fix(acl): fix issue with groups in excludeCorretlyTaggedNodes

This commit fix issue #563
This commit is contained in:
Adrien Raffin-Caboisse 2022-08-04 10:42:47 +02:00
parent f9c4d577e2
commit babf9470c2
No known key found for this signature in database
GPG Key ID: 7FB60532DEBEAD6A
2 changed files with 64 additions and 7 deletions

View File

@ -367,7 +367,7 @@ func expandAlias(
// if alias is a namespace // if alias is a namespace
nodes := filterMachinesByNamespace(machines, alias) nodes := filterMachinesByNamespace(machines, alias)
nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias) nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
for _, n := range nodes { for _, n := range nodes {
ips = append(ips, n.IPAddresses.ToStringSlice()...) ips = append(ips, n.IPAddresses.ToStringSlice()...)
@ -405,10 +405,13 @@ func excludeCorrectlyTaggedNodes(
aclPolicy ACLPolicy, aclPolicy ACLPolicy,
nodes []Machine, nodes []Machine,
namespace string, namespace string,
stripEmailDomain bool,
) []Machine { ) []Machine {
out := []Machine{} out := []Machine{}
tags := []string{} tags := []string{}
for tag, ns := range aclPolicy.TagOwners { for tag, ns := range aclPolicy.TagOwners {
owners, _ := expandTagOwners(aclPolicy, namespace, stripEmailDomain)
ns = append(owners, namespace)
if contains(ns, namespace) { if contains(ns, namespace) {
tags = append(tags, tag) tags = append(tags, tag)
} }

View File

@ -1201,9 +1201,10 @@ func Test_expandAlias(t *testing.T) {
func Test_excludeCorrectlyTaggedNodes(t *testing.T) { func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
type args struct { type args struct {
aclPolicy ACLPolicy aclPolicy ACLPolicy
nodes []Machine nodes []Machine
namespace string namespace string
stripEmailDomain bool
} }
tests := []struct { tests := []struct {
name string name string
@ -1247,7 +1248,57 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
Namespace: Namespace{Name: "joe"}, Namespace: Namespace{Name: "joe"},
}, },
}, },
namespace: "joe", namespace: "joe",
stripEmailDomain: true,
},
want: []Machine{
{
IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
Namespace: Namespace{Name: "joe"},
},
},
},
{
name: "exclude nodes with valid tags, and owner is in a group",
args: args{
aclPolicy: ACLPolicy{
Groups: Groups{
"group:accountant": []string{"joe", "bar"},
},
TagOwners: TagOwners{"tag:accountant-webserver": []string{"group:accountant"}},
},
nodes: []Machine{
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.1"),
},
Namespace: Namespace{Name: "joe"},
HostInfo: HostInfo{
OS: "centos",
Hostname: "foo",
RequestTags: []string{"tag:accountant-webserver"},
},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.2"),
},
Namespace: Namespace{Name: "joe"},
HostInfo: HostInfo{
OS: "centos",
Hostname: "foo",
RequestTags: []string{"tag:accountant-webserver"},
},
},
{
IPAddresses: MachineAddresses{
netaddr.MustParseIP("100.64.0.4"),
},
Namespace: Namespace{Name: "joe"},
},
},
namespace: "joe",
stripEmailDomain: true,
}, },
want: []Machine{ want: []Machine{
{ {
@ -1288,7 +1339,8 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
Namespace: Namespace{Name: "joe"}, Namespace: Namespace{Name: "joe"},
}, },
}, },
namespace: "joe", namespace: "joe",
stripEmailDomain: true,
}, },
want: []Machine{ want: []Machine{
{ {
@ -1333,7 +1385,8 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
Namespace: Namespace{Name: "joe"}, Namespace: Namespace{Name: "joe"},
}, },
}, },
namespace: "joe", namespace: "joe",
stripEmailDomain: true,
}, },
want: []Machine{ want: []Machine{
{ {
@ -1373,6 +1426,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
test.args.aclPolicy, test.args.aclPolicy,
test.args.nodes, test.args.nodes,
test.args.namespace, test.args.namespace,
test.args.stripEmailDomain,
) )
if !reflect.DeepEqual(got, test.want) { if !reflect.DeepEqual(got, test.want) {
t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want) t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want)