use json in TestReduceFilterRules test

This is to allow for the tests to be run with
the new upcoming parser to ensure we get the
same input.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Kristoffer Dalby 2024-10-17 01:23:44 +02:00
parent 03fd7f31b4
commit 662dfbf423


@ -2112,20 +2112,27 @@ func TestReduceFilterRules(t *testing.T) {
name string name string
node *types.Node node *types.Node
peers types.Nodes peers types.Nodes
pol ACLPolicy pol string
want []tailcfg.FilterRule want []tailcfg.FilterRule
}{ }{
{ {
name: "host1-can-reach-host2-no-rules", name: "host1-can-reach-host2-no-rules",
pol: ACLPolicy{ pol: `
ACLs: []ACL{ {
{ "acls": [
Action: "accept", {
Sources: []string{"100.64.0.1"}, "action": "accept",
Destinations: []string{"100.64.0.2:*"}, "proto": "",
}, "src": [
}, "100.64.0.1"
}, ],
"dst": [
"100.64.0.2:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.1"), IPv4: iap("100.64.0.1"),
IPv6: iap("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"), IPv6: iap("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"),
@ -2142,23 +2149,37 @@ func TestReduceFilterRules(t *testing.T) {
}, },
{ {
name: "1604-subnet-routers-are-preserved", name: "1604-subnet-routers-are-preserved",
pol: ACLPolicy{ pol: `
Groups: Groups{ {
"group:admins": {"user1"}, "groups": {
}, "group:admins": [
ACLs: []ACL{ "user1"
{ ]
Action: "accept", },
Sources: []string{"group:admins"}, "acls": [
Destinations: []string{"group:admins:*"}, {
}, "action": "accept",
{ "proto": "",
Action: "accept", "src": [
Sources: []string{"group:admins"}, "group:admins"
Destinations: []string{"10.33.0.0/16:*"}, ],
}, "dst": [
}, "group:admins:*"
}, ]
},
{
"action": "accept",
"proto": "",
"src": [
"group:admins"
],
"dst": [
"10.33.0.0/16:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.1"), IPv4: iap("100.64.0.1"),
IPv6: iap("fd7a:115c:a1e0::1"), IPv6: iap("fd7a:115c:a1e0::1"),
@ -2213,31 +2234,42 @@ func TestReduceFilterRules(t *testing.T) {
}, },
{ {
name: "1786-reducing-breaks-exit-nodes-the-client", name: "1786-reducing-breaks-exit-nodes-the-client",
pol: ACLPolicy{ pol: `
Hosts: Hosts{ {
// Exit node "groups": {
"internal": netip.MustParsePrefix("100.64.0.100/32"), "group:team": [
}, "user3",
Groups: Groups{ "user2",
"group:team": {"user3", "user2", "user1"}, "user1"
}, ]
ACLs: []ACL{ },
{ "hosts": {
Action: "accept", "internal": "100.64.0.100/32"
Sources: []string{"group:team"}, },
Destinations: []string{ "acls": [
"internal:*", {
}, "action": "accept",
}, "proto": "",
{ "src": [
Action: "accept", "group:team"
Sources: []string{"group:team"}, ],
Destinations: []string{ "dst": [
"autogroup:internet:*", "internal:*"
}, ]
}, },
}, {
}, "action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"autogroup:internet:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.1"), IPv4: iap("100.64.0.1"),
IPv6: iap("fd7a:115c:a1e0::1"), IPv6: iap("fd7a:115c:a1e0::1"),
@ -2263,31 +2295,42 @@ func TestReduceFilterRules(t *testing.T) {
}, },
{ {
name: "1786-reducing-breaks-exit-nodes-the-exit", name: "1786-reducing-breaks-exit-nodes-the-exit",
pol: ACLPolicy{ pol: `
