MyFavMirrors
/
headscale
mirror of https://github.com/juanfont/headscale.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Expand the signature of policy.ExpandAlias() to support the implementation of autogroups

This commit is contained in:
Juan Font 2023-08-12 11:47:23 +00:00
parent 043be13e6d
commit 28354cc651
3 changed files with 48 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hscontrol/db/routes.go
View File

@ -424,7 +424,7 @@ func (hsdb *HSDatabase) EnableAutoApprovedRoutes(
approvedRoutes = append(approvedRoutes, advertisedRoute)
} else {
// TODO(kradalby): figure out how to get this to depend on less stuff
approvedIps, err := aclPolicy.ExpandAlias(types.Machines{*machine}, approvedAlias)
approvedIps, err := aclPolicy.ExpandAlias(*machine, types.Machines{}, approvedAlias)
if err != nil {
log.Err(err).
Str("alias", approvedAlias).

35
hscontrol/policy/acls.go
View File

@ -157,7 +157,6 @@ func (pol *ACLPolicy) generateFilterRules(
peers types.Machines,
) ([]tailcfg.FilterRule, error) {
rules := []tailcfg.FilterRule{}
machines := append(peers, *machine)
for index, acl := range pol.ACLs {
if acl.Action != "accept" {
@ -166,7 +165,7 @@ func (pol *ACLPolicy) generateFilterRules(
srcIPs := []string{}
for srcIndex, src := range acl.Sources {
srcs, err := pol.expandSource(src, machines)
srcs, err := pol.expandSource(src, *machine, peers)
if err != nil {
log.Error().
Interface("src", src).
@ -195,7 +194,8 @@ func (pol *ACLPolicy) generateFilterRules(
}
expanded, err := pol.ExpandAlias(
machines,
*machine,
peers,
alias,
)
if err != nil {
@ -293,7 +293,7 @@ func (pol *ACLPolicy) generateSSHRules(
for index, sshACL := range pol.SSHs {
var dest netipx.IPSetBuilder
for _, src := range sshACL.Destinations {
expanded, err := pol.ExpandAlias(append(peers, *machine), src)
expanded, err := pol.ExpandAlias(*machine, peers, src)
if err != nil {
return nil, err
}
@ -350,6 +350,7 @@ func (pol *ACLPolicy) generateSSHRules(
}
} else {
expandedSrcs, err := pol.ExpandAlias(
*machine,
peers,
rawSrc,
)
@ -501,9 +502,10 @@ func parseProtocol(protocol string) ([]int, bool, error) {
// with the given src alias.
func (pol *ACLPolicy) expandSource(
src string,
machines types.Machines,
machine types.Machine,
peers types.Machines,
) ([]string, error) {
ipSet, err := pol.ExpandAlias(machines, src)
ipSet, err := pol.ExpandAlias(machine, peers, src)
if err != nil {
return []string{}, err
}
@ -526,7 +528,8 @@ func (pol *ACLPolicy) expandSource(
// - a cidr
// and transform these in IPAddresses.
func (pol *ACLPolicy) ExpandAlias(
machines types.Machines,
machine types.Machine,
peers types.Machines,
alias string,
) (*netipx.IPSet, error) {
if isWildcard(alias) {
@ -535,22 +538,24 @@ func (pol *ACLPolicy) ExpandAlias(
build := netipx.IPSetBuilder{}
allMachines := append(peers, machine)
log.Debug().
Str("alias", alias).
Msg("Expanding")
// if alias is a group
if isGroup(alias) {
return pol.expandIPsFromGroup(alias, machines)
return pol.expandIPsFromGroup(alias, allMachines)
}
// if alias is a tag
if isTag(alias) {
return pol.expandIPsFromTag(alias, machines)
return pol.expandIPsFromTag(alias, allMachines)
}
// if alias is a user
if ips, err := pol.expandIPsFromUser(alias, machines); ips != nil {
if ips, err := pol.expandIPsFromUser(alias, allMachines); ips != nil {
return ips, err
}
@ -559,17 +564,17 @@ func (pol *ACLPolicy) ExpandAlias(
if h, ok := pol.Hosts[alias]; ok {
log.Trace().Str("host", h.String()).Msg("ExpandAlias got hosts entry")
return pol.ExpandAlias(machines, h.String())
return pol.ExpandAlias(machine, peers, h.String())
}
// if alias is an IP
if ip, err := netip.ParseAddr(alias); err == nil {
return pol.expandIPsFromSingleIP(ip, machines)
return pol.expandIPsFromSingleIP(ip, allMachines)
}
// if alias is an IP Prefix (CIDR)
if prefix, err := netip.ParsePrefix(alias); err == nil {
return pol.expandIPsFromIPPrefix(prefix, machines)
return pol.expandIPsFromIPPrefix(prefix, allMachines)
}
log.Warn().Msgf("No IPs found with the alias %v", alias)
@ -871,6 +876,10 @@ func isTag(str string) bool {
return strings.HasPrefix(str, "tag:")
}
func isAutogroup(str string) bool {
return strings.HasPrefix(str, "autogroup:")
}
// TagsOfMachine will return the tags of the current machine.
// Invalid tags are tags added by a user on a node, and that user doesn't have authority to add this tag.
// Valid tags are tags added by a user that is allowed in the ACL policy to add this tag.

