2024-02-20 09:59:56 +01:00
|
|
|
package server
|
|
|
|
|
|
|
|
import (
|
2024-07-03 11:33:02 +02:00
|
|
|
"context"
|
2024-11-28 11:13:01 +01:00
|
|
|
"errors"
|
2024-11-25 16:26:24 +01:00
|
|
|
"fmt"
|
2024-06-13 13:24:24 +02:00
|
|
|
"slices"
|
|
|
|
|
2024-11-28 11:13:01 +01:00
|
|
|
"github.com/rs/xid"
|
|
|
|
"golang.org/x/exp/maps"
|
|
|
|
|
2024-02-20 09:59:56 +01:00
|
|
|
"github.com/netbirdio/netbird/management/server/activity"
|
|
|
|
"github.com/netbirdio/netbird/management/server/posture"
|
|
|
|
"github.com/netbirdio/netbird/management/server/status"
|
|
|
|
)
|
|
|
|
|
2024-07-03 11:33:02 +02:00
|
|
|
func (am *DefaultAccountManager) GetPostureChecks(ctx context.Context, accountID, postureChecksID, userID string) (*posture.Checks, error) {
|
2024-09-27 16:10:50 +02:00
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2024-02-20 09:59:56 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
return nil, status.NewUserNotPartOfAccountError()
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if !user.HasAdminPower() {
|
|
|
|
return nil, status.NewAdminPermissionError()
|
|
|
|
}
|
|
|
|
|
|
|
|
return am.Store.GetPostureChecksByID(ctx, LockingStrengthShare, accountID, postureChecksID)
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
// SavePostureChecks saves a posture check.
|
|
|
|
func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountID, userID string, postureChecks *posture.Checks) (*posture.Checks, error) {
|
2024-07-31 14:53:32 +02:00
|
|
|
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
2024-02-20 09:59:56 +01:00
|
|
|
defer unlock()
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2024-02-20 09:59:56 +01:00
|
|
|
if err != nil {
|
2024-11-25 16:26:24 +01:00
|
|
|
return nil, err
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
return nil, status.NewUserNotPartOfAccountError()
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if !user.HasAdminPower() {
|
2024-11-25 16:26:24 +01:00
|
|
|
return nil, status.NewAdminPermissionError()
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
var updateAccountPeers bool
|
|
|
|
var isUpdate = postureChecks.ID != ""
|
|
|
|
var action = activity.PostureCheckCreated
|
2024-02-20 09:59:56 +01:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
|
|
|
|
if err = validatePostureChecks(ctx, transaction, accountID, postureChecks); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2024-02-20 09:59:56 +01:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if isUpdate {
|
|
|
|
updateAccountPeers, err = arePostureCheckChangesAffectPeers(ctx, transaction, accountID, postureChecks.ID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2024-02-20 09:59:56 +01:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2024-02-20 09:59:56 +01:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
action = activity.PostureCheckUpdated
|
|
|
|
}
|
|
|
|
|
|
|
|
postureChecks.AccountID = accountID
|
|
|
|
return transaction.SavePostureChecks(ctx, LockingStrengthUpdate, postureChecks)
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-07-03 11:33:02 +02:00
|
|
|
am.StoreEvent(ctx, userID, postureChecks.ID, accountID, action, postureChecks.EventMeta())
|
2024-10-23 12:05:02 +02:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if updateAccountPeers {
|
2024-11-15 18:09:32 +01:00
|
|
|
am.updateAccountPeers(ctx, accountID)
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
return postureChecks, nil
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
// DeletePostureChecks deletes a posture check by ID.