Hosts: Hosts{ {
// Exit node "groups": {
"internal": netip.MustParsePrefix("100.64.0.100/32"), "group:team": [
}, "user3",
Groups: Groups{ "user2",
"group:team": {"user3", "user2", "user1"}, "user1"
}, ]
ACLs: []ACL{ },
{ "hosts": {
Action: "accept", "internal": "100.64.0.100/32"
Sources: []string{"group:team"}, },
Destinations: []string{ "acls": [
"internal:*", {
}, "action": "accept",
}, "proto": "",
{ "src": [
Action: "accept", "group:team"
Sources: []string{"group:team"}, ],
Destinations: []string{ "dst": [
"autogroup:internet:*", "internal:*"
}, ]
}, },
}, {
}, "action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"autogroup:internet:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.100"), IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"), IPv6: iap("fd7a:115c:a1e0::100"),
@ -2340,60 +2383,71 @@ func TestReduceFilterRules(t *testing.T) {
}, },
{ {
name: "1786-reducing-breaks-exit-nodes-the-example-from-issue", name: "1786-reducing-breaks-exit-nodes-the-example-from-issue",
pol: ACLPolicy{ pol: `
Hosts: Hosts{ {
// Exit node "groups": {
"internal": netip.MustParsePrefix("100.64.0.100/32"), "group:team": [
}, "user3",
Groups: Groups{ "user2",
"group:team": {"user3", "user2", "user1"}, "user1"
}, ]
ACLs: []ACL{ },
{ "hosts": {
Action: "accept", "internal": "100.64.0.100/32"
Sources: []string{"group:team"}, },
Destinations: []string{ "acls": [
"internal:*", {
}, "action": "accept",
}, "proto": "",
{ "src": [
Action: "accept", "group:team"
Sources: []string{"group:team"}, ],
Destinations: []string{ "dst": [
"0.0.0.0/5:*", "internal:*"
"8.0.0.0/7:*", ]
"11.0.0.0/8:*", },
"12.0.0.0/6:*", {
"16.0.0.0/4:*", "action": "accept",
"32.0.0.0/3:*", "proto": "",
"64.0.0.0/2:*", "src": [
"128.0.0.0/3:*", "group:team"
"160.0.0.0/5:*", ],
"168.0.0.0/6:*", "dst": [
"172.0.0.0/12:*", "0.0.0.0/5:*",
"172.32.0.0/11:*", "8.0.0.0/7:*",
"172.64.0.0/10:*", "11.0.0.0/8:*",
"172.128.0.0/9:*", "12.0.0.0/6:*",
"173.0.0.0/8:*", "16.0.0.0/4:*",
"174.0.0.0/7:*", "32.0.0.0/3:*",
"176.0.0.0/4:*", "64.0.0.0/2:*",
"192.0.0.0/9:*", "128.0.0.0/3:*",
"192.128.0.0/11:*", "160.0.0.0/5:*",
"192.160.0.0/13:*", "168.0.0.0/6:*",
"192.169.0.0/16:*", "172.0.0.0/12:*",
"192.170.0.0/15:*", "172.32.0.0/11:*",
"192.172.0.0/14:*", "172.64.0.0/10:*",
"192.176.0.0/12:*", "172.128.0.0/9:*",
"192.192.0.0/10:*", "173.0.0.0/8:*",
"193.0.0.0/8:*", "174.0.0.0/7:*",
"194.0.0.0/7:*", "176.0.0.0/4:*",
"196.0.0.0/6:*", "192.0.0.0/9:*",
"200.0.0.0/5:*", "192.128.0.0/11:*",
"208.0.0.0/4:*", "192.160.0.0/13:*",
}, "192.169.0.0/16:*",
}, "192.170.0.0/15:*",
}, "192.172.0.0/14:*",
}, "192.176.0.0/12:*",
"192.192.0.0/10:*",
"193.0.0.0/8:*",
"194.0.0.0/7:*",
"196.0.0.0/6:*",
"200.0.0.0/5:*",
"208.0.0.0/4:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.100"), IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"), IPv6: iap("fd7a:115c:a1e0::100"),
@ -2480,32 +2534,43 @@ func TestReduceFilterRules(t *testing.T) {
}, },
{ {
name: "1786-reducing-breaks-exit-nodes-app-connector-like", name: "1786-reducing-breaks-exit-nodes-app-connector-like",
pol: ACLPolicy{ pol: `
Hosts: Hosts{ {
