Move to using variable for group memebership, fix crash when prev kv …

…is empty
NHAS · May 8, 2024 · 5144115 · 5144115
1 parent 08b7446
commit 5144115
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 9 deletions.
diff --git a/internal/data/acls.go b/internal/data/acls.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 
 	"github.com/NHAS/wag/internal/acls"
 	"github.com/NHAS/wag/internal/config"
@@ -81,9 +82,10 @@ func GetEffectiveAcl(username string) acls.Acl {
 	resultingACLs.Allow = []string{config.Values.Wireguard.ServerAddress.String() + "/32"}
 
 	txn := etcd.Txn(context.Background())
-	txn.Then(clientv3.OpGet("wag-acls-*"), clientv3.OpGet("wag-acls-"+username), clientv3.OpGet("wag-membership"), clientv3.OpGet(dnsKey))
+	txn.Then(clientv3.OpGet("wag-acls-*"), clientv3.OpGet("wag-acls-"+username), clientv3.OpGet(MembershipKey), clientv3.OpGet(dnsKey))
 	resp, err := txn.Commit()
 	if err != nil {
+		log.Println("failed to get policy data for user", username, "err:", err)
 		return acls.Acl{}
 	}
 
@@ -95,6 +97,9 @@ func GetEffectiveAcl(username string) acls.Acl {
 		if err == nil {
 			resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
 			resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
+		} else {
+			RaiseError(err, []byte("failed to unmarshal default acls policy"))
+			log.Println("failed to unmarshal default acls policy: ", err)
 		}
 	}
 
@@ -106,6 +111,8 @@ func GetEffectiveAcl(username string) acls.Acl {
 		if err == nil {
 			resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
 			resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
+		} else {
+			log.Println("failed to unmarshal user specific acls: ", err)
 		}
 	}
 
@@ -115,6 +122,8 @@ func GetEffectiveAcl(username string) acls.Acl {
 
 		err = json.Unmarshal(resp.Responses[2].GetResponseRange().Kvs[0].Value, &rGroupLookup)
 		if err == nil {
+			log.Println("DEBUG got reverse groups map", rGroupLookup)
+			log.Println("DEBUG got groups map for user", username, rGroupLookup[username])
 
 			txn := etcd.Txn(context.Background())
 
@@ -126,6 +135,8 @@ func GetEffectiveAcl(username string) acls.Acl {
 
 			resp, err := txn.Then(ops...).Commit()
 			if err != nil {
+				log.Println("failed to get acls for groups: ", err)
+				RaiseError(err, []byte("failed to determine acls from groups"))
 				return acls.Acl{}
 			}
 
@@ -137,9 +148,12 @@ func GetEffectiveAcl(username string) acls.Acl {
 
 					err := json.Unmarshal(r.Kvs[0].Value, &acl)
 					if err != nil {
+						log.Println("failed to unmarshal acl from response: ", err, string(r.Kvs[0].Value))
 						continue
 					}
 
+					log.Println("DEBUG user", username, " acls construction, adding: ", acl)
+
 					resultingACLs.Allow = append(resultingACLs.Allow, acl.Allow...)
 					resultingACLs.Mfa = append(resultingACLs.Mfa, acl.Mfa...)
 				}
@@ -158,6 +172,8 @@ func GetEffectiveAcl(username string) acls.Acl {
 			for _, server := range dns {
 				resultingACLs.Allow = append(resultingACLs.Allow, fmt.Sprintf("%s 53/any", server))
 			}
+		} else {
+			log.Println("failed to unmarshal dns setting: ", err)
 		}
 	}
 

diff --git a/internal/data/config.go b/internal/data/config.go
@@ -51,6 +51,8 @@ const (
 
 	externalAddressKey = "wag-config-network-external-address"
 	dnsKey             = "wag-config-network-dns"
+
+	MembershipKey = "wag-membership"
 )
 
 func getString(key string) (ret string, err error) {

diff --git a/internal/data/events.go b/internal/data/events.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/NHAS/wag/pkg/queue"
+	"go.etcd.io/etcd/api/v3/mvccpb"
 	clientv3 "go.etcd.io/etcd/client/v3"
 )
 
@@ -110,7 +111,7 @@ func RegisterEventListener[T any](path string, isPrefix bool, f func(key string,
 					}
 				}
 
