leviathonbeast/ionscale
1
0
Fork 0
mirror of https://github.com/jsiebens/ionscale.git synced 2026-03-31 15:07:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: use hujson as data format for ACL and IAM policy

Browse Source
This commit is contained in:
Johan Siebens
2024-03-14 08:23:24 +01:00
parent a1debdffb8
commit 6173621730
36 changed files with 752 additions and 1415 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/cmd/acl.go
+4 -30
View File
@@ -2,7 +2,6 @@ package cmd
import ( import (
"bytes" "bytes"
"encoding/json"
"fmt" "fmt"
"github.com/bufbuild/connect-go" "github.com/bufbuild/connect-go"
"github.com/jsiebens/go-edit/editor" "github.com/jsiebens/go-edit/editor"
@@ -25,12 +24,7 @@ func getACLConfigCommand() *cobra.Command {
return err return err
} }
marshal, err := json.MarshalIndent(resp.Msg.Policy, "", " ") fmt.Println(resp.Msg.Policy)
if err != nil {
return err
}
fmt.Println(string(marshal))
return nil return nil
} }
@@ -53,12 +47,7 @@ func editACLConfigCommand() *cobra.Command {
return err return err
} }
previous, err := json.MarshalIndent(resp.Msg.Policy, "", " ") next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader([]byte(resp.Msg.Policy)))
if err != nil {
return err
}
next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader(previous))
if err != nil { if err != nil {
return err return err
} }
@@ -70,12 +59,7 @@ func editACLConfigCommand() *cobra.Command {
return err return err
} }
var policy = &api.ACLPolicy{} _, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(next)}))
if err := json.Unmarshal(next, policy); err != nil {
return err
}
_, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
if err != nil { if err != nil {
return err return err
} }
@@ -105,17 +89,7 @@ func setACLConfigCommand() *cobra.Command {
return err return err
} }
rawJson, err := hujson.Standardize(content) _, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(content)}))
if err != nil {
return err
}
var policy = &api.ACLPolicy{}
if err := json.Unmarshal(rawJson, policy); err != nil {
return err
}
_, err = tc.Client().SetACLPolicy(cmd.Context(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
if err != nil { if err != nil {
return err return err
} }
internal/cmd/iam.go
+4 -36
View File
@@ -2,13 +2,11 @@ package cmd
import ( import (
"bytes" "bytes"
"encoding/json"
"fmt" "fmt"
"github.com/bufbuild/connect-go" "github.com/bufbuild/connect-go"
"github.com/jsiebens/go-edit/editor" "github.com/jsiebens/go-edit/editor"
api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/tailscale/hujson"
"os" "os"
) )
@@ -25,12 +23,7 @@ func getIAMPolicyCommand() *cobra.Command {
return err return err
} }
marshal, err := json.MarshalIndent(resp.Msg.Policy, "", " ") fmt.Println(resp.Msg.Policy)
if err != nil {
return err
}
fmt.Println(string(marshal))
return nil return nil
} }
@@ -53,29 +46,14 @@ func editIAMPolicyCommand() *cobra.Command {
return err return err
} }
previous, err := json.MarshalIndent(resp.Msg.Policy, "", " ") next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader([]byte(resp.Msg.Policy)))
if err != nil {
return err
}
next, s, err := edit.LaunchTempFile("ionscale", ".json", bytes.NewReader(previous))
if err != nil {
return err
}
next, err = hujson.Standardize(next)
if err != nil { if err != nil {
return err return err
} }
defer os.Remove(s) defer os.Remove(s)
var policy = &api.IAMPolicy{} _, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(next)}))
if err := json.Unmarshal(next, policy); err != nil {
return err
}
_, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
if err != nil { if err != nil {
return err return err
} }
@@ -105,17 +83,7 @@ func setIAMPolicyCommand() *cobra.Command {
return err return err
} }
rawJson, err := hujson.Standardize(content) _, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: string(content)}))
if err != nil {
return err
}
var policy = &api.IAMPolicy{}
if err := json.Unmarshal(rawJson, policy); err != nil {
return err
}
_, err = tc.Client().SetIAMPolicy(cmd.Context(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tc.TailnetID(), Policy: policy}))
if err != nil { if err != nil {
return err return err
} }
internal/cmd/tailnet.go
+13 -4
View File
@@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"github.com/bufbuild/connect-go" "github.com/bufbuild/connect-go"
idomain "github.com/jsiebens/ionscale/internal/domain" idomain "github.com/jsiebens/ionscale/internal/domain"
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"github.com/jsiebens/ionscale/pkg/defaults" "github.com/jsiebens/ionscale/pkg/defaults"
api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
"github.com/rodaine/table" "github.com/rodaine/table"
@@ -102,24 +103,32 @@ func createTailnetsCommand() *cobra.Command {
command.RunE = func(cmd *cobra.Command, args []string) error { command.RunE = func(cmd *cobra.Command, args []string) error {
dnsConfig := defaults.DefaultDNSConfig() dnsConfig := defaults.DefaultDNSConfig()
aclPolicy := defaults.DefaultACLPolicy() aclPolicy := defaults.DefaultACLPolicy().Marshal()
iamPolicy := &api.IAMPolicy{} iamPolicy := "{}"
if len(domain) != 0 { if len(domain) != 0 {
domainToLower := strings.ToLower(domain) domainToLower := strings.ToLower(domain)
iamPolicy = &api.IAMPolicy{ m, err := json.MarshalIndent(&ionscale.IAMPolicy{
Filters: []string{fmt.Sprintf("domain == %s", domainToLower)}, Filters: []string{fmt.Sprintf("domain == %s", domainToLower)},
}, "", " ")
if err != nil {
return err
} }
iamPolicy = string(m)
} }
if len(email) != 0 { if len(email) != 0 {
emailToLower := strings.ToLower(email) emailToLower := strings.ToLower(email)
iamPolicy = &api.IAMPolicy{ m, err := json.MarshalIndent(&ionscale.IAMPolicy{
Emails: []string{emailToLower}, Emails: []string{emailToLower},
Roles: map[string]string{ Roles: map[string]string{
emailToLower: string(idomain.UserRoleAdmin), emailToLower: string(idomain.UserRoleAdmin),
}, },
}, "", " ")
if err != nil {
return err
} }
iamPolicy = string(m)
} }
resp, err := tc.Client().CreateTailnet(cmd.Context(), connect.NewRequest(&api.CreateTailnetRequest{ resp, err := tc.Client().CreateTailnet(cmd.Context(), connect.NewRequest(&api.CreateTailnetRequest{
internal/database/migration/m202403130830_json_to_text.go
+29
View File
@@ -0,0 +1,29 @@
package migration
import (
"github.com/go-gormigrate/gormigrate/v2"
"gorm.io/gorm"
)
func m202403130830_json_to_text() *gormigrate.Migration {
return &gormigrate.Migration{
ID: "202403130830",
Migrate: func(db *gorm.DB) error {
type Tailnet struct {
IAMPolicy string
ACLPolicy string
}
if err := db.Migrator().AlterColumn(&Tailnet{}, "IAMPolicy"); err != nil {
return err
}
if err := db.Migrator().AlterColumn(&Tailnet{}, "ACLPolicy"); err != nil {
return err
}
return nil
},
Rollback: nil,
}
}
internal/database/migration/migrations.go
+1
View File
@@ -20,6 +20,7 @@ func Migrations() []*gormigrate.Migration {
m202312290900_machine_indeces(), m202312290900_machine_indeces(),
m202401061400_machine_indeces(), m202401061400_machine_indeces(),
m202402120800_user_last_authenticated(), m202402120800_user_last_authenticated(),
m202403130830_json_to_text(),
} }
return migrations return migrations
} }
internal/domain/acl.go
+2 -35
View File
@@ -5,6 +5,7 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"gorm.io/gorm" "gorm.io/gorm"
"gorm.io/gorm/schema" "gorm.io/gorm/schema"
"net/netip" "net/netip"
@@ -30,41 +31,7 @@ type AutoApprovers struct {
} }
type ACLPolicy struct { type ACLPolicy struct {
Groups map[string][]string `json:"groups,omitempty"` ionscale.ACLPolicy
Hosts map[string]string `json:"hosts,omitempty"`
ACLs []ACL `json:"acls,omitempty"`
TagOwners map[string][]string `json:"tagowners,omitempty"`
AutoApprovers *AutoApprovers `json:"autoApprovers,omitempty"`
SSHRules []SSHRule `json:"ssh,omitempty"`
NodeAttrs []NodeAttr `json:"nodeAttrs,omitempty"`
Grants []Grant `json:"grants,omitempty"`
}
type ACL struct {
Action string `json:"action"`
Proto string `json:"proto"`
Src []string `json:"src"`
Dst []string `json:"dst"`
}
type SSHRule struct {
Action string `json:"action"`
Src []string `json:"src"`
Dst []string `json:"dst"`
Users []string `json:"users"`
CheckPeriod string `json:"checkPeriod,omitempty"`
}
type NodeAttr struct {
Target []string `json:"target"`
Attr []string `json:"attr"`
}
type Grant struct {
Src []string `json:"src"`
Dst []string `json:"dst"`
IP []tailcfg.ProtoPortRange `json:"ip"`
App tailcfg.PeerCapMap `json:"app"`
} }
func (a *ACLPolicy) Equal(x *ACLPolicy) bool { func (a *ACLPolicy) Equal(x *ACLPolicy) bool {
internal/domain/acl_filter_rules.go
+16 -15
View File
@@ -1,6 +1,7 @@
package domain package domain
import ( import (
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"net/netip" "net/netip"
"strings" "strings"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
@@ -12,16 +13,16 @@ func (a ACLPolicy) IsValidPeer(src *Machine, dest *Machine) bool {
} }
for _, acl := range a.ACLs { for _, acl := range a.ACLs {
selfDestPorts, allDestPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Dst, dest) selfDestPorts, allDestPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Destination, dest)
if len(selfDestPorts) != 0 { if len(selfDestPorts) != 0 {
for _, alias := range acl.Src { for _, alias := range acl.Source {
if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 { if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 {
return true return true
} }
} }
} }
if len(allDestPorts) != 0 { if len(allDestPorts) != 0 {
for _, alias := range acl.Src { for _, alias := range acl.Source {
if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 { if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 {
return true return true
} }
@@ -30,16 +31,16 @@ func (a ACLPolicy) IsValidPeer(src *Machine, dest *Machine) bool {
} }
for _, grant := range a.Grants { for _, grant := range a.Grants {
selfIps, otherIps := a.translateDestinationAliasesToMachineIPs(grant.Dst, dest) selfIps, otherIps := a.translateDestinationAliasesToMachineIPs(grant.Destination, dest)
if len(selfIps) != 0 { if len(selfIps) != 0 {
for _, alias := range grant.Src { for _, alias := range grant.Source {
if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 { if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 {
return true return true
} }
} }
} }
if len(otherIps) != 0 { if len(otherIps) != 0 {
for _, alias := range grant.Src { for _, alias := range grant.Source {
if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 { if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 {
return true return true
} }
@@ -89,23 +90,23 @@ func (a ACLPolicy) BuildFilterRules(peers []Machine, dst *Machine) []tailcfg.Fil
for _, acl := range a.ACLs { for _, acl := range a.ACLs {
self, other := a.prepareFilterRulesFromACL(dst, acl) self, other := a.prepareFilterRulesFromACL(dst, acl)
rules = matchSourceAndAppendRule(rules, acl.Src, self, &dst.User) rules = matchSourceAndAppendRule(rules, acl.Source, self, &dst.User)
rules = matchSourceAndAppendRule(rules, acl.Src, other, nil) rules = matchSourceAndAppendRule(rules, acl.Source, other, nil)
} }
for _, acl := range a.Grants { for _, acl := range a.Grants {
self, other := a.prepareFilterRulesFromGrant(dst, acl) self, other := a.prepareFilterRulesFromGrant(dst, acl)
rules = matchSourceAndAppendRule(rules, acl.Src, self, &dst.User) rules = matchSourceAndAppendRule(rules, acl.Source, self, &dst.User)
rules = matchSourceAndAppendRule(rules, acl.Src, other, nil) rules = matchSourceAndAppendRule(rules, acl.Source, other, nil)
} }
return rules return rules
} }
func (a ACLPolicy) prepareFilterRulesFromACL(candidate *Machine, acl ACL) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { func (a ACLPolicy) prepareFilterRulesFromACL(candidate *Machine, acl ionscale.ACLEntry) ([]tailcfg.FilterRule, []tailcfg.FilterRule) {
proto := parseProtocol(acl.Proto) proto := parseProtocol(acl.Protocol)
selfDstPorts, otherDstPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Dst, candidate) selfDstPorts, otherDstPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Destination, candidate)
var selfFilterRules []tailcfg.FilterRule var selfFilterRules []tailcfg.FilterRule
var otherFilterRules []tailcfg.FilterRule var otherFilterRules []tailcfg.FilterRule
@@ -121,8 +122,8 @@ func (a ACLPolicy) prepareFilterRulesFromACL(candidate *Machine, acl ACL) ([]tai
return selfFilterRules, otherFilterRules return selfFilterRules, otherFilterRules
} }
func (a ACLPolicy) prepareFilterRulesFromGrant(candidate *Machine, grant Grant) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { func (a ACLPolicy) prepareFilterRulesFromGrant(candidate *Machine, grant ionscale.ACLGrant) ([]tailcfg.FilterRule, []tailcfg.FilterRule) {
selfIPs, otherIPs := a.translateDestinationAliasesToMachineIPs(grant.Dst, candidate) selfIPs, otherIPs := a.translateDestinationAliasesToMachineIPs(grant.Destination, candidate)
var selfFilterRules []tailcfg.FilterRule var selfFilterRules []tailcfg.FilterRule
var otherFilterRules []tailcfg.FilterRule var otherFilterRules []tailcfg.FilterRule
internal/domain/acl_ssh_policy.go
+6 -5
View File
@@ -1,6 +1,7 @@
package domain package domain
