Split GetRouteApprovers from EnableAutoApprovedRoutes
This commit is contained in:
parent
004ebcaba1
commit
7653ad40d6
2 changed files with 58 additions and 45 deletions
|
@ -108,3 +108,28 @@ func (policy ACLPolicy) IsZero() bool {
|
||||||
|
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Returns the list of autoApproving namespaces, groups or tags for a given IPPrefix
|
||||||
|
func (autoApprovers *AutoApprovers) GetRouteApprovers(
|
||||||
|
prefix netaddr.IPPrefix,
|
||||||
|
) ([]string, error) {
|
||||||
|
if prefix.Bits() == 0 {
|
||||||
|
return autoApprovers.ExitNode, nil // 0.0.0.0/0, ::/0 or equivalent
|
||||||
|
}
|
||||||
|
|
||||||
|
approverAliases := []string{}
|
||||||
|
|
||||||
|
for autoApprovedPrefix, autoApproverAliases := range autoApprovers.Routes {
|
||||||
|
autoApprovedPrefix, err := netaddr.ParseIPPrefix(autoApprovedPrefix)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if autoApprovedPrefix.Bits() >= prefix.Bits() &&
|
||||||
|
autoApprovedPrefix.Contains(prefix.IP()) {
|
||||||
|
approverAliases = append(approverAliases, autoApproverAliases...)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return approverAliases, nil
|
||||||
|
}
|
||||||
|
|
78
machine.go
78
machine.go
|
@ -931,60 +931,48 @@ func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Enabled any routes advertised by a machine that match the ACL autoApprovers policy
|
// Enabled any routes advertised by a machine that match the ACL autoApprovers policy
|
||||||
// TODO simplify by expanding only for current machine, and by checking if approvedIPs contains machine.IPs[0]
|
|
||||||
func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
|
func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
|
||||||
approvedRoutes := make([]netaddr.IPPrefix, 0, len(machine.HostInfo.RoutableIPs))
|
if len(machine.IPAddresses) == 0 {
|
||||||
machines, err := h.ListMachines()
|
return nil // This machine has no IPAddresses, so can't possibly match any autoApprovers ACLs
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
log.Err(err)
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
approvedRoutes := make([]netaddr.IPPrefix, 0, len(machine.HostInfo.RoutableIPs))
|
||||||
|
thisMachine := []Machine{*machine}
|
||||||
|
|
||||||
for _, advertisedRoute := range machine.HostInfo.RoutableIPs {
|
for _, advertisedRoute := range machine.HostInfo.RoutableIPs {
|
||||||
log.Debug().
|
|
||||||
Uint64("machine", machine.ID).
|
|
||||||
Str("advertisedRoute", advertisedRoute.String()).
|
|
||||||
Msg("Client requested to advertise route")
|
|
||||||
|
|
||||||
approved := false
|
if contains(machine.EnabledRoutes, advertisedRoute) {
|
||||||
routeApprovers := h.aclPolicy.AutoApprovers.Routes[advertisedRoute.String()]
|
continue // Skip routes that are already enabled for the node
|
||||||
|
|
||||||
if advertisedRoute.Bits() == 0 {
|
|
||||||
routeApprovers = h.aclPolicy.AutoApprovers.ExitNode
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(routeApprovers) > 0 {
|
approved := false
|
||||||
for _, approvedAlias := range routeApprovers {
|
routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(advertisedRoute)
|
||||||
|
|
||||||
approvedIps, err := expandAlias(machines, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
|
if err != nil {
|
||||||
|
log.Err(err).
|
||||||
if err != nil {
|
|
||||||
log.Err(err).
|
|
||||||
Str("alias", approvedAlias).
|
|
||||||
Msg("Failed to expand alias when processing autoApprovers policy")
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, machineIp := range machine.IPAddresses {
|
|
||||||
for _, approvedIp := range approvedIps {
|
|
||||||
approved = machineIp.String() == approvedIp
|
|
||||||
|
|
||||||
if approved {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if approved {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
log.Debug().
|
|
||||||
Uint64("client", machine.ID).
|
|
||||||
Str("advertisedRoute", advertisedRoute.String()).
|
Str("advertisedRoute", advertisedRoute.String()).
|
||||||
Msg("Advertised route is not automatically approved")
|
Uint64("machineId", machine.ID).
|
||||||
|
Msg("Failed to resolve autoApprovers for advertised route")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, approvedAlias := range routeApprovers {
|
||||||
|
|
||||||
|
approvedIps, err := expandAlias(thisMachine, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
log.Err(err).
|
||||||
|
Str("alias", approvedAlias).
|
||||||
|
Msg("Failed to expand alias when processing autoApprovers policy")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
|
||||||
|
approved = contains(approvedIps, machine.IPAddresses[0].String())
|
||||||
|
|
||||||
|
if approved {
|
||||||
|
break
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if approved {
|
if approved {
|
||||||
|
|
Loading…
Reference in a new issue