diff --git a/machine.go b/machine.go index 8a33e1d..30c4ad9 100644 --- a/machine.go +++ b/machine.go @@ -148,19 +148,13 @@ func matchSourceAndDestinationWithRule(ruleSources []string, ruleDestinations [] } // getFilteredByACLPeerss should return the list of peers authorized to be accessed from machine. -func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) { +func getFilteredByACLPeers(machines []Machine, rules []tailcfg.FilterRule, machine *Machine) (Machines, error) { log.Trace(). Caller(). Str("machine", machine.Name). Msg("Finding peers filtered by ACLs") - machines, err := h.ListAllMachines() - if err != nil { - log.Error().Err(err).Msg("Error retrieving list of machines") - return Machines{}, err - } peers := make(map[uint64]Machine) - // Aclfilter peers here. We are itering through machines in all namespaces and search through the computed aclRules // for match between rule SrcIPs and DstPorts. If the rule is a match we allow the machine to be viewable. @@ -182,7 +176,7 @@ func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) { if peer.ID == machine.ID { continue } - for _, rule := range h.aclRules { + for _, rule := range rules { var dst []string for _, d := range rule.DstPorts { dst = append(dst, d.IP) @@ -301,10 +295,17 @@ func (h *Headscale) getSharedTo(machine *Machine) (Machines, error) { func (h *Headscale) getPeers(machine *Machine) (Machines, error) { var peers Machines var err error + // If ACLs rules are defined, filter visible host list with the ACLs // else use the classic namespace scope if h.aclPolicy != nil { - peers, err = h.getFilteredByACLPeers(machine) + var machines []Machine + machines, err = h.ListAllMachines() + if err != nil { + log.Error().Err(err).Msg("Error retrieving list of machines") + return Machines{}, err + } + peers, err = getFilteredByACLPeers(machines, h.aclRules, machine) if err != nil { log.Error(). Caller(). diff --git a/machine_test.go b/machine_test.go index f9e58be..90caf9d 100644 --- a/machine_test.go +++ b/machine_test.go @@ -219,10 +219,13 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) { _, err = testMachine.GetHostInfo() c.Assert(err, check.IsNil) - peersOfTestMachine, err := app.getFilteredByACLPeers(testMachine) + machines, err := app.ListAllMachines() c.Assert(err, check.IsNil) - peersOfAdminMachine, err := app.getFilteredByACLPeers(adminMachine) + peersOfTestMachine, err := getFilteredByACLPeers(machines, app.aclRules, testMachine) + c.Assert(err, check.IsNil) + + peersOfAdminMachine, err := getFilteredByACLPeers(machines, app.aclRules, adminMachine) c.Assert(err, check.IsNil) c.Log(peersOfTestMachine)