mirror of
https://github.com/juanfont/headscale.git
synced 2024-11-29 18:33:05 +00:00
use json in TestReduceFilterRules test
This is to allow for the tests to be ran with the new upcoming parser to ensure we get the same input. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
parent
38f2159c56
commit
a7b2468a42
1 changed files with 290 additions and 203 deletions
|
@ -1838,20 +1838,27 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
name string
|
||||
node *types.Node
|
||||
peers types.Nodes
|
||||
pol ACLPolicy
|
||||
pol string
|
||||
want []tailcfg.FilterRule
|
||||
}{
|
||||
{
|
||||
name: "host1-can-reach-host2-no-rules",
|
||||
pol: ACLPolicy{
|
||||
ACLs: []ACL{
|
||||
pol: `
|
||||
{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"100.64.0.1"},
|
||||
Destinations: []string{"100.64.0.2:*"},
|
||||
},
|
||||
},
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"100.64.0.1"
|
||||
],
|
||||
"dst": [
|
||||
"100.64.0.2:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.1"),
|
||||
IPv6: iap("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"),
|
||||
|
@ -1868,23 +1875,37 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "1604-subnet-routers-are-preserved",
|
||||
pol: ACLPolicy{
|
||||
Groups: Groups{
|
||||
"group:admins": {"user1"},
|
||||
pol: `
|
||||
{
|
||||
"groups": {
|
||||
"group:admins": [
|
||||
"user1"
|
||||
]
|
||||
},
|
||||
ACLs: []ACL{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:admins"},
|
||||
Destinations: []string{"group:admins:*"},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:admins"
|
||||
],
|
||||
"dst": [
|
||||
"group:admins:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:admins"},
|
||||
Destinations: []string{"10.33.0.0/16:*"},
|
||||
},
|
||||
},
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:admins"
|
||||
],
|
||||
"dst": [
|
||||
"10.33.0.0/16:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.1"),
|
||||
IPv6: iap("fd7a:115c:a1e0::1"),
|
||||
|
@ -1939,31 +1960,42 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "1786-reducing-breaks-exit-nodes-the-client",
|
||||
pol: ACLPolicy{
|
||||
Hosts: Hosts{
|
||||
// Exit node
|
||||
"internal": netip.MustParsePrefix("100.64.0.100/32"),
|
||||
pol: `
|
||||
{
|
||||
"groups": {
|
||||
"group:team": [
|
||||
"user3",
|
||||
"user2",
|
||||
"user1"
|
||||
]
|
||||
},
|
||||
Groups: Groups{
|
||||
"group:team": {"user3", "user2", "user1"},
|
||||
"hosts": {
|
||||
"internal": "100.64.0.100/32"
|
||||
},
|
||||
ACLs: []ACL{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"internal:*",
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"internal:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"autogroup:internet:*",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"autogroup:internet:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.1"),
|
||||
IPv6: iap("fd7a:115c:a1e0::1"),
|
||||
|
@ -1989,31 +2021,42 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "1786-reducing-breaks-exit-nodes-the-exit",
|
||||
pol: ACLPolicy{
|
||||
Hosts: Hosts{
|
||||
// Exit node
|
||||
"internal": netip.MustParsePrefix("100.64.0.100/32"),
|
||||
pol: `
|
||||
{
|
||||
"groups": {
|
||||
"group:team": [
|
||||
"user3",
|
||||
"user2",
|
||||
"user1"
|
||||
]
|
||||
},
|
||||
Groups: Groups{
|
||||
"group:team": {"user3", "user2", "user1"},
|
||||
"hosts": {
|
||||
"internal": "100.64.0.100/32"
|
||||
},
|
||||
ACLs: []ACL{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"internal:*",
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"internal:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"autogroup:internet:*",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"autogroup:internet:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.100"),
|
||||
IPv6: iap("fd7a:115c:a1e0::100"),
|
||||
|
@ -2056,26 +2099,36 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "1786-reducing-breaks-exit-nodes-the-example-from-issue",
|
||||
pol: ACLPolicy{
|
||||
Hosts: Hosts{
|
||||
// Exit node
|
||||
"internal": netip.MustParsePrefix("100.64.0.100/32"),
|
||||
pol: `
|
||||
{
|
||||
"groups": {
|
||||
"group:team": [
|
||||
"user3",
|
||||
"user2",
|
||||
"user1"
|
||||
]
|
||||
},
|
||||
Groups: Groups{
