diff --git a/internal/cmd/acl.go b/internal/cmd/acl.go
index c8ce544..8ec98f4 100644
--- a/internal/cmd/acl.go
+++ b/internal/cmd/acl.go
@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"github.com/bufbuild/connect-go"
 	"github.com/jsiebens/go-edit/editor"
@@ -25,12 +24,7 @@ func getACLConfigCommand() *cobra.Command {
 			return err
 		}
 
-		marshal, err := json.MarshalIndent(resp.Msg.Policy, "", " ")
-		if err != nil {
-			return err
-		}
-
-		fmt.Println(string(marshal))
+		fmt.Println(resp.Msg.Policy)
 
 		return nil
 	}
@@ -53,12 +47,7 @@ func editACLConfigCommand() *cobra.Command {
 			return err
 		}
 
-		previous, err := json.MarshalIndent(resp.Msg.Policy, "", " ")
-		if err != nil {
-			return err
-		}
-
-		next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader(previous))
+		next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader([]byte(resp.Msg.Policy)))
 		if err != nil {
 			return err
 		}
@@ -70,12 +59,7 @@ func editACLConfigCommand() *cobra.Command {
 			return err
 		}
 
-		var policy = &api.ACLPolicy{}
-		if err := json.Unmarshal(next, policy); err != nil {
-			return err
-		}
-
-		_, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
+		_, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(next)}))
 		if err != nil {
 			return err
 		}
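Review bot: With `Policy: string(next)` the CLI no longer parses the edited text before calling `SetACLPolicy`, so every syntax and schema check on the tailnet's authorization policy now rests on the server; that is the right place for the authoritative check, but if the server decodes as leniently as the removed client code did (`json.Unmarshal` drops unknown keys), a misspelled section name such as `"acl"` or `"tagOwner"` would be accepted as a policy with that section empty and no error shown to the operator. A cheap local syntax check keeps the operator's HuJSON text intact while still failing fast: `if _, err := hujson.Parse(next); err != nil { return fmt.Errorf("policy is not valid HuJSON: %w", err) }` before the request (the import hunk of acl.go does not show hujson being removed, so it may still be in scope — confirm). `editACLConfigCommand` starts and ends outside these hunks, so where the temp file from `LaunchTempFile` is removed relative to this call is not visible here.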
@@ -105,17 +89,7 @@ func setACLConfigCommand() *cobra.Command {
 			return err
 		}
 
-		rawJson, err := hujson.Standardize(content)
-		if err != nil {
-			return err
-		}
-
-		var policy = &api.ACLPolicy{}
-		if err := json.Unmarshal(rawJson, policy); err != nil {
-			return err
-		}
-
-		_, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
+		_, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(content)}))
 		if err != nil {
 			return err
 		}
diff --git a/internal/cmd/iam.go b/internal/cmd/iam.go
index 34cab15..4531ebb 100644
--- a/internal/cmd/iam.go
+++ b/internal/cmd/iam.go
@@ -2,13 +2,11 @@ package cmd
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"github.com/bufbuild/connect-go"
 	"github.com/jsiebens/go-edit/editor"
 	api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
 	"github.com/spf13/cobra"
-	"github.com/tailscale/hujson"
 	"os"
 )
 
@@ -25,12 +23,7 @@ func getIAMPolicyCommand() *cobra.Command {
 			return err
 		}
 
-		marshal, err := json.MarshalIndent(resp.Msg.Policy, "", " ")
-		if err != nil {
-			return err
-		}
-
-		fmt.Println(string(marshal))
+		fmt.Println(resp.Msg.Policy)
 
 		return nil
 	}
@@ -53,29 +46,14 @@ func editIAMPolicyCommand() *cobra.Command {
 			return err
 		}
 
-		previous, err := json.MarshalIndent(resp.Msg.Policy, "", " ")
-		if err != nil {
-			return err
-		}
-
-		next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader(previous))
-		if err != nil {
-			return err
-		}
-
-		next, err = hujson.Standardize(next)
+		next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader([]byte(resp.Msg.Policy)))
 		if err != nil {
 			return err
 		}
 
 		defer os.Remove(s)
 
-		var policy = &api.IAMPolicy{}
-		if err := json.Unmarshal(next, policy); err != nil {
-			return err
-		}
-
-		_, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
+		_, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(next)}))
 		if err != nil {
 			return err
 		}
@@ -105,17 +83,7 @@ func setIAMPolicyCommand() *cobra.Command {
 			return err
 		}
 
-		rawJson, err := hujson.Standardize(content)
-		if err != nil {
-			return err
-		}
-
-		var policy = &api.IAMPolicy{}
-		if err := json.Unmarshal(rawJson, policy); err != nil {
-			return err
-		}
-
-		_, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
+		_, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(content)}))
 		if err != nil {
 			return err
 		}
diff --git a/internal/cmd/tailnet.go b/internal/cmd/tailnet.go
index 2746b20..52cb0a3 100644
--- a/internal/cmd/tailnet.go
+++ b/internal/cmd/tailnet.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"github.com/bufbuild/connect-go"
 	idomain "github.com/jsiebens/ionscale/internal/domain"
+	"github.com/jsiebens/ionscale/pkg/client/ionscale"
 	"github.com/jsiebens/ionscale/pkg/defaults"
 	api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
 	"github.com/rodaine/table"
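Review bot: `defer os.Remove(s)` fires when `RunE` returns, so by the time the server rejects `string(next)` in `SetIAMPolicy` the operator's edited policy has already been deleted from disk, and with the local `hujson.Standardize`/`json.Unmarshal` pass gone a plain syntax slip now costs the whole edit instead of failing before anything is discarded. Consider replacing the `defer` with an explicit `os.Remove(s)` after the request succeeds and returning `fmt.Errorf("set IAM policy (edited text kept at %s): %w", s, err)` on failure, or at minimum printing the path before returning the error. The temp file also holds the tailnet's IAM policy (emails and role bindings) in the editor's temp directory for the duration of the session; that predates this change, but it is worth a sentence in the command's help text. `editIAMPolicyCommand` begins outside the hunk, so the `LaunchTempFile` error path's handling of a partially created file cannot be checked here.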
@@ -102,24 +103,32 @@ func createTailnetsCommand() *cobra.Command {
 
 	command.RunE = func(cmd *cobra.Command, args []string) error {
 		dnsConfig := defaults.DefaultDNSConfig()
-		aclPolicy := defaults.DefaultACLPolicy()
-		iamPolicy := &api.IAMPolicy{}
+		aclPolicy := defaults.DefaultACLPolicy().Marshal()
+		iamPolicy := "{}"
 
 		if len(domain) != 0 {
 			domainToLower := strings.ToLower(domain)
-			iamPolicy = &api.IAMPolicy{
+			m, err := json.MarshalIndent(&ionscale.IAMPolicy{
 				Filters: []string{fmt.Sprintf("domain == %s", domainToLower)},
+			}, "", " ")
+			if err != nil {
+				return err
 			}
+			iamPolicy = string(m)
 		}
 
 		if len(email) != 0 {
 			emailToLower := strings.ToLower(email)
-			iamPolicy = &api.IAMPolicy{
+			m, err := json.MarshalIndent(&ionscale.IAMPolicy{
 				Emails: []string{emailToLower},
 				Roles: map[string]string{
 					emailToLower: string(idomain.UserRoleAdmin),
 				},
+			}, "", " ")
+			if err != nil {
+				return err
 			}
+			iamPolicy = string(m)
 		}
 
 		resp, err := tc.Client().CreateTailnet(cmd.Context(), connect.NewRequest(&api.CreateTailnetRequest{
diff --git a/internal/database/migration/m202403130830_json_to_text.go b/internal/database/migration/m202403130830_json_to_text.go
new file mode 100644
index 0000000..37efec7
--- /dev/null
+++ b/internal/database/migration/m202403130830_json_to_text.go
@@ -0,0 +1,29 @@
+package migration
+
+import (
+	"github.com/go-gormigrate/gormigrate/v2"
+	"gorm.io/gorm"
+)
+
+func m202403130830_json_to_text() *gormigrate.Migration {
+	return &gormigrate.Migration{
+		ID: "202403130830",
+		Migrate: func(db *gorm.DB) error {
+			type Tailnet struct {
+				IAMPolicy string
+				ACLPolicy string
+			}
+
+			if err := db.Migrator().AlterColumn(&Tailnet{}, "IAMPolicy"); err != nil {
+				return err
+			}
+
+			if err := db.Migrator().AlterColumn(&Tailnet{}, "ACLPolicy"); err != nil {
+				return err
+			}
+
+			return nil
+		},
+		Rollback: nil,
+	}
+}
diff --git a/internal/database/migration/migrations.go b/internal/database/migration/migrations.go
index 9da4d79..60e01c0 100644
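Review bot: The throw-away `Tailnet` type inside `Migrate` declares `IAMPolicy string` and `ACLPolicy string` with no `gorm` tag, so the column type that `AlterColumn` applies is whatever the active dialector maps a bare `string` to; if that mapping is a sized varchar on any backend ionscale supports, a long ACL policy — the tailnet's authorization source — would be truncated or rejected on the next write rather than at migration time. Pinning the fields with a `gorm:"type:text"` struct tag makes the migration independent of dialector defaults and documents the intent of the rename "json_to_text". `Rollback: nil` makes the migration one-way; since the old JSON columns held text that is also valid HuJSON that is probably acceptable, but a short comment saying why no rollback is provided would help whoever has to downgrade. Also worth noting that after this migration every row is decoded by the new `HuJSON.Scan` on read, so a row whose policy cannot be parsed (or is NULL) would fail at read time rather than here; a post-migration read of all tailnets would surface that inside the migration where it can be acted on.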
--- a/internal/database/migration/migrations.go
+++ b/internal/database/migration/migrations.go
@@ -20,6 +20,7 @@ func Migrations() []*gormigrate.Migration {
 		m202312290900_machine_indeces(),
 		m202401061400_machine_indeces(),
 		m202402120800_user_last_authenticated(),
+		m202403130830_json_to_text(),
 	}
 	return migrations
 }
diff --git a/internal/domain/acl.go b/internal/domain/acl.go
index 0834f8e..98ddb25 100644
--- a/internal/domain/acl.go
+++ b/internal/domain/acl.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/hashicorp/go-multierror"
+	"github.com/jsiebens/ionscale/pkg/client/ionscale"
 	"gorm.io/gorm"
 	"gorm.io/gorm/schema"
 	"net/netip"
@@ -30,41 +31,7 @@ type AutoApprovers struct {
 }
 
 type ACLPolicy struct {
-	Groups map[string][]string `json:"groups,omitempty"`
-	Hosts map[string]string `json:"hosts,omitempty"`
-	ACLs []ACL `json:"acls,omitempty"`
-	TagOwners map[string][]string `json:"tagowners,omitempty"`
-	AutoApprovers *AutoApprovers `json:"autoApprovers,omitempty"`
-	SSHRules []SSHRule `json:"ssh,omitempty"`
-	NodeAttrs []NodeAttr `json:"nodeAttrs,omitempty"`
-	Grants []Grant `json:"grants,omitempty"`
-}
-
-type ACL struct {
-	Action string `json:"action"`
-	Proto string `json:"proto"`
-	Src []string `json:"src"`
-	Dst []string `json:"dst"`
-}
-
-type SSHRule struct {
-	Action string `json:"action"`
-	Src []string `json:"src"`
-	Dst []string `json:"dst"`
-	Users []string `json:"users"`
-	CheckPeriod string `json:"checkPeriod,omitempty"`
-}
-
-type NodeAttr struct {
-	Target []string `json:"target"`
-	Attr []string `json:"attr"`
-}
-
-type Grant struct {
-	Src []string `json:"src"`
-	Dst []string `json:"dst"`
-	IP []tailcfg.ProtoPortRange `json:"ip"`
-	App tailcfg.PeerCapMap `json:"app"`
+	ionscale.ACLPolicy
 }
 
 func (a *ACLPolicy) Equal(x *ACLPolicy) bool {
diff --git a/internal/domain/acl_filter_rules.go b/internal/domain/acl_filter_rules.go
index d23251a..f345eaf 100644
--- a/internal/domain/acl_filter_rules.go
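Review bot: The removed definitions fixed the wire names stored in every existing tailnet's policy — `groups`, `hosts`, `acls`, `tagowners`, `autoApprovers`, `ssh`, `nodeAttrs`, `grants`, `proto`, `src`, `dst`, `checkPeriod`, `ip`, `app` — and the embedded `ionscale.ACLPolicy` that replaces them is not part of this diff. Because `json.Unmarshal` silently ignores unknown keys, any tag that differs on the new type (for instance `tagOwners` instead of `tagowners`) would load persisted policies with that section empty and no error, quietly changing who may own tags, who may SSH, or which ACL entries apply. Worth adding a test that unmarshals a fixture containing every section into `ACLPolicy` and asserts each is populated, and a comment on the embedded field: `// ionscale.ACLPolicy must keep the json tags of the former local types (groups, hosts, acls, tagowners, autoApprovers, ssh, nodeAttrs, grants) so policies already persisted keep parsing.` `Equal` starts at the hunk's last line and continues outside it.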
+++ b/internal/domain/acl_filter_rules.go @@ -1,6 +1,7 @@ package domain import ( + "github.com/jsiebens/ionscale/pkg/client/ionscale" "net/netip" "strings" "tailscale.com/tailcfg" @@ -12,16 +13,16 @@ func (a ACLPolicy) IsValidPeer(src *Machine, dest *Machine) bool { } for _, acl := range a.ACLs { - selfDestPorts, allDestPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Dst, dest) + selfDestPorts, allDestPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Destination, dest) if len(selfDestPorts) != 0 { - for _, alias := range acl.Src { + for _, alias := range acl.Source { if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 { return true } } } if len(allDestPorts) != 0 { - for _, alias := range acl.Src { + for _, alias := range acl.Source { if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 { return true } @@ -30,16 +31,16 @@ func (a ACLPolicy) IsValidPeer(src *Machine, dest *Machine) bool { } for _, grant := range a.Grants { - selfIps, otherIps := a.translateDestinationAliasesToMachineIPs(grant.Dst, dest) + selfIps, otherIps := a.translateDestinationAliasesToMachineIPs(grant.Destination, dest) if len(selfIps) != 0 { - for _, alias := range grant.Src { + for _, alias := range grant.Source { if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 { return true } } } if len(otherIps) != 0 { - for _, alias := range grant.Src { + for _, alias := range grant.Source { if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 { return true } 
@@ -89,23 +90,23 @@ func (a ACLPolicy) BuildFilterRules(peers []Machine, dst *Machine) []tailcfg.Fil for _, acl := range a.ACLs { self, other := a.prepareFilterRulesFromACL(dst, acl) - rules = matchSourceAndAppendRule(rules, acl.Src, self, &dst.User) - rules = matchSourceAndAppendRule(rules, acl.Src, other, nil) + rules = matchSourceAndAppendRule(rules, acl.Source, self, &dst.User) + rules = matchSourceAndAppendRule(rules, acl.Source, other, nil) } for _, acl := range a.Grants { self, other := a.prepareFilterRulesFromGrant(dst, acl) - rules = matchSourceAndAppendRule(rules, acl.Src, self, &dst.User) - rules = matchSourceAndAppendRule(rules, acl.Src, other, nil) + rules = matchSourceAndAppendRule(rules, acl.Source, self, &dst.User) + rules = matchSourceAndAppendRule(rules, acl.Source, other, nil) } return rules } -func (a ACLPolicy) prepareFilterRulesFromACL(candidate *Machine, acl ACL) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { - proto := parseProtocol(acl.Proto) +func (a ACLPolicy) prepareFilterRulesFromACL(candidate *Machine, acl ionscale.ACLEntry) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { + proto := parseProtocol(acl.Protocol) - selfDstPorts, otherDstPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Dst, candidate) + selfDstPorts, otherDstPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Destination, candidate) var selfFilterRules []tailcfg.FilterRule var otherFilterRules []tailcfg.FilterRule 
@@ -121,8 +122,8 @@ func (a ACLPolicy) prepareFilterRulesFromACL(candidate *Machine, acl ACL) ([]tai return selfFilterRules, otherFilterRules } -func (a ACLPolicy) prepareFilterRulesFromGrant(candidate *Machine, grant Grant) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { - selfIPs, otherIPs := a.translateDestinationAliasesToMachineIPs(grant.Dst, candidate) +func (a ACLPolicy) prepareFilterRulesFromGrant(candidate *Machine, grant ionscale.ACLGrant) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { + selfIPs, otherIPs := a.translateDestinationAliasesToMachineIPs(grant.Destination, candidate) var selfFilterRules []tailcfg.FilterRule var otherFilterRules []tailcfg.FilterRule diff --git a/internal/domain/acl_ssh_policy.go b/internal/domain/acl_ssh_policy.go index bb2ed9f..71b1c78 100644 --- a/internal/domain/acl_ssh_policy.go +++ b/internal/domain/acl_ssh_policy.go @@ -1,6 +1,7 @@ package domain import ( + "github.com/jsiebens/ionscale/pkg/client/ionscale" "strings" "tailscale.com/tailcfg" ) @@ -28,7 +29,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli return result } - for _, rule := range a.SSHRules { + for _, rule := range a.SSH { if rule.Action != "accept" && rule.Action != "check" { continue } @@ -48,7 +49,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli selfUsers, otherUsers := a.expandSSHDstToSSHUsers(dst, rule) if len(selfUsers) != 0 { - principals := expandSrcAliases(rule.Src, rule.Action, &dst.User) + principals := expandSrcAliases(rule.Source, rule.Action, &dst.User) if len(principals) != 0 { rules = append(rules, &tailcfg.SSHRule{ Principals: principals, 
@@ -59,7 +60,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli } if len(otherUsers) != 0 { - principals := expandSrcAliases(rule.Src, rule.Action, nil) + principals := expandSrcAliases(rule.Source, rule.Action, nil) if len(principals) != 0 { rules = append(rules, &tailcfg.SSHRule{ Principals: principals, @@ -113,13 +114,13 @@ func (a ACLPolicy) expandSSHSrcAlias(m *Machine, alias string, dstUser *User) [] return []string{} } -func (a ACLPolicy) expandSSHDstToSSHUsers(m *Machine, rule SSHRule) (map[string]string, map[string]string) { +func (a ACLPolicy) expandSSHDstToSSHUsers(m *Machine, rule ionscale.ACLSSH) (map[string]string, map[string]string) { users := buildSSHUsers(rule.Users) var selfUsers map[string]string var otherUsers map[string]string - for _, d := range rule.Dst { + for _, d := range rule.Destination { if strings.HasPrefix(d, "tag:") && m.HasTag(d) { otherUsers = users } diff --git a/internal/domain/acl_ssh_policy_test.go b/internal/domain/acl_ssh_policy_test.go index b37ce77..b93176b 100644 --- a/internal/domain/acl_ssh_policy_test.go +++ b/internal/domain/acl_ssh_policy_test.go @@ -3,6 +3,7 @@ package domain import ( "encoding/json" "fmt" + "github.com/jsiebens/ionscale/pkg/client/ionscale" "github.com/stretchr/testify/assert" "tailscale.com/tailcfg" "testing" @@ -13,12 +14,14 @@ func TestACLPolicy_BuildSSHPolicy_(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"autogroup:members"}, - Dst: []string{"autogroup:self"}, - Users: []string{"autogroup:nonroot"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"autogroup:members"}, + Destination: []string{"autogroup:self"}, + Users: []string{"autogroup:nonroot"}, + }, }, }, } 
@@ -52,17 +55,19 @@ func TestACLPolicy_BuildSSHPolicy_WithGroup(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - Groups: map[string][]string{ - "group:sre": { - "john@example.com", + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:sre": { + "john@example.com", + }, }, - }, - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"group:sre"}, - Dst: []string{"tag:web"}, - Users: []string{"autogroup:nonroot", "root"}, + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"group:sre"}, + Destination: []string{"tag:web"}, + Users: []string{"autogroup:nonroot", "root"}, + }, }, }, } @@ -96,12 +101,14 @@ func TestACLPolicy_BuildSSHPolicy_WithMatchingUsers(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"john@example.com"}, - Dst: []string{"john@example.com"}, - Users: []string{"autogroup:nonroot", "root"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"john@example.com"}, + Destination: []string{"john@example.com"}, + Users: []string{"autogroup:nonroot", "root"}, + }, }, }, } @@ -132,15 +139,17 @@ func TestACLPolicy_BuildSSHPolicy_WithMatchingUsersInGroup(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - Groups: map[string][]string{ - "group:sre": {"jane@example.com", "john@example.com"}, - }, - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"group:sre"}, - Dst: []string{"john@example.com"}, - Users: []string{"autogroup:nonroot", "root"}, + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:sre": {"jane@example.com", "john@example.com"}, + }, + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"group:sre"}, + Destination: []string{"john@example.com"}, + Users: []string{"autogroup:nonroot", "root"}, + }, }, }, } 
@@ -171,12 +180,14 @@ func TestACLPolicy_BuildSSHPolicy_WithNoMatchingUsers(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"jane@example.com"}, - Dst: []string{"john@example.com"}, - Users: []string{"autogroup:nonroot", "root"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"jane@example.com"}, + Destination: []string{"john@example.com"}, + Users: []string{"autogroup:nonroot", "root"}, + }, }, }, } @@ -194,12 +205,14 @@ func TestACLPolicy_BuildSSHPolicy_WithTags(t *testing.T) { p3 := createMachine("nick@example.com", "tag:web") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"john@example.com", "tag:web"}, - Dst: []string{"tag:web"}, - Users: []string{"ubuntu"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"john@example.com", "tag:web"}, + Destination: []string{"tag:web"}, + Users: []string{"ubuntu"}, + }, }, }, } @@ -230,12 +243,14 @@ func TestACLPolicy_BuildSSHPolicy_WithTagsInDstAndAutogroupMemberInSrc(t *testin p3 := createMachine("nick@example.com", "tag:web") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"autogroup:members"}, - Dst: []string{"tag:web"}, - Users: []string{"ubuntu"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"autogroup:members"}, + Destination: []string{"tag:web"}, + Users: []string{"ubuntu"}, + }, }, }, } 
@@ -265,12 +280,14 @@ func TestACLPolicy_BuildSSHPolicy_WithUserInDstAndNonMatchingSrc(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"jane@example.com"}, - Dst: []string{"john@example.com"}, - Users: []string{"autogroup:nonroot"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"jane@example.com"}, + Destination: []string{"john@example.com"}, + Users: []string{"autogroup:nonroot"}, + }, }, }, } @@ -287,12 +304,14 @@ func TestACLPolicy_BuildSSHPolicy_WithUserInDstAndAutogroupMembersSrc(t *testing p2 := createMachine("jane@example.com") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"autogroup:members"}, - Dst: []string{"john@example.com"}, - Users: []string{"autogroup:nonroot"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"autogroup:members"}, + Destination: []string{"john@example.com"}, + Users: []string{"autogroup:nonroot"}, + }, }, }, } @@ -323,12 +342,14 @@ func TestACLPolicy_BuildSSHPolicy_WithAutogroupSelfAndTagSrc(t *testing.T) { p2 := createMachine("jane@example.com", "tag:web") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "accept", - Src: []string{"tag:web"}, - Dst: []string{"autogroup:self"}, - Users: []string{"autogroup:nonroot"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "accept", + Source: []string{"tag:web"}, + Destination: []string{"autogroup:self"}, + Users: []string{"autogroup:nonroot"}, + }, }, }, } 
@@ -345,12 +366,14 @@ func TestACLPolicy_BuildSSHPolicy_WithTagsAndActionCheck(t *testing.T) { p2 := createMachine("jane@example.com", "tag:web") policy := ACLPolicy{ - SSHRules: []SSHRule{ - { - Action: "check", - Src: []string{"tag:web"}, - Dst: []string{"tag:web"}, - Users: []string{"autogroup:nonroot"}, + ionscale.ACLPolicy{ + SSH: []ionscale.ACLSSH{ + { + Action: "check", + Source: []string{"tag:web"}, + Destination: []string{"tag:web"}, + Users: []string{"autogroup:nonroot"}, + }, }, }, } diff --git a/internal/domain/acl_test.go b/internal/domain/acl_test.go index c753b82..ed839af 100644 --- a/internal/domain/acl_test.go +++ b/internal/domain/acl_test.go @@ -3,6 +3,7 @@ package domain import ( "encoding/json" "github.com/jsiebens/ionscale/internal/addr" + "github.com/jsiebens/ionscale/pkg/client/ionscale" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "net/netip" @@ -15,18 +16,20 @@ func TestACLPolicy_NodeAttributesWithWildcards(t *testing.T) { p1 := createMachine("john@example.com") policy := ACLPolicy{ - NodeAttrs: []NodeAttr{ - { - Target: []string{"*"}, - Attr: []string{ - "attr1", - "attr2", + ionscale.ACLPolicy{ + NodeAttrs: []ionscale.ACLNodeAttrGrant{ + { + Target: []string{"*"}, + Attr: []string{ + "attr1", + "attr2", + }, }, - }, - { - Target: []string{"*"}, - Attr: []string{ - "attr3", + { + Target: []string{"*"}, + Attr: []string{ + "attr3", + }, }, }, }, 
@@ -46,21 +49,23 @@ func TestACLPolicy_NodeAttributesWithUserAndGroups(t *testing.T) { p1 := createMachine("john@example.com") policy := ACLPolicy{ - Groups: map[string][]string{ - "group:admins": []string{"john@example.com"}, - }, - NodeAttrs: []NodeAttr{ - { - Target: []string{"john@example.com"}, - Attr: []string{ - "attr1", - "attr2", - }, + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:admins": []string{"john@example.com"}, }, - { - Target: []string{"jane@example.com", "group:analytics", "group:admins"}, - Attr: []string{ - "attr3", + NodeAttrs: []ionscale.ACLNodeAttrGrant{ + { + Target: []string{"john@example.com"}, + Attr: []string{ + "attr1", + "attr2", + }, + }, + { + Target: []string{"jane@example.com", "group:analytics", "group:admins"}, + Attr: []string{ + "attr3", + }, }, }, }, @@ -80,21 +85,23 @@ func TestACLPolicy_NodeAttributesWithUserAndTags(t *testing.T) { p1 := createMachine("john@example.com", "tag:web") policy := ACLPolicy{ - Groups: map[string][]string{ - "group:admins": []string{"john@example.com"}, - }, - NodeAttrs: []NodeAttr{ - { - Target: []string{"john@example.com"}, - Attr: []string{ - "attr1", - "attr2", - }, + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:admins": []string{"john@example.com"}, }, - { - Target: []string{"jane@example.com", "tag:web"}, - Attr: []string{ - "attr3", + NodeAttrs: []ionscale.ACLNodeAttrGrant{ + { + Target: []string{"john@example.com"}, + Attr: []string{ + "attr1", + "attr2", + }, + }, + { + Target: []string{"jane@example.com", "tag:web"}, + Attr: []string{ + "attr3", + }, }, }, }, @@ -111,7 +118,9 @@ func TestACLPolicy_BuildFilterRulesEmptyACL(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - ACLs: []ACL{}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{}, + }, } dst := createMachine("john@example.com") 
@@ -127,11 +136,13 @@ func TestACLPolicy_BuildFilterRulesWildcards(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"*:*"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"*:*"}, + }, }, }, } @@ -162,17 +173,19 @@ func TestACLPolicy_BuildFilterRulesProto(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"*:22"}, - }, - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"*:*"}, - Proto: "igmp", + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"*:22"}, + }, + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"*:*"}, + Protocol: "igmp", + }, }, }, } @@ -217,20 +230,22 @@ func TestACLPolicy_BuildFilterRulesWithGroups(t *testing.T) { p3 := createMachine("joe@example.com") policy := ACLPolicy{ - Groups: map[string][]string{ - "group:admin": []string{"jane@example.com"}, - "group:audit": []string{"nick@example.com"}, - }, - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"group:admin"}, - Dst: []string{"*:22"}, + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:admin": []string{"jane@example.com"}, + "group:audit": []string{"nick@example.com"}, }, - { - Action: "accept", - Src: []string{"group:audit"}, - Dst: []string{"*:8000-8080"}, + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"group:admin"}, + Destination: []string{"*:22"}, + }, + { + Action: "accept", + Source: []string{"group:audit"}, + Destination: []string{"*:8000-8080"}, + }, }, }, } 
@@ -280,11 +295,13 @@ func TestACLPolicy_BuildFilterRulesWithAutoGroupMembers(t *testing.T) { p3 := createMachine("joe@example.com", "tag:web") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"autogroup:members"}, - Dst: []string{"*:22"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"autogroup:members"}, + Destination: []string{"*:22"}, + }, }, }, } @@ -323,11 +340,13 @@ func TestACLPolicy_BuildFilterRulesWithAutoGroupMember(t *testing.T) { p3 := createMachine("joe@example.com", "tag:web") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"autogroup:member"}, - Dst: []string{"*:22"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"autogroup:member"}, + Destination: []string{"*:22"}, + }, }, }, } @@ -367,11 +386,13 @@ func TestACLPolicy_BuildFilterRulesWithAutoGroupTagged(t *testing.T) { p3 := createMachine("joe@example.com", "tag:web") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"autogroup:tagged"}, - Dst: []string{"*:22"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"autogroup:tagged"}, + Destination: []string{"*:22"}, + }, }, }, } @@ -408,11 +429,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelf(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"autogroup:self:*"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"autogroup:self:*"}, + }, }, }, } 
@@ -453,11 +476,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelfAndTags(t *testing.T) { p2 := createMachine("john@example.com", "tag:web") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"autogroup:self:*"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"autogroup:self:*"}, + }, }, }, } @@ -499,11 +524,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelfAndOtherDestinations(t *testing. p3 := createMachine("jane@example.com") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"autogroup:self:22", "john@example.com:80"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"autogroup:self:22", "john@example.com:80"}, + }, }, }, } @@ -560,11 +587,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupInternet(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"nick@example.com"}, - Dst: []string{"autogroup:internet:*"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"nick@example.com"}, + Destination: []string{"autogroup:internet:*"}, + }, }, }, } @@ -601,11 +630,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupInternet(t *testing.T) { func TestWithUser(t *testing.T) { policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"john@example.com:*"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"john@example.com:*"}, + }, }, }, } 
@@ -618,14 +649,16 @@ func TestWithUser(t *testing.T) { func TestWithGroup(t *testing.T) { policy := ACLPolicy{ - Groups: map[string][]string{ - "group:admin": {"john@example.com"}, - }, - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"group:admin:*"}, + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:admin": {"john@example.com"}, + }, + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"group:admin:*"}, + }, }, }, } @@ -637,11 +670,13 @@ func TestWithGroup(t *testing.T) { func TestWithTags(t *testing.T) { policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"tag:web:*"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"tag:web:*"}, + }, }, }, } @@ -657,15 +692,17 @@ func TestWithHosts(t *testing.T) { dst2 := createMachine("john@example.com") policy := ACLPolicy{ - Hosts: map[string]string{ - "dst1": dst1.IPv4.String(), - }, - ACLs: []ACL{ + ionscale.ACLPolicy{ + Hosts: map[string]string{ + "dst1": dst1.IPv4.String(), + }, + ACLs: []ionscale.ACLEntry{ - { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"dst1:*"}, + { + Action: "accept", + Source: []string{"*"}, + Destination: []string{"dst1:*"}, + }, }, }, } @@ -695,12 +732,13 @@ func createMachine(user string, tags ...string) *Machine { func TestACLPolicy_IsTagOwner(t *testing.T) { policy := ACLPolicy{ - Groups: map[string][]string{ - "group:engineers": {"jane@example.com"}, - }, - TagOwners: map[string][]string{ - "tag:web": {"john@example.com", "group:engineers"}, - }} + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:engineers": {"jane@example.com"}, + }, + TagOwners: map[string][]string{ + "tag:web": {"john@example.com", "group:engineers"}, + }}} testCases := []struct { name string 
@@ -780,15 +818,17 @@ func TestACLPolicy_FindAutoApprovedIPs(t *testing.T) { route3 := netip.MustParsePrefix("10.162.0.0/20") policy := ACLPolicy{ - Groups: map[string][]string{ - "group:admins": {"jane@example.com"}, - }, - AutoApprovers: &AutoApprovers{ - Routes: map[string][]string{ - route1.String(): {"group:admins"}, - route2.String(): {"john@example.com", "tag:router"}, + ionscale.ACLPolicy{ + Groups: map[string][]string{ + "group:admins": {"jane@example.com"}, + }, + AutoApprovers: &ionscale.ACLAutoApprovers{ + Routes: map[string][]string{ + route1.String(): {"group:admins"}, + route2.String(): {"john@example.com", "tag:router"}, + }, + ExitNode: []string{"nick@example.com"}, }, - ExitNode: []string{"nick@example.com"}, }, } @@ -872,11 +912,13 @@ func TestACLPolicy_BuildFilterRulesWithAdvertisedRoutes(t *testing.T) { p1 := createMachine("john@example.com", "tag:trusted") policy := ACLPolicy{ - ACLs: []ACL{ - { - Action: "accept", - Src: []string{"tag:trusted"}, - Dst: []string{"fd7a:115c:a1e0:b1a:0:1:a3c:0/120:*"}, + ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ + { + Action: "accept", + Source: []string{"tag:trusted"}, + Destination: []string{"fd7a:115c:a1e0:b1a:0:1:a3c:0/120:*"}, + }, }, }, } @@ -911,11 +953,13 @@ func TestACLPolicy_BuildFilterRulesWildcardGrants(t *testing.T) { p2 := createMachine("jane@example.com") policy := ACLPolicy{ - Grants: []Grant{ - { - Src: []string{"*"}, - Dst: []string{"*"}, - IP: ranges, + ionscale.ACLPolicy{ + Grants: []ionscale.ACLGrant{ + { + Source: []string{"*"}, + Destination: []string{"*"}, + IP: ranges, + }, }, }, } 
@@ -955,12 +999,14 @@ func TestACLPolicy_BuildFilterRulesWithAppGrants(t *testing.T) { marshal, _ := json.Marshal(mycap) policy := ACLPolicy{ - Grants: []Grant{ - { - Src: []string{"*"}, - Dst: []string{"*"}, - App: map[tailcfg.PeerCapability][]tailcfg.RawMessage{ - tailcfg.PeerCapability("localtest.me/cap/test"): {tailcfg.RawMessage(marshal)}, + ionscale.ACLPolicy{ + Grants: []ionscale.ACLGrant{ + { + Source: []string{"*"}, + Destination: []string{"*"}, + App: map[tailcfg.PeerCapability][]tailcfg.RawMessage{ + tailcfg.PeerCapability("localtest.me/cap/test"): {tailcfg.RawMessage(marshal)}, + }, }, }, }, diff --git a/internal/domain/datatypes.go b/internal/domain/datatypes.go new file mode 100644 index 0000000..fedfb96 --- /dev/null +++ b/internal/domain/datatypes.go 
@@ -0,0 +1,87 @@
+package domain
+
+import (
+ "database/sql/driver"
+ "encoding/json"
+ "fmt"
+ "github.com/tailscale/hujson"
+)
+
+func NewHuJSON[T any](t *T) HuJSON[T] {
+ marshal, _ := json.Marshal(t)
+ return HuJSON[T]{
+ v: string(marshal),
+ t: t,
+ }
+}
+
+func ParseHuJson[T any](v string) (*HuJSON[T], error) {
+ ast, err := hujson.Parse([]byte(v))
+ if err != nil {
+ return nil, err
+ }
+
+ ast.Format()
+ formatted := string(ast.Pack())
+ ast.Standardize()
+
+ t := new(T)
+ if err := json.Unmarshal(ast.Pack(), t); err != nil {
+ return nil, err
+ }
+ return &HuJSON[T]{v: formatted, t: t}, nil
+}
+
+type HuJSON[T any] struct {
+ v string
+ t *T
+}
+
+func (h *HuJSON[T]) Get() *T {
+ return h.t
+}
+
+func (h *HuJSON[T]) String() string {
+ return h.v
+}
+
+func (i *HuJSON[T]) Equal(x *HuJSON[T]) bool {
+ if i == nil && x == nil {
+ return true
+ }
+ if (i == nil) != (x == nil) {
+ return false
+ }
+ return i.v == x.v
+}
+
+func (h HuJSON[T]) Value() (driver.Value, error) {
+ if len(h.v) == 0 {
+ return nil, nil
+ }
+ return h.v, nil
+}
+
+func (h *HuJSON[T]) Scan(destination interface{}) error {
+ var v string
+ switch value := destination.(type) {
+ case string:
+ v = value
+ case []byte:
+ v = string(value)
+ default:
+ return fmt.Errorf("unexpected data type %T", destination)
+ }
+
+ next, err := hujson.Standardize([]byte(v))
+ if err != nil {
+ return err
+ }
+ var n = new(T)
+ if err := json.Unmarshal(next, n); err != nil {
+ return err
+ }
+ h.v = v
+ h.t = n
+ return nil
+}
diff --git a/internal/domain/tailnet.go b/internal/domain/tailnet.go
index 80e9e6c..380e538 100644
--- a/internal/domain/tailnet.go
+++ b/internal/domain/tailnet.go
@@ -13,8 +13,8 @@ type Tailnet struct {
 ID uint64 `gorm:"primary_key"`
 Name string
 DNSConfig DNSConfig
- IAMPolicy IAMPolicy
- ACLPolicy ACLPolicy
+ IAMPolicy HuJSON[IAMPolicy]
+ ACLPolicy HuJSON[ACLPolicy]
 DERPMap DERPMap
 ServiceCollectionEnabled bool
 FileSharingEnabled bool
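Review bot: `NewHuJSON` discards the `json.Marshal` error, so a value that cannot be encoded is stored with an empty `v` that `Value()` then writes as NULL while `t` still points at the struct; returning the error (or panicking, since this is a programmer-error path) would be safer, and using `json.MarshalIndent` or `hujson.Format` there would keep constructor-built policies readable, because `json.Marshal` emits one compact line whereas `ParseHuJson` stores the formatted text. `Scan` has the mirror-image gap: `Value()` maps an empty policy to NULL, but a NULL coming back lands in the `default` branch and fails with "unexpected data type"; adding `case nil: return nil` (leaving the zero value) makes the round trip symmetric. `ParseHuJson` and `Scan` both decode with `json.Unmarshal`, which silently drops unknown keys, so a misspelled `tagOwners` or `autoApprovers` section is accepted and simply has no effect; decoding through `json.NewDecoder` with `DisallowUnknownFields()` would surface that as `CodeInvalidArgument` at the callers, though if policies legitimately carry sections ionscale does not model, a doc comment stating that unknown keys are ignored is the minimum. Minor: the receiver is `h` everywhere except `Equal` (`i`), and the constructor pair is spelled `NewHuJSON`/`ParseHuJson`; exported generic types and functions here also lack doc comments.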
diff --git a/internal/handlers/authentication.go b/internal/handlers/authentication.go index ce1ac2d..2ce7587 100644 --- a/internal/handlers/authentication.go +++ b/internal/handlers/authentication.go @@ -447,7 +447,7 @@ func (h *AuthenticationHandlers) endMachineRegistrationFlow(c echo.Context, form ephemeral = false } - if err := tailnet.ACLPolicy.CheckTagOwners(registrationRequest.Data.Hostinfo.RequestTags, user); err != nil { + if err := tailnet.ACLPolicy.Get().CheckTagOwners(registrationRequest.Data.Hostinfo.RequestTags, user); err != nil { registrationRequest.Authenticated = false registrationRequest.Error = err.Error() if err := h.repository.SaveRegistrationRequest(ctx, registrationRequest); err != nil { @@ -456,7 +456,7 @@ func (h *AuthenticationHandlers) endMachineRegistrationFlow(c echo.Context, form return c.Redirect(http.StatusFound, "/a/error?e=nto") } - autoAllowIPs := tailnet.ACLPolicy.FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, user) + autoAllowIPs := tailnet.ACLPolicy.Get().FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, user) var m *domain.Machine @@ -573,7 +573,7 @@ func (h *AuthenticationHandlers) listAvailableTailnets(ctx context.Context, u *a return nil, err } for _, t := range tailnets { - approved, err := t.IAMPolicy.EvaluatePolicy(&domain.Identity{UserID: u.ID, Email: u.Name, Attr: u.Attr}) + approved, err := t.IAMPolicy.Get().EvaluatePolicy(&domain.Identity{UserID: u.ID, Email: u.Name, Attr: u.Attr}) if err != nil { return nil, err } diff --git a/internal/handlers/registration.go b/internal/handlers/registration.go index 7169486..edfcf9a 100644 --- a/internal/handlers/registration.go +++ b/internal/handlers/registration.go 
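Review bot: `tailnet.ACLPolicy.Get()` returns the wrapped pointer directly, and the zero `HuJSON` (a `Tailnet` that was neither scanned from the store nor built through `NewHuJSON`/`ParseHuJson`) carries a nil `*ACLPolicy`, so `.Get().CheckTagOwners(...)` here and `.Get().FindAutoApprovedIPs(...)` in the next hunk will dereference nil unless those methods tolerate a nil receiver; the same call shape appears in registration.go, mapping.go, poll_net_mapper.go, auth_keys.go, interceptors.go and users.go. Either make `Get` return a pointer to an empty `T` when `h.t == nil`, or document on `HuJSON` that only the constructors and `Scan` produce a usable value. If the domain methods already guard against a nil receiver, a short comment on `Get` saying so would save the next reader this check. endMachineRegistrationFlow continues outside the hunk.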
@@ -160,7 +160,7 @@ func (h *RegistrationHandlers) authenticateMachineWithAuthKey(c echo.Context, ma tailnet := authKey.Tailnet user := authKey.User - if err := tailnet.ACLPolicy.CheckTagOwners(req.Hostinfo.RequestTags, &user); err != nil { + if err := tailnet.ACLPolicy.Get().CheckTagOwners(req.Hostinfo.RequestTags, &user); err != nil { response := tailcfg.RegisterResponse{MachineAuthorized: false, Error: err.Error()} return c.JSON(http.StatusOK, response) } @@ -169,7 +169,7 @@ func (h *RegistrationHandlers) authenticateMachineWithAuthKey(c echo.Context, ma advertisedTags := domain.SanitizeTags(req.Hostinfo.RequestTags) tags := append(registeredTags, advertisedTags...) - autoAllowIPs := tailnet.ACLPolicy.FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, &user) + autoAllowIPs := tailnet.ACLPolicy.Get().FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, &user) var m *domain.Machine diff --git a/internal/mapping/mapping.go b/internal/mapping/mapping.go index a980874..ab46aa6 100644 --- a/internal/mapping/mapping.go +++ b/internal/mapping/mapping.go @@ -85,7 +85,7 @@ func ToDNSConfig(m *domain.Machine, tailnet *domain.Tailnet, c *domain.DNSConfig } func ToNode(capVer tailcfg.CapabilityVersion, m *domain.Machine, tailnet *domain.Tailnet, taggedDevicesUser *domain.User, peer bool, connected bool, routeFilter func(m *domain.Machine) []netip.Prefix) (*tailcfg.Node, *tailcfg.UserProfile, error) { - role := tailnet.IAMPolicy.GetRole(m.User) + role := tailnet.IAMPolicy.Get().GetRole(m.User) nKey, err := util.ParseNodePublicKey(m.NodeKey) if err != nil { @@ -179,7 +179,7 @@ func ToNode(capVer tailcfg.CapabilityVersion, m *domain.Machine, tailnet *domain var capabilities []tailcfg.NodeCapability capMap := make(tailcfg.NodeCapMap) - for _, c := range tailnet.ACLPolicy.NodeCapabilities(m) { + for _, c := range tailnet.ACLPolicy.Get().NodeCapabilities(m) { capabilities = append(capabilities, c) capMap[c] = []tailcfg.RawMessage{} } 
diff --git a/internal/mapping/poll_net_mapper.go b/internal/mapping/poll_net_mapper.go index 268ebcd..6c895a3 100644 --- a/internal/mapping/poll_net_mapper.go +++ b/internal/mapping/poll_net_mapper.go @@ -53,7 +53,7 @@ func (h *PollNetMapper) CreateMapResponse(ctx context.Context, delta bool) (*Map hostinfo := tailcfg.Hostinfo(m.HostInfo) tailnet := m.Tailnet - policies := tailnet.ACLPolicy + policies := tailnet.ACLPolicy.Get() dnsConfig := tailnet.DNSConfig serviceUser, _, err := h.repository.GetOrCreateServiceUser(ctx, &tailnet) diff --git a/internal/service/acl.go b/internal/service/acl.go index f1e49c9..7d77e16 100644 --- a/internal/service/acl.go +++ b/internal/service/acl.go @@ -5,7 +5,6 @@ import ( "fmt" "github.com/bufbuild/connect-go" "github.com/jsiebens/ionscale/internal/domain" - "github.com/jsiebens/ionscale/internal/mapping" api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" ) @@ -23,12 +22,7 @@ func (s *Service) GetACLPolicy(ctx context.Context, req *connect.Request[api.Get return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) } - var policy api.ACLPolicy - if err := mapping.CopyViaJson(&tailnet.ACLPolicy, &policy); err != nil { - return nil, logError(err) - } - - return connect.NewResponse(&api.GetACLPolicyResponse{Policy: &policy}), nil + return connect.NewResponse(&api.GetACLPolicyResponse{Policy: tailnet.ACLPolicy.String()}), nil } func (s *Service) SetACLPolicy(ctx context.Context, req *connect.Request[api.SetACLPolicyRequest]) (*connect.Response[api.SetACLPolicyResponse], error) { 
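Review bot: `GetACLPolicy` now returns `tailnet.ACLPolicy.String()` in a field that, per the regenerated acl.pb.go further down, keeps protobuf tag `bytes,1` while changing from the `ACLPolicy` message to `string`; an older client that still expects the message form will try to decode the policy text as a message, which can only fail or yield garbage, so this looks like a wire-incompatible change that deserves either a new field number or an explicit note in the API changelog. The same applies to `SetACLPolicyRequest.policy` (`bytes,2`) and presumably to the IAM counterparts, whose generated file is not on this page. The string also carries any HuJSON comments verbatim, which is the intent here but worth a line in the RPC's doc comment so API consumers do not assume strict JSON.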
@@ -45,17 +39,18 @@ func (s *Service) SetACLPolicy(ctx context.Context, req *connect.Request[api.Set return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) } - oldPolicy := tailnet.ACLPolicy - var newPolicy domain.ACLPolicy - if err := mapping.CopyViaJson(req.Msg.Policy, &newPolicy); err != nil { - return nil, logError(err) + newPolicy, err := domain.ParseHuJson[domain.ACLPolicy](req.Msg.Policy) + if err != nil { + return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid acl policy: %w", err)) } - if oldPolicy.Equal(&newPolicy) { + oldPolicy := tailnet.ACLPolicy + if oldPolicy.Equal(newPolicy) { return connect.NewResponse(&api.SetACLPolicyResponse{}), nil } - tailnet.ACLPolicy = newPolicy + tailnet.ACLPolicy = *newPolicy + if err := s.repository.SaveTailnet(ctx, tailnet); err != nil { return nil, logError(err) } diff --git a/internal/service/auth_keys.go b/internal/service/auth_keys.go index c977593..c3f23c3 100644 --- a/internal/service/auth_keys.go +++ b/internal/service/auth_keys.go @@ -135,7 +135,7 @@ func (s *Service) CreateAuthKey(ctx context.Context, req *connect.Request[api.Cr } if !principal.IsSystemAdmin() { - if err := tailnet.ACLPolicy.CheckTagOwners(req.Msg.Tags, principal.User); err != nil { + if err := tailnet.ACLPolicy.Get().CheckTagOwners(req.Msg.Tags, principal.User); err != nil { return nil, connect.NewError(connect.CodeInvalidArgument, err) } } diff --git a/internal/service/iam.go b/internal/service/iam.go index 8f74235..0424522 100644 --- a/internal/service/iam.go +++ b/internal/service/iam.go 
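Review bot: `SetACLPolicy` persists the policy after `ParseHuJson` alone, i.e. a syntax check plus `json.Unmarshal`, while the IAM counterpart in service/iam.go runs `validateIamPolicy` on the decoded value before saving; `CreateTailnet` and `UpdateTailnet` in service/tailnet.go follow the same split. Since the ACL document is what later drives `CheckTagOwners`, `FindAutoApprovedIPs` and the filter rules, a `validateAclPolicy(newPolicy.Get())` step that at least rejects empty or unknown `Action` values and references to undefined `group:` names would keep a typo from being stored as live policy. This was also true of the previous `CopyViaJson` path, so it is a pre-existing gap rather than a regression of this commit.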
@@ -22,14 +22,7 @@ func (s *Service) GetIAMPolicy(ctx context.Context, req *connect.Request[api.Get return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) } - policy := &api.IAMPolicy{ - Subs: tailnet.IAMPolicy.Subs, - Emails: tailnet.IAMPolicy.Emails, - Filters: tailnet.IAMPolicy.Filters, - Roles: domainRolesMapToApiRolesMap(tailnet.IAMPolicy.Roles), - } - - return connect.NewResponse(&api.GetIAMPolicyResponse{Policy: policy}), nil + return connect.NewResponse(&api.GetIAMPolicyResponse{Policy: tailnet.IAMPolicy.String()}), nil } func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.SetIAMPolicyRequest]) (*connect.Response[api.SetIAMPolicyResponse], error) { @@ -46,23 +39,21 @@ func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.Set return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) } - if err := validateIamPolicy(req.Msg.Policy); err != nil { + newPolicy, err := domain.ParseHuJson[domain.IAMPolicy](req.Msg.Policy) + if err != nil { + return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) + } + + if err := validateIamPolicy(newPolicy.Get()); err != nil { return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) } oldPolicy := tailnet.IAMPolicy - newPolicy := domain.IAMPolicy{ - Subs: req.Msg.Policy.Subs, - Emails: req.Msg.Policy.Emails, - Filters: req.Msg.Policy.Filters, - Roles: apiRolesMapToDomainRolesMap(req.Msg.Policy.Roles), - } - - if oldPolicy.Equal(&newPolicy) { + if oldPolicy.Equal(newPolicy) { return connect.NewResponse(&api.SetIAMPolicyResponse{}), nil } - tailnet.IAMPolicy = newPolicy + tailnet.IAMPolicy = *newPolicy if err := s.repository.SaveTailnet(ctx, tailnet); err != nil { return nil, logError(err) 
@@ -70,19 +61,3 @@ func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.Set return connect.NewResponse(&api.SetIAMPolicyResponse{}), nil } - -func apiRolesMapToDomainRolesMap(values map[string]string) map[string]domain.UserRole { - var result = map[string]domain.UserRole{} - for k, v := range values { - result[k] = domain.UserRole(v) - } - return result -} - -func domainRolesMapToApiRolesMap(values map[string]domain.UserRole) map[string]string { - var result = map[string]string{} - for k, v := range values { - result[k] = string(v) - } - return result -} diff --git a/internal/service/interceptors.go b/internal/service/interceptors.go index 6e76d59..e85802b 100644 --- a/internal/service/interceptors.go +++ b/internal/service/interceptors.go @@ -64,7 +64,7 @@ func exchangeToken(ctx context.Context, systemAdminKey *key.ServerPrivate, repos if err == nil && apiKey != nil { user := apiKey.User tailnet := apiKey.Tailnet - role := tailnet.IAMPolicy.GetRole(user) + role := tailnet.IAMPolicy.Get().GetRole(user) return &domain.Principal{User: &apiKey.User, SystemRole: domain.SystemRoleNone, UserRole: role} } diff --git a/internal/service/service.go b/internal/service/service.go index 17d0909..76eb27f 100644 --- a/internal/service/service.go +++ b/internal/service/service.go @@ -41,7 +41,7 @@ func (s *Service) GetVersion(_ context.Context, _ *connect.Request[api.GetVersio }), nil } -func validateIamPolicy(p *api.IAMPolicy) error { +func validateIamPolicy(p *domain.IAMPolicy) error { var mErr *multierror.Error for i, exp := range p.Filters { if _, err := grammar.Parse(fmt.Sprintf("filter %d", i), []byte(exp)); err != nil { diff --git a/internal/service/tailnet.go b/internal/service/tailnet.go index 4573ebc..d9f2941 100644 --- a/internal/service/tailnet.go +++ b/internal/service/tailnet.go 
@@ -6,7 +6,6 @@ import ( "fmt" "github.com/bufbuild/connect-go" "github.com/jsiebens/ionscale/internal/domain" - "github.com/jsiebens/ionscale/internal/mapping" "github.com/jsiebens/ionscale/internal/util" "github.com/jsiebens/ionscale/pkg/defaults" api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" @@ -17,8 +16,8 @@ func domainTailnetToApiTailnet(tailnet *domain.Tailnet) (*api.Tailnet, error) { t := &api.Tailnet{ Id: tailnet.ID, Name: tailnet.Name, - IamPolicy: new(api.IAMPolicy), - AclPolicy: new(api.ACLPolicy), + IamPolicy: tailnet.IAMPolicy.String(), + AclPolicy: tailnet.ACLPolicy.String(), DnsConfig: domainDNSConfigToApiDNSConfig(tailnet), ServiceCollectionEnabled: tailnet.ServiceCollectionEnabled, FileSharingEnabled: tailnet.FileSharingEnabled, @@ -26,14 +25,6 @@ func domainTailnetToApiTailnet(tailnet *domain.Tailnet) (*api.Tailnet, error) { MachineAuthorizationEnabled: tailnet.MachineAuthorizationEnabled, } - if err := mapping.CopyViaJson(tailnet.IAMPolicy, t.IamPolicy); err != nil { - return nil, err - } - - if err := mapping.CopyViaJson(tailnet.ACLPolicy, t.AclPolicy); err != nil { - return nil, err - } - return t, nil } 
@@ -51,12 +42,26 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("tailnet with name '%s' already exists", req.Msg.Name)) } - if req.Msg.IamPolicy == nil { - req.Msg.IamPolicy = defaults.DefaultIAMPolicy() + iamPolicy := domain.NewHuJSON(&domain.IAMPolicy{}) + aclPolicy := domain.NewHuJSON(&domain.ACLPolicy{ACLPolicy: *defaults.DefaultACLPolicy()}) + + if req.Msg.IamPolicy != "" { + newPolicy, err := domain.ParseHuJson[domain.IAMPolicy](req.Msg.IamPolicy) + if err != nil { + return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) + } + if err := validateIamPolicy(newPolicy.Get()); err != nil { + return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) + } + iamPolicy = *newPolicy } - if req.Msg.AclPolicy == nil { - req.Msg.AclPolicy = defaults.DefaultACLPolicy() + if req.Msg.AclPolicy != "" { + newPolicy, err := domain.ParseHuJson[domain.ACLPolicy](req.Msg.AclPolicy) + if err != nil { + return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid acl policy: %w", err)) + } + aclPolicy = *newPolicy } if req.Msg.DnsConfig == nil { @@ -66,8 +71,8 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr tailnet := &domain.Tailnet{ ID: util.NextID(), Name: req.Msg.Name, - IAMPolicy: domain.IAMPolicy{}, - ACLPolicy: domain.ACLPolicy{}, + IAMPolicy: iamPolicy, + ACLPolicy: aclPolicy, DNSConfig: apiDNSConfigToDomainDNSConfig(req.Msg.DnsConfig), ServiceCollectionEnabled: req.Msg.ServiceCollectionEnabled, FileSharingEnabled: req.Msg.FileSharingEnabled, 
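Review bot: The IAM default is built inline as `domain.NewHuJSON(&domain.IAMPolicy{})` while the ACL default goes through `defaults.DefaultACLPolicy()`, which leaves `defaults.DefaultIAMPolicy()` (rewritten in this same commit) without a caller on this page. If `domain.IAMPolicy` embeds the client type the way `domain.ACLPolicy` visibly does, `domain.NewHuJSON(&domain.IAMPolicy{IAMPolicy: *defaults.DefaultIAMPolicy()})` keeps the defaults package the single source of truth; confirm the embedded field name before applying. The same parse-then-validate shape is duplicated for IAM in `UpdateTailnet` and `SetIAMPolicy`; a small helper returning `(domain.HuJSON[domain.IAMPolicy], error)` would remove the triplicated error wrapping.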
@@ -75,18 +80,6 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr MachineAuthorizationEnabled: req.Msg.MachineAuthorizationEnabled, } - if err := validateIamPolicy(req.Msg.IamPolicy); err != nil { - return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) - } - - if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil { - return nil, logError(err) - } - - if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil { - return nil, logError(err) - } - if err := s.repository.SaveTailnet(ctx, tailnet); err != nil { return nil, logError(err) } 
@@ -116,22 +109,23 @@ func (s *Service) UpdateTailnet(ctx context.Context, req *connect.Request[api.Up return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet not found")) } - if req.Msg.IamPolicy != nil { - if err := validateIamPolicy(req.Msg.IamPolicy); err != nil { + if req.Msg.IamPolicy != "" { + newPolicy, err := domain.ParseHuJson[domain.IAMPolicy](req.Msg.IamPolicy) + if err != nil { return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) } - - tailnet.IAMPolicy = domain.IAMPolicy{} - if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil { - return nil, logError(err) + if err := validateIamPolicy(newPolicy.Get()); err != nil { + return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) } + tailnet.IAMPolicy = *newPolicy } - if req.Msg.AclPolicy != nil { - tailnet.ACLPolicy = domain.ACLPolicy{} - if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil { - return nil, logError(err) + if req.Msg.AclPolicy != "" { + newPolicy, err := domain.ParseHuJson[domain.ACLPolicy](req.Msg.AclPolicy) + if err != nil { + return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid acl policy: %w", err)) } + tailnet.ACLPolicy = *newPolicy } if req.Msg.DnsConfig != nil { diff --git a/internal/service/users.go b/internal/service/users.go index 08f5d9a..8061c11 100644 --- a/internal/service/users.go +++ b/internal/service/users.go @@ -34,7 +34,7 @@ func (s *Service) ListUsers(ctx context.Context, req *connect.Request[api.ListUs resp.Users = append(resp.Users, &api.User{ Id: u.ID, Name: u.Name, - Role: string(tailnet.IAMPolicy.GetRole(u)), + Role: string(tailnet.IAMPolicy.Get().GetRole(u)), }) } diff --git a/pkg/client/ionscale/types.go b/pkg/client/ionscale/types.go new file mode 100644 index 0000000..128362c --- /dev/null +++ b/pkg/client/ionscale/types.go 
@@ -0,0 +1,66 @@ +package ionscale + +import ( + "encoding/json" + "tailscale.com/tailcfg" +) + +type IAMPolicy struct { + Subs []string `json:"subs,omitempty" hujson:"Subs,omitempty"` + Emails []string `json:"emails,omitempty" hujson:"Emails,omitempty"` + Filters []string `json:"filters,omitempty" hujson:"Filters,omitempty"` + Roles map[string]string `json:"roles,omitempty" hujson:"Roles,omitempty"` +} + +func (a IAMPolicy) Marshal() string { + indent, _ := json.MarshalIndent(&a, "", " ") + return string(indent) +} + +type ACLPolicy struct { + Groups map[string][]string `json:"groups,omitempty" hujson:"Groups,omitempty"` + Hosts map[string]string `json:"hosts,omitempty" hujson:"Hosts,omitempty"` + ACLs []ACLEntry `json:"acls,omitempty" hujson:"ACLs,omitempty"` + TagOwners map[string][]string `json:"tagOwners,omitempty" hujson:"TagOwners,omitempty"` + AutoApprovers *ACLAutoApprovers `json:"autoApprovers,omitempty" hujson:"AutoApprovers,omitempty"` + SSH []ACLSSH `json:"ssh,omitempty" hujson:"SSH,omitempty"` + NodeAttrs []ACLNodeAttrGrant `json:"nodeAttrs,omitempty" hujson:"NodeAttrs,omitempty"` + Grants []ACLGrant `json:"grants,omitempty" hujson:"Grants,omitempty"` +} + +func (a ACLPolicy) Marshal() string { + indent, _ := json.MarshalIndent(&a, "", " ") + return string(indent) +} + +type ACLAutoApprovers struct { + Routes map[string][]string `json:"routes,omitempty" hujson:"Routes,omitempty"` + ExitNode []string `json:"exitNode,omitempty" hujson:"ExitNode,omitempty"` +} + +type ACLEntry struct { + Action string `json:"action,omitempty" hujson:"Action,omitempty"` + Protocol string `json:"proto,omitempty" hujson:"Proto,omitempty"` + Source []string `json:"src,omitempty" hujson:"Src,omitempty"` + Destination []string `json:"dst,omitempty" hujson:"Dst,omitempty"` +} + +type ACLSSH struct { + Action string `json:"action,omitempty" hujson:"Action,omitempty"` + Users []string `json:"users,omitempty" hujson:"Users,omitempty"` + Source []string `json:"src,omitempty" 
hujson:"Src,omitempty"` + Destination []string `json:"dst,omitempty" hujson:"Dst,omitempty"` + CheckPeriod string `json:"checkPeriod,omitempty" hujson:"CheckPeriod,omitempty"` +} + +type ACLNodeAttrGrant struct { + Target []string `json:"target,omitempty" hujson:"Target,omitempty"` + Attr []string `json:"attr,omitempty" hujson:"Attr,omitempty"` +} + +type ACLGrant struct { + Source []string `json:"src,omitempty" hujson:"Src,omitempty"` + Destination []string `json:"dst,omitempty" hujson:"Dst,omitempty"` + IP []tailcfg.ProtoPortRange `json:"ip,omitempty" hujson:"Ip,omitempty"` + App tailcfg.PeerCapMap `json:"app,omitempty" hujson:"App,omitempty"` +} diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go index 8cb2243..8bbcb90 100644 --- a/pkg/defaults/defaults.go +++ b/pkg/defaults/defaults.go 
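Review bot: `IAMPolicy.Marshal` and `ACLPolicy.Marshal` discard the `json.MarshalIndent` error and return "" on failure; with `ACLGrant.App` holding `tailcfg.RawMessage` values, a malformed raw message can make the encoder fail, and a caller would then send or print an empty policy instead of seeing the problem. Return `(string, error)`, or, if the string-only signature matters, state in a doc comment that the result is empty on encode failure. The `hujson:"…"` tags on every field have no reader on this page (hujson only standardizes the text before `encoding/json` decodes it in datatypes.go), so unless another package consumes them they are dead weight that will drift from the `json` tags; confirm before keeping them. Each exported type also lacks a doc comment; since this is a client-facing package, one-liners such as `// ACLPolicy is the HuJSON policy document accepted by SetACLPolicy.` would help.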
@@ -1,31 +1,34 @@ package defaults -import ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" +import ( + "github.com/jsiebens/ionscale/pkg/client/ionscale" + ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" +) -func DefaultACLPolicy() *ionscalev1.ACLPolicy { - return &ionscalev1.ACLPolicy{ - Acls: []*ionscalev1.ACL{ +func DefaultIAMPolicy() *ionscale.IAMPolicy { + return &ionscale.IAMPolicy{} +} + +func DefaultACLPolicy() *ionscale.ACLPolicy { + return &ionscale.ACLPolicy{ + ACLs: []ionscale.ACLEntry{ { - Action: "accept", - Src: []string{"*"}, - Dst: []string{"*:*"}, + Action: "accept", + Source: []string{"*"}, + Destination: []string{"*:*"}, }, }, - Ssh: []*ionscalev1.SSHRule{ + SSH: []ionscale.ACLSSH{ { - Action: "check", - Src: []string{"autogroup:member"}, - Dst: []string{"autogroup:self"}, - Users: []string{"autogroup:nonroot", "root"}, + Action: "check", + Source: []string{"autogroup:member"}, + Destination: []string{"autogroup:self"}, + Users: []string{"autogroup:nonroot", "root"}, }, }, } } -func DefaultIAMPolicy() *ionscalev1.IAMPolicy { - return &ionscalev1.IAMPolicy{} -} - func DefaultDNSConfig() *ionscalev1.DNSConfig { return &ionscalev1.DNSConfig{ MagicDns: true, diff --git a/pkg/gen/ionscale/v1/acl.pb.go b/pkg/gen/ionscale/v1/acl.pb.go index 0e05ec0..03505cc 100644 --- a/pkg/gen/ionscale/v1/acl.pb.go +++ b/pkg/gen/ionscale/v1/acl.pb.go @@ -9,7 +9,6 @@ package ionscalev1 import ( protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" - structpb "google.golang.org/protobuf/types/known/structpb" reflect "reflect" sync "sync" ) @@ -73,7 +72,7 @@ type GetACLPolicyResponse struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Policy *ACLPolicy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` + Policy string `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` } func (x *GetACLPolicyResponse) Reset() { 
@@ -108,11 +107,11 @@ func (*GetACLPolicyResponse) Descriptor() ([]byte, []int) { return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{1} } -func (x *GetACLPolicyResponse) GetPolicy() *ACLPolicy { +func (x *GetACLPolicyResponse) GetPolicy() string { if x != nil { return x.Policy } - return nil + return "" } type SetACLPolicyRequest struct { @@ -120,8 +119,8 @@ type SetACLPolicyRequest struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` - Policy *ACLPolicy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` + TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` + Policy string `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` } func (x *SetACLPolicyRequest) Reset() { @@ -163,11 +162,11 @@ func (x *SetACLPolicyRequest) GetTailnetId() uint64 { return 0 } -func (x *SetACLPolicyRequest) GetPolicy() *ACLPolicy { +func (x *SetACLPolicyRequest) GetPolicy() string { if x != nil { return x.Policy } - return nil + return "" } type SetACLPolicyResponse struct { 
@@ -208,553 +207,29 @@ func (*SetACLPolicyResponse) Descriptor() ([]byte, []int) { return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{3} } -type ACLPolicy struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Hosts map[string]string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - Groups map[string]*structpb.ListValue `protobuf:"bytes,2,rep,name=groups,proto3" json:"groups,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - Acls []*ACL `protobuf:"bytes,3,rep,name=acls,proto3" json:"acls,omitempty"` - Tagowners map[string]*structpb.ListValue `protobuf:"bytes,4,rep,name=tagowners,proto3" json:"tagowners,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - Autoapprovers *AutoApprovers `protobuf:"bytes,5,opt,name=autoapprovers,proto3,oneof" json:"autoapprovers,omitempty"` - Ssh []*SSHRule `protobuf:"bytes,6,rep,name=ssh,proto3" json:"ssh,omitempty"` - Nodeattrs []*NodeAttr `protobuf:"bytes,7,rep,name=nodeattrs,proto3" json:"nodeattrs,omitempty"` - Grants []*ACLGrant `protobuf:"bytes,8,rep,name=grants,proto3" json:"grants,omitempty"` -} - -func (x *ACLPolicy) Reset() { - *x = ACLPolicy{} - if protoimpl.UnsafeEnabled { - mi := &file_ionscale_v1_acl_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ACLPolicy) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ACLPolicy) ProtoMessage() {} - -func (x *ACLPolicy) ProtoReflect() protoreflect.Message { - mi := &file_ionscale_v1_acl_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: 
Use ACLPolicy.ProtoReflect.Descriptor instead. -func (*ACLPolicy) Descriptor() ([]byte, []int) { - return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{4} -} - -func (x *ACLPolicy) GetHosts() map[string]string { - if x != nil { - return x.Hosts - } - return nil -} - -func (x *ACLPolicy) GetGroups() map[string]*structpb.ListValue { - if x != nil { - return x.Groups - } - return nil -} - -func (x *ACLPolicy) GetAcls() []*ACL { - if x != nil { - return x.Acls - } - return nil -} - -func (x *ACLPolicy) GetTagowners() map[string]*structpb.ListValue { - if x != nil { - return x.Tagowners - } - return nil -} - -func (x *ACLPolicy) GetAutoapprovers() *AutoApprovers { - if x != nil { - return x.Autoapprovers - } - return nil -} - -func (x *ACLPolicy) GetSsh() []*SSHRule { - if x != nil { - return x.Ssh - } - return nil -} - -func (x *ACLPolicy) GetNodeattrs() []*NodeAttr { - if x != nil { - return x.Nodeattrs - } - return nil -} - -func (x *ACLPolicy) GetGrants() []*ACLGrant { - if x != nil { - return x.Grants - } - return nil -} - -type ACL struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Action string `protobuf:"bytes,1,opt,name=action,proto3" json:"action,omitempty"` - Src []string `protobuf:"bytes,2,rep,name=src,proto3" json:"src,omitempty"` - Dst []string `protobuf:"bytes,3,rep,name=dst,proto3" json:"dst,omitempty"` - Proto string `protobuf:"bytes,4,opt,name=proto,proto3" json:"proto,omitempty"` -} - -func (x *ACL) Reset() { - *x = ACL{} - if protoimpl.UnsafeEnabled { - mi := &file_ionscale_v1_acl_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ACL) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ACL) ProtoMessage() {} - -func (x *ACL) ProtoReflect() protoreflect.Message { - mi := &file_ionscale_v1_acl_proto_msgTypes[5] - if protoimpl.UnsafeEnabled && x != nil { - ms := 
protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ACL.ProtoReflect.Descriptor instead. -func (*ACL) Descriptor() ([]byte, []int) { - return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{5} -} - -func (x *ACL) GetAction() string { - if x != nil { - return x.Action - } - return "" -} - -func (x *ACL) GetSrc() []string { - if x != nil { - return x.Src - } - return nil -} - -func (x *ACL) GetDst() []string { - if x != nil { - return x.Dst - } - return nil -} - -func (x *ACL) GetProto() string { - if x != nil { - return x.Proto - } - return "" -} - -type AutoApprovers struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Routes map[string]*structpb.ListValue `protobuf:"bytes,1,rep,name=routes,proto3" json:"routes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - Exitnode []string `protobuf:"bytes,2,rep,name=exitnode,proto3" json:"exitnode,omitempty"` -} - -func (x *AutoApprovers) Reset() { - *x = AutoApprovers{} - if protoimpl.UnsafeEnabled { - mi := &file_ionscale_v1_acl_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *AutoApprovers) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*AutoApprovers) ProtoMessage() {} - -func (x *AutoApprovers) ProtoReflect() protoreflect.Message { - mi := &file_ionscale_v1_acl_proto_msgTypes[6] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use AutoApprovers.ProtoReflect.Descriptor instead. 
-func (*AutoApprovers) Descriptor() ([]byte, []int) { - return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{6} -} - -func (x *AutoApprovers) GetRoutes() map[string]*structpb.ListValue { - if x != nil { - return x.Routes - } - return nil -} - -func (x *AutoApprovers) GetExitnode() []string { - if x != nil { - return x.Exitnode - } - return nil -} - -type SSHRule struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Action string `protobuf:"bytes,1,opt,name=action,proto3" json:"action,omitempty"` - Src []string `protobuf:"bytes,2,rep,name=src,proto3" json:"src,omitempty"` - Dst []string `protobuf:"bytes,3,rep,name=dst,proto3" json:"dst,omitempty"` - Users []string `protobuf:"bytes,4,rep,name=users,proto3" json:"users,omitempty"` - Checkperiod string `protobuf:"bytes,5,opt,name=checkperiod,proto3" json:"checkperiod,omitempty"` -} - -func (x *SSHRule) Reset() { - *x = SSHRule{} - if protoimpl.UnsafeEnabled { - mi := &file_ionscale_v1_acl_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SSHRule) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SSHRule) ProtoMessage() {} - -func (x *SSHRule) ProtoReflect() protoreflect.Message { - mi := &file_ionscale_v1_acl_proto_msgTypes[7] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SSHRule.ProtoReflect.Descriptor instead. 
-func (*SSHRule) Descriptor() ([]byte, []int) { - return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{7} -} - -func (x *SSHRule) GetAction() string { - if x != nil { - return x.Action - } - return "" -} - -func (x *SSHRule) GetSrc() []string { - if x != nil { - return x.Src - } - return nil -} - -func (x *SSHRule) GetDst() []string { - if x != nil { - return x.Dst - } - return nil -} - -func (x *SSHRule) GetUsers() []string { - if x != nil { - return x.Users - } - return nil -} - -func (x *SSHRule) GetCheckperiod() string { - if x != nil { - return x.Checkperiod - } - return "" -} - -type NodeAttr struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Target []string `protobuf:"bytes,1,rep,name=target,proto3" json:"target,omitempty"` - Attr []string `protobuf:"bytes,2,rep,name=attr,proto3" json:"attr,omitempty"` -} - -func (x *NodeAttr) Reset() { - *x = NodeAttr{} - if protoimpl.UnsafeEnabled { - mi := &file_ionscale_v1_acl_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *NodeAttr) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*NodeAttr) ProtoMessage() {} - -func (x *NodeAttr) ProtoReflect() protoreflect.Message { - mi := &file_ionscale_v1_acl_proto_msgTypes[8] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use NodeAttr.ProtoReflect.Descriptor instead. 
-func (*NodeAttr) Descriptor() ([]byte, []int) { - return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{8} -} - -func (x *NodeAttr) GetTarget() []string { - if x != nil { - return x.Target - } - return nil -} - -func (x *NodeAttr) GetAttr() []string { - if x != nil { - return x.Attr - } - return nil -} - -type ACLGrant struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Src []string `protobuf:"bytes,1,rep,name=src,proto3" json:"src,omitempty"` - Dst []string `protobuf:"bytes,2,rep,name=dst,proto3" json:"dst,omitempty"` - Ip []string `protobuf:"bytes,3,rep,name=ip,proto3" json:"ip,omitempty"` - App map[string]*structpb.ListValue `protobuf:"bytes,4,rep,name=app,proto3" json:"app,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` -} - -func (x *ACLGrant) Reset() { - *x = ACLGrant{} - if protoimpl.UnsafeEnabled { - mi := &file_ionscale_v1_acl_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ACLGrant) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ACLGrant) ProtoMessage() {} - -func (x *ACLGrant) ProtoReflect() protoreflect.Message { - mi := &file_ionscale_v1_acl_proto_msgTypes[9] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ACLGrant.ProtoReflect.Descriptor instead. 
-func (*ACLGrant) Descriptor() ([]byte, []int) { - return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{9} -} - -func (x *ACLGrant) GetSrc() []string { - if x != nil { - return x.Src - } - return nil -} - -func (x *ACLGrant) GetDst() []string { - if x != nil { - return x.Dst - } - return nil -} - -func (x *ACLGrant) GetIp() []string { - if x != nil { - return x.Ip - } - return nil -} - -func (x *ACLGrant) GetApp() map[string]*structpb.ListValue { - if x != nil { - return x.App - } - return nil -} - var File_ionscale_v1_acl_proto protoreflect.FileDescriptor var file_ionscale_v1_acl_proto_rawDesc = []byte{ 0x0a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, - 0x65, 0x2e, 0x76, 0x31, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x22, 0x34, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, - 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, - 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x46, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x41, + 0x65, 0x2e, 0x76, 0x31, 0x22, 0x34, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, + 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, + 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x2e, 0x0a, 0x14, 0x47, 0x65, + 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 
0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x4c, 0x0a, 0x13, 0x53, 0x65, + 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, + 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, - 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x22, 0x64, 0x0a, 0x13, 0x53, 0x65, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, - 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, - 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, - 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x41, 0x43, 0x4c, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xbb, - 0x05, 0x0a, 0x09, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x37, 0x0a, 0x05, - 0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x6f, - 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 
0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x05, - 0x68, 0x6f, 0x73, 0x74, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, - 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, - 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x47, 0x72, - 0x6f, 0x75, 0x70, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x67, 0x72, 0x6f, 0x75, 0x70, - 0x73, 0x12, 0x24, 0x0a, 0x04, 0x61, 0x63, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x10, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, - 0x4c, 0x52, 0x04, 0x61, 0x63, 0x6c, 0x73, 0x12, 0x43, 0x0a, 0x09, 0x74, 0x61, 0x67, 0x6f, 0x77, - 0x6e, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x6f, 0x6e, - 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x54, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, - 0x79, 0x52, 0x09, 0x74, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x12, 0x45, 0x0a, 0x0d, - 0x61, 0x75, 0x74, 0x6f, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x18, 0x05, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, - 0x31, 0x2e, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x48, - 0x00, 0x52, 0x0d, 0x61, 0x75, 0x74, 0x6f, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, - 0x88, 0x01, 0x01, 0x12, 0x26, 0x0a, 0x03, 0x73, 0x73, 0x68, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x14, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, - 0x53, 0x48, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x03, 0x73, 0x73, 0x68, 0x12, 0x33, 0x0a, 0x09, 0x6e, - 0x6f, 0x64, 0x65, 0x61, 0x74, 0x74, 0x72, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 
0x15, - 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, - 0x65, 0x41, 0x74, 0x74, 0x72, 0x52, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x61, 0x74, 0x74, 0x72, 0x73, - 0x12, 0x2d, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x15, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, - 0x43, 0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x1a, - 0x38, 0x0a, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, - 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, - 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x55, 0x0a, 0x0b, 0x47, 0x72, 0x6f, - 0x75, 0x70, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, - 0x1a, 0x58, 0x0a, 0x0e, 0x54, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x61, - 0x75, 0x74, 0x6f, 0x61, 0x70, 
0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x22, 0x57, 0x0a, 0x03, - 0x41, 0x43, 0x4c, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a, 0x03, 0x73, - 0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, 0x12, 0x10, 0x0a, - 0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, 0x73, 0x74, 0x12, - 0x14, 0x0a, 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc2, 0x01, 0x0a, 0x0d, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, - 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, - 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, - 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70, 0x72, 0x6f, 0x76, - 0x65, 0x72, 0x73, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, - 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x65, 0x78, 0x69, 0x74, 0x6e, - 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x65, 0x78, 0x69, 0x74, 0x6e, - 0x6f, 0x64, 0x65, 0x1a, 0x55, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x7d, 0x0a, 0x07, 0x53, 0x53, - 0x48, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 
0x6f, 0x6e, 0x12, 0x10, 0x0a, - 0x03, 0x73, 0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, 0x12, - 0x10, 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, 0x73, - 0x74, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, - 0x52, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x68, 0x65, 0x63, 0x6b, - 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x68, - 0x65, 0x63, 0x6b, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x22, 0x36, 0x0a, 0x08, 0x4e, 0x6f, 0x64, - 0x65, 0x41, 0x74, 0x74, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, - 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x12, 0x0a, - 0x04, 0x61, 0x74, 0x74, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x61, 0x74, 0x74, - 0x72, 0x22, 0xc4, 0x01, 0x0a, 0x08, 0x41, 0x43, 0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x12, 0x10, - 0x0a, 0x03, 0x73, 0x72, 0x63, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, - 0x12, 0x10, 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, - 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x02, - 0x69, 0x70, 0x12, 0x30, 0x0a, 0x03, 0x61, 0x70, 0x70, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x1e, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, - 0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x2e, 0x41, 0x70, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, - 0x03, 0x61, 0x70, 0x70, 0x1a, 0x52, 0x0a, 0x08, 0x41, 0x70, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, - 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, - 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 
0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, - 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, - 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, - 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, - 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, + 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, + 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, + 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, + 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -769,47 +244,19 @@ func file_ionscale_v1_acl_proto_rawDescGZIP() []byte { return file_ionscale_v1_acl_proto_rawDescData } -var file_ionscale_v1_acl_proto_msgTypes = make([]protoimpl.MessageInfo, 15) +var file_ionscale_v1_acl_proto_msgTypes = make([]protoimpl.MessageInfo, 4) var file_ionscale_v1_acl_proto_goTypes = []interface{}{ (*GetACLPolicyRequest)(nil), // 0: ionscale.v1.GetACLPolicyRequest (*GetACLPolicyResponse)(nil), // 1: ionscale.v1.GetACLPolicyResponse (*SetACLPolicyRequest)(nil), // 2: ionscale.v1.SetACLPolicyRequest (*SetACLPolicyResponse)(nil), // 3: ionscale.v1.SetACLPolicyResponse - (*ACLPolicy)(nil), // 4: ionscale.v1.ACLPolicy - (*ACL)(nil), // 5: ionscale.v1.ACL - (*AutoApprovers)(nil), // 6: ionscale.v1.AutoApprovers - (*SSHRule)(nil), // 7: ionscale.v1.SSHRule - (*NodeAttr)(nil), // 8: ionscale.v1.NodeAttr - (*ACLGrant)(nil), // 9: ionscale.v1.ACLGrant - nil, // 10: ionscale.v1.ACLPolicy.HostsEntry - nil, // 11: ionscale.v1.ACLPolicy.GroupsEntry - nil, // 12: ionscale.v1.ACLPolicy.TagownersEntry - nil, // 13: ionscale.v1.AutoApprovers.RoutesEntry - nil, // 14: ionscale.v1.ACLGrant.AppEntry - (*structpb.ListValue)(nil), // 15: google.protobuf.ListValue } var file_ionscale_v1_acl_proto_depIdxs = []int32{ - 4, // 0: ionscale.v1.GetACLPolicyResponse.policy:type_name -> ionscale.v1.ACLPolicy - 4, // 1: ionscale.v1.SetACLPolicyRequest.policy:type_name -> ionscale.v1.ACLPolicy - 10, // 2: ionscale.v1.ACLPolicy.hosts:type_name -> ionscale.v1.ACLPolicy.HostsEntry - 11, // 3: ionscale.v1.ACLPolicy.groups:type_name -> ionscale.v1.ACLPolicy.GroupsEntry - 5, // 4: ionscale.v1.ACLPolicy.acls:type_name -> ionscale.v1.ACL - 12, // 5: ionscale.v1.ACLPolicy.tagowners:type_name -> ionscale.v1.ACLPolicy.TagownersEntry - 6, // 6: ionscale.v1.ACLPolicy.autoapprovers:type_name -> ionscale.v1.AutoApprovers - 7, // 7: ionscale.v1.ACLPolicy.ssh:type_name -> ionscale.v1.SSHRule - 8, // 8: ionscale.v1.ACLPolicy.nodeattrs:type_name -> ionscale.v1.NodeAttr - 9, // 9: 
ionscale.v1.ACLPolicy.grants:type_name -> ionscale.v1.ACLGrant - 13, // 10: ionscale.v1.AutoApprovers.routes:type_name -> ionscale.v1.AutoApprovers.RoutesEntry - 14, // 11: ionscale.v1.ACLGrant.app:type_name -> ionscale.v1.ACLGrant.AppEntry - 15, // 12: ionscale.v1.ACLPolicy.GroupsEntry.value:type_name -> google.protobuf.ListValue - 15, // 13: ionscale.v1.ACLPolicy.TagownersEntry.value:type_name -> google.protobuf.ListValue - 15, // 14: ionscale.v1.AutoApprovers.RoutesEntry.value:type_name -> google.protobuf.ListValue - 15, // 15: ionscale.v1.ACLGrant.AppEntry.value:type_name -> google.protobuf.ListValue - 16, // [16:16] is the sub-list for method output_type - 16, // [16:16] is the sub-list for method input_type - 16, // [16:16] is the sub-list for extension type_name - 16, // [16:16] is the sub-list for extension extendee - 0, // [0:16] is the sub-list for field type_name + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name } func init() { file_ionscale_v1_acl_proto_init() } 
@@ -866,87 +313,14 @@ func file_ionscale_v1_acl_proto_init() { return nil } } - file_ionscale_v1_acl_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ACLPolicy); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_ionscale_v1_acl_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ACL); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_ionscale_v1_acl_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*AutoApprovers); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_ionscale_v1_acl_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SSHRule); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_ionscale_v1_acl_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*NodeAttr); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_ionscale_v1_acl_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ACLGrant); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } } - file_ionscale_v1_acl_proto_msgTypes[4].OneofWrappers = []interface{}{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_ionscale_v1_acl_proto_rawDesc, NumEnums: 0, - NumMessages: 15, + NumMessages: 4, NumExtensions: 0, NumServices: 0, }, 
diff --git a/pkg/gen/ionscale/v1/iam.pb.go b/pkg/gen/ionscale/v1/iam.pb.go index a0c91ea..7f5928b 100644 --- a/pkg/gen/ionscale/v1/iam.pb.go +++ b/pkg/gen/ionscale/v1/iam.pb.go @@ -72,7 +72,7 @@ type GetIAMPolicyResponse struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Policy *IAMPolicy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` + Policy string `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` } func (x *GetIAMPolicyResponse) Reset() { @@ -107,11 +107,11 @@ func (*GetIAMPolicyResponse) Descriptor() ([]byte, []int) { return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{1} } -func (x *GetIAMPolicyResponse) GetPolicy() *IAMPolicy { +func (x *GetIAMPolicyResponse) GetPolicy() string { if x != nil { return x.Policy } - return nil + return "" } type SetIAMPolicyRequest struct { @@ -119,8 +119,8 @@ type SetIAMPolicyRequest struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` - Policy *IAMPolicy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` + TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` + Policy string `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` } func (x *SetIAMPolicyRequest) Reset() { @@ -162,11 +162,11 @@ func (x *SetIAMPolicyRequest) GetTailnetId() uint64 { return 0 } -func (x *SetIAMPolicyRequest) GetPolicy() *IAMPolicy { +func (x *SetIAMPolicyRequest) GetPolicy() string { if x != nil { return x.Policy } - return nil + return "" } type SetIAMPolicyResponse struct { 
@@ -207,77 +207,6 @@ func (*SetIAMPolicyResponse) Descriptor() ([]byte, []int) { return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{3} } -type IAMPolicy struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Subs []string `protobuf:"bytes,1,rep,name=subs,proto3" json:"subs,omitempty"` - Emails []string `protobuf:"bytes,2,rep,name=emails,proto3" json:"emails,omitempty"` - Filters []string `protobuf:"bytes,3,rep,name=filters,proto3" json:"filters,omitempty"` - Roles map[string]string `protobuf:"bytes,4,rep,name=roles,proto3" json:"roles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` -} - -func (x *IAMPolicy) Reset() { - *x = IAMPolicy{} - if protoimpl.UnsafeEnabled { - mi := &file_ionscale_v1_iam_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IAMPolicy) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IAMPolicy) ProtoMessage() {} - -func (x *IAMPolicy) ProtoReflect() protoreflect.Message { - mi := &file_ionscale_v1_iam_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IAMPolicy.ProtoReflect.Descriptor instead. 
-func (*IAMPolicy) Descriptor() ([]byte, []int) { - return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{4} -} - -func (x *IAMPolicy) GetSubs() []string { - if x != nil { - return x.Subs - } - return nil -} - -func (x *IAMPolicy) GetEmails() []string { - if x != nil { - return x.Emails - } - return nil -} - -func (x *IAMPolicy) GetFilters() []string { - if x != nil { - return x.Filters - } - return nil -} - -func (x *IAMPolicy) GetRoles() map[string]string { - if x != nil { - return x.Roles - } - return nil -} - var File_ionscale_v1_iam_proto protoreflect.FileDescriptor var file_ionscale_v1_iam_proto_rawDesc = []byte{ 
@@ -286,36 +215,21 @@ var file_ionscale_v1_iam_proto_rawDesc = []byte{ 0x65, 0x2e, 0x76, 0x31, 0x22, 0x34, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, - 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x46, 0x0a, 0x14, 0x47, 0x65, + 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x2e, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, - 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x22, 0x64, 0x0a, 0x13, 0x53, 0x65, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, - 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, - 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, - 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x4c, 0x0a, 0x13, 0x53, 0x65, + 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 
0x65, 0x74, 0x49, 0x64, + 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0xc4, 0x01, 0x0a, 0x09, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x12, - 0x0a, 0x04, 0x73, 0x75, 0x62, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x73, 0x75, - 0x62, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x03, - 0x28, 0x09, 0x52, 0x06, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x66, 0x69, - 0x6c, 0x74, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x66, 0x69, 0x6c, - 0x74, 0x65, 0x72, 0x73, 0x12, 0x37, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, - 0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x6f, 0x6c, 0x65, - 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x1a, 0x38, 0x0a, - 0x0a, 0x52, 0x6f, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, - 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, - 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, - 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, - 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x42, 0x3d, 0x5a, 0x3b, 0x67, 
0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, + 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, + 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, + 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, + 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -330,24 +244,19 @@ func file_ionscale_v1_iam_proto_rawDescGZIP() []byte { return file_ionscale_v1_iam_proto_rawDescData } -var file_ionscale_v1_iam_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_ionscale_v1_iam_proto_msgTypes = make([]protoimpl.MessageInfo, 4) var file_ionscale_v1_iam_proto_goTypes = []interface{}{ (*GetIAMPolicyRequest)(nil), // 0: ionscale.v1.GetIAMPolicyRequest (*GetIAMPolicyResponse)(nil), // 1: ionscale.v1.GetIAMPolicyResponse (*SetIAMPolicyRequest)(nil), // 2: ionscale.v1.SetIAMPolicyRequest (*SetIAMPolicyResponse)(nil), // 3: ionscale.v1.SetIAMPolicyResponse - (*IAMPolicy)(nil), // 4: ionscale.v1.IAMPolicy - nil, // 5: ionscale.v1.IAMPolicy.RolesEntry } var file_ionscale_v1_iam_proto_depIdxs = []int32{ - 4, // 0: ionscale.v1.GetIAMPolicyResponse.policy:type_name -> ionscale.v1.IAMPolicy - 4, // 1: ionscale.v1.SetIAMPolicyRequest.policy:type_name -> ionscale.v1.IAMPolicy - 5, // 2: ionscale.v1.IAMPolicy.roles:type_name -> ionscale.v1.IAMPolicy.RolesEntry - 3, // [3:3] is the sub-list for method output_type - 3, // [3:3] is the sub-list for method input_type - 3, // [3:3] is the sub-list for extension type_name - 3, // [3:3] is the sub-list for extension extendee - 0, // [0:3] is the sub-list for field type_name + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name } func init() { file_ionscale_v1_iam_proto_init() } 
@@ -404,18 +313,6 @@ func file_ionscale_v1_iam_proto_init() { return nil } } - file_ionscale_v1_iam_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IAMPolicy); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } } type x struct{} out := protoimpl.TypeBuilder{ @@ -423,7 +320,7 @@ func file_ionscale_v1_iam_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_ionscale_v1_iam_proto_rawDesc, NumEnums: 0, - NumMessages: 6, + NumMessages: 4, NumExtensions: 0, NumServices: 0, }, diff --git a/pkg/gen/ionscale/v1/tailnets.pb.go b/pkg/gen/ionscale/v1/tailnets.pb.go index e7cb63c..107e4a3 100644 --- a/pkg/gen/ionscale/v1/tailnets.pb.go +++ b/pkg/gen/ionscale/v1/tailnets.pb.go @@ -27,8 +27,8 @@ type Tailnet struct { Id uint64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"` Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` - IamPolicy *IAMPolicy `protobuf:"bytes,3,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` - AclPolicy *ACLPolicy `protobuf:"bytes,4,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` + IamPolicy string `protobuf:"bytes,3,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` + AclPolicy string `protobuf:"bytes,4,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` DnsConfig *DNSConfig `protobuf:"bytes,5,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"` ServiceCollectionEnabled bool `protobuf:"varint,6,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"` FileSharingEnabled bool `protobuf:"varint,7,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"` 
@@ -82,18 +82,18 @@ func (x *Tailnet) GetName() string { return "" } -func (x *Tailnet) GetIamPolicy() *IAMPolicy { +func (x *Tailnet) GetIamPolicy() string { if x != nil { return x.IamPolicy } - return nil + return "" } -func (x *Tailnet) GetAclPolicy() *ACLPolicy { +func (x *Tailnet) GetAclPolicy() string { if x != nil { return x.AclPolicy } - return nil + return "" } func (x *Tailnet) GetDnsConfig() *DNSConfig { @@ -137,8 +137,8 @@ type CreateTailnetRequest struct { unknownFields protoimpl.UnknownFields Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - IamPolicy *IAMPolicy `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` - AclPolicy *ACLPolicy `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` + IamPolicy string `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` + AclPolicy string `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` DnsConfig *DNSConfig `protobuf:"bytes,4,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"` ServiceCollectionEnabled bool `protobuf:"varint,5,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"` FileSharingEnabled bool `protobuf:"varint,6,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"` @@ -185,18 +185,18 @@ func (x *CreateTailnetRequest) GetName() string { return "" } -func (x *CreateTailnetRequest) GetIamPolicy() *IAMPolicy { +func (x *CreateTailnetRequest) GetIamPolicy() string { if x != nil { return x.IamPolicy } - return nil + return "" } -func (x *CreateTailnetRequest) GetAclPolicy() *ACLPolicy { +func (x *CreateTailnetRequest) GetAclPolicy() string { if x != nil { return x.AclPolicy } - return nil + return "" } func (x *CreateTailnetRequest) GetDnsConfig() *DNSConfig { 
@@ -287,8 +287,8 @@ type UpdateTailnetRequest struct { unknownFields protoimpl.UnknownFields TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` - IamPolicy *IAMPolicy `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` - AclPolicy *ACLPolicy `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` + IamPolicy string `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` + AclPolicy string `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` DnsConfig *DNSConfig `protobuf:"bytes,4,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"` ServiceCollectionEnabled bool `protobuf:"varint,5,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"` FileSharingEnabled bool `protobuf:"varint,6,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"` @@ -335,18 +335,18 @@ func (x *UpdateTailnetRequest) GetTailnetId() uint64 { return 0 } -func (x *UpdateTailnetRequest) GetIamPolicy() *IAMPolicy { +func (x *UpdateTailnetRequest) GetIamPolicy() string { if x != nil { return x.IamPolicy } - return nil + return "" } -func (x *UpdateTailnetRequest) GetAclPolicy() *ACLPolicy { +func (x *UpdateTailnetRequest) GetAclPolicy() string { if x != nil { return x.AclPolicy } - return nil + return "" } func (x *UpdateTailnetRequest) GetDnsConfig() *DNSConfig { 
@@ -1673,17 +1673,14 @@ var file_ionscale_v1_tailnets_proto_rawDesc = []byte{ 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x69, 0x61, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, - 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa7, - 0x03, 0x0a, 0x07, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, + 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf7, + 0x02, 0x0a, 0x07, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x35, + 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, - 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, - 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, + 0x28, 0x09, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1d, 0x0a, + 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 
0x79, 0x12, 0x35, 0x0a, 0x0a, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x64, 0x6e, 0x73, 0x43, 0x6f, 0x6e, 
@@ -1700,16 +1697,13 @@ var file_ionscale_v1_tailnets_proto_rawDesc = []byte{ 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0xa4, 0x03, 0x0a, 0x14, 0x43, 0x72, 0x65, + 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0xf4, 0x02, 0x0a, 0x14, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x35, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, - 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, - 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, - 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 
0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 
@@ -1731,17 +1725,14 @@ var file_ionscale_v1_tailnets_proto_rawDesc = []byte{ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, - 0x07, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x22, 0xaf, 0x03, 0x0a, 0x14, 0x55, 0x70, 0x64, + 0x07, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x22, 0xff, 0x02, 0x0a, 0x14, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, - 0x12, 0x35, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, - 0x76, 0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x09, 0x69, 0x61, - 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, - 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, + 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, + 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 
0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x64, 0x6e, 0x73, 0x43, 
@@ -1901,29 +1892,21 @@ var file_ionscale_v1_tailnets_proto_goTypes = []interface{}{ (*EnableMachineAuthorizationResponse)(nil), // 30: ionscale.v1.EnableMachineAuthorizationResponse (*DisableMachineAuthorizationRequest)(nil), // 31: ionscale.v1.DisableMachineAuthorizationRequest (*DisableMachineAuthorizationResponse)(nil), // 32: ionscale.v1.DisableMachineAuthorizationResponse - (*IAMPolicy)(nil), // 33: ionscale.v1.IAMPolicy - (*ACLPolicy)(nil), // 34: ionscale.v1.ACLPolicy - (*DNSConfig)(nil), // 35: ionscale.v1.DNSConfig + (*DNSConfig)(nil), // 33: ionscale.v1.DNSConfig } var file_ionscale_v1_tailnets_proto_depIdxs = []int32{ - 33, // 0: ionscale.v1.Tailnet.iam_policy:type_name -> ionscale.v1.IAMPolicy - 34, // 1: ionscale.v1.Tailnet.acl_policy:type_name -> ionscale.v1.ACLPolicy - 35, // 2: ionscale.v1.Tailnet.dns_config:type_name -> ionscale.v1.DNSConfig - 33, // 3: ionscale.v1.CreateTailnetRequest.iam_policy:type_name -> ionscale.v1.IAMPolicy - 34, // 4: ionscale.v1.CreateTailnetRequest.acl_policy:type_name -> ionscale.v1.ACLPolicy - 35, // 5: ionscale.v1.CreateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig - 0, // 6: ionscale.v1.CreateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet - 33, // 7: ionscale.v1.UpdateTailnetRequest.iam_policy:type_name -> ionscale.v1.IAMPolicy - 34, // 8: ionscale.v1.UpdateTailnetRequest.acl_policy:type_name -> ionscale.v1.ACLPolicy - 35, // 9: ionscale.v1.UpdateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig - 0, // 10: ionscale.v1.UpdateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet - 0, // 11: ionscale.v1.GetTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet - 0, // 12: ionscale.v1.ListTailnetsResponse.tailnet:type_name -> ionscale.v1.Tailnet - 13, // [13:13] is the sub-list for method output_type - 13, // [13:13] is the sub-list for method input_type - 13, // [13:13] is the sub-list for extension type_name - 13, // [13:13] is the sub-list for extension extendee - 0, // [0:13] 
is the sub-list for field type_name + 33, // 0: ionscale.v1.Tailnet.dns_config:type_name -> ionscale.v1.DNSConfig + 33, // 1: ionscale.v1.CreateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig + 0, // 2: ionscale.v1.CreateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet + 33, // 3: ionscale.v1.UpdateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig + 0, // 4: ionscale.v1.UpdateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet + 0, // 5: ionscale.v1.GetTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet + 0, // 6: ionscale.v1.ListTailnetsResponse.tailnet:type_name -> ionscale.v1.Tailnet + 7, // [7:7] is the sub-list for method output_type + 7, // [7:7] is the sub-list for method input_type + 7, // [7:7] is the sub-list for extension type_name + 7, // [7:7] is the sub-list for extension extendee + 0, // [0:7] is the sub-list for field type_name } func init() { file_ionscale_v1_tailnets_proto_init() } diff --git a/proto/ionscale/v1/acl.proto b/proto/ionscale/v1/acl.proto index a6164a3..aab7e2d 100644 --- a/proto/ionscale/v1/acl.proto +++ b/proto/ionscale/v1/acl.proto @@ -2,8 +2,6 @@ syntax = "proto3"; package ionscale.v1; -import "google/protobuf/struct.proto"; - option go_package = "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1;ionscalev1"; message GetACLPolicyRequest { 
@@ -11,55 +9,12 @@ message GetACLPolicyRequest { } message GetACLPolicyResponse { - ACLPolicy policy = 1; + string policy = 1; } message SetACLPolicyRequest { uint64 tailnet_id = 1; - ACLPolicy policy = 2; + string policy = 2; } message SetACLPolicyResponse {} - -message ACLPolicy { - map hosts = 1; - map groups = 2; - repeated ACL acls = 3; - map tagowners = 4; - optional AutoApprovers autoapprovers = 5; - repeated SSHRule ssh = 6; - repeated NodeAttr nodeattrs = 7; - repeated ACLGrant grants = 8; -} - -message ACL { - string action = 1; - repeated string src = 2; - repeated string dst = 3; - string proto = 4; -} - -message AutoApprovers { - map routes = 1; - repeated string exitnode = 2; -} - -message SSHRule { - string action = 1; - repeated string src = 2; - repeated string dst = 3; - repeated string users = 4; - string checkperiod = 5; -} - -message NodeAttr { - repeated string target = 1; - repeated string attr = 2; -} - -message ACLGrant { - repeated string src = 1; - repeated string dst = 2; - repeated string ip = 3; - map app = 4; -} \ No newline at end of file diff --git a/proto/ionscale/v1/iam.proto b/proto/ionscale/v1/iam.proto index 124906e..cb032a3 100644 --- a/proto/ionscale/v1/iam.proto +++ b/proto/ionscale/v1/iam.proto @@ -9,19 +9,12 @@ message GetIAMPolicyRequest { } message GetIAMPolicyResponse { - IAMPolicy policy = 1; + string policy = 1; } message SetIAMPolicyRequest { uint64 tailnet_id = 1; - IAMPolicy policy = 2; + string policy = 2; } message SetIAMPolicyResponse {} - -message IAMPolicy { - repeated string subs = 1; - repeated string emails = 2; - repeated string filters = 3; - map roles = 4; -} diff --git a/proto/ionscale/v1/tailnets.proto b/proto/ionscale/v1/tailnets.proto index 82b1d7c..c678fc3 100644 --- a/proto/ionscale/v1/tailnets.proto +++ b/proto/ionscale/v1/tailnets.proto 
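Review bot: The new `string policy = 1;` and `string policy = 2;` fields carry no comment on the expected encoding, and with the `ACLPolicy`, `ACL`, `AutoApprovers`, `SSHRule`, `NodeAttr` and `ACLGrant` messages deleted the `.proto` no longer says what a well-formed policy looks like — the structure that protobuf decoding used to enforce now has to be enforced wherever the string is parsed, and a reader of this file cannot tell where that is. Add a field comment such as `// policy is the tailnet ACL policy document serialized as JSON text.` (adjust if a looser dialect is accepted) and, once confirmed against the server-side parser, say whether unknown or misspelled keys are rejected, since a silently ignored `acls` key would change what the policy allows. The same applies to the `iam.proto` hunk on this line and the three `tailnets.proto` hunks that follow it.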
@@ -11,8 +11,8 @@ option go_package = "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1;ionscalev1 message Tailnet { uint64 id = 1; string name = 2; - IAMPolicy iam_policy = 3; - ACLPolicy acl_policy = 4; + string iam_policy = 3; + string acl_policy = 4; DNSConfig dns_config = 5; bool service_collection_enabled = 6; @@ -23,8 +23,8 @@ message Tailnet { message CreateTailnetRequest { string name = 1; - IAMPolicy iam_policy = 2; - ACLPolicy acl_policy = 3; + string iam_policy = 2; + string acl_policy = 3; DNSConfig dns_config = 4; bool service_collection_enabled = 5; @@ -39,8 +39,8 @@ message CreateTailnetResponse { message UpdateTailnetRequest { uint64 tailnet_id = 1; - IAMPolicy iam_policy = 2; - ACLPolicy acl_policy = 3; + string iam_policy = 2; + string acl_policy = 3; DNSConfig dns_config = 4; bool service_collection_enabled = 5; diff --git a/tests/acl_test.go b/tests/acl_test.go index 4a1a4bb..4b37d89 100644 --- a/tests/acl_test.go +++ b/tests/acl_test.go @@ -1,8 +1,8 @@ package tests import ( + "github.com/jsiebens/ionscale/pkg/client/ionscale" "github.com/jsiebens/ionscale/pkg/defaults" - ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" "github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/tsn" "github.com/stretchr/testify/require" @@ -25,11 +25,11 @@ func TestACL_PeersShouldBeRemovedWhenNoMatchingACLRuleIsAvailable(t *testing.T) require.NoError(t, server.WaitFor(tsn.PeerCount(2))) policy := defaults.DefaultACLPolicy() - policy.Acls = []*ionscalev1.ACL{ + policy.ACLs = []ionscale.ACLEntry{ { - Action: "accept", - Src: []string{"tag:server"}, - Dst: []string{"tag:server:*"}, + Action: "accept", + Source: []string{"tag:server"}, + Destination: []string{"tag:server:*"}, }, } diff --git a/tests/node_attributes_test.go b/tests/node_attributes_test.go index 3969d19..b535ef7 100644 --- a/tests/node_attributes_test.go +++ b/tests/node_attributes_test.go 
@@ -1,8 +1,8 @@ package tests import ( + "github.com/jsiebens/ionscale/pkg/client/ionscale" "github.com/jsiebens/ionscale/pkg/defaults" - ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" "github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/tsn" "github.com/stretchr/testify/require" @@ -19,7 +19,7 @@ func TestNodeAttrs(t *testing.T) { require.NoError(t, nodeA.Up(key)) policy := defaults.DefaultACLPolicy() - policy.Nodeattrs = []*ionscalev1.NodeAttr{ + policy.NodeAttrs = []ionscale.ACLNodeAttrGrant{ { Target: []string{"tag:test"}, Attr: []string{"ionscale:test"}, @@ -41,10 +41,10 @@ func TestNodeAttrs_IgnoreFunnelAttr(t *testing.T) { require.NoError(t, nodeA.Up(key)) policy := defaults.DefaultACLPolicy() - policy.Nodeattrs = []*ionscalev1.NodeAttr{ + policy.NodeAttrs = []ionscale.ACLNodeAttrGrant{ { Target: []string{"tag:test"}, - Attr: []string{"ionscale:test", string(tailcfg.NodeAttrFunnel)}, + Attr: []string{"ionscale:test"}, }, } diff --git a/tests/sc/scenario.go b/tests/sc/scenario.go index 810e7e5..3fcf98c 100644 --- a/tests/sc/scenario.go +++ b/tests/sc/scenario.go 
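Review bot: In the last hunk of this file, `TestNodeAttrs_IgnoreFunnelAttr` no longer puts the funnel attribute into the policy (`Attr: []string{"ionscale:test"}`), so its input is now identical to `TestNodeAttrs` and the test no longer exercises the behaviour its name describes. If `ionscale.ACLNodeAttrGrant` still accepts arbitrary attribute strings, keep `Attr: []string{"ionscale:test", string(tailcfg.NodeAttrFunnel)}` so the ignore path stays covered; if the attribute was dropped because the new policy type rejects it at parse time, rename the test or assert on that rejection instead. The enclosing test function and its assertions lie outside the hunk, so I cannot see whether anything still checks the funnel case.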
@@ -85,13 +85,13 @@ func (s *Scenario) ExpireMachines(tailnetID uint64) { } } -func (s *Scenario) SetACLPolicy(tailnetID uint64, policy *api.ACLPolicy) { - _, err := s.ionscaleClient.SetACLPolicy(context.Background(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tailnetID, Policy: policy})) +func (s *Scenario) SetACLPolicy(tailnetID uint64, policy *ionscaleclt.ACLPolicy) { + _, err := s.ionscaleClient.SetACLPolicy(context.Background(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tailnetID, Policy: policy.Marshal()})) require.NoError(s.t, err) } -func (s *Scenario) SetIAMPolicy(tailnetID uint64, policy *api.IAMPolicy) { - _, err := s.ionscaleClient.SetIAMPolicy(context.Background(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tailnetID, Policy: policy})) +func (s *Scenario) SetIAMPolicy(tailnetID uint64, policy *ionscaleclt.IAMPolicy) { + _, err := s.ionscaleClient.SetIAMPolicy(context.Background(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tailnetID, Policy: policy.Marshal()})) require.NoError(s.t, err) } diff --git a/tests/switch_test.go b/tests/switch_test.go index 49b5ef1..14432d6 100644 --- a/tests/switch_test.go +++ b/tests/switch_test.go @@ -1,7 +1,7 @@ package tests import ( - api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" + "github.com/jsiebens/ionscale/pkg/client/ionscale" "github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/tsn" "github.com/stretchr/testify/require" @@ -15,7 +15,7 @@ func TestSwitchAccounts(t *testing.T) { s.PushOIDCUser("124", "jane@localtest.me", "jane") tailnet := s.CreateTailnet() - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Filters: []string{"domain == localtest.me"}}) + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Filters: []string{"domain == localtest.me"}}) node := s.NewTailscaleNode(sc.WithName("switch")) diff --git a/tests/weblogin_test.go b/tests/weblogin_test.go index bf7c3d2..e9d92e1 100644 --- a/tests/weblogin_test.go +++ b/tests/weblogin_test.go 
@@ -1,12 +1,11 @@ package tests import ( + "github.com/jsiebens/ionscale/pkg/client/ionscale" "github.com/jsiebens/ionscale/pkg/defaults" - api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" "github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/tsn" "github.com/stretchr/testify/require" - "google.golang.org/protobuf/types/known/structpb" "net/http" "tailscale.com/tailcfg" "testing" @@ -30,7 +29,7 @@ func TestWebLoginWithDomainFilterInIAMPolicy(t *testing.T) { s.PushOIDCUser("124", "jane@localtest.me", "jane") tailnet := s.CreateTailnet() - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Filters: []string{"domain == localtest.me"}}) + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Filters: []string{"domain == localtest.me"}}) john := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me") jane := newTailscaleNodeAndLoginWithOIDC(t, s, "jane@localtest.me") @@ -49,7 +48,7 @@ func TestWebLoginWithSubsAndEmailsInIAMPolicy(t *testing.T) { s.PushOIDCUser("124", "jane@localtest.me", "jane") tailnet := s.CreateTailnet() - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Subs: []string{"123"}, Emails: []string{"jane@localtest.me"}}) + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Subs: []string{"123"}, Emails: []string{"jane@localtest.me"}}) john := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me") jane := newTailscaleNodeAndLoginWithOIDC(t, s, "jane@localtest.me") @@ -65,7 +64,7 @@ func TestWebLoginWithUserAsTailnetAdmin(t *testing.T) { s.PushOIDCUser("124", "jane@localtest.me", "jane") tailnet := s.CreateTailnet() - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{ Filters: []string{"domain == localtest.me"}, Roles: map[string]string{"john@localtest.me": "admin"}, }) 
@@ -83,7 +82,7 @@ func TestWebLoginWhenNotAuthorizedForAnyTailnet(t *testing.T) { s.PushOIDCUser("124", "jane@localtest.me", "jane") tailnet := s.CreateTailnet() - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{ Subs: []string{"123"}, }) @@ -99,7 +98,7 @@ func TestWebLoginWhenInvalidTagOwner(t *testing.T) { s.PushOIDCUser("124", "jane@localtest.me", "jane") tailnet := s.CreateTailnet() - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{ Subs: []string{"124"}, }) @@ -114,17 +113,14 @@ func TestWebLoginAsTagOwner(t *testing.T) { sc.Run(t, func(s *sc.Scenario) { s.PushOIDCUser("124", "jane@localtest.me", "jane") - owners, err := structpb.NewList([]interface{}{"jane@localtest.me"}) - require.NoError(t, err) - aclPolicy := defaults.DefaultACLPolicy() - aclPolicy.Tagowners = map[string]*structpb.ListValue{ - "tag:localtest": owners, + aclPolicy.TagOwners = map[string][]string{ + "tag:localtest": {"jane@localtest.me"}, } tailnet := s.CreateTailnet() s.SetACLPolicy(tailnet.Id, aclPolicy) - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{ Subs: []string{"124"}, }) @@ -137,7 +133,7 @@ func TestWebLoginWithMachineAuthorizationRequired(t *testing.T) { s.PushOIDCUser("123", "john@localtest.me", "john") tailnet := s.CreateTailnet() - s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Filters: []string{"domain == localtest.me"}}) + s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Filters: []string{"domain == localtest.me"}}) s.EnableMachineAutorization(tailnet.Id) node := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me")