headscale/acls.go

package headscale

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"

	"github.com/rs/zerolog/log"
	"github.com/tailscale/hujson"
	"inet.af/netaddr"
	"tailscale.com/tailcfg"
)

const (
	errEmptyPolicy        = Error("empty policy")
	errInvalidAction      = Error("invalid action")
	errInvalidUserSection = Error("invalid user section")
	errInvalidGroup       = Error("invalid group")
	errInvalidTag         = Error("invalid tag")
	errInvalidNamespace   = Error("invalid namespace")
	errInvalidPortFormat  = Error("invalid port format")
)

const (
	Base8              = 8
	Base10             = 10
	BitSize16          = 16
	BitSize32          = 32
	BitSize64          = 64
	portRangeBegin     = 0
	portRangeEnd       = 65535
	expectedTokenItems = 2
)

// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
func (h *Headscale) LoadACLPolicy(path string) error {
	log.Debug().
		Str("func", "LoadACLPolicy").
		Str("path", path).
		Msg("Loading ACL policy from path")

	policyFile, err := os.Open(path)
	if err != nil {
		return err
	}
	defer policyFile.Close()

	var policy ACLPolicy
	policyBytes, err := io.ReadAll(policyFile)
	if err != nil {
		return err
	}

	ast, err := hujson.Parse(policyBytes)
	if err != nil {
		return err
	}
	ast.Standardize()
	policyBytes = ast.Pack()
	err = json.Unmarshal(policyBytes, &policy)
	if err != nil {
		return err
	}
	if policy.IsZero() {
		return errEmptyPolicy
	}

	h.aclPolicy = &policy
	return h.UpdateACLRules()
}

func (h *Headscale) UpdateACLRules() error {
	rules, err := h.generateACLRules()
	if err != nil {
		return err
	}
	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
	h.aclRules = rules
	return nil
}

func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
	rules := []tailcfg.FilterRule{}

	for index, acl := range h.aclPolicy.ACLs {
		if acl.Action != "accept" {
			return nil, errInvalidAction
		}

		srcIPs := []string{}
		for innerIndex, user := range acl.Users {
			srcs, err := h.generateACLPolicySrcIP(user)
			if err != nil {
				log.Error().
					Msgf("Error parsing ACL %d, User %d", index, innerIndex)

				return nil, err
			}
			srcIPs = append(srcIPs, srcs...)
		}

		destPorts := []tailcfg.NetPortRange{}
		for innerIndex, ports := range acl.Ports {
			dests, err := h.generateACLPolicyDestPorts(ports)
			if err != nil {
				log.Error().
					Msgf("Error parsing ACL %d, Port %d", index, innerIndex)

				return nil, err
			}
			destPorts = append(destPorts, dests...)
		}

		rules = append(rules, tailcfg.FilterRule{
			SrcIPs:   srcIPs,
			DstPorts: destPorts,
		})
	}

	return rules, nil
}

func (h *Headscale) generateACLPolicySrcIP(u string) ([]string, error) {
	return h.expandAlias(u)
}

func (h *Headscale) generateACLPolicyDestPorts(
	d string,
) ([]tailcfg.NetPortRange, error) {
	tokens := strings.Split(d, ":")
	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
		return nil, errInvalidPortFormat
	}

	var alias string
	// We can have here stuff like:
	// git-server:*
	// 192.168.1.0/24:22
	// tag:montreal-webserver:80,443
	// tag:api-server:443
	// example-host-1:*
	if len(tokens) == expectedTokenItems {
		alias = tokens[0]
	} else {
		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
	}

	expanded, err := h.expandAlias(alias)
	if err != nil {
		return nil, err
	}
	ports, err := h.expandPorts(tokens[len(tokens)-1])
	if err != nil {
		return nil, err
	}

	dests := []tailcfg.NetPortRange{}
	for _, d := range expanded {
		for _, p := range *ports {
			pr := tailcfg.NetPortRange{
				IP:    d,
				Ports: p,
			}
			dests = append(dests, pr)
		}
	}

	return dests, nil
}

// expandalias has an input of either
// - a namespace
// - a group
// - a tag
// and transform these in IPAddresses
func (h *Headscale) expandAlias(alias string) ([]string, error) {
	if alias == "*" {
		return []string{"*"}, nil
	}

