From 8a07381e3ac4a83e6b73ad957a7275a44e02ef88 Mon Sep 17 00:00:00 2001
From: Benjamin Roberts
Date: Tue, 1 Nov 2022 22:00:40 +1100
Subject: [PATCH] Fix prefix length comparison bug in AutoApprovers route evaluation (#862)
---
 CHANGELOG.md | 1 +
 acls_types.go | 2 +-
 machine_test.go | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index aa993fe3..d6836bf0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@
 - Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
 - Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
 - Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
+- Fix prefix length comparison bug in AutoApprovers route evaluation [#862](https://github.com/juanfont/headscale/pull/862)
 - Random node DNS suffix only applied if names collide in namespace. [#766](https://github.com/juanfont/headscale/issues/766)
 - Remove `ip_prefix` configuration option and warning [#899](https://github.com/juanfont/headscale/pull/899)
 - Add `dns_config.override_local_dns` option [#905](https://github.com/juanfont/headscale/pull/905)
diff --git a/acls_types.go b/acls_types.go
index 903f848b..638a456f 100644
--- a/acls_types.go
+++ b/acls_types.go
@@ -125,7 +125,7 @@ func (autoApprovers *AutoApprovers) GetRouteApprovers(
 return nil, err
 }
- if autoApprovedPrefix.Bits() >= prefix.Bits() &&
+ if prefix.Bits() >= autoApprovedPrefix.Bits() &&
 autoApprovedPrefix.Contains(prefix.Masked().Addr()) {
 approverAliases = append(approverAliases, autoApproverAliases...)
 }
diff --git a/machine_test.go b/machine_test.go
index 2f02e381..b13ecd0c 100644
--- a/machine_test.go
+++ b/machine_test.go
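Review bot: The corrected `if` in the acls_types.go hunk still has no comment explaining why the `Bits()` comparison is needed next to `Contains`, and the inverted comparison this commit fixes shows the intent is easy to get wrong. `Contains(prefix.Masked().Addr())` tests only the advertised route's network address, so on its own it would accept a route broader than the approved prefix whenever the two share an aligned base (for instance, an advertised 10.0.0.0/8 under an approved 10.0.0.0/16); the `prefix.Bits() >= autoApprovedPrefix.Bits()` check is what limits approval to equal-or-narrower sub-prefixes. A comment above the `if` would pin that down: `// Approve only routes that lie wholly inside the approved prefix: Contains() checks just the network address, so the Bits() comparison is what rejects routes broader than the approved prefix.` `Bits()` reports -1 for an invalid netip.Prefix, so an invalid advertised prefix also fails the comparison, which is worth noting since the parse that produces `autoApprovedPrefix` sits above the hunk. The enclosing GetRouteApprovers starts and ends outside the hunk.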
@@ -1132,7 +1132,8 @@ func (s *Suite) TestAutoApproveRoutes(c *check.C) {
 defaultRoute := netip.MustParsePrefix("0.0.0.0/0")
 route1 := netip.MustParsePrefix("10.10.0.0/16")
- route2 := netip.MustParsePrefix("10.11.0.0/16")
+ // Check if a subprefix of an autoapproved route is approved
+ route2 := netip.MustParsePrefix("10.11.0.0/24")
 machine := Machine{
 ID: 0,