fix: expand src wildcard alias to peer ip addresses

Johan Siebens
2024-05-29 08:30:42 +02:00
parent 3d21630bf3
commit eadd42b19a
2 changed files with 24 additions and 16 deletions
+10 -10
@@ -274,7 +274,11 @@ func (a ACLPolicy) translateDestinationAliasToMachineIPs(alias string, m *Machin
return make([]string, 0) return make([]string, 0)
} }
return a.translateAliasToMachineIPs(alias, m, nil, f) if alias == "*" {
return []string{"*"}
}
return a.translateAliasToMachineIPs(alias, m, f)
} }
func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u *User) []string { func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u *User) []string {
@@ -287,10 +291,6 @@ func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u
return make([]string, 0) return make([]string, 0)
} }
return a.translateAliasToMachineIPs(alias, m, u, f)
}
func (a ACLPolicy) translateAliasToMachineIPs(alias string, m *Machine, u *User, f func(string, *Machine) []string) []string {
if u != nil && m.HasTags() { if u != nil && m.HasTags() {
return []string{} return []string{}
} }
@@ -299,14 +299,14 @@ func (a ACLPolicy) translateAliasToMachineIPs(alias string, m *Machine, u *User,
return []string{} return []string{}
} }
if alias == "*" && u != nil {
return m.IPs()
}
if alias == "*" { if alias == "*" {
return []string{"*"} return append(m.IPs(), m.AllowedPrefixes()...)
} }
return a.translateAliasToMachineIPs(alias, m, f)
}
func (a ACLPolicy) translateAliasToMachineIPs(alias string, m *Machine, f func(string, *Machine) []string) []string {
if alias == AutoGroupMember || alias == AutoGroupMembers || alias == AutoGroupSelf { if alias == AutoGroupMember || alias == AutoGroupMembers || alias == AutoGroupSelf {
if !m.HasTags() { if !m.HasTags() {
return m.IPs() return m.IPs()
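Review bot: The new wildcard branch in translateSourceAliasToMachineIPs returns `append(m.IPs(), m.AllowedPrefixes()...)`, which writes into the backing array of the slice IPs() returns whenever that slice has spare capacity; if IPs() ever hands back a slice it also keeps (or shares with other callers), the prefixes would leak into that shared state and into other filter rules. Unless IPs() is known to allocate a fresh slice on every call, building the result explicitly avoids the question: `ips, prefixes := m.IPs(), m.AllowedPrefixes()`, `out := make([]string, 0, len(ips)+len(prefixes))`, `return append(append(out, ips...), prefixes...)`. The branch also goes beyond what the commit title says ("peer ip addresses") by including AllowedPrefixes in the source match, so a why-comment on it would help the next reader, e.g. `// "*" as a source no longer stays a literal wildcard: it expands to this peer's own IPs plus its allowed prefixes.` The narrowed translateAliasToMachineIPs signature at the end of the hunk has no doc comment and its body continues outside the hunk, and translateSourceAliasToMachineIPs starts outside this hunk as well.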
+14 -6
@@ -152,7 +152,7 @@ func TestACLPolicy_BuildFilterRulesWildcards(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst) actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{ expectedRules := []tailcfg.FilterRule{
{ {
SrcIPs: []string{"*"}, SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{ DstPorts: []tailcfg.NetPortRange{
{ {
IP: "*", IP: "*",
@@ -195,7 +195,7 @@ func TestACLPolicy_BuildFilterRulesProto(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst) actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{ expectedRules := []tailcfg.FilterRule{
{ {
SrcIPs: []string{"*"}, SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{ DstPorts: []tailcfg.NetPortRange{
{ {
IP: "*", IP: "*",
@@ -207,7 +207,7 @@ func TestACLPolicy_BuildFilterRulesProto(t *testing.T) {
}, },
}, },
{ {
SrcIPs: []string{"*"}, SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{ DstPorts: []tailcfg.NetPortRange{
{ {
IP: "*", IP: "*",
@@ -559,7 +559,7 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelfAndOtherDestinations(t *testing.
}, },
}, },
{ {
SrcIPs: []string{"*"}, SrcIPs: expectedSourceIPs(p1, p2, p3),
DstPorts: []tailcfg.NetPortRange{ DstPorts: []tailcfg.NetPortRange{
{ {
IP: dst.IPv4.String(), IP: dst.IPv4.String(),
@@ -730,6 +730,14 @@ func createMachine(user string, tags ...string) *Machine {
} }
} }
func expectedSourceIPs(m ...*Machine) []string {
x := &StringSet{}
for _, m := range m {
x = x.Add(m.IPv4.String(), m.IPv6.String())
}
return x.Items()
}
func TestACLPolicy_IsTagOwner(t *testing.T) { func TestACLPolicy_IsTagOwner(t *testing.T) {
policy := ACLPolicy{ policy := ACLPolicy{
ionscale.ACLPolicy{ ionscale.ACLPolicy{
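Review bot: In the new expectedSourceIPs helper the range variable shadows the variadic parameter (`for _, m := range m`), which compiles but reads as if the loop ranges over itself; `for _, mach := range m {` with `x = x.Add(mach.IPv4.String(), mach.IPv6.String())` is clearer. The helper only collects each machine's IPv4 and IPv6 address, so, assuming createMachine leaves allowed prefixes empty, none of the updated expectations in this file exercises the AllowedPrefixes part of the new wildcard expansion; one case with a machine that has an allowed prefix would pin that behaviour and catch a regression that drops it. A short doc comment on the helper would also help, e.g. `// expectedSourceIPs returns the set of IPv4 and IPv6 addresses of the given machines, in the order StringSet.Items yields them.`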
@@ -969,7 +977,7 @@ func TestACLPolicy_BuildFilterRulesWildcardGrants(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst) actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{ expectedRules := []tailcfg.FilterRule{
{ {
SrcIPs: []string{"*"}, SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{ DstPorts: []tailcfg.NetPortRange{
{ {
IP: "*", IP: "*",
@@ -1015,7 +1023,7 @@ func TestACLPolicy_BuildFilterRulesWithAppGrants(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst) actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{ expectedRules := []tailcfg.FilterRule{
{ {
SrcIPs: []string{"*"}, SrcIPs: expectedSourceIPs(p1, p2),
CapGrant: []tailcfg.CapGrant{ CapGrant: []tailcfg.CapGrant{
{ {
Dsts: []netip.Prefix{ Dsts: []netip.Prefix{