Add test for autoApprovers feature
This commit is contained in:
parent
7653ad40d6
commit
60cc9ddb3b
4 changed files with 83 additions and 25 deletions
38
machine.go
38
machine.go
|
@ -945,9 +945,9 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
|
||||||
continue // Skip routes that are already enabled for the node
|
continue // Skip routes that are already enabled for the node
|
||||||
}
|
}
|
||||||
|
|
||||||
approved := false
|
routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(
|
||||||
routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(advertisedRoute)
|
advertisedRoute,
|
||||||
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).
|
log.Err(err).
|
||||||
Str("advertisedRoute", advertisedRoute.String()).
|
Str("advertisedRoute", advertisedRoute.String()).
|
||||||
|
@ -957,26 +957,22 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, approvedAlias := range routeApprovers {
|
for _, approvedAlias := range routeApprovers {
|
||||||
|
if approvedAlias == machine.Namespace.Name {
|
||||||
|
approvedRoutes = append(approvedRoutes, advertisedRoute)
|
||||||
|
} else {
|
||||||
|
approvedIps, err := expandAlias(thisMachine, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
|
||||||
|
if err != nil {
|
||||||
|
log.Err(err).
|
||||||
|
Str("alias", approvedAlias).
|
||||||
|
Msg("Failed to expand alias when processing autoApprovers policy")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
approvedIps, err := expandAlias(thisMachine, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
|
// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
|
||||||
|
if contains(approvedIps, machine.IPAddresses[0].String()) {
|
||||||
if err != nil {
|
approvedRoutes = append(approvedRoutes, advertisedRoute)
|
||||||
log.Err(err).
|
}
|
||||||
Str("alias", approvedAlias).
|
|
||||||
Msg("Failed to expand alias when processing autoApprovers policy")
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
|
|
||||||
approved = contains(approvedIps, machine.IPAddresses[0].String())
|
|
||||||
|
|
||||||
if approved {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if approved {
|
|
||||||
approvedRoutes = append(approvedRoutes, advertisedRoute)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
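Review bot: With the `approved` flag and its `break` gone, a route whose approver list matches the machine through more than one alias (for example both the namespace name and a group that contains it) is appended to `approvedRoutes` once per matching alias, whereas the old loop stopped at the first match. Unless the code that consumes `approvedRoutes` after the loop (outside the hunk) deduplicates, the route is enabled twice; the new fixture gives each route exactly one approver, so the added test does not exercise this. Placing `break` directly after each `approvedRoutes = append(approvedRoutes, advertisedRoute)` restores the single-append behaviour and also avoids further `expandAlias` calls once a match is found. The pre-existing `machine.IPAddresses[0]` index is kept without a length guard, so a machine stored with no addresses would panic here instead of being reported; a check before the loop such as `if len(machine.IPAddresses) == 0 { return fmt.Errorf("machine %d has no IP addresses", machine.ID) }` would be safer. EnableAutoApprovedRoutes begins and ends outside the hunk.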
@ -1051,3 +1051,44 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *Suite) TestAutoApproveRoutes(c *check.C) {
|
||||||
|
err := app.LoadACLPolicy("./tests/acls/acl_policy_autoapprovers.hujson")
|
||||||
|
c.Assert(err, check.IsNil)
|
||||||
|
|
||||||
|
namespace, err := app.CreateNamespace("test")
|
||||||
|
c.Assert(err, check.IsNil)
|
||||||
|
|
||||||
|
pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
|
||||||
|
c.Assert(err, check.IsNil)
|
||||||
|
|
||||||
|
nodeKey := key.NewNode()
|
||||||
|
|
||||||
|
defaultRoute := netaddr.MustParseIPPrefix("0.0.0.0/0")
|
||||||
|
route1 := netaddr.MustParseIPPrefix("10.10.0.0/16")
|
||||||
|
route2 := netaddr.MustParseIPPrefix("10.11.0.0/16")
|
||||||
|
|
||||||
|
machine := Machine{
|
||||||
|
ID: 0,
|
||||||
|
MachineKey: "foo",
|
||||||
|
NodeKey: NodePublicKeyStripPrefix(nodeKey.Public()),
|
||||||
|
DiscoKey: "faa",
|
||||||
|
Hostname: "test",
|
||||||
|
NamespaceID: namespace.ID,
|
||||||
|
RegisterMethod: RegisterMethodAuthKey,
|
||||||
|
AuthKeyID: uint(pak.ID),
|
||||||
|
HostInfo: HostInfo{
|
||||||
|
RequestTags: []string{"tag:exit"},
|
||||||
|
RoutableIPs: []netaddr.IPPrefix{defaultRoute, route1, route2},
|
||||||
|
},
|
||||||
|
IPAddresses: []netaddr.IP{netaddr.MustParseIP("100.64.0.1")},
|
||||||
|
}
|
||||||
|
|
||||||
|
app.db.Save(&machine)
|
||||||
|
|
||||||
|
machine0ByID, err := app.GetMachineByID(0)
|
||||||
|
c.Assert(err, check.IsNil)
|
||||||
|
|
||||||
|
app.EnableAutoApprovedRoutes(machine0ByID)
|
||||||
|
c.Assert(machine0ByID.GetEnabledRoutes(), check.HasLen, 3)
|
||||||
|
}
|
||||||
|
|
|
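Review bot: The return value of `app.EnableAutoApprovedRoutes(machine0ByID)` is discarded, so when approval fails the test only reports a length mismatch instead of the underlying error; use `err = app.EnableAutoApprovedRoutes(machine0ByID)` followed by `c.Assert(err, check.IsNil)`. The result of `app.db.Save(&machine)` is likewise unchecked; if this is the gorm handle it appears to be, asserting its `.Error` is nil keeps a failed insert from being mistaken for an approval bug. `check.HasLen, 3` confirms the count but not which routes were enabled; asserting that `GetEnabledRoutes()` contains exactly `defaultRoute`, `route1` and `route2` would pin that the tag, group and namespace-name approvers each took effect. Note that `LoadACLPolicy` mutates the shared `app`, so later tests in the suite run under this policy unless it is reset.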
@ -44,10 +44,7 @@ func (h *Headscale) handlePollCommon(
|
||||||
}
|
}
|
||||||
|
|
||||||
// update routes with peer information
|
// update routes with peer information
|
||||||
err = h.EnableAutoApprovedRoutes(machine)
|
h.EnableAutoApprovedRoutes(machine)
|
||||||
if err != nil {
|
|
||||||
//TODO
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// From Tailscale client:
|
// From Tailscale client:
|
||||||
|
|
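Review bot: The error from `h.EnableAutoApprovedRoutes(machine)` is now dropped entirely, where the removed branch at least marked it as a TODO. A failure here (for example an alias that cannot be expanded under the loaded policy) leaves the node's routes unapproved with no log line, which is hard for an operator to diagnose. If the zerolog logger used in machine.go is in scope in this file, `if err := h.EnableAutoApprovedRoutes(machine); err != nil { log.Error().Err(err).Str("hostname", machine.Hostname).Msg("Failed to auto-approve routes") }` keeps poll handling best-effort while surfacing the cause. handlePollCommon starts before and ends after the hunk, so whether returning the error instead is appropriate cannot be judged from here.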
24
tests/acls/acl_policy_autoapprovers.hujson
Normal file
24
tests/acls/acl_policy_autoapprovers.hujson
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
// This ACL validates autoApprovers support for
|
||||||
|
// exit nodes and advertised routes
|
||||||
|
|
||||||
|
{
|
||||||
|
"tagOwners": {
|
||||||
|
"tag:exit": ["test"],
|
||||||
|
},
|
||||||
|
|
||||||
|
"groups": {
|
||||||
|
"group:test": ["test"]
|
||||||
|
},
|
||||||
|
|
||||||
|
"acls": [
|
||||||
|
{"action": "accept", "users": ["*"], "ports": ["*:*"]},
|
||||||
|
],
|
||||||
|
|
||||||
|
"autoApprovers": {
|
||||||
|
"exitNode": ["tag:exit"],
|
||||||
|
"routes": {
|
||||||
|
"10.10.0.0/16": ["group:test"],
|
||||||
|
"10.11.0.0/16": ["test"],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
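Review bot: The fixture deliberately approves `10.10.0.0/16` through a group and `10.11.0.0/16` through the bare namespace name `test`, which exercises both branches of the new approver loop, but nothing in the file says so; a comment such as `// 10.10.0.0/16 is approved via group expansion, 10.11.0.0/16 via a direct namespace match` next to `"routes"` would keep a later edit from collapsing them into one form. Trailing commas follow `"tag:exit": ["test"]` and `"10.11.0.0/16": ["test"]` but not `"group:test": ["test"]`; hujson accepts both, so one style should be used throughout.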