outline tests for full filter generate

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby 2023-04-26 14:04:12 +02:00 committed by Juan Font
parent 200e3b88cc
commit 1700a747f6
3 changed files with 132 additions and 3 deletions

View file

@ -228,7 +228,7 @@ func expandACLPeerAddr(srcIP string) []string {
// set of Tailscale compatible FilterRules used to allow traffic on clients.
func (pol *ACLPolicy) generateFilterRules(
machines []Machine,
stripEmaildomain bool,
stripEmailDomain bool,
) ([]tailcfg.FilterRule, error) {
rules := []tailcfg.FilterRule{}
@ -239,7 +239,7 @@ func (pol *ACLPolicy) generateFilterRules(
srcIPs := []string{}
for srcIndex, src := range acl.Sources {
srcs, err := pol.getIPsFromSource(src, machines, stripEmaildomain)
srcs, err := pol.getIPsFromSource(src, machines, stripEmailDomain)
if err != nil {
log.Error().
Interface("src", src).
@ -266,7 +266,7 @@ func (pol *ACLPolicy) generateFilterRules(
dest,
machines,
needsWildcard,
stripEmaildomain,
stripEmailDomain,
)
if err != nil {
log.Error().
@ -569,6 +569,7 @@ func (pol *ACLPolicy) expandAlias(
}
// if alias is an host
// Note, this is recursive.
if h, ok := pol.Hosts[alias]; ok {
log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")

View file

@ -6,6 +6,8 @@ import (
"reflect"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/rs/zerolog/log"
"gopkg.in/check.v1"
"tailscale.com/envknob"
"tailscale.com/tailcfg"
@ -1793,3 +1795,128 @@ func Test_expandACLPeerAddrV6(t *testing.T) {
})
}
}
func TestACLPolicy_generateFilterRules(t *testing.T) {
type field struct {
pol ACLPolicy
}
type args struct {
machines []Machine
stripEmailDomain bool
}
tests := []struct {
name string
field field
args args
want []tailcfg.FilterRule
wantErr bool
}{
{
name: "no-policy",
field: field{},
args: args{},
want: []tailcfg.FilterRule{},
wantErr: false,
},
{
name: "simple group",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
},
},
args: args{
machines: []Machine{},
stripEmailDomain: true,
},
want: []tailcfg.FilterRule{
{
SrcIPs: []string{"*"},
DstPorts: []tailcfg.NetPortRange{
{
IP: "*",
Ports: tailcfg.PortRange{
First: 0,
Last: 65535,
},
},
},
},
},
wantErr: false,
},
{
name: "simple host by ipv4 single dual stack",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"100.64.0.1"},
Destinations: []string{"100.64.0.2:*"},
},
},
},
},
args: args{
machines: []Machine{
{
IPAddresses: MachineAddresses{
netip.MustParseAddr("10.0.0.1"),
netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"),
},
User: User{Name: "mickael"},
},
{
IPAddresses: MachineAddresses{
netip.MustParseAddr("10.0.0.2"),
netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2222"),
},
User: User{Name: "mickael"},
},
},
stripEmailDomain: true,
},
// [{"SrcIPs":["100.64.0.1"],"DstPorts":[{"IP":"100.64.0.2","Bits":null,"Ports":{"First":0,"Last":65535}}]}]
want: []tailcfg.FilterRule{
{
SrcIPs: []string{"100.64.0.1"},
DstPorts: []tailcfg.NetPortRange{
{
IP: "100.64.0.2",
Ports: tailcfg.PortRange{
First: 0,
Last: 65535,
},
},
},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := tt.field.pol.generateFilterRules(
tt.args.machines,
tt.args.stripEmailDomain,
)
if (err != nil) != tt.wantErr {
t.Errorf("ACLPolicy.generateFilterRules() error = %v, wantErr %v", err, tt.wantErr)
return
}
if diff := cmp.Diff(tt.want, got); diff != "" {
log.Trace().Interface("got", got).Msg("result")
t.Errorf("ACLPolicy.generateFilterRules() = %v, want %v", got, tt.want)
}
})
}
}

View file

@ -99,6 +99,7 @@
goreleaser
nfpm
gotestsum
gotests
# 'dot' is needed for pprof graphs
# go tool pprof -http=: <source>