	if strings.HasPrefix(alias, "group:") {
		namespaces, err := h.expandGroup(alias)
		if err != nil {
			return nil, err
		}
		ips := []string{}
		for _, n := range namespaces {
			nodes, err := h.ListMachinesInNamespace(n)
			if err != nil {
				return nil, errInvalidNamespace
			}
			for _, node := range nodes {
				ips = append(ips, node.IPAddresses.ToStringSlice()...)
			}
		}

		return ips, nil
	}

	if strings.HasPrefix(alias, "tag:") {
		var ips []string
		owners, err := h.expandTagOwners(alias)
		if err != nil {
			return nil, err
		}
		for _, namespace := range owners {
			machines, err := h.ListMachinesInNamespace(namespace)
			if err != nil {
				if errors.Is(err, errNamespaceNotFound) {
					continue
				} else {
					return nil, err
				}
			}
			for _, machine := range machines {
				if len(machine.HostInfo) == 0 {
					continue
				}
				hi, err := machine.GetHostInfo()
				if err != nil {
					return nil, err
				}
				for _, t := range hi.RequestTags {
					if alias == t {
						ips = append(ips, machine.IPAddresses.ToStringSlice()...)
					}
				}
			}
		}
		return ips, nil
	}

	n, err := h.GetNamespace(alias)
	if err == nil {
		nodes, err := h.ListMachinesInNamespace(n.Name)
		if err != nil {
			return nil, err
		}
		ips := []string{}
		for _, n := range nodes {
			ips = append(ips, n.IPAddresses.ToStringSlice()...)
		}

		return ips, nil
	}

	if h, ok := h.aclPolicy.Hosts[alias]; ok {
		return []string{h.String()}, nil
	}

	ip, err := netaddr.ParseIP(alias)
	if err == nil {
		return []string{ip.String()}, nil
	}

	cidr, err := netaddr.ParseIPPrefix(alias)
	if err == nil {
		return []string{cidr.String()}, nil
	}

	return nil, errInvalidUserSection
}

// expandTagOwners will return a list of namespace. An owner can be either a namespace or a group
// a group cannot be composed of groups
func (h *Headscale) expandTagOwners(owner string) ([]string, error) {
	var owners []string
	ows, ok := h.aclPolicy.TagOwners[owner]
	if !ok {
		return []string{}, fmt.Errorf("%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners", errInvalidTag, owner)
	}
	for _, ow := range ows {
		if strings.HasPrefix(ow, "group:") {
			gs, err := h.expandGroup(ow)
			if err != nil {
				return []string{}, err
			}
			owners = append(owners, gs...)
		} else {
			owners = append(owners, ow)
		}
	}
	return owners, nil
}

// expandGroup will return the list of namespace inside the group
// after some validation
func (h *Headscale) expandGroup(group string) ([]string, error) {
	gs, ok := h.aclPolicy.Groups[group]
	if !ok {
		return []string{}, fmt.Errorf("group %v isn't registered. %w", group, errInvalidGroup)
	}
	for _, g := range gs {
		if strings.HasPrefix(g, "group:") {
			return []string{}, fmt.Errorf("%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups", errInvalidGroup)
		}
	}
	return gs, nil
}

func (h *Headscale) expandPorts(portsStr string) (*[]tailcfg.PortRange, error) {
	if portsStr == "*" {
		return &[]tailcfg.PortRange{
			{First: portRangeBegin, Last: portRangeEnd},
		}, nil
	}

	ports := []tailcfg.PortRange{}
	for _, portStr := range strings.Split(portsStr, ",") {
		rang := strings.Split(portStr, "-")
		switch len(rang) {
		case 1:
			port, err := strconv.ParseUint(rang[0], Base10, BitSize16)
			if err != nil {
				return nil, err
			}
			ports = append(ports, tailcfg.PortRange{
				First: uint16(port),
				Last:  uint16(port),
			})

		case expectedTokenItems:
			start, err := strconv.ParseUint(rang[0], Base10, BitSize16)
			if err != nil {
				return nil, err
			}
			last, err := strconv.ParseUint(rang[1], Base10, BitSize16)
			if err != nil {
				return nil, err
			}
			ports = append(ports, tailcfg.PortRange{
				First: uint16(start),
				Last:  uint16(last),
			})

		default:
			return nil, errInvalidPortFormat
		}
	}

	return &ports, nil
}
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`package headscale`

			`import (`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`"encoding/json"`
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`"errors"`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`"fmt"`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`"io"`
			`"os"`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`"strconv"`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`"strings"`
Initial work on ACLs 2021-07-03 05:55:32 -04:00
Convert acls.go 2021-08-05 13:18:18 -04:00			`"github.com/rs/zerolog/log"`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`"github.com/tailscale/hujson"`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`"inet.af/netaddr"`
			`"tailscale.com/tailcfg"`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`)`

Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`const (`
Add and fix errname 2021-11-15 11:33:16 -05:00			`errEmptyPolicy = Error("empty policy")`
			`errInvalidAction = Error("invalid action")`
			`errInvalidUserSection = Error("invalid user section")`
			`errInvalidGroup = Error("invalid group")`
			`errInvalidTag = Error("invalid tag")`
			`errInvalidNamespace = Error("invalid namespace")`
			`errInvalidPortFormat = Error("invalid port format")`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`)`
Initial work on ACLs 2021-07-03 05:55:32 -04:00
Remove all instances of undefined numbers (gonmd) 2021-11-14 12:31:51 -05:00			`const (`
Make Unix socket permissions configurable 2022-01-28 13:58:22 -05:00			`Base8 = 8`
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`Base10 = 10`
			`BitSize16 = 16`
Make Unix socket permissions configurable 2022-01-28 13:58:22 -05:00			`BitSize32 = 32`
			`BitSize64 = 64`
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`portRangeBegin = 0`
			`portRangeEnd = 65535`
			`expectedTokenItems = 2`
Remove all instances of undefined numbers (gonmd) 2021-11-14 12:31:51 -05:00			`)`

golangci-lint --fix 2021-11-13 03:39:04 -05:00			`// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.`
Fixed linting issues 2021-07-04 07:33:00 -04:00			`func (h *Headscale) LoadACLPolicy(path string) error {`
Add log_level to config, more ACL debug log 2021-12-01 14:02:00 -05:00			`log.Debug().`
			`Str("func", "LoadACLPolicy").`
			`Str("path", path).`
			`Msg("Loading ACL policy from path")`

Initial work on ACLs 2021-07-03 05:55:32 -04:00			`policyFile, err := os.Open(path)`
			`if err != nil {`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`return err`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`}`
			`defer policyFile.Close()`

			`var policy ACLPolicy`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`policyBytes, err := io.ReadAll(policyFile)`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`if err != nil {`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`return err`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`}`
Fix new version of hujson 2021-11-05 03:24:00 -04:00
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`ast, err := hujson.Parse(policyBytes)`
Fix new version of hujson 2021-11-05 03:24:00 -04:00			`if err != nil {`
			`return err`
			`}`
			`ast.Standardize()`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`policyBytes = ast.Pack()`
			`err = json.Unmarshal(policyBytes, &policy)`
Fixed linting issues 2021-07-04 07:33:00 -04:00			`if err != nil {`
			`return err`
			`}`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`if policy.IsZero() {`
Add and fix errname 2021-11-15 11:33:16 -05:00			`return errEmptyPolicy`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`}`

Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`h.aclPolicy = &policy`
feat(acls): simplify updating rules 2022-02-03 14:00:41 -05:00			`return h.UpdateACLRules()`
			`}`

			`func (h *Headscale) UpdateACLRules() error {`
Load ACL policy on headscale startup 2021-07-04 07:24:05 -04:00			`rules, err := h.generateACLRules()`
			`if err != nil {`
			`return err`
			`}`
Add log_level to config, more ACL debug log 2021-12-01 14:02:00 -05:00			`log.Trace().Interface("ACL", rules).Msg("ACL rules generated")`
feat(acls): simplify updating rules 2022-02-03 14:00:41 -05:00			`h.aclRules = rules`
Load ACL policy on headscale startup 2021-07-04 07:24:05 -04:00			`return nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`rules := []tailcfg.FilterRule{}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`for index, acl := range h.aclPolicy.ACLs {`
			`if acl.Action != "accept" {`
Add and fix errname 2021-11-15 11:33:16 -05:00			`return nil, errInvalidAction`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

			`srcIPs := []string{}`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`for innerIndex, user := range acl.Users {`
			`srcs, err := h.generateACLPolicySrcIP(user)`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`if err != nil {`
Convert acls.go 2021-08-05 13:18:18 -04:00			`log.Error().`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`Msgf("Error parsing ACL %d, User %d", index, innerIndex)`
Add and fix nlreturn (new line return) 2021-11-14 10:46:09 -05:00
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`return nil, err`
			`}`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`srcIPs = append(srcIPs, srcs...)`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`destPorts := []tailcfg.NetPortRange{}`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`for innerIndex, ports := range acl.Ports {`
			`dests, err := h.generateACLPolicyDestPorts(ports)`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`if err != nil {`
Convert acls.go 2021-08-05 13:18:18 -04:00			`log.Error().`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`Msgf("Error parsing ACL %d, Port %d", index, innerIndex)`
Add and fix nlreturn (new line return) 2021-11-14 10:46:09 -05:00
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`return nil, err`
			`}`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`destPorts = append(destPorts, dests...)`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`

