eyjhb/headscale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Migrate ACLs syntax to new Tailscale format

Browse source 
Implements #617.

Tailscale has changed the format of their ACLs to use a more firewall-y terms ("users" & "ports" -> "src" & "dst"). They have also started using all-lowercase tags. This PR applies these changes.
This commit is contained in:
Juan Font Alonso 2022-06-08 13:40:15 +02:00
parent 8fed47a2be
commit 3e353004b8
12 changed files with 126 additions and 124 deletions
Download patch file Download diff file Expand all files Collapse all files

57
tests/acls/acl_policy_1.hujson
View file

@ -1,6 +1,6 @@
{
// Declare static groups of users beyond those in the identity service.
"Groups": {
"groups": {
"group:example": [
"user1@example.com",
"user2@example.com",
@ -11,12 +11,12 @@
],
},
// Declare hostname aliases to use in place of IP addresses or subnets.
"Hosts": {
"hosts": {
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24",
},
// Define who is allowed to use which tags.
"TagOwners": {
"tagOwners": {
// Everyone in the montreal-admins or global-admins group are
// allowed to tag servers as montreal-webserver.
"tag:montreal-webserver": [
@ -29,17 +29,18 @@
],
},
// Access control lists.
"ACLs": [
"acls": [
// Engineering users, plus the president, can access port 22 (ssh)
// and port 3389 (remote desktop protocol) on all servers, and all
// ports on git-server or ci-server.
{
"Action": "accept",
"Users": [
"action": "accept",
"protocol": "tcp",
"src": [
"group:example2",
"192.168.1.0/24"
],
"Ports": [
"dst": [
"*:22,3389",
"git-server:*",
"ci-server:*"
@ -48,22 +49,22 @@
// Allow engineer users to access any port on a device tagged with
// tag:production.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"group:example"
],
"Ports": [
"dst": [
"tag:production:*"
],
},
// Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts
// on both networks.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"example-host-2",
],
"Ports": [
"dst": [
"example-host-1:*",
"192.168.1.0/24:*"
],
@ -72,22 +73,22 @@
// Comment out this section if you want to define specific ACL
// restrictions above.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"*"
],
"Ports": [
"dst": [
"*:*"
],
},
// All users in Montreal are allowed to access the Montreal web
// servers.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"example-host-1"
],
"Ports": [
"dst": [
"tag:montreal-webserver:80,443"
],
},
@ -96,30 +97,30 @@
// In contrast, this doesn't grant API servers the right to initiate
// any connections.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"tag:montreal-webserver"
],
"Ports": [
"dst": [
"tag:api-server:443"
],
},
],
// Declare tests to check functionality of ACL rules
"Tests": [
"tests": [
{
"User": "user1@example.com",
"Allow": [
"src": "user1@example.com",
"accept": [
"example-host-1:22",
"example-host-2:80"
],
"Deny": [
"deny": [
"exapmle-host-2:100"
],
},
{
"User": "user2@example.com",
"Allow": [
"src": "user2@example.com",
"accept": [
"100.60.3.4:22"
],
},

10
tests/acls/acl_policy_basic_1.hujson
View file

@ -3,19 +3,19 @@
{
"Hosts": {
"hosts": {
"host-1": "100.100.100.100",
"subnet-1": "100.100.101.100/24",
},
"ACLs": [
"acls": [
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"subnet-1",
"192.168.1.0/24"
],
"Ports": [
"dst": [
"*:22,3389",
"host-1:*",
],

12
tests/acls/acl_policy_basic_groups.hujson
View file

@ -1,24 +1,24 @@
// This ACL is used to test group expansion
{
"Groups": {
"groups": {
"group:example": [
"testnamespace",
],
},
"Hosts": {
"hosts": {
"host-1": "100.100.100.100",
"subnet-1": "100.100.101.100/24",
},
"ACLs": [
"acls": [
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"group:example",
],
"Ports": [
"dst": [
"host-1:*",
],
},

