mirror of
https://github.com/netbirdio/netbird.git
synced 2024-12-24 15:48:52 +01:00
4fec709bb1
* compile client under freebsd (#1620) Compile netbird client under freebsd and now support netstack and userspace modes. Refactoring linux specific code to share same code with FreeBSD, move to *_unix.go files. Not implemented yet: Kernel mode not supported DNS probably does not work yet Routing also probably does not work yet SSH support did not tested yet Lack of test environment for freebsd (dedicated VM for github runners under FreeBSD required) Lack of tests for freebsd specific code info reporting need to review and also implement, for example OS reported as GENERIC instead of FreeBSD (lack of FreeBSD icon in management interface) Lack of proper client setup under FreeBSD Lack of FreeBSD port/package * Add DNS routes (#1943) Given domains are resolved periodically and resolved IPs are replaced with the new ones. Unless the flag keep_route is set to true, then only new ones are added. This option is helpful if there are long-running connections that might still point to old IP addresses from changed DNS records. * Add process posture check (#1693) Introduces a process posture check to validate the existence and active status of specific binaries on peer systems. The check ensures that files are present at specified paths, and that corresponding processes are running. This check supports Linux, Windows, and macOS systems. Co-authored-by: Evgenii <mail@skillcoder.com> Co-authored-by: Pascal Fischer <pascal@netbird.io> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com> Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
258 lines
6.8 KiB
Go
258 lines
6.8 KiB
Go
package server
|
|
|
|
import (
|
|
"slices"
|
|
|
|
"github.com/netbirdio/netbird/management/server/activity"
|
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
|
"github.com/netbirdio/netbird/management/server/posture"
|
|
"github.com/netbirdio/netbird/management/server/status"
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const (
|
|
errMsgPostureAdminOnly = "only users with admin power are allowed to view posture checks"
|
|
)
|
|
|
|
func (am *DefaultAccountManager) GetPostureChecks(accountID, postureChecksID, userID string) (*posture.Checks, error) {
|
|
unlock := am.Store.AcquireAccountWriteLock(accountID)
|
|
defer unlock()
|
|
|
|
account, err := am.Store.GetAccount(accountID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
user, err := account.FindUser(userID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !user.HasAdminPower() {
|
|
return nil, status.Errorf(status.PermissionDenied, errMsgPostureAdminOnly)
|
|
}
|
|
|
|
for _, postureChecks := range account.PostureChecks {
|
|
if postureChecks.ID == postureChecksID {
|
|
return postureChecks, nil
|
|
}
|
|
}
|
|
|
|
return nil, status.Errorf(status.NotFound, "posture checks with ID %s not found", postureChecksID)
|
|
}
|
|
|
|
func (am *DefaultAccountManager) SavePostureChecks(accountID, userID string, postureChecks *posture.Checks) error {
|
|
unlock := am.Store.AcquireAccountWriteLock(accountID)
|
|
defer unlock()
|
|
|
|
account, err := am.Store.GetAccount(accountID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
user, err := account.FindUser(userID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !user.HasAdminPower() {
|
|
return status.Errorf(status.PermissionDenied, errMsgPostureAdminOnly)
|
|
}
|
|
|
|
if err := postureChecks.Validate(); err != nil {
|
|
return status.Errorf(status.InvalidArgument, err.Error())
|
|
}
|
|
|
|
exists, uniqName := am.savePostureChecks(account, postureChecks)
|
|
|
|
// we do not allow create new posture checks with non uniq name
|
|
if !exists && !uniqName {
|
|
return status.Errorf(status.PreconditionFailed, "Posture check name should be unique")
|
|
}
|
|
|
|
action := activity.PostureCheckCreated
|
|
if exists {
|
|
action = activity.PostureCheckUpdated
|
|
account.Network.IncSerial()
|
|
}
|
|
|
|
if err = am.Store.SaveAccount(account); err != nil {
|
|
return err
|
|
}
|
|
|
|
am.StoreEvent(userID, postureChecks.ID, accountID, action, postureChecks.EventMeta())
|
|
if exists {
|
|
am.updateAccountPeers(account)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (am *DefaultAccountManager) DeletePostureChecks(accountID, postureChecksID, userID string) error {
|
|
unlock := am.Store.AcquireAccountWriteLock(accountID)
|
|
defer unlock()
|
|
|
|
account, err := am.Store.GetAccount(accountID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
user, err := account.FindUser(userID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !user.HasAdminPower() {
|
|
return status.Errorf(status.PermissionDenied, errMsgPostureAdminOnly)
