mirror of
https://github.com/netbirdio/netbird.git
synced 2025-01-25 23:38:42 +01:00
d78b652ff7
* Rename PrivateNetworkCheck to PeerNetworkRangeCheck * update description and example --------- Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
195 lines
5.4 KiB
Go
195 lines
5.4 KiB
Go
package posture
|
|
|
|
import (
|
|
"fmt"
|
|
"net/netip"
|
|
|
|
"github.com/hashicorp/go-version"
|
|
|
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
|
)
|
|
|
|
const (
|
|
NBVersionCheckName = "NBVersionCheck"
|
|
OSVersionCheckName = "OSVersionCheck"
|
|
GeoLocationCheckName = "GeoLocationCheck"
|
|
PeerNetworkRangeCheckName = "PeerNetworkRangeCheck"
|
|
|
|
CheckActionAllow string = "allow"
|
|
CheckActionDeny string = "deny"
|
|
)
|
|
|
|
// Check represents an interface for performing a check on a peer.
|
|
type Check interface {
|
|
Check(peer nbpeer.Peer) (bool, error)
|
|
Name() string
|
|
}
|
|
|
|
type Checks struct {
|
|
// ID of the posture checks
|
|
ID string `gorm:"primaryKey"`
|
|
|
|
// Name of the posture checks
|
|
Name string
|
|
|
|
// Description of the posture checks visible in the UI
|
|
Description string
|
|
|
|
// AccountID is a reference to the Account that this object belongs
|
|
AccountID string `json:"-" gorm:"index"`
|
|
|
|
// Checks is a set of objects that perform the actual checks
|
|
Checks ChecksDefinition `gorm:"serializer:json"`
|
|
}
|
|
|
|
// ChecksDefinition contains definition of actual check
|
|
type ChecksDefinition struct {
|
|
NBVersionCheck *NBVersionCheck `json:",omitempty"`
|
|
OSVersionCheck *OSVersionCheck `json:",omitempty"`
|
|
GeoLocationCheck *GeoLocationCheck `json:",omitempty"`
|
|
PeerNetworkRangeCheck *PeerNetworkRangeCheck `json:",omitempty"`
|
|
}
|
|
|
|
// Copy returns a copy of a checks definition.
|
|
func (cd ChecksDefinition) Copy() ChecksDefinition {
|
|
var cdCopy ChecksDefinition
|
|
if cd.NBVersionCheck != nil {
|
|
cdCopy.NBVersionCheck = &NBVersionCheck{
|
|
MinVersion: cd.NBVersionCheck.MinVersion,
|
|
}
|
|
}
|
|
if cd.OSVersionCheck != nil {
|
|
cdCopy.OSVersionCheck = &OSVersionCheck{}
|
|
osCheck := cd.OSVersionCheck
|
|
if osCheck.Android != nil {
|
|
cdCopy.OSVersionCheck.Android = &MinVersionCheck{MinVersion: osCheck.Android.MinVersion}
|
|
}
|
|
if osCheck.Darwin != nil {
|
|
cdCopy.OSVersionCheck.Darwin = &MinVersionCheck{MinVersion: osCheck.Darwin.MinVersion}
|
|
}
|
|
if osCheck.Ios != nil {
|
|
cdCopy.OSVersionCheck.Ios = &MinVersionCheck{MinVersion: osCheck.Ios.MinVersion}
|
|
}
|
|
if osCheck.Linux != nil {
|
|
cdCopy.OSVersionCheck.Linux = &MinKernelVersionCheck{MinKernelVersion: osCheck.Linux.MinKernelVersion}
|
|
}
|
|
if osCheck.Windows != nil {
|
|
cdCopy.OSVersionCheck.Windows = &MinKernelVersionCheck{MinKernelVersion: osCheck.Windows.MinKernelVersion}
|
|
}
|
|
}
|
|
if cd.GeoLocationCheck != nil {
|
|
geoCheck := cd.GeoLocationCheck
|
|
cdCopy.GeoLocationCheck = &GeoLocationCheck{
|
|
Action: geoCheck.Action,
|
|
Locations: make([]Location, len(geoCheck.Locations)),
|
|
}
|
|
copy(cdCopy.GeoLocationCheck.Locations, geoCheck.Locations)
|
|
}
|
|
if cd.PeerNetworkRangeCheck != nil {
|
|
peerNetRangeCheck := cd.PeerNetworkRangeCheck
|
|
cdCopy.PeerNetworkRangeCheck = &PeerNetworkRangeCheck{
|
|
Action: peerNetRangeCheck.Action,
|
|
Ranges: make([]netip.Prefix, len(peerNetRangeCheck.Ranges)),
|
|
}
|
|
copy(cdCopy.PeerNetworkRangeCheck.Ranges, peerNetRangeCheck.Ranges)
|
|
}
|
|
return cdCopy
|
|
}
|
|
|
|
// TableName returns the name of the table for the Checks model in the database.
