Fixed linting issues
This commit is contained in:
parent
d446e8a2fb
commit
19443669bf
4 changed files with 28 additions and 17 deletions
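--- a/acls.go
+++ b/acls.go
@@ -22,7 +22,8 @@ const errorInvalidTag = Error("invalid tag")
 const errorInvalidNamespace = Error("invalid namespace")
 const errorInvalidPortFormat = Error("invalid port format")
 
-func (h *Headscale) LoadAclPolicy(path string) error {
+// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules
+func (h *Headscale) LoadACLPolicy(path string) error {
 policyFile, err := os.Open(path)
 if err != nil {
 return err
@@ -35,6 +36,9 @@ func (h *Headscale) LoadAclPolicy(path string) error {
 return err
 }
 err = hujson.Unmarshal(b, &policy)
+if err != nil {
+return err
+}
 if policy.IsZero() {
 return errorEmptyPolicy
 }
@@ -61,7 +65,7 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
 srcIPs := []string{}
 for j, u := range a.Users {
 fmt.Printf("acl %d, user %d: ", i, j)
-srcs, err := h.generateAclPolicySrcIP(u)
+srcs, err := h.generateACLPolicySrcIP(u)
 fmt.Printf(" -> %s\n", err)
 if err != nil {
 return nil, err
@@ -73,7 +77,7 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
 destPorts := []tailcfg.NetPortRange{}
 for j, d := range a.Ports {
 fmt.Printf("acl %d, port %d: ", i, j)
-dests, err := h.generateAclPolicyDestPorts(d)
+dests, err := h.generateACLPolicyDestPorts(d)
 fmt.Printf(" -> %s\n", err)
 if err != nil {
 return nil, err
@@ -90,11 +94,11 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
 return &rules, nil
 }
 
-func (h *Headscale) generateAclPolicySrcIP(u string) (*[]string, error) {
+func (h *Headscale) generateACLPolicySrcIP(u string) (*[]string, error) {
 return h.expandAlias(u)
 }
 
-func (h *Headscale) generateAclPolicyDestPorts(d string) (*[]tailcfg.NetPortRange, error) {
+func (h *Headscale) generateACLPolicyDestPorts(d string) (*[]tailcfg.NetPortRange, error) {
 tokens := strings.Split(d, ":")
 if len(tokens) < 2 || len(tokens) > 3 {
 return nil, errorInvalidPortFormat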
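Review bot: The `fmt.Printf(" -> %s\n", err)` lines in generateACLRules (hunks @ -61 and @ -73) print the error before it is checked, so every successful alias or port expansion writes ` -> %!s(<nil>)` to stdout, and this debug output survives the rename into the new code; either drop the two Printf pairs or move the error print inside the `if err != nil` branch. The new doc comment on LoadACLPolicy reads `the specify path`; suggest `// LoadACLPolicy loads the ACL policy from the specified path and generates the ACL rules.` The body of LoadACLPolicy continues outside the hunk, so whether policyFile is closed on each return path is not visible here.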
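--- a/acls_test.go
+++ b/acls_test.go
@@ -5,18 +5,18 @@ import (
 )
 
 func (s *Suite) TestWrongPath(c *check.C) {
-err := h.LoadAclPolicy("asdfg")
+err := h.LoadACLPolicy("asdfg")
 c.Assert(err, check.NotNil)
 }
 
 func (s *Suite) TestBrokenHuJson(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/broken.hujson")
+err := h.LoadACLPolicy("./tests/acls/broken.hujson")
 c.Assert(err, check.NotNil)
 
 }
 
 func (s *Suite) TestInvalidPolicyHuson(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/invalid.hujson")
+err := h.LoadACLPolicy("./tests/acls/invalid.hujson")
 c.Assert(err, check.NotNil)
 c.Assert(err, check.Equals, errorEmptyPolicy)
 }
@@ -36,13 +36,13 @@ func (s *Suite) TestParseInvalidCIDR(c *check.C) {
 }
 
 func (s *Suite) TestCheckLoaded(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/acl_policy_1.hujson")
+err := h.LoadACLPolicy("./tests/acls/acl_policy_1.hujson")
 c.Assert(err, check.IsNil)
 c.Assert(h.aclPolicy, check.NotNil)
 }
 
 func (s *Suite) TestValidCheckParsedHosts(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/acl_policy_1.hujson")
+err := h.LoadACLPolicy("./tests/acls/acl_policy_1.hujson")
 c.Assert(err, check.IsNil)
 c.Assert(h.aclPolicy, check.NotNil)
 c.Assert(h.aclPolicy.IsZero(), check.Equals, false)
@@ -50,7 +50,7 @@ func (s *Suite) TestValidCheckParsedHosts(c *check.C) {
 }
 
 func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/acl_policy_invalid.hujson")
+err := h.LoadACLPolicy("./tests/acls/acl_policy_invalid.hujson")
 c.Assert(err, check.IsNil)
 
 rules, err := h.generateACLRules()
@@ -59,7 +59,7 @@ func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
 }
 
 func (s *Suite) TestBasicRule(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_1.hujson")
+err := h.LoadACLPolicy("./tests/acls/acl_policy_basic_1.hujson")
 c.Assert(err, check.IsNil)
 
 rules, err := h.generateACLRules()
@@ -68,7 +68,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
 }
 
 func (s *Suite) TestPortRange(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_range.hujson")
+err := h.LoadACLPolicy("./tests/acls/acl_policy_basic_range.hujson")
 c.Assert(err, check.IsNil)
 
 rules, err := h.generateACLRules()
@@ -82,7 +82,7 @@ func (s *Suite) TestPortRange(c *check.C) {
 }
 
 func (s *Suite) TestPortWildcard(c *check.C) {
-err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
+err := h.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
 c.Assert(err, check.IsNil)
 
 rules, err := h.generateACLRules()
@@ -126,7 +126,7 @@ func (s *Suite) TestPortNamespace(c *check.C) {
 }
 db.Save(&m)
 
-err = h.LoadAclPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson")
+err = h.LoadACLPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson")
 c.Assert(err, check.IsNil)
 
 rules, err := h.generateACLRules()
@@ -171,7 +171,7 @@ func (s *Suite) TestPortGroup(c *check.C) {
 }
 db.Save(&m)
 
-err = h.LoadAclPolicy("./tests/acls/acl_policy_basic_groups.hujson")
+err = h.LoadACLPolicy("./tests/acls/acl_policy_basic_groups.hujson")
 c.Assert(err, check.IsNil)
 
 rules, err := h.generateACLRules()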
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"inet.af/netaddr"
|
"inet.af/netaddr"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// ACLPolicy represents a Tailscale ACL Policy
|
||||||
type ACLPolicy struct {
|
type ACLPolicy struct {
|
||||||
Groups Groups `json:"Groups"`
|
Groups Groups `json:"Groups"`
|
||||||
Hosts Hosts `json:"Hosts"`
|
Hosts Hosts `json:"Hosts"`
|
||||||
|
@ -15,24 +16,30 @@ type ACLPolicy struct {
|
||||||
Tests []ACLTest `json:"Tests"`
|
Tests []ACLTest `json:"Tests"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ACL is a basic rule for the ACL Policy
|
||||||
type ACL struct {
|
type ACL struct {
|
||||||
Action string `json:"Action"`
|
Action string `json:"Action"`
|
||||||
Users []string `json:"Users"`
|
Users []string `json:"Users"`
|
||||||
Ports []string `json:"Ports"`
|
Ports []string `json:"Ports"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Groups references a series of alias in the ACL rules
|
||||||
type Groups map[string][]string
|
type Groups map[string][]string
|
||||||
|
|
||||||
|
// Hosts are alias for IP addresses or subnets
|
||||||
type Hosts map[string]netaddr.IPPrefix
|
type Hosts map[string]netaddr.IPPrefix
|
||||||
|
|
||||||
|
// TagOwners specify what users (namespaces?) are allow to use certain tags
|
||||||
type TagOwners map[string][]string
|
type TagOwners map[string][]string
|
||||||
|
|
||||||
|
// ACLTest is not implemented, but should be use to check if a certain rule is allowed
|
||||||
type ACLTest struct {
|
type ACLTest struct {
|
||||||
User string `json:"User"`
|
User string `json:"User"`
|
||||||
Allow []string `json:"Allow"`
|
Allow []string `json:"Allow"`
|
||||||
Deny []string `json:"Deny,omitempty"`
|
Deny []string `json:"Deny,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// UnmarshalJSON allows to parse the Hosts directly into netaddr objects
|
||||||
func (h *Hosts) UnmarshalJSON(data []byte) error {
|
func (h *Hosts) UnmarshalJSON(data []byte) error {
|
||||||
hosts := Hosts{}
|
hosts := Hosts{}
|
||||||
hs := make(map[string]string)
|
hs := make(map[string]string)
|
||||||
|
|
|
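Review bot: The new doc comment on TagOwners in hunk @ -15,24 reads `what users (namespaces?) are allow to use certain tags`, which leaves an open question in the exported type's documentation and has a grammar slip; suggest `// TagOwners specifies which users are allowed to use certain tags.` and tracking the namespaces question in a separate TODO comment. The ACLTest comment similarly reads `should be use`; suggest `// ACLTest is not implemented yet; it is intended to check whether a given rule is allowed.` The UnmarshalJSON body at the end of this hunk continues outside it.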
@ -121,7 +121,7 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// We are doing this here, as in the future could be cool to have it also hot-reload
|
// We are doing this here, as in the future could be cool to have it also hot-reload
|
||||||
err = h.LoadAclPolicy(absPath(viper.GetString("acl_policy_path")))
|
err = h.LoadACLPolicy(absPath(viper.GetString("acl_policy_path")))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Could not load the ACL policy: %s", err)
|
log.Printf("Could not load the ACL policy: %s", err)
|
||||||
}
|
}
|
||||||
|
|