From 7eb808c71cf3513bf2f8bbb8c8d550ae25757768 Mon Sep 17 00:00:00 2001
From: Johan Siebens
Date: Tue, 6 Feb 2024 21:31:10 +0100
Subject: [PATCH] fix: add ssh rules to default acl policy
---
 internal/domain/acl.go | 12 ------------
 internal/domain/iam.go | 4 ----
 internal/service/tailnet.go | 37 +++++++++++++++++++++----------------
 pkg/defaults/defaults.go | 12 ++++++++++++
 4 files changed, 33 insertions(+), 32 deletions(-)
diff --git a/internal/domain/acl.go b/internal/domain/acl.go
index d468166..b2a9489 100644
--- a/internal/domain/acl.go
+++ b/internal/domain/acl.go
@@ -66,18 +66,6 @@ type Grant struct {
 App tailcfg.PeerCapMap `json:"app"`
 }
 
-func DefaultACLPolicy() ACLPolicy {
- return ACLPolicy{
- ACLs: []ACL{
- {
- Action: "accept",
- Src: []string{"*"},
- Dst: []string{"*:*"},
- },
- },
- }
-}
-
 func (a ACLPolicy) FindAutoApprovedIPs(routableIPs []netip.Prefix, tags []string, u *User) []netip.Prefix {
 if a.AutoApprovers == nil || len(routableIPs) == 0 {
 return nil
diff --git a/internal/domain/iam.go b/internal/domain/iam.go
index d014f68..93418a9 100644
--- a/internal/domain/iam.go
+++ b/internal/domain/iam.go
@@ -11,10 +11,6 @@ import (
 "gorm.io/gorm/schema"
 )
 
-func DefaultIAMPolicy() IAMPolicy {
- return IAMPolicy{}
-}
-
 type Identity struct {
 UserID string
 Username string
diff --git a/internal/service/tailnet.go b/internal/service/tailnet.go
index f1415de..295d717 100644
--- a/internal/service/tailnet.go
+++ b/internal/service/tailnet.go
@@ -8,6 +8,7 @@ import (
 "github.com/jsiebens/ionscale/internal/domain"
 "github.com/jsiebens/ionscale/internal/mapping"
 "github.com/jsiebens/ionscale/internal/util"
+ "github.com/jsiebens/ionscale/pkg/defaults"
 api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
 "tailscale.com/tailcfg"
 )
@@ -42,6 +43,18 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
 return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied"))
 }
 
+ if req.Msg.IamPolicy == nil {
+ req.Msg.IamPolicy = defaults.DefaultIAMPolicy()
+ }
+
+ if req.Msg.AclPolicy == nil {
+ req.Msg.AclPolicy = defaults.DefaultACLPolicy()
+ }
+
+ if req.Msg.DnsConfig == nil {
+ req.Msg.DnsConfig = defaults.DefaultDNSConfig()
+ }
+
 tailnet := &domain.Tailnet{
 ID: util.NextID(),
 Name: req.Msg.Name,
@@ -54,24 +67,16 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
 MachineAuthorizationEnabled: req.Msg.MachineAuthorizationEnabled,
 }
 
- if req.Msg.IamPolicy != nil {
- if err := validateIamPolicy(req.Msg.IamPolicy); err != nil {
- return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
- }
-
- if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil {
- return nil, logError(err)
- }
- } else {
- tailnet.IAMPolicy = domain.DefaultIAMPolicy()
+ if err := validateIamPolicy(req.Msg.IamPolicy); err != nil {
+ return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
 }
 
- if req.Msg.AclPolicy != nil {
- if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil {
- return nil, logError(err)
- }
- } else {
- tailnet.ACLPolicy = domain.DefaultACLPolicy()
+ if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil {
+ return nil, logError(err)
+ }
+
+ if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil {
+ return nil, logError(err)
 }
 
 if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go
index 64ccd74..8cb2243 100644
--- a/pkg/defaults/defaults.go
+++ b/pkg/defaults/defaults.go
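Review bot: The three added nil checks write the defaults back into `req.Msg`, so the incoming request message is mutated in place for the remainder of CreateTailnet (which begins before and ends after this hunk); anything that later logs, audits or echoes the request will see the substituted defaults rather than what the caller actually sent. Keeping the request read-only is cleaner and needs no extra lines: `iamPolicy := req.Msg.IamPolicy` / `if iamPolicy == nil { iamPolicy = defaults.DefaultIAMPolicy() }`, likewise for the ACL policy and DNS config, with the locals passed to validateIamPolicy and CopyViaJson in the next hunk. The DnsConfig default is assigned here but not consumed anywhere visible in the diff, so presumably it is read further down the function.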
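Review bot: The ACL policy is now copied into `tailnet.ACLPolicy` on every request with no validation step, while the IAM policy directly above it goes through validateIamPolicy first; since the purpose of this patch is that the default policy now carries an SSH rule, any mismatch between the proto `Ssh` field and the domain type's JSON tag would drop those rules silently rather than fail (how CopyViaJson treats unmatched fields is not visible here). A test that calls CreateTailnet with a nil AclPolicy and asserts the persisted domain policy contains the `check` rule for `autogroup:self` would pin the behaviour the commit is adding. CreateTailnet continues outside the hunk.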
@@ -11,9 +11,21 @@ func DefaultACLPolicy() *ionscalev1.ACLPolicy {
 Dst: []string{"*:*"},
 },
 },
+ Ssh: []*ionscalev1.SSHRule{
+ {
+ Action: "check",
+ Src: []string{"autogroup:member"},
+ Dst: []string{"autogroup:self"},
+ Users: []string{"autogroup:nonroot", "root"},
+ },
+ },
 }
 }
 
+func DefaultIAMPolicy() *ionscalev1.IAMPolicy {
+ return &ionscalev1.IAMPolicy{}
+}
+
 func DefaultDNSConfig() *ionscalev1.DNSConfig {
 return &ionscalev1.DNSConfig{
 MagicDns: true,
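Review bot: Neither `DefaultACLPolicy` (whose signature sits above the hunk) nor the new `DefaultIAMPolicy` has a doc comment, and the SSH rule added here is a security-relevant default: every tailnet created without an explicit policy now permits Tailscale SSH from any member to their own devices as any non-root user or as root, gated only by the `check` action. A doc comment should state that plainly, e.g. `// DefaultACLPolicy returns the policy applied to tailnets created without one: all traffic is accepted, and members may SSH into their own devices (autogroup:self) as non-root users or root, with action "check" so sessions require re-authentication.` and `// DefaultIAMPolicy returns the empty IAM policy applied to tailnets created without one.`. Whether existing tailnets pick up the new rule is not visible here; if the default is only consulted at creation time, operators of existing tailnets must add the rule themselves, which is worth a line in the changelog.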