From 4394d44cbdd24cf061f04c95f25a751e2e50ccfb Mon Sep 17 00:00:00 2001
From: Johan Siebens
Date: Sat, 23 Nov 2024 08:06:17 +0100
Subject: [PATCH] fix: add support for autgroup:member when validating node attributes

Signed-off-by: Johan Siebens
---
 internal/domain/acl.go | 4 ++++
 internal/domain/acl_test.go | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/internal/domain/acl.go b/internal/domain/acl.go
index 424d61d..99d5851 100644
--- a/internal/domain/acl.go
+++ b/internal/domain/acl.go
@@ -164,6 +164,10 @@ func (a ACLPolicy) NodeCapabilities(m *Machine) []tailcfg.NodeCapability {
 }
 }
 }
+
+ if (alias == AutoGroupMember || alias == AutoGroupMembers) && !m.HasTags() {
+ return true
+ }
 }

 return false
diff --git a/internal/domain/acl_test.go b/internal/domain/acl_test.go
index aaee426..66874cb 100644
--- a/internal/domain/acl_test.go
+++ b/internal/domain/acl_test.go
@@ -113,6 +113,38 @@ func TestACLPolicy_NodeAttributesWithUserAndTags(t *testing.T) {
 assert.Equal(t, expectedAttrs, actualAttrs)
 }

+func TestACLPolicy_NodeAttributesWithAutoGroupMember(t *testing.T) {
+ p1 := createMachine("john@example.com")
+
+ policy := ACLPolicy{
+ ionscale.ACLPolicy{
+ NodeAttrs: []ionscale.ACLNodeAttrGrant{
+ {
+ Target: []string{"autogroup:member"},
+ Attr: []string{
+ "attr1",
+ "attr2",
+ },
+ },
+ {
+ Target: []string{"tag:web"},
+ Attr: []string{
+ "attr3",
+ },
+ },
+ },
+ },
+ }
+
+ actualAttrs := policy.NodeCapabilities(p1)
+ expectedAttrs := []tailcfg.NodeCapability{
+ tailcfg.NodeCapability("attr1"),
+ tailcfg.NodeCapability("attr2"),
+ }
+
+ assert.Equal(t, expectedAttrs, actualAttrs)
+}
+
 func TestACLPolicy_BuildFilterRulesEmptyACL(t *testing.T) {
 p1 := createMachine("john@example.com")
 p2 := createMachine("jane@example.com")
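Review bot: The new branch in the alias loop of NodeCapabilities treats "machine has no tags" as the whole definition of autogroup:member; nothing in the visible lines looks at the owning user before the capability is granted. If this policy model can hold untagged machines that should not count as members, they would receive the attributes too. The rest of the function and the Machine type are outside the hunk, so that is an assumption to confirm. A comment above the condition would at least pin the intent, for example `// autogroup:member(s): any user-owned machine, i.e. one without tags; tagged machines never match`.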
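Review bot: TestACLPolicy_NodeAttributesWithAutoGroupMember covers only the granting path of the new branch: an untagged machine gets attr1/attr2 and not the tag:web attribute. The `!m.HasTags()` guard, which is what keeps tagged machines from inheriting member capabilities, has no test. A companion case that builds a tagged machine against the same policy and asserts that attr1 and attr2 are absent would protect it from regressing. The branch also accepts the AutoGroupMembers alias, which no test here uses as a target.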