simplify expandAlias function, move seperate logic out
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
parent
b23a9153df
commit
6de53e2f8d
4 changed files with 266 additions and 175 deletions
261
acls.go
261
acls.go
|
@ -338,9 +338,8 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
|
||||||
|
|
||||||
principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
|
principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
|
||||||
for innerIndex, rawSrc := range sshACL.Sources {
|
for innerIndex, rawSrc := range sshACL.Sources {
|
||||||
expandedSrcs, err := expandAlias(
|
expandedSrcs, err := h.aclPolicy.expandAlias(
|
||||||
machines,
|
machines,
|
||||||
*h.aclPolicy,
|
|
||||||
rawSrc,
|
rawSrc,
|
||||||
h.cfg.OIDC.StripEmaildomain,
|
h.cfg.OIDC.StripEmaildomain,
|
||||||
)
|
)
|
||||||
|
@ -391,16 +390,16 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
|
||||||
|
|
||||||
func generateACLPolicySrc(
|
func generateACLPolicySrc(
|
||||||
machines []Machine,
|
machines []Machine,
|
||||||
aclPolicy ACLPolicy,
|
pol ACLPolicy,
|
||||||
src string,
|
src string,
|
||||||
stripEmaildomain bool,
|
stripEmaildomain bool,
|
||||||
) ([]string, error) {
|
) ([]string, error) {
|
||||||
return expandAlias(machines, aclPolicy, src, stripEmaildomain)
|
return pol.expandAlias(machines, src, stripEmaildomain)
|
||||||
}
|
}
|
||||||
|
|
||||||
func generateACLPolicyDest(
|
func generateACLPolicyDest(
|
||||||
machines []Machine,
|
machines []Machine,
|
||||||
aclPolicy ACLPolicy,
|
pol ACLPolicy,
|
||||||
dest string,
|
dest string,
|
||||||
needsWildcard bool,
|
needsWildcard bool,
|
||||||
stripEmaildomain bool,
|
stripEmaildomain bool,
|
||||||
|
@ -448,9 +447,8 @@ func generateACLPolicyDest(
|
||||||
alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
|
alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
|
||||||
}
|
}
|
||||||
|
|
||||||
expanded, err := expandAlias(
|
expanded, err := pol.expandAlias(
|
||||||
machines,
|
machines,
|
||||||
aclPolicy,
|
|
||||||
alias,
|
alias,
|
||||||
stripEmaildomain,
|
stripEmaildomain,
|
||||||
)
|
)
|
||||||
|
@ -534,13 +532,11 @@ func parseProtocol(protocol string) ([]int, bool, error) {
|
||||||
// - an ip
|
// - an ip
|
||||||
// - a cidr
|
// - a cidr
|
||||||
// and transform these in IPAddresses.
|
// and transform these in IPAddresses.
|
||||||
func expandAlias(
|
func (pol *ACLPolicy) expandAlias(
|
||||||
machines Machines,
|
machines Machines,
|
||||||
aclPolicy ACLPolicy,
|
|
||||||
alias string,
|
alias string,
|
||||||
stripEmailDomain bool,
|
stripEmailDomain bool,
|
||||||
) ([]string, error) {
|
) ([]string, error) {
|
||||||
ips := []string{}
|
|
||||||
if alias == "*" {
|
if alias == "*" {
|
||||||
return []string{"*"}, nil
|
return []string{"*"}, nil
|
||||||
}
|
}
|
||||||
|
@ -549,120 +545,48 @@ func expandAlias(
|
||||||
Str("alias", alias).
|
Str("alias", alias).
