Expand the signature of policy.ExpandAlias() to support the implementation of autogroups
This commit is contained in:
parent
043be13e6d
commit
28354cc651
|
@ -424,7 +424,7 @@ func (hsdb *HSDatabase) EnableAutoApprovedRoutes(
|
|||
approvedRoutes = append(approvedRoutes, advertisedRoute)
|
||||
} else {
|
||||
// TODO(kradalby): figure out how to get this to depend on less stuff
|
||||
approvedIps, err := aclPolicy.ExpandAlias(types.Machines{*machine}, approvedAlias)
|
||||
approvedIps, err := aclPolicy.ExpandAlias(*machine, types.Machines{}, approvedAlias)
|
||||
if err != nil {
|
||||
log.Err(err).
|
||||
Str("alias", approvedAlias).
|
||||
|
|
|
@ -157,7 +157,6 @@ func (pol *ACLPolicy) generateFilterRules(
|
|||
peers types.Machines,
|
||||
) ([]tailcfg.FilterRule, error) {
|
||||
rules := []tailcfg.FilterRule{}
|
||||
machines := append(peers, *machine)
|
||||
|
||||
for index, acl := range pol.ACLs {
|
||||
if acl.Action != "accept" {
|
||||
|
@ -166,7 +165,7 @@ func (pol *ACLPolicy) generateFilterRules(
|
|||
|
||||
srcIPs := []string{}
|
||||
for srcIndex, src := range acl.Sources {
|
||||
srcs, err := pol.expandSource(src, machines)
|
||||
srcs, err := pol.expandSource(src, *machine, peers)
|
||||
if err != nil {
|
||||
log.Error().
|
||||
Interface("src", src).
|
||||
|
@ -195,7 +194,8 @@ func (pol *ACLPolicy) generateFilterRules(
|
|||
}
|
||||
|
||||
expanded, err := pol.ExpandAlias(
|
||||
machines,
|
||||
*machine,
|
||||
peers,
|
||||
alias,
|
||||
)
|
||||
if err != nil {
|
||||
|
@ -293,7 +293,7 @@ func (pol *ACLPolicy) generateSSHRules(
|
|||
for index, sshACL := range pol.SSHs {
|
||||
var dest netipx.IPSetBuilder
|
||||
for _, src := range sshACL.Destinations {
|
||||
expanded, err := pol.ExpandAlias(append(peers, *machine), src)
|
||||
expanded, err := pol.ExpandAlias(*machine, peers, src)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -350,6 +350,7 @@ func (pol *ACLPolicy) generateSSHRules(
|
|||
}
|
||||
} else {
|
||||
expandedSrcs, err := pol.ExpandAlias(
|
||||
*machine,
|
||||
peers,
|
||||
rawSrc,
|
||||
)
|
||||
|
@ -501,9 +502,10 @@ func parseProtocol(protocol string) ([]int, bool, error) {
|
|||
// with the given src alias.
|
||||
func (pol *ACLPolicy) expandSource(
|
||||
src string,
|
||||
machines types.Machines,
|
||||
machine types.Machine,
|
||||
peers types.Machines,
|
||||
) ([]string, error) {
|
||||
ipSet, err := pol.ExpandAlias(machines, src)
|
||||
ipSet, err := pol.ExpandAlias(machine, peers, src)
|
||||
if err != nil {
|
||||
return []string{}, err
|
||||
}
|
||||
|
@ -526,7 +528,8 @@ func (pol *ACLPolicy) expandSource(
|
|||
// - a cidr
|
||||
// and transform these in IPAddresses.
|
||||
func (pol *ACLPolicy) ExpandAlias(
|
||||
machines types.Machines,
|
||||
machine types.Machine,
|
||||
peers types.Machines,
|
||||
alias string,
|
||||
) (*netipx.IPSet, error) {
|
||||
if isWildcard(alias) {
|
||||
|
@ -535,22 +538,24 @@ func (pol *ACLPolicy) ExpandAlias(
|
|||
|
||||
build := netipx.IPSetBuilder{}
|
||||
|
||||
allMachines := append(peers, machine)
|
||||
|
||||
log.Debug().