import ( import (
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"strings" "strings"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
) )
@@ -28,7 +29,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli
return result return result
} }
for _, rule := range a.SSHRules { for _, rule := range a.SSH {
if rule.Action != "accept" && rule.Action != "check" { if rule.Action != "accept" && rule.Action != "check" {
continue continue
} }
@@ -48,7 +49,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli
selfUsers, otherUsers := a.expandSSHDstToSSHUsers(dst, rule) selfUsers, otherUsers := a.expandSSHDstToSSHUsers(dst, rule)
if len(selfUsers) != 0 { if len(selfUsers) != 0 {
principals := expandSrcAliases(rule.Src, rule.Action, &dst.User) principals := expandSrcAliases(rule.Source, rule.Action, &dst.User)
if len(principals) != 0 { if len(principals) != 0 {
rules = append(rules, &tailcfg.SSHRule{ rules = append(rules, &tailcfg.SSHRule{
Principals: principals, Principals: principals,
@@ -59,7 +60,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli
} }
if len(otherUsers) != 0 { if len(otherUsers) != 0 {
principals := expandSrcAliases(rule.Src, rule.Action, nil) principals := expandSrcAliases(rule.Source, rule.Action, nil)
if len(principals) != 0 { if len(principals) != 0 {
rules = append(rules, &tailcfg.SSHRule{ rules = append(rules, &tailcfg.SSHRule{
Principals: principals, Principals: principals,
@@ -113,13 +114,13 @@ func (a ACLPolicy) expandSSHSrcAlias(m *Machine, alias string, dstUser *User) []
return []string{} return []string{}
} }
func (a ACLPolicy) expandSSHDstToSSHUsers(m *Machine, rule SSHRule) (map[string]string, map[string]string) { func (a ACLPolicy) expandSSHDstToSSHUsers(m *Machine, rule ionscale.ACLSSH) (map[string]string, map[string]string) {
users := buildSSHUsers(rule.Users) users := buildSSHUsers(rule.Users)
var selfUsers map[string]string var selfUsers map[string]string
var otherUsers map[string]string var otherUsers map[string]string
for _, d := range rule.Dst { for _, d := range rule.Destination {
if strings.HasPrefix(d, "tag:") && m.HasTag(d) { if strings.HasPrefix(d, "tag:") && m.HasTag(d) {
otherUsers = users otherUsers = users
} }
internal/domain/acl_ssh_policy_test.go
+96 -73
View File
@@ -3,6 +3,7 @@ package domain
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"testing" "testing"
@@ -13,12 +14,14 @@ func TestACLPolicy_BuildSSHPolicy_(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"autogroup:members"}, Action: "accept",
Dst: []string{"autogroup:self"}, Source: []string{"autogroup:members"},
Users: []string{"autogroup:nonroot"}, Destination: []string{"autogroup:self"},
Users: []string{"autogroup:nonroot"},
},
}, },
}, },
} }
@@ -52,17 +55,19 @@ func TestACLPolicy_BuildSSHPolicy_WithGroup(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:sre": { Groups: map[string][]string{
"john@example.com", "group:sre": {
"john@example.com",
},
}, },
}, SSH: []ionscale.ACLSSH{
SSHRules: []SSHRule{ {
{ Action: "accept",
Action: "accept", Source: []string{"group:sre"},
Src: []string{"group:sre"}, Destination: []string{"tag:web"},
Dst: []string{"tag:web"}, Users: []string{"autogroup:nonroot", "root"},
Users: []string{"autogroup:nonroot", "root"}, },
}, },
}, },
} }
@@ -96,12 +101,14 @@ func TestACLPolicy_BuildSSHPolicy_WithMatchingUsers(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"john@example.com"}, Action: "accept",
Dst: []string{"john@example.com"}, Source: []string{"john@example.com"},
Users: []string{"autogroup:nonroot", "root"}, Destination: []string{"john@example.com"},
Users: []string{"autogroup:nonroot", "root"},
},
}, },
}, },
} }
@@ -132,15 +139,17 @@ func TestACLPolicy_BuildSSHPolicy_WithMatchingUsersInGroup(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:sre": {"jane@example.com", "john@example.com"}, Groups: map[string][]string{
}, "group:sre": {"jane@example.com", "john@example.com"},
SSHRules: []SSHRule{ },
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"group:sre"}, Action: "accept",
Dst: []string{"john@example.com"}, Source: []string{"group:sre"},
Users: []string{"autogroup:nonroot", "root"}, Destination: []string{"john@example.com"},
Users: []string{"autogroup:nonroot", "root"},
},
}, },
}, },
} }
@@ -171,12 +180,14 @@ func TestACLPolicy_BuildSSHPolicy_WithNoMatchingUsers(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"jane@example.com"}, Action: "accept",
Dst: []string{"john@example.com"}, Source: []string{"jane@example.com"},
Users: []string{"autogroup:nonroot", "root"}, Destination: []string{"john@example.com"},
Users: []string{"autogroup:nonroot", "root"},
},
}, },
}, },
} }
@@ -194,12 +205,14 @@ func TestACLPolicy_BuildSSHPolicy_WithTags(t *testing.T) {
p3 := createMachine("nick@example.com", "tag:web") p3 := createMachine("nick@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"john@example.com", "tag:web"}, Action: "accept",
Dst: []string{"tag:web"}, Source: []string{"john@example.com", "tag:web"},
Users: []string{"ubuntu"}, Destination: []string{"tag:web"},
Users: []string{"ubuntu"},
},
}, },
}, },
} }
@@ -230,12 +243,14 @@ func TestACLPolicy_BuildSSHPolicy_WithTagsInDstAndAutogroupMemberInSrc(t *testin
p3 := createMachine("nick@example.com", "tag:web") p3 := createMachine("nick@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"autogroup:members"}, Action: "accept",
Dst: []string{"tag:web"}, Source: []string{"autogroup:members"},
Users: []string{"ubuntu"}, Destination: []string{"tag:web"},
Users: []string{"ubuntu"},
},
}, },
}, },
} }
@@ -265,12 +280,14 @@ func TestACLPolicy_BuildSSHPolicy_WithUserInDstAndNonMatchingSrc(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"jane@example.com"}, Action: "accept",
Dst: []string{"john@example.com"}, Source: []string{"jane@example.com"},
Users: []string{"autogroup:nonroot"}, Destination: []string{"john@example.com"},
Users: []string{"autogroup:nonroot"},
},
}, },
}, },
} }
@@ -287,12 +304,14 @@ func TestACLPolicy_BuildSSHPolicy_WithUserInDstAndAutogroupMembersSrc(t *testing
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"autogroup:members"}, Action: "accept",
Dst: []string{"john@example.com"}, Source: []string{"autogroup:members"},
Users: []string{"autogroup:nonroot"}, Destination: []string{"john@example.com"},
Users: []string{"autogroup:nonroot"},
},
}, },
}, },
} }
@@ -323,12 +342,14 @@ func TestACLPolicy_BuildSSHPolicy_WithAutogroupSelfAndTagSrc(t *testing.T) {
p2 := createMachine("jane@example.com", "tag:web") p2 := createMachine("jane@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "accept", {
Src: []string{"tag:web"}, Action: "accept",
Dst: []string{"autogroup:self"}, Source: []string{"tag:web"},
Users: []string{"autogroup:nonroot"}, Destination: []string{"autogroup:self"},
Users: []string{"autogroup:nonroot"},
},
}, },
}, },
} }
@@ -345,12 +366,14 @@ func TestACLPolicy_BuildSSHPolicy_WithTagsAndActionCheck(t *testing.T) {
p2 := createMachine("jane@example.com", "tag:web") p2 := createMachine("jane@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
SSHRules: []SSHRule{ ionscale.ACLPolicy{
{ SSH: []ionscale.ACLSSH{
Action: "check", {
Src: []string{"tag:web"}, Action: "check",
Dst: []string{"tag:web"}, Source: []string{"tag:web"},
Users: []string{"autogroup:nonroot"}, Destination: []string{"tag:web"},
Users: []string{"autogroup:nonroot"},
},
}, },
}, },
} }
internal/domain/acl_test.go
+206 -160
View File
@@ -3,6 +3,7 @@ package domain
import ( import (
"encoding/json" "encoding/json"
"github.com/jsiebens/ionscale/internal/addr" "github.com/jsiebens/ionscale/internal/addr"
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"net/netip" "net/netip"
@@ -15,18 +16,20 @@ func TestACLPolicy_NodeAttributesWithWildcards(t *testing.T) {
p1 := createMachine("john@example.com") p1 := createMachine("john@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
NodeAttrs: []NodeAttr{ ionscale.ACLPolicy{
{ NodeAttrs: []ionscale.ACLNodeAttrGrant{
Target: []string{"*"}, {
Attr: []string{ Target: []string{"*"},
"attr1", Attr: []string{
"attr2", "attr1",
"attr2",
},
}, },
}, {
{ Target: []string{"*"},
Target: []string{"*"}, Attr: []string{
Attr: []string{ "attr3",
"attr3", },
}, },
}, },
}, },
@@ -46,21 +49,23 @@ func TestACLPolicy_NodeAttributesWithUserAndGroups(t *testing.T) {
p1 := createMachine("john@example.com") p1 := createMachine("john@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:admins": []string{"john@example.com"}, Groups: map[string][]string{
}, "group:admins": []string{"john@example.com"},
NodeAttrs: []NodeAttr{
{
Target: []string{"john@example.com"},
Attr: []string{
"attr1",
"attr2",
},
}, },
{ NodeAttrs: []ionscale.ACLNodeAttrGrant{
Target: []string{"jane@example.com", "group:analytics", "group:admins"}, {
Attr: []string{ Target: []string{"john@example.com"},
"attr3", Attr: []string{
"attr1",
"attr2",
},
},
{
Target: []string{"jane@example.com", "group:analytics", "group:admins"},
Attr: []string{
"attr3",
},
}, },
}, },
}, },
@@ -80,21 +85,23 @@ func TestACLPolicy_NodeAttributesWithUserAndTags(t *testing.T) {
p1 := createMachine("john@example.com", "tag:web") p1 := createMachine("john@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:admins": []string{"john@example.com"}, Groups: map[string][]string{
}, "group:admins": []string{"john@example.com"},
NodeAttrs: []NodeAttr{
{
Target: []string{"john@example.com"},
Attr: []string{
"attr1",
"attr2",
},
}, },
{ NodeAttrs: []ionscale.ACLNodeAttrGrant{
Target: []string{"jane@example.com", "tag:web"}, {
Attr: []string{ Target: []string{"john@example.com"},
"attr3", Attr: []string{
"attr1",
"attr2",
},
},
{
Target: []string{"jane@example.com", "tag:web"},
Attr: []string{
"attr3",
},
}, },
}, },
}, },
@@ -111,7 +118,9 @@ func TestACLPolicy_BuildFilterRulesEmptyACL(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{}, ionscale.ACLPolicy{
ACLs: []ionscale.ACLEntry{},
},
} }
dst := createMachine("john@example.com") dst := createMachine("john@example.com")
@@ -127,11 +136,13 @@ func TestACLPolicy_BuildFilterRulesWildcards(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"*:*"}, Source: []string{"*"},
Destination: []string{"*:*"},
},
}, },
}, },
} }
@@ -162,17 +173,19 @@ func TestACLPolicy_BuildFilterRulesProto(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"*:22"}, Source: []string{"*"},
}, Destination: []string{"*:22"},
{ },
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"*:*"}, Source: []string{"*"},
Proto: "igmp", Destination: []string{"*:*"},
Protocol: "igmp",
},
}, },
}, },
} }
@@ -217,20 +230,22 @@ func TestACLPolicy_BuildFilterRulesWithGroups(t *testing.T) {
p3 := createMachine("joe@example.com") p3 := createMachine("joe@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:admin": []string{"jane@example.com"}, Groups: map[string][]string{
"group:audit": []string{"nick@example.com"}, "group:admin": []string{"jane@example.com"},
}, "group:audit": []string{"nick@example.com"},
ACLs: []ACL{
{
Action: "accept",
Src: []string{"group:admin"},
Dst: []string{"*:22"},
}, },
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"group:audit"}, Action: "accept",
Dst: []string{"*:8000-8080"}, Source: []string{"group:admin"},
Destination: []string{"*:22"},
},
{
Action: "accept",
Source: []string{"group:audit"},
Destination: []string{"*:8000-8080"},
},
}, },
}, },
} }
@@ -280,11 +295,13 @@ func TestACLPolicy_BuildFilterRulesWithAutoGroupMembers(t *testing.T) {
p3 := createMachine("joe@example.com", "tag:web") p3 := createMachine("joe@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"autogroup:members"}, Action: "accept",
Dst: []string{"*:22"}, Source: []string{"autogroup:members"},
Destination: []string{"*:22"},
},
}, },
}, },
} }
@@ -323,11 +340,13 @@ func TestACLPolicy_BuildFilterRulesWithAutoGroupMember(t *testing.T) {
p3 := createMachine("joe@example.com", "tag:web") p3 := createMachine("joe@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"autogroup:member"}, Action: "accept",
Dst: []string{"*:22"}, Source: []string{"autogroup:member"},
Destination: []string{"*:22"},
},
}, },
}, },
} }
@@ -367,11 +386,13 @@ func TestACLPolicy_BuildFilterRulesWithAutoGroupTagged(t *testing.T) {
p3 := createMachine("joe@example.com", "tag:web") p3 := createMachine("joe@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"autogroup:tagged"}, Action: "accept",
Dst: []string{"*:22"}, Source: []string{"autogroup:tagged"},
Destination: []string{"*:22"},
},
}, },
}, },
} }
@@ -408,11 +429,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelf(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"autogroup:self:*"}, Source: []string{"*"},
Destination: []string{"autogroup:self:*"},
},
}, },
}, },
} }
@@ -453,11 +476,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelfAndTags(t *testing.T) {
p2 := createMachine("john@example.com", "tag:web") p2 := createMachine("john@example.com", "tag:web")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"autogroup:self:*"}, Source: []string{"*"},
Destination: []string{"autogroup:self:*"},
},
}, },
}, },
} }
@@ -499,11 +524,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelfAndOtherDestinations(t *testing.