|
||||||
Msg("Expanding")
|
Msg("Expanding")
|
||||||
|
|
||||||
|
// if alias is a group
|
||||||
if strings.HasPrefix(alias, "group:") {
|
if strings.HasPrefix(alias, "group:") {
|
||||||
users, err := expandGroup(aclPolicy, alias, stripEmailDomain)
|
return pol.getIPsFromGroup(alias, machines, stripEmailDomain)
|
||||||
if err != nil {
|
|
||||||
return ips, err
|
|
||||||
}
|
|
||||||
for _, n := range users {
|
|
||||||
nodes := filterMachinesByUser(machines, n)
|
|
||||||
for _, node := range nodes {
|
|
||||||
ips = append(ips, node.IPAddresses.ToStringSlice()...)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return ips, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// if alias is a tag
|
||||||
if strings.HasPrefix(alias, "tag:") {
|
if strings.HasPrefix(alias, "tag:") {
|
||||||
// check for forced tags
|
return pol.getIPsFromTag(alias, machines, stripEmailDomain)
|
||||||
for _, machine := range machines {
|
|
||||||
if contains(machine.ForcedTags, alias) {
|
|
||||||
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// find tag owners
|
|
||||||
owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
|
|
||||||
if err != nil {
|
|
||||||
if errors.Is(err, errInvalidTag) {
|
|
||||||
if len(ips) == 0 {
|
|
||||||
return ips, fmt.Errorf(
|
|
||||||
"%w. %v isn't owned by a TagOwner and no forced tags are defined",
|
|
||||||
errInvalidTag,
|
|
||||||
alias,
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
return ips, nil
|
|
||||||
} else {
|
|
||||||
return ips, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// filter out machines per tag owner
|
|
||||||
for _, user := range owners {
|
|
||||||
machines := filterMachinesByUser(machines, user)
|
|
||||||
for _, machine := range machines {
|
|
||||||
hi := machine.GetHostInfo()
|
|
||||||
if contains(hi.RequestTags, alias) {
|
|
||||||
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return ips, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// if alias is a user
|
// if alias is a user
|
||||||
nodes := filterMachinesByUser(machines, alias)
|
if ips := pol.getIPsForUser(alias, machines, stripEmailDomain); len(ips) > 0 {
|
||||||
nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
|
|
||||||
|
|
||||||
for _, n := range nodes {
|
|
||||||
ips = append(ips, n.IPAddresses.ToStringSlice()...)
|
|
||||||
}
|
|
||||||
if len(ips) > 0 {
|
|
||||||
return ips, nil
|
return ips, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// if alias is an host
|
// if alias is an host
|
||||||
if h, ok := aclPolicy.Hosts[alias]; ok {
|
if h, ok := pol.Hosts[alias]; ok {
|
||||||
log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
|
log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
|
||||||
|
|
||||||
return expandAlias(machines, aclPolicy, h.String(), stripEmailDomain)
|
return pol.expandAlias(machines, h.String(), stripEmailDomain)
|
||||||
}
|
}
|
||||||
|
|
||||||
// if alias is an IP
|
// if alias is an IP
|
||||||
if ip, err := netip.ParseAddr(alias); err == nil {
|
if ip, err := netip.ParseAddr(alias); err == nil {
|
||||||
log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
|
return pol.getIPsFromSingleIP(ip, machines)
|
||||||
ips := []string{ip.String()}
|
|
||||||
matches := machines.FilterByIP(ip)
|
|
||||||
|
|
||||||
for _, machine := range matches {
|
|
||||||
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
|
|
||||||
}
|
|
||||||
|
|
||||||
return lo.Uniq(ips), nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if cidr, err := netip.ParsePrefix(alias); err == nil {
|
// if alias is an IP Prefix (CIDR)
|
||||||
log.Trace().Str("cidr", cidr.String()).Msg("expandAlias got cidr")
|
if prefix, err := netip.ParsePrefix(alias); err == nil {
|
||||||
val := []string{cidr.String()}
|
return pol.getIPsFromIPPrefix(prefix, machines)
|
||||||
// This is suboptimal and quite expensive, but if we only add the cidr, we will miss all the relevant IPv6
|
|
||||||
// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
|
|
||||||
for _, machine := range machines {
|
|
||||||
for _, ip := range machine.IPAddresses {
|
|
||||||
// log.Trace().
|
|
||||||
// Msgf("checking if machine ip (%s) is part of cidr (%s): %v, is single ip cidr (%v), addr: %s", ip.String(), cidr.String(), cidr.Contains(ip), cidr.IsSingleIP(), cidr.Addr().String())
|
|
||||||
if cidr.Contains(ip) {
|
|
||||||
val = append(val, machine.IPAddresses.ToStringSlice()...)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return lo.Uniq(val), nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Warn().Msgf("No IPs found with the alias %v", alias)
|
log.Warn().Msgf("No IPs found with the alias %v", alias)
|
||||||
|
|
||||||
return ips, nil
|
return []string{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
|
// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
|
||||||
// that are correctly tagged since they should not be listed as being in the user
|
// that are correctly tagged since they should not be listed as being in the user
|
||||||
// we assume in this function that we only have nodes from 1 user.
|
// we assume in this function that we only have nodes from 1 user.
