make GenerateFilterRules take machine and peers

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-06-08 19:10:09 +02:00 · 2023-06-08 19:10:09 +02:00 · db6cf4ac0a
commit db6cf4ac0a
parent 35770278f7
6 changed files with 291 additions and 316 deletions
--- a/hscontrol/policy/acls.go
+++ b/hscontrol/policy/acls.go
@ -18,7 +18,6 @@ import (
 	"github.com/tailscale/hujson"
 	"go4.org/netipx"
 	"gopkg.in/yaml.v3"
-	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )

@ -54,8 +53,6 @@ const (
 	ProtocolFC       = 133 // Fibre Channel
 )

-var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")
-
 // LoadACLPolicyFromPath loads the ACL policy from the specify path, and generates the ACL rules.
 func LoadACLPolicyFromPath(path string) (*ACLPolicy, error) {
 	log.Debug().
@ -122,7 +119,8 @@ func LoadACLPolicyFromBytes(acl []byte, format string) (*ACLPolicy, error) {
 // per node and that should be taken into account.
 func GenerateFilterRules(
 	policy *ACLPolicy,
-	machines types.Machines,
+	machine *types.Machine,
+	peers types.Machines,
 	stripEmailDomain bool,
 ) ([]tailcfg.FilterRule, *tailcfg.SSHPolicy, error) {
 	// If there is no policy defined, we default to allow all
@ -130,7 +128,7 @@ func GenerateFilterRules(
 		return tailcfg.FilterAllowAll, &tailcfg.SSHPolicy{}, nil
 	}

-	rules, err := policy.generateFilterRules(machines, stripEmailDomain)
+	rules, err := policy.generateFilterRules(append(peers, *machine), stripEmailDomain)
 	if err != nil {
 		return []tailcfg.FilterRule{}, &tailcfg.SSHPolicy{}, err
 	}
@ -138,19 +136,15 @@ func GenerateFilterRules(
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")

 	var sshPolicy *tailcfg.SSHPolicy
-	if featureEnableSSH() {
-		sshRules, err := generateSSHRules(policy, machines, stripEmailDomain)
-		if err != nil {
-			return []tailcfg.FilterRule{}, &tailcfg.SSHPolicy{}, err
-		}
-		log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
-		if sshPolicy == nil {
-			sshPolicy = &tailcfg.SSHPolicy{}
-		}
-		sshPolicy.Rules = sshRules
-	} else if policy != nil && len(policy.SSHs) > 0 {
-		log.Info().Msg("SSH ACLs has been defined, but HEADSCALE_EXPERIMENTAL_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating")
+	sshRules, err := generateSSHRules(policy, append(peers, *machine), stripEmailDomain)
+	if err != nil {
+		return []tailcfg.FilterRule{}, &tailcfg.SSHPolicy{}, err
 	}
+	log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
+	if sshPolicy == nil {
+		sshPolicy = &tailcfg.SSHPolicy{}
+	}
+	sshPolicy.Rules = sshRules

 	return rules, sshPolicy, nil
 }
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@ -245,7 +245,7 @@ func (s *Suite) TestInvalidAction(c *check.C) {
 			},
 		},
 	}
-	_, _, err := GenerateFilterRules(pol, types.Machines{}, false)
+	_, _, err := GenerateFilterRules(pol, &types.Machine{}, types.Machines{}, false)
 	c.Assert(errors.Is(err, ErrInvalidAction), check.Equals, true)
 }

@ -264,7 +264,7 @@ func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
 			},
 		},
 	}
-	_, _, err := GenerateFilterRules(pol, types.Machines{}, false)
+	_, _, err := GenerateFilterRules(pol, &types.Machine{}, types.Machines{}, false)
 	c.Assert(errors.Is(err, ErrInvalidGroup), check.Equals, true)
 }

@ -280,7 +280,7 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {
 		},
 	}

-	_, _, err := GenerateFilterRules(pol, types.Machines{}, false)
+	_, _, err := GenerateFilterRules(pol, &types.Machine{}, types.Machines{}, false)
 	c.Assert(errors.Is(err, ErrInvalidTag), check.Equals, true)
 }