p3 := createMachine("jane@example.com") p3 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"autogroup:self:22", "john@example.com:80"}, Source: []string{"*"},
Destination: []string{"autogroup:self:22", "john@example.com:80"},
},
}, },
}, },
} }
@@ -560,11 +587,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupInternet(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"nick@example.com"}, Action: "accept",
Dst: []string{"autogroup:internet:*"}, Source: []string{"nick@example.com"},
Destination: []string{"autogroup:internet:*"},
},
}, },
}, },
} }
@@ -601,11 +630,13 @@ func TestACLPolicy_BuildFilterRulesAutogroupInternet(t *testing.T) {
func TestWithUser(t *testing.T) { func TestWithUser(t *testing.T) {
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"john@example.com:*"}, Source: []string{"*"},
Destination: []string{"john@example.com:*"},
},
}, },
}, },
} }
@@ -618,14 +649,16 @@ func TestWithUser(t *testing.T) {
func TestWithGroup(t *testing.T) { func TestWithGroup(t *testing.T) {
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:admin": {"john@example.com"}, Groups: map[string][]string{
}, "group:admin": {"john@example.com"},
ACLs: []ACL{ },
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"group:admin:*"}, Source: []string{"*"},
Destination: []string{"group:admin:*"},
},
}, },
}, },
} }
@@ -637,11 +670,13 @@ func TestWithGroup(t *testing.T) {
func TestWithTags(t *testing.T) { func TestWithTags(t *testing.T) {
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"*"}, Action: "accept",
Dst: []string{"tag:web:*"}, Source: []string{"*"},
Destination: []string{"tag:web:*"},
},
}, },
}, },
} }
@@ -657,15 +692,17 @@ func TestWithHosts(t *testing.T) {
dst2 := createMachine("john@example.com") dst2 := createMachine("john@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
Hosts: map[string]string{ ionscale.ACLPolicy{
"dst1": dst1.IPv4.String(), Hosts: map[string]string{
}, "dst1": dst1.IPv4.String(),
ACLs: []ACL{ },
ACLs: []ionscale.ACLEntry{
{ {
Action: "accept", Action: "accept",
Src: []string{"*"}, Source: []string{"*"},
Dst: []string{"dst1:*"}, Destination: []string{"dst1:*"},
},
}, },
}, },
} }
@@ -695,12 +732,13 @@ func createMachine(user string, tags ...string) *Machine {
func TestACLPolicy_IsTagOwner(t *testing.T) { func TestACLPolicy_IsTagOwner(t *testing.T) {
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:engineers": {"jane@example.com"}, Groups: map[string][]string{
}, "group:engineers": {"jane@example.com"},
TagOwners: map[string][]string{ },
"tag:web": {"john@example.com", "group:engineers"}, TagOwners: map[string][]string{
}} "tag:web": {"john@example.com", "group:engineers"},
}}}
testCases := []struct { testCases := []struct {
name string name string
@@ -780,15 +818,17 @@ func TestACLPolicy_FindAutoApprovedIPs(t *testing.T) {
route3 := netip.MustParsePrefix("10.162.0.0/20") route3 := netip.MustParsePrefix("10.162.0.0/20")
policy := ACLPolicy{ policy := ACLPolicy{
Groups: map[string][]string{ ionscale.ACLPolicy{
"group:admins": {"jane@example.com"}, Groups: map[string][]string{
}, "group:admins": {"jane@example.com"},
AutoApprovers: &AutoApprovers{ },
Routes: map[string][]string{ AutoApprovers: &ionscale.ACLAutoApprovers{
route1.String(): {"group:admins"}, Routes: map[string][]string{
route2.String(): {"john@example.com", "tag:router"}, route1.String(): {"group:admins"},
route2.String(): {"john@example.com", "tag:router"},
},
ExitNode: []string{"nick@example.com"},
}, },
ExitNode: []string{"nick@example.com"},
}, },
} }
@@ -872,11 +912,13 @@ func TestACLPolicy_BuildFilterRulesWithAdvertisedRoutes(t *testing.T) {
p1 := createMachine("john@example.com", "tag:trusted") p1 := createMachine("john@example.com", "tag:trusted")
policy := ACLPolicy{ policy := ACLPolicy{
ACLs: []ACL{ ionscale.ACLPolicy{
{ ACLs: []ionscale.ACLEntry{
Action: "accept", {
Src: []string{"tag:trusted"}, Action: "accept",
Dst: []string{"fd7a:115c:a1e0:b1a:0:1:a3c:0/120:*"}, Source: []string{"tag:trusted"},
Destination: []string{"fd7a:115c:a1e0:b1a:0:1:a3c:0/120:*"},
},
}, },
}, },
} }
@@ -911,11 +953,13 @@ func TestACLPolicy_BuildFilterRulesWildcardGrants(t *testing.T) {
p2 := createMachine("jane@example.com") p2 := createMachine("jane@example.com")
policy := ACLPolicy{ policy := ACLPolicy{
Grants: []Grant{ ionscale.ACLPolicy{
{ Grants: []ionscale.ACLGrant{
Src: []string{"*"}, {
Dst: []string{"*"}, Source: []string{"*"},
IP: ranges, Destination: []string{"*"},
IP: ranges,
},
}, },
}, },
} }
@@ -955,12 +999,14 @@ func TestACLPolicy_BuildFilterRulesWithAppGrants(t *testing.T) {
marshal, _ := json.Marshal(mycap) marshal, _ := json.Marshal(mycap)
policy := ACLPolicy{ policy := ACLPolicy{
Grants: []Grant{ ionscale.ACLPolicy{
{ Grants: []ionscale.ACLGrant{
Src: []string{"*"}, {
Dst: []string{"*"}, Source: []string{"*"},
App: map[tailcfg.PeerCapability][]tailcfg.RawMessage{ Destination: []string{"*"},
tailcfg.PeerCapability("localtest.me/cap/test"): {tailcfg.RawMessage(marshal)}, App: map[tailcfg.PeerCapability][]tailcfg.RawMessage{
tailcfg.PeerCapability("localtest.me/cap/test"): {tailcfg.RawMessage(marshal)},
},
}, },
}, },
}, },
internal/domain/datatypes.go
+87
View File
@@ -0,0 +1,87 @@
package domain
import (
"database/sql/driver"
"encoding/json"
"fmt"
"github.com/tailscale/hujson"
)
func NewHuJSON[T any](t *T) HuJSON[T] {
marshal, _ := json.Marshal(t)
return HuJSON[T]{
v: string(marshal),
t: t,
}
}
func ParseHuJson[T any](v string) (*HuJSON[T], error) {
ast, err := hujson.Parse([]byte(v))
if err != nil {
return nil, err
}
ast.Format()
formatted := string(ast.Pack())
ast.Standardize()
t := new(T)
if err := json.Unmarshal(ast.Pack(), t); err != nil {
return nil, err
}
return &HuJSON[T]{v: formatted, t: t}, nil
}
type HuJSON[T any] struct {
v string
t *T
}
func (h *HuJSON[T]) Get() *T {
return h.t
}
func (h *HuJSON[T]) String() string {
return h.v
}
func (i *HuJSON[T]) Equal(x *HuJSON[T]) bool {
if i == nil && x == nil {
return true
}
if (i == nil) != (x == nil) {
return false
}
return i.v == x.v
}
func (h HuJSON[T]) Value() (driver.Value, error) {
if len(h.v) == 0 {
return nil, nil
}
return h.v, nil
}
func (h *HuJSON[T]) Scan(destination interface{}) error {
var v string
switch value := destination.(type) {
case string:
v = value
case []byte:
v = string(value)
default:
return fmt.Errorf("unexpected data type %T", destination)
}
next, err := hujson.Standardize([]byte(v))
if err != nil {
return err
}
var n = new(T)
if err := json.Unmarshal(next, n); err != nil {
return err
}
h.v = v
h.t = n
return nil
}
internal/domain/tailnet.go
+2 -2
View File
@@ -13,8 +13,8 @@ type Tailnet struct {
ID uint64 `gorm:"primary_key"` ID uint64 `gorm:"primary_key"`
Name string Name string
DNSConfig DNSConfig DNSConfig DNSConfig
IAMPolicy IAMPolicy IAMPolicy HuJSON[IAMPolicy]
ACLPolicy ACLPolicy ACLPolicy HuJSON[ACLPolicy]
DERPMap DERPMap DERPMap DERPMap
ServiceCollectionEnabled bool ServiceCollectionEnabled bool
FileSharingEnabled bool FileSharingEnabled bool
internal/handlers/authentication.go
+3 -3
View File
@@ -447,7 +447,7 @@ func (h *AuthenticationHandlers) endMachineRegistrationFlow(c echo.Context, form
ephemeral = false ephemeral = false
} }
if err := tailnet.ACLPolicy.CheckTagOwners(registrationRequest.Data.Hostinfo.RequestTags, user); err != nil { if err := tailnet.ACLPolicy.Get().CheckTagOwners(registrationRequest.Data.Hostinfo.RequestTags, user); err != nil {
registrationRequest.Authenticated = false registrationRequest.Authenticated = false
registrationRequest.Error = err.Error() registrationRequest.Error = err.Error()
if err := h.repository.SaveRegistrationRequest(ctx, registrationRequest); err != nil { if err := h.repository.SaveRegistrationRequest(ctx, registrationRequest); err != nil {
@@ -456,7 +456,7 @@ func (h *AuthenticationHandlers) endMachineRegistrationFlow(c echo.Context, form
return c.Redirect(http.StatusFound, "/a/error?e=nto") return c.Redirect(http.StatusFound, "/a/error?e=nto")
} }
autoAllowIPs := tailnet.ACLPolicy.FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, user) autoAllowIPs := tailnet.ACLPolicy.Get().FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, user)
var m *domain.Machine var m *domain.Machine
@@ -573,7 +573,7 @@ func (h *AuthenticationHandlers) listAvailableTailnets(ctx context.Context, u *a
return nil, err return nil, err
} }
for _, t := range tailnets { for _, t := range tailnets {
approved, err := t.IAMPolicy.EvaluatePolicy(&domain.Identity{UserID: u.ID, Email: u.Name, Attr: u.Attr}) approved, err := t.IAMPolicy.Get().EvaluatePolicy(&domain.Identity{UserID: u.ID, Email: u.Name, Attr: u.Attr})
if err != nil { if err != nil {
return nil, err return nil, err
} }
internal/handlers/registration.go
+2 -2
View File
@@ -160,7 +160,7 @@ func (h *RegistrationHandlers) authenticateMachineWithAuthKey(c echo.Context, ma
tailnet := authKey.Tailnet tailnet := authKey.Tailnet
user := authKey.User user := authKey.User
if err := tailnet.ACLPolicy.CheckTagOwners(req.Hostinfo.RequestTags, &user); err != nil { if err := tailnet.ACLPolicy.Get().CheckTagOwners(req.Hostinfo.RequestTags, &user); err != nil {
response := tailcfg.RegisterResponse{MachineAuthorized: false, Error: err.Error()} response := tailcfg.RegisterResponse{MachineAuthorized: false, Error: err.Error()}
return c.JSON(http.StatusOK, response) return c.JSON(http.StatusOK, response)
} }
@@ -169,7 +169,7 @@ func (h *RegistrationHandlers) authenticateMachineWithAuthKey(c echo.Context, ma
advertisedTags := domain.SanitizeTags(req.Hostinfo.RequestTags) advertisedTags := domain.SanitizeTags(req.Hostinfo.RequestTags)
tags := append(registeredTags, advertisedTags...) tags := append(registeredTags, advertisedTags...)
