diff --git a/hscontrol/policy/acls.go b/hscontrol/policy/acls.go index d3ad12f..35580aa 100644 --- a/hscontrol/policy/acls.go +++ b/hscontrol/policy/acls.go @@ -128,7 +128,7 @@ func GenerateFilterRules( return tailcfg.FilterAllowAll, &tailcfg.SSHPolicy{}, nil } - rules, err := policy.generateFilterRules(append(peers, *machine), stripEmailDomain) + rules, err := policy.generateFilterRules(machine, peers, stripEmailDomain) if err != nil { return []tailcfg.FilterRule{}, &tailcfg.SSHPolicy{}, err } @@ -152,10 +152,12 @@ func GenerateFilterRules( // generateFilterRules takes a set of machines and an ACLPolicy and generates a // set of Tailscale compatible FilterRules used to allow traffic on clients. func (pol *ACLPolicy) generateFilterRules( - machines types.Machines, + machine *types.Machine, + peers types.Machines, stripEmailDomain bool, ) ([]tailcfg.FilterRule, error) { rules := []tailcfg.FilterRule{} + machines := append(peers, *machine) for index, acl := range pol.ACLs { if acl.Action != "accept" { diff --git a/hscontrol/policy/acls_test.go b/hscontrol/policy/acls_test.go index d7f5932..5652e8c 100644 --- a/hscontrol/policy/acls_test.go +++ b/hscontrol/policy/acls_test.go @@ -199,7 +199,7 @@ func (s *Suite) TestRuleInvalidGeneration(c *check.C) { c.Assert(pol.ACLs, check.HasLen, 6) c.Assert(err, check.IsNil) - rules, err := pol.generateFilterRules(types.Machines{}, false) + rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false) c.Assert(err, check.NotNil) c.Assert(rules, check.IsNil) } @@ -230,7 +230,7 @@ func (s *Suite) TestBasicRule(c *check.C) { pol, err := LoadACLPolicyFromBytes(acl, "hujson") c.Assert(err, check.IsNil) - rules, err := pol.generateFilterRules(types.Machines{}, false) + rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false) c.Assert(err, check.IsNil) c.Assert(rules, check.NotNil) } @@ -310,7 +310,7 @@ func (s *Suite) TestPortRange(c *check.C) { c.Assert(err, check.IsNil) c.Assert(pol, check.NotNil) - rules, err := pol.generateFilterRules(types.Machines{}, false) + rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false) c.Assert(err, check.IsNil) c.Assert(rules, check.NotNil) @@ -366,7 +366,7 @@ func (s *Suite) TestProtocolParsing(c *check.C) { c.Assert(err, check.IsNil) c.Assert(pol, check.NotNil) - rules, err := pol.generateFilterRules(types.Machines{}, false) + rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false) c.Assert(err, check.IsNil) c.Assert(rules, check.NotNil) @@ -401,7 +401,7 @@ func (s *Suite) TestPortWildcard(c *check.C) { c.Assert(err, check.IsNil) c.Assert(pol, check.NotNil) - rules, err := pol.generateFilterRules(types.Machines{}, false) + rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false) c.Assert(err, check.IsNil) c.Assert(rules, check.NotNil) @@ -428,7 +428,7 @@ acls: c.Assert(err, check.IsNil) c.Assert(pol, check.NotNil) - rules, err := pol.generateFilterRules(types.Machines{}, false) + rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false) c.Assert(err, check.IsNil) c.Assert(rules, check.NotNil) @@ -459,7 +459,7 @@ acls: c.Assert(err, check.IsNil) c.Assert(pol, check.NotNil) - rules, err := pol.generateFilterRules(types.Machines{}, false) + rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false) c.Assert(err, check.IsNil) c.Assert(rules, check.NotNil) @@ -1620,7 +1620,8 @@ func TestACLPolicy_generateFilterRules(t *testing.T) { pol ACLPolicy } type args struct { - machines types.Machines + machine types.Machine + peers types.Machines stripEmailDomain bool } tests := []struct { @@ -1651,7 +1652,8 @@ func TestACLPolicy_generateFilterRules(t *testing.T) { }, }, args: args{ - machines: types.Machines{}, + machine: types.Machine{}, + peers: types.Machines{}, stripEmailDomain: true, }, want: []tailcfg.FilterRule{ @@ -1691,14 +1693,14 @@ func TestACLPolicy_generateFilterRules(t *testing.T) { }, }, args: args{ - machines: types.Machines{ - { - IPAddresses: types.MachineAddresses{ - netip.MustParseAddr("100.64.0.1"), - netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"), - }, - User: types.User{Name: "mickael"}, + machine: types.Machine{ + IPAddresses: types.MachineAddresses{ + netip.MustParseAddr("100.64.0.1"), + netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"), }, + User: types.User{Name: "mickael"}, + }, + peers: types.Machines{ { IPAddresses: types.MachineAddresses{ netip.MustParseAddr("100.64.0.2"), @@ -1739,7 +1741,8 @@ func TestACLPolicy_generateFilterRules(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got, err := tt.field.pol.generateFilterRules( - tt.args.machines, + &tt.args.machine, + tt.args.peers, tt.args.stripEmailDomain, ) if (err != nil) != tt.wantErr {