Split code into modules

This is a massive commit that restructures the code into modules:

db/
    All functions related to modifying the Database

types/
    All type definitions and methods that can be exclusivly used on
    these types without dependencies

policy/
    All Policy related code, now without dependencies on the Database.

policy/matcher/
    Dedicated code to match machines in a list of FilterRules

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

hscontrol/util/addr.go

@@ -1,12 +1,94 @@
 package util
 
 import (
+	"fmt"
 	"net/netip"
 	"reflect"
+	"strings"
 
 	"go4.org/netipx"
 )
 
+// This is borrowed from, and updated to use IPSet
+// https://github.com/tailscale/tailscale/blob/71029cea2ddf82007b80f465b256d027eab0f02d/wgengine/filter/tailcfg.go#L97-L162
+// TODO(kradalby): contribute upstream and make public.
+var (
+	zeroIP4 = netip.AddrFrom4([4]byte{})
+	zeroIP6 = netip.AddrFrom16([16]byte{})
+)
+
+// parseIPSet parses arg as one:
+//
+//   - an IP address (IPv4 or IPv6)
+//   - the string "*" to match everything (both IPv4 & IPv6)
+//   - a CIDR (e.g. "192.168.0.0/16")
+//   - a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
+//
+// bits, if non-nil, is the legacy SrcBits CIDR length to make a IP
+// address (without a slash) treated as a CIDR of *bits length.
+// nolint
+func ParseIPSet(arg string, bits *int) (*netipx.IPSet, error) {
+	var ipSet netipx.IPSetBuilder
+	if arg == "*" {
+		ipSet.AddPrefix(netip.PrefixFrom(zeroIP4, 0))
+		ipSet.AddPrefix(netip.PrefixFrom(zeroIP6, 0))
+
+		return ipSet.IPSet()
+	}
+	if strings.Contains(arg, "/") {
+		pfx, err := netip.ParsePrefix(arg)
+		if err != nil {
+			return nil, err
+		}
+		if pfx != pfx.Masked() {
+			return nil, fmt.Errorf("%v contains non-network bits set", pfx)
+		}
+
+		ipSet.AddPrefix(pfx)
+
+		return ipSet.IPSet()
+	}
+	if strings.Count(arg, "-") == 1 {
+		ip1s, ip2s, _ := strings.Cut(arg, "-")
+
+		ip1, err := netip.ParseAddr(ip1s)
+		if err != nil {
+			return nil, err
+		}
+
+		ip2, err := netip.ParseAddr(ip2s)
+		if err != nil {
+			return nil, err
+		}
+
+		r := netipx.IPRangeFrom(ip1, ip2)
+		if !r.IsValid() {
+			return nil, fmt.Errorf("invalid IP range %q", arg)
+		}
+
+		for _, prefix := range r.Prefixes() {
+			ipSet.AddPrefix(prefix)
+		}
+
+		return ipSet.IPSet()
+	}
+	ip, err := netip.ParseAddr(arg)
+	if err != nil {
+		return nil, fmt.Errorf("invalid IP address %q", arg)
+	}
+	bits8 := uint8(ip.BitLen())
+	if bits != nil {
+		if *bits < 0 || *bits > int(bits8) {
+			return nil, fmt.Errorf("invalid CIDR size %d for IP %q", *bits, arg)
+		}
+		bits8 = uint8(*bits)
+	}
+
+	ipSet.AddPrefix(netip.PrefixFrom(ip, int(bits8)))
+
+	return ipSet.IPSet()
+}
+
 func GetIPPrefixEndpoints(na netip.Prefix) (netip.Addr, netip.Addr) {
 	var network, broadcast netip.Addr
 	ipRange := netipx.RangeOfPrefix(na)

hscontrol/util/addr_test.go

@@ -0,0 +1,119 @@
+package util
+
+import (
+	"net/netip"
+	"reflect"
+	"testing"
+
+	"go4.org/netipx"
+)
+
+func Test_parseIPSet(t *testing.T) {
+	set := func(ips []string, prefixes []string) *netipx.IPSet {
+		var builder netipx.IPSetBuilder
+
+		for _, ip := range ips {
+			builder.Add(netip.MustParseAddr(ip))
+		}
+
+		for _, pre := range prefixes {
+			builder.AddPrefix(netip.MustParsePrefix(pre))
+		}
+
+		s, _ := builder.IPSet()
+
+		return s
+	}
+
+	type args struct {
+		arg  string
+		bits *int
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *netipx.IPSet
+		wantErr bool
+	}{
+		{
+			name: "simple ip4",
+			args: args{
+				arg:  "10.0.0.1",
+				bits: nil,
+			},
+			want: set([]string{
+				"10.0.0.1",
+			}, []string{}),
+			wantErr: false,
+		},
+		{
+			name: "simple ip6",
+			args: args{
+				arg:  "2001:db8:abcd:1234::2",
+				bits: nil,
+			},
+			want: set([]string{
+				"2001:db8:abcd:1234::2",
+			}, []string{}),
+			wantErr: false,
+		},
+		{
+			name: "wildcard",
+			args: args{
+				arg:  "*",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"0.0.0.0/0",
+				"::/0",
+			}),
+			wantErr: false,
+		},
+		{
+			name: "prefix4",
+			args: args{
+				arg:  "192.168.0.0/16",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"192.168.0.0/16",
+			}),
+			wantErr: false,
+		},
+		{
+			name: "prefix6",
+			args: args{
+				arg:  "2001:db8:abcd:1234::/64",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"2001:db8:abcd:1234::/64",
+			}),
+			wantErr: false,
+		},
+		{
+			name: "range4",
+			args: args{
+				arg:  "192.168.0.0-192.168.255.255",
+				bits: nil,
+			},
+			want: set([]string{}, []string{
+				"192.168.0.0/16",
+			}),
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseIPSet(tt.args.arg, tt.args.bits)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("parseIPSet() error = %v, wantErr %v", err, tt.wantErr)
+
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("parseIPSet() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