|
2024-07-03 11:33:02 +02:00
|
|
|
func (am *DefaultAccountManager) DeletePostureChecks(ctx context.Context, accountID, postureChecksID, userID string) error {
|
2024-07-31 14:53:32 +02:00
|
|
|
unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
|
2024-02-20 09:59:56 +01:00
|
|
|
defer unlock()
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2024-02-20 09:59:56 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
return status.NewUserNotPartOfAccountError()
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if !user.HasAdminPower() {
|
2024-11-25 16:26:24 +01:00
|
|
|
return status.NewAdminPermissionError()
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
var postureChecks *posture.Checks
|
|
|
|
|
|
|
|
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
|
|
|
|
postureChecks, err = transaction.GetPostureChecksByID(ctx, LockingStrengthShare, accountID, postureChecksID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2024-02-20 09:59:56 +01:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if err = isPostureCheckLinkedToPolicy(ctx, transaction, postureChecksID, accountID); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return transaction.DeletePostureChecks(ctx, LockingStrengthUpdate, accountID, postureChecksID)
|
|
|
|
})
|
|
|
|
if err != nil {
|
2024-02-20 09:59:56 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2024-07-03 11:33:02 +02:00
|
|
|
am.StoreEvent(ctx, userID, postureChecks.ID, accountID, activity.PostureCheckDeleted, postureChecks.EventMeta())
|
2024-02-20 09:59:56 +01:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
// ListPostureChecks returns a list of posture checks.
|
2024-07-03 11:33:02 +02:00
|
|
|
func (am *DefaultAccountManager) ListPostureChecks(ctx context.Context, accountID, userID string) ([]*posture.Checks, error) {
|
2024-09-27 16:10:50 +02:00
|
|
|
user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
|
2024-02-20 09:59:56 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if user.AccountID != accountID {
|
|
|
|
return nil, status.NewUserNotPartOfAccountError()
|
|
|
|
}
|
|
|
|
|
|
|
|
if !user.HasAdminPower() {
|
|
|
|
return nil, status.NewAdminPermissionError()
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-09-27 16:10:50 +02:00
|
|
|
return am.Store.GetAccountPostureChecks(ctx, LockingStrengthShare, accountID)
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
// getPeerPostureChecks returns the posture checks applied for a given peer.
|
2024-11-28 11:13:01 +01:00
|
|
|
func (am *DefaultAccountManager) getPeerPostureChecks(account *Account, peerID string) ([]*posture.Checks, error) {
|
2024-11-25 16:26:24 +01:00
|
|
|
peerPostureChecks := make(map[string]*posture.Checks)
|
|
|
|
|
2024-11-28 11:13:01 +01:00
|
|
|
if len(account.PostureChecks) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
|
2024-11-28 11:13:01 +01:00
|
|
|
for _, policy := range account.Policies {
|
|
|
|
if !policy.Enabled || len(policy.SourcePostureChecks) == 0 {
|
|
|
|
continue
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
|
2024-11-28 11:13:01 +01:00
|
|
|
if err := addPolicyPostureChecks(account, peerID, policy, peerPostureChecks); err != nil {
|
|
|
|
return nil, err
|
2024-11-25 16:26:24 +01:00
|
|
|
}
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
|
|
|
|
return maps.Values(peerPostureChecks), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// arePostureCheckChangesAffectPeers checks if the changes in posture checks are affecting peers.
|
|
|
|
func arePostureCheckChangesAffectPeers(ctx context.Context, transaction Store, accountID, postureCheckID string) (bool, error) {
|
|
|
|
policies, err := transaction.GetAccountPolicies(ctx, LockingStrengthShare, accountID)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, policy := range policies {
|
|
|
|
if slices.Contains(policy.SourcePostureChecks, postureCheckID) {
|
|
|
|
hasPeers, err := anyGroupHasPeers(ctx, transaction, accountID, policy.ruleGroups())
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if hasPeers {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
}
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
|
|
|
|
return false, nil
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
// validatePostureChecks validates the posture checks.
|
|
|
|
func validatePostureChecks(ctx context.Context, transaction Store, accountID string, postureChecks *posture.Checks) error {
|
|
|
|
if err := postureChecks.Validate(); err != nil {
|
|
|
|
return status.Errorf(status.InvalidArgument, err.Error()) //nolint
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the posture check already has an ID, verify its existence in the store.