autoAllowIPs := tailnet.ACLPolicy.FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, &user) autoAllowIPs := tailnet.ACLPolicy.Get().FindAutoApprovedIPs(req.Hostinfo.RoutableIPs, tags, &user)
var m *domain.Machine var m *domain.Machine
internal/mapping/mapping.go
+2 -2
View File
@@ -85,7 +85,7 @@ func ToDNSConfig(m *domain.Machine, tailnet *domain.Tailnet, c *domain.DNSConfig
} }
func ToNode(capVer tailcfg.CapabilityVersion, m *domain.Machine, tailnet *domain.Tailnet, taggedDevicesUser *domain.User, peer bool, connected bool, routeFilter func(m *domain.Machine) []netip.Prefix) (*tailcfg.Node, *tailcfg.UserProfile, error) { func ToNode(capVer tailcfg.CapabilityVersion, m *domain.Machine, tailnet *domain.Tailnet, taggedDevicesUser *domain.User, peer bool, connected bool, routeFilter func(m *domain.Machine) []netip.Prefix) (*tailcfg.Node, *tailcfg.UserProfile, error) {
role := tailnet.IAMPolicy.GetRole(m.User) role := tailnet.IAMPolicy.Get().GetRole(m.User)
nKey, err := util.ParseNodePublicKey(m.NodeKey) nKey, err := util.ParseNodePublicKey(m.NodeKey)
if err != nil { if err != nil {
@@ -179,7 +179,7 @@ func ToNode(capVer tailcfg.CapabilityVersion, m *domain.Machine, tailnet *domain
var capabilities []tailcfg.NodeCapability var capabilities []tailcfg.NodeCapability
capMap := make(tailcfg.NodeCapMap) capMap := make(tailcfg.NodeCapMap)
for _, c := range tailnet.ACLPolicy.NodeCapabilities(m) { for _, c := range tailnet.ACLPolicy.Get().NodeCapabilities(m) {
capabilities = append(capabilities, c) capabilities = append(capabilities, c)
capMap[c] = []tailcfg.RawMessage{} capMap[c] = []tailcfg.RawMessage{}
} }
internal/mapping/poll_net_mapper.go
+1 -1
View File
@@ -53,7 +53,7 @@ func (h *PollNetMapper) CreateMapResponse(ctx context.Context, delta bool) (*Map
hostinfo := tailcfg.Hostinfo(m.HostInfo) hostinfo := tailcfg.Hostinfo(m.HostInfo)
tailnet := m.Tailnet tailnet := m.Tailnet
policies := tailnet.ACLPolicy policies := tailnet.ACLPolicy.Get()
dnsConfig := tailnet.DNSConfig dnsConfig := tailnet.DNSConfig
serviceUser, _, err := h.repository.GetOrCreateServiceUser(ctx, &tailnet) serviceUser, _, err := h.repository.GetOrCreateServiceUser(ctx, &tailnet)
internal/service/acl.go
+8 -13
View File
@@ -5,7 +5,6 @@ import (
"fmt" "fmt"
"github.com/bufbuild/connect-go" "github.com/bufbuild/connect-go"
"github.com/jsiebens/ionscale/internal/domain" "github.com/jsiebens/ionscale/internal/domain"
"github.com/jsiebens/ionscale/internal/mapping"
api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
) )
@@ -23,12 +22,7 @@ func (s *Service) GetACLPolicy(ctx context.Context, req *connect.Request[api.Get
return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist"))
} }
var policy api.ACLPolicy return connect.NewResponse(&api.GetACLPolicyResponse{Policy: tailnet.ACLPolicy.String()}), nil
if err := mapping.CopyViaJson(&tailnet.ACLPolicy, &policy); err != nil {
return nil, logError(err)
}
return connect.NewResponse(&api.GetACLPolicyResponse{Policy: &policy}), nil
} }
func (s *Service) SetACLPolicy(ctx context.Context, req *connect.Request[api.SetACLPolicyRequest]) (*connect.Response[api.SetACLPolicyResponse], error) { func (s *Service) SetACLPolicy(ctx context.Context, req *connect.Request[api.SetACLPolicyRequest]) (*connect.Response[api.SetACLPolicyResponse], error) {
@@ -45,17 +39,18 @@ func (s *Service) SetACLPolicy(ctx context.Context, req *connect.Request[api.Set
return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist"))
} }
oldPolicy := tailnet.ACLPolicy newPolicy, err := domain.ParseHuJson[domain.ACLPolicy](req.Msg.Policy)
var newPolicy domain.ACLPolicy if err != nil {
if err := mapping.CopyViaJson(req.Msg.Policy, &newPolicy); err != nil { return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid acl policy: %w", err))
return nil, logError(err)
} }
if oldPolicy.Equal(&newPolicy) { oldPolicy := tailnet.ACLPolicy
if oldPolicy.Equal(newPolicy) {
return connect.NewResponse(&api.SetACLPolicyResponse{}), nil return connect.NewResponse(&api.SetACLPolicyResponse{}), nil
} }
tailnet.ACLPolicy = newPolicy tailnet.ACLPolicy = *newPolicy
if err := s.repository.SaveTailnet(ctx, tailnet); err != nil { if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
return nil, logError(err) return nil, logError(err)
} }
internal/service/auth_keys.go
+1 -1
View File
@@ -135,7 +135,7 @@ func (s *Service) CreateAuthKey(ctx context.Context, req *connect.Request[api.Cr
} }
if !principal.IsSystemAdmin() { if !principal.IsSystemAdmin() {
if err := tailnet.ACLPolicy.CheckTagOwners(req.Msg.Tags, principal.User); err != nil { if err := tailnet.ACLPolicy.Get().CheckTagOwners(req.Msg.Tags, principal.User); err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err) return nil, connect.NewError(connect.CodeInvalidArgument, err)
} }
} }
internal/service/iam.go
+9 -34
View File
@@ -22,14 +22,7 @@ func (s *Service) GetIAMPolicy(ctx context.Context, req *connect.Request[api.Get
return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist"))
} }
policy := &api.IAMPolicy{ return connect.NewResponse(&api.GetIAMPolicyResponse{Policy: tailnet.IAMPolicy.String()}), nil
Subs: tailnet.IAMPolicy.Subs,
Emails: tailnet.IAMPolicy.Emails,
Filters: tailnet.IAMPolicy.Filters,
Roles: domainRolesMapToApiRolesMap(tailnet.IAMPolicy.Roles),
}
return connect.NewResponse(&api.GetIAMPolicyResponse{Policy: policy}), nil
} }
func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.SetIAMPolicyRequest]) (*connect.Response[api.SetIAMPolicyResponse], error) { func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.SetIAMPolicyRequest]) (*connect.Response[api.SetIAMPolicyResponse], error) {
@@ -46,23 +39,21 @@ func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.Set
return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist")) return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist"))
} }
if err := validateIamPolicy(req.Msg.Policy); err != nil { newPolicy, err := domain.ParseHuJson[domain.IAMPolicy](req.Msg.Policy)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
}
if err := validateIamPolicy(newPolicy.Get()); err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
} }
oldPolicy := tailnet.IAMPolicy oldPolicy := tailnet.IAMPolicy
newPolicy := domain.IAMPolicy{ if oldPolicy.Equal(newPolicy) {
Subs: req.Msg.Policy.Subs,
Emails: req.Msg.Policy.Emails,
Filters: req.Msg.Policy.Filters,
Roles: apiRolesMapToDomainRolesMap(req.Msg.Policy.Roles),
}
if oldPolicy.Equal(&newPolicy) {
return connect.NewResponse(&api.SetIAMPolicyResponse{}), nil return connect.NewResponse(&api.SetIAMPolicyResponse{}), nil
} }
tailnet.IAMPolicy = newPolicy tailnet.IAMPolicy = *newPolicy
if err := s.repository.SaveTailnet(ctx, tailnet); err != nil { if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
return nil, logError(err) return nil, logError(err)
@@ -70,19 +61,3 @@ func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.Set
return connect.NewResponse(&api.SetIAMPolicyResponse{}), nil return connect.NewResponse(&api.SetIAMPolicyResponse{}), nil
} }
func apiRolesMapToDomainRolesMap(values map[string]string) map[string]domain.UserRole {
var result = map[string]domain.UserRole{}
for k, v := range values {
result[k] = domain.UserRole(v)
}
return result
}
func domainRolesMapToApiRolesMap(values map[string]domain.UserRole) map[string]string {
var result = map[string]string{}
for k, v := range values {
result[k] = string(v)
}
return result
}
internal/service/interceptors.go
+1 -1
View File
@@ -64,7 +64,7 @@ func exchangeToken(ctx context.Context, systemAdminKey *key.ServerPrivate, repos
if err == nil && apiKey != nil { if err == nil && apiKey != nil {
user := apiKey.User user := apiKey.User
tailnet := apiKey.Tailnet tailnet := apiKey.Tailnet
role := tailnet.IAMPolicy.GetRole(user) role := tailnet.IAMPolicy.Get().GetRole(user)
return &domain.Principal{User: &apiKey.User, SystemRole: domain.SystemRoleNone, UserRole: role} return &domain.Principal{User: &apiKey.User, SystemRole: domain.SystemRoleNone, UserRole: role}
} }
internal/service/service.go
+1 -1
View File
@@ -41,7 +41,7 @@ func (s *Service) GetVersion(_ context.Context, _ *connect.Request[api.GetVersio
}), nil }), nil
} }
func validateIamPolicy(p *api.IAMPolicy) error { func validateIamPolicy(p *domain.IAMPolicy) error {
var mErr *multierror.Error var mErr *multierror.Error
for i, exp := range p.Filters { for i, exp := range p.Filters {
if _, err := grammar.Parse(fmt.Sprintf("filter %d", i), []byte(exp)); err != nil { if _, err := grammar.Parse(fmt.Sprintf("filter %d", i), []byte(exp)); err != nil {
internal/service/tailnet.go
+33 -39
View File
@@ -6,7 +6,6 @@ import (
"fmt" "fmt"
"github.com/bufbuild/connect-go" "github.com/bufbuild/connect-go"
"github.com/jsiebens/ionscale/internal/domain" "github.com/jsiebens/ionscale/internal/domain"
"github.com/jsiebens/ionscale/internal/mapping"
"github.com/jsiebens/ionscale/internal/util" "github.com/jsiebens/ionscale/internal/util"
"github.com/jsiebens/ionscale/pkg/defaults" "github.com/jsiebens/ionscale/pkg/defaults"
api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
@@ -17,8 +16,8 @@ func domainTailnetToApiTailnet(tailnet *domain.Tailnet) (*api.Tailnet, error) {
t := &api.Tailnet{ t := &api.Tailnet{
Id: tailnet.ID, Id: tailnet.ID,
Name: tailnet.Name, Name: tailnet.Name,
IamPolicy: new(api.IAMPolicy), IamPolicy: tailnet.IAMPolicy.String(),
AclPolicy: new(api.ACLPolicy), AclPolicy: tailnet.ACLPolicy.String(),
DnsConfig: domainDNSConfigToApiDNSConfig(tailnet), DnsConfig: domainDNSConfigToApiDNSConfig(tailnet),
ServiceCollectionEnabled: tailnet.ServiceCollectionEnabled, ServiceCollectionEnabled: tailnet.ServiceCollectionEnabled,
FileSharingEnabled: tailnet.FileSharingEnabled, FileSharingEnabled: tailnet.FileSharingEnabled,
@@ -26,14 +25,6 @@ func domainTailnetToApiTailnet(tailnet *domain.Tailnet) (*api.Tailnet, error) {
MachineAuthorizationEnabled: tailnet.MachineAuthorizationEnabled, MachineAuthorizationEnabled: tailnet.MachineAuthorizationEnabled,
} }
if err := mapping.CopyViaJson(tailnet.IAMPolicy, t.IamPolicy); err != nil {
return nil, err
}
if err := mapping.CopyViaJson(tailnet.ACLPolicy, t.AclPolicy); err != nil {
return nil, err
}
return t, nil return t, nil
} }
@@ -51,12 +42,26 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("tailnet with name '%s' already exists", req.Msg.Name)) return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("tailnet with name '%s' already exists", req.Msg.Name))
} }
if req.Msg.IamPolicy == nil { iamPolicy := domain.NewHuJSON(&domain.IAMPolicy{})
req.Msg.IamPolicy = defaults.DefaultIAMPolicy() aclPolicy := domain.NewHuJSON(&domain.ACLPolicy{ACLPolicy: *defaults.DefaultACLPolicy()})
if req.Msg.IamPolicy != "" {
newPolicy, err := domain.ParseHuJson[domain.IAMPolicy](req.Msg.IamPolicy)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
}
if err := validateIamPolicy(newPolicy.Get()); err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
}
iamPolicy = *newPolicy
} }
if req.Msg.AclPolicy == nil { if req.Msg.AclPolicy != "" {
req.Msg.AclPolicy = defaults.DefaultACLPolicy() newPolicy, err := domain.ParseHuJson[domain.ACLPolicy](req.Msg.AclPolicy)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid acl policy: %w", err))
}
aclPolicy = *newPolicy
} }
if req.Msg.DnsConfig == nil { if req.Msg.DnsConfig == nil {
@@ -66,8 +71,8 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
tailnet := &domain.Tailnet{ tailnet := &domain.Tailnet{
ID: util.NextID(), ID: util.NextID(),
Name: req.Msg.Name, Name: req.Msg.Name,
IAMPolicy: domain.IAMPolicy{}, IAMPolicy: iamPolicy,
ACLPolicy: domain.ACLPolicy{}, ACLPolicy: aclPolicy,
DNSConfig: apiDNSConfigToDomainDNSConfig(req.Msg.DnsConfig), DNSConfig: apiDNSConfigToDomainDNSConfig(req.Msg.DnsConfig),
ServiceCollectionEnabled: req.Msg.ServiceCollectionEnabled, ServiceCollectionEnabled: req.Msg.ServiceCollectionEnabled,
FileSharingEnabled: req.Msg.FileSharingEnabled, FileSharingEnabled: req.Msg.FileSharingEnabled,
@@ -75,18 +80,6 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
MachineAuthorizationEnabled: req.Msg.MachineAuthorizationEnabled, MachineAuthorizationEnabled: req.Msg.MachineAuthorizationEnabled,
} }
if err := validateIamPolicy(req.Msg.IamPolicy); err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
}
if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil {
return nil, logError(err)
}
if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil {
return nil, logError(err)
}
if err := s.repository.SaveTailnet(ctx, tailnet); err != nil { if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
return nil, logError(err) return nil, logError(err)
} }
@@ -116,22 +109,23 @@ func (s *Service) UpdateTailnet(ctx context.Context, req *connect.Request[api.Up
return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet not found")) return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet not found"))
} }
if req.Msg.IamPolicy != nil { if req.Msg.IamPolicy != "" {
if err := validateIamPolicy(req.Msg.IamPolicy); err != nil { newPolicy, err := domain.ParseHuJson[domain.IAMPolicy](req.Msg.IamPolicy)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err)) return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
} }
if err := validateIamPolicy(newPolicy.Get()); err != nil {
tailnet.IAMPolicy = domain.IAMPolicy{} return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil {
return nil, logError(err)
} }
tailnet.IAMPolicy = *newPolicy
} }
if req.Msg.AclPolicy != nil { if req.Msg.AclPolicy != "" {
tailnet.ACLPolicy = domain.ACLPolicy{} newPolicy, err := domain.ParseHuJson[domain.ACLPolicy](req.Msg.AclPolicy)
if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil { if err != nil {
return nil, logError(err) return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid acl policy: %w", err))
} }
tailnet.ACLPolicy = *newPolicy
} }
if req.Msg.DnsConfig != nil { if req.Msg.DnsConfig != nil {
internal/service/users.go
+1 -1
View File
