only send relevant filter rules to nodes
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
parent
2675ff4b94
commit
88ca2501d1
4 changed files with 489 additions and 454 deletions
|
@ -125,122 +125,6 @@ func TestInvalidTagValidUser(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestPortGroup(t *testing.T) {
|
||||
machine := types.Machine{
|
||||
ID: 0,
|
||||
MachineKey: "foo",
|
||||
NodeKey: "bar",
|
||||
DiscoKey: "faa",
|
||||
Hostname: "testmachine",
|
||||
UserID: 0,
|
||||
User: types.User{
|
||||
Name: "testuser",
|
||||
},
|
||||
RegisterMethod: util.RegisterMethodAuthKey,
|
||||
IPAddresses: types.MachineAddresses{netip.MustParseAddr("100.64.0.5")},
|
||||
}
|
||||
|
||||
acl := []byte(`
|
||||
{
|
||||
"groups": {
|
||||
"group:example": [
|
||||
"testuser",
|
||||
],
|
||||
},
|
||||
|
||||
"hosts": {
|
||||
"host-1": "100.100.100.100",
|
||||
"subnet-1": "100.100.101.100/24",
|
||||
},
|
||||
|
||||
"acls": [
|
||||
{
|
||||
"action": "accept",
|
||||
"src": [
|
||||
"group:example",
|
||||
],
|
||||
"dst": [
|
||||
"host-1:*",
|
||||
],
|
||||
},
|
||||
],
|
||||
}
|
||||
`)
|
||||
pol, err := policy.LoadACLPolicyFromBytes(acl, "hujson")
|
||||
assert.NoError(t, err)
|
||||
|
||||
got, _, err := policy.GenerateFilterRules(pol, &machine, types.Machines{})
|
||||
assert.NoError(t, err)
|
||||
|
||||
want := []tailcfg.FilterRule{
|
||||
{
|
||||
SrcIPs: []string{"100.64.0.5/32"},
|
||||
DstPorts: []tailcfg.NetPortRange{
|
||||
{IP: "100.100.100.100/32", Ports: tailcfg.PortRange{Last: 65535}},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if diff := cmp.Diff(want, got); diff != "" {
|
||||
t.Errorf("TestPortGroup() unexpected result (-want +got):\n%s", diff)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPortUser(t *testing.T) {
|
||||
machine := types.Machine{
|
||||
ID: 0,
|
||||
MachineKey: "12345",
|
||||
NodeKey: "bar",
|
||||
DiscoKey: "faa",
|
||||
Hostname: "testmachine",
|
||||
UserID: 0,
|
||||
User: types.User{
|
||||
Name: "testuser",
|
||||
},
|
||||
RegisterMethod: util.RegisterMethodAuthKey,
|
||||
IPAddresses: types.MachineAddresses{netip.MustParseAddr("100.64.0.9")},
|
||||
}
|
||||
|
||||
acl := []byte(`
|
||||
{
|
||||
"hosts": {
|
||||
"host-1": "100.100.100.100",
|
||||
"subnet-1": "100.100.101.100/24",
|
||||
},
|
||||
|
||||
"acls": [
|
||||
{
|
||||
"action": "accept",
|
||||
"src": [
|
||||
"testuser",
|
||||
],
|
||||
"dst": [
|
||||
"host-1:*",
|
||||
],
|
||||
},
|
||||
],
|
||||
}
|
||||
`)
|
||||
pol, err := policy.LoadACLPolicyFromBytes(acl, "hujson")
|
||||
assert.NoError(t, err)
|
||||
|
||||
got, _, err := policy.GenerateFilterRules(pol, &machine, types.Machines{})
|
||||
assert.NoError(t, err)
|
||||
|
||||
want := []tailcfg.FilterRule{
|
||||
{
|
||||
SrcIPs: []string{"100.64.0.9/32"},
|
||||
DstPorts: []tailcfg.NetPortRange{
|
||||
{IP: "100.100.100.100/32", Ports: tailcfg.PortRange{Last: 65535}},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if diff := cmp.Diff(want, got); diff != "" {
|
||||
t.Errorf("TestPortUser() unexpected result (-want +got):\n%s", diff)
|
||||
}
|
||||
}
|
||||
|
||||
// this test should validate that we can expand a group in a TagOWner section and
|
||||
// match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
|
||||
// the tag is matched in the Destinations section.
|
||||
|
|