|
||||||
func excludeCorrectlyTaggedNodes(
|
func excludeCorrectlyTaggedNodes(
|
||||||
aclPolicy ACLPolicy,
|
aclPolicy *ACLPolicy,
|
||||||
nodes []Machine,
|
nodes []Machine,
|
||||||
user string,
|
user string,
|
||||||
stripEmailDomain bool,
|
stripEmailDomain bool,
|
||||||
|
@ -670,7 +594,7 @@ func excludeCorrectlyTaggedNodes(
|
||||||
out := []Machine{}
|
out := []Machine{}
|
||||||
tags := []string{}
|
tags := []string{}
|
||||||
for tag := range aclPolicy.TagOwners {
|
for tag := range aclPolicy.TagOwners {
|
||||||
owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain)
|
owners, _ := getTagOwners(aclPolicy, user, stripEmailDomain)
|
||||||
ns := append(owners, user)
|
ns := append(owners, user)
|
||||||
if contains(ns, user) {
|
if contains(ns, user) {
|
||||||
tags = append(tags, tag)
|
tags = append(tags, tag)
|
||||||
|
@ -758,15 +682,15 @@ func filterMachinesByUser(machines []Machine, user string) []Machine {
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// expandTagOwners will return a list of user. An owner can be either a user or a group
|
// getTagOwners will return a list of user. An owner can be either a user or a group
|
||||||
// a group cannot be composed of groups.
|
// a group cannot be composed of groups.
|
||||||
func expandTagOwners(
|
func getTagOwners(
|
||||||
aclPolicy ACLPolicy,
|
pol *ACLPolicy,
|
||||||
tag string,
|
tag string,
|
||||||
stripEmailDomain bool,
|
stripEmailDomain bool,
|
||||||
) ([]string, error) {
|
) ([]string, error) {
|
||||||
var owners []string
|
var owners []string
|
||||||
ows, ok := aclPolicy.TagOwners[tag]
|
ows, ok := pol.TagOwners[tag]
|
||||||
if !ok {
|
if !ok {
|
||||||
return []string{}, fmt.Errorf(
|
return []string{}, fmt.Errorf(
|
||||||
"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
|
"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
|
||||||
|
@ -776,7 +700,7 @@ func expandTagOwners(
|
||||||
}
|
}
|
||||||
for _, owner := range ows {
|
for _, owner := range ows {
|
||||||
if strings.HasPrefix(owner, "group:") {
|
if strings.HasPrefix(owner, "group:") {
|
||||||
gs, err := expandGroup(aclPolicy, owner, stripEmailDomain)
|
gs, err := pol.getUsersInGroup(owner, stripEmailDomain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return []string{}, err
|
return []string{}, err
|
||||||
}
|
}
|
||||||
|
@ -789,15 +713,15 @@ func expandTagOwners(
|
||||||
return owners, nil
|
return owners, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// expandGroup will return the list of user inside the group
|
// getUsersInGroup will return the list of user inside the group
|
||||||
// after some validation.
|
// after some validation.
|
||||||
func expandGroup(
|
func (pol *ACLPolicy) getUsersInGroup(
|
||||||
aclPolicy ACLPolicy,
|
|
||||||
group string,
|
group string,
|
||||||
stripEmailDomain bool,
|
stripEmailDomain bool,
|
||||||
) ([]string, error) {
|
) ([]string, error) {
|
||||||
outGroups := []string{}
|
users := []string{}
|
||||||
aclGroups, ok := aclPolicy.Groups[group]
|
log.Trace().Caller().Interface("pol", pol).Msg("test")
|
||||||
|
aclGroups, ok := pol.Groups[group]
|
||||||
if !ok {
|
if !ok {
|
||||||
return []string{}, fmt.Errorf(
|
return []string{}, fmt.Errorf(
|
||||||
"group %v isn't registered. %w",
|
"group %v isn't registered. %w",
|
||||||
|
@ -820,8 +744,129 @@ func expandGroup(
|
||||||
errInvalidGroup,
|
errInvalidGroup,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
outGroups = append(outGroups, grp)
|
users = append(users, grp)
|
||||||
}
|
}
|
||||||
|
|
||||||
return outGroups, nil
|
return users, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pol *ACLPolicy) getIPsFromGroup(
|
||||||
|
group string,
|
||||||
|
machines Machines,
|
||||||
|
stripEmailDomain bool,
|
||||||
|
) ([]string, error) {
|
||||||
|
ips := []string{}
|
||||||
|
|
||||||
|
users, err := pol.getUsersInGroup(group, stripEmailDomain)
|
||||||
|
if err != nil {
|
||||||
|
return ips, err
|
||||||
|
}
|
||||||
|
for _, n := range users {
|
||||||
|
nodes := filterMachinesByUser(machines, n)
|
||||||
|
for _, node := range nodes {
|
||||||
|
ips = append(ips, node.IPAddresses.ToStringSlice()...)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return ips, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pol *ACLPolicy) getIPsFromTag(
|
||||||
|
alias string,
|
||||||
|
machines Machines,
|
||||||
|
stripEmailDomain bool,
|
||||||
|
) ([]string, error) {
|
||||||
|
ips := []string{}
|
||||||
|
|
||||||
|
// check for forced tags
|
||||||
|
for _, machine := range machines {
|
||||||
|
if contains(machine.ForcedTags, alias) {
|
||||||
|
