package headscale
import (
"encoding/json"
"errors"
"fmt"
"io"
"net/netip"
"os"
"path/filepath"
"strconv"
"strings"
"time"
"github.com/rs/zerolog/log"
"github.com/tailscale/hujson"
"go4.org/netipx"
"gopkg.in/yaml.v3"
"tailscale.com/envknob"
"tailscale.com/tailcfg"
)
// Sentinel errors returned while loading and expanding an ACL policy.
// Callers match them with errors.Is (see expandAlias), so they are kept as
// distinct constants rather than ad-hoc error values.
const (
	errEmptyPolicy       = Error("empty policy")
	errInvalidAction     = Error("invalid action")
	errInvalidGroup      = Error("invalid group")
	errInvalidTag        = Error("invalid tag")
	errInvalidPortFormat = Error("invalid port format")
	// Returned by expandPorts when the protocol does not carry ports
	// (anything other than TCP, UDP and SCTP, see parseProtocol) and the
	// destination port is not "*".
	errWildcardIsNeeded = Error("wildcard as port is required for the protocol")
)
// Numeric bases and bit sizes used with strconv, the port bounds that the
// "*" wildcard expands to, and the token counts the parsers expect.
const (
	Base8     = 8
	Base10    = 10
	BitSize16 = 16
	BitSize32 = 32
	BitSize64 = 64

	// Full port range used by expandPorts for "*".
	portRangeBegin = 0
	portRangeEnd   = 65535
	// Number of ":"-separated tokens in a plain "alias:port" destination
	// and of "-"-separated tokens in a "first-last" port range.
	expectedTokenItems = 2
)
// For some reason golang.org/x/net/internal/iana is an internal package.
//
// IANA IP protocol numbers as they appear in the IP header protocol field;
// parseProtocol maps the ACL "proto" names onto these.
const (
	protocolICMP     = 1   // Internet Control Message
	protocolIGMP     = 2   // Internet Group Management
	protocolIPv4     = 4   // IPv4 encapsulation
	protocolTCP      = 6   // Transmission Control
	protocolEGP      = 8   // Exterior Gateway Protocol
	protocolIGP      = 9   // any private interior gateway (used by Cisco for their IGRP)
	protocolUDP      = 17  // User Datagram
	protocolGRE      = 47  // Generic Routing Encapsulation
	protocolESP      = 50  // Encap Security Payload
	protocolAH       = 51  // Authentication Header
	protocolIPv6ICMP = 58  // ICMP for IPv6
	protocolSCTP     = 132 // Stream Control Transmission Protocol
	// NOTE(review): exported, unlike its siblings; not referenced in this file.
	ProtocolFC = 133 // Fibre Channel
)
// featureEnableSSH gates the generation of SSH rules in UpdateACLRules; it
// reports the HEADSCALE_EXPERIMENTAL_FEATURE_SSH environment knob.
var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")
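// LoadACLPolicy loads the ACL policy from the specified path, and generates
// the ACL rules.
//
// Files ending in ".yml" or ".yaml" are decoded as YAML; anything else is
// treated as HuJSON (JSON with comments and trailing commas), standardized
// and then decoded with encoding/json. A zero policy is rejected with
// errEmptyPolicy. On success the policy is stored on h and UpdateACLRules
// is run to regenerate the filter rules; its error is returned as is.
// All I/O and parse errors are wrapped with the path so the caller can tell
// which file failed.
func (h *Headscale) LoadACLPolicy(path string) error {
	log.Debug().
		Str("func", "LoadACLPolicy").
		Str("path", path).
		Msg("Loading ACL policy from path")

	policyFile, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("opening ACL policy %q: %w", path, err)
	}
	defer policyFile.Close()

	policyBytes, err := io.ReadAll(policyFile)
	if err != nil {
		return fmt.Errorf("reading ACL policy %q: %w", path, err)
	}

	var policy ACLPolicy
	switch filepath.Ext(path) {
	case ".yml", ".yaml":
		log.Debug().
			Str("path", path).
			Bytes("file", policyBytes).
			Msg("Loading ACLs from YAML")

		if err := yaml.Unmarshal(policyBytes, &policy); err != nil {
			return fmt.Errorf("parsing YAML ACL policy %q: %w", path, err)
		}

		log.Trace().
			Interface("policy", policy).
			Msg("Loaded policy from YAML")

	default:
		// HuJSON is the Tailscale policy format: JSON plus comments and
		// trailing commas. Standardize strips those so encoding/json can
		// decode the packed result.
		ast, err := hujson.Parse(policyBytes)
		if err != nil {
			return fmt.Errorf("parsing HuJSON ACL policy %q: %w", path, err)
		}
		ast.Standardize()
		policyBytes = ast.Pack()

		if err := json.Unmarshal(policyBytes, &policy); err != nil {
			return fmt.Errorf("decoding ACL policy %q: %w", path, err)
		}
	}

	if policy.IsZero() {
		return errEmptyPolicy
	}

	h.aclPolicy = &policy

	return h.UpdateACLRules()
}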
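// UpdateACLRules regenerates the filter rules, the peer cache map and, when
// the experimental SSH feature is enabled, the SSH rules from h.aclPolicy and
// the current list of machines.
//
// It returns errEmptyPolicy when no policy has been loaded, otherwise the
// error of the first step that fails; fields written by earlier steps keep
// their new values in that case.
func (h *Headscale) UpdateACLRules() error {
	// Check the policy before listing machines: without a policy there is
	// nothing to generate, so the database round trip can be skipped.
	if h.aclPolicy == nil {
		return errEmptyPolicy
	}

	machines, err := h.ListMachines()
	if err != nil {
		return err
	}

	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
	if err != nil {
		return err
	}
	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
	// NOTE(review): aclRules is assigned without a lock while the cache map
	// below is guarded by aclPeerCacheMapRW; confirm readers of aclRules
	// cannot race with this write.
	h.aclRules = rules

	// Precompute a map of which sources can reach each destination, this is
	// to provide quicker lookup when we calculate the peerlist for the map
	// response to nodes.
	aclPeerCacheMap := generateACLPeerCacheMap(rules)
	h.aclPeerCacheMapRW.Lock()
	h.aclPeerCacheMap = aclPeerCacheMap
	h.aclPeerCacheMapRW.Unlock()

	if !featureEnableSSH() {
		if len(h.aclPolicy.SSHs) > 0 {
			log.Info().Msg("SSH ACLs has been defined, but HEADSCALE_EXPERIMENTAL_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating")
		}

		return nil
	}

	sshRules, err := h.generateSSHRules()
	if err != nil {
		return err
	}
	log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")

	if h.sshPolicy == nil {
		h.sshPolicy = &tailcfg.SSHPolicy{}
	}
	h.sshPolicy.Rules = sshRules

	return nil
}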
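// generateACLPeerCacheMap takes a list of Tailscale filter rules and generates a map
// of which Sources ("*" and IPs) can access destinations. This is to speed up the
// process of generating MapResponses when deciding which Peers to inform nodes about.
//
// Outer and inner keys are the strings produced by expandACLPeerAddr: "*",
// single IP addresses, or any other non-IP string passed through unchanged.
// A source that appears in several rules accumulates the destinations of all
// of them.
func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string]map[string]struct{} {
	aclCachePeerMap := make(map[string]map[string]struct{})

	for _, rule := range rules {
		// The destinations are the same for every source of the rule, so
		// expand them once instead of once per source.
		dstIPs := make([]string, 0, len(rule.DstPorts))
		for _, dstPort := range rule.DstPorts {
			dstIPs = append(dstIPs, expandACLPeerAddr(dstPort.IP)...)
		}

		for _, srcIP := range rule.SrcIPs {
			for _, ip := range expandACLPeerAddr(srcIP) {
				dsts, ok := aclCachePeerMap[ip]
				if !ok {
					dsts = make(map[string]struct{}, len(dstIPs))
					aclCachePeerMap[ip] = dsts
				}
				for _, dstIP := range dstIPs {
					dsts[dstIP] = struct{}{}
				}
			}
		}
	}

	log.Trace().Interface("ACL Cache Map", aclCachePeerMap).Msg("ACL Peer Cache Map generated")

	return aclCachePeerMap
}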
// expandACLPeerAddr takes a "tailcfg.FilterRule" "IP" and expands it into
// something our cache logic can look up, which is "*" or single IP addresses.
// This is probably quite inefficient, but it is a result of
// "make it work, then make it fast", and a lot of the ACL stuff does not
// work, but people have tried to make it fast.
//
// A single address is returned as is, a prefix is enumerated address by
// address, and anything else (typically "*") is passed through unchanged.
//
// NOTE(review): the prefix expansion is unbounded — one string per address,
// so a wide prefix (any sizeable IPv6 prefix in particular) in a policy will
// allocate accordingly; confirm that policy inputs are trusted and bounded.
func expandACLPeerAddr(srcIP string) []string {
	// Plain address: nothing to expand.
	if addr, err := netip.ParseAddr(srcIP); err == nil {
		return []string{addr.String()}
	}

	prefix, err := netip.ParsePrefix(srcIP)
	if err != nil {
		// probably "*" or other string based "IP"
		return []string{srcIP}
	}

	// Walk the range from its first to its last address, inclusive. The loop
	// stops one short of the last address, which is appended afterwards, so a
	// single-address prefix yields exactly one entry.
	ipRange := netipx.RangeOfPrefix(prefix)
	cur, last := ipRange.From(), ipRange.To()
	addrs := []string{}
	for cur.Less(last) {
		addrs = append(addrs, cur.String())
		cur = cur.Next()
	}
	addrs = append(addrs, last.String())

	return addrs
}
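// generateACLRules turns the ACLs of aclPolicy into tailcfg filter rules,
// expanding every source and destination alias against machines.
//
// Each ACL must have the action "accept" (errInvalidAction otherwise). The
// protocol decides whether destinations must use "*" as port (see
// parseProtocol). Alias expansion errors are logged with the ACL and entry
// index — including the underlying error, which the message alone does not
// carry — and returned unchanged so callers can match them with errors.Is.
func generateACLRules(
	machines []Machine,
	aclPolicy ACLPolicy,
	stripEmaildomain bool,
) ([]tailcfg.FilterRule, error) {
	rules := []tailcfg.FilterRule{}

	for index, acl := range aclPolicy.ACLs {
		if acl.Action != "accept" {
			return nil, errInvalidAction
		}

		srcIPs := []string{}
		for innerIndex, src := range acl.Sources {
			srcs, err := generateACLPolicySrc(machines, aclPolicy, src, stripEmaildomain)
			if err != nil {
				log.Error().
					Err(err).
					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)

				return nil, err
			}
			srcIPs = append(srcIPs, srcs...)
		}

		protocols, needsWildcard, err := parseProtocol(acl.Protocol)
		if err != nil {
			log.Error().
				Err(err).
				Msgf("Error parsing ACL %d. protocol unknown %s", index, acl.Protocol)

			return nil, err
		}

		destPorts := []tailcfg.NetPortRange{}
		for innerIndex, dest := range acl.Destinations {
			dests, err := generateACLPolicyDest(
				machines,
				aclPolicy,
				dest,
				needsWildcard,
				stripEmaildomain,
			)
			if err != nil {
				log.Error().
					Err(err).
					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)

				return nil, err
			}
			destPorts = append(destPorts, dests...)
		}

		rules = append(rules, tailcfg.FilterRule{
			SrcIPs:   srcIPs,
			DstPorts: destPorts,
			IPProto:  protocols,
		})
	}

	return rules, nil
}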
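// generateSSHRules builds the tailcfg SSH rules from h.aclPolicy.SSHs.
//
// Each SSH ACL becomes one rule whose principals are the expanded sources
// (one principal per node IP) and whose SSHUsers map every listed user to
// "=". The action is accept, reject, or a "check" accept whose session
// duration is the parsed CheckPeriod. A "check" entry with an unparsable
// CheckPeriod is logged and falls back to reject (fail closed). An unknown
// action is an error wrapping errInvalidAction, so a typo in the policy
// cannot silently produce no rules and no error.
func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
	rules := []*tailcfg.SSHRule{}

	if h.aclPolicy == nil {
		return nil, errEmptyPolicy
	}

	machines, err := h.ListMachines()
	if err != nil {
		return nil, err
	}

	acceptAction := tailcfg.SSHAction{
		Message:                  "",
		Reject:                   false,
		Accept:                   true,
		SessionDuration:          0,
		AllowAgentForwarding:     false,
		HoldAndDelegate:          "",
		AllowLocalPortForwarding: true,
	}

	rejectAction := tailcfg.SSHAction{
		Message:                  "",
		Reject:                   true,
		Accept:                   false,
		SessionDuration:          0,
		AllowAgentForwarding:     false,
		HoldAndDelegate:          "",
		AllowLocalPortForwarding: false,
	}

	for index, sshACL := range h.aclPolicy.SSHs {
		// Declared inside the loop so every rule gets its own copy to point at.
		action := rejectAction
		switch sshACL.Action {
		case "accept":
			action = acceptAction
		case "check":
			checkAction, err := sshCheckAction(sshACL.CheckPeriod)
			if err != nil {
				// Keep the reject default rather than accept with an
				// undefined session length.
				log.Error().
					Err(err).
					Msgf("Error parsing SSH %d, check action with unparsable duration '%s'", index, sshACL.CheckPeriod)
			} else {
				action = *checkAction
			}
		default:
			log.Error().
				Msgf("Error parsing SSH %d, unknown action '%s'", index, sshACL.Action)

			// The outer err is nil at this point, so it must not be what is
			// returned here; report the bad action explicitly.
			return nil, fmt.Errorf(
				"%w: SSH %d has unknown action %q",
				errInvalidAction,
				index,
				sshACL.Action,
			)
		}

		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
		for innerIndex, rawSrc := range sshACL.Sources {
			expandedSrcs, err := expandAlias(
				machines,
				*h.aclPolicy,
				rawSrc,
				h.cfg.OIDC.StripEmaildomain,
			)
			if err != nil {
				log.Error().
					Err(err).
					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)

				return nil, err
			}
			for _, expandedSrc := range expandedSrcs {
				principals = append(principals, &tailcfg.SSHPrincipal{
					NodeIP: expandedSrc,
				})
			}
		}

		userMap := make(map[string]string, len(sshACL.Users))
		for _, user := range sshACL.Users {
			userMap[user] = "="
		}

		rules = append(rules, &tailcfg.SSHRule{
			RuleExpires: nil,
			Principals:  principals,
			SSHUsers:    userMap,
			Action:      &action,
		})
	}

	return rules, nil
}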
// sshCheckAction returns an accepting SSH action whose session is limited to
// duration, given in time.ParseDuration syntax (for example "12h"). The parse
// error is returned as is when the string is not a valid duration.
func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
	sessionLength, err := time.ParseDuration(duration)
	if err != nil {
		return nil, err
	}

	action := tailcfg.SSHAction{
		Message:                  "",
		Reject:                   false,
		Accept:                   true,
		SessionDuration:          sessionLength,
		AllowAgentForwarding:     false,
		HoldAndDelegate:          "",
		AllowLocalPortForwarding: true,
	}

	return &action, nil
}
// generateACLPolicySrc expands a single ACL source entry into the IP strings
// it stands for. It is a thin wrapper around expandAlias and returns its
// result and error unchanged.
func generateACLPolicySrc(
	machines []Machine,
	aclPolicy ACLPolicy,
	src string,
	stripEmaildomain bool,
) ([]string, error) {
	ips, err := expandAlias(machines, aclPolicy, src, stripEmaildomain)

	return ips, err
}
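// generateACLPolicyDest expands a single ACL destination entry ("alias:ports")
// into one NetPortRange per (IP, port range) pair.
//
// The last ":"-separated token is the port spec (see expandPorts); everything
// before it is the alias, which may itself contain one ":" (e.g. "tag:name").
// A destination must therefore have two or three tokens; anything else is
// errInvalidPortFormat, which also means a bare IPv6 literal cannot be used
// as the alias part. Errors from expandAlias and expandPorts are returned
// unchanged.
func generateACLPolicyDest(
	machines []Machine,
	aclPolicy ACLPolicy,
	dest string,
	needsWildcard bool,
	stripEmaildomain bool,
) ([]tailcfg.NetPortRange, error) {
	tokens := strings.Split(dest, ":")
	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
		return nil, errInvalidPortFormat
	}

	// We can have here stuff like:
	// git-server:*
	// 192.168.1.0/24:22
	// tag:montreal-webserver:80,443
	// tag:api-server:443
	// example-host-1:*
	// The port spec is always the last token; the alias is whatever precedes
	// it, re-joined so that "tag:name" keeps its colon.
	alias := strings.Join(tokens[:len(tokens)-1], ":")

	expanded, err := expandAlias(
		machines,
		aclPolicy,
		alias,
		stripEmaildomain,
	)
	if err != nil {
		return nil, err
	}

	ports, err := expandPorts(tokens[len(tokens)-1], needsWildcard)
	if err != nil {
		return nil, err
	}

	dests := make([]tailcfg.NetPortRange, 0, len(expanded)*len(*ports))
	for _, ip := range expanded {
		for _, portRange := range *ports {
			dests = append(dests, tailcfg.NetPortRange{
				IP:    ip,
				Ports: portRange,
			})
		}
	}

	return dests, nil
}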
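// parseProtocol reads the proto field of the ACL and generates a list of
// protocols that will be allowed, following the IANA IP protocol number
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
//
// If the ACL proto field is empty, nil is returned so the client applies its
// default, which allows ICMPv4, ICMPv6, TCP, and UDP, as per Tailscale
// behaviour (see tailcfg.FilterRule).
//
// Also returns a boolean indicating if the protocol
// requires all the destinations to use wildcard as port number (only TCP,
// UDP and SCTP support specifying ports).
//
// Names that are not known are parsed as a decimal protocol number; a value
// outside 0-255 (the width of the IP protocol field) is rejected rather than
// passed on into the filter rule.
func parseProtocol(protocol string) ([]int, bool, error) {
	// The protocol number is an 8-bit field in the IP header.
	const maxProtocolNumber = 255

	switch protocol {
	case "":
		return nil, false, nil
	case "igmp":
		return []int{protocolIGMP}, true, nil
	case "ipv4", "ip-in-ip":
		return []int{protocolIPv4}, true, nil
	case "tcp":
		return []int{protocolTCP}, false, nil
	case "egp":
		return []int{protocolEGP}, true, nil
	case "igp":
		return []int{protocolIGP}, true, nil
	case "udp":
		return []int{protocolUDP}, false, nil
	case "gre":
		return []int{protocolGRE}, true, nil
	case "esp":
		return []int{protocolESP}, true, nil
	case "ah":
		return []int{protocolAH}, true, nil
	case "sctp":
		return []int{protocolSCTP}, false, nil
	case "icmp":
		return []int{protocolICMP, protocolIPv6ICMP}, true, nil
	default:
		protocolNumber, err := strconv.Atoi(protocol)
		if err != nil {
			return nil, false, err
		}
		if protocolNumber < 0 || protocolNumber > maxProtocolNumber {
			return nil, false, fmt.Errorf(
				"protocol number %d is outside the valid range 0-%d",
				protocolNumber,
				maxProtocolNumber,
			)
		}

		// Only TCP, UDP and SCTP carry port numbers.
		needsWildcard := protocolNumber != protocolTCP &&
			protocolNumber != protocolUDP &&
			protocolNumber != protocolSCTP

		return []int{protocolNumber}, needsWildcard, nil
	}
}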
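// expandAlias has an input of either
//   - a user
//   - a group
//   - a tag
//   - a host
//   - an IP or a CIDR
//
// and transforms these into IP addresses (as strings). "*" is returned as is.
// Groups and tags are recognised by their prefix; everything else is first
// tried as a user, and only when that yields no IP as a host, an IP and a
// CIDR, in that order. When nothing matches, an empty slice and a nil error
// are returned after a warning.
//
// For tags, nodes carrying the tag as a forced tag are always included; nodes
// requesting the tag are included only when their user is one of the tag's
// owners. A tag with no TagOwner entry is an error wrapping errInvalidTag
// unless at least one node has it forced.
func expandAlias(
	machines []Machine,
	aclPolicy ACLPolicy,
	alias string,
	stripEmailDomain bool,
) ([]string, error) {
	ips := []string{}
	if alias == "*" {
		return []string{"*"}, nil
	}

	log.Debug().
		Str("alias", alias).
		Msg("Expanding")

	if strings.HasPrefix(alias, "group:") {
		users, err := expandGroup(aclPolicy, alias, stripEmailDomain)
		if err != nil {
			return ips, err
		}
		for _, user := range users {
			for _, node := range filterMachinesByUser(machines, user) {
				ips = append(ips, node.IPAddresses.ToStringSlice()...)
			}
		}

		return ips, nil
	}

	if strings.HasPrefix(alias, "tag:") {
		// check for forced tags
		for _, machine := range machines {
			if contains(machine.ForcedTags, alias) {
				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
			}
		}

		// find tag owners
		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
		if err != nil {
			if !errors.Is(err, errInvalidTag) {
				return ips, err
			}
			// No TagOwner entry: the tag is still usable when at least one
			// node carries it as a forced tag.
			if len(ips) == 0 {
				return ips, fmt.Errorf(
					"%w. %v isn't owned by a TagOwner and no forced tags are defined",
					errInvalidTag,
					alias,
				)
			}

			return ips, nil
		}

		// filter out machines per tag owner
		for _, owner := range owners {
			for _, machine := range filterMachinesByUser(machines, owner) {
				hi := machine.GetHostInfo()
				if contains(hi.RequestTags, alias) {
					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
				}
			}
		}

		return ips, nil
	}

	// if alias is a user
	nodes := filterMachinesByUser(machines, alias)
	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
	for _, node := range nodes {
		ips = append(ips, node.IPAddresses.ToStringSlice()...)
	}
	if len(ips) > 0 {
		return ips, nil
	}

	// if alias is a host
	if host, ok := aclPolicy.Hosts[alias]; ok {
		return []string{host.String()}, nil
	}

	// if alias is an IP
	if ip, err := netip.ParseAddr(alias); err == nil {
		return []string{ip.String()}, nil
	}

	// if alias is a CIDR
	if cidr, err := netip.ParsePrefix(alias); err == nil {
		return []string{cidr.String()}, nil
	}

	log.Warn().Msgf("No IPs found with the alias %v", alias)

	return ips, nil
}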
// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
// that are correctly tagged since they should not be listed as being in the user
// we assume in this function that we only have nodes from 1 user.
//
// A node is dropped when any tag it requests (from its HostInfo) is in the
// collected tag list, or when it has at least one forced tag.
func excludeCorrectlyTaggedNodes(
	aclPolicy ACLPolicy,
	nodes []Machine,
	user string,
	stripEmailDomain bool,
) []Machine {
	out := []Machine{}
	tags := []string{}
	for tag := range aclPolicy.TagOwners {
		// NOTE(review): expandTagOwners is called with `user` rather than
		// `tag`, and `user` is appended to the owners before the membership
		// test, so `contains(ns, user)` is always true and every tag in
		// TagOwners ends up in `tags` regardless of who owns it. In effect a
		// node requesting any known tag is excluded from its user. Confirm
		// whether that is the intended semantics before changing it, since
		// it decides which peers a user alias matches.
		owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain)
		ns := append(owners, user)
		if contains(ns, user) {
			tags = append(tags, tag)
		}
	}
	// for each machine if tag is in tags list, don't append it.
	for _, machine := range nodes {
		hi := machine.GetHostInfo()

		found := false
		for _, t := range hi.RequestTags {
			if contains(tags, t) {
				found = true

				break
			}
		}
		// Forced tags always take the node out of the user, whatever the
		// requested tags say.
		if len(machine.ForcedTags) > 0 {
			found = true
		}
		if !found {
			out = append(out, machine)
		}
	}

	return out
}
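// expandPorts parses the port part of a destination: "*" for the full
// 0-65535 range, or a comma-separated list of single ports and "first-last"
// ranges (e.g. "22,80-443"), each parsed as a base-10 uint16.
//
// When needsWildcard is set (the protocol does not carry ports) only "*" is
// accepted and anything else is errWildcardIsNeeded. Entries with more than
// one "-" and inverted ranges (first > last) yield errInvalidPortFormat;
// numbers that do not fit a uint16 return the strconv error.
func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
	if portsStr == "*" {
		return &[]tailcfg.PortRange{
			{First: portRangeBegin, Last: portRangeEnd},
		}, nil
	}

	if needsWildcard {
		return nil, errWildcardIsNeeded
	}

	ports := []tailcfg.PortRange{}
	for _, portStr := range strings.Split(portsStr, ",") {
		bounds := strings.Split(portStr, "-")
		switch len(bounds) {
		case 1:
			port, err := strconv.ParseUint(bounds[0], Base10, BitSize16)
			if err != nil {
				return nil, err
			}
			ports = append(ports, tailcfg.PortRange{
				First: uint16(port),
				Last:  uint16(port),
			})

		case expectedTokenItems:
			first, err := strconv.ParseUint(bounds[0], Base10, BitSize16)
			if err != nil {
				return nil, err
			}
			last, err := strconv.ParseUint(bounds[1], Base10, BitSize16)
			if err != nil {
				return nil, err
			}
			// An inverted range such as "443-80" cannot match any port and
			// would otherwise be passed on silently.
			if first > last {
				return nil, errInvalidPortFormat
			}
			ports = append(ports, tailcfg.PortRange{
				First: uint16(first),
				Last:  uint16(last),
			})

		default:
			return nil, errInvalidPortFormat
		}
	}

	return &ports, nil
}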
// filterMachinesByUser returns the machines whose User.Name equals user, in
// input order. The result is an empty, non-nil slice when nothing matches.
func filterMachinesByUser(machines []Machine, user string) []Machine {
	matches := make([]Machine, 0)
	// Index rather than range-copy: Machine is a struct and only the
	// matches need to be copied out.
	for i := range machines {
		if machines[i].User.Name != user {
			continue
		}
		matches = append(matches, machines[i])
	}

	return matches
}
// expandTagOwners will return a list of users. An owner can be either a user
// or a group; a group cannot be composed of groups.
//
// A tag absent from aclPolicy.TagOwners yields an error wrapping
// errInvalidTag (callers test it with errors.Is). Group owners are expanded
// with expandGroup and their error is returned unchanged. On success the
// slice is nil when the tag lists no owners.
func expandTagOwners(
	aclPolicy ACLPolicy,
	tag string,
	stripEmailDomain bool,
) ([]string, error) {
	rawOwners, found := aclPolicy.TagOwners[tag]
	if !found {
		return []string{}, fmt.Errorf(
			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
			errInvalidTag,
			tag,
		)
	}

	var owners []string
	for _, owner := range rawOwners {
		if !strings.HasPrefix(owner, "group:") {
			owners = append(owners, owner)

			continue
		}

		members, err := expandGroup(aclPolicy, owner, stripEmailDomain)
		if err != nil {
			return []string{}, err
		}
		owners = append(owners, members...)
	}

	return owners, nil
}
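// expandGroup will return the list of users inside the group
// after some validation.
//
// The group must exist in aclPolicy.Groups and must not contain other groups;
// every member is normalized with NormalizeToFQDNRules. All failures wrap
// errInvalidGroup, and a normalization failure also carries the underlying
// error in its message.
func expandGroup(
	aclPolicy ACLPolicy,
	group string,
	stripEmailDomain bool,
) ([]string, error) {
	outGroups := []string{}
	aclGroups, ok := aclPolicy.Groups[group]
	if !ok {
		return []string{}, fmt.Errorf(
			"group %v isn't registered. %w",
			group,
			errInvalidGroup,
		)
	}

	// member is one entry of the group, kept distinct from the group name
	// so the messages below are unambiguous.
	for _, member := range aclGroups {
		if strings.HasPrefix(member, "group:") {
			return []string{}, fmt.Errorf(
				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
				errInvalidGroup,
			)
		}

		normalized, err := NormalizeToFQDNRules(member, stripEmailDomain)
		if err != nil {
			// Include the normalization error in the message; the wrapped
			// sentinel stays errInvalidGroup for errors.Is.
			return []string{}, fmt.Errorf(
				"failed to normalize group %q, err: %v: %w",
				member,
				err,
				errInvalidGroup,
			)
		}
		outGroups = append(outGroups, normalized)
	}

	return outGroups, nil
}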