|
|
}
|
|
|
|
postureChecks, err := am.deletePostureChecks(account, postureChecksID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err = am.Store.SaveAccount(account); err != nil {
|
|
return err
|
|
}
|
|
|
|
am.StoreEvent(userID, postureChecks.ID, accountID, activity.PostureCheckDeleted, postureChecks.EventMeta())
|
|
|
|
return nil
|
|
}
|
|
|
|
func (am *DefaultAccountManager) ListPostureChecks(accountID, userID string) ([]*posture.Checks, error) {
|
|
unlock := am.Store.AcquireAccountWriteLock(accountID)
|
|
defer unlock()
|
|
|
|
account, err := am.Store.GetAccount(accountID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
user, err := account.FindUser(userID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !user.HasAdminPower() {
|
|
return nil, status.Errorf(status.PermissionDenied, errMsgPostureAdminOnly)
|
|
}
|
|
|
|
return account.PostureChecks, nil
|
|
}
|
|
|
|
func (am *DefaultAccountManager) savePostureChecks(account *Account, postureChecks *posture.Checks) (exists, uniqName bool) {
|
|
uniqName = true
|
|
for i, p := range account.PostureChecks {
|
|
if !exists && p.ID == postureChecks.ID {
|
|
account.PostureChecks[i] = postureChecks
|
|
exists = true
|
|
}
|
|
if p.Name == postureChecks.Name {
|
|
uniqName = false
|
|
}
|
|
}
|
|
if !exists {
|
|
account.PostureChecks = append(account.PostureChecks, postureChecks)
|
|
}
|
|
return
|
|
}
|
|
|
|
func (am *DefaultAccountManager) deletePostureChecks(account *Account, postureChecksID string) (*posture.Checks, error) {
|
|
postureChecksIdx := -1
|
|
for i, postureChecks := range account.PostureChecks {
|
|
if postureChecks.ID == postureChecksID {
|
|
postureChecksIdx = i
|
|
break
|
|
}
|
|
}
|
|
if postureChecksIdx < 0 {
|
|
return nil, status.Errorf(status.NotFound, "posture checks with ID %s doesn't exist", postureChecksID)
|
|
}
|
|
|
|
// check policy links
|
|
for _, policy := range account.Policies {
|
|
for _, id := range policy.SourcePostureChecks {
|
|
if id == postureChecksID {
|
|
return nil, status.Errorf(status.PreconditionFailed, "posture checks have been linked to policy: %s", policy.Name)
|
|
}
|
|
}
|
|
}
|
|
|
|
postureChecks := account.PostureChecks[postureChecksIdx]
|
|
account.PostureChecks = append(account.PostureChecks[:postureChecksIdx], account.PostureChecks[postureChecksIdx+1:]...)
|
|
|
|
return postureChecks, nil
|
|
}
|
|
|
|
// GetPeerAppliedPostureChecks returns posture checks that are applied to the peer.
|
|
func (am *DefaultAccountManager) GetPeerAppliedPostureChecks(peerKey string) ([]posture.Checks, error) {
|
|
account, err := am.Store.GetAccountByPeerPubKey(peerKey)
|
|
if err != nil {
|
|
log.Errorf("failed while getting peer %s: %v", peerKey, err)
|
|
return nil, err
|
|
}
|
|
|
|
peer, err := account.FindPeerByPubKey(peerKey)
|
|
if err != nil {
|
|
return nil, status.Errorf(status.NotFound, "peer is not registered")
|
|
}
|
|
if peer == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
peerPostureChecks := am.collectPeerPostureChecks(account, peer)
|
|
|
|
postureChecksList := make([]posture.Checks, 0, len(peerPostureChecks))
|
|
for _, check := range peerPostureChecks {
|
|
postureChecksList = append(postureChecksList, check)
|
|
}
|
|
|
|
return postureChecksList, nil
|
|
}
|
|
|
|
// collectPeerPostureChecks collects the posture checks applied for a given peer.
|
|
func (am *DefaultAccountManager) collectPeerPostureChecks(account *Account, peer *nbpeer.Peer) map[string]posture.Checks {
|
|
peerPostureChecks := make(map[string]posture.Checks)
|
|
|
|
for _, policy := range account.Policies {
|
|
if !policy.Enabled {
|
|
continue
|
|
}
|
|
|
|
if isPeerInPolicySourceGroups(peer.ID, account, policy) {
|
|
addPolicyPostureChecks(account, policy, peerPostureChecks)
|
|
}
|
|
}
|
|
|
|
return peerPostureChecks
|
|
}
|
|
|
|
// isPeerInPolicySourceGroups checks if a peer is present in any of the policy rule source groups.
|
|
func isPeerInPolicySourceGroups(peerID string, account *Account, policy *Policy) bool {
|
|
for _, rule := range policy.Rules {
|
|
if !rule.Enabled {
|
|
continue
|
|
}
|
|
|
|
for _, sourceGroup := range rule.Sources {
|
|
group, ok := account.Groups[sourceGroup]
|
|
if ok && slices.Contains(group.Peers, peerID) {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func addPolicyPostureChecks(account *Account, policy *Policy, peerPostureChecks map[string]posture.Checks) {
|
|
for _, sourcePostureCheckID := range policy.SourcePostureChecks {
|
|
for _, postureCheck := range account.PostureChecks {
|
|
if postureCheck.ID == sourcePostureCheckID {
|
|
peerPostureChecks[sourcePostureCheckID] = *postureCheck
|
|
}
|
|
}
|
|
}
|
|
}
|