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// find tag owners
|
||||||
|
owners, err := getTagOwners(pol, alias, stripEmailDomain)
|
||||||
|
if err != nil {
|
||||||
|
if errors.Is(err, errInvalidTag) {
|
||||||
|
if len(ips) == 0 {
|
||||||
|
return ips, fmt.Errorf(
|
||||||
|
"%w. %v isn't owned by a TagOwner and no forced tags are defined",
|
||||||
|
errInvalidTag,
|
||||||
|
alias,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ips, nil
|
||||||
|
} else {
|
||||||
|
return ips, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// filter out machines per tag owner
|
||||||
|
for _, user := range owners {
|
||||||
|
machines := filterMachinesByUser(machines, user)
|
||||||
|
for _, machine := range machines {
|
||||||
|
hi := machine.GetHostInfo()
|
||||||
|
if contains(hi.RequestTags, alias) {
|
||||||
|
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return ips, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pol *ACLPolicy) getIPsForUser(
|
||||||
|
user string,
|
||||||
|
machines Machines,
|
||||||
|
stripEmailDomain bool,
|
||||||
|
) []string {
|
||||||
|
ips := []string{}
|
||||||
|
|
||||||
|
nodes := filterMachinesByUser(machines, user)
|
||||||
|
nodes = excludeCorrectlyTaggedNodes(pol, nodes, user, stripEmailDomain)
|
||||||
|
|
||||||
|
for _, n := range nodes {
|
||||||
|
ips = append(ips, n.IPAddresses.ToStringSlice()...)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ips
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pol *ACLPolicy) getIPsFromSingleIP(
|
||||||
|
ip netip.Addr,
|
||||||
|
machines Machines,
|
||||||
|
) ([]string, error) {
|
||||||
|
log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
|
||||||
|
|
||||||
|
ips := []string{ip.String()}
|
||||||
|
matches := machines.FilterByIP(ip)
|
||||||
|
|
||||||
|
for _, machine := range matches {
|
||||||
|
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
|
||||||
|
}
|
||||||
|
|
||||||
|
return lo.Uniq(ips), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pol *ACLPolicy) getIPsFromIPPrefix(
|
||||||
|
prefix netip.Prefix,
|
||||||
|
machines Machines,
|
||||||
|
) ([]string, error) {
|
||||||
|
log.Trace().Str("prefix", prefix.String()).Msg("expandAlias got prefix")
|
||||||
|
val := []string{prefix.String()}
|
||||||
|
// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
|
||||||
|
// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
|
||||||
|
for _, machine := range machines {
|
||||||
|
for _, ip := range machine.IPAddresses {
|
||||||
|
// log.Trace().
|
||||||
|
// Msgf("checking if machine ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
|
||||||
|
if prefix.Contains(ip) {
|
||||||
|
val = append(val, machine.IPAddresses.ToStringSlice()...)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return lo.Uniq(val), nil
|
||||||
}
|
}
|
||||||
|
|
172
acls_test.go
172
acls_test.go
|
@ -556,26 +556,31 @@ func (s *Suite) TestPortGroup(c *check.C) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func Test_expandGroup(t *testing.T) {
|
func Test_expandGroup(t *testing.T) {
|
||||||
|
type field struct {
|
||||||
|
pol ACLPolicy
|
||||||
|
}
|
||||||
type args struct {
|
type args struct {
|
||||||
aclPolicy ACLPolicy
|
|
||||||
group string
|
group string
|
||||||
stripEmailDomain bool
|
stripEmailDomain bool
|
||||||
}
|
}
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
|
field field
|
||||||
args args
|
args args
|
||||||
want []string
|
want []string
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "simple test",
|
name: "simple test",
|
||||||
args: args{
|
field: field{
|
||||||
aclPolicy: ACLPolicy{
|
pol: ACLPolicy{
|
||||||
Groups: Groups{
|
Groups: Groups{
|
||||||
"group:test": []string{"user1", "user2", "user3"},
|
"group:test": []string{"user1", "user2", "user3"},
|
||||||
"group:foo": []string{"user2", "user3"},
|
"group:foo": []string{"user2", "user3"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
group: "group:test",
|
group: "group:test",
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
|
@ -584,13 +589,15 @@ func Test_expandGroup(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "InexistantGroup",
|
name: "InexistantGroup",
|
||||||
args: args{
|
field: field{
|
||||||
aclPolicy: ACLPolicy{
|
pol: ACLPolicy{
|
||||||
Groups: Groups{
|
Groups: Groups{
|
||||||
"group:test": []string{"user1", "user2", "user3"},
|
"group:test": []string{"user1", "user2", "user3"},
|
||||||
"group:foo": []string{"user2", "user3"},
|
"group:foo": []string{"user2", "user3"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
group: "group:undefined",
|
group: "group:undefined",
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
