Evaluate all applied posture checks on source peers only

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
Evaluate all applied posture checks once
2026-04-23 09:52:05 -04:00 · 2024-12-27 23:28:34 +03:00 · 2024-12-27 22:12:47 +03:00 · 2024-12-27 21:49:28 +03:00 · 2024-12-27 14:13:36 +01:00 · 2024-12-27 14:39:34 +03:00
6 changed files with 110 additions and 32 deletions
--- a/management/server/group.go
+++ b/management/server/group.go
@@ -474,6 +474,10 @@ func validateDeleteGroup(ctx context.Context, transaction store.Store, group *ty
 		return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
 	}

+	if len(group.Resources) > 0 {
+		return &GroupLinkError{"network resource", group.Resources[0].ID}
+	}
+
 	if isLinked, linkedRoute := isGroupLinkedToRoute(ctx, transaction, group.AccountID, group.ID); isLinked {
 		return &GroupLinkError{"route", string(linkedRoute.NetID)}
 	}
@@ -529,7 +533,10 @@ func isGroupLinkedToRoute(ctx context.Context, transaction store.Store, accountI
 	}

 	for _, r := range routes {
-		if slices.Contains(r.Groups, groupID) || slices.Contains(r.PeerGroups, groupID) {
+		isLinked := slices.Contains(r.Groups, groupID) ||
+			slices.Contains(r.PeerGroups, groupID) ||
+			slices.Contains(r.AccessControlGroups, groupID)
+		if isLinked {
 			return true, r
 		}
 	}
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -725,10 +725,6 @@ components:
    PolicyRuleMinimum:
      type: object
      properties:
-        id:
-          description: Policy rule ID
-          type: string
-          example: ch8i4ug6lnn4g9hqv7mg
        name:
          description: Policy rule name identifier
          type: string
@@ -790,6 +786,31 @@ components:
        - end

    PolicyRuleUpdate:
+      allOf:
+        - $ref: '#/components/schemas/PolicyRuleMinimum'
+        - type: object
+          properties:
+            id:
+              description: Policy rule ID
+              type: string
+              example: ch8i4ug6lnn4g9hqv7mg
+            sources:
+              description: Policy rule source group IDs
+              type: array
+              items:
+                type: string
+                example: "ch8i4ug6lnn4g9hqv797"
+            destinations:
+              description: Policy rule destination group IDs
+              type: array
+              items:
+                type: string
+                example: "ch8i4ug6lnn4g9h7v7m0"
+          required:
+            - sources
+            - destinations
+
+    PolicyRuleCreate:
      allOf:
        - $ref: '#/components/schemas/PolicyRuleMinimum'
        - type: object
@@ -817,6 +838,10 @@ components:
        - $ref: '#/components/schemas/PolicyRuleMinimum'
        - type: object
          properties:
+            id:
+              description: Policy rule ID
+              type: string
+              example: ch8i4ug6lnn4g9hqv7mg
            sources:
              description: Policy rule source group IDs
              type: array
@@ -836,10 +861,6 @@ components:
    PolicyMinimum:
      type: object
      properties:
-        id:
-          description: Policy ID
-          type: string
-          example: ch8i4ug6lnn4g9hqv7mg
        name:
          description: Policy name identifier
          type: string
@@ -854,7 +875,6 @@ components:
          example: true
      required:
        - name
-        - description
        - enabled
    PolicyUpdate:
      allOf:
@@ -874,11 +894,33 @@ components:
                $ref: '#/components/schemas/PolicyRuleUpdate'
          required:
            - rules
+    PolicyCreate:
+      allOf:
+        - $ref: '#/components/schemas/PolicyMinimum'
+        - type: object
+          properties:
+            source_posture_checks:
+              description: Posture checks ID's applied to policy source groups
+              type: array
+              items:
+                type: string
+                example: "chacdk86lnnboviihd70"
+            rules:
+              description: Policy rule object for policy UI editor
+              type: array
+              items:
+                $ref: '#/components/schemas/PolicyRuleUpdate'
+          required:
+            - rules
    Policy:
      allOf:
        - $ref: '#/components/schemas/PolicyMinimum'
        - type: object
          properties:
+            id:
+              description: Policy ID
+              type: string
+              example: ch8i4ug6lnn4g9hqv7mg
            source_posture_checks:
              description: Posture checks ID's applied to policy source groups
              type: array
@@ -2463,7 +2505,7 @@ paths:
        content:
          'application/json':
            schema:
-              $ref: '#/components/schemas/PolicyUpdate'
+              $ref: '#/components/schemas/PolicyCreate'
      responses:
        '200':
          description: A Policy object
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -879,7 +879,7 @@ type PersonalAccessTokenRequest struct {
 // Policy defines model for Policy.
 type Policy struct {
 	// Description Policy friendly description
-	Description string `json:"description"`
+	Description *string `json:"description,omitempty"`