|
|
|
|
if postureChecks.ID != "" {
|
|
|
|
if _, err := transaction.GetPostureChecksByID(ctx, LockingStrengthShare, accountID, postureChecks.ID); err != nil {
|
|
|
|
return err
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
return nil
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
|
|
|
|
// For new posture checks, ensure no duplicates by name.
|
|
|
|
checks, err := transaction.GetAccountPostureChecks(ctx, LockingStrengthShare, accountID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
for _, check := range checks {
|
|
|
|
if check.Name == postureChecks.Name && check.ID != postureChecks.ID {
|
|
|
|
return status.Errorf(status.InvalidArgument, "posture checks with name %s already exists", postureChecks.Name)
|
|
|
|
}
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
postureChecks.ID = xid.New().String()
|
2024-02-20 09:59:56 +01:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
return nil
|
2024-02-20 09:59:56 +01:00
|
|
|
}
|
2024-06-13 13:24:24 +02:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
// addPolicyPostureChecks adds posture checks from a policy to the peer posture checks map if the peer is in the policy's source groups.
|
2024-11-28 11:13:01 +01:00
|
|
|
func addPolicyPostureChecks(account *Account, peerID string, policy *Policy, peerPostureChecks map[string]*posture.Checks) error {
|
|
|
|
isInGroup, err := isPeerInPolicySourceGroups(account, peerID, policy)
|
2024-11-25 16:26:24 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2024-06-13 13:24:24 +02:00
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if !isInGroup {
|
2024-06-22 16:41:16 +02:00
|
|
|
return nil
|
2024-06-13 13:24:24 +02:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
for _, sourcePostureCheckID := range policy.SourcePostureChecks {
|
2024-11-28 11:13:01 +01:00
|
|
|
postureCheck := account.getPostureChecks(sourcePostureCheckID)
|
|
|
|
if postureCheck == nil {
|
|
|
|
return errors.New("failed to add policy posture checks: posture checks not found")
|
2024-06-13 13:24:24 +02:00
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
peerPostureChecks[sourcePostureCheckID] = postureCheck
|
2024-06-13 13:24:24 +02:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
return nil
|
2024-06-13 13:24:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// isPeerInPolicySourceGroups checks if a peer is present in any of the policy rule source groups.
|
2024-11-28 11:13:01 +01:00
|
|
|
func isPeerInPolicySourceGroups(account *Account, peerID string, policy *Policy) (bool, error) {
|
2024-06-13 13:24:24 +02:00
|
|
|
for _, rule := range policy.Rules {
|
|
|
|
if !rule.Enabled {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, sourceGroup := range rule.Sources {
|
2024-11-28 11:13:01 +01:00
|
|
|
group := account.GetGroup(sourceGroup)
|
|
|
|
if group == nil {
|
|
|
|
return false, fmt.Errorf("failed to check peer in policy source group: group not found")
|
2024-06-13 13:24:24 +02:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
if slices.Contains(group.Peers, peerID) {
|
|
|
|
return true, nil
|
2024-06-13 13:24:24 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2024-10-23 12:05:02 +02:00
|
|
|
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
// isPostureCheckLinkedToPolicy checks whether the posture check is linked to any account policy.
|
|
|
|
func isPostureCheckLinkedToPolicy(ctx context.Context, transaction Store, postureChecksID, accountID string) error {
|
|
|
|
policies, err := transaction.GetAccountPolicies(ctx, LockingStrengthShare, accountID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2024-10-23 12:05:02 +02:00
|
|
|
}
|
|
|
|
|
2024-11-25 16:26:24 +01:00
|
|
|
for _, policy := range policies {
|
|
|
|
if slices.Contains(policy.SourcePostureChecks, postureChecksID) {
|
|
|
|
return status.Errorf(status.PreconditionFailed, "posture checks have been linked to policy: %s", policy.Name)
|
|
|
|
}
|
2024-10-23 12:05:02 +02:00
|
|
|
}
|
2024-11-25 16:26:24 +01:00
|
|
|
|
|
|
|
return nil
|
2024-10-23 12:05:02 +02:00
|
|
|
}
|