simplify expandAlias function, move seperate logic out

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby 2023-04-26 10:58:26 +02:00 committed by Juan Font
parent b23a9153df
commit 6de53e2f8d
4 changed files with 266 additions and 175 deletions

261
acls.go
View file

@ -338,9 +338,8 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources)) principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
for innerIndex, rawSrc := range sshACL.Sources { for innerIndex, rawSrc := range sshACL.Sources {
expandedSrcs, err := expandAlias( expandedSrcs, err := h.aclPolicy.expandAlias(
machines, machines,
*h.aclPolicy,
rawSrc, rawSrc,
h.cfg.OIDC.StripEmaildomain, h.cfg.OIDC.StripEmaildomain,
) )
@ -391,16 +390,16 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
func generateACLPolicySrc( func generateACLPolicySrc(
machines []Machine, machines []Machine,
aclPolicy ACLPolicy, pol ACLPolicy,
src string, src string,
stripEmaildomain bool, stripEmaildomain bool,
) ([]string, error) { ) ([]string, error) {
return expandAlias(machines, aclPolicy, src, stripEmaildomain) return pol.expandAlias(machines, src, stripEmaildomain)
} }
func generateACLPolicyDest( func generateACLPolicyDest(
machines []Machine, machines []Machine,
aclPolicy ACLPolicy, pol ACLPolicy,
dest string, dest string,
needsWildcard bool, needsWildcard bool,
stripEmaildomain bool, stripEmaildomain bool,
@ -448,9 +447,8 @@ func generateACLPolicyDest(
alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1]) alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
} }
expanded, err := expandAlias( expanded, err := pol.expandAlias(
machines, machines,
aclPolicy,
alias, alias,
stripEmaildomain, stripEmaildomain,
) )
@ -534,13 +532,11 @@ func parseProtocol(protocol string) ([]int, bool, error) {
// - an ip // - an ip
// - a cidr // - a cidr
// and transform these in IPAddresses. // and transform these in IPAddresses.
func expandAlias( func (pol *ACLPolicy) expandAlias(
machines Machines, machines Machines,
aclPolicy ACLPolicy,
alias string, alias string,
stripEmailDomain bool, stripEmailDomain bool,
) ([]string, error) { ) ([]string, error) {
ips := []string{}
if alias == "*" { if alias == "*" {
return []string{"*"}, nil return []string{"*"}, nil
} }
@ -549,120 +545,48 @@ func expandAlias(
Str("alias", alias). Str("alias", alias).
Msg("Expanding") Msg("Expanding")
// if alias is a group
if strings.HasPrefix(alias, "group:") { if strings.HasPrefix(alias, "group:") {
users, err := expandGroup(aclPolicy, alias, stripEmailDomain) return pol.getIPsFromGroup(alias, machines, stripEmailDomain)
if err != nil {
return ips, err
}
for _, n := range users {
nodes := filterMachinesByUser(machines, n)
for _, node := range nodes {
ips = append(ips, node.IPAddresses.ToStringSlice()...)
}
}
return ips, nil
} }
// if alias is a tag
if strings.HasPrefix(alias, "tag:") { if strings.HasPrefix(alias, "tag:") {
// check for forced tags return pol.getIPsFromTag(alias, machines, stripEmailDomain)
for _, machine := range machines {
if contains(machine.ForcedTags, alias) {
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
}
}
// find tag owners
owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
if err != nil {
if errors.Is(err, errInvalidTag) {
if len(ips) == 0 {
return ips, fmt.Errorf(
"%w. %v isn't owned by a TagOwner and no forced tags are defined",
errInvalidTag,
alias,
)
}
return ips, nil
} else {
return ips, err
}
}
// filter out machines per tag owner
for _, user := range owners {
machines := filterMachinesByUser(machines, user)
for _, machine := range machines {
hi := machine.GetHostInfo()
if contains(hi.RequestTags, alias) {
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
}
}
}
return ips, nil
} }
// if alias is a user // if alias is a user
nodes := filterMachinesByUser(machines, alias) if ips := pol.getIPsForUser(alias, machines, stripEmailDomain); len(ips) > 0 {
nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
for _, n := range nodes {
ips = append(ips, n.IPAddresses.ToStringSlice()...)