|
||||
Str("alias", alias).
|
||||
Msg("Expanding")
|
||||
|
||||
// if alias is a group
|
||||
if isGroup(alias) {
|
||||
return pol.expandIPsFromGroup(alias, machines)
|
||||
return pol.expandIPsFromGroup(alias, allMachines)
|
||||
}
|
||||
|
||||
// if alias is a tag
|
||||
if isTag(alias) {
|
||||
return pol.expandIPsFromTag(alias, machines)
|
||||
return pol.expandIPsFromTag(alias, allMachines)
|
||||
}
|
||||
|
||||
// if alias is a user
|
||||
if ips, err := pol.expandIPsFromUser(alias, machines); ips != nil {
|
||||
if ips, err := pol.expandIPsFromUser(alias, allMachines); ips != nil {
|
||||
return ips, err
|
||||
}
|
||||
|
||||
|
@ -559,17 +564,17 @@ func (pol *ACLPolicy) ExpandAlias(
|
|||
if h, ok := pol.Hosts[alias]; ok {
|
||||
log.Trace().Str("host", h.String()).Msg("ExpandAlias got hosts entry")
|
||||
|
||||
return pol.ExpandAlias(machines, h.String())
|
||||
return pol.ExpandAlias(machine, peers, h.String())
|
||||
}
|
||||
|
||||
// if alias is an IP
|
||||
if ip, err := netip.ParseAddr(alias); err == nil {
|
||||
return pol.expandIPsFromSingleIP(ip, machines)
|
||||
return pol.expandIPsFromSingleIP(ip, allMachines)
|
||||
}
|
||||
|
||||
// if alias is an IP Prefix (CIDR)
|
||||
if prefix, err := netip.ParsePrefix(alias); err == nil {
|
||||
return pol.expandIPsFromIPPrefix(prefix, machines)
|
||||
return pol.expandIPsFromIPPrefix(prefix, allMachines)
|
||||
}
|
||||
|
||||
log.Warn().Msgf("No IPs found with the alias %v", alias)
|
||||
|
@ -871,6 +876,10 @@ func isTag(str string) bool {
|
|||
return strings.HasPrefix(str, "tag:")
|
||||
}
|
||||
|
||||
func isAutogroup(str string) bool {
|
||||
return strings.HasPrefix(str, "autogroup:")
|
||||
}
|
||||
|
||||
// TagsOfMachine will return the tags of the current machine.
|
||||
// Invalid tags are tags added by a user on a node, and that user doesn't have authority to add this tag.
|
||||
// Valid tags are tags added by a user that is allowed in the ACL policy to add this tag.
|
||||
|
|
|
@ -979,7 +979,8 @@ func Test_expandAlias(t *testing.T) {
|
|||
pol ACLPolicy
|
||||
}
|
||||
type args struct {
|
||||
machines types.Machines
|
||||
machine types.Machine
|
||||
peers types.Machines
|
||||
aclPolicy ACLPolicy
|
||||
alias string
|
||||
}
|
||||
|
@ -997,7 +998,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "*",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{IPAddresses: types.MachineAddresses{netip.MustParseAddr("100.64.0.1")}},
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
|
@ -1021,7 +1022,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "group:accountant",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("100.64.0.1"),
|
||||
|
@ -1062,7 +1063,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "group:hr",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("100.64.0.1"),
|
||||
|
@ -1098,8 +1099,8 @@ func Test_expandAlias(t *testing.T) {
|
|||
pol: ACLPolicy{},
|
||||
},
|
||||
args: args{
|
||||
alias: "10.0.0.3",
|
||||
machines: types.Machines{},
|
||||
alias: "10.0.0.3",
|
||||
peers: types.Machines{},
|
||||
},
|
||||
want: set([]string{
|
||||
"10.0.0.3",
|
||||
|
@ -1112,8 +1113,8 @@ func Test_expandAlias(t *testing.T) {
|
|||
pol: ACLPolicy{},
|
||||
},
|
||||
args: args{
|
||||
alias: "10.0.0.1",
|
||||
machines: types.Machines{},
|
||||
alias: "10.0.0.1",
|
||||
peers: types.Machines{},
|
||||
},
|
||||
want: set([]string{
|
||||