|
@ -599,8 +606,8 @@ func Test_expandGroup(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "Expand emails in group",
|
name: "Expand emails in group",
|
||||||
args: args{
|
field: field{
|
||||||
aclPolicy: ACLPolicy{
|
pol: ACLPolicy{
|
||||||
Groups: Groups{
|
Groups: Groups{
|
||||||
"group:admin": []string{
|
"group:admin": []string{
|
||||||
"joe.bar@gmail.com",
|
"joe.bar@gmail.com",
|
||||||
|
@ -608,6 +615,8 @@ func Test_expandGroup(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
group: "group:admin",
|
group: "group:admin",
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
|
@ -616,8 +625,8 @@ func Test_expandGroup(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "Expand emails in group",
|
name: "Expand emails in group",
|
||||||
args: args{
|
field: field{
|
||||||
aclPolicy: ACLPolicy{
|
pol: ACLPolicy{
|
||||||
Groups: Groups{
|
Groups: Groups{
|
||||||
"group:admin": []string{
|
"group:admin": []string{
|
||||||
"joe.bar@gmail.com",
|
"joe.bar@gmail.com",
|
||||||
|
@ -625,6 +634,8 @@ func Test_expandGroup(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
group: "group:admin",
|
group: "group:admin",
|
||||||
stripEmailDomain: false,
|
stripEmailDomain: false,
|
||||||
},
|
},
|
||||||
|
@ -634,8 +645,7 @@ func Test_expandGroup(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
t.Run(test.name, func(t *testing.T) {
|
t.Run(test.name, func(t *testing.T) {
|
||||||
got, err := expandGroup(
|
got, err := test.field.pol.getUsersInGroup(
|
||||||
test.args.aclPolicy,
|
|
||||||
test.args.group,
|
test.args.group,
|
||||||
test.args.stripEmailDomain,
|
test.args.stripEmailDomain,
|
||||||
)
|
)
|
||||||
|
@ -653,7 +663,7 @@ func Test_expandGroup(t *testing.T) {
|
||||||
|
|
||||||
func Test_expandTagOwners(t *testing.T) {
|
func Test_expandTagOwners(t *testing.T) {
|
||||||
type args struct {
|
type args struct {
|
||||||
aclPolicy ACLPolicy
|
aclPolicy *ACLPolicy
|
||||||
tag string
|
tag string
|
||||||
stripEmailDomain bool
|
stripEmailDomain bool
|
||||||
}
|
}
|
||||||
|
@ -666,7 +676,7 @@ func Test_expandTagOwners(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "simple tag expansion",
|
name: "simple tag expansion",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
TagOwners: TagOwners{"tag:test": []string{"user1"}},
|
TagOwners: TagOwners{"tag:test": []string{"user1"}},
|
||||||
},
|
},
|
||||||
tag: "tag:test",
|
tag: "tag:test",
|
||||||
|
@ -678,7 +688,7 @@ func Test_expandTagOwners(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "expand with tag and group",
|
name: "expand with tag and group",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
Groups: Groups{"group:foo": []string{"user1", "user2"}},
|
Groups: Groups{"group:foo": []string{"user1", "user2"}},
|
||||||
TagOwners: TagOwners{"tag:test": []string{"group:foo"}},
|
TagOwners: TagOwners{"tag:test": []string{"group:foo"}},
|
||||||
},
|
},
|
||||||
|
@ -691,7 +701,7 @@ func Test_expandTagOwners(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "expand with user and group",
|
name: "expand with user and group",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
Groups: Groups{"group:foo": []string{"user1", "user2"}},
|
Groups: Groups{"group:foo": []string{"user1", "user2"}},
|
||||||
TagOwners: TagOwners{"tag:test": []string{"group:foo", "user3"}},
|
TagOwners: TagOwners{"tag:test": []string{"group:foo", "user3"}},
|
||||||
},
|
},
|
||||||
|
@ -704,7 +714,7 @@ func Test_expandTagOwners(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "invalid tag",
|
name: "invalid tag",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
TagOwners: TagOwners{"tag:foo": []string{"group:foo", "user1"}},
|
TagOwners: TagOwners{"tag:foo": []string{"group:foo", "user1"}},
|
||||||
},
|
},
|
||||||
tag: "tag:test",
|
tag: "tag:test",
|
||||||
|
@ -716,7 +726,7 @@ func Test_expandTagOwners(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "invalid group",
|
name: "invalid group",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
Groups: Groups{"group:bar": []string{"user1", "user2"}},
|
Groups: Groups{"group:bar": []string{"user1", "user2"}},
|
||||||
TagOwners: TagOwners{"tag:test": []string{"group:foo", "user2"}},
|
TagOwners: TagOwners{"tag:test": []string{"group:foo", "user2"}},
|
||||||
},
|
},
|
||||||
|
@ -729,7 +739,7 @@ func Test_expandTagOwners(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
t.Run(test.name, func(t *testing.T) {
|
t.Run(test.name, func(t *testing.T) {
|
||||||
got, err := expandTagOwners(
|
got, err := getTagOwners(
|
||||||
test.args.aclPolicy,
|
test.args.aclPolicy,
|
||||||
test.args.tag,
|
test.args.tag,