}
if len(ips) > 0 {
return ips, nil return ips, nil
} }
// if alias is an host // if alias is an host
if h, ok := aclPolicy.Hosts[alias]; ok { if h, ok := pol.Hosts[alias]; ok {
log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry") log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
return expandAlias(machines, aclPolicy, h.String(), stripEmailDomain) return pol.expandAlias(machines, h.String(), stripEmailDomain)
} }
// if alias is an IP // if alias is an IP
if ip, err := netip.ParseAddr(alias); err == nil { if ip, err := netip.ParseAddr(alias); err == nil {
log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip") return pol.getIPsFromSingleIP(ip, machines)
ips := []string{ip.String()}
matches := machines.FilterByIP(ip)
for _, machine := range matches {
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
} }
return lo.Uniq(ips), nil // if alias is an IP Prefix (CIDR)
} if prefix, err := netip.ParsePrefix(alias); err == nil {
return pol.getIPsFromIPPrefix(prefix, machines)
if cidr, err := netip.ParsePrefix(alias); err == nil {
log.Trace().Str("cidr", cidr.String()).Msg("expandAlias got cidr")
val := []string{cidr.String()}
// This is suboptimal and quite expensive, but if we only add the cidr, we will miss all the relevant IPv6
// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
for _, machine := range machines {
for _, ip := range machine.IPAddresses {
// log.Trace().
// Msgf("checking if machine ip (%s) is part of cidr (%s): %v, is single ip cidr (%v), addr: %s", ip.String(), cidr.String(), cidr.Contains(ip), cidr.IsSingleIP(), cidr.Addr().String())
if cidr.Contains(ip) {
val = append(val, machine.IPAddresses.ToStringSlice()...)
}
}
}
return lo.Uniq(val), nil
} }
log.Warn().Msgf("No IPs found with the alias %v", alias) log.Warn().Msgf("No IPs found with the alias %v", alias)
return ips, nil return []string{}, nil
} }
// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones // excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
// that are correctly tagged since they should not be listed as being in the user // that are correctly tagged since they should not be listed as being in the user
// we assume in this function that we only have nodes from 1 user. // we assume in this function that we only have nodes from 1 user.
func excludeCorrectlyTaggedNodes( func excludeCorrectlyTaggedNodes(
aclPolicy ACLPolicy, aclPolicy *ACLPolicy,
nodes []Machine, nodes []Machine,
user string, user string,
stripEmailDomain bool, stripEmailDomain bool,
@ -670,7 +594,7 @@ func excludeCorrectlyTaggedNodes(
out := []Machine{} out := []Machine{}
tags := []string{} tags := []string{}
for tag := range aclPolicy.TagOwners { for tag := range aclPolicy.TagOwners {
owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain) owners, _ := getTagOwners(aclPolicy, user, stripEmailDomain)
ns := append(owners, user) ns := append(owners, user)
if contains(ns, user) { if contains(ns, user) {
tags = append(tags, tag) tags = append(tags, tag)
@ -758,15 +682,15 @@ func filterMachinesByUser(machines []Machine, user string) []Machine {
return out return out
} }
// expandTagOwners will return a list of user. An owner can be either a user or a group // getTagOwners will return a list of user. An owner can be either a user or a group
// a group cannot be composed of groups. // a group cannot be composed of groups.
func expandTagOwners( func getTagOwners(
aclPolicy ACLPolicy, pol *ACLPolicy,
tag string, tag string,
stripEmailDomain bool, stripEmailDomain bool,
) ([]string, error) { ) ([]string, error) {
var owners []string var owners []string
ows, ok := aclPolicy.TagOwners[tag] ows, ok := pol.TagOwners[tag]
if !ok { if !ok {
return []string{}, fmt.Errorf( return []string{}, fmt.Errorf(
"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners", "%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
@ -776,7 +700,7 @@ func expandTagOwners(
} }
for _, owner := range ows { for _, owner := range ows {
if strings.HasPrefix(owner, "group:") { if strings.HasPrefix(owner, "group:") {
gs, err := expandGroup(aclPolicy, owner, stripEmailDomain) gs, err := pol.getUsersInGroup(owner, stripEmailDomain)
if err != nil { if err != nil {
return []string{}, err return []string{}, err
} }
@ -789,15 +713,15 @@ func expandTagOwners(
return owners, nil return owners, nil
} }
// expandGroup will return the list of user inside the group // getUsersInGroup will return the list of user inside the group
// after some validation. // after some validation.