"10.0.0.1",
|
||||
|
@ -1127,7 +1128,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "10.0.0.1",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("10.0.0.1"),
|
||||
|
@ -1148,7 +1149,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "10.0.0.1",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("10.0.0.1"),
|
||||
|
@ -1170,7 +1171,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "fd7a:115c:a1e0:ab12:4843:2222:6273:2222",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("10.0.0.1"),
|
||||
|
@ -1195,8 +1196,8 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
},
|
||||
args: args{
|
||||
alias: "testy",
|
||||
machines: types.Machines{},
|
||||
alias: "testy",
|
||||
peers: types.Machines{},
|
||||
},
|
||||
want: set([]string{}, []string{"10.0.0.132/32"}),
|
||||
wantErr: false,
|
||||
|
@ -1211,8 +1212,8 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
},
|
||||
args: args{
|
||||
alias: "homeNetwork",
|
||||
machines: types.Machines{},
|
||||
alias: "homeNetwork",
|
||||
peers: types.Machines{},
|
||||
},
|
||||
want: set([]string{}, []string{"192.168.1.0/24"}),
|
||||
wantErr: false,
|
||||
|
@ -1224,7 +1225,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "10.0.0.0/16",
|
||||
machines: types.Machines{},
|
||||
peers: types.Machines{},
|
||||
aclPolicy: ACLPolicy{},
|
||||
},
|
||||
want: set([]string{}, []string{"10.0.0.0/16"}),
|
||||
|
@ -1239,7 +1240,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "tag:hr-webserver",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("100.64.0.1"),
|
||||
|
@ -1293,7 +1294,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "tag:hr-webserver",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("100.64.0.1"),
|
||||
|
@ -1330,7 +1331,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "tag:hr-webserver",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("100.64.0.1"),
|
||||
|
@ -1373,7 +1374,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "tag:hr-webserver",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("100.64.0.1"),
|
||||
|
@ -1418,7 +1419,7 @@ func Test_expandAlias(t *testing.T) {
|
|||
},
|
||||
args: args{
|
||||
alias: "joe",
|
||||
machines: types.Machines{
|
||||
peers: types.Machines{
|
||||
{
|
||||
IPAddresses: types.MachineAddresses{
|
||||
netip.MustParseAddr("100.64.0.1"),
|
||||
|
@ -1462,7 +1463,8 @@ func Test_expandAlias(t *testing.T) {
|
|||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
got, err := test.field.pol.ExpandAlias(
|
||||
test.args.machines,
|
||||
test.args.machine,
|
||||
test.args.peers,
|
||||
test.args.alias,
|
||||
)
|
||||
if (err != nil) != test.wantErr {
|
||||
|
@ -2421,7 +2423,7 @@ func Test_getFilteredByACLPeers(t *testing.T) {
|
|||
},
|
||||
{
|
||||
// Investigating 699
|
||||
// Found some machines: [ts-head-8w6paa ts-unstable-lys2ib ts-head-upcrmb ts-unstable-rlwpvr] machine=ts-head-8w6paa
|
||||
// Found some peers: [ts-head-8w6paa ts-unstable-lys2ib ts-head-upcrmb ts-unstable-rlwpvr] machine=ts-head-8w6paa
|
||||
// ACL rules generated ACL=[{"DstPorts":[{"Bits":null,"IP":"*","Ports":{"First":0,"Last":65535}}],"SrcIPs":["fd7a:115c:a1e0::3","100.64.0.3","fd7a:115c:a1e0::4","100.64.0.4"]}]
|
||||
// ACL Cache Map={"100.64.0.3":{"*":{}},"100.64.0.4":{"*":{}},"fd7a:115c:a1e0::3":{"*":{}},"fd7a:115c:a1e0::4":{"*":{}}}
|
||||
name: "issue-699-broken-star",
|
||||
|
|
Loading…
Reference in New Issue