			`rules = append(rules, tailcfg.FilterRule{`
			`SrcIPs: srcIPs,`
			`DstPorts: destPorts,`
			`})`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return rules, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`func (h *Headscale) generateACLPolicySrcIP(u string) ([]string, error) {`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`return h.expandAlias(u)`
			`}`

Go format with shorter lines 2021-11-13 03:36:45 -05:00			`func (h *Headscale) generateACLPolicyDestPorts(`
			`d string,`
			`) ([]tailcfg.NetPortRange, error) {`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`tokens := strings.Split(d, ":")`
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`if len(tokens) < expectedTokenItems \|\| len(tokens) > 3 {`
Add and fix errname 2021-11-15 11:33:16 -05:00			`return nil, errInvalidPortFormat`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`

			`var alias string`
			`// We can have here stuff like:`
			`// git-server:*`
			`// 192.168.1.0/24:22`
			`// tag:montreal-webserver:80,443`
			`// tag:api-server:443`
			`// example-host-1:*`
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`if len(tokens) == expectedTokenItems {`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`alias = tokens[0]`
			`} else {`
			`alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])`
			`}`

			`expanded, err := h.expandAlias(alias)`
			`if err != nil {`
			`return nil, err`
			`}`
			`ports, err := h.expandPorts(tokens[len(tokens)-1])`
			`if err != nil {`
			`return nil, err`
			`}`

			`dests := []tailcfg.NetPortRange{}`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`for _, d := range expanded {`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`for _, p := range *ports {`
			`pr := tailcfg.NetPortRange{`
			`IP: d,`
			`Ports: p,`
			`}`
			`dests = append(dests, pr)`
			`}`
			`}`
Add and fix nlreturn (new line return) 2021-11-14 10:46:09 -05:00
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return dests, nil`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`

feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`// expandalias has an input of either`
			`// - a namespace`
			`// - a group`
			`// - a tag`
			`// and transform these in IPAddresses`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`func (h *Headscale) expandAlias(alias string) ([]string, error) {`
			`if alias == "*" {`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return []string{"*"}, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`if strings.HasPrefix(alias, "group:") {`
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`namespaces, err := h.expandGroup(alias)`
			`if err != nil {`
			`return nil, err`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`ips := []string{}`
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`for _, n := range namespaces {`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`nodes, err := h.ListMachinesInNamespace(n)`
			`if err != nil {`
Add and fix errname 2021-11-15 11:33:16 -05:00			`return nil, errInvalidNamespace`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`for _, node := range nodes {`
Add support for multiple IP prefixes 2022-01-16 08:16:59 -05:00			`ips = append(ips, node.IPAddresses.ToStringSlice()...)`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`
			`}`
Add and fix nlreturn (new line return) 2021-11-14 10:46:09 -05:00
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return ips, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`if strings.HasPrefix(alias, "tag:") {`
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`var ips []string`
			`owners, err := h.expandTagOwners(alias)`
			`if err != nil {`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`return nil, err`
			`}`
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`for _, namespace := range owners {`
			`machines, err := h.ListMachinesInNamespace(namespace)`
			`if err != nil {`
			`if errors.Is(err, errNamespaceNotFound) {`
			`continue`
			`} else {`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`return nil, err`
			`}`
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`}`
			`for _, machine := range machines {`
			`if len(machine.HostInfo) == 0 {`
			`continue`
			`}`
			`hi, err := machine.GetHostInfo()`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`if err != nil {`
			`return nil, err`
			`}`
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`for _, t := range hi.RequestTags {`
			`if alias == t {`
Add support for multiple IP prefixes 2022-01-16 08:16:59 -05:00			`ips = append(ips, machine.IPAddresses.ToStringSlice()...)`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`
			`}`
			`}`
			`}`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return ips, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`n, err := h.GetNamespace(alias)`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`if err == nil {`
			`nodes, err := h.ListMachinesInNamespace(n.Name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`ips := []string{}`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`for _, n := range nodes {`
Add support for multiple IP prefixes 2022-01-16 08:16:59 -05:00			`ips = append(ips, n.IPAddresses.ToStringSlice()...)`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`
Add and fix nlreturn (new line return) 2021-11-14 10:46:09 -05:00
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return ips, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`if h, ok := h.aclPolicy.Hosts[alias]; ok {`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return []string{h.String()}, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`ip, err := netaddr.ParseIP(alias)`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`if err == nil {`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return []string{ip.String()}, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`cidr, err := netaddr.ParseIPPrefix(alias)`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`if err == nil {`
Clean up the return of "pointer list" This commit is getting rid of a bunch of returned list pointers. 2021-11-04 18:16:56 -04:00			`return []string{cidr.String()}, nil`
Work in progress in rule generation 2021-07-03 11:31:32 -04:00			`}`