|
|
func (*Checks) TableName() string {
|
|
return "posture_checks"
|
|
}
|
|
|
|
// Copy returns a copy of a posture checks.
|
|
func (pc *Checks) Copy() *Checks {
|
|
checks := &Checks{
|
|
ID: pc.ID,
|
|
Name: pc.Name,
|
|
Description: pc.Description,
|
|
AccountID: pc.AccountID,
|
|
Checks: pc.Checks.Copy(),
|
|
}
|
|
return checks
|
|
}
|
|
|
|
// EventMeta returns activity event meta-related to this posture checks.
|
|
func (pc *Checks) EventMeta() map[string]any {
|
|
return map[string]any{"name": pc.Name}
|
|
}
|
|
|
|
// GetChecks returns list of all initialized checks definitions
|
|
func (pc *Checks) GetChecks() []Check {
|
|
var checks []Check
|
|
if pc.Checks.NBVersionCheck != nil {
|
|
checks = append(checks, pc.Checks.NBVersionCheck)
|
|
}
|
|
if pc.Checks.OSVersionCheck != nil {
|
|
checks = append(checks, pc.Checks.OSVersionCheck)
|
|
}
|
|
if pc.Checks.GeoLocationCheck != nil {
|
|
checks = append(checks, pc.Checks.GeoLocationCheck)
|
|
}
|
|
if pc.Checks.PeerNetworkRangeCheck != nil {
|
|
checks = append(checks, pc.Checks.PeerNetworkRangeCheck)
|
|
}
|
|
return checks
|
|
}
|
|
|
|
func (pc *Checks) Validate() error {
|
|
if check := pc.Checks.NBVersionCheck; check != nil {
|
|
if !isVersionValid(check.MinVersion) {
|
|
return fmt.Errorf("%s version: %s is not valid", check.Name(), check.MinVersion)
|
|
}
|
|
}
|
|
|
|
if osCheck := pc.Checks.OSVersionCheck; osCheck != nil {
|
|
if osCheck.Android != nil {
|
|
if !isVersionValid(osCheck.Android.MinVersion) {
|
|
return fmt.Errorf("%s android version: %s is not valid", osCheck.Name(), osCheck.Android.MinVersion)
|
|
}
|
|
}
|
|
|
|
if osCheck.Ios != nil {
|
|
if !isVersionValid(osCheck.Ios.MinVersion) {
|
|
return fmt.Errorf("%s ios version: %s is not valid", osCheck.Name(), osCheck.Ios.MinVersion)
|
|
}
|
|
}
|
|
|
|
if osCheck.Darwin != nil {
|
|
if !isVersionValid(osCheck.Darwin.MinVersion) {
|
|
return fmt.Errorf("%s darwin version: %s is not valid", osCheck.Name(), osCheck.Darwin.MinVersion)
|
|
}
|
|
}
|
|
|
|
if osCheck.Linux != nil {
|
|
if !isVersionValid(osCheck.Linux.MinKernelVersion) {
|
|
return fmt.Errorf("%s linux kernel version: %s is not valid", osCheck.Name(),
|
|
osCheck.Linux.MinKernelVersion)
|
|
}
|
|
}
|
|
|
|
if osCheck.Windows != nil {
|
|
if !isVersionValid(osCheck.Windows.MinKernelVersion) {
|
|
return fmt.Errorf("%s windows kernel version: %s is not valid", osCheck.Name(),
|
|
osCheck.Windows.MinKernelVersion)
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func isVersionValid(ver string) bool {
|
|
newVersion, err := version.NewVersion(ver)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
if newVersion != nil {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|