// Exit node "groups": {
"internal": netip.MustParsePrefix("100.64.0.100/32"), "group:team": [
}, "user3",
Groups: Groups{ "user2",
"group:team": {"user3", "user2", "user1"}, "user1"
}, ]
ACLs: []ACL{ },
{ "hosts": {
Action: "accept", "internal": "100.64.0.100/32"
Sources: []string{"group:team"}, },
Destinations: []string{ "acls": [
"internal:*", {
}, "action": "accept",
}, "proto": "",
{ "src": [
Action: "accept", "group:team"
Sources: []string{"group:team"}, ],
Destinations: []string{ "dst": [
"8.0.0.0/8:*", "internal:*"
"16.0.0.0/8:*", ]
}, },
}, {
}, "action": "accept",
}, "proto": "",
"src": [
"group:team"
],
"dst": [
"8.0.0.0/8:*",
"16.0.0.0/8:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.100"), IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"), IPv6: iap("fd7a:115c:a1e0::100"),
@ -2570,32 +2635,43 @@ func TestReduceFilterRules(t *testing.T) {
}, },
{ {
name: "1786-reducing-breaks-exit-nodes-app-connector-like2", name: "1786-reducing-breaks-exit-nodes-app-connector-like2",
pol: ACLPolicy{ pol: `
Hosts: Hosts{ {
// Exit node "groups": {
"internal": netip.MustParsePrefix("100.64.0.100/32"), "group:team": [
}, "user3",
Groups: Groups{ "user2",
"group:team": {"user3", "user2", "user1"}, "user1"
}, ]
ACLs: []ACL{ },
{ "hosts": {
Action: "accept", "internal": "100.64.0.100/32"
Sources: []string{"group:team"}, },
Destinations: []string{ "acls": [
"internal:*", {
}, "action": "accept",
}, "proto": "",
{ "src": [
Action: "accept", "group:team"
Sources: []string{"group:team"}, ],
Destinations: []string{ "dst": [
"8.0.0.0/16:*", "internal:*"
"16.0.0.0/16:*", ]
}, },
}, {
}, "action": "accept",
}, "proto": "",
"src": [
"group:team"
],
"dst": [
"8.0.0.0/16:*",
"16.0.0.0/16:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.100"), IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"), IPv6: iap("fd7a:115c:a1e0::100"),
@ -2660,25 +2736,32 @@ func TestReduceFilterRules(t *testing.T) {
}, },
{ {
name: "1817-reduce-breaks-32-mask", name: "1817-reduce-breaks-32-mask",
pol: ACLPolicy{ pol: `
Hosts: Hosts{ {
"vlan1": netip.MustParsePrefix("172.16.0.0/24"), "groups": {
"dns1": netip.MustParsePrefix("172.16.0.21/32"), "group:access": [
}, "user1"
Groups: Groups{ ]
"group:access": {"user1"}, },
}, "hosts": {
ACLs: []ACL{ "dns1": "172.16.0.21/32",
{ "vlan1": "172.16.0.0/24"
Action: "accept", },
Sources: []string{"group:access"}, "acls": [
Destinations: []string{ {
"tag:access-servers:*", "action": "accept",
"dns1:*", "proto": "",
}, "src": [
}, "group:access"
}, ],
}, "dst": [
"tag:access-servers:*",
"dns1:*"
]
}
],
}
`,
node: &types.Node{ node: &types.Node{
IPv4: iap("100.64.0.100"), IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"), IPv6: iap("fd7a:115c:a1e0::100"),
@ -2719,7 +2802,11 @@ func TestReduceFilterRules(t *testing.T) {
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got, _ := tt.pol.CompileFilterRules( pol, err := LoadACLPolicyFromBytes([]byte(tt.pol))
if err != nil {
t.Fatalf("parsing policy: %s", err)
}
got, _ := pol.CompileFilterRules(
users, users,
append(tt.peers, tt.node), append(tt.peers, tt.node),
) )