Fixed linting issues

This commit is contained in:
Juan Font 2021-07-04 13:33:00 +02:00
parent d446e8a2fb
commit 19443669bf
4 changed files with 28 additions and 17 deletions

14
acls.go
View File

@ -22,7 +22,8 @@ const errorInvalidTag = Error("invalid tag")
const errorInvalidNamespace = Error("invalid namespace") const errorInvalidNamespace = Error("invalid namespace")
const errorInvalidPortFormat = Error("invalid port format") const errorInvalidPortFormat = Error("invalid port format")
func (h *Headscale) LoadAclPolicy(path string) error { // LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules
func (h *Headscale) LoadACLPolicy(path string) error {
policyFile, err := os.Open(path) policyFile, err := os.Open(path)
if err != nil { if err != nil {
return err return err
@ -35,6 +36,9 @@ func (h *Headscale) LoadAclPolicy(path string) error {
return err return err
} }
err = hujson.Unmarshal(b, &policy) err = hujson.Unmarshal(b, &policy)
if err != nil {
return err
}
if policy.IsZero() { if policy.IsZero() {
return errorEmptyPolicy return errorEmptyPolicy
} }
@ -61,7 +65,7 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
srcIPs := []string{} srcIPs := []string{}
for j, u := range a.Users { for j, u := range a.Users {
fmt.Printf("acl %d, user %d: ", i, j) fmt.Printf("acl %d, user %d: ", i, j)
srcs, err := h.generateAclPolicySrcIP(u) srcs, err := h.generateACLPolicySrcIP(u)
fmt.Printf(" -> %s\n", err) fmt.Printf(" -> %s\n", err)
if err != nil { if err != nil {
return nil, err return nil, err
@ -73,7 +77,7 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
destPorts := []tailcfg.NetPortRange{} destPorts := []tailcfg.NetPortRange{}
for j, d := range a.Ports { for j, d := range a.Ports {
fmt.Printf("acl %d, port %d: ", i, j) fmt.Printf("acl %d, port %d: ", i, j)
dests, err := h.generateAclPolicyDestPorts(d) dests, err := h.generateACLPolicyDestPorts(d)
fmt.Printf(" -> %s\n", err) fmt.Printf(" -> %s\n", err)
if err != nil { if err != nil {
return nil, err return nil, err
@ -90,11 +94,11 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
return &rules, nil return &rules, nil
} }
func (h *Headscale) generateAclPolicySrcIP(u string) (*[]string, error) { func (h *Headscale) generateACLPolicySrcIP(u string) (*[]string, error) {
return h.expandAlias(u) return h.expandAlias(u)
} }
func (h *Headscale) generateAclPolicyDestPorts(d string) (*[]tailcfg.NetPortRange, error) { func (h *Headscale) generateACLPolicyDestPorts(d string) (*[]tailcfg.NetPortRange, error) {
tokens := strings.Split(d, ":") tokens := strings.Split(d, ":")
if len(tokens) < 2 || len(tokens) > 3 { if len(tokens) < 2 || len(tokens) > 3 {
return nil, errorInvalidPortFormat return nil, errorInvalidPortFormat