|
||||||
test.args.stripEmailDomain,
|
test.args.stripEmailDomain,
|
||||||
|
@ -908,6 +918,9 @@ func Test_listMachinesInUser(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func Test_expandAlias(t *testing.T) {
|
func Test_expandAlias(t *testing.T) {
|
||||||
|
type field struct {
|
||||||
|
pol ACLPolicy
|
||||||
|
}
|
||||||
type args struct {
|
type args struct {
|
||||||
machines []Machine
|
machines []Machine
|
||||||
aclPolicy ACLPolicy
|
aclPolicy ACLPolicy
|
||||||
|
@ -916,12 +929,16 @@ func Test_expandAlias(t *testing.T) {
|
||||||
}
|
}
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
|
field field
|
||||||
args args
|
args args
|
||||||
want []string
|
want []string
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "wildcard",
|
name: "wildcard",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "*",
|
alias: "*",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -932,7 +949,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"*"},
|
want: []string{"*"},
|
||||||
|
@ -940,6 +956,11 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple group",
|
name: "simple group",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{
|
||||||
|
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
|
||||||
|
},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "group:accountant",
|
alias: "group:accountant",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -968,9 +989,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
|
|
||||||
},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"100.64.0.1", "100.64.0.2", "100.64.0.3"},
|
want: []string{"100.64.0.1", "100.64.0.2", "100.64.0.3"},
|
||||||
|
@ -978,6 +996,11 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "wrong group",
|
name: "wrong group",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{
|
||||||
|
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
|
||||||
|
},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "group:hr",
|
alias: "group:hr",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1006,9 +1029,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
|
|
||||||
},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{},
|
want: []string{},
|
||||||
|
@ -1016,10 +1036,12 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple ipaddress",
|
name: "simple ipaddress",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "10.0.0.3",
|
alias: "10.0.0.3",
|
||||||
machines: []Machine{},
|
machines: []Machine{},
|
||||||
aclPolicy: ACLPolicy{},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"10.0.0.3"},
|
want: []string{"10.0.0.3"},
|
||||||
|
@ -1027,10 +1049,12 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple host by ip passed through",
|
name: "simple host by ip passed through",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "10.0.0.1",
|
alias: "10.0.0.1",
|
||||||
machines: []Machine{},
|
machines: []Machine{},
|
||||||
aclPolicy: ACLPolicy{},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"10.0.0.1"},
|
want: []string{"10.0.0.1"},
|
||||||
|
@ -1038,6 +1062,9 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple host by ipv4 single ipv4",
|
name: "simple host by ipv4 single ipv4",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "10.0.0.1",
|
alias: "10.0.0.1",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1048,7 +1075,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"10.0.0.1"},
|
want: []string{"10.0.0.1"},
|
||||||
|
@ -1056,6 +1082,9 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple host by ipv4 single dual stack",
|
name: "simple host by ipv4 single dual stack",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "10.0.0.1",
|
alias: "10.0.0.1",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1067,7 +1096,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"10.0.0.1", "fd7a:115c:a1e0:ab12:4843:2222:6273:2222"},
|
want: []string{"10.0.0.1", "fd7a:115c:a1e0:ab12:4843:2222:6273:2222"},
|
||||||
|
@ -1075,6 +1103,9 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple host by ipv6 single dual stack",
|
name: "simple host by ipv6 single dual stack",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "fd7a:115c:a1e0:ab12:4843:2222:6273:2222",
|
alias: "fd7a:115c:a1e0:ab12:4843:2222:6273:2222",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1086,7 +1117,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"fd7a:115c:a1e0:ab12:4843:2222:6273:2222", "10.0.0.1"},
|
want: []string{"fd7a:115c:a1e0:ab12:4843:2222:6273:2222", "10.0.0.1"},
|
||||||
|
@ -1094,14 +1124,16 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple host by hostname alias",
|
name: "simple host by hostname alias",
|
||||||
