fix: expand src wildcard alias to peer ip addresses

This commit is contained in:
Johan Siebens
2024-05-29 08:30:42 +02:00
parent 3d21630bf3
commit eadd42b19a
2 changed files with 24 additions and 16 deletions
+10 -10
@@ -274,7 +274,11 @@ func (a ACLPolicy) translateDestinationAliasToMachineIPs(alias string, m *Machin
return make([]string, 0)
}
return a.translateAliasToMachineIPs(alias, m, nil, f)
if alias == "*" {
return []string{"*"}
}
return a.translateAliasToMachineIPs(alias, m, f)
}
func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u *User) []string {
@@ -287,10 +291,6 @@ func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u
return make([]string, 0)
}
return a.translateAliasToMachineIPs(alias, m, u, f)
}
func (a ACLPolicy) translateAliasToMachineIPs(alias string, m *Machine, u *User, f func(string, *Machine) []string) []string {
if u != nil && m.HasTags() {
return []string{}
}
@@ -299,14 +299,14 @@ func (a ACLPolicy) translateAliasToMachineIPs(alias string, m *Machine, u *User,
return []string{}
}
if alias == "*" && u != nil {
return m.IPs()
}
if alias == "*" {
return []string{"*"}
return append(m.IPs(), m.AllowedPrefixes()...)
}
return a.translateAliasToMachineIPs(alias, m, f)
}
func (a ACLPolicy) translateAliasToMachineIPs(alias string, m *Machine, f func(string, *Machine) []string) []string {
if alias == AutoGroupMember || alias == AutoGroupMembers || alias == AutoGroupSelf {
if !m.HasTags() {
return m.IPs()
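Review bot: In the new wildcard branch of translateSourceAliasToMachineIPs, `return append(m.IPs(), m.AllowedPrefixes()...)` appends into whatever slice m.IPs() hands back; if that accessor returns an internal slice with spare capacity, the append writes into the machine's backing array and other callers of m.IPs() could later see the extra prefixes. Copying first avoids the question: `ips := append([]string(nil), m.IPs()...)` followed by `return append(ips, m.AllowedPrefixes()...)`. The `u != nil && m.HasTags()` guard that the old translateAliasToMachineIPs applied is absent from the new u-less signature at the bottom of the hunk, and the start of translateSourceAliasToMachineIPs is outside the hunk, so please confirm the tagged-machine exclusion for user-scoped aliases is still enforced there; otherwise a user alias would resolve to tagged peers. A short comment on the branch would also help the next reader, e.g. `// source "*" expands to every peer's addresses plus its allowed prefixes; it must not fall back to the literal "*"`, since the destination side (earlier hunk) deliberately keeps the literal. Both functions touched by this hunk start or end outside it.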
+14 -6
@@ -152,7 +152,7 @@ func TestACLPolicy_BuildFilterRulesWildcards(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{
{
SrcIPs: []string{"*"},
SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{
{
IP: "*",
@@ -195,7 +195,7 @@ func TestACLPolicy_BuildFilterRulesProto(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{
{
SrcIPs: []string{"*"},
SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{
{
IP: "*",
@@ -207,7 +207,7 @@ func TestACLPolicy_BuildFilterRulesProto(t *testing.T) {
},
},
{
SrcIPs: []string{"*"},
SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{
{
IP: "*",
@@ -559,7 +559,7 @@ func TestACLPolicy_BuildFilterRulesAutogroupSelfAndOtherDestinations(t *testing.
},
},
{
SrcIPs: []string{"*"},
SrcIPs: expectedSourceIPs(p1, p2, p3),
DstPorts: []tailcfg.NetPortRange{
{
IP: dst.IPv4.String(),
@@ -730,6 +730,14 @@ func createMachine(user string, tags ...string) *Machine {
}
}
func expectedSourceIPs(m ...*Machine) []string {
x := &StringSet{}
for _, m := range m {
x = x.Add(m.IPv4.String(), m.IPv6.String())
}
return x.Items()
}
func TestACLPolicy_IsTagOwner(t *testing.T) {
policy := ACLPolicy{
ionscale.ACLPolicy{
@@ -969,7 +977,7 @@ func TestACLPolicy_BuildFilterRulesWildcardGrants(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{
{
SrcIPs: []string{"*"},
SrcIPs: expectedSourceIPs(p1, p2),
DstPorts: []tailcfg.NetPortRange{
{
IP: "*",
@@ -1015,7 +1023,7 @@ func TestACLPolicy_BuildFilterRulesWithAppGrants(t *testing.T) {
actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst)
expectedRules := []tailcfg.FilterRule{
{
SrcIPs: []string{"*"},
SrcIPs: expectedSourceIPs(p1, p2),
CapGrant: []tailcfg.CapGrant{
{
Dsts: []netip.Prefix{
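Review bot: The new helper `expectedSourceIPs` (hunk at `func createMachine`) builds the expected source set from IPv4 and IPv6 only, while the production change also appends `m.AllowedPrefixes()` to the wildcard expansion, so none of the updated expectations exercises a peer with allowed prefixes; add one case where a machine carries prefixes and assert they show up in SrcIPs, otherwise a regression that drops them would pass these tests. The loop `for _, m := range m` shadows the variadic parameter with its element; `func expectedSourceIPs(machines ...*Machine) []string` with `for _, m := range machines` reads cleaner. If the rules are compared with a deep-equality check, the order of `x.Items()` matters, so confirm StringSet returns a stable order (or sort in the helper) to avoid a flaky test.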