use gorm serialiser instead of custom hooks (#2156)

* add sqlite to debug/test image Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * test using gorm serialiser instead of custom hooks Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 11:41:58 +02:00 · 2024-10-02 11:41:58 +02:00 · bc9e83b52e
commit bc9e83b52e
parent 3964dec1c6
21 changed files with 240 additions and 351 deletions
--- a/hscontrol/policy/acls.go
+++ b/hscontrol/policy/acls.go
@ -595,6 +595,11 @@ func (pol *ACLPolicy) ExpandAlias(
 // excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
 // that are correctly tagged since they should not be listed as being in the user
 // we assume in this function that we only have nodes from 1 user.
+//
+// TODO(kradalby): It is quite hard to understand what this function is doing,
+// it seems like it trying to ensure that we dont include nodes that are tagged
+// when we look up the nodes owned by a user.
+// This should be refactored to be more clear as part of the Tags work in #1369
 func excludeCorrectlyTaggedNodes(
 	aclPolicy *ACLPolicy,
 	nodes types.Nodes,
@ -613,17 +618,16 @@ func excludeCorrectlyTaggedNodes(
 	for _, node := range nodes {
 		found := false

-		if node.Hostinfo == nil {
-			continue
-		}
+		if node.Hostinfo != nil {
+			for _, t := range node.Hostinfo.RequestTags {
+				if slices.Contains(tags, t) {
+					found = true

-		for _, t := range node.Hostinfo.RequestTags {
-			if slices.Contains(tags, t) {
-				found = true
-
-				break
+					break
+				}
 			}
 		}
+
 		if len(node.ForcedTags) > 0 {
 			found = true
 		}
@ -981,7 +985,10 @@ func FilterNodesByACL(
 			continue
 		}

+		log.Printf("Checking if %s can access %s", node.Hostname, peer.Hostname)
+
 		if node.CanAccess(filter, nodes[index]) || peer.CanAccess(filter, node) {
+			log.Printf("CAN ACCESS %s can access %s", node.Hostname, peer.Hostname)
 			result = append(result, peer)
 		}
 	}
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@ -2385,7 +2385,7 @@ func TestReduceFilterRules(t *testing.T) {
 				Hostinfo: &tailcfg.Hostinfo{
 					RoutableIPs: []netip.Prefix{netip.MustParsePrefix("172.16.0.0/24")},
 				},
-				ForcedTags: types.StringList{"tag:access-servers"},
+				ForcedTags: []string{"tag:access-servers"},
 			},
 			peers: types.Nodes{
 				&types.Node{
@ -3182,7 +3182,7 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 						Routes: types.Routes{
 							types.Route{
 								NodeID:    2,
-								Prefix:    types.IPPrefix(netip.MustParsePrefix("10.33.0.0/16")),
+								Prefix:    netip.MustParsePrefix("10.33.0.0/16"),
 								IsPrimary: true,
 								Enabled:   true,
 							},
@ -3215,7 +3215,7 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 					Routes: types.Routes{
 						types.Route{
 							NodeID:    2,
-							Prefix:    types.IPPrefix(netip.MustParsePrefix("10.33.0.0/16")),
+							Prefix:    netip.MustParsePrefix("10.33.0.0/16"),
 							IsPrimary: true,
 							Enabled:   true,
 						},
@ -3225,13 +3225,6 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 		},
 	}

-	// TODO(kradalby): Remove when we have gotten rid of IPPrefix type
-	prefixComparer := cmp.Comparer(func(x, y types.IPPrefix) bool {
-		return x == y
-	})
-	comparers := append([]cmp.Option{}, util.Comparers...)
-	comparers = append(comparers, prefixComparer)
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := FilterNodesByACL(
@ -3239,7 +3232,7 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 				tt.args.nodes,
 				tt.args.rules,
 			)
-			if diff := cmp.Diff(tt.want, got, comparers...); diff != "" {
+			if diff := cmp.Diff(tt.want, got, util.Comparers...); diff != "" {
 				t.Errorf("FilterNodesByACL() unexpected result (-want +got):\n%s", diff)
 			}
 		})