs for network [%s]: %v", netname, err))
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	// TODO: add caching for this expensive operation
+	// TODO: optimise O(n^2) operation
+	clients, err := logic.GetNetworkExtClients(netname)
+	if err != nil {
+		logger.Log(0, r.Header.Get("user"),
+			fmt.Sprintf("failed to fetch clients for network [%s]: %v", netname, err))
+		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to get client acls: %w", err), "internal"))
+		return
+	}
+	nodeIdsMap := make(map[string]struct{})
+	for nodeId := range networkACL {
+		nodeIdsMap[string(nodeId)] = struct{}{}
+	}
+	/*
+		initially, networkACL has only node acls to we add client acls to it
+		final shape:
+		{
+			"node1": {
+				"node2": 2,
+				"client1": 2,
+				"client2": 1,
+			},
+			"node2": {
+				"node1": 2,
+				"client1": 2,
+				"client2": 1,
+			},
+			"client1": {
+				"node1": 2,
+				"node2": 2,
+				"client2": 1,
+			},
+			"client2": {
+				"node1": 1,
+				"node2": 1,
+				"client1": 1,
+			},
+		}
+	*/
+	for _, client := range clients {
+		networkACL[acls.AclID(client.ClientID)] = acls.ACL{}
+		// add client values to node acls and create client acls with node values
+		for id, nodeAcl := range networkACL {
+			// skip if not a node
+			if _, ok := nodeIdsMap[string(id)]; !ok {
+				continue
+			}
+			if nodeAcl == nil {
+				slog.Warn("bad data: nil node acl", "node", id, "network", netname)
+				continue
+			}
+			nodeAcl[acls.AclID(client.ClientID)] = acls.Allowed
+			networkACL[acls.AclID(client.ClientID)][id] = acls.Allowed
+			if client.DeniedACLs == nil {
+				continue
+			} else if _, ok := client.DeniedACLs[string(id)]; ok {
+				nodeAcl[acls.AclID(client.ClientID)] = acls.NotAllowed
+				networkACL[acls.AclID(client.ClientID)][id] = acls.NotAllowed
+			}
+		}
+		// add clients to client acls response
+		for _, c := range clients {
+			if c.ClientID == client.ClientID {
+				continue
+			}
+			networkACL[acls.AclID(client.ClientID)][acls.AclID(c.ClientID)] = acls.Allowed
+			if client.DeniedACLs == nil {
+				continue
+			} else if _, ok := client.DeniedACLs[c.ClientID]; ok {
+				networkACL[acls.AclID(client.ClientID)][acls.AclID(c.ClientID)] = acls.NotAllowed
+			}
+		}
+		// delete oneself from its own acl
+		delete(networkACL[acls.AclID(client.ClientID)], acls.AclID(client.ClientID))
+	}
+	logger.Log(2, r.Header.Get("user"), "fetched acl for network", netname)
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(networkACL)
+}
+
 // swagger:route DELETE /api/networks/{networkname} networks deleteNetwork
 //
 // Delete a network.  Will not delete if there are any nodes that belong to the network.