 	// Enabled Policy status
 	Enabled bool `json:"enabled"`
@@ -897,16 +897,31 @@ type Policy struct {
 	SourcePostureChecks []string `json:"source_posture_checks"`
 }

-// PolicyMinimum defines model for PolicyMinimum.
-type PolicyMinimum struct {
+// PolicyCreate defines model for PolicyCreate.
+type PolicyCreate struct {
 	// Description Policy friendly description
-	Description string `json:"description"`
+	Description *string `json:"description,omitempty"`

 	// Enabled Policy status
 	Enabled bool `json:"enabled"`

-	// Id Policy ID
-	Id *string `json:"id,omitempty"`
+	// Name Policy name identifier
+	Name string `json:"name"`
+
+	// Rules Policy rule object for policy UI editor
+	Rules []PolicyRuleUpdate `json:"rules"`
+
+	// SourcePostureChecks Posture checks ID's applied to policy source groups
+	SourcePostureChecks *[]string `json:"source_posture_checks,omitempty"`
+}
+
+// PolicyMinimum defines model for PolicyMinimum.
+type PolicyMinimum struct {
+	// Description Policy friendly description
+	Description *string `json:"description,omitempty"`
+
+	// Enabled Policy status
+	Enabled bool `json:"enabled"`

 	// Name Policy name identifier
 	Name string `json:"name"`
@@ -970,9 +985,6 @@ type PolicyRuleMinimum struct {
 	// Enabled Policy rule status
 	Enabled bool `json:"enabled"`

-	// Id Policy rule ID
-	Id *string `json:"id,omitempty"`
-
 	// Name Policy rule name identifier
 	Name string `json:"name"`

@@ -1039,14 +1051,11 @@ type PolicyRuleUpdateProtocol string
 // PolicyUpdate defines model for PolicyUpdate.
 type PolicyUpdate struct {
 	// Description Policy friendly description
-	Description string `json:"description"`
+	Description *string `json:"description,omitempty"`

 	// Enabled Policy status
 	Enabled bool `json:"enabled"`

-	// Id Policy ID
-	Id *string `json:"id,omitempty"`
-
 	// Name Policy name identifier
 	Name string `json:"name"`

@@ -1473,7 +1482,7 @@ type PutApiPeersPeerIdJSONRequestBody = PeerRequest
 type PostApiPoliciesJSONRequestBody = PolicyUpdate

 // PutApiPoliciesPolicyIdJSONRequestBody defines body for PutApiPoliciesPolicyId for application/json ContentType.
-type PutApiPoliciesPolicyIdJSONRequestBody = PolicyUpdate
+type PutApiPoliciesPolicyIdJSONRequestBody = PolicyCreate