args: args{
|
field: field{
|
||||||
alias: "testy",
|
pol: ACLPolicy{
|
||||||
machines: []Machine{},
|
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
Hosts: Hosts{
|
Hosts: Hosts{
|
||||||
"testy": netip.MustParsePrefix("10.0.0.132/32"),
|
"testy": netip.MustParsePrefix("10.0.0.132/32"),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
|
alias: "testy",
|
||||||
|
machines: []Machine{},
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"10.0.0.132/32"},
|
want: []string{"10.0.0.132/32"},
|
||||||
|
@ -1109,14 +1141,16 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "private network",
|
name: "private network",
|
||||||
args: args{
|
field: field{
|
||||||
alias: "homeNetwork",
|
pol: ACLPolicy{
|
||||||
machines: []Machine{},
|
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
Hosts: Hosts{
|
Hosts: Hosts{
|
||||||
"homeNetwork": netip.MustParsePrefix("192.168.1.0/24"),
|
"homeNetwork": netip.MustParsePrefix("192.168.1.0/24"),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
args: args{
|
||||||
|
alias: "homeNetwork",
|
||||||
|
machines: []Machine{},
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"192.168.1.0/24"},
|
want: []string{"192.168.1.0/24"},
|
||||||
|
@ -1124,6 +1158,9 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple CIDR",
|
name: "simple CIDR",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "10.0.0.0/16",
|
alias: "10.0.0.0/16",
|
||||||
machines: []Machine{},
|
machines: []Machine{},
|
||||||
|
@ -1135,6 +1172,11 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "simple tag",
|
name: "simple tag",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{
|
||||||
|
TagOwners: TagOwners{"tag:hr-webserver": []string{"joe"}},
|
||||||
|
},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "tag:hr-webserver",
|
alias: "tag:hr-webserver",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1173,9 +1215,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "joe"},
|
User: User{Name: "joe"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
TagOwners: TagOwners{"tag:hr-webserver": []string{"joe"}},
|
|
||||||
},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"100.64.0.1", "100.64.0.2"},
|
want: []string{"100.64.0.1", "100.64.0.2"},
|
||||||
|
@ -1183,6 +1222,14 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "No tag defined",
|
name: "No tag defined",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{
|
||||||
|
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
|
||||||
|
TagOwners: TagOwners{
|
||||||
|
"tag:accountant-webserver": []string{"group:accountant"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "tag:hr-webserver",
|
alias: "tag:hr-webserver",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1211,12 +1258,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
|
|
||||||
TagOwners: TagOwners{
|
|
||||||
"tag:accountant-webserver": []string{"group:accountant"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{},
|
want: []string{},
|
||||||
|
@ -1224,6 +1265,9 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "Forced tag defined",
|
name: "Forced tag defined",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "tag:hr-webserver",
|
alias: "tag:hr-webserver",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1254,7 +1298,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"100.64.0.1", "100.64.0.2"},
|
want: []string{"100.64.0.1", "100.64.0.2"},
|
||||||
|
@ -1262,6 +1305,13 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "Forced tag with legitimate tagOwner",
|
name: "Forced tag with legitimate tagOwner",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{
|
||||||
|
TagOwners: TagOwners{
|
||||||
|
"tag:hr-webserver": []string{"joe"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "tag:hr-webserver",
|
alias: "tag:hr-webserver",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1296,11 +1346,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "mickael"},
|
User: User{Name: "mickael"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
TagOwners: TagOwners{
|
|
||||||
"tag:hr-webserver": []string{"joe"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"100.64.0.1", "100.64.0.2"},
|
want: []string{"100.64.0.1", "100.64.0.2"},
|
||||||
|
@ -1308,6 +1353,11 @@ func Test_expandAlias(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "list host in user without correctly tagged servers",
|
name: "list host in user without correctly tagged servers",
|
||||||
|
field: field{
|
||||||
|
pol: ACLPolicy{
|
||||||
|
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
||||||
|
},
|
||||||
|
},
|
||||||
args: args{
|
args: args{
|
||||||
alias: "joe",
|