-				go func(key, previous []byte) {
+				go func(key []byte, prevKv *mvccpb.KeyValue) {
 					if err := f(string(key), currentValue, previousValue, state); err != nil {
 						log.Println("applying event failed: ", state, currentValue, "err:", err)
 						err = RaiseError(err, value)
@@ -126,11 +127,17 @@ func RegisterEventListener[T any](path string, isPrefix bool, f func(key string,
 						EventsQueue.Write([]byte(fmt.Sprintf("%s[%s]", key, state)))
 
 					case MODIFIED:
-						EventsQueue.Write([]byte(fmt.Sprintf("%s[%s]: %s -> %s", key, state, string(previous), string(value))))
+
+						previous := "nil"
+						if prevKv != nil {
+							previous = string(prevKv.Value)
+						}
+
+						EventsQueue.Write([]byte(fmt.Sprintf("%s[%s]: %s -> %s", key, state, previous, string(value))))
 
 					}
 
-				}(event.Kv.Key, event.PrevKv.Value)
+				}(event.Kv.Key, event.PrevKv)
 
 			}
 		}

diff --git a/internal/data/groups.go b/internal/data/groups.go
@@ -37,7 +37,7 @@ func SetGroup(group string, members []string, overwrite bool) error {
 		}
 	}
 
-	err = doSafeUpdate(context.Background(), "wag-membership", func(gr *clientv3.GetResponse) (value string, err error) {
+	err = doSafeUpdate(context.Background(), MembershipKey, func(gr *clientv3.GetResponse) (value string, err error) {
 
 		if len(gr.Kvs) != 1 {
 			return "", errors.New("bad number of membership keys")
@@ -112,7 +112,7 @@ func RemoveGroup(groupName string) error {
 		}
 	}
 
-	err = doSafeUpdate(context.Background(), "wag-membership", func(gr *clientv3.GetResponse) (value string, err error) {
+	err = doSafeUpdate(context.Background(), MembershipKey, func(gr *clientv3.GetResponse) (value string, err error) {
 
 		if len(gr.Kvs) != 1 {
 			return "", errors.New("bad number of membership keys")
@@ -138,7 +138,7 @@ func RemoveGroup(groupName string) error {
 
 func GetUserGroupMembership(username string) ([]string, error) {
 
-	response, err := etcd.Get(context.Background(), "wag-membership")
+	response, err := etcd.Get(context.Background(), MembershipKey)
 	if err != nil {
 		return nil, err
 	}
@@ -159,7 +159,7 @@ func GetUserGroupMembership(username string) ([]string, error) {
 
 func SetUserGroupMembership(username string, newGroups []string) error {
 
-	err := doSafeUpdate(context.Background(), "wag-membership", func(gr *clientv3.GetResponse) (value string, err error) {
+	err := doSafeUpdate(context.Background(), MembershipKey, func(gr *clientv3.GetResponse) (value string, err error) {
 
 		if len(gr.Kvs) != 1 {
 			return "", errors.New("bad number of membership keys")

diff --git a/internal/data/init.go b/internal/data/init.go
@@ -248,7 +248,7 @@ func loadInitialSettings() error {
 		}
 
 		reverseMappingJson, _ := json.Marshal(rGroupLookup)
-		_, err = etcd.Put(context.Background(), "wag-membership", string(reverseMappingJson))
+		_, err = etcd.Put(context.Background(), MembershipKey, string(reverseMappingJson))
 		if err != nil {
 			return err
 		}

diff --git a/internal/routetypes/parser_test.go b/internal/routetypes/parser_test.go
@@ -371,3 +371,35 @@ func TestParseRules(t *testing.T) {
 	}
 
 }
+
+func TestParseRulesDuplicates(t *testing.T) {
+	/*
+	   "*": {
+	       "Allow": [
+	           "7.7.7.7",
+	           "google.com"
+	       ]
+	   },
+	   "tester": {
+	       "Mfa": [
+	           "192.168.3.0/24",
+	           "192.168.5.0/24"
+	       ],
+	       "Allow": [
+	           "4.3.3.3/32"
+	       ]
+	   },
+	*/
+
+	mfaRules := []string{"192.168.33.1/32", "192.168.33.1/32"}
+
+	result, err := ParseRules(mfaRules, []string{}, []string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(result) < 1 {
+		t.Fatal("resulting number of rules was wrong")
+	}
+
+}