netbird/management/server/posture/os_version.go

package posture

import (
	"fmt"
	"strings"

	"github.com/hashicorp/go-version"
	log "github.com/sirupsen/logrus"

	nbpeer "github.com/netbirdio/netbird/management/server/peer"
)

type MinVersionCheck struct {
	MinVersion string
}

type MinKernelVersionCheck struct {
	MinKernelVersion string
}

type OSVersionCheck struct {
	Android *MinVersionCheck
	Darwin  *MinVersionCheck
	Ios     *MinVersionCheck
	Linux   *MinKernelVersionCheck
	Windows *MinKernelVersionCheck
}

var _ Check = (*OSVersionCheck)(nil)

func (c *OSVersionCheck) Check(peer nbpeer.Peer) (bool, error) {
	peerGoOS := peer.Meta.GoOS
	switch peerGoOS {
	case "android":
		return checkMinVersion(peerGoOS, peer.Meta.OSVersion, c.Android)
	case "darwin":
		return checkMinVersion(peerGoOS, peer.Meta.OSVersion, c.Darwin)
	case "ios":
		return checkMinVersion(peerGoOS, peer.Meta.OSVersion, c.Ios)
	case "linux":
		kernelVersion := strings.Split(peer.Meta.KernelVersion, "-")[0]
		return checkMinKernelVersion(peerGoOS, kernelVersion, c.Linux)
	case "windows":
		return checkMinKernelVersion(peerGoOS, peer.Meta.KernelVersion, c.Windows)
	}
	return true, nil
}

func (c *OSVersionCheck) Name() string {
	return OSVersionCheckName
}

func (c *OSVersionCheck) Validate() error {
	emptyOS := c.Android == nil && c.Darwin == nil && c.Ios == nil &&
		c.Linux == nil && c.Windows == nil
	emptyMinVersion := c.Android != nil && c.Android.MinVersion == "" || c.Darwin != nil && c.Darwin.MinVersion == "" ||
		c.Ios != nil && c.Ios.MinVersion == "" || c.Linux != nil && c.Linux.MinKernelVersion == "" || c.Windows != nil &&
		c.Windows.MinKernelVersion == ""
	if emptyOS || emptyMinVersion {
		return fmt.Errorf("%s minimum version for at least one OS shouldn't be empty", c.Name())
	}

	if c.Android != nil && !isVersionValid(c.Android.MinVersion) {
		return fmt.Errorf("%s android version: %s is not valid", c.Name(), c.Android.MinVersion)
	}

	if c.Ios != nil && !isVersionValid(c.Ios.MinVersion) {
		return fmt.Errorf("%s ios version: %s is not valid", c.Name(), c.Ios.MinVersion)
	}

	if c.Darwin != nil && !isVersionValid(c.Darwin.MinVersion) {
		return fmt.Errorf("%s  darwin version: %s is not valid", c.Name(), c.Darwin.MinVersion)
	}

	if c.Linux != nil && !isVersionValid(c.Linux.MinKernelVersion) {
		return fmt.Errorf("%s  linux kernel version: %s is not valid", c.Name(),
			c.Linux.MinKernelVersion)
	}

	if c.Windows != nil && !isVersionValid(c.Windows.MinKernelVersion) {
		return fmt.Errorf("%s  windows kernel version: %s is not valid", c.Name(),
			c.Windows.MinKernelVersion)
	}
	return nil
}

func checkMinVersion(peerGoOS, peerVersion string, check *MinVersionCheck) (bool, error) {
	if check == nil {
		log.Debugf("peer %s OS is not allowed in the check", peerGoOS)
		return false, nil
	}

	peerNBVersion, err := version.NewVersion(peerVersion)
	if err != nil {
		return false, err
	}

	constraints, err := version.NewConstraint(">= " + check.MinVersion)
	if err != nil {
		return false, err
	}

	if constraints.Check(peerNBVersion) {
		return true, nil
	}

	log.Debugf("peer %s OS version %s is older than minimum allowed version %s", peerGoOS, peerVersion, check.MinVersion)

	return false, nil
}

func checkMinKernelVersion(peerGoOS, peerVersion string, check *MinKernelVersionCheck) (bool, error) {
	if check == nil {
		log.Debugf("peer %s OS is not allowed in the check", peerGoOS)
		return false, nil
	}

	peerNBVersion, err := version.NewVersion(peerVersion)
	if err != nil {
		return false, err
	}

	constraints, err := version.NewConstraint(">= " + check.MinKernelVersion)
	if err != nil {
		return false, err
	}

	if constraints.Check(peerNBVersion) {
		return true, nil
	}

	log.Debugf("peer %s kernel version %s is older than minimum allowed version %s", peerGoOS, peerVersion, check.MinKernelVersion)

	return false, nil
}