fix(acl): fix issue with groups in excludeCorretlyTaggedNodes

This commit fix issue #563

acls.go

@@ -367,7 +367,7 @@ func expandAlias(
 
 	// if alias is a namespace
 	nodes := filterMachinesByNamespace(machines, alias)
-	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias)
+	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
 
 	for _, n := range nodes {
 		ips = append(ips, n.IPAddresses.ToStringSlice()...)
@@ -405,10 +405,13 @@ func excludeCorrectlyTaggedNodes(
 	aclPolicy ACLPolicy,
 	nodes []Machine,
 	namespace string,
+	stripEmailDomain bool,
 ) []Machine {
 	out := []Machine{}
 	tags := []string{}
 	for tag, ns := range aclPolicy.TagOwners {
+		owners, _ := expandTagOwners(aclPolicy, namespace, stripEmailDomain)
+		ns = append(owners, namespace)
 		if contains(ns, namespace) {
 			tags = append(tags, tag)
 		}

acls_test.go

@@ -1201,9 +1201,10 @@ func Test_expandAlias(t *testing.T) {
 
 func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 	type args struct {
-		aclPolicy ACLPolicy
+		aclPolicy        ACLPolicy
-		nodes     []Machine
+		nodes            []Machine
-		namespace string
+		namespace        string
+		stripEmailDomain bool
 	}
 	tests := []struct {
 		name    string
@@ -1247,7 +1248,57 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace: "joe",
+				namespace:        "joe",
+				stripEmailDomain: true,
+			},
+			want: []Machine{
+				{
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
+					Namespace:   Namespace{Name: "joe"},
+				},
+			},
+		},
+		{
+			name: "exclude nodes with valid tags, and owner is in a group",
+			args: args{
+				aclPolicy: ACLPolicy{
+					Groups: Groups{
+						"group:accountant": []string{"joe", "bar"},
+					},
+					TagOwners: TagOwners{"tag:accountant-webserver": []string{"group:accountant"}},
+				},
+				nodes: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS:          "centos",
+							Hostname:    "foo",
+							RequestTags: []string{"tag:accountant-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS:          "centos",
+							Hostname:    "foo",
+							RequestTags: []string{"tag:accountant-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+				},
+				namespace:        "joe",
+				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
@@ -1288,7 +1339,8 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace: "joe",
+				namespace:        "joe",
+				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
@@ -1333,7 +1385,8 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace: "joe",
+				namespace:        "joe",
+				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
@@ -1373,6 +1426,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				test.args.aclPolicy,
 				test.args.nodes,
 				test.args.namespace,
+				test.args.stripEmailDomain,
 			)
 			if !reflect.DeepEqual(got, test.want) {
 				t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want)