func expandGroup( func (pol *ACLPolicy) getUsersInGroup(
aclPolicy ACLPolicy,
group string, group string,
stripEmailDomain bool, stripEmailDomain bool,
) ([]string, error) { ) ([]string, error) {
outGroups := []string{} users := []string{}
aclGroups, ok := aclPolicy.Groups[group] log.Trace().Caller().Interface("pol", pol).Msg("test")
aclGroups, ok := pol.Groups[group]
if !ok { if !ok {
return []string{}, fmt.Errorf( return []string{}, fmt.Errorf(
"group %v isn't registered. %w", "group %v isn't registered. %w",
@ -820,8 +744,129 @@ func expandGroup(
errInvalidGroup, errInvalidGroup,
) )
} }
outGroups = append(outGroups, grp) users = append(users, grp)
} }
return outGroups, nil return users, nil
}
func (pol *ACLPolicy) getIPsFromGroup(
group string,
machines Machines,
stripEmailDomain bool,
) ([]string, error) {
ips := []string{}
users, err := pol.getUsersInGroup(group, stripEmailDomain)
if err != nil {
return ips, err
}
for _, n := range users {
nodes := filterMachinesByUser(machines, n)
for _, node := range nodes {
ips = append(ips, node.IPAddresses.ToStringSlice()...)
}
}
return ips, nil
}
func (pol *ACLPolicy) getIPsFromTag(
alias string,
machines Machines,
stripEmailDomain bool,
) ([]string, error) {
ips := []string{}
// check for forced tags
for _, machine := range machines {
if contains(machine.ForcedTags, alias) {
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
}
}
// find tag owners
owners, err := getTagOwners(pol, alias, stripEmailDomain)
if err != nil {
if errors.Is(err, errInvalidTag) {
if len(ips) == 0 {
return ips, fmt.Errorf(
"%w. %v isn't owned by a TagOwner and no forced tags are defined",
errInvalidTag,
alias,
)
}
return ips, nil
} else {
return ips, err
}
}
// filter out machines per tag owner
for _, user := range owners {
machines := filterMachinesByUser(machines, user)
for _, machine := range machines {
hi := machine.GetHostInfo()
if contains(hi.RequestTags, alias) {
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
}
}
}
return ips, nil
}
func (pol *ACLPolicy) getIPsForUser(
user string,
machines Machines,
stripEmailDomain bool,
) []string {
ips := []string{}
nodes := filterMachinesByUser(machines, user)
nodes = excludeCorrectlyTaggedNodes(pol, nodes, user, stripEmailDomain)
for _, n := range nodes {
ips = append(ips, n.IPAddresses.ToStringSlice()...)
}
return ips
}
func (pol *ACLPolicy) getIPsFromSingleIP(
ip netip.Addr,
machines Machines,
) ([]string, error) {
log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
ips := []string{ip.String()}
matches := machines.FilterByIP(ip)
for _, machine := range matches {
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
}
return lo.Uniq(ips), nil
}
func (pol *ACLPolicy) getIPsFromIPPrefix(
prefix netip.Prefix,
machines Machines,
) ([]string, error) {
log.Trace().Str("prefix", prefix.String()).Msg("expandAlias got prefix")
val := []string{prefix.String()}
// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
for _, machine := range machines {
for _, ip := range machine.IPAddresses {
// log.Trace().
// Msgf("checking if machine ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
if prefix.Contains(ip) {
val = append(val, machine.IPAddresses.ToStringSlice()...)
