feat: add support for autogroup:danger-all

This commit is contained in:
Johan Siebens
2024-05-29 08:41:48 +02:00
parent eadd42b19a
commit 41de33deab
3 changed files with 60 additions and 5 deletions
+6 -5
@@ -18,11 +18,12 @@ import (
) )
const ( const (
AutoGroupSelf = "autogroup:self" AutoGroupSelf = "autogroup:self"
AutoGroupMember = "autogroup:member" AutoGroupMember = "autogroup:member"
AutoGroupMembers = "autogroup:members" AutoGroupMembers = "autogroup:members"
AutoGroupTagged = "autogroup:tagged" AutoGroupTagged = "autogroup:tagged"
AutoGroupInternet = "autogroup:internet" AutoGroupInternet = "autogroup:internet"
AutoGroupDangerAll = "autogroup:danger-all"
) )
type AutoApprovers struct { type AutoApprovers struct {
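Review bot: The new exported constant `AutoGroupDangerAll` carries no doc comment, and nothing in this file says how it differs from the other autogroups; only its name hints that it is not a set of tailnet machines but, per the `translateSourceAliasToMachineIPs` change in this same commit, the literal prefixes `0.0.0.0/0` and `::/0`. Since this is the value operators will copy into policies, the declaration is where the warning belongs, e.g. `// AutoGroupDangerAll matches every source address, whether or not it belongs to a tailnet node; use it only for destinations meant to be reachable from anywhere.` The other entries in the const block appear only re-aligned, so the addition is the sole functional change here.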
+4
@@ -303,6 +303,10 @@ func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u
return append(m.IPs(), m.AllowedPrefixes()...) return append(m.IPs(), m.AllowedPrefixes()...)
} }
if alias == AutoGroupDangerAll {
return []string{"0.0.0.0/0", "::/0"}
}
return a.translateAliasToMachineIPs(alias, m, f) return a.translateAliasToMachineIPs(alias, m, f)
} }
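Review bot: Returning `0.0.0.0/0` and `::/0` here puts an all-addresses match into the rule's SrcIPs, so any packet the node sees on the tailscale interface matches regardless of whether it originated from a known machine — including traffic forwarded in from outside the tailnet via a subnet router or exit node, which is presumably the reason for the "danger" prefix. That intent should be stated at the branch, e.g. `// autogroup:danger-all deliberately matches every source address, not just tailnet machines; it is never narrowed by f.`, since a future reader may otherwise "fix" it to call translateAliasToMachineIPs like the other aliases. The alias is only recognised in this source-side helper; a policy that uses it as a destination falls through to `a.translateAliasToMachineIPs` on the last line, and what that does with the string is not visible in this hunk — worth an explicit error or a test so the behaviour is deliberate rather than accidental. The enclosing `translateSourceAliasToMachineIPs` starts before this hunk.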
+50
@@ -628,6 +628,56 @@ func TestACLPolicy_BuildFilterRulesAutogroupInternet(t *testing.T) {
assert.Equal(t, expectedRules, actualRules) assert.Equal(t, expectedRules, actualRules)
} }
func TestACLPolicy_BuildFilterRulesAutogroupDangerAll(t *testing.T) {
p1 := createMachine("nick@example.com")
p2 := createMachine("jane@example.com")
policy := ACLPolicy{
ionscale.ACLPolicy{
ACLs: []ionscale.ACLEntry{
{
Action: "accept",
Source: []string{"autogroup:danger-all"},
Destination: []string{"*:*"},
},
},
},
}
dst := createMachine("john@example.com")
expectedDstPorts := []tailcfg.NetPortRange{}
for _, r := range autogroupInternetRanges() {
expectedDstPorts = append(expectedDstPorts, tailcfg.NetPortRange{
IP: r,
Ports: tailcfg.PortRange{
First: 0,
Last: 65535,
},
})
}
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{
{
SrcIPs: []string{
"0.0.0.0/0", "::/0",
},
DstPorts: []tailcfg.NetPortRange{
{
IP: "*",
Ports: tailcfg.PortRange{
First: 0,
Last: 65535,
},
},
},
},
}
assert.Equal(t, expectedRules, actualRules)
}
func TestWithUser(t *testing.T) { func TestWithUser(t *testing.T) {
policy := ACLPolicy{ policy := ACLPolicy{
ionscale.ACLPolicy{ ionscale.ACLPolicy{
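Review bot: `expectedDstPorts` is built from `autogroupInternetRanges()` but never used — it looks carried over from the autogroup:internet test above; the code compiles only because `append` reads the variable, so it is dead rather than caught by the compiler. Drop the `expectedDstPorts := []tailcfg.NetPortRange{}` declaration and the loop that fills it; the assertion already compares against the inline `expectedRules`. The test also pins only the source-position case with a `*:*` destination, so a second case with `autogroup:danger-all` in the Destination list (asserting whatever behaviour is intended there, including rejection) would stop the alias from silently acquiring destination semantics later. `TestWithUser` continues past the end of this hunk.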