@@ -34,7 +34,7 @@ func (s *Service) ListUsers(ctx context.Context, req *connect.Request[api.ListUs
resp.Users = append(resp.Users, &api.User{ resp.Users = append(resp.Users, &api.User{
Id: u.ID, Id: u.ID,
Name: u.Name, Name: u.Name,
Role: string(tailnet.IAMPolicy.GetRole(u)), Role: string(tailnet.IAMPolicy.Get().GetRole(u)),
}) })
} }
pkg/client/ionscale/types.go
+66
View File
@@ -0,0 +1,66 @@
package ionscale
import (
"encoding/json"
"tailscale.com/tailcfg"
)
type IAMPolicy struct {
Subs []string `json:"subs,omitempty" hujson:"Subs,omitempty"`
Emails []string `json:"emails,omitempty" hujson:"Emails,omitempty"`
Filters []string `json:"filters,omitempty" hujson:"Filters,omitempty"`
Roles map[string]string `json:"roles,omitempty" hujson:"Roles,omitempty"`
}
func (a IAMPolicy) Marshal() string {
indent, _ := json.MarshalIndent(&a, "", " ")
return string(indent)
}
type ACLPolicy struct {
Groups map[string][]string `json:"groups,omitempty" hujson:"Groups,omitempty"`
Hosts map[string]string `json:"hosts,omitempty" hujson:"Hosts,omitempty"`
ACLs []ACLEntry `json:"acls,omitempty" hujson:"ACLs,omitempty"`
TagOwners map[string][]string `json:"tagOwners,omitempty" hujson:"TagOwners,omitempty"`
AutoApprovers *ACLAutoApprovers `json:"autoApprovers,omitempty" hujson:"AutoApprovers,omitempty"`
SSH []ACLSSH `json:"ssh,omitempty" hujson:"SSH,omitempty"`
NodeAttrs []ACLNodeAttrGrant `json:"nodeAttrs,omitempty" hujson:"NodeAttrs,omitempty"`
Grants []ACLGrant `json:"grants,omitempty" hujson:"Grants,omitempty"`
}
func (a ACLPolicy) Marshal() string {
indent, _ := json.MarshalIndent(&a, "", " ")
return string(indent)
}
type ACLAutoApprovers struct {
Routes map[string][]string `json:"routes,omitempty" hujson:"Routes,omitempty"`
ExitNode []string `json:"exitNode,omitempty" hujson:"ExitNode,omitempty"`
}
type ACLEntry struct {
Action string `json:"action,omitempty" hujson:"Action,omitempty"`
Protocol string `json:"proto,omitempty" hujson:"Proto,omitempty"`
Source []string `json:"src,omitempty" hujson:"Src,omitempty"`
Destination []string `json:"dst,omitempty" hujson:"Dst,omitempty"`
}
type ACLSSH struct {
Action string `json:"action,omitempty" hujson:"Action,omitempty"`
Users []string `json:"users,omitempty" hujson:"Users,omitempty"`
Source []string `json:"src,omitempty" hujson:"Src,omitempty"`
Destination []string `json:"dst,omitempty" hujson:"Dst,omitempty"`
CheckPeriod string `json:"checkPeriod,omitempty" hujson:"CheckPeriod,omitempty"`
}
type ACLNodeAttrGrant struct {
Target []string `json:"target,omitempty" hujson:"Target,omitempty"`
Attr []string `json:"attr,omitempty" hujson:"Attr,omitempty"`
}
type ACLGrant struct {
Source []string `json:"src,omitempty" hujson:"Src,omitempty"`
Destination []string `json:"dst,omitempty" hujson:"Dst,omitempty"`
IP []tailcfg.ProtoPortRange `json:"ip,omitempty" hujson:"Ip,omitempty"`
App tailcfg.PeerCapMap `json:"app,omitempty" hujson:"App,omitempty"`
}
pkg/defaults/defaults.go
+19 -16
View File
@@ -1,31 +1,34 @@
package defaults package defaults
import ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" import (
"github.com/jsiebens/ionscale/pkg/client/ionscale"
ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
)
func DefaultACLPolicy() *ionscalev1.ACLPolicy { func DefaultIAMPolicy() *ionscale.IAMPolicy {
return &ionscalev1.ACLPolicy{ return &ionscale.IAMPolicy{}
Acls: []*ionscalev1.ACL{ }
func DefaultACLPolicy() *ionscale.ACLPolicy {
return &ionscale.ACLPolicy{
ACLs: []ionscale.ACLEntry{
{ {
Action: "accept", Action: "accept",
Src: []string{"*"}, Source: []string{"*"},
Dst: []string{"*:*"}, Destination: []string{"*:*"},
}, },
}, },
Ssh: []*ionscalev1.SSHRule{ SSH: []ionscale.ACLSSH{
{ {
Action: "check", Action: "check",
Src: []string{"autogroup:member"}, Source: []string{"autogroup:member"},
Dst: []string{"autogroup:self"}, Destination: []string{"autogroup:self"},
Users: []string{"autogroup:nonroot", "root"}, Users: []string{"autogroup:nonroot", "root"},
}, },
}, },
} }
} }
func DefaultIAMPolicy() *ionscalev1.IAMPolicy {
return &ionscalev1.IAMPolicy{}
}
func DefaultDNSConfig() *ionscalev1.DNSConfig { func DefaultDNSConfig() *ionscalev1.DNSConfig {
return &ionscalev1.DNSConfig{ return &ionscalev1.DNSConfig{
MagicDns: true, MagicDns: true,
pkg/gen/ionscale/v1/acl.pb.go
+31 -657
View File
@@ -9,7 +9,6 @@ package ionscalev1
import ( import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl" protoimpl "google.golang.org/protobuf/runtime/protoimpl"
structpb "google.golang.org/protobuf/types/known/structpb"
reflect "reflect" reflect "reflect"
sync "sync" sync "sync"
) )
@@ -73,7 +72,7 @@ type GetACLPolicyResponse struct {
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
Policy *ACLPolicy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` Policy string `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
} }
func (x *GetACLPolicyResponse) Reset() { func (x *GetACLPolicyResponse) Reset() {
@@ -108,11 +107,11 @@ func (*GetACLPolicyResponse) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{1} return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{1}
} }
func (x *GetACLPolicyResponse) GetPolicy() *ACLPolicy { func (x *GetACLPolicyResponse) GetPolicy() string {
if x != nil { if x != nil {
return x.Policy return x.Policy
} }
return nil return ""
} }
type SetACLPolicyRequest struct { type SetACLPolicyRequest struct {
@@ -120,8 +119,8 @@ type SetACLPolicyRequest struct {
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"`
Policy *ACLPolicy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` Policy string `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"`
} }
func (x *SetACLPolicyRequest) Reset() { func (x *SetACLPolicyRequest) Reset() {
@@ -163,11 +162,11 @@ func (x *SetACLPolicyRequest) GetTailnetId() uint64 {
return 0 return 0
} }
func (x *SetACLPolicyRequest) GetPolicy() *ACLPolicy { func (x *SetACLPolicyRequest) GetPolicy() string {
if x != nil { if x != nil {
return x.Policy return x.Policy
} }
return nil return ""
} }
type SetACLPolicyResponse struct { type SetACLPolicyResponse struct {
@@ -208,553 +207,29 @@ func (*SetACLPolicyResponse) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{3} return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{3}
} }
type ACLPolicy struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Hosts map[string]string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Groups map[string]*structpb.ListValue `protobuf:"bytes,2,rep,name=groups,proto3" json:"groups,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Acls []*ACL `protobuf:"bytes,3,rep,name=acls,proto3" json:"acls,omitempty"`
Tagowners map[string]*structpb.ListValue `protobuf:"bytes,4,rep,name=tagowners,proto3" json:"tagowners,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Autoapprovers *AutoApprovers `protobuf:"bytes,5,opt,name=autoapprovers,proto3,oneof" json:"autoapprovers,omitempty"`
Ssh []*SSHRule `protobuf:"bytes,6,rep,name=ssh,proto3" json:"ssh,omitempty"`
Nodeattrs []*NodeAttr `protobuf:"bytes,7,rep,name=nodeattrs,proto3" json:"nodeattrs,omitempty"`
Grants []*ACLGrant `protobuf:"bytes,8,rep,name=grants,proto3" json:"grants,omitempty"`
}
func (x *ACLPolicy) Reset() {
*x = ACLPolicy{}
if protoimpl.UnsafeEnabled {
mi := &file_ionscale_v1_acl_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ACLPolicy) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ACLPolicy) ProtoMessage() {}
func (x *ACLPolicy) ProtoReflect() protoreflect.Message {
mi := &file_ionscale_v1_acl_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ACLPolicy.ProtoReflect.Descriptor instead.
func (*ACLPolicy) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{4}
}
func (x *ACLPolicy) GetHosts() map[string]string {
if x != nil {
return x.Hosts
}
return nil
}
func (x *ACLPolicy) GetGroups() map[string]*structpb.ListValue {
if x != nil {
return x.Groups
}
return nil
}
func (x *ACLPolicy) GetAcls() []*ACL {
if x != nil {
return x.Acls
}
return nil
}
func (x *ACLPolicy) GetTagowners() map[string]*structpb.ListValue {
if x != nil {
return x.Tagowners
}
return nil
}
func (x *ACLPolicy) GetAutoapprovers() *AutoApprovers {
if x != nil {
return x.Autoapprovers
}
return nil
}
func (x *ACLPolicy) GetSsh() []*SSHRule {
if x != nil {
return x.Ssh
}
return nil
}
func (x *ACLPolicy) GetNodeattrs() []*NodeAttr {
if x != nil {
return x.Nodeattrs
}
return nil
}
func (x *ACLPolicy) GetGrants() []*ACLGrant {
if x != nil {
return x.Grants
}
return nil
}
type ACL struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Action string `protobuf:"bytes,1,opt,name=action,proto3" json:"action,omitempty"`
Src []string `protobuf:"bytes,2,rep,name=src,proto3" json:"src,omitempty"`
Dst []string `protobuf:"bytes,3,rep,name=dst,proto3" json:"dst,omitempty"`
Proto string `protobuf:"bytes,4,opt,name=proto,proto3" json:"proto,omitempty"`
}
func (x *ACL) Reset() {
*x = ACL{}
if protoimpl.UnsafeEnabled {
mi := &file_ionscale_v1_acl_proto_msgTypes[5]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ACL) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ACL) ProtoMessage() {}
func (x *ACL) ProtoReflect() protoreflect.Message {
mi := &file_ionscale_v1_acl_proto_msgTypes[5]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ACL.ProtoReflect.Descriptor instead.
func (*ACL) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{5}
}
func (x *ACL) GetAction() string {
if x != nil {
return x.Action
}
return ""
}
func (x *ACL) GetSrc() []string {
if x != nil {
return x.Src
}
return nil
}
func (x *ACL) GetDst() []string {
if x != nil {
return x.Dst
}
return nil
}
func (x *ACL) GetProto() string {
if x != nil {
return x.Proto
}
return ""
}
type AutoApprovers struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Routes map[string]*structpb.ListValue `protobuf:"bytes,1,rep,name=routes,proto3" json:"routes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Exitnode []string `protobuf:"bytes,2,rep,name=exitnode,proto3" json:"exitnode,omitempty"`
}
func (x *AutoApprovers) Reset() {
*x = AutoApprovers{}
if protoimpl.UnsafeEnabled {
mi := &file_ionscale_v1_acl_proto_msgTypes[6]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *AutoApprovers) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*AutoApprovers) ProtoMessage() {}
func (x *AutoApprovers) ProtoReflect() protoreflect.Message {
mi := &file_ionscale_v1_acl_proto_msgTypes[6]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use AutoApprovers.ProtoReflect.Descriptor instead.
func (*AutoApprovers) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{6}
}
func (x *AutoApprovers) GetRoutes() map[string]*structpb.ListValue {
if x != nil {
return x.Routes
}
return nil
}
func (x *AutoApprovers) GetExitnode() []string {
if x != nil {
return x.Exitnode
}
return nil
}
type SSHRule struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Action string `protobuf:"bytes,1,opt,name=action,proto3" json:"action,omitempty"`
Src []string `protobuf:"bytes,2,rep,name=src,proto3" json:"src,omitempty"`
Dst []string `protobuf:"bytes,3,rep,name=dst,proto3" json:"dst,omitempty"`
Users []string `protobuf:"bytes,4,rep,name=users,proto3" json:"users,omitempty"`
Checkperiod string `protobuf:"bytes,5,opt,name=checkperiod,proto3" json:"checkperiod,omitempty"`
}
func (x *SSHRule) Reset() {
*x = SSHRule{}
if protoimpl.UnsafeEnabled {
mi := &file_ionscale_v1_acl_proto_msgTypes[7]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *SSHRule) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*SSHRule) ProtoMessage() {}
func (x *SSHRule) ProtoReflect() protoreflect.Message {
mi := &file_ionscale_v1_acl_proto_msgTypes[7]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use SSHRule.ProtoReflect.Descriptor instead.
func (*SSHRule) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{7}
}
func (x *SSHRule) GetAction() string {
if x != nil {
return x.Action
}
return ""
}
func (x *SSHRule) GetSrc() []string {
if x != nil {
return x.Src
}
return nil
}
func (x *SSHRule) GetDst() []string {
if x != nil {
return x.Dst
}
return nil
}
func (x *SSHRule) GetUsers() []string {
if x != nil {
return x.Users
}
return nil
}
func (x *SSHRule) GetCheckperiod() string {
if x != nil {
return x.Checkperiod
}
return ""
}
type NodeAttr struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Target []string `protobuf:"bytes,1,rep,name=target,proto3" json:"target,omitempty"`
Attr []string `protobuf:"bytes,2,rep,name=attr,proto3" json:"attr,omitempty"`
}
func (x *NodeAttr) Reset() {
*x = NodeAttr{}
if protoimpl.UnsafeEnabled {
mi := &file_ionscale_v1_acl_proto_msgTypes[8]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *NodeAttr) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*NodeAttr) ProtoMessage() {}
func (x *NodeAttr) ProtoReflect() protoreflect.Message {
mi := &file_ionscale_v1_acl_proto_msgTypes[8]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use NodeAttr.ProtoReflect.Descriptor instead.
func (*NodeAttr) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{8}
}
func (x *NodeAttr) GetTarget() []string {
if x != nil {
return x.Target
}
return nil
}
func (x *NodeAttr) GetAttr() []string {
if x != nil {
return x.Attr
}
return nil
}
type ACLGrant struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Src []string `protobuf:"bytes,1,rep,name=src,proto3" json:"src,omitempty"`
Dst []string `protobuf:"bytes,2,rep,name=dst,proto3" json:"dst,omitempty"`
Ip []string `protobuf:"bytes,3,rep,name=ip,proto3" json:"ip,omitempty"`
App map[string]*structpb.ListValue `protobuf:"bytes,4,rep,name=app,proto3" json:"app,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
}
func (x *ACLGrant) Reset() {
*x = ACLGrant{}
if protoimpl.UnsafeEnabled {
mi := &file_ionscale_v1_acl_proto_msgTypes[9]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ACLGrant) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ACLGrant) ProtoMessage() {}
func (x *ACLGrant) ProtoReflect() protoreflect.Message {
mi := &file_ionscale_v1_acl_proto_msgTypes[9]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ACLGrant.ProtoReflect.Descriptor instead.
