extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2025-08-17 02:21:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Feat rego default policy (#700)

Browse Source 
Converts rules to Rego policies and allow users to write raw policies to set up connectivity and firewall on the clients.
This commit is contained in:
Givi Khojanashvili
2023-03-13 15:14:18 +01:00
committed by GitHub
parent 221934447e
commit 3bfa26b13b
25 changed files with 1740 additions and 890 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
management/server/peer_test.go
View File

@ -1,16 +1,16 @@
package server
import (
"github.com/stretchr/testify/assert"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/rs/xid"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)
func TestPeer_LoginExpired(t *testing.T) {
tt := []struct {
name string
expirationEnabled bool
@ -95,7 +95,6 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
Key: peerKey1.PublicKey().String(),
Meta: PeerSystemMeta{Hostname: "test-peer-1"},
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
@ -124,6 +123,7 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
if len(networkMap.Peers) != 1 {
t.Errorf("expecting Account NetworkMap to have 1 peers, got %v", len(networkMap.Peers))
return
}
if networkMap.Peers[0].Key != peerKey2.PublicKey().String() {
@ -135,7 +135,7 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
}
}
func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
func TestAccountManager_GetNetworkMapWithPolicy(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
@ -166,7 +166,6 @@ func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
Key: peerKey1.PublicKey().String(),
Meta: PeerSystemMeta{Hostname: "test-peer-1"},
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
@ -181,19 +180,18 @@ func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
Key: peerKey2.PublicKey().String(),
Meta: PeerSystemMeta{Hostname: "test-peer-2"},
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
}
rules, err := manager.ListRules(account.Id, userID)
policies, err := manager.ListPolicies(account.Id, userID)
if err != nil {
t.Errorf("expecting to get a list of rules, got failure %v", err)
return
}
err = manager.DeleteRule(account.Id, rules[0].ID, userID)
err = manager.DeletePolicy(account.Id, policies[0].ID, userID)
if err != nil {
t.Errorf("expecting to delete 1 group, got failure %v", err)
return
@ -201,14 +199,14 @@ func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
var (
group1 Group
group2 Group
rule Rule
policy Policy
)
group1.ID = xid.New().String()
group2.ID = xid.New().String()
group1.Name = "src"
group2.Name = "dst"
rule.ID = xid.New().String()
policy.ID = xid.New().String()
group1.Peers = append(group1.Peers, peer1.ID)
group2.Peers = append(group2.Peers, peer2.ID)
@ -223,11 +221,21 @@ func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
return
}
rule.Name = "test"
rule.Source = append(rule.Source, group1.ID)
rule.Destination = append(rule.Destination, group2.ID)
rule.Flow = TrafficFlowBidirect
err = manager.SaveRule(account.Id, userID, &rule)
policy.Name = "test"
policy.Enabled = true
policy.Rules = []*PolicyRule{
{
Enabled: true,
Sources: []string{group1.ID},
Destinations: []string{group2.ID},
Action: PolicyTrafficActionAccept,
},
}
if err := policy.UpdateQueryFromRules(); err != nil {
t.Errorf("expecting policy to be updated, got failure %v", err)
return
}
err = manager.SavePolicy(account.Id, userID, &policy)
if err != nil {
t.Errorf("expecting rule to be added, got failure %v", err)
return
@ -274,8 +282,8 @@ func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
)
}
rule.Disabled = true
err = manager.SaveRule(account.Id, userID, &rule)
policy.Enabled = false
err = manager.SavePolicy(account.Id, userID, &policy)
if err != nil {
t.Errorf("expecting rule to be added, got failure %v", err)
return
@ -333,7 +341,6 @@ func TestAccountManager_GetPeerNetwork(t *testing.T) {
Key: peerKey1.PublicKey().String(),
Meta: PeerSystemMeta{Hostname: "test-peer-1"},
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
@ -363,7 +370,6 @@ func TestAccountManager_GetPeerNetwork(t *testing.T) {
if account.Network.Id != network.Id {
t.Errorf("expecting Account Networks ID to be equal, got %s expected %s", network.Id, account.Network.Id)
}
}
func TestDefaultAccountManager_GetPeer(t *testing.T) {
@ -400,7 +406,6 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
Key: peerKey1.PublicKey().String(),
Meta: PeerSystemMeta{Hostname: "test-peer-2"},
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
@ -417,7 +422,6 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
Key: peerKey2.PublicKey().String(),
Meta: PeerSystemMeta{Hostname: "test-peer-2"},
})
if err != nil {
t.Fatal(err)
return
@ -439,9 +443,9 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
}
assert.NotNil(t, peer)
// delete the all-to-all rule so that user's peer1 has no access to peer2
for _, rule := range account.Rules {
err = manager.DeleteRule(accountID, rule.ID, adminUser)
// delete the all-to-all policy so that user's peer1 has no access to peer2
for _, policy := range account.Policies {
err = manager.DeletePolicy(accountID, policy.ID, adminUser)
if err != nil {
t.Fatal(err)
return
@ -466,11 +470,9 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
return
}
assert.NotNil(t, peer)
}
func getSetupKey(account *Account, keyType SetupKeyType) *SetupKey {
var setupKey *SetupKey
for _, key := range account.SetupKeys {
if key.Type == keyType {