48
hscontrol/policy/acls_test.go
View File

@ -979,7 +979,8 @@ func Test_expandAlias(t *testing.T) {
pol ACLPolicy
}
type args struct {
machines types.Machines
machine types.Machine
peers types.Machines
aclPolicy ACLPolicy
alias string
}
@ -997,7 +998,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "*",
machines: types.Machines{
peers: types.Machines{
{IPAddresses: types.MachineAddresses{netip.MustParseAddr("100.64.0.1")}},
{
IPAddresses: types.MachineAddresses{
@ -1021,7 +1022,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "group:accountant",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
@ -1062,7 +1063,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "group:hr",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
@ -1098,8 +1099,8 @@ func Test_expandAlias(t *testing.T) {
pol: ACLPolicy{},
},
args: args{
alias: "10.0.0.3",
machines: types.Machines{},
alias: "10.0.0.3",
peers: types.Machines{},
},
want: set([]string{
"10.0.0.3",
@ -1112,8 +1113,8 @@ func Test_expandAlias(t *testing.T) {
pol: ACLPolicy{},
},
args: args{
alias: "10.0.0.1",
machines: types.Machines{},
alias: "10.0.0.1",
peers: types.Machines{},
},
want: set([]string{
"10.0.0.1",
@ -1127,7 +1128,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "10.0.0.1",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("10.0.0.1"),
@ -1148,7 +1149,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "10.0.0.1",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("10.0.0.1"),
@ -1170,7 +1171,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "fd7a:115c:a1e0:ab12:4843:2222:6273:2222",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("10.0.0.1"),
@ -1195,8 +1196,8 @@ func Test_expandAlias(t *testing.T) {
},
},
args: args{
alias: "testy",
machines: types.Machines{},
alias: "testy",
peers: types.Machines{},
},
want: set([]string{}, []string{"10.0.0.132/32"}),
wantErr: false,
@ -1211,8 +1212,8 @@ func Test_expandAlias(t *testing.T) {
},
},
args: args{
alias: "homeNetwork",
machines: types.Machines{},
alias: "homeNetwork",
peers: types.Machines{},
},
want: set([]string{}, []string{"192.168.1.0/24"}),
wantErr: false,
@ -1224,7 +1225,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "10.0.0.0/16",
machines: types.Machines{},
peers: types.Machines{},
aclPolicy: ACLPolicy{},
},
want: set([]string{}, []string{"10.0.0.0/16"}),
@ -1239,7 +1240,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "tag:hr-webserver",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
@ -1293,7 +1294,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "tag:hr-webserver",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
@ -1330,7 +1331,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "tag:hr-webserver",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
@ -1373,7 +1374,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "tag:hr-webserver",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
@ -1418,7 +1419,7 @@ func Test_expandAlias(t *testing.T) {
},
args: args{
alias: "joe",
machines: types.Machines{
peers: types.Machines{
{
IPAddresses: types.MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
@ -1462,7 +1463,8 @@ func Test_expandAlias(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
got, err := test.field.pol.ExpandAlias(
test.args.machines,
test.args.machine,
test.args.peers,
test.args.alias,
)
if (err != nil) != test.wantErr {
@ -2421,7 +2423,7 @@ func Test_getFilteredByACLPeers(t *testing.T) {
},
{
// Investigating 699
// Found some machines: [ts-head-8w6paa ts-unstable-lys2ib ts-head-upcrmb ts-unstable-rlwpvr] machine=ts-head-8w6paa
// Found some peers: [ts-head-8w6paa ts-unstable-lys2ib ts-head-upcrmb ts-unstable-rlwpvr] machine=ts-head-8w6paa
// ACL rules generated ACL=[{"DstPorts":[{"Bits":null,"IP":"*","Ports":{"First":0,"Last":65535}}],"SrcIPs":["fd7a:115c:a1e0::3","100.64.0.3","fd7a:115c:a1e0::4","100.64.0.4"]}]
// ACL Cache Map={"100.64.0.3":{"*":{}},"100.64.0.4":{"*":{}},"fd7a:115c:a1e0::3":{"*":{}},"fd7a:115c:a1e0::4":{"*":{}}}
name: "issue-699-broken-star",