netbird/management/server/posture/geo_location.go

package posture

import (
	"fmt"

	nbpeer "github.com/netbirdio/netbird/management/server/peer"
)

type Location struct {
	// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
	CountryCode string

	// CityName Commonly used English name of the city
	CityName string
}

var _ Check = (*GeoLocationCheck)(nil)

type GeoLocationCheck struct {
	// Locations list of geolocations, to which the policy applies
	Locations []Location

	// Action to take upon policy match
	Action string
}

func (g *GeoLocationCheck) Check(peer nbpeer.Peer) (bool, error) {
	// deny if the peer location is not evaluated
	if peer.Location.CountryCode == "" && peer.Location.CityName == "" {
		return false, fmt.Errorf("peer's location is not set")
	}

	for _, loc := range g.Locations {
		if loc.CountryCode == peer.Location.CountryCode {
			if loc.CityName == "" || loc.CityName == peer.Location.CityName {
				switch g.Action {
				case CheckActionDeny:
					return false, nil
				case CheckActionAllow:
					return true, nil
				default:
					return false, fmt.Errorf("invalid geo location action: %s", g.Action)
				}
			}
		}
	}
	// At this point, no location in the list matches the peer's location
	// For action deny and no location match, allow the peer
	if g.Action == CheckActionDeny {
		return true, nil
	}
	// For action allow and no location match, deny the peer
	if g.Action == CheckActionAllow {
		return false, nil
	}

	return false, fmt.Errorf("invalid geo location action: %s", g.Action)
}

func (g *GeoLocationCheck) Name() string {
	return GeoLocationCheckName
}
Add initial support of device posture checks (#1540) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks. 2024-02-20 09:59:56 +01:00			`package posture`

			`import (`
			`"fmt"`

			`nbpeer "github.com/netbirdio/netbird/management/server/peer"`
			`)`

			`type Location struct {`
			`// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country`
			`CountryCode string`

			`// CityName Commonly used English name of the city`
			`CityName string`
			`}`

			`var _ Check = (*GeoLocationCheck)(nil)`

			`type GeoLocationCheck struct {`
			`// Locations list of geolocations, to which the policy applies`
			`Locations []Location`

			`// Action to take upon policy match`
			`Action string`
			`}`

			`func (g *GeoLocationCheck) Check(peer nbpeer.Peer) (bool, error) {`
			`// deny if the peer location is not evaluated`
			`if peer.Location.CountryCode == "" && peer.Location.CityName == "" {`
			`return false, fmt.Errorf("peer's location is not set")`
			`}`

			`for _, loc := range g.Locations {`
			`if loc.CountryCode == peer.Location.CountryCode {`
			`if loc.CityName == "" \|\| loc.CityName == peer.Location.CityName {`
			`switch g.Action {`
Add private network posture check (#1606) * wip: Add PrivateNetworkCheck checks interface implementation * use generic CheckAction constant * Add private network check to posture checks * Fix copy function target in posture checks * Add network check functionality to posture package * regenerate the openapi specs * Update Posture Check actions in test file * Remove unused function * Refactor network address handling in PrivateNetworkCheck * Refactor Prefixes to Ranges in private network checks * Implement private network checks in posture checks handler tests * Add test for check copy * Add gorm serializer for network range 2024-02-22 17:22:43 +01:00			`case CheckActionDeny:`
Add initial support of device posture checks (#1540) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks. 2024-02-20 09:59:56 +01:00			`return false, nil`
Add private network posture check (#1606) * wip: Add PrivateNetworkCheck checks interface implementation * use generic CheckAction constant * Add private network check to posture checks * Fix copy function target in posture checks * Add network check functionality to posture package * regenerate the openapi specs * Update Posture Check actions in test file * Remove unused function * Refactor network address handling in PrivateNetworkCheck * Refactor Prefixes to Ranges in private network checks * Implement private network checks in posture checks handler tests * Add test for check copy * Add gorm serializer for network range 2024-02-22 17:22:43 +01:00			`case CheckActionAllow:`
Add initial support of device posture checks (#1540) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks. 2024-02-20 09:59:56 +01:00			`return true, nil`
			`default:`
			`return false, fmt.Errorf("invalid geo location action: %s", g.Action)`
			`}`
			`}`
			`}`
			`}`
			`// At this point, no location in the list matches the peer's location`
			`// For action deny and no location match, allow the peer`
Add private network posture check (#1606) * wip: Add PrivateNetworkCheck checks interface implementation * use generic CheckAction constant * Add private network check to posture checks * Fix copy function target in posture checks * Add network check functionality to posture package * regenerate the openapi specs * Update Posture Check actions in test file * Remove unused function * Refactor network address handling in PrivateNetworkCheck * Refactor Prefixes to Ranges in private network checks * Implement private network checks in posture checks handler tests * Add test for check copy * Add gorm serializer for network range 2024-02-22 17:22:43 +01:00			`if g.Action == CheckActionDeny {`
Add initial support of device posture checks (#1540) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks. 2024-02-20 09:59:56 +01:00			`return true, nil`
			`}`
			`// For action allow and no location match, deny the peer`
Add private network posture check (#1606) * wip: Add PrivateNetworkCheck checks interface implementation * use generic CheckAction constant * Add private network check to posture checks * Fix copy function target in posture checks * Add network check functionality to posture package * regenerate the openapi specs * Update Posture Check actions in test file * Remove unused function * Refactor network address handling in PrivateNetworkCheck * Refactor Prefixes to Ranges in private network checks * Implement private network checks in posture checks handler tests * Add test for check copy * Add gorm serializer for network range 2024-02-22 17:22:43 +01:00			`if g.Action == CheckActionAllow {`
Add initial support of device posture checks (#1540) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks. 2024-02-20 09:59:56 +01:00			`return false, nil`
			`}`

			`return false, fmt.Errorf("invalid geo location action: %s", g.Action)`
			`}`

			`func (g *GeoLocationCheck) Name() string {`
			`return GeoLocationCheckName`
			`}`