10
tests/acls/acl_policy_basic_namespace_as_user.hujson
View file

@ -1,18 +1,18 @@
// This ACL is used to test namespace expansion
{
"Hosts": {
"hosts": {
"host-1": "100.100.100.100",
"subnet-1": "100.100.101.100/24",
},
"ACLs": [
"acls": [
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"testnamespace",
],
"Ports": [
"dst": [
"host-1:*",
],
},

10
tests/acls/acl_policy_basic_range.hujson
View file

@ -1,18 +1,18 @@
// This ACL is used to test the port range expansion
{
"Hosts": {
"hosts": {
"host-1": "100.100.100.100",
"subnet-1": "100.100.101.100/24",
},
"ACLs": [
"acls": [
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"subnet-1",
],
"Ports": [
"dst": [
"host-1:5400-5500",
],
},

8
tests/acls/acl_policy_basic_wildcards.hujson
View file

@ -1,18 +1,18 @@
// This ACL is used to test wildcards
{
"Hosts": {
"hosts": {
"host-1": "100.100.100.100",
"subnet-1": "100.100.101.100/24",
},
"ACLs": [
"acls": [
{
"Action": "accept",
"Users": [
"src": [
"*",
],
"Ports": [
"dst": [
"host-1:*",
],
},

10
tests/acls/acl_policy_basic_wildcards.yaml
View file

@ -1,10 +1,10 @@
---
Hosts:
hosts:
host-1: 100.100.100.100/32
subnet-1: 100.100.101.100/24
ACLs:
- Action: accept
Users:
acls:
- action: accept
src:
- "*"
Ports:
dst:
- host-1:*

56
tests/acls/acl_policy_invalid.hujson
View file

@ -1,18 +1,18 @@
{
// Declare static groups of users beyond those in the identity service.
"Groups": {
"groups": {
"group:example": [
"user1@example.com",
"user2@example.com",
],
},
// Declare hostname aliases to use in place of IP addresses or subnets.
"Hosts": {
"hosts": {
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24",
},
// Define who is allowed to use which tags.
"TagOwners": {
"tagOwners": {
// Everyone in the montreal-admins or global-admins group are
// allowed to tag servers as montreal-webserver.
"tag:montreal-webserver": [
@ -26,17 +26,17 @@
],
},
// Access control lists.
"ACLs": [
"acls": [
// Engineering users, plus the president, can access port 22 (ssh)
// and port 3389 (remote desktop protocol) on all servers, and all
// ports on git-server or ci-server.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"group:engineering",
"president@example.com"
],
"Ports": [
"dst": [
"*:22,3389",
"git-server:*",
"ci-server:*"
@ -45,23 +45,23 @@
// Allow engineer users to access any port on a device tagged with
// tag:production.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"group:engineers"
],
"Ports": [
"dst": [
"tag:production:*"
],
},
// Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts
// on both networks.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"my-subnet",
"192.168.1.0/24"
],
"Ports": [
"dst": [
"my-subnet:*",
"192.168.1.0/24:*"
],
@ -70,22 +70,22 @@
// Comment out this section if you want to define specific ACL
// restrictions above.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"*"
],
"Ports": [
"dst": [
"*:*"
],
},
// All users in Montreal are allowed to access the Montreal web
// servers.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"group:montreal-users"
],
"Ports": [
"dst": [
"tag:montreal-webserver:80,443"
],
},
@ -94,30 +94,30 @@
// In contrast, this doesn't grant API servers the right to initiate
// any connections.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"tag:montreal-webserver"
],
"Ports": [
"dst": [
"tag:api-server:443"
],
},
],
// Declare tests to check functionality of ACL rules
"Tests": [
"tests": [
{
"User": "user1@example.com",
"Allow": [
"src": "user1@example.com",
"accept": [
"example-host-1:22",
"example-host-2:80"
],
"Deny": [
"deny": [
"exapmle-host-2:100"
],
},
{
"User": "user2@example.com",
"Allow": [
"src": "user2@example.com",
"accept": [
"100.60.3.4:22"
],
},