diff --git a/acls.go b/acls.go
index 8ba8618..151fb3b 100644
--- a/acls.go
+++ b/acls.go
@@ -9,7 +9,6 @@ import (
"strconv"
"strings"
- "github.com/davecgh/go-spew/spew"
"github.com/tailscale/hujson"
"inet.af/netaddr"
"tailscale.com/tailcfg"
@@ -82,8 +81,6 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
DstPorts: destPorts,
})
}
- // fmt.Println(rules)
- spew.Dump(rules)
return &rules, nil
}
diff --git a/acls_test.go b/acls_test.go
index 97f0d33..3433848 100644
--- a/acls_test.go
+++ b/acls_test.go
@@ -64,7 +64,82 @@ func (s *Suite) TestBasicRule(c *check.C) {
rules, err := h.generateACLRules()
c.Assert(err, check.IsNil)
- c.Assert(rules, check.IsNil)
+ c.Assert(rules, check.NotNil)
+}
+
+func (s *Suite) TestPortRange(c *check.C) {
+ err := h.LoadPolicy("./tests/acls/acl_policy_basic_range.hujson")
+ c.Assert(err, check.IsNil)
+
+ rules, err := h.generateACLRules()
+ c.Assert(err, check.IsNil)
+ c.Assert(rules, check.NotNil)
+
+ c.Assert(*rules, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(5400))
+ c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(5500))
+}
+
+func (s *Suite) TestPortWildcard(c *check.C) {
+ err := h.LoadPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
+ c.Assert(err, check.IsNil)
+
+ rules, err := h.generateACLRules()
+ c.Assert(err, check.IsNil)
+ c.Assert(rules, check.NotNil)
+
+ c.Assert(*rules, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
+ c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
+ c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
+ c.Assert((*rules)[0].SrcIPs[0], check.Equals, "*")
+}
+
+func (s *Suite) TestPortNamespace(c *check.C) {
+ n, err := h.CreateNamespace("testnamespace")
+ c.Assert(err, check.IsNil)
+
+ pak, err := h.CreatePreAuthKey(n.Name, false, false, nil)
+ c.Assert(err, check.IsNil)
+
+ db, err := h.db()
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ _, err = h.GetMachine("testnamespace", "testmachine")
+ c.Assert(err, check.NotNil)
+ ip, _ := h.getAvailableIP()
+ m := Machine{
+ ID: 0,
+ MachineKey: "foo",
+ NodeKey: "bar",
+ DiscoKey: "faa",
+ Name: "testmachine",
+ NamespaceID: n.ID,
+ Registered: true,
+ RegisterMethod: "authKey",
+ IPAddress: ip.String(),
+ AuthKeyID: uint(pak.ID),
+ }
+ db.Save(&m)
+
+ err = h.LoadPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson")
+ c.Assert(err, check.IsNil)
+
+ rules, err := h.generateACLRules()
+ c.Assert(err, check.IsNil)
+ c.Assert(rules, check.NotNil)
+
+ c.Assert(*rules, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
+ c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
+ c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
+ c.Assert((*rules)[0].SrcIPs[0], check.Not(check.Equals), "not an ip")
+ c.Assert((*rules)[0].SrcIPs[0], check.Equals, ip.String())
}
// func (s *Suite) TestRuleGeneration(c *check.C) {
diff --git a/tests/acls/acl_policy_1.hujson b/tests/acls/acl_policy_1.hujson
index c9881d8..8f70148 100644
--- a/tests/acls/acl_policy_1.hujson
+++ b/tests/acls/acl_policy_1.hujson
@@ -20,12 +20,11 @@
// Everyone in the montreal-admins or global-admins group are
// allowed to tag servers as montreal-webserver.
"tag:montreal-webserver": [
- "group:montreal-admins",
- "group:global-admins",
+ "group:example",
],
// Only a few admins are allowed to create API servers.
- "tag:api-server": [
- "group:global-admins",
+ "tag:production": [
+ "group:example",
"president@example.com",
],
},
@@ -38,7 +37,7 @@
"Action": "accept",
"Users": [
"group:example2",
- "192.168.1.1"
+ "192.168.1.0/24"
],
"Ports": [
"*:22,3389",
@@ -62,8 +61,7 @@
{
"Action": "accept",
"Users": [
- "example-host-2",
- "192.168.1.0/24"
+ "example-host-2",
],
"Ports": [
"example-host-1:*",
diff --git a/tests/acls/acl_policy_basic_1.hujson b/tests/acls/acl_policy_basic_1.hujson
new file mode 100644
index 0000000..4f86af3
--- /dev/null
+++ b/tests/acls/acl_policy_basic_1.hujson
@@ -0,0 +1,24 @@
+// This ACL is a very basic example to validate the
+// expansion of hosts
+
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "subnet-1",
+ "192.168.1.0/24"
+ ],
+ "Ports": [
+ "*:22,3389",
+ "host-1:*",
+ ],
+ },
+ ],
+}
\ No newline at end of file
diff --git a/tests/acls/acl_policy_basic_namespace_as_user.hujson b/tests/acls/acl_policy_basic_namespace_as_user.hujson
new file mode 100644
index 0000000..414bdda
--- /dev/null
+++ b/tests/acls/acl_policy_basic_namespace_as_user.hujson
@@ -0,0 +1,20 @@
+// This ACL is used to test wildcards
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "testnamespace",
+ ],
+ "Ports": [
+ "host-1:*",
+ ],
+ },
+ ],
+}
\ No newline at end of file
diff --git a/tests/acls/acl_policy_basic_range.hujson b/tests/acls/acl_policy_basic_range.hujson
new file mode 100644
index 0000000..8bcbc79
--- /dev/null
+++ b/tests/acls/acl_policy_basic_range.hujson
@@ -0,0 +1,20 @@
+// This ACL is used to test the port range expansion
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "subnet-1",
+ ],
+ "Ports": [
+ "host-1:5400-5500",
+ ],
+ },
+ ],
+}
\ No newline at end of file
diff --git a/tests/acls/acl_policy_basic_wildcards.hujson b/tests/acls/acl_policy_basic_wildcards.hujson
new file mode 100644
index 0000000..ec5ce46
--- /dev/null
+++ b/tests/acls/acl_policy_basic_wildcards.hujson
@@ -0,0 +1,20 @@
+// This ACL is used to test wildcards
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "*",
+ ],
+ "Ports": [
+ "host-1:*",
+ ],
+ },
+ ],
+}
\ No newline at end of file