headscale/acls_types.go

102 lines
2.5 KiB
Go
Raw Normal View History

2021-07-03 09:55:32 +00:00
package headscale
import (
2021-11-05 07:24:00 +00:00
"encoding/json"
2021-07-03 09:55:32 +00:00
"strings"
2021-07-03 15:31:32 +00:00
"github.com/tailscale/hujson"
2022-02-27 08:04:48 +00:00
"gopkg.in/yaml.v3"
2021-07-03 09:55:32 +00:00
"inet.af/netaddr"
)
2021-11-13 08:39:04 +00:00
// ACLPolicy represents a Tailscale ACL Policy.
2021-07-03 09:55:32 +00:00
type ACLPolicy struct {
2022-02-27 08:04:48 +00:00
Groups Groups `json:"Groups" yaml:"Groups"`
Hosts Hosts `json:"Hosts" yaml:"Hosts"`
TagOwners TagOwners `json:"TagOwners" yaml:"TagOwners"`
ACLs []ACL `json:"ACLs" yaml:"ACLs"`
Tests []ACLTest `json:"Tests" yaml:"Tests"`
2021-07-03 09:55:32 +00:00
}
2021-11-13 08:39:04 +00:00
// ACL is a basic rule for the ACL Policy.
2021-07-03 09:55:32 +00:00
type ACL struct {
2022-02-27 08:04:48 +00:00
Action string `json:"Action" yaml:"Action"`
Users []string `json:"Users" yaml:"Users"`
Ports []string `json:"Ports" yaml:"Ports"`
2021-07-03 09:55:32 +00:00
}
2021-11-13 08:39:04 +00:00
// Groups references a series of alias in the ACL rules.
2021-07-03 09:55:32 +00:00
type Groups map[string][]string
2021-11-13 08:39:04 +00:00
// Hosts are alias for IP addresses or subnets.
2021-07-03 15:31:32 +00:00
type Hosts map[string]netaddr.IPPrefix
2021-07-03 09:55:32 +00:00
2021-11-13 08:39:04 +00:00
// TagOwners specify what users (namespaces?) are allow to use certain tags.
2021-07-03 15:31:32 +00:00
type TagOwners map[string][]string
2021-07-03 09:55:32 +00:00
2021-11-13 08:39:04 +00:00
// ACLTest is not implemented, but should be use to check if a certain rule is allowed.
2021-07-03 09:55:32 +00:00
type ACLTest struct {
2022-02-27 08:04:48 +00:00
User string `json:"User" yaml:"User"`
Allow []string `json:"Allow" yaml:"Allow"`
Deny []string `json:"Deny,omitempty" yaml:"Deny,omitempty"`
2021-07-03 09:55:32 +00:00
}
2021-11-13 08:39:04 +00:00
// UnmarshalJSON allows to parse the Hosts directly into netaddr objects.
func (hosts *Hosts) UnmarshalJSON(data []byte) error {
newHosts := Hosts{}
hostIPPrefixMap := make(map[string]string)
2021-11-05 07:24:00 +00:00
ast, err := hujson.Parse(data)
if err != nil {
return err
}
ast.Standardize()
data = ast.Pack()
err = json.Unmarshal(data, &hostIPPrefixMap)
2021-07-03 15:31:32 +00:00
if err != nil {
return err
2021-07-03 09:55:32 +00:00
}
for host, prefixStr := range hostIPPrefixMap {
if !strings.Contains(prefixStr, "/") {
prefixStr += "/32"
2021-07-03 09:55:32 +00:00
}
prefix, err := netaddr.ParseIPPrefix(prefixStr)
2021-07-03 09:55:32 +00:00
if err != nil {
2021-07-03 15:31:32 +00:00
return err
2021-07-03 09:55:32 +00:00
}
newHosts[host] = prefix
2021-07-03 09:55:32 +00:00
}
*hosts = newHosts
2021-11-14 15:46:09 +00:00
2021-07-03 15:31:32 +00:00
return nil
}
2022-02-27 08:04:48 +00:00
// UnmarshalYAML allows to parse the Hosts directly into netaddr objects.
func (hosts *Hosts) UnmarshalYAML(data []byte) error {
newHosts := Hosts{}
hostIPPrefixMap := make(map[string]string)
err := yaml.Unmarshal(data, &hostIPPrefixMap)
if err != nil {
return err
}
for host, prefixStr := range hostIPPrefixMap {
prefix, err := netaddr.ParseIPPrefix(prefixStr)
if err != nil {
return err
}
newHosts[host] = prefix
}
*hosts = newHosts
return nil
}
2021-11-13 08:39:04 +00:00
// IsZero is perhaps a bit naive here.
func (policy ACLPolicy) IsZero() bool {
if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
2021-07-03 15:31:32 +00:00
return true
}
2021-11-14 15:46:09 +00:00
2021-07-03 15:31:32 +00:00
return false
2021-07-03 09:55:32 +00:00
}