TheArchive/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2024-11-30 13:35:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(machine): revert modifications

Browse Source 
Using h.ListAllMachines also listed the current machine in the result. It's unnecessary (I don't know if it's harmful).

Breaking the check with the `matchSourceAndDestinationWithRule` broke the tests. We have a specificity with the '*' destination that isn't symetrical.
I need to think of a better way to do this. It too hard to read.
This commit is contained in:
Adrien Raffin-Caboisse 2022-02-20 23:47:04 +01:00
parent 5e167cc00a
commit b3d0fb7a93
1 changed files with 11 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
machine.go
View File

@ -142,16 +142,6 @@ func containsAddresses(inputs []string, addrs MachineAddresses) bool {
return false return false
} }
// matchSourceAndDestinationWithRule will check if source is authorized to communicate with destination through
// the given rule.
func matchSourceAndDestinationWithRule(rule tailcfg.FilterRule, source Machine, destination Machine) bool {
var dst []string
for _, d := range rule.DstPorts {
dst = append(dst, d.IP)
}
return (containsAddresses(rule.SrcIPs, source.IPAddresses) && containsAddresses(dst, destination.IPAddresses)) || containsString(dst, "*")
}
// getFilteredByACLPeerss should return the list of peers authorized to be accessed from machine. // getFilteredByACLPeerss should return the list of peers authorized to be accessed from machine.
func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) { func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
log.Trace(). log.Trace().
@ -159,9 +149,10 @@ func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
Str("machine", machine.Name). Str("machine", machine.Name).
Msg("Finding peers filtered by ACLs") Msg("Finding peers filtered by ACLs")
machines, err := h.ListAllMachines() machines := Machines{}
if err != nil { if err := h.db.Preload("Namespace").Where("machine_key <> ? AND registered",
log.Error().Err(err).Msg("Error retrieving list of machines") machine.MachineKey).Find(&machines).Error; err != nil {
log.Error().Err(err).Msg("Error accessing db")
return Machines{}, err return Machines{}, err
} }
peers := make(map[uint64]Machine) peers := make(map[uint64]Machine)
@ -185,7 +176,13 @@ func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
for _, peer := range machines { for _, peer := range machines {
for _, rule := range h.aclRules { for _, rule := range h.aclRules {
if matchSourceAndDestinationWithRule(rule, *machine, peer) || matchSourceAndDestinationWithRule(rule, peer, *machine) { var dst []string
for _, d := range rule.DstPorts {
dst = append(dst, d.IP)
}
if (containsAddresses(rule.SrcIPs, machine.IPAddresses) && (containsAddresses(dst, peer.IPAddresses) || containsString(dst, "*"))) || (
// open return path
containsAddresses(rule.SrcIPs, peer.IPAddresses) && containsAddresses(dst, machine.IPAddresses)) {
peers[peer.ID] = peer peers[peer.ID] = peer
} }
} }