feat(acls): add support for forced tags

This commit is contained in:
Adrien Raffin-Caboisse 2022-04-15 18:01:13 +02:00
parent 9de9bc23f8
commit cd1d10761f
No known key found for this signature in database
GPG key ID: 7FB60532DEBEAD6A
2 changed files with 98 additions and 1 deletions

20
acls.go
View file

@ -2,6 +2,7 @@ package headscale
import ( import (
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"io" "io"
"os" "os"
@ -251,7 +252,21 @@ func expandAlias(
if strings.HasPrefix(alias, "tag:") { if strings.HasPrefix(alias, "tag:") {
owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain) owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
if err != nil { if err != nil {
return ips, err if errors.Is(err, errInvalidTag) {
for _, machine := range machines {
for _, t := range machine.ForcedTags {
if alias == t {
ips = append(ips, machine.IPAddresses.ToStringSlice()...)
}
}
}
if len(ips) == 0 {
return ips, fmt.Errorf("%w. %v isn't owned by a TagOwner and no forced tags are defined.", errInvalidTag, alias)
}
return ips, nil
} else {
return ips, err
}
} }
for _, namespace := range owners { for _, namespace := range owners {
machines := filterMachinesByNamespace(machines, namespace) machines := filterMachinesByNamespace(machines, namespace)
@ -328,6 +343,9 @@ func excludeCorrectlyTaggedNodes(
break break
} }
} }
if len(machine.ForcedTags) > 0 {
found = true
}
if !found { if !found {
out = append(out, machine) out = append(out, machine)
} }

View file

@ -1017,6 +1017,44 @@ func Test_expandAlias(t *testing.T) {
want: []string{}, want: []string{},
wantErr: true, wantErr: true,
}, },
{
name: "Forced tag defined",
args: args{
alias: "tag:hr-webserver",
machines: []Machine{
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.1"),
},
Namespace: Namespace{Name: "joe"},
ForcedTags: []string{"tag:hr-webserver"},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.2"),
},
Namespace: Namespace{Name: "joe"},
ForcedTags: []string{"tag:hr-webserver"},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.3"),
},
Namespace: Namespace{Name: "marc"},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.4"),
},
Namespace: Namespace{Name: "mickael"},
},
},
aclPolicy: ACLPolicy{},
stripEmailDomain: true,
},
want: []string{"100.64.0.1", "100.64.0.2"},
wantErr: false,
},
{ {
name: "list host in namespace without correctly tagged servers", name: "list host in namespace without correctly tagged servers",
args: args{ args: args{
@ -1143,6 +1181,47 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
}, },
}, },
}, },
{
name: "exclude nodes with valid tags and with forced tags",
args: args{
aclPolicy: ACLPolicy{
TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
},
nodes: []Machine{
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.1"),
},
Namespace: Namespace{Name: "joe"},
HostInfo: HostInfo{
OS: "centos",
Hostname: "foo",
RequestTags: []string{"tag:accountant-webserver"},
},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.2"),
},
Namespace: Namespace{Name: "joe"},
ForcedTags: []string{"tag:accountant-webserver"},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.4"),
},
Namespace: Namespace{Name: "joe"},
},
},
namespace: "joe",
},
want: []Machine{
{
IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
Namespace: Namespace{Name: "joe"},
},
},
},
{ {
name: "all nodes have invalid tags, don't exclude them", name: "all nodes have invalid tags, don't exclude them",
args: args{ args: args{