}
}
}
return lo.Uniq(val), nil
} }

View file

@ -556,26 +556,31 @@ func (s *Suite) TestPortGroup(c *check.C) {
} }
func Test_expandGroup(t *testing.T) { func Test_expandGroup(t *testing.T) {
type field struct {
pol ACLPolicy
}
type args struct { type args struct {
aclPolicy ACLPolicy
group string group string
stripEmailDomain bool stripEmailDomain bool
} }
tests := []struct { tests := []struct {
name string name string
field field
args args args args
want []string want []string
wantErr bool wantErr bool
}{ }{
{ {
name: "simple test", name: "simple test",
args: args{ field: field{
aclPolicy: ACLPolicy{ pol: ACLPolicy{
Groups: Groups{ Groups: Groups{
"group:test": []string{"user1", "user2", "user3"}, "group:test": []string{"user1", "user2", "user3"},
"group:foo": []string{"user2", "user3"}, "group:foo": []string{"user2", "user3"},
}, },
}, },
},
args: args{
group: "group:test", group: "group:test",
stripEmailDomain: true, stripEmailDomain: true,
}, },
@ -584,13 +589,15 @@ func Test_expandGroup(t *testing.T) {
}, },
{ {
name: "InexistantGroup", name: "InexistantGroup",
args: args{ field: field{
aclPolicy: ACLPolicy{ pol: ACLPolicy{
Groups: Groups{ Groups: Groups{
"group:test": []string{"user1", "user2", "user3"}, "group:test": []string{"user1", "user2", "user3"},
"group:foo": []string{"user2", "user3"}, "group:foo": []string{"user2", "user3"},
}, },
}, },
},
args: args{
group: "group:undefined", group: "group:undefined",
stripEmailDomain: true, stripEmailDomain: true,
}, },
@ -599,8 +606,8 @@ func Test_expandGroup(t *testing.T) {
}, },
{ {
name: "Expand emails in group", name: "Expand emails in group",
args: args{ field: field{
aclPolicy: ACLPolicy{ pol: ACLPolicy{
Groups: Groups{ Groups: Groups{
"group:admin": []string{ "group:admin": []string{
"joe.bar@gmail.com", "joe.bar@gmail.com",
@ -608,6 +615,8 @@ func Test_expandGroup(t *testing.T) {
}, },
}, },
}, },
},
args: args{
group: "group:admin", group: "group:admin",
stripEmailDomain: true, stripEmailDomain: true,
}, },
@ -616,8 +625,8 @@ func Test_expandGroup(t *testing.T) {
}, },
{ {
name: "Expand emails in group", name: "Expand emails in group",
args: args{ field: field{
aclPolicy: ACLPolicy{ pol: ACLPolicy{
Groups: Groups{ Groups: Groups{
"group:admin": []string{ "group:admin": []string{
"joe.bar@gmail.com", "joe.bar@gmail.com",
@ -625,6 +634,8 @@ func Test_expandGroup(t *testing.T) {
}, },
}, },
}, },
},
args: args{
group: "group:admin", group: "group:admin",
stripEmailDomain: false, stripEmailDomain: false,
}, },
@ -634,8 +645,7 @@ func Test_expandGroup(t *testing.T) {
} }
for _, test := range tests { for _, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
got, err := expandGroup( got, err := test.field.pol.getUsersInGroup(
test.args.aclPolicy,
test.args.group, test.args.group,
test.args.stripEmailDomain, test.args.stripEmailDomain,
) )
@ -653,7 +663,7 @@ func Test_expandGroup(t *testing.T) {
func Test_expandTagOwners(t *testing.T) { func Test_expandTagOwners(t *testing.T) {
type args struct { type args struct {
aclPolicy ACLPolicy aclPolicy *ACLPolicy
tag string tag string
stripEmailDomain bool stripEmailDomain bool
} }
@ -666,7 +676,7 @@ func Test_expandTagOwners(t *testing.T) {
{ {
name: "simple tag expansion", name: "simple tag expansion",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
TagOwners: TagOwners{"tag:test": []string{"user1"}}, TagOwners: TagOwners{"tag:test": []string{"user1"}},
}, },
tag: "tag:test", tag: "tag:test",
@ -678,7 +688,7 @@ func Test_expandTagOwners(t *testing.T) {
{ {
name: "expand with tag and group", name: "expand with tag and group",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
Groups: Groups{"group:foo": []string{"user1", "user2"}}, Groups: Groups{"group:foo": []string{"user1", "user2"}},
TagOwners: TagOwners{"tag:test": []string{"group:foo"}}, TagOwners: TagOwners{"tag:test": []string{"group:foo"}},
}, },
@ -691,7 +701,7 @@ func Test_expandTagOwners(t *testing.T) {
{ {
name: "expand with user and group", name: "expand with user and group",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
Groups: Groups{"group:foo": []string{"user1", "user2"}}, Groups: Groups{"group:foo": []string{"user1", "user2"}},
TagOwners: TagOwners{"tag:test": []string{"group:foo", "user3"}}, TagOwners: TagOwners{"tag:test": []string{"group:foo", "user3"}},
}, },
@ -704,7 +714,7 @@ func Test_expandTagOwners(t *testing.T) {
