mirror of
https://github.com/netbirdio/netbird.git
synced 2025-01-07 14:39:10 +01:00
765aba2c1c
propagate context from all the API calls and log request ID, account ID and peer ID --------- Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
90 lines
2.3 KiB
Go
90 lines
2.3 KiB
Go
package posture
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"slices"
|
|
|
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
|
)
|
|
|
|
type Location struct {
|
|
// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
|
|
CountryCode string
|
|
|
|
// CityName Commonly used English name of the city
|
|
CityName string
|
|
}
|
|
|
|
var _ Check = (*GeoLocationCheck)(nil)
|
|
|
|
type GeoLocationCheck struct {
|
|
// Locations list of geolocations, to which the policy applies
|
|
Locations []Location
|
|
|
|
// Action to take upon policy match
|
|
Action string
|
|
}
|
|
|
|
func (g *GeoLocationCheck) Check(_ context.Context, peer nbpeer.Peer) (bool, error) {
|
|
// deny if the peer location is not evaluated
|
|
if peer.Location.CountryCode == "" && peer.Location.CityName == "" {
|
|
return false, fmt.Errorf("peer's location is not set")
|
|
}
|
|
|
|
for _, loc := range g.Locations {
|
|
if loc.CountryCode == peer.Location.CountryCode {
|
|
if loc.CityName == "" || loc.CityName == peer.Location.CityName {
|
|
switch g.Action {
|
|
case CheckActionDeny:
|
|
return false, nil
|
|
case CheckActionAllow:
|
|
return true, nil
|
|
default:
|
|
return false, fmt.Errorf("invalid geo location action: %s", g.Action)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
// At this point, no location in the list matches the peer's location
|
|
// For action deny and no location match, allow the peer
|
|
if g.Action == CheckActionDeny {
|
|
return true, nil
|
|
}
|
|
// For action allow and no location match, deny the peer
|
|
if g.Action == CheckActionAllow {
|
|
return false, nil
|
|
}
|
|
|
|
return false, fmt.Errorf("invalid geo location action: %s", g.Action)
|
|
}
|
|
|
|
func (g *GeoLocationCheck) Name() string {
|
|
return GeoLocationCheckName
|
|
}
|
|
|
|
func (g *GeoLocationCheck) Validate() error {
|
|
if g.Action == "" {
|
|
return fmt.Errorf("%s action shouldn't be empty", g.Name())
|
|
}
|
|
|
|
allowedActions := []string{CheckActionAllow, CheckActionDeny}
|
|
if !slices.Contains(allowedActions, g.Action) {
|
|
return fmt.Errorf("%s action is not valid", g.Name())
|
|
}
|
|
|
|
if len(g.Locations) == 0 {
|
|
return fmt.Errorf("%s locations shouldn't be empty", g.Name())
|
|
}
|
|
|
|
for _, loc := range g.Locations {
|
|
if loc.CountryCode == "" {
|
|
return fmt.Errorf("%s country code shouldn't be empty", g.Name())
|
|
}
|
|
if !countryCodeRegex.MatchString(loc.CountryCode) {
|
|
return fmt.Errorf("%s country code must be 2 letters (ISO 3166-1 alpha-2 format)", g.Name())
|
|
}
|
|
}
|
|
return nil
|
|
}
|