func (*ACLGrant) Descriptor() ([]byte, []int) {
return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{9}
}
func (x *ACLGrant) GetSrc() []string {
if x != nil {
return x.Src
}
return nil
}
func (x *ACLGrant) GetDst() []string {
if x != nil {
return x.Dst
}
return nil
}
func (x *ACLGrant) GetIp() []string {
if x != nil {
return x.Ip
}
return nil
}
func (x *ACLGrant) GetApp() map[string]*structpb.ListValue {
if x != nil {
return x.App
}
return nil
}
var File_ionscale_v1_acl_proto protoreflect.FileDescriptor var File_ionscale_v1_acl_proto protoreflect.FileDescriptor
var file_ionscale_v1_acl_proto_rawDesc = []byte{ var file_ionscale_v1_acl_proto_rawDesc = []byte{
0x0a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x0a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63,
0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
0x65, 0x2e, 0x76, 0x31, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x65, 0x2e, 0x76, 0x31, 0x22, 0x34, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f,
0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74,
0x74, 0x6f, 0x22, 0x34, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52,
0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x2e, 0x0a, 0x14, 0x47, 0x65,
0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x46, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x41, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01,
0x28, 0x09, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x4c, 0x0a, 0x13, 0x53, 0x65,
0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18,
0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64,
0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x41,
0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a,
0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65,
0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
0x22, 0x64, 0x0a, 0x13, 0x53, 0x65, 0x74, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62,
0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69,
0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06,
0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x41, 0x43, 0x4c,
0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xbb,
0x05, 0x0a, 0x09, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x37, 0x0a, 0x05,
0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x6f,
0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c,
0x69, 0x63, 0x79, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x05,
0x68, 0x6f, 0x73, 0x74, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18,
0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65,
0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x47, 0x72,
0x6f, 0x75, 0x70, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x67, 0x72, 0x6f, 0x75, 0x70,
0x73, 0x12, 0x24, 0x0a, 0x04, 0x61, 0x63, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32,
0x10, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43,
0x4c, 0x52, 0x04, 0x61, 0x63, 0x6c, 0x73, 0x12, 0x43, 0x0a, 0x09, 0x74, 0x61, 0x67, 0x6f, 0x77,
0x6e, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x6f, 0x6e,
0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69,
0x63, 0x79, 0x2e, 0x54, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72,
0x79, 0x52, 0x09, 0x74, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x12, 0x45, 0x0a, 0x0d,
0x61, 0x75, 0x74, 0x6f, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x18, 0x05, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
0x31, 0x2e, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x48,
0x00, 0x52, 0x0d, 0x61, 0x75, 0x74, 0x6f, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73,
0x88, 0x01, 0x01, 0x12, 0x26, 0x0a, 0x03, 0x73, 0x73, 0x68, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b,
0x32, 0x14, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53,
0x53, 0x48, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x03, 0x73, 0x73, 0x68, 0x12, 0x33, 0x0a, 0x09, 0x6e,
0x6f, 0x64, 0x65, 0x61, 0x74, 0x74, 0x72, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15,
0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64,
0x65, 0x41, 0x74, 0x74, 0x72, 0x52, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x61, 0x74, 0x74, 0x72, 0x73,
0x12, 0x2d, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b,
0x32, 0x15, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41,
0x43, 0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x1a,
0x38, 0x0a, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x55, 0x0a, 0x0b, 0x47, 0x72, 0x6f,
0x75, 0x70, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61,
0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74,
0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01,
0x1a, 0x58, 0x0a, 0x0e, 0x54, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74,
0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x61,
0x75, 0x74, 0x6f, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x22, 0x57, 0x0a, 0x03,
0x41, 0x43, 0x4c, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20,
0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a, 0x03, 0x73,
0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, 0x12, 0x10, 0x0a,
0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, 0x73, 0x74, 0x12,
0x14, 0x0a, 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc2, 0x01, 0x0a, 0x0d, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70,
0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65,
0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61,
0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70, 0x72, 0x6f, 0x76,
0x65, 0x72, 0x73, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x65, 0x78, 0x69, 0x74, 0x6e,
0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x65, 0x78, 0x69, 0x74, 0x6e,
0x6f, 0x64, 0x65, 0x1a, 0x55, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74,
0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x7d, 0x0a, 0x07, 0x53, 0x53,
0x48, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a,
0x03, 0x73, 0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, 0x12,
0x10, 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, 0x73,
0x74, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09,
0x52, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x68, 0x65, 0x63, 0x6b,
0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x68,
0x65, 0x63, 0x6b, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x22, 0x36, 0x0a, 0x08, 0x4e, 0x6f, 0x64,
0x65, 0x41, 0x74, 0x74, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18,
0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x12, 0x0a,
0x04, 0x61, 0x74, 0x74, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x61, 0x74, 0x74,
0x72, 0x22, 0xc4, 0x01, 0x0a, 0x08, 0x41, 0x43, 0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x12, 0x10,
0x0a, 0x03, 0x73, 0x72, 0x63, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63,
0x12, 0x10, 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64,
0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x02,
0x69, 0x70, 0x12, 0x30, 0x0a, 0x03, 0x61, 0x70, 0x70, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32,
0x1e, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43,
0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x2e, 0x41, 0x70, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
0x03, 0x61, 0x70, 0x70, 0x1a, 0x52, 0x0a, 0x08, 0x41, 0x70, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79,
0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76,
0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68,
0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f,
0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e,
0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e,
0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (
@@ -769,47 +244,19 @@ func file_ionscale_v1_acl_proto_rawDescGZIP() []byte {
return file_ionscale_v1_acl_proto_rawDescData return file_ionscale_v1_acl_proto_rawDescData
} }
var file_ionscale_v1_acl_proto_msgTypes = make([]protoimpl.MessageInfo, 15) var file_ionscale_v1_acl_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
var file_ionscale_v1_acl_proto_goTypes = []interface{}{ var file_ionscale_v1_acl_proto_goTypes = []interface{}{
(*GetACLPolicyRequest)(nil), // 0: ionscale.v1.GetACLPolicyRequest (*GetACLPolicyRequest)(nil), // 0: ionscale.v1.GetACLPolicyRequest
(*GetACLPolicyResponse)(nil), // 1: ionscale.v1.GetACLPolicyResponse (*GetACLPolicyResponse)(nil), // 1: ionscale.v1.GetACLPolicyResponse
(*SetACLPolicyRequest)(nil), // 2: ionscale.v1.SetACLPolicyRequest (*SetACLPolicyRequest)(nil), // 2: ionscale.v1.SetACLPolicyRequest
(*SetACLPolicyResponse)(nil), // 3: ionscale.v1.SetACLPolicyResponse (*SetACLPolicyResponse)(nil), // 3: ionscale.v1.SetACLPolicyResponse
(*ACLPolicy)(nil), // 4: ionscale.v1.ACLPolicy
(*ACL)(nil), // 5: ionscale.v1.ACL
(*AutoApprovers)(nil), // 6: ionscale.v1.AutoApprovers
(*SSHRule)(nil), // 7: ionscale.v1.SSHRule
(*NodeAttr)(nil), // 8: ionscale.v1.NodeAttr
(*ACLGrant)(nil), // 9: ionscale.v1.ACLGrant
nil, // 10: ionscale.v1.ACLPolicy.HostsEntry
nil, // 11: ionscale.v1.ACLPolicy.GroupsEntry
nil, // 12: ionscale.v1.ACLPolicy.TagownersEntry
nil, // 13: ionscale.v1.AutoApprovers.RoutesEntry
nil, // 14: ionscale.v1.ACLGrant.AppEntry
(*structpb.ListValue)(nil), // 15: google.protobuf.ListValue
} }
var file_ionscale_v1_acl_proto_depIdxs = []int32{ var file_ionscale_v1_acl_proto_depIdxs = []int32{
4, // 0: ionscale.v1.GetACLPolicyResponse.policy:type_name -> ionscale.v1.ACLPolicy 0, // [0:0] is the sub-list for method output_type
4, // 1: ionscale.v1.SetACLPolicyRequest.policy:type_name -> ionscale.v1.ACLPolicy 0, // [0:0] is the sub-list for method input_type
10, // 2: ionscale.v1.ACLPolicy.hosts:type_name -> ionscale.v1.ACLPolicy.HostsEntry 0, // [0:0] is the sub-list for extension type_name
11, // 3: ionscale.v1.ACLPolicy.groups:type_name -> ionscale.v1.ACLPolicy.GroupsEntry 0, // [0:0] is the sub-list for extension extendee
5, // 4: ionscale.v1.ACLPolicy.acls:type_name -> ionscale.v1.ACL 0, // [0:0] is the sub-list for field type_name
12, // 5: ionscale.v1.ACLPolicy.tagowners:type_name -> ionscale.v1.ACLPolicy.TagownersEntry
6, // 6: ionscale.v1.ACLPolicy.autoapprovers:type_name -> ionscale.v1.AutoApprovers
7, // 7: ionscale.v1.ACLPolicy.ssh:type_name -> ionscale.v1.SSHRule
8, // 8: ionscale.v1.ACLPolicy.nodeattrs:type_name -> ionscale.v1.NodeAttr
9, // 9: ionscale.v1.ACLPolicy.grants:type_name -> ionscale.v1.ACLGrant
13, // 10: ionscale.v1.AutoApprovers.routes:type_name -> ionscale.v1.AutoApprovers.RoutesEntry
14, // 11: ionscale.v1.ACLGrant.app:type_name -> ionscale.v1.ACLGrant.AppEntry
15, // 12: ionscale.v1.ACLPolicy.GroupsEntry.value:type_name -> google.protobuf.ListValue
15, // 13: ionscale.v1.ACLPolicy.TagownersEntry.value:type_name -> google.protobuf.ListValue
15, // 14: ionscale.v1.AutoApprovers.RoutesEntry.value:type_name -> google.protobuf.ListValue
15, // 15: ionscale.v1.ACLGrant.AppEntry.value:type_name -> google.protobuf.ListValue
16, // [16:16] is the sub-list for method output_type
16, // [16:16] is the sub-list for method input_type
16, // [16:16] is the sub-list for extension type_name
16, // [16:16] is the sub-list for extension extendee
0, // [0:16] is the sub-list for field type_name
} }
func init() { file_ionscale_v1_acl_proto_init() } func init() { file_ionscale_v1_acl_proto_init() }
@@ -866,87 +313,14 @@ func file_ionscale_v1_acl_proto_init() {
return nil return nil
} }
} }
file_ionscale_v1_acl_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*ACLPolicy); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_ionscale_v1_acl_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*ACL); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_ionscale_v1_acl_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*AutoApprovers); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_ionscale_v1_acl_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*SSHRule); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_ionscale_v1_acl_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*NodeAttr); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_ionscale_v1_acl_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*ACLGrant); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
} }
file_ionscale_v1_acl_proto_msgTypes[4].OneofWrappers = []interface{}{}
type x struct{} type x struct{}
out := protoimpl.TypeBuilder{ out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{ File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(), GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_ionscale_v1_acl_proto_rawDesc, RawDescriptor: file_ionscale_v1_acl_proto_rawDesc,
NumEnums: 0, NumEnums: 0,
NumMessages: 15, NumMessages: 4,
NumExtensions: 0, NumExtensions: 0,
NumServices: 0, NumServices: 0,
}, },
pkg/gen/ionscale/v1/iam.pb.go
+26 -129
View File
@@ -72,7 +72,7 @@ type GetIAMPolicyResponse struct {
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
Policy *IAMPolicy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` Policy string `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
} }
func (x *GetIAMPolicyResponse) Reset() { func (x *GetIAMPolicyResponse) Reset() {
@@ -107,11 +107,11 @@ func (*GetIAMPolicyResponse) Descriptor() ([]byte, []int) {
return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{1} return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{1}
} }
func (x *GetIAMPolicyResponse) GetPolicy() *IAMPolicy { func (x *GetIAMPolicyResponse) GetPolicy() string {
if x != nil { if x != nil {
return x.Policy return x.Policy
} }
return nil return ""
} }
type SetIAMPolicyRequest struct { type SetIAMPolicyRequest struct {
@@ -119,8 +119,8 @@ type SetIAMPolicyRequest struct {
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"`
Policy *IAMPolicy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` Policy string `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"`
} }
func (x *SetIAMPolicyRequest) Reset() { func (x *SetIAMPolicyRequest) Reset() {
@@ -162,11 +162,11 @@ func (x *SetIAMPolicyRequest) GetTailnetId() uint64 {
return 0 return 0
} }
func (x *SetIAMPolicyRequest) GetPolicy() *IAMPolicy { func (x *SetIAMPolicyRequest) GetPolicy() string {
if x != nil { if x != nil {
return x.Policy return x.Policy
} }
return nil return ""
} }
type SetIAMPolicyResponse struct { type SetIAMPolicyResponse struct {
@@ -207,77 +207,6 @@ func (*SetIAMPolicyResponse) Descriptor() ([]byte, []int) {
return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{3} return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{3}
} }
type IAMPolicy struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Subs []string `protobuf:"bytes,1,rep,name=subs,proto3" json:"subs,omitempty"`
Emails []string `protobuf:"bytes,2,rep,name=emails,proto3" json:"emails,omitempty"`
Filters []string `protobuf:"bytes,3,rep,name=filters,proto3" json:"filters,omitempty"`
Roles map[string]string `protobuf:"bytes,4,rep,name=roles,proto3" json:"roles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
}
func (x *IAMPolicy) Reset() {
*x = IAMPolicy{}
if protoimpl.UnsafeEnabled {
mi := &file_ionscale_v1_iam_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *IAMPolicy) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*IAMPolicy) ProtoMessage() {}
func (x *IAMPolicy) ProtoReflect() protoreflect.Message {
mi := &file_ionscale_v1_iam_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use IAMPolicy.ProtoReflect.Descriptor instead.