hscontrol/util/const.go

@@ -0,0 +1,7 @@
+package util
+
+const (
+	RegisterMethodAuthKey = "authkey"
+	RegisterMethodOIDC    = "oidc"
+	RegisterMethodCLI     = "cli"
+)

hscontrol/util/dns.go

@@ -0,0 +1,69 @@
+package util
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+const (
+	// value related to RFC 1123 and 952.
+	LabelHostnameLength = 63
+)
+
+var invalidCharsInUserRegex = regexp.MustCompile("[^a-z0-9-.]+")
+
+var ErrInvalidUserName = errors.New("invalid user name")
+
+// NormalizeToFQDNRules will replace forbidden chars in user
+// it can also return an error if the user doesn't respect RFC 952 and 1123.
+func NormalizeToFQDNRules(name string, stripEmailDomain bool) (string, error) {
+	name = strings.ToLower(name)
+	name = strings.ReplaceAll(name, "'", "")
+	atIdx := strings.Index(name, "@")
+	if stripEmailDomain && atIdx > 0 {
+		name = name[:atIdx]
+	} else {
+		name = strings.ReplaceAll(name, "@", ".")
+	}
+	name = invalidCharsInUserRegex.ReplaceAllString(name, "-")
+
+	for _, elt := range strings.Split(name, ".") {
+		if len(elt) > LabelHostnameLength {
+			return "", fmt.Errorf(
+				"label %v is more than 63 chars: %w",
+				elt,
+				ErrInvalidUserName,
+			)
+		}
+	}
+
+	return name, nil
+}
+
+func CheckForFQDNRules(name string) error {
+	if len(name) > LabelHostnameLength {
+		return fmt.Errorf(
+			"DNS segment must not be over 63 chars. %v doesn't comply with this rule: %w",
+			name,
+			ErrInvalidUserName,
+		)
+	}
+	if strings.ToLower(name) != name {
+		return fmt.Errorf(
+			"DNS segment should be lowercase. %v doesn't comply with this rule: %w",
+			name,
+			ErrInvalidUserName,
+		)
+	}
+	if invalidCharsInUserRegex.MatchString(name) {
+		return fmt.Errorf(
+			"DNS segment should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with theses rules: %w",
+			name,
+			ErrInvalidUserName,
+		)
+	}
+
+	return nil
+}

hscontrol/util/dns_test.go

@@ -0,0 +1,143 @@
+package util
+
+import "testing"
+
+func TestNormalizeToFQDNRules(t *testing.T) {
+	type args struct {
+		name             string
+		stripEmailDomain bool
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "normalize simple name",
+			args: args{
+				name:             "normalize-simple.name",
+				stripEmailDomain: false,
+			},
+			want:    "normalize-simple.name",
+			wantErr: false,
+		},
+		{
+			name: "normalize an email",
+			args: args{
+				name:             "foo.bar@example.com",
+				stripEmailDomain: false,
+			},
+			want:    "foo.bar.example.com",
+			wantErr: false,
+		},
+		{
+			name: "normalize an email domain should be removed",
+			args: args{
+				name:             "foo.bar@example.com",
+				stripEmailDomain: true,
+			},
+			want:    "foo.bar",
+			wantErr: false,
+		},
+		{
+			name: "strip enabled no email passed as argument",
+			args: args{
+				name:             "not-email-and-strip-enabled",
+				stripEmailDomain: true,
+			},
+			want:    "not-email-and-strip-enabled",
+			wantErr: false,
+		},
+		{
+			name: "normalize complex email",
+			args: args{
+				name:             "foo.bar+complex-email@example.com",
+				stripEmailDomain: false,
+			},
+			want:    "foo.bar-complex-email.example.com",
+			wantErr: false,
+		},
+		{
+			name: "user name with space",
+			args: args{
+				name:             "name space",
+				stripEmailDomain: false,
+			},
+			want:    "name-space",
+			wantErr: false,
+		},
+		{
+			name: "user with quote",
+			args: args{
+				name:             "Jamie's iPhone 5",
+				stripEmailDomain: false,
+			},
+			want:    "jamies-iphone-5",
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := NormalizeToFQDNRules(tt.args.name, tt.args.stripEmailDomain)
+			if (err != nil) != tt.wantErr {
+				t.Errorf(
+					"NormalizeToFQDNRules() error = %v, wantErr %v",
+					err,
+					tt.wantErr,
+				)
+
+				return
+			}
+			if got != tt.want {
+				t.Errorf("NormalizeToFQDNRules() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCheckForFQDNRules(t *testing.T) {
+	type args struct {
+		name string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name:    "valid: user",
+			args:    args{name: "valid-user"},
+			wantErr: false,
+		},
+		{
+			name:    "invalid: capitalized user",
+			args:    args{name: "Invalid-CapItaLIzed-user"},
+			wantErr: true,
+		},
+		{
+			name:    "invalid: email as user",
+			args:    args{name: "foo.bar@example.com"},
+			wantErr: true,
+		},
+		{
+			name:    "invalid: chars in user name",
+			args:    args{name: "super-user+name"},
+			wantErr: true,
+		},
+		{
+			name: "invalid: too long name for user",
+			args: args{
+				name: "super-long-useruseruser-name-that-should-be-a-little-more-than-63-chars",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := CheckForFQDNRules(tt.args.name); (err != nil) != tt.wantErr {
+				t.Errorf("CheckForFQDNRules() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}