use json in TestReduceFilterRules test

This is to allow for the tests to be ran with
the new upcoming parser to ensure we get the
same input.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby 2024-10-17 01:23:44 +02:00
parent 38f2159c56
commit a7b2468a42
No known key found for this signature in database

View file

@ -1838,20 +1838,27 @@ func TestReduceFilterRules(t *testing.T) {
name string
node *types.Node
peers types.Nodes
pol ACLPolicy
pol string
want []tailcfg.FilterRule
}{
{
name: "host1-can-reach-host2-no-rules",
pol: ACLPolicy{
ACLs: []ACL{
pol: `
{
"acls": [
{
Action: "accept",
Sources: []string{"100.64.0.1"},
Destinations: []string{"100.64.0.2:*"},
},
},
},
"action": "accept",
"proto": "",
"src": [
"100.64.0.1"
],
"dst": [
"100.64.0.2:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.1"),
IPv6: iap("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"),
@ -1868,23 +1875,37 @@ func TestReduceFilterRules(t *testing.T) {
},
{
name: "1604-subnet-routers-are-preserved",
pol: ACLPolicy{
Groups: Groups{
"group:admins": {"user1"},
pol: `
{
"groups": {
"group:admins": [
"user1"
]
},
ACLs: []ACL{
"acls": [
{
Action: "accept",
Sources: []string{"group:admins"},
Destinations: []string{"group:admins:*"},
"action": "accept",
"proto": "",
"src": [
"group:admins"
],
"dst": [
"group:admins:*"
]
},
{
Action: "accept",
Sources: []string{"group:admins"},
Destinations: []string{"10.33.0.0/16:*"},
},
},
},
"action": "accept",
"proto": "",
"src": [
"group:admins"
],
"dst": [
"10.33.0.0/16:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.1"),
IPv6: iap("fd7a:115c:a1e0::1"),
@ -1939,31 +1960,42 @@ func TestReduceFilterRules(t *testing.T) {
},
{
name: "1786-reducing-breaks-exit-nodes-the-client",
pol: ACLPolicy{
Hosts: Hosts{
// Exit node
"internal": netip.MustParsePrefix("100.64.0.100/32"),
pol: `
{
"groups": {
"group:team": [
"user3",
"user2",
"user1"
]
},
Groups: Groups{
"group:team": {"user3", "user2", "user1"},
"hosts": {
"internal": "100.64.0.100/32"
},
ACLs: []ACL{
"acls": [
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"internal:*",
},
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"internal:*"
]
},
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"autogroup:internet:*",
},
},
},
},
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"autogroup:internet:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.1"),
IPv6: iap("fd7a:115c:a1e0::1"),
@ -1989,31 +2021,42 @@ func TestReduceFilterRules(t *testing.T) {
},
{
name: "1786-reducing-breaks-exit-nodes-the-exit",
pol: ACLPolicy{
Hosts: Hosts{
// Exit node
"internal": netip.MustParsePrefix("100.64.0.100/32"),
pol: `
{
"groups": {
"group:team": [
"user3",
"user2",
"user1"
]
},
Groups: Groups{
"group:team": {"user3", "user2", "user1"},
"hosts": {
"internal": "100.64.0.100/32"
},
ACLs: []ACL{
"acls": [
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"internal:*",
},
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"internal:*"
]
},
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"autogroup:internet:*",
},
},
},
},
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"autogroup:internet:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"),
@ -2056,26 +2099,36 @@ func TestReduceFilterRules(t *testing.T) {
},
{
name: "1786-reducing-breaks-exit-nodes-the-example-from-issue",
pol: ACLPolicy{
Hosts: Hosts{
// Exit node
"internal": netip.MustParsePrefix("100.64.0.100/32"),
pol: `
{
"groups": {
"group:team": [
"user3",
"user2",
"user1"
]
},
Groups: Groups{
"group:team": {"user3", "user2", "user1"},
"hosts": {
"internal": "100.64.0.100/32"
},
ACLs: []ACL{
"acls": [
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"internal:*",
},
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"internal:*"
]
},
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"0.0.0.0/5:*",
"8.0.0.0/7:*",
"11.0.0.0/8:*",
@ -2105,11 +2158,12 @@ func TestReduceFilterRules(t *testing.T) {
"194.0.0.0/7:*",
"196.0.0.0/6:*",
"200.0.0.0/5:*",
"208.0.0.0/4:*",
},
},
},
},
"208.0.0.0/4:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"),
@ -2186,32 +2240,43 @@ func TestReduceFilterRules(t *testing.T) {
},
{
name: "1786-reducing-breaks-exit-nodes-app-connector-like",
pol: ACLPolicy{
Hosts: Hosts{
// Exit node
"internal": netip.MustParsePrefix("100.64.0.100/32"),
pol: `
{
"groups": {
"group:team": [
"user3",
"user2",
"user1"
]
},
Groups: Groups{
"group:team": {"user3", "user2", "user1"},
"hosts": {
"internal": "100.64.0.100/32"
},
ACLs: []ACL{
"acls": [
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"internal:*",
},
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"internal:*"
]
},
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"8.0.0.0/8:*",
"16.0.0.0/8:*",
},
},
},
},
"16.0.0.0/8:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"),
@ -2263,32 +2328,43 @@ func TestReduceFilterRules(t *testing.T) {
},
{
name: "1786-reducing-breaks-exit-nodes-app-connector-like2",
pol: ACLPolicy{
Hosts: Hosts{
// Exit node
"internal": netip.MustParsePrefix("100.64.0.100/32"),
pol: `
{
"groups": {
"group:team": [
"user3",
"user2",
"user1"
]
},
Groups: Groups{
"group:team": {"user3", "user2", "user1"},
"hosts": {
"internal": "100.64.0.100/32"
},
ACLs: []ACL{
"acls": [
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"internal:*",
},
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"internal:*"
]
},
{
Action: "accept",
Sources: []string{"group:team"},
Destinations: []string{
"action": "accept",
"proto": "",
"src": [
"group:team"
],
"dst": [
"8.0.0.0/16:*",
"16.0.0.0/16:*",
},
},
},
},
"16.0.0.0/16:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"),
@ -2340,25 +2416,32 @@ func TestReduceFilterRules(t *testing.T) {
},
{
name: "1817-reduce-breaks-32-mask",
pol: ACLPolicy{
Hosts: Hosts{
"vlan1": netip.MustParsePrefix("172.16.0.0/24"),
"dns1": netip.MustParsePrefix("172.16.0.21/32"),
pol: `
{
"groups": {
"group:access": [
"user1"
]
},
Groups: Groups{
"group:access": {"user1"},
"hosts": {
"dns1": "172.16.0.21/32",
"vlan1": "172.16.0.0/24"
},
ACLs: []ACL{
"acls": [
{
Action: "accept",
Sources: []string{"group:access"},
Destinations: []string{
"action": "accept",
"proto": "",
"src": [
"group:access"
],
"dst": [
"tag:access-servers:*",
"dns1:*",
},
},
},
},
"dns1:*"
]
}
],
}
`,
node: &types.Node{
IPv4: iap("100.64.0.100"),
IPv6: iap("fd7a:115c:a1e0::100"),
@ -2399,7 +2482,11 @@ func TestReduceFilterRules(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, _ := tt.pol.CompileFilterRules(
pol, err := LoadACLPolicyFromBytes([]byte(tt.pol))
if err != nil {
t.Fatalf("parsing policy: %s", err)
}
got, _ := pol.CompileFilterRules(
append(tt.peers, tt.node),
)