Add initial support of device posture checks (#1540)

This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks.
2025-08-16 18:11:58 +02:00 · 2024-02-20 09:59:56 +01:00
parent db3cba5e0f
commit 9bc7b9e897
61 changed files with 5162 additions and 348 deletions
--- a/management/server/posture_checks.go
+++ b/management/server/posture_checks.go
@ -0,0 +1,178 @@
+package server
+
+import (
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/status"
+)
+
+func (am *DefaultAccountManager) GetPostureChecks(accountID, postureChecksID, userID string) (*posture.Checks, error) {
+	unlock := am.Store.AcquireAccountLock(accountID)
+	defer unlock()
+
+	account, err := am.Store.GetAccount(accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := account.FindUser(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if !user.HasAdminPower() {
+		return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view posture checks")
+	}
+
+	for _, postureChecks := range account.PostureChecks {
+		if postureChecks.ID == postureChecksID {
+			return postureChecks, nil
+		}
+	}
+
+	return nil, status.Errorf(status.NotFound, "posture checks with ID %s not found", postureChecksID)
+}
+
+func (am *DefaultAccountManager) SavePostureChecks(accountID, userID string, postureChecks *posture.Checks) error {
+	unlock := am.Store.AcquireAccountLock(accountID)
+	defer unlock()
+
+	account, err := am.Store.GetAccount(accountID)
+	if err != nil {
+		return err
+	}
+
+	user, err := account.FindUser(userID)
+	if err != nil {
+		return err
+	}
+
+	if !user.HasAdminPower() {
+		return status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view posture checks")
+	}
+
+	if err := postureChecks.Validate(); err != nil {
+		return status.Errorf(status.BadRequest, err.Error())
+	}
+
+	exists, uniqName := am.savePostureChecks(account, postureChecks)
+
+	// we do not allow create new posture checks with non uniq name
+	if !exists && !uniqName {
+		return status.Errorf(status.PreconditionFailed, "Posture check name should be unique")
+	}
+
+	action := activity.PostureCheckCreated
+	if exists {
+		action = activity.PostureCheckUpdated
+		account.Network.IncSerial()
+	}
+
+	if err = am.Store.SaveAccount(account); err != nil {
+		return err
+	}
+
+	am.StoreEvent(userID, postureChecks.ID, accountID, action, postureChecks.EventMeta())
+	if exists {
+		am.updateAccountPeers(account)
+	}
+
+	return nil
+}
+
+func (am *DefaultAccountManager) DeletePostureChecks(accountID, postureChecksID, userID string) error {
+	unlock := am.Store.AcquireAccountLock(accountID)
+	defer unlock()
+
+	account, err := am.Store.GetAccount(accountID)
+	if err != nil {
+		return err
+	}
+
+	user, err := account.FindUser(userID)
+	if err != nil {
+		return err
+	}
+
+	if !user.HasAdminPower() {
+		return status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view posture checks")
+	}
+
+	postureChecks, err := am.deletePostureChecks(account, postureChecksID)
+	if err != nil {
+		return err
+	}
+
+	if err = am.Store.SaveAccount(account); err != nil {
+		return err
+	}
+
+	am.StoreEvent(userID, postureChecks.ID, accountID, activity.PostureCheckDeleted, postureChecks.EventMeta())
+
+	return nil
+}
+
+func (am *DefaultAccountManager) ListPostureChecks(accountID, userID string) ([]*posture.Checks, error) {
+	unlock := am.Store.AcquireAccountLock(accountID)
+	defer unlock()
+
+	account, err := am.Store.GetAccount(accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := account.FindUser(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if !user.HasAdminPower() {
+		return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view posture checks")
+	}
+
+	return account.PostureChecks, nil
+}
+
+func (am *DefaultAccountManager) savePostureChecks(account *Account, postureChecks *posture.Checks) (exists, uniqName bool) {
+	uniqName = true
+	for i, p := range account.PostureChecks {
+		if !exists && p.ID == postureChecks.ID {
+			account.PostureChecks[i] = postureChecks
+			exists = true
+		}
+		if p.Name == postureChecks.Name {
+			uniqName = false
+		}
+	}
+	if !exists {
+		account.PostureChecks = append(account.PostureChecks, postureChecks)
+	}
+	return
+}
+
+func (am *DefaultAccountManager) deletePostureChecks(account *Account, postureChecksID string) (*posture.Checks, error) {
+	postureChecksIdx := -1
+	for i, postureChecks := range account.PostureChecks {
+		if postureChecks.ID == postureChecksID {
+			postureChecksIdx = i
+			break
+		}
+	}
+	if postureChecksIdx < 0 {
+		return nil, status.Errorf(status.NotFound, "posture checks with ID %s doesn't exist", postureChecksID)
+	}
+
+	// check policy links
+	for _, policy := range account.Policies {
+		for _, id := range policy.SourcePostureChecks {
+			if id == postureChecksID {
+				return nil, status.Errorf(status.PreconditionFailed, "posture checks have been linked to policy: %s", policy.Name)
+			}
+		}
+	}
+
+	postureChecks := account.PostureChecks[postureChecksIdx]
+	account.PostureChecks = append(account.PostureChecks[:postureChecksIdx], account.PostureChecks[postureChecksIdx+1:]...)
+
+	return postureChecks, nil
+}