Add and fix errname 2021-11-15 11:33:16 -05:00			`return nil, errInvalidUserSection`
Initial work on ACLs 2021-07-03 05:55:32 -04:00			`}`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00
feat(acls): check acl owners and add bunch of tests 2022-02-05 11:18:39 -05:00			`// expandTagOwners will return a list of namespace. An owner can be either a namespace or a group`
			`// a group cannot be composed of groups`
			`func (h *Headscale) expandTagOwners(owner string) ([]string, error) {`
			`var owners []string`
			`ows, ok := h.aclPolicy.TagOwners[owner]`
			`if !ok {`
			`return []string{}, fmt.Errorf("%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners", errInvalidTag, owner)`
			`}`
			`for _, ow := range ows {`
			`if strings.HasPrefix(ow, "group:") {`
			`gs, err := h.expandGroup(ow)`
			`if err != nil {`
			`return []string{}, err`
			`}`
			`owners = append(owners, gs...)`
			`} else {`
			`owners = append(owners, ow)`
			`}`
			`}`
			`return owners, nil`
			`}`

			`// expandGroup will return the list of namespace inside the group`
			`// after some validation`
			`func (h *Headscale) expandGroup(group string) ([]string, error) {`
			`gs, ok := h.aclPolicy.Groups[group]`
			`if !ok {`
			`return []string{}, fmt.Errorf("group %v isn't registered. %w", group, errInvalidGroup)`
			`}`
			`for _, g := range gs {`
			`if strings.HasPrefix(g, "group:") {`
			`return []string{}, fmt.Errorf("%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups", errInvalidGroup)`
			`}`
			`}`
			`return gs, nil`
			`}`

Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`func (h Headscale) expandPorts(portsStr string) ([]tailcfg.PortRange, error) {`
			`if portsStr == "*" {`
Remove all instances of undefined numbers (gonmd) 2021-11-14 12:31:51 -05:00			`return &[]tailcfg.PortRange{`
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`{First: portRangeBegin, Last: portRangeEnd},`
Remove all instances of undefined numbers (gonmd) 2021-11-14 12:31:51 -05:00			`}, nil`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`

			`ports := []tailcfg.PortRange{}`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`for _, portStr := range strings.Split(portsStr, ",") {`
			`rang := strings.Split(portStr, "-")`
Start work on making gocritic pass 2021-11-14 12:44:37 -05:00			`switch len(rang) {`
			`case 1:`
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`port, err := strconv.ParseUint(rang[0], Base10, BitSize16)`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`if err != nil {`
			`return nil, err`
			`}`
			`ports = append(ports, tailcfg.PortRange{`
Initial work eliminating one/two letter variables 2021-11-14 14:32:03 -05:00			`First: uint16(port),`
			`Last: uint16(port),`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`})`
Start work on making gocritic pass 2021-11-14 12:44:37 -05:00
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`case expectedTokenItems:`
			`start, err := strconv.ParseUint(rang[0], Base10, BitSize16)`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`if err != nil {`
			`return nil, err`
			`}`
Add and fix stylecheck (golint replacement) 2021-11-15 12:24:24 -05:00			`last, err := strconv.ParseUint(rang[1], Base10, BitSize16)`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`if err != nil {`
			`return nil, err`
			`}`
			`ports = append(ports, tailcfg.PortRange{`
			`First: uint16(start),`
			`Last: uint16(last),`
			`})`
Start work on making gocritic pass 2021-11-14 12:44:37 -05:00
			`default:`
Add and fix errname 2021-11-15 11:33:16 -05:00			`return nil, errInvalidPortFormat`
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`}`
			`}`
Add and fix nlreturn (new line return) 2021-11-14 10:46:09 -05:00
Rule generation kinda working, missing tests 2021-07-04 06:35:18 -04:00			`return &ports, nil`
			`}`