View File

@ -5,18 +5,18 @@ import (
) )
func (s *Suite) TestWrongPath(c *check.C) { func (s *Suite) TestWrongPath(c *check.C) {
err := h.LoadAclPolicy("asdfg") err := h.LoadACLPolicy("asdfg")
c.Assert(err, check.NotNil) c.Assert(err, check.NotNil)
} }
func (s *Suite) TestBrokenHuJson(c *check.C) { func (s *Suite) TestBrokenHuJson(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/broken.hujson") err := h.LoadACLPolicy("./tests/acls/broken.hujson")
c.Assert(err, check.NotNil) c.Assert(err, check.NotNil)
} }
func (s *Suite) TestInvalidPolicyHuson(c *check.C) { func (s *Suite) TestInvalidPolicyHuson(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/invalid.hujson") err := h.LoadACLPolicy("./tests/acls/invalid.hujson")
c.Assert(err, check.NotNil) c.Assert(err, check.NotNil)
c.Assert(err, check.Equals, errorEmptyPolicy) c.Assert(err, check.Equals, errorEmptyPolicy)
} }
@ -36,13 +36,13 @@ func (s *Suite) TestParseInvalidCIDR(c *check.C) {
} }
func (s *Suite) TestCheckLoaded(c *check.C) { func (s *Suite) TestCheckLoaded(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/acl_policy_1.hujson") err := h.LoadACLPolicy("./tests/acls/acl_policy_1.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
c.Assert(h.aclPolicy, check.NotNil) c.Assert(h.aclPolicy, check.NotNil)
} }
func (s *Suite) TestValidCheckParsedHosts(c *check.C) { func (s *Suite) TestValidCheckParsedHosts(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/acl_policy_1.hujson") err := h.LoadACLPolicy("./tests/acls/acl_policy_1.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
c.Assert(h.aclPolicy, check.NotNil) c.Assert(h.aclPolicy, check.NotNil)
c.Assert(h.aclPolicy.IsZero(), check.Equals, false) c.Assert(h.aclPolicy.IsZero(), check.Equals, false)
@ -50,7 +50,7 @@ func (s *Suite) TestValidCheckParsedHosts(c *check.C) {
} }
func (s *Suite) TestRuleInvalidGeneration(c *check.C) { func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/acl_policy_invalid.hujson") err := h.LoadACLPolicy("./tests/acls/acl_policy_invalid.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
rules, err := h.generateACLRules() rules, err := h.generateACLRules()
@ -59,7 +59,7 @@ func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
} }
func (s *Suite) TestBasicRule(c *check.C) { func (s *Suite) TestBasicRule(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_1.hujson") err := h.LoadACLPolicy("./tests/acls/acl_policy_basic_1.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
rules, err := h.generateACLRules() rules, err := h.generateACLRules()
@ -68,7 +68,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
} }
func (s *Suite) TestPortRange(c *check.C) { func (s *Suite) TestPortRange(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_range.hujson") err := h.LoadACLPolicy("./tests/acls/acl_policy_basic_range.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
rules, err := h.generateACLRules() rules, err := h.generateACLRules()
@ -82,7 +82,7 @@ func (s *Suite) TestPortRange(c *check.C) {
} }
func (s *Suite) TestPortWildcard(c *check.C) { func (s *Suite) TestPortWildcard(c *check.C) {
err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_wildcards.hujson") err := h.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
rules, err := h.generateACLRules() rules, err := h.generateACLRules()
@ -126,7 +126,7 @@ func (s *Suite) TestPortNamespace(c *check.C) {
} }
db.Save(&m) db.Save(&m)
err = h.LoadAclPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson") err = h.LoadACLPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
rules, err := h.generateACLRules() rules, err := h.generateACLRules()
@ -171,7 +171,7 @@ func (s *Suite) TestPortGroup(c *check.C) {
} }
db.Save(&m) db.Save(&m)
err = h.LoadAclPolicy("./tests/acls/acl_policy_basic_groups.hujson") err = h.LoadACLPolicy("./tests/acls/acl_policy_basic_groups.hujson")
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
rules, err := h.generateACLRules() rules, err := h.generateACLRules()

View File

@ -7,6 +7,7 @@ import (
"inet.af/netaddr" "inet.af/netaddr"
) )
// ACLPolicy represents a Tailscale ACL Policy
type ACLPolicy struct { type ACLPolicy struct {
Groups Groups `json:"Groups"` Groups Groups `json:"Groups"`
Hosts Hosts `json:"Hosts"` Hosts Hosts `json:"Hosts"`
@ -15,24 +16,30 @@ type ACLPolicy struct {
Tests []ACLTest `json:"Tests"` Tests []ACLTest `json:"Tests"`
} }
// ACL is a basic rule for the ACL Policy
type ACL struct { type ACL struct {
Action string `json:"Action"` Action string `json:"Action"`
Users []string `json:"Users"` Users []string `json:"Users"`
Ports []string `json:"Ports"` Ports []string `json:"Ports"`
} }
// Groups references a series of alias in the ACL rules
type Groups map[string][]string type Groups map[string][]string
// Hosts are alias for IP addresses or subnets
type Hosts map[string]netaddr.IPPrefix type Hosts map[string]netaddr.IPPrefix
// TagOwners specify what users (namespaces?) are allow to use certain tags
type TagOwners map[string][]string type TagOwners map[string][]string
// ACLTest is not implemented, but should be use to check if a certain rule is allowed
type ACLTest struct { type ACLTest struct {
User string `json:"User"` User string `json:"User"`
Allow []string `json:"Allow"` Allow []string `json:"Allow"`
Deny []string `json:"Deny,omitempty"` Deny []string `json:"Deny,omitempty"`
} }
// UnmarshalJSON allows to parse the Hosts directly into netaddr objects
func (h *Hosts) UnmarshalJSON(data []byte) error { func (h *Hosts) UnmarshalJSON(data []byte) error {
hosts := Hosts{} hosts := Hosts{}
hs := make(map[string]string) hs := make(map[string]string)

View File

@ -121,7 +121,7 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
} }
// We are doing this here, as in the future could be cool to have it also hot-reload // We are doing this here, as in the future could be cool to have it also hot-reload
err = h.LoadAclPolicy(absPath(viper.GetString("acl_policy_path"))) err = h.LoadACLPolicy(absPath(viper.GetString("acl_policy_path")))
if err != nil { if err != nil {
log.Printf("Could not load the ACL policy: %s", err) log.Printf("Could not load the ACL policy: %s", err)
} }