diff --git a/acls.go b/acls.go
index 8ba86186..151fb3b6 100644
--- a/acls.go
+++ b/acls.go
@@ -9,7 +9,6 @@ import (
 "strconv"
 "strings"
 
- "github.com/davecgh/go-spew/spew"
 "github.com/tailscale/hujson"
 "inet.af/netaddr"
 "tailscale.com/tailcfg"
@@ -82,8 +81,6 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
 DstPorts: destPorts,
 })
 }
- // fmt.Println(rules)
- spew.Dump(rules)
 return &rules, nil
 }
 
diff --git a/acls_test.go b/acls_test.go
index 97f0d334..34338483 100644
--- a/acls_test.go
+++ b/acls_test.go
@@ -64,7 +64,82 @@ func (s *Suite) TestBasicRule(c *check.C) {
 
 rules, err := h.generateACLRules()
 c.Assert(err, check.IsNil)
- c.Assert(rules, check.IsNil)
+ c.Assert(rules, check.NotNil)
+}
+
+func (s *Suite) TestPortRange(c *check.C) {
+ err := h.LoadPolicy("./tests/acls/acl_policy_basic_range.hujson")
+ c.Assert(err, check.IsNil)
+
+ rules, err := h.generateACLRules()
+ c.Assert(err, check.IsNil)
+ c.Assert(rules, check.NotNil)
+
+ c.Assert(*rules, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(5400))
+ c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(5500))
+}
+
+func (s *Suite) TestPortWildcard(c *check.C) {
+ err := h.LoadPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
+ c.Assert(err, check.IsNil)
+
+ rules, err := h.generateACLRules()
+ c.Assert(err, check.IsNil)
+ c.Assert(rules, check.NotNil)
+
+ c.Assert(*rules, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
+ c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
+ c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
+ c.Assert((*rules)[0].SrcIPs[0], check.Equals, "*")
+}
+
+func (s *Suite) TestPortNamespace(c *check.C) {
+ n, err := h.CreateNamespace("testnamespace")
+ c.Assert(err, check.IsNil)
+
+ pak, err := h.CreatePreAuthKey(n.Name, false, false, nil)
+ c.Assert(err, check.IsNil)
+
+ db, err := h.db()
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ _, err = h.GetMachine("testnamespace", "testmachine")
+ c.Assert(err, check.NotNil)
+ ip, _ := h.getAvailableIP()
+ m := Machine{
+ ID: 0,
+ MachineKey: "foo",
+ NodeKey: "bar",
+ DiscoKey: "faa",
+ Name: "testmachine",
+ NamespaceID: n.ID,
+ Registered: true,
+ RegisterMethod: "authKey",
+ IPAddress: ip.String(),
+ AuthKeyID: uint(pak.ID),
+ }
+ db.Save(&m)
+
+ err = h.LoadPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson")
+ c.Assert(err, check.IsNil)
+
+ rules, err := h.generateACLRules()
+ c.Assert(err, check.IsNil)
+ c.Assert(rules, check.NotNil)
+
+ c.Assert(*rules, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+ c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
+ c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
+ c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
+ c.Assert((*rules)[0].SrcIPs[0], check.Not(check.Equals), "not an ip")
+ c.Assert((*rules)[0].SrcIPs[0], check.Equals, ip.String())
 }
 
 // func (s *Suite) TestRuleGeneration(c *check.C) {
diff --git a/tests/acls/acl_policy_1.hujson b/tests/acls/acl_policy_1.hujson
index c9881d82..8f70148b 100644
--- a/tests/acls/acl_policy_1.hujson
+++ b/tests/acls/acl_policy_1.hujson
@@ -20,12 +20,11 @@
 // Everyone in the montreal-admins or global-admins group are
 // allowed to tag servers as montreal-webserver.
 "tag:montreal-webserver": [
- "group:montreal-admins",
- "group:global-admins",
+ "group:example",
 ],
 // Only a few admins are allowed to create API servers.
- "tag:api-server": [
- "group:global-admins",
+ "tag:production": [
+ "group:example",
 "president@example.com",
 ],
 },
@@ -38,7 +37,7 @@
 "Action": "accept",
 "Users": [
 "group:example2",
- "192.168.1.1"
+ "192.168.1.0/24"
 ],
 "Ports": [
 "*:22,3389",
@@ -62,8 +61,7 @@
 {
 "Action": "accept",
 "Users": [
- "example-host-2",
- "192.168.1.0/24"
+ "example-host-2",
 ],
 "Ports": [
 "example-host-1:*",
diff --git a/tests/acls/acl_policy_basic_1.hujson b/tests/acls/acl_policy_basic_1.hujson
new file mode 100644
index 00000000..4f86af3d
--- /dev/null
+++ b/tests/acls/acl_policy_basic_1.hujson
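Review bot: In TestPortNamespace the error from `h.getAvailableIP()` is discarded (`ip, _ := h.getAvailableIP()`) and the result of `db.Save(&m)` is never checked, so a failure in either shows up later as a confusing mismatch on `SrcIPs[0]` instead of at its source. Prefer `ip, err := h.getAvailableIP()` followed by `c.Assert(err, check.IsNil)`, and assert on the save result too (its `.Error` field if `db` is a gorm handle; the type is not visible in this hunk). The `check.Not(check.Equals), "not an ip"` assertion is subsumed by the `check.Equals, ip.String()` assertion on the next line and can be dropped. None of the three new tests pins the negative case — what `generateACLRules` emits when a `Users` entry names a namespace with no registered machines — which is the fail-closed behaviour most worth a test, if the function is meant to produce no `SrcIPs` there. TestBasicRule's opening lines and the shared `h` these tests use are outside the hunk.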
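Review bot: The comments kept as context in the first acl_policy_1.hujson hunk no longer describe the data under them: `// Everyone in the montreal-admins or global-admins group are` / `// allowed to tag servers as montreal-webserver.` now heads a list holding only `group:example`, and `// Only a few admins are allowed to create API servers.` now heads `tag:production`. Update them to match, e.g. `// Members of group:example are allowed to tag servers as montreal-webserver.` and `// Only a few admins are allowed to create production servers.`. Whether `group:example` is declared in this file's Groups section is not visible in the diff and is worth confirming, since the fixture is loaded by the tests.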
@@ -0,0 +1,24 @@
+// This ACL is a very basic example to validate the
+// expansion of hosts
+
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "subnet-1",
+ "192.168.1.0/24"
+ ],
+ "Ports": [
+ "*:22,3389",
+ "host-1:*",
+ ],
+ },
+ ],
+}
\ No newline at end of file
diff --git a/tests/acls/acl_policy_basic_namespace_as_user.hujson b/tests/acls/acl_policy_basic_namespace_as_user.hujson
new file mode 100644
index 00000000..414bdda4
--- /dev/null
+++ b/tests/acls/acl_policy_basic_namespace_as_user.hujson
@@ -0,0 +1,20 @@
+// This ACL is used to test wildcards
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "testnamespace",
+ ],
+ "Ports": [
+ "host-1:*",
+ ],
+ },
+ ],
+}
\ No newline at end of file
diff --git a/tests/acls/acl_policy_basic_range.hujson b/tests/acls/acl_policy_basic_range.hujson
new file mode 100644
index 00000000..8bcbc798
--- /dev/null
+++ b/tests/acls/acl_policy_basic_range.hujson
@@ -0,0 +1,20 @@
+// This ACL is used to test the port range expansion
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "subnet-1",
+ ],
+ "Ports": [
+ "host-1:5400-5500",
+ ],
+ },
+ ],
+}
\ No newline at end of file
diff --git a/tests/acls/acl_policy_basic_wildcards.hujson b/tests/acls/acl_policy_basic_wildcards.hujson
new file mode 100644
index 00000000..ec5ce468
--- /dev/null
+++ b/tests/acls/acl_policy_basic_wildcards.hujson
@@ -0,0 +1,20 @@
+// This ACL is used to test wildcards
+
+{
+ "Hosts": {
+ "host-1": "100.100.100.100",
+ "subnet-1": "100.100.101.100/24",
+ },
+
+ "ACLs": [
+ {
+ "Action": "accept",
+ "Users": [
+ "*",
+ ],
+ "Ports": [
+ "host-1:*",
+ ],
+ },
+ ],
+}
\ No newline at end of file
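Review bot: The header comment of acl_policy_basic_namespace_as_user.hujson, `// This ACL is used to test wildcards`, is copied from the wildcards fixture and does not describe this file, which puts a namespace name (`testnamespace`) in `Users`; change it to `// This ACL is used to test expanding a namespace as a user`. All four new fixtures end with `\ No newline at end of file`; a final newline keeps later diffs of these files clean. acl_policy_basic_1.hujson is not loaded by any test visible in this diff; if TestBasicRule (whose opening lines are outside the diff) is the consumer, a comment in the fixture naming that test would make the link explicit.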