{ {
name: "invalid tag", name: "invalid tag",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
TagOwners: TagOwners{"tag:foo": []string{"group:foo", "user1"}}, TagOwners: TagOwners{"tag:foo": []string{"group:foo", "user1"}},
}, },
tag: "tag:test", tag: "tag:test",
@ -716,7 +726,7 @@ func Test_expandTagOwners(t *testing.T) {
{ {
name: "invalid group", name: "invalid group",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
Groups: Groups{"group:bar": []string{"user1", "user2"}}, Groups: Groups{"group:bar": []string{"user1", "user2"}},
TagOwners: TagOwners{"tag:test": []string{"group:foo", "user2"}}, TagOwners: TagOwners{"tag:test": []string{"group:foo", "user2"}},
}, },
@ -729,7 +739,7 @@ func Test_expandTagOwners(t *testing.T) {
} }
for _, test := range tests { for _, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
got, err := expandTagOwners( got, err := getTagOwners(
test.args.aclPolicy, test.args.aclPolicy,
test.args.tag, test.args.tag,
test.args.stripEmailDomain, test.args.stripEmailDomain,
@ -908,6 +918,9 @@ func Test_listMachinesInUser(t *testing.T) {
} }
func Test_expandAlias(t *testing.T) { func Test_expandAlias(t *testing.T) {
type field struct {
pol ACLPolicy
}
type args struct { type args struct {
machines []Machine machines []Machine
aclPolicy ACLPolicy aclPolicy ACLPolicy
@ -916,12 +929,16 @@ func Test_expandAlias(t *testing.T) {
} }
tests := []struct { tests := []struct {
name string name string
field field
args args args args
want []string want []string
wantErr bool wantErr bool
}{ }{
{ {
name: "wildcard", name: "wildcard",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "*", alias: "*",
machines: []Machine{ machines: []Machine{
@ -932,7 +949,6 @@ func Test_expandAlias(t *testing.T) {
}, },
}, },
}, },
aclPolicy: ACLPolicy{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"*"}, want: []string{"*"},
@ -940,6 +956,11 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple group", name: "simple group",
field: field{
pol: ACLPolicy{
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
},
},
args: args{ args: args{
alias: "group:accountant", alias: "group:accountant",
machines: []Machine{ machines: []Machine{
@ -968,9 +989,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"100.64.0.1", "100.64.0.2", "100.64.0.3"}, want: []string{"100.64.0.1", "100.64.0.2", "100.64.0.3"},
@ -978,6 +996,11 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "wrong group", name: "wrong group",
field: field{
pol: ACLPolicy{
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
},
},
args: args{ args: args{
alias: "group:hr", alias: "group:hr",
machines: []Machine{ machines: []Machine{
@ -1006,9 +1029,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{}, want: []string{},
@ -1016,10 +1036,12 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple ipaddress", name: "simple ipaddress",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "10.0.0.3", alias: "10.0.0.3",
machines: []Machine{}, machines: []Machine{},
aclPolicy: ACLPolicy{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"10.0.0.3"}, want: []string{"10.0.0.3"},
@ -1027,10 +1049,12 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple host by ip passed through", name: "simple host by ip passed through",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "10.0.0.1", alias: "10.0.0.1",
machines: []Machine{}, machines: []Machine{},
aclPolicy: ACLPolicy{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"10.0.0.1"}, want: []string{"10.0.0.1"},
@ -1038,6 +1062,9 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple host by ipv4 single ipv4", name: "simple host by ipv4 single ipv4",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "10.0.0.1", alias: "10.0.0.1",
machines: []Machine{ machines: []Machine{
@ -1048,7 +1075,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"10.0.0.1"}, want: []string{"10.0.0.1"},
@ -1056,6 +1082,9 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple host by ipv4 single dual stack", name: "simple host by ipv4 single dual stack",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "10.0.0.1", alias: "10.0.0.1",
machines: []Machine{ machines: []Machine{
@ -1067,7 +1096,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"10.0.0.1", "fd7a:115c:a1e0:ab12:4843:2222:6273:2222"}, want: []string{"10.0.0.1", "fd7a:115c:a1e0:ab12:4843:2222:6273:2222"},
