Skip to content

Commit

Permalink
Merge pull request #3332 from gravitl/master
Browse files Browse the repository at this point in the history 
Master
  • Loading branch information
@abhishek9686
abhishek9686 authored Feb 17, 2025
2 parents 689b9b6 + 06bd376 commit f028a63
Showing 1 changed file with 10 additions and 8 deletions.
18 changes: 10 additions & 8 deletions logic/acls.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -570,14 +570,14 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) (bool, []mode

// IsPeerAllowed - checks if peer needs to be added to the interface
func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
peerTags := maps.Clone(peer.Tags)
nodeTags := maps.Clone(node.Tags)
if node.IsStatic {
node = node.StaticNode.ConvertToStaticNode()
}
if peer.IsStatic {
peer = peer.StaticNode.ConvertToStaticNode()
}
peerTags := maps.Clone(peer.Tags)
nodeTags := maps.Clone(node.Tags)
if checkDefaultPolicy {
// check default policy if all allowed return true
defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
Expand Down Expand Up @@ -660,6 +660,8 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
if peer.IsStatic {
peer = peer.StaticNode.ConvertToStaticNode()
}
peerTags := maps.Clone(peer.Tags)
nodeTags := maps.Clone(node.Tags)
if checkDefaultPolicy {
// check default policy if all allowed return true
defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
Expand All @@ -684,15 +686,15 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
}
srcMap = convAclTagToValueMap(policy.Src)
dstMap = convAclTagToValueMap(policy.Dst)
for tagID := range node.Tags {
for tagID := range nodeTags {
allowed := false
if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok {
if _, ok := srcMap["*"]; ok {
allowed = true
allowedPolicies = append(allowedPolicies, policy)
break
}
for tagID := range peer.Tags {
for tagID := range peerTags {
if _, ok := srcMap[tagID.String()]; ok {
allowed = true
break
Expand All @@ -709,7 +711,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
allowedPolicies = append(allowedPolicies, policy)
break
}
for tagID := range peer.Tags {
for tagID := range peerTags {
if _, ok := dstMap[tagID.String()]; ok {
allowed = true
break
Expand All @@ -721,15 +723,15 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
break
}
}
for tagID := range peer.Tags {
for tagID := range peerTags {
allowed := false
if _, ok := dstMap[tagID.String()]; ok {
if _, ok := srcMap["*"]; ok {
allowed = true
allowedPolicies = append(allowedPolicies, policy)
break
}
for tagID := range node.Tags {
for tagID := range nodeTags {

if _, ok := srcMap[tagID.String()]; ok {
allowed = true
Expand All @@ -748,7 +750,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
allowedPolicies = append(allowedPolicies, policy)
break
}
for tagID := range node.Tags {
for tagID := range nodeTags {
if _, ok := dstMap[tagID.String()]; ok {
allowed = true
break
Expand Down

0 comments on commit f028a63

Please sign in to comment.