leviathonbeast/ionscale
1
0
Fork 0
mirror of https://github.com/jsiebens/ionscale.git synced 2026-03-31 15:07:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: incorrect splitting of alias and port ranges

Browse Source
This commit is contained in:
Johan Siebens
2024-01-15 09:50:43 +01:00
parent 6a5d44882a
commit c1ea283e6d
2 changed files with 44 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/domain/acl.go
+8 -12
View File
@@ -307,19 +307,15 @@ func (a ACLPolicy) expandMachineToDstPorts(m *Machine, ports []string) ([]tailcf
} }
func (a ACLPolicy) expandMachineDestToNetPortRanges(m *Machine, dest string) (bool, []tailcfg.NetPortRange) { func (a ACLPolicy) expandMachineDestToNetPortRanges(m *Machine, dest string) (bool, []tailcfg.NetPortRange) {
tokens := strings.Split(dest, ":") lastInd := strings.LastIndex(dest, ":")
if len(tokens) < 2 || len(tokens) > 3 { if lastInd == -1 {
return false, nil return false, nil
} }
var alias string alias := dest[:lastInd]
if len(tokens) == 2 { portRange := dest[lastInd+1:]
alias = tokens[0]
} else {
alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
}
ports, err := a.expandValuePortToPortRange(tokens[len(tokens)-1]) ports, err := a.expandValuePortToPortRange(portRange)
if err != nil { if err != nil {
return false, nil return false, nil
} }
@@ -329,18 +325,18 @@ func (a ACLPolicy) expandMachineDestToNetPortRanges(m *Machine, dest string) (bo
return false, nil return false, nil
} }
dests := []tailcfg.NetPortRange{} var netPortRanges []tailcfg.NetPortRange
for _, d := range ips { for _, d := range ips {
for _, p := range ports { for _, p := range ports {
pr := tailcfg.NetPortRange{ pr := tailcfg.NetPortRange{
IP: d, IP: d,
Ports: p, Ports: p,
} }
dests = append(dests, pr) netPortRanges = append(netPortRanges, pr)
} }
} }
return alias == AutoGroupSelf, dests return alias == AutoGroupSelf, netPortRanges
} }
func (a ACLPolicy) expandMachineAlias(m *Machine, alias string, src bool, u *User) []string { func (a ACLPolicy) expandMachineAlias(m *Machine, alias string, src bool, u *User) []string {
internal/domain/acl_test.go
+36
View File
@@ -794,3 +794,39 @@ func TestACLPolicy_FindAutoApprovedIPs(t *testing.T) {
}) })
} }
} }
func TestACLPolicy_BuildFilterRulesWithAdvertisedRoutes(t *testing.T) {
route1 := netip.MustParsePrefix("fd7a:115c:a1e0:b1a:0:1:a3c:0/120")
p1 := createMachine("john@example.com", "tag:trusted")
policy := ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Src: []string{"tag:trusted"},
Dst: []string{"fd7a:115c:a1e0:b1a:0:1:a3c:0/120:*"},
},
},
}
dst := createMachine("john@example.com")
dst.AllowIPs = []netip.Prefix{route1}
actualRules := policy.BuildFilterRules([]Machine{*p1}, dst)
expectedRules := []tailcfg.FilterRule{
{
SrcIPs: p1.IPs(),
DstPorts: []tailcfg.NetPortRange{
{
IP: route1.String(),
Ports: tailcfg.PortRange{
First: 0,
Last: 65535,
},
},
},
},
}
assert.Equal(t, expectedRules, actualRules)
}