diff --git a/acls.go b/acls.go
index 0387f30b..2ca65393 100644
--- a/acls.go
+++ b/acls.go
@@ -250,16 +250,17 @@ func expandAlias(
 	}
 	if strings.HasPrefix(alias, "tag:") {
+		// check for forced tags
+		for _, machine := range machines {
+			if contains(machine.ForcedTags, alias) {
+				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+			}
+		}
+
+		// find tag owners
 		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
 		if err != nil {
 			if errors.Is(err, errInvalidTag) {
-				for _, machine := range machines {
-					for _, t := range machine.ForcedTags {
-						if alias == t {
-							ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-						}
-					}
-				}
 				if len(ips) == 0 {
 					return ips, fmt.Errorf(
 						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
@@ -267,20 +268,19 @@ func expandAlias(
 						alias,
 					)
 				}
-				return ips, nil
 			} else {
 				return ips, err
 			}
 		}
+
+		// filter out machines per tag owner
 		for _, namespace := range owners {
 			machines := filterMachinesByNamespace(machines, namespace)
 			for _, machine := range machines {
 				hi := machine.GetHostInfo()
-				for _, t := range hi.RequestTags {
-					if alias == t {
-						ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-					}
+				if contains(hi.RequestTags, alias) {
+					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
 				}
 			}
 		}
diff --git a/acls_test.go b/acls_test.go
index 1b56ef23..e91e95d9 100644
--- a/acls_test.go
+++ b/acls_test.go
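Review bot: The forced-tag loop added at the top of the `tag:` branch and the request-tag loop in the next hunk can both append the same machine, so a machine that carries the alias in ForcedTags and also reports it in hi.RequestTags while sitting in a TagOwner namespace ends up in `ips` twice; the old code only ever ran one of the two loops. If callers or the table test compare the slice exactly, that is a latent failure rather than a harmless duplicate. Skipping already-forced machines in the owner loop, `if contains(machine.ForcedTags, alias) { continue }` placed before the `hi :=` line, or de-duplicating once before the return would close it. A short why-comment on the new loop would also help, since it is the only place where a tag is honoured without any TagOwner check: `// forced tags are honoured for every machine; request tags below only within TagOwner namespaces`. expandAlias begins before this hunk and the `contains` helper is not visible here.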
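Review bot: Dropping `return ips, nil` makes the errInvalidTag branch fall through to the owners loop whenever forced tags produced at least one address, so the code now depends on expandTagOwners returning an empty `owners` alongside its error, which the hunk cannot confirm. Go convention treats the value as meaningless when the error is non-nil, so a later change to that helper could silently let request-tagged machines through for a tag that has no owner. Keeping `return ips, nil` directly after the `if len(ips) == 0 {` block restores the explicit exit at no cost. The rest of expandAlias, including its final return, lies outside the hunk.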
@@ -1055,6 +1055,52 @@ func Test_expandAlias(t *testing.T) {
 			want: []string{"100.64.0.1", "100.64.0.2"},
 			wantErr: false,
 		},
+		{
+			name: "Forced tag with legitimate tagOwner",
+			args: args{
+				alias: "tag:hr-webserver",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						ForcedTags: []string{"tag:hr-webserver"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS: "centos",
+							Hostname: "foo",
+							RequestTags: []string{"tag:hr-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{
+						"tag:hr-webserver": []string{"joe"},
+					},
+				},
+				stripEmailDomain: true,
+			},
+			want: []string{"100.64.0.1", "100.64.0.2"},
+			wantErr: false,
+		},
 		{
 			name: "list host in namespace without correctly tagged servers",
 			args: args{
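Review bot: The new case puts the forced tag only on a machine inside the TagOwner namespace "joe", so it passes equally under the behaviour the acls.go change implements (forced tags honoured for any machine, no owner check) and under a stricter reading where forced tags count only inside owner namespaces; the distinguishing input is missing. Giving the "marc" machine `ForcedTags: []string{"tag:hr-webserver"},` and extending `want` to `[]string{"100.64.0.1", "100.64.0.2", "100.64.0.3"}` would pin the intent. A further machine carrying both a forced tag and a matching RequestTags entry would settle whether duplicate addresses in the result are acceptable, which the current expectation does not exercise. Test_expandAlias and its table start before this hunk.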