From 4550bdbf2a3c33a51483c2cdc429e8e3063ea010 Mon Sep 17 00:00:00 2001
From: Johan Siebens
Date: Sat, 28 Jan 2023 19:28:51 +0100
Subject: [PATCH] fix: set default ACL and IAM policy if not provided
---
 internal/domain/acl.go | 12 ++++++++++++
 internal/service/tailnet.go | 4 ++++
 2 files changed, 16 insertions(+)
diff --git a/internal/domain/acl.go b/internal/domain/acl.go
index 7da527c..3c7d9e9 100644
--- a/internal/domain/acl.go
+++ b/internal/domain/acl.go
@@ -47,6 +47,18 @@ type SSHRule struct {
 Users []string `json:"users"`
 }
 
+func DefaultACLPolicy() ACLPolicy {
+ return ACLPolicy{
+ ACLs: []ACL{
+ {
+ Action: "accept",
+ Src: []string{"*"},
+ Dst: []string{"*:*"},
+ },
+ },
+ }
+}
+
 func (a ACLPolicy) FindAutoApprovedIPs(routableIPs []netip.Prefix, tags []string, u *User) []netip.Prefix {
 if a.AutoApprovers == nil || len(routableIPs) == 0 {
 return nil
diff --git a/internal/service/tailnet.go b/internal/service/tailnet.go
index ed49a46..fd162af 100644
--- a/internal/service/tailnet.go
+++ b/internal/service/tailnet.go
@@ -59,12 +59,16 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
 if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil {
 return nil, errors.Wrap(err, 0)
 }
+ } else {
+ tailnet.IAMPolicy = domain.DefaultIAMPolicy()
 }
 
 if req.Msg.AclPolicy != nil {
 if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil {
 return nil, errors.Wrap(err, 0)
 }
+ } else {
+ tailnet.ACLPolicy = domain.DefaultACLPolicy()
 }
 
 if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
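Review bot: The new exported `DefaultACLPolicy` has no doc comment, and the policy it returns is allow-all: a single `accept` rule from `*` to `*:*`. Since this becomes the fallback for tailnets created without an ACL, that choice should be stated where the next maintainer will read it, for example `// DefaultACLPolicy returns an allow-all policy (any source to any destination and port).` followed by `// It is the fallback for tailnets created without an explicit ACL policy; supply one to restrict access.` Whether an empty `ACLPolicy` denies everything is not visible in this hunk, so the comment should only describe what the returned value contains.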
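Review bot: Both new `else` branches in `CreateTailnet` key on the request field being nil only, so a request that carries an empty but non-nil `AclPolicy` or `IamPolicy` skips the default and is stored as sent. That leaves two different outcomes for "no rules supplied", and the nil path silently gives the tailnet the allow-all ACL from `domain.DefaultACLPolicy()`. I would mark the fallback at the branch, e.g. `// No ACL supplied: fall back to the allow-all default.`, and decide explicitly whether an empty policy should get the same default. `domain.DefaultIAMPolicy` is not added by this patch, so it presumably already exists; the function body starts and ends outside the hunk.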