 // PostApiPostureChecksJSONRequestBody defines body for PostApiPostureChecks for application/json ContentType.
 type PostApiPostureChecksJSONRequestBody = PostureCheckUpdate
--- a/management/server/http/handlers/policies/policies_handler.go
+++ b/management/server/http/handlers/policies/policies_handler.go
@@ -133,16 +133,21 @@ func (h *handler) savePolicy(w http.ResponseWriter, r *http.Request, accountID s
 		return
 	}

+	description := ""
+	if req.Description != nil {
+		description = *req.Description
+	}
+
 	policy := &types.Policy{
 		ID:          policyID,
 		AccountID:   accountID,
 		Name:        req.Name,
 		Enabled:     req.Enabled,
-		Description: req.Description,
+		Description: description,
 	}
 	for _, rule := range req.Rules {
 		var ruleID string
-		if rule.Id != nil {
+		if rule.Id != nil && policyID != "" {
 			ruleID = *rule.Id
 		}

@@ -370,7 +375,7 @@ func toPolicyResponse(groups []*types.Group, policy *types.Policy) *api.Policy {
 	ap := &api.Policy{
 		Id:                  &policy.ID,
 		Name:                policy.Name,
-		Description:         policy.Description,
+		Description:         &policy.Description,
 		Enabled:             policy.Enabled,
 		SourcePostureChecks: policy.SourcePostureChecks,
 	}
--- a/management/server/http/handlers/policies/policies_handler_test.go
+++ b/management/server/http/handlers/policies/policies_handler_test.go
@@ -154,6 +154,7 @@ func TestPoliciesGetPolicy(t *testing.T) {

 func TestPoliciesWritePolicy(t *testing.T) {
 	str := func(s string) *string { return &s }
+	emptyString := ""
 	tt := []struct {
 		name           string
 		expectedStatus int
@@ -184,8 +185,9 @@ func TestPoliciesWritePolicy(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedPolicy: &api.Policy{
-				Id:   str("id-was-set"),
-				Name: "Default POSTed Policy",
+				Id:          str("id-was-set"),
+				Name:        "Default POSTed Policy",
+				Description: &emptyString,
 				Rules: []api.PolicyRule{
 					{
 						Id:            str("id-was-set"),
@@ -232,8 +234,9 @@ func TestPoliciesWritePolicy(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedPolicy: &api.Policy{
-				Id:   str("id-existed"),
-				Name: "Default POSTed Policy",
+				Id:          str("id-existed"),
+				Name:        "Default POSTed Policy",
+				Description: &emptyString,
 				Rules: []api.PolicyRule{
 					{
 						Id:            str("id-existed"),
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -1319,6 +1319,18 @@ func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID st
 			}
 		}

+		if !addSourcePeers {
+			var peerPostureChecks []string
+			for _, policy := range resourcePolicies[resource.ID] {
+				peerPostureChecks = append(peerPostureChecks, policy.SourcePostureChecks...)
+			}
+
+			isValid := a.validatePostureChecksOnPeer(ctx, peerPostureChecks, peerID)
+			if !isValid {
+				continue
+			}
+		}
+
 		for _, policy := range resourcePolicies[resource.ID] {
 			for _, sourceGroup := range policy.SourceGroups() {
 				group := a.GetGroup(sourceGroup)
Author	SHA1	Message	Date
bcmmbaga	feb8e90ae1	Evaluate all applied posture checks on source peers only Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 23:28:34 +03:00
bcmmbaga	076d6d8a87	Evaluate all applied posture checks once Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 22:12:47 +03:00
bcmmbaga	c8c25221bd	Apply policy posture checks on peer Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 21:49:28 +03:00
Pascal Fischer	fbce8bb511	[management] remove ids from policy creation api (#2997 )	2024-12-27 14:13:36 +01:00
Bethuel Mmbaga	445b626dc8	[management] Add missing group usage checks for network resources and routes access control (#3117 ) * Prevent deletion of groups linked to routes access control groups Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Prevent deletion of groups linked to network resource Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 14:39:34 +03:00