Remove variables and leftovers of pregenerated ACL content

Prior to the code reorg, we would generate rules from the Policy and store it on the global object. Now we generate it on the fly for each node and this commit cleans up the old variables to make sure we have no unexpected side effects. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-08-11 18:17:40 +00:00 · 2023-05-31 18:45:04 +02:00
parent 084d1d5d6e
commit 725bbd7408
11 changed files with 410 additions and 292 deletions
--- a/hscontrol/types/machine_test.go
+++ b/hscontrol/types/machine_test.go
@@ -1 +1,101 @@
 package types
+
+import (
+	"net/netip"
+	"testing"
+
+	"tailscale.com/tailcfg"
+)
+
+func Test_MachineCanAccess(t *testing.T) {
+	tests := []struct {
+		name     string
+		machine1 Machine
+		machine2 Machine
+		rules    []tailcfg.FilterRule
+		want     bool
+	}{
+		{
+			name: "other-cant-access-src",
+			machine1: Machine{
+				ID:          0,
+				IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.1")},
+				Hostname:    "mini",
+				User:        User{Name: "mini"},
+			},
+			machine2: Machine{
+				ID:          2,
+				IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.3")},
+				Hostname:    "peer2",
+				User:        User{Name: "peer2"},
+			},
+			rules: []tailcfg.FilterRule{
+				{
+					SrcIPs: []string{"100.64.0.2/32"},
+					DstPorts: []tailcfg.NetPortRange{
+						{IP: "100.64.0.3/32", Ports: tailcfg.PortRangeAny},
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name: "dest-cant-access-src",
+			machine1: Machine{
+				ID:          2,
+				IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.3")},
+				Hostname:    "peer2",
+				User:        User{Name: "peer2"},
+			},
+			machine2: Machine{
+				ID:          0,
+				IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.2")},
+				Hostname:    "mini",
+				User:        User{Name: "mini"},
+			},
+			rules: []tailcfg.FilterRule{
+				{
+					SrcIPs: []string{"100.64.0.2/32"},
+					DstPorts: []tailcfg.NetPortRange{
+						{IP: "100.64.0.3/32", Ports: tailcfg.PortRangeAny},
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name: "src-can-access-dest",
+			machine1: Machine{
+				ID:          0,
+				IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.2")},
+				Hostname:    "mini",
+				User:        User{Name: "mini"},
+			},
+			machine2: Machine{
+				ID:          2,
+				IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.3")},
+				Hostname:    "peer2",
+				User:        User{Name: "peer2"},
+			},
+			rules: []tailcfg.FilterRule{
+				{
+					SrcIPs: []string{"100.64.0.2/32"},
+					DstPorts: []tailcfg.NetPortRange{
+						{IP: "100.64.0.3/32", Ports: tailcfg.PortRangeAny},
+					},
+				},
+			},
+			want: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.machine1.CanAccess(tt.rules, &tt.machine2)
+
+			if got != tt.want {
+				t.Errorf("canAccess() failed: want (%t), got (%t)", tt.want, got)
+			}
+		})
+	}
+}