feat: add support for autogroup:danger-all

2026-03-31 15:07:49 +01:00 · 2024-05-29 08:41:48 +02:00
parent eadd42b19a
commit 41de33deab
3 changed files with 60 additions and 5 deletions
@@ -23,6 +23,7 @@ const (
 	AutoGroupMembers   = "autogroup:members"
 	AutoGroupTagged    = "autogroup:tagged"
 	AutoGroupInternet  = "autogroup:internet"
+	AutoGroupDangerAll = "autogroup:danger-all"
 )

 type AutoApprovers struct {
@@ -303,6 +303,10 @@ func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u
 		return append(m.IPs(), m.AllowedPrefixes()...)
 	}

+	if alias == AutoGroupDangerAll {
+		return []string{"0.0.0.0/0", "::/0"}
+	}
+
 	return a.translateAliasToMachineIPs(alias, m, f)
 }

@@ -628,6 +628,56 @@ func TestACLPolicy_BuildFilterRulesAutogroupInternet(t *testing.T) {
 	assert.Equal(t, expectedRules, actualRules)
 }

+func TestACLPolicy_BuildFilterRulesAutogroupDangerAll(t *testing.T) {
+	p1 := createMachine("nick@example.com")
+	p2 := createMachine("jane@example.com")
+
+	policy := ACLPolicy{
+		ionscale.ACLPolicy{
+			ACLs: []ionscale.ACLEntry{
+				{
+					Action:      "accept",
+					Source:      []string{"autogroup:danger-all"},
+					Destination: []string{"*:*"},
+				},
+			},
+		},
+	}
+
+	dst := createMachine("john@example.com")
+
+	expectedDstPorts := []tailcfg.NetPortRange{}
+	for _, r := range autogroupInternetRanges() {
+		expectedDstPorts = append(expectedDstPorts, tailcfg.NetPortRange{
+			IP: r,
+			Ports: tailcfg.PortRange{
+				First: 0,
+				Last:  65535,
+			},
+		})
+	}
+
+	actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
+	expectedRules := []tailcfg.FilterRule{
+		{
+			SrcIPs: []string{
+				"0.0.0.0/0", "::/0",
+			},
+			DstPorts: []tailcfg.NetPortRange{
+				{
+					IP: "*",
+					Ports: tailcfg.PortRange{
+						First: 0,
+						Last:  65535,
+					},
+				},
+			},
+		},
+	}
+
+	assert.Equal(t, expectedRules, actualRules)
+}
+
 func TestWithUser(t *testing.T) {
 	policy := ACLPolicy{
 		ionscale.ACLPolicy{