func (*IAMPolicy) Descriptor() ([]byte, []int) {
return file_ionscale_v1_iam_proto_rawDescGZIP(), []int{4}
}
func (x *IAMPolicy) GetSubs() []string {
if x != nil {
return x.Subs
}
return nil
}
func (x *IAMPolicy) GetEmails() []string {
if x != nil {
return x.Emails
}
return nil
}
func (x *IAMPolicy) GetFilters() []string {
if x != nil {
return x.Filters
}
return nil
}
func (x *IAMPolicy) GetRoles() map[string]string {
if x != nil {
return x.Roles
}
return nil
}
var File_ionscale_v1_iam_proto protoreflect.FileDescriptor var File_ionscale_v1_iam_proto protoreflect.FileDescriptor
var file_ionscale_v1_iam_proto_rawDesc = []byte{ var file_ionscale_v1_iam_proto_rawDesc = []byte{
@@ -286,36 +215,21 @@ var file_ionscale_v1_iam_proto_rawDesc = []byte{
0x65, 0x2e, 0x76, 0x31, 0x22, 0x34, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x65, 0x2e, 0x76, 0x31, 0x22, 0x34, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f,
0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74,
0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52,
0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x46, 0x0a, 0x14, 0x47, 0x65, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x2e, 0x0a, 0x14, 0x47, 0x65,
0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
0x73, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x28, 0x09, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x4c, 0x0a, 0x13, 0x53, 0x65,
0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
0x63, 0x79, 0x22, 0x64, 0x0a, 0x13, 0x53, 0x65, 0x74, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18,
0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64,
0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69,
0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63,
0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x49, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x49,
0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
0x22, 0xc4, 0x01, 0x0a, 0x09, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x12, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a,
0x0a, 0x04, 0x73, 0x75, 0x62, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x73, 0x75, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65,
0x62, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x03, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
0x28, 0x09, 0x52, 0x06, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x66, 0x69, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62,
0x6c, 0x74, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x66, 0x69, 0x6c, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x74, 0x65, 0x72, 0x73, 0x12, 0x37, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20,
0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x6f, 0x6c, 0x65,
0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x1a, 0x38, 0x0a,
0x0a, 0x52, 0x6f, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b,
0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a,
0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61,
0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75,
0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69,
0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f,
0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73,
0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (
@@ -330,24 +244,19 @@ func file_ionscale_v1_iam_proto_rawDescGZIP() []byte {
return file_ionscale_v1_iam_proto_rawDescData return file_ionscale_v1_iam_proto_rawDescData
} }
var file_ionscale_v1_iam_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_ionscale_v1_iam_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
var file_ionscale_v1_iam_proto_goTypes = []interface{}{ var file_ionscale_v1_iam_proto_goTypes = []interface{}{
(*GetIAMPolicyRequest)(nil), // 0: ionscale.v1.GetIAMPolicyRequest (*GetIAMPolicyRequest)(nil), // 0: ionscale.v1.GetIAMPolicyRequest
(*GetIAMPolicyResponse)(nil), // 1: ionscale.v1.GetIAMPolicyResponse (*GetIAMPolicyResponse)(nil), // 1: ionscale.v1.GetIAMPolicyResponse
(*SetIAMPolicyRequest)(nil), // 2: ionscale.v1.SetIAMPolicyRequest (*SetIAMPolicyRequest)(nil), // 2: ionscale.v1.SetIAMPolicyRequest
(*SetIAMPolicyResponse)(nil), // 3: ionscale.v1.SetIAMPolicyResponse (*SetIAMPolicyResponse)(nil), // 3: ionscale.v1.SetIAMPolicyResponse
(*IAMPolicy)(nil), // 4: ionscale.v1.IAMPolicy
nil, // 5: ionscale.v1.IAMPolicy.RolesEntry
} }
var file_ionscale_v1_iam_proto_depIdxs = []int32{ var file_ionscale_v1_iam_proto_depIdxs = []int32{
4, // 0: ionscale.v1.GetIAMPolicyResponse.policy:type_name -> ionscale.v1.IAMPolicy 0, // [0:0] is the sub-list for method output_type
4, // 1: ionscale.v1.SetIAMPolicyRequest.policy:type_name -> ionscale.v1.IAMPolicy 0, // [0:0] is the sub-list for method input_type
5, // 2: ionscale.v1.IAMPolicy.roles:type_name -> ionscale.v1.IAMPolicy.RolesEntry 0, // [0:0] is the sub-list for extension type_name
3, // [3:3] is the sub-list for method output_type 0, // [0:0] is the sub-list for extension extendee
3, // [3:3] is the sub-list for method input_type 0, // [0:0] is the sub-list for field type_name
3, // [3:3] is the sub-list for extension type_name
3, // [3:3] is the sub-list for extension extendee
0, // [0:3] is the sub-list for field type_name
} }
func init() { file_ionscale_v1_iam_proto_init() } func init() { file_ionscale_v1_iam_proto_init() }
@@ -404,18 +313,6 @@ func file_ionscale_v1_iam_proto_init() {
return nil return nil
} }
} }
file_ionscale_v1_iam_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*IAMPolicy); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
} }
type x struct{} type x struct{}
out := protoimpl.TypeBuilder{ out := protoimpl.TypeBuilder{
@@ -423,7 +320,7 @@ func file_ionscale_v1_iam_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(), GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_ionscale_v1_iam_proto_rawDesc, RawDescriptor: file_ionscale_v1_iam_proto_rawDesc,
NumEnums: 0, NumEnums: 0,
NumMessages: 6, NumMessages: 4,
NumExtensions: 0, NumExtensions: 0,
NumServices: 0, NumServices: 0,
}, },
pkg/gen/ionscale/v1/tailnets.pb.go
+47 -64
View File
@@ -27,8 +27,8 @@ type Tailnet struct {
Id uint64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"` Id uint64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
IamPolicy *IAMPolicy `protobuf:"bytes,3,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` IamPolicy string `protobuf:"bytes,3,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"`
AclPolicy *ACLPolicy `protobuf:"bytes,4,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` AclPolicy string `protobuf:"bytes,4,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"`
DnsConfig *DNSConfig `protobuf:"bytes,5,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"` DnsConfig *DNSConfig `protobuf:"bytes,5,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"`
ServiceCollectionEnabled bool `protobuf:"varint,6,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"` ServiceCollectionEnabled bool `protobuf:"varint,6,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"`
FileSharingEnabled bool `protobuf:"varint,7,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"` FileSharingEnabled bool `protobuf:"varint,7,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"`
@@ -82,18 +82,18 @@ func (x *Tailnet) GetName() string {
return "" return ""
} }
func (x *Tailnet) GetIamPolicy() *IAMPolicy { func (x *Tailnet) GetIamPolicy() string {
if x != nil { if x != nil {
return x.IamPolicy return x.IamPolicy
} }
return nil return ""
} }
func (x *Tailnet) GetAclPolicy() *ACLPolicy { func (x *Tailnet) GetAclPolicy() string {
if x != nil { if x != nil {
return x.AclPolicy return x.AclPolicy
} }
return nil return ""
} }
func (x *Tailnet) GetDnsConfig() *DNSConfig { func (x *Tailnet) GetDnsConfig() *DNSConfig {
@@ -137,8 +137,8 @@ type CreateTailnetRequest struct {
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
IamPolicy *IAMPolicy `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` IamPolicy string `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"`
AclPolicy *ACLPolicy `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` AclPolicy string `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"`
DnsConfig *DNSConfig `protobuf:"bytes,4,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"` DnsConfig *DNSConfig `protobuf:"bytes,4,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"`
ServiceCollectionEnabled bool `protobuf:"varint,5,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"` ServiceCollectionEnabled bool `protobuf:"varint,5,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"`
FileSharingEnabled bool `protobuf:"varint,6,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"` FileSharingEnabled bool `protobuf:"varint,6,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"`
@@ -185,18 +185,18 @@ func (x *CreateTailnetRequest) GetName() string {
return "" return ""
} }
func (x *CreateTailnetRequest) GetIamPolicy() *IAMPolicy { func (x *CreateTailnetRequest) GetIamPolicy() string {
if x != nil { if x != nil {
return x.IamPolicy return x.IamPolicy
} }
return nil return ""
} }
func (x *CreateTailnetRequest) GetAclPolicy() *ACLPolicy { func (x *CreateTailnetRequest) GetAclPolicy() string {
if x != nil { if x != nil {
return x.AclPolicy return x.AclPolicy
} }
return nil return ""
} }
func (x *CreateTailnetRequest) GetDnsConfig() *DNSConfig { func (x *CreateTailnetRequest) GetDnsConfig() *DNSConfig {
@@ -287,8 +287,8 @@ type UpdateTailnetRequest struct {
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"` TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"`
IamPolicy *IAMPolicy `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"` IamPolicy string `protobuf:"bytes,2,opt,name=iam_policy,json=iamPolicy,proto3" json:"iam_policy,omitempty"`
AclPolicy *ACLPolicy `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"` AclPolicy string `protobuf:"bytes,3,opt,name=acl_policy,json=aclPolicy,proto3" json:"acl_policy,omitempty"`
DnsConfig *DNSConfig `protobuf:"bytes,4,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"` DnsConfig *DNSConfig `protobuf:"bytes,4,opt,name=dns_config,json=dnsConfig,proto3" json:"dns_config,omitempty"`
ServiceCollectionEnabled bool `protobuf:"varint,5,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"` ServiceCollectionEnabled bool `protobuf:"varint,5,opt,name=service_collection_enabled,json=serviceCollectionEnabled,proto3" json:"service_collection_enabled,omitempty"`
FileSharingEnabled bool `protobuf:"varint,6,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"` FileSharingEnabled bool `protobuf:"varint,6,opt,name=file_sharing_enabled,json=fileSharingEnabled,proto3" json:"file_sharing_enabled,omitempty"`
@@ -335,18 +335,18 @@ func (x *UpdateTailnetRequest) GetTailnetId() uint64 {
return 0 return 0
} }
func (x *UpdateTailnetRequest) GetIamPolicy() *IAMPolicy { func (x *UpdateTailnetRequest) GetIamPolicy() string {
if x != nil { if x != nil {
return x.IamPolicy return x.IamPolicy
} }
return nil return ""
} }
func (x *UpdateTailnetRequest) GetAclPolicy() *ACLPolicy { func (x *UpdateTailnetRequest) GetAclPolicy() string {
if x != nil { if x != nil {
return x.AclPolicy return x.AclPolicy
} }
return nil return ""
} }
func (x *UpdateTailnetRequest) GetDnsConfig() *DNSConfig { func (x *UpdateTailnetRequest) GetDnsConfig() *DNSConfig {
@@ -1673,17 +1673,14 @@ var file_ionscale_v1_tailnets_proto_rawDesc = []byte{
0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x69, 0x61, 0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x69, 0x61,
0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
0x65, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa7, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf7,
0x03, 0x0a, 0x07, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x02, 0x0a, 0x07, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64,
0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61,
0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x35, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d,
0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x28, 0x09, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1d, 0x0a,
0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28,
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x09, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a,
0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73,
0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63,
0x79, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a,
0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44,
0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x64, 0x6e, 0x73, 0x43, 0x6f, 0x6e, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x64, 0x6e, 0x73, 0x43, 0x6f, 0x6e,
@@ -1700,16 +1697,13 @@ var file_ionscale_v1_tailnets_proto_rawDesc = []byte{
0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x65, 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x65, 0x6e,
0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1b, 0x6d, 0x61, 0x63, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1b, 0x6d, 0x61, 0x63,
0x68, 0x69, 0x6e, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x68, 0x69, 0x6e, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0xa4, 0x03, 0x0a, 0x14, 0x43, 0x72, 0x65, 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0xf4, 0x02, 0x0a, 0x14, 0x43, 0x72, 0x65,
0x61, 0x74, 0x65, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x61, 0x74, 0x65, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x35, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c,
0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f,
0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69,
0x79, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c,
0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41,
0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c,
0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69,
0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61,
0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52,
@@ -1731,17 +1725,14 @@ var file_ionscale_v1_tailnets_proto_rawDesc = []byte{
0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x74, 0x61, 0x69, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x74, 0x61, 0x69, 0x6c,
0x6e, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x6e, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x69, 0x6f, 0x6e, 0x73,
0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52,
0x07, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x22, 0xaf, 0x03, 0x0a, 0x14, 0x55, 0x70, 0x64, 0x07, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x22, 0xff, 0x02, 0x0a, 0x14, 0x55, 0x70, 0x64,
0x61, 0x74, 0x65, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x61, 0x74, 0x65, 0x54, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18,
0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64,
0x12, 0x35, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x61, 0x6d, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x61, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
0x76, 0x31, 0x2e, 0x49, 0x41, 0x4d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x09, 0x69, 0x61, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20,
0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x61, 0x63, 0x6c, 0x5f, 0x70, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35,
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f,
0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c,
0x69, 0x63, 0x79, 0x52, 0x09, 0x61, 0x63, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x35,
0x0a, 0x0a, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x0a, 0x0a, 0x64, 0x6e, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x64, 0x6e, 0x73, 0x43, 0x2e, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x64, 0x6e, 0x73, 0x43,