alias: "joe",
|
||||||
machines: []Machine{
|
machines: []Machine{
|
||||||
|
@ -1346,9 +1396,6 @@ func Test_expandAlias(t *testing.T) {
|
||||||
User: User{Name: "joe"},
|
User: User{Name: "joe"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
aclPolicy: ACLPolicy{
|
|
||||||
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
|
||||||
},
|
|
||||||
stripEmailDomain: true,
|
stripEmailDomain: true,
|
||||||
},
|
},
|
||||||
want: []string{"100.64.0.4"},
|
want: []string{"100.64.0.4"},
|
||||||
|
@ -1357,9 +1404,8 @@ func Test_expandAlias(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
t.Run(test.name, func(t *testing.T) {
|
t.Run(test.name, func(t *testing.T) {
|
||||||
got, err := expandAlias(
|
got, err := test.field.pol.expandAlias(
|
||||||
test.args.machines,
|
test.args.machines,
|
||||||
test.args.aclPolicy,
|
|
||||||
test.args.alias,
|
test.args.alias,
|
||||||
test.args.stripEmailDomain,
|
test.args.stripEmailDomain,
|
||||||
)
|
)
|
||||||
|
@ -1377,7 +1423,7 @@ func Test_expandAlias(t *testing.T) {
|
||||||
|
|
||||||
func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
|
func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
|
||||||
type args struct {
|
type args struct {
|
||||||
aclPolicy ACLPolicy
|
aclPolicy *ACLPolicy
|
||||||
nodes []Machine
|
nodes []Machine
|
||||||
user string
|
user string
|
||||||
stripEmailDomain bool
|
stripEmailDomain bool
|
||||||
|
@ -1391,7 +1437,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "exclude nodes with valid tags",
|
name: "exclude nodes with valid tags",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
||||||
},
|
},
|
||||||
nodes: []Machine{
|
nodes: []Machine{
|
||||||
|
@ -1437,7 +1483,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "exclude nodes with valid tags, and owner is in a group",
|
name: "exclude nodes with valid tags, and owner is in a group",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
Groups: Groups{
|
Groups: Groups{
|
||||||
"group:accountant": []string{"joe", "bar"},
|
"group:accountant": []string{"joe", "bar"},
|
||||||
},
|
},
|
||||||
|
@ -1488,7 +1534,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "exclude nodes with valid tags and with forced tags",
|
name: "exclude nodes with valid tags and with forced tags",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
||||||
},
|
},
|
||||||
nodes: []Machine{
|
nodes: []Machine{
|
||||||
|
@ -1530,7 +1576,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "all nodes have invalid tags, don't exclude them",
|
name: "all nodes have invalid tags, don't exclude them",
|
||||||
args: args{
|
args: args{
|
||||||
aclPolicy: ACLPolicy{
|
aclPolicy: &ACLPolicy{
|
||||||
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
|
||||||
},
|
},
|
||||||
nodes: []Machine{
|
nodes: []Machine{
|
||||||
|
|
|
@ -111,8 +111,8 @@ func (hosts *Hosts) UnmarshalYAML(data []byte) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsZero is perhaps a bit naive here.
|
// IsZero is perhaps a bit naive here.
|
||||||
func (policy ACLPolicy) IsZero() bool {
|
func (pol ACLPolicy) IsZero() bool {
|
||||||
if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
|
if len(pol.Groups) == 0 && len(pol.Hosts) == 0 && len(pol.ACLs) == 0 {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -893,7 +893,7 @@ func getTags(
|
||||||
validTagMap := make(map[string]bool)
|
validTagMap := make(map[string]bool)
|
||||||
invalidTagMap := make(map[string]bool)
|
invalidTagMap := make(map[string]bool)
|
||||||
for _, tag := range machine.HostInfo.RequestTags {
|
for _, tag := range machine.HostInfo.RequestTags {
|
||||||
owners, err := expandTagOwners(*aclPolicy, tag, stripEmailDomain)
|
owners, err := getTagOwners(aclPolicy, tag, stripEmailDomain)
|
||||||
if errors.Is(err, errInvalidTag) {
|
if errors.Is(err, errInvalidTag) {
|
||||||
invalidTagMap[tag] = true
|
invalidTagMap[tag] = true
|
||||||
|
|
||||||
|
@ -1207,7 +1207,7 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
|
||||||
if approvedAlias == machine.User.Name {
|
if approvedAlias == machine.User.Name {
|
||||||
approvedRoutes = append(approvedRoutes, advertisedRoute)
|
approvedRoutes = append(approvedRoutes, advertisedRoute)
|
||||||
} else {
|
} else {
|
||||||
approvedIps, err := expandAlias([]Machine{*machine}, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
|
approvedIps, err := h.aclPolicy.expandAlias([]Machine{*machine}, approvedAlias, h.cfg.OIDC.StripEmaildomain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Err(err).
|
log.Err(err).
|
||||||
Str("alias", approvedAlias).
|
Str("alias", approvedAlias).
|
||||||
|
|
Loading…
Reference in a new issue