Use correct type for ACL src field (#13)
I incorrectly copied this over as a slice instead of a string. This commit fixes that.

Signed-off-by: David Bond <[email protected]>
davidsbond authored Apr 14, 2022
1 parent fd197fb commit b0ce196
Showing 4 changed files with 154 additions and 155 deletions.
5 changes: 3 additions & 2 deletions tailscale/client.go
Expand Up @@ -223,8 +223,9 @@ type ACLTest struct {
User string `json:"user" hujson:"User"`
Allow []string `json:"allow" hujson:"Allow"`
Deny []string `json:"deny" hujson:"Deny"`
Source []string `json:"src" hujson:"Src"`
Destination []string `json:"dst" hujson:"Dst"`
Source string `json:"src" hujson:"Src"`
Destination string `json:"dst" hujson:"Dst"`
Accept []string `json:"accept" hujson:"Accept"`
}

type ACLDERPMap struct {
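Review bot: `Destination string` (tag `json:"dst"`) is never populated by either fixture this commit adds — both test cases expect `Destination: ""` and neither acl.json nor acl.hujson carries a `dst` key under `tests` — so the type change is not actually verified for that field; either add a `dst` entry to the fixtures or confirm the ACL test schema has such a key and document it. The exported fields of ACLTest carry no doc comments; a one-liner per field such as `// Source is the user or group the ACL test is evaluated as.` and `// Accept lists the destinations Source must be able to reach; Deny lists those it must not.` would make the intent of the string-vs-slice split explicit. The hujson tags stay capitalized (`hujson:"Src"`) while the new hujson fixture uses lowercase `src`, so correct decoding appears to rely on case-insensitive key matching — worth a comment on the struct if that is the intended contract. The `type ACLTest struct` declaration begins above the hunk.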
172 changes: 100 additions & 72 deletions tailscale/client_test.go
Expand Up @@ -38,51 +38,65 @@ func TestACL_Unmarshal(t *testing.T) {
Expected: tailscale.ACL{
ACLs: []tailscale.ACLEntry{
{
Action: "accept",
Ports: []string{"*:*"},
Users: []string{"*"},
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"autogroup:members"},
Destination: []string{"autogroup:self:*"},
Protocol: "",
},
},
TagOwners: map[string][]string{
"tag:example": {"group:example"},
},
Hosts: map[string]string{
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24",
},
DERPMap: &tailscale.ACLDERPMap{
Regions: map[int]*tailscale.ACLDERPRegion{
900: {
RegionID: 900,
RegionCode: "example",
RegionName: "example",
Nodes: []*tailscale.ACLDERPNode{
{
Name: "1",
RegionID: 900,
HostName: "example.com",
},
},
},
{
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"group:dev"},
Destination: []string{"tag:dev:*"},
Protocol: "",
},
{
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"group:devops"},
Destination: []string{"tag:prod:*"},
Protocol: "",
},
{
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"autogroup:members"},
Destination: []string{"tag:monitoring:80,443"},
Protocol: "",
},
OmitDefaultRegions: false,
},
Groups: map[string][]string{
"group:example": {
"[email protected]",
"[email protected]",
},
"group:dev": {"[email protected]", "[email protected]"},
"group:devops": {"[email protected]"},
},
Hosts: map[string]string(nil),
TagOwners: map[string][]string{
"tag:dev": {"group:devops"},
"tag:monitoring": {"group:devops"},
"tag:prod": {"group:devops"},
},
DERPMap: (*tailscale.ACLDERPMap)(nil),
Tests: []tailscale.ACLTest{
{
User: "[email protected]",
Allow: []string{"example-host-1:22", "example-host-2:80"},
Deny: []string{"exapmle-host-2:100"},
User: "",
Allow: []string(nil),
Deny: []string(nil),
Source: "[email protected]",
Destination: "",
Accept: []string{"tag:prod:80"},
},
{
User: "[email protected]",
Allow: []string{"100.60.3.4:22"},
},
User: "",
Allow: []string(nil),
Deny: []string{"tag:prod:80"},
Source: "[email protected]",
Destination: "",
Accept: []string{"tag:dev:80"}},
},
},
},
Expand All @@ -93,51 +107,65 @@ func TestACL_Unmarshal(t *testing.T) {
Expected: tailscale.ACL{
ACLs: []tailscale.ACLEntry{
{
Action: "accept",
Ports: []string{"*:*"},
Users: []string{"*"},
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"autogroup:members"},
Destination: []string{"autogroup:self:*"},
Protocol: "",
},
},
TagOwners: map[string][]string{
"tag:example": {"group:example"},
},
Hosts: map[string]string{
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24",
},
DERPMap: &tailscale.ACLDERPMap{
Regions: map[int]*tailscale.ACLDERPRegion{
900: {
RegionID: 900,
RegionCode: "example",
RegionName: "example",
Nodes: []*tailscale.ACLDERPNode{
{
Name: "1",
RegionID: 900,
HostName: "example.com",
},
},
},
{
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"group:dev"},
Destination: []string{"tag:dev:*"},
Protocol: "",
},
{
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"group:devops"},
Destination: []string{"tag:prod:*"},
Protocol: "",
},
{
Action: "accept",
Ports: []string(nil),
Users: []string(nil),
Source: []string{"autogroup:members"},
Destination: []string{"tag:monitoring:80,443"},
Protocol: "",
},
OmitDefaultRegions: false,
},
Groups: map[string][]string{
"group:example": {
"[email protected]",
"[email protected]",
},
"group:dev": {"[email protected]", "[email protected]"},
"group:devops": {"[email protected]"},
},
Hosts: map[string]string(nil),
TagOwners: map[string][]string{
"tag:dev": {"group:devops"},
"tag:monitoring": {"group:devops"},
"tag:prod": {"group:devops"},
},
DERPMap: (*tailscale.ACLDERPMap)(nil),
Tests: []tailscale.ACLTest{
{
User: "[email protected]",
Allow: []string{"example-host-1:22", "example-host-2:80"},
Deny: []string{"exapmle-host-2:100"},
User: "",
Allow: []string(nil),
Deny: []string(nil),
Source: "[email protected]",
Destination: "",
Accept: []string{"tag:prod:80"},
},
{
User: "[email protected]",
Allow: []string{"100.60.3.4:22"},
},
User: "",
Allow: []string(nil),
Deny: []string{"tag:prod:80"},
Source: "[email protected]",
Destination: "",
Accept: []string{"tag:dev:80"}},
},
},
},
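Review bot: The new expected values assert `Hosts: map[string]string(nil)` and `DERPMap: (*tailscale.ACLDERPMap)(nil)`, and every ACLTest is expected with empty `User`, `Allow` and `Destination`, so the fixture swap silently drops the coverage of `hosts`, `derpMap` and the legacy test fields that the previous fixture exercised; keeping a `hosts`/`derpMap` block in acl.json and acl.hujson would preserve those decode paths. The second hunk (`@@ -93,51 +107,65 @@`) repeats the same expected struct literal verbatim for the hujson case; hoisting it into a package-level `expectedACL` value shared by both cases would keep the two assertions from drifting apart. `TestACL_Unmarshal` starts before the first hunk and both hunks are cut from its body.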
77 changes: 34 additions & 43 deletions tailscale/testdata/acl.hujson
@@ -1,50 +1,41 @@
{
// Allow all users access to all ports.
"ACLS": [
{
"Action": "accept",
"Users": ["*"],
"Ports": ["*:*"]
}
],
"TagOwners": {
"tag:example": [
"group:example",
]
},
"Groups": {
"group:example": [
"[email protected]",
"[email protected]",
]
},
"Hosts": {
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24",
"groups": {
// Alice and Bob are in group:dev
"group:dev": ["[email protected]", "[email protected]",],
// Carl is in group:devops
"group:devops": ["[email protected]",],
},
"DerpMap": {
"Regions": {
"900": {
"RegionID": 900,
"RegionCode": "example",
"RegionName": "example",
"Nodes": [{
"Name": "1",
"RegionID": 900,
"HostName": "example.com"
}]
}
}
"acls": [
// all employees can access their own devices
{ "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },
// users in group:dev can access devices tagged tag:dev
{ "action": "accept", "src": ["group:dev"], "dst": ["tag:dev:*"] },
// users in group:devops can access devices tagged tag:prod
{ "action": "accept", "src": ["group:devops"], "dst": ["tag:prod:*"] },
// all employees can access devices tagged tag:monitoring on
// ports 80 and 443
{ "action": "accept", "src": ["autogroup:members"], "dst": ["tag:monitoring:80,443"] },
],
"tagOwners": {
// users in group:devops can apply the tag tag:monitoring
"tag:monitoring": ["group:devops"],
// users in group:devops can apply the tag tag:dev
"tag:dev": ["group:devops"],
// users in group:devops can apply the tag tag:prod
"tag:prod": ["group:devops"],
},
"Tests": [
"tests": [
{
"User": "user1@example.com",
"Allow": ["example-host-1:22", "example-host-2:80"],
"Deny": ["exapmle-host-2:100"],
"src": "carl@example.com",
// test that Carl can access devices tagged tag:prod on port 80
"accept": ["tag:prod:80"],
},
{
"User": "[email protected]",
"Allow": ["100.60.3.4:22"],
}
]
"src": "[email protected]",
// test that Alice can access devices tagged tag:dev on port 80
"accept": ["tag:dev:80"],
// test that Alice cannot access devices tagged tag:prod on port 80
"deny": ["tag:prod:80"],
},
],
}
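Review bot: The `tests` objects in the rewritten fixture omit any `dst` key, so the `Destination` field that this commit retypes in client.go is decoded only as its zero value here; if the schema has a `dst` for tests, add one entry (e.g. `"dst": "<placeholder>"`) so the string type is exercised, otherwise the field should be dropped from the struct rather than left untested. The fixture also no longer contains `hosts` or `derpMap`, which the old fixture used to cover; the same gap applies to acl.json.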
55 changes: 17 additions & 38 deletions tailscale/testdata/acl.json
@@ -1,49 +1,28 @@
{
"acls": [
{
"action": "accept",
"users": ["*"],
"ports": ["*:*"]
}
],
"tagowners": {
"tag:example": [
"group:example"
]
},
"groups": {
"group:example": [
"[email protected]",
"[email protected]"
]
"group:dev": ["[email protected]", "[email protected]"],
"group:devops": ["[email protected]"]
},
"hosts": {
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24"
},
"derpMap": {
"regions": {
"900": {
"regionID": 900,
"regionCode": "example",
"regionName": "example",
"nodes": [{
"name": "1",
"regionID": 900,
"hostName": "example.com"
}]
}
}
"acls": [
{ "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },
{ "action": "accept", "src": ["group:dev"], "dst": ["tag:dev:*"] },
{ "action": "accept", "src": ["group:devops"], "dst": ["tag:prod:*"] },
{ "action": "accept", "src": ["autogroup:members"], "dst": ["tag:monitoring:80,443"] }
],
"tagOwners": {
"tag:monitoring": ["group:devops"],
"tag:dev": ["group:devops"],
"tag:prod": ["group:devops"]
},
"tests": [
{
"user": "[email protected]",
"allow": ["example-host-1:22", "example-host-2:80"],
"deny": ["exapmle-host-2:100"]
"src": "[email protected]",
"accept": ["tag:prod:80"]
},
{
"user": "[email protected]",
"allow": ["100.60.3.4:22"]
"src": "[email protected]",
"accept": ["tag:dev:80"],
"deny": ["tag:prod:80"]
}
]
}