@@ -1901,29 +1892,21 @@ var file_ionscale_v1_tailnets_proto_goTypes = []interface{}{
(*EnableMachineAuthorizationResponse)(nil), // 30: ionscale.v1.EnableMachineAuthorizationResponse (*EnableMachineAuthorizationResponse)(nil), // 30: ionscale.v1.EnableMachineAuthorizationResponse
(*DisableMachineAuthorizationRequest)(nil), // 31: ionscale.v1.DisableMachineAuthorizationRequest (*DisableMachineAuthorizationRequest)(nil), // 31: ionscale.v1.DisableMachineAuthorizationRequest
(*DisableMachineAuthorizationResponse)(nil), // 32: ionscale.v1.DisableMachineAuthorizationResponse (*DisableMachineAuthorizationResponse)(nil), // 32: ionscale.v1.DisableMachineAuthorizationResponse
(*IAMPolicy)(nil), // 33: ionscale.v1.IAMPolicy (*DNSConfig)(nil), // 33: ionscale.v1.DNSConfig
(*ACLPolicy)(nil), // 34: ionscale.v1.ACLPolicy
(*DNSConfig)(nil), // 35: ionscale.v1.DNSConfig
} }
var file_ionscale_v1_tailnets_proto_depIdxs = []int32{ var file_ionscale_v1_tailnets_proto_depIdxs = []int32{
33, // 0: ionscale.v1.Tailnet.iam_policy:type_name -> ionscale.v1.IAMPolicy 33, // 0: ionscale.v1.Tailnet.dns_config:type_name -> ionscale.v1.DNSConfig
34, // 1: ionscale.v1.Tailnet.acl_policy:type_name -> ionscale.v1.ACLPolicy 33, // 1: ionscale.v1.CreateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig
35, // 2: ionscale.v1.Tailnet.dns_config:type_name -> ionscale.v1.DNSConfig 0, // 2: ionscale.v1.CreateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet
33, // 3: ionscale.v1.CreateTailnetRequest.iam_policy:type_name -> ionscale.v1.IAMPolicy 33, // 3: ionscale.v1.UpdateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig
34, // 4: ionscale.v1.CreateTailnetRequest.acl_policy:type_name -> ionscale.v1.ACLPolicy 0, // 4: ionscale.v1.UpdateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet
35, // 5: ionscale.v1.CreateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig 0, // 5: ionscale.v1.GetTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet
0, // 6: ionscale.v1.CreateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet 0, // 6: ionscale.v1.ListTailnetsResponse.tailnet:type_name -> ionscale.v1.Tailnet
33, // 7: ionscale.v1.UpdateTailnetRequest.iam_policy:type_name -> ionscale.v1.IAMPolicy 7, // [7:7] is the sub-list for method output_type
34, // 8: ionscale.v1.UpdateTailnetRequest.acl_policy:type_name -> ionscale.v1.ACLPolicy 7, // [7:7] is the sub-list for method input_type
35, // 9: ionscale.v1.UpdateTailnetRequest.dns_config:type_name -> ionscale.v1.DNSConfig 7, // [7:7] is the sub-list for extension type_name
0, // 10: ionscale.v1.UpdateTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet 7, // [7:7] is the sub-list for extension extendee
0, // 11: ionscale.v1.GetTailnetResponse.tailnet:type_name -> ionscale.v1.Tailnet 0, // [0:7] is the sub-list for field type_name
0, // 12: ionscale.v1.ListTailnetsResponse.tailnet:type_name -> ionscale.v1.Tailnet
13, // [13:13] is the sub-list for method output_type
13, // [13:13] is the sub-list for method input_type
13, // [13:13] is the sub-list for extension type_name
13, // [13:13] is the sub-list for extension extendee
0, // [0:13] is the sub-list for field type_name
} }
func init() { file_ionscale_v1_tailnets_proto_init() } func init() { file_ionscale_v1_tailnets_proto_init() }
proto/ionscale/v1/acl.proto
+2 -47
View File
@@ -2,8 +2,6 @@ syntax = "proto3";
package ionscale.v1; package ionscale.v1;
import "google/protobuf/struct.proto";
option go_package = "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1;ionscalev1"; option go_package = "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1;ionscalev1";
message GetACLPolicyRequest { message GetACLPolicyRequest {
@@ -11,55 +9,12 @@ message GetACLPolicyRequest {
} }
message GetACLPolicyResponse { message GetACLPolicyResponse {
ACLPolicy policy = 1; string policy = 1;
} }
message SetACLPolicyRequest { message SetACLPolicyRequest {
uint64 tailnet_id = 1; uint64 tailnet_id = 1;
ACLPolicy policy = 2; string policy = 2;
} }
message SetACLPolicyResponse {} message SetACLPolicyResponse {}
message ACLPolicy {
map<string, string> hosts = 1;
map<string, google.protobuf.ListValue> groups = 2;
repeated ACL acls = 3;
map<string, google.protobuf.ListValue> tagowners = 4;
optional AutoApprovers autoapprovers = 5;
repeated SSHRule ssh = 6;
repeated NodeAttr nodeattrs = 7;
repeated ACLGrant grants = 8;
}
message ACL {
string action = 1;
repeated string src = 2;
repeated string dst = 3;
string proto = 4;
}
message AutoApprovers {
map<string, google.protobuf.ListValue> routes = 1;
repeated string exitnode = 2;
}
message SSHRule {
string action = 1;
repeated string src = 2;
repeated string dst = 3;
repeated string users = 4;
string checkperiod = 5;
}
message NodeAttr {
repeated string target = 1;
repeated string attr = 2;
}
message ACLGrant {
repeated string src = 1;
repeated string dst = 2;
repeated string ip = 3;
map<string, google.protobuf.ListValue> app = 4;
}
proto/ionscale/v1/iam.proto
+2 -9
View File
@@ -9,19 +9,12 @@ message GetIAMPolicyRequest {
} }
message GetIAMPolicyResponse { message GetIAMPolicyResponse {
IAMPolicy policy = 1; string policy = 1;
} }
message SetIAMPolicyRequest { message SetIAMPolicyRequest {
uint64 tailnet_id = 1; uint64 tailnet_id = 1;
IAMPolicy policy = 2; string policy = 2;
} }
message SetIAMPolicyResponse {} message SetIAMPolicyResponse {}
message IAMPolicy {
repeated string subs = 1;
repeated string emails = 2;
repeated string filters = 3;
map<string, string> roles = 4;
}
proto/ionscale/v1/tailnets.proto
+6 -6
View File
@@ -11,8 +11,8 @@ option go_package = "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1;ionscalev1
message Tailnet { message Tailnet {
uint64 id = 1; uint64 id = 1;
string name = 2; string name = 2;
IAMPolicy iam_policy = 3; string iam_policy = 3;
ACLPolicy acl_policy = 4; string acl_policy = 4;
DNSConfig dns_config = 5; DNSConfig dns_config = 5;
bool service_collection_enabled = 6; bool service_collection_enabled = 6;
@@ -23,8 +23,8 @@ message Tailnet {
message CreateTailnetRequest { message CreateTailnetRequest {
string name = 1; string name = 1;
IAMPolicy iam_policy = 2; string iam_policy = 2;
ACLPolicy acl_policy = 3; string acl_policy = 3;
DNSConfig dns_config = 4; DNSConfig dns_config = 4;
bool service_collection_enabled = 5; bool service_collection_enabled = 5;
@@ -39,8 +39,8 @@ message CreateTailnetResponse {
message UpdateTailnetRequest { message UpdateTailnetRequest {
uint64 tailnet_id = 1; uint64 tailnet_id = 1;
IAMPolicy iam_policy = 2; string iam_policy = 2;
ACLPolicy acl_policy = 3; string acl_policy = 3;
DNSConfig dns_config = 4; DNSConfig dns_config = 4;
bool service_collection_enabled = 5; bool service_collection_enabled = 5;
tests/acl_test.go
+5 -5
View File
@@ -1,8 +1,8 @@
package tests package tests
import ( import (
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"github.com/jsiebens/ionscale/pkg/defaults" "github.com/jsiebens/ionscale/pkg/defaults"
ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
"github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/sc"
"github.com/jsiebens/ionscale/tests/tsn" "github.com/jsiebens/ionscale/tests/tsn"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@@ -25,11 +25,11 @@ func TestACL_PeersShouldBeRemovedWhenNoMatchingACLRuleIsAvailable(t *testing.T)
require.NoError(t, server.WaitFor(tsn.PeerCount(2))) require.NoError(t, server.WaitFor(tsn.PeerCount(2)))
policy := defaults.DefaultACLPolicy() policy := defaults.DefaultACLPolicy()
policy.Acls = []*ionscalev1.ACL{ policy.ACLs = []ionscale.ACLEntry{
{ {
Action: "accept", Action: "accept",
Src: []string{"tag:server"}, Source: []string{"tag:server"},
Dst: []string{"tag:server:*"}, Destination: []string{"tag:server:*"},
}, },
} }
tests/node_attributes_test.go
+4 -4
View File
@@ -1,8 +1,8 @@
package tests package tests
import ( import (
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"github.com/jsiebens/ionscale/pkg/defaults" "github.com/jsiebens/ionscale/pkg/defaults"
ionscalev1 "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
"github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/sc"
"github.com/jsiebens/ionscale/tests/tsn" "github.com/jsiebens/ionscale/tests/tsn"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@@ -19,7 +19,7 @@ func TestNodeAttrs(t *testing.T) {
require.NoError(t, nodeA.Up(key)) require.NoError(t, nodeA.Up(key))
policy := defaults.DefaultACLPolicy() policy := defaults.DefaultACLPolicy()
policy.Nodeattrs = []*ionscalev1.NodeAttr{ policy.NodeAttrs = []ionscale.ACLNodeAttrGrant{
{ {
Target: []string{"tag:test"}, Target: []string{"tag:test"},
Attr: []string{"ionscale:test"}, Attr: []string{"ionscale:test"},
@@ -41,10 +41,10 @@ func TestNodeAttrs_IgnoreFunnelAttr(t *testing.T) {
require.NoError(t, nodeA.Up(key)) require.NoError(t, nodeA.Up(key))
policy := defaults.DefaultACLPolicy() policy := defaults.DefaultACLPolicy()
policy.Nodeattrs = []*ionscalev1.NodeAttr{ policy.NodeAttrs = []ionscale.ACLNodeAttrGrant{
{ {
Target: []string{"tag:test"}, Target: []string{"tag:test"},
Attr: []string{"ionscale:test", string(tailcfg.NodeAttrFunnel)}, Attr: []string{"ionscale:test"},
}, },
} }
tests/sc/scenario.go
+4 -4
View File
@@ -85,13 +85,13 @@ func (s *Scenario) ExpireMachines(tailnetID uint64) {
} }
} }
func (s *Scenario) SetACLPolicy(tailnetID uint64, policy *api.ACLPolicy) { func (s *Scenario) SetACLPolicy(tailnetID uint64, policy *ionscaleclt.ACLPolicy) {
_, err := s.ionscaleClient.SetACLPolicy(context.Background(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tailnetID, Policy: policy})) _, err := s.ionscaleClient.SetACLPolicy(context.Background(), connect.NewRequest(&api.SetACLPolicyRequest{TailnetId: tailnetID, Policy: policy.Marshal()}))
require.NoError(s.t, err) require.NoError(s.t, err)
} }
func (s *Scenario) SetIAMPolicy(tailnetID uint64, policy *api.IAMPolicy) { func (s *Scenario) SetIAMPolicy(tailnetID uint64, policy *ionscaleclt.IAMPolicy) {
_, err := s.ionscaleClient.SetIAMPolicy(context.Background(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tailnetID, Policy: policy})) _, err := s.ionscaleClient.SetIAMPolicy(context.Background(), connect.NewRequest(&api.SetIAMPolicyRequest{TailnetId: tailnetID, Policy: policy.Marshal()}))
require.NoError(s.t, err) require.NoError(s.t, err)
} }
tests/switch_test.go
+2 -2
View File
@@ -1,7 +1,7 @@
package tests package tests
import ( import (
api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1" "github.com/jsiebens/ionscale/pkg/client/ionscale"
"github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/sc"
"github.com/jsiebens/ionscale/tests/tsn" "github.com/jsiebens/ionscale/tests/tsn"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@@ -15,7 +15,7 @@ func TestSwitchAccounts(t *testing.T) {
s.PushOIDCUser("124", "jane@localtest.me", "jane") s.PushOIDCUser("124", "jane@localtest.me", "jane")
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Filters: []string{"domain == localtest.me"}}) s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Filters: []string{"domain == localtest.me"}})
node := s.NewTailscaleNode(sc.WithName("switch")) node := s.NewTailscaleNode(sc.WithName("switch"))
tests/weblogin_test.go
+10 -14
View File
@@ -1,12 +1,11 @@
package tests package tests
import ( import (
"github.com/jsiebens/ionscale/pkg/client/ionscale"
"github.com/jsiebens/ionscale/pkg/defaults" "github.com/jsiebens/ionscale/pkg/defaults"
api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
"github.com/jsiebens/ionscale/tests/sc" "github.com/jsiebens/ionscale/tests/sc"
"github.com/jsiebens/ionscale/tests/tsn" "github.com/jsiebens/ionscale/tests/tsn"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"google.golang.org/protobuf/types/known/structpb"
"net/http" "net/http"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"testing" "testing"
@@ -30,7 +29,7 @@ func TestWebLoginWithDomainFilterInIAMPolicy(t *testing.T) {
s.PushOIDCUser("124", "jane@localtest.me", "jane") s.PushOIDCUser("124", "jane@localtest.me", "jane")
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Filters: []string{"domain == localtest.me"}}) s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Filters: []string{"domain == localtest.me"}})
john := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me") john := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me")
jane := newTailscaleNodeAndLoginWithOIDC(t, s, "jane@localtest.me") jane := newTailscaleNodeAndLoginWithOIDC(t, s, "jane@localtest.me")
@@ -49,7 +48,7 @@ func TestWebLoginWithSubsAndEmailsInIAMPolicy(t *testing.T) {
s.PushOIDCUser("124", "jane@localtest.me", "jane") s.PushOIDCUser("124", "jane@localtest.me", "jane")
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Subs: []string{"123"}, Emails: []string{"jane@localtest.me"}}) s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Subs: []string{"123"}, Emails: []string{"jane@localtest.me"}})
john := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me") john := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me")
jane := newTailscaleNodeAndLoginWithOIDC(t, s, "jane@localtest.me") jane := newTailscaleNodeAndLoginWithOIDC(t, s, "jane@localtest.me")
@@ -65,7 +64,7 @@ func TestWebLoginWithUserAsTailnetAdmin(t *testing.T) {
s.PushOIDCUser("124", "jane@localtest.me", "jane") s.PushOIDCUser("124", "jane@localtest.me", "jane")
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{
Filters: []string{"domain == localtest.me"}, Filters: []string{"domain == localtest.me"},
Roles: map[string]string{"john@localtest.me": "admin"}, Roles: map[string]string{"john@localtest.me": "admin"},
}) })
@@ -83,7 +82,7 @@ func TestWebLoginWhenNotAuthorizedForAnyTailnet(t *testing.T) {
s.PushOIDCUser("124", "jane@localtest.me", "jane") s.PushOIDCUser("124", "jane@localtest.me", "jane")
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{
Subs: []string{"123"}, Subs: []string{"123"},
}) })
@@ -99,7 +98,7 @@ func TestWebLoginWhenInvalidTagOwner(t *testing.T) {
s.PushOIDCUser("124", "jane@localtest.me", "jane") s.PushOIDCUser("124", "jane@localtest.me", "jane")
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{
Subs: []string{"124"}, Subs: []string{"124"},
}) })
@@ -114,17 +113,14 @@ func TestWebLoginAsTagOwner(t *testing.T) {
sc.Run(t, func(s *sc.Scenario) { sc.Run(t, func(s *sc.Scenario) {
s.PushOIDCUser("124", "jane@localtest.me", "jane") s.PushOIDCUser("124", "jane@localtest.me", "jane")
owners, err := structpb.NewList([]interface{}{"jane@localtest.me"})
require.NoError(t, err)
aclPolicy := defaults.DefaultACLPolicy() aclPolicy := defaults.DefaultACLPolicy()
aclPolicy.Tagowners = map[string]*structpb.ListValue{ aclPolicy.TagOwners = map[string][]string{
"tag:localtest": owners, "tag:localtest": {"jane@localtest.me"},
} }
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetACLPolicy(tailnet.Id, aclPolicy) s.SetACLPolicy(tailnet.Id, aclPolicy)
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{ s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{
Subs: []string{"124"}, Subs: []string{"124"},
}) })
@@ -137,7 +133,7 @@ func TestWebLoginWithMachineAuthorizationRequired(t *testing.T) {
s.PushOIDCUser("123", "john@localtest.me", "john") s.PushOIDCUser("123", "john@localtest.me", "john")
tailnet := s.CreateTailnet() tailnet := s.CreateTailnet()
s.SetIAMPolicy(tailnet.Id, &api.IAMPolicy{Filters: []string{"domain == localtest.me"}}) s.SetIAMPolicy(tailnet.Id, &ionscale.IAMPolicy{Filters: []string{"domain == localtest.me"}})
s.EnableMachineAutorization(tailnet.Id) s.EnableMachineAutorization(tailnet.Id)
node := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me") node := newTailscaleNodeAndLoginWithOIDC(t, s, "john@localtest.me")