@ -1075,6 +1103,9 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple host by ipv6 single dual stack", name: "simple host by ipv6 single dual stack",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "fd7a:115c:a1e0:ab12:4843:2222:6273:2222", alias: "fd7a:115c:a1e0:ab12:4843:2222:6273:2222",
machines: []Machine{ machines: []Machine{
@ -1086,7 +1117,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"fd7a:115c:a1e0:ab12:4843:2222:6273:2222", "10.0.0.1"}, want: []string{"fd7a:115c:a1e0:ab12:4843:2222:6273:2222", "10.0.0.1"},
@ -1094,14 +1124,16 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple host by hostname alias", name: "simple host by hostname alias",
args: args{ field: field{
alias: "testy", pol: ACLPolicy{
machines: []Machine{},
aclPolicy: ACLPolicy{
Hosts: Hosts{ Hosts: Hosts{
"testy": netip.MustParsePrefix("10.0.0.132/32"), "testy": netip.MustParsePrefix("10.0.0.132/32"),
}, },
}, },
},
args: args{
alias: "testy",
machines: []Machine{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"10.0.0.132/32"}, want: []string{"10.0.0.132/32"},
@ -1109,14 +1141,16 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "private network", name: "private network",
args: args{ field: field{
alias: "homeNetwork", pol: ACLPolicy{
machines: []Machine{},
aclPolicy: ACLPolicy{
Hosts: Hosts{ Hosts: Hosts{
"homeNetwork": netip.MustParsePrefix("192.168.1.0/24"), "homeNetwork": netip.MustParsePrefix("192.168.1.0/24"),
}, },
}, },
},
args: args{
alias: "homeNetwork",
machines: []Machine{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"192.168.1.0/24"}, want: []string{"192.168.1.0/24"},
@ -1124,6 +1158,9 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple CIDR", name: "simple CIDR",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "10.0.0.0/16", alias: "10.0.0.0/16",
machines: []Machine{}, machines: []Machine{},
@ -1135,6 +1172,11 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "simple tag", name: "simple tag",
field: field{
pol: ACLPolicy{
TagOwners: TagOwners{"tag:hr-webserver": []string{"joe"}},
},
},
args: args{ args: args{
alias: "tag:hr-webserver", alias: "tag:hr-webserver",
machines: []Machine{ machines: []Machine{
@ -1173,9 +1215,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "joe"}, User: User{Name: "joe"},
}, },
}, },
aclPolicy: ACLPolicy{
TagOwners: TagOwners{"tag:hr-webserver": []string{"joe"}},
},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"100.64.0.1", "100.64.0.2"}, want: []string{"100.64.0.1", "100.64.0.2"},
@ -1183,6 +1222,14 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "No tag defined", name: "No tag defined",
field: field{
pol: ACLPolicy{
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
TagOwners: TagOwners{
"tag:accountant-webserver": []string{"group:accountant"},
},
},
},
args: args{ args: args{
alias: "tag:hr-webserver", alias: "tag:hr-webserver",
machines: []Machine{ machines: []Machine{
@ -1211,12 +1258,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{
Groups: Groups{"group:accountant": []string{"joe", "marc"}},
TagOwners: TagOwners{
"tag:accountant-webserver": []string{"group:accountant"},
},
},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{}, want: []string{},
@ -1224,6 +1265,9 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "Forced tag defined", name: "Forced tag defined",
field: field{
pol: ACLPolicy{},
},
args: args{ args: args{
alias: "tag:hr-webserver", alias: "tag:hr-webserver",
machines: []Machine{ machines: []Machine{
@ -1254,7 +1298,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"100.64.0.1", "100.64.0.2"}, want: []string{"100.64.0.1", "100.64.0.2"},
@ -1262,6 +1305,13 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "Forced tag with legitimate tagOwner", name: "Forced tag with legitimate tagOwner",
field: field{
pol: ACLPolicy{
TagOwners: TagOwners{
"tag:hr-webserver": []string{"joe"},
},
},
},
args: args{ args: args{
alias: "tag:hr-webserver", alias: "tag:hr-webserver",
machines: []Machine{ machines: []Machine{
@ -1296,11 +1346,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "mickael"}, User: User{Name: "mickael"},
}, },
}, },
aclPolicy: ACLPolicy{
TagOwners: TagOwners{
"tag:hr-webserver": []string{"joe"},
},
},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"100.64.0.1", "100.64.0.2"}, want: []string{"100.64.0.1", "100.64.0.2"},
@ -1308,6 +1353,11 @@ func Test_expandAlias(t *testing.T) {