|
||||
"group:team": {"user3", "user2", "user1"},
|
||||
"hosts": {
|
||||
"internal": "100.64.0.100/32"
|
||||
},
|
||||
ACLs: []ACL{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"internal:*",
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"internal:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"0.0.0.0/5:*",
|
||||
"8.0.0.0/7:*",
|
||||
"11.0.0.0/8:*",
|
||||
|
@ -2105,11 +2158,12 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
"194.0.0.0/7:*",
|
||||
"196.0.0.0/6:*",
|
||||
"200.0.0.0/5:*",
|
||||
"208.0.0.0/4:*",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"208.0.0.0/4:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.100"),
|
||||
IPv6: iap("fd7a:115c:a1e0::100"),
|
||||
|
@ -2186,32 +2240,43 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "1786-reducing-breaks-exit-nodes-app-connector-like",
|
||||
pol: ACLPolicy{
|
||||
Hosts: Hosts{
|
||||
// Exit node
|
||||
"internal": netip.MustParsePrefix("100.64.0.100/32"),
|
||||
pol: `
|
||||
{
|
||||
"groups": {
|
||||
"group:team": [
|
||||
"user3",
|
||||
"user2",
|
||||
"user1"
|
||||
]
|
||||
},
|
||||
Groups: Groups{
|
||||
"group:team": {"user3", "user2", "user1"},
|
||||
"hosts": {
|
||||
"internal": "100.64.0.100/32"
|
||||
},
|
||||
ACLs: []ACL{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"internal:*",
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"internal:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"8.0.0.0/8:*",
|
||||
"16.0.0.0/8:*",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"16.0.0.0/8:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.100"),
|
||||
IPv6: iap("fd7a:115c:a1e0::100"),
|
||||
|
@ -2263,32 +2328,43 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "1786-reducing-breaks-exit-nodes-app-connector-like2",
|
||||
pol: ACLPolicy{
|
||||
Hosts: Hosts{
|
||||
// Exit node
|
||||
"internal": netip.MustParsePrefix("100.64.0.100/32"),
|
||||
pol: `
|
||||
{
|
||||
"groups": {
|
||||
"group:team": [
|
||||
"user3",
|
||||
"user2",
|
||||
"user1"
|
||||
]
|
||||
},
|
||||
Groups: Groups{
|
||||
"group:team": {"user3", "user2", "user1"},
|
||||
"hosts": {
|
||||
"internal": "100.64.0.100/32"
|
||||
},
|
||||
ACLs: []ACL{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"internal:*",
|
||||
},
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"internal:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:team"},
|
||||
Destinations: []string{
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:team"
|
||||
],
|
||||
"dst": [
|
||||
"8.0.0.0/16:*",
|
||||
"16.0.0.0/16:*",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"16.0.0.0/16:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.100"),
|
||||
IPv6: iap("fd7a:115c:a1e0::100"),
|
||||
|
@ -2340,25 +2416,32 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
},
|
||||
{
|
||||
name: "1817-reduce-breaks-32-mask",
|
||||
pol: ACLPolicy{
|
||||
Hosts: Hosts{
|
||||
"vlan1": netip.MustParsePrefix("172.16.0.0/24"),
|
||||
"dns1": netip.MustParsePrefix("172.16.0.21/32"),
|
||||
pol: `
|
||||
{
|
||||
"groups": {
|
||||
"group:access": [
|
||||
"user1"
|
||||
]
|
||||
},
|
||||
Groups: Groups{
|
||||
"group:access": {"user1"},
|
||||
"hosts": {
|
||||
"dns1": "172.16.0.21/32",
|
||||
"vlan1": "172.16.0.0/24"
|
||||
},
|
||||
ACLs: []ACL{
|
||||
"acls": [
|
||||
{
|
||||
Action: "accept",
|
||||
Sources: []string{"group:access"},
|
||||
Destinations: []string{
|
||||
"action": "accept",
|
||||
"proto": "",
|
||||
"src": [
|
||||
"group:access"
|
||||
],
|
||||
"dst": [
|
||||
"tag:access-servers:*",
|
||||
"dns1:*",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"dns1:*"
|
||||
]
|
||||
}
|
||||
],
|
||||
}
|
||||
`,
|
||||
node: &types.Node{
|
||||
IPv4: iap("100.64.0.100"),
|
||||
IPv6: iap("fd7a:115c:a1e0::100"),
|
||||
|
@ -2399,7 +2482,11 @@ func TestReduceFilterRules(t *testing.T) {
|
|||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, _ := tt.pol.CompileFilterRules(
|
||||
pol, err := LoadACLPolicyFromBytes([]byte(tt.pol))
|
||||
if err != nil {
|
||||
t.Fatalf("parsing policy: %s", err)
|
||||
}
|
||||
got, _ := pol.CompileFilterRules(
|
||||
append(tt.peers, tt.node),
|
||||
)
|
||||
|
||||
|
|
Loading…
Reference in a new issue