}, },
{ {
name: "list host in user without correctly tagged servers", name: "list host in user without correctly tagged servers",
field: field{
pol: ACLPolicy{
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
},
},
args: args{ args: args{
alias: "joe", alias: "joe",
machines: []Machine{ machines: []Machine{
@ -1346,9 +1396,6 @@ func Test_expandAlias(t *testing.T) {
User: User{Name: "joe"}, User: User{Name: "joe"},
}, },
}, },
aclPolicy: ACLPolicy{
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
},
stripEmailDomain: true, stripEmailDomain: true,
}, },
want: []string{"100.64.0.4"}, want: []string{"100.64.0.4"},
@ -1357,9 +1404,8 @@ func Test_expandAlias(t *testing.T) {
} }
for _, test := range tests { for _, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
got, err := expandAlias( got, err := test.field.pol.expandAlias(
test.args.machines, test.args.machines,
test.args.aclPolicy,
test.args.alias, test.args.alias,
test.args.stripEmailDomain, test.args.stripEmailDomain,
) )
@ -1377,7 +1423,7 @@ func Test_expandAlias(t *testing.T) {
func Test_excludeCorrectlyTaggedNodes(t *testing.T) { func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
type args struct { type args struct {
aclPolicy ACLPolicy aclPolicy *ACLPolicy
nodes []Machine nodes []Machine
user string user string
stripEmailDomain bool stripEmailDomain bool
@ -1391,7 +1437,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
{ {
name: "exclude nodes with valid tags", name: "exclude nodes with valid tags",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}}, TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
}, },
nodes: []Machine{ nodes: []Machine{
@ -1437,7 +1483,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
{ {
name: "exclude nodes with valid tags, and owner is in a group", name: "exclude nodes with valid tags, and owner is in a group",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
Groups: Groups{ Groups: Groups{
"group:accountant": []string{"joe", "bar"}, "group:accountant": []string{"joe", "bar"},
}, },
@ -1488,7 +1534,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
{ {
name: "exclude nodes with valid tags and with forced tags", name: "exclude nodes with valid tags and with forced tags",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}}, TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
}, },
nodes: []Machine{ nodes: []Machine{
@ -1530,7 +1576,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
{ {
name: "all nodes have invalid tags, don't exclude them", name: "all nodes have invalid tags, don't exclude them",
args: args{ args: args{
aclPolicy: ACLPolicy{ aclPolicy: &ACLPolicy{
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}}, TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
}, },
nodes: []Machine{ nodes: []Machine{

View file

@ -111,8 +111,8 @@ func (hosts *Hosts) UnmarshalYAML(data []byte) error {
} }
// IsZero is perhaps a bit naive here. // IsZero is perhaps a bit naive here.
func (policy ACLPolicy) IsZero() bool { func (pol ACLPolicy) IsZero() bool {
if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 { if len(pol.Groups) == 0 && len(pol.Hosts) == 0 && len(pol.ACLs) == 0 {
return true return true
} }

View file

@ -893,7 +893,7 @@ func getTags(
validTagMap := make(map[string]bool) validTagMap := make(map[string]bool)
invalidTagMap := make(map[string]bool) invalidTagMap := make(map[string]bool)
for _, tag := range machine.HostInfo.RequestTags { for _, tag := range machine.HostInfo.RequestTags {
owners, err := expandTagOwners(*aclPolicy, tag, stripEmailDomain) owners, err := getTagOwners(aclPolicy, tag, stripEmailDomain)
if errors.Is(err, errInvalidTag) { if errors.Is(err, errInvalidTag) {
invalidTagMap[tag] = true invalidTagMap[tag] = true
@ -1207,7 +1207,7 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
if approvedAlias == machine.User.Name { if approvedAlias == machine.User.Name {
approvedRoutes = append(approvedRoutes, advertisedRoute) approvedRoutes = append(approvedRoutes, advertisedRoute)
} else { } else {
approvedIps, err := expandAlias([]Machine{*machine}, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain) approvedIps, err := h.aclPolicy.expandAlias([]Machine{*machine}, approvedAlias, h.cfg.OIDC.StripEmaildomain)
if err != nil { if err != nil {
log.Err(err). log.Err(err).
Str("alias", approvedAlias). Str("alias", approvedAlias).