eyjhb/headscale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Split code into modules

Browse source 
This is a massive commit that restructures the code into modules:

db/
    All functions related to modifying the Database

types/
    All type definitions and methods that can be exclusivly used on
    these types without dependencies

policy/
    All Policy related code, now without dependencies on the Database.

policy/matcher/
    Dedicated code to match machines in a list of FilterRules

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby 2023-05-21 19:37:59 +03:00 committed by Kristoffer Dalby
parent 14e29a7bee
commit feb15365b5
51 changed files with 4677 additions and 4290 deletions
Download patch file Download diff file Expand all files Collapse all files

88
integration/acl_test.go
View file

@ -6,7 +6,7 @@ import (
"strings"
"testing"
"github.com/juanfont/headscale/hscontrol"
"github.com/juanfont/headscale/hscontrol/policy"
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/tsic"
"github.com/stretchr/testify/assert"
@ -45,7 +45,7 @@ var veryLargeDestination = []string{
"208.0.0.0/4:*",
}
func aclScenario(t *testing.T, policy *hscontrol.ACLPolicy, clientsPerUser int) *Scenario {
func aclScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Scenario {
t.Helper()
scenario, err := NewScenario()
assert.NoError(t, err)
@ -92,7 +92,7 @@ func TestACLHostsInNetMapTable(t *testing.T) {
// they can access minus one (them self).
tests := map[string]struct {
users map[string]int
policy hscontrol.ACLPolicy
policy policy.ACLPolicy
want map[string]int
}{
// Test that when we have no ACL, each client netmap has
@ -102,8 +102,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -123,8 +123,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -149,8 +149,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -186,8 +186,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -214,8 +214,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -282,8 +282,8 @@ func TestACLAllowUser80Dst(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
&policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -338,11 +338,11 @@ func TestACLDenyAllPort80(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&hscontrol.ACLPolicy{
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-acl-test": {"user1", "user2"},
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"group:integration-acl-test"},
@ -387,8 +387,8 @@ func TestACLAllowUserDst(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
&policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -445,8 +445,8 @@ func TestACLAllowStarDst(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
&policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -504,11 +504,11 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&hscontrol.ACLPolicy{
Hosts: hscontrol.Hosts{
&policy.ACLPolicy{
Hosts: policy.Hosts{
"all": netip.MustParsePrefix("100.64.0.0/24"),
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
// Everyone can curl test3
{
Action: "accept",
@ -603,16 +603,16 @@ func TestACLNamedHostsCanReach(t *testing.T) {
IntegrationSkip(t)
tests := map[string]struct {
policy hscontrol.ACLPolicy
policy policy.ACLPolicy
}{
"ipv4": {
policy: hscontrol.ACLPolicy{
Hosts: hscontrol.Hosts{
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
"test1": netip.MustParsePrefix("100.64.0.1/32"),
"test2": netip.MustParsePrefix("100.64.0.2/32"),
"test3": netip.MustParsePrefix("100.64.0.3/32"),
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
// Everyone can curl test3
{
Action: "accept",
@ -629,13 +629,13 @@ func TestACLNamedHostsCanReach(t *testing.T) {
},
},
"ipv6": {
policy: hscontrol.ACLPolicy{
Hosts: hscontrol.Hosts{
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
"test3": netip.MustParsePrefix("fd7a:115c:a1e0::3/128"),
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
// Everyone can curl test3
{
Action: "accept",
@ -854,11 +854,11 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
IntegrationSkip(t)
tests := map[string]struct {
policy hscontrol.ACLPolicy
policy policy.ACLPolicy
}{
"ipv4": {
policy: hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"100.64.0.1"},
@ -868,8 +868,8 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"ipv6": {
policy: hscontrol.ACLPolicy{
ACLs: []hscontrol.ACL{
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"fd7a:115c:a1e0::1"},
@ -879,12 +879,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"hostv4cidr": {
policy: hscontrol.ACLPolicy{
Hosts: hscontrol.Hosts{
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
"test1": netip.MustParsePrefix("100.64.0.1/32"),
"test2": netip.MustParsePrefix("100.64.0.2/32"),
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"test1"},
@ -894,12 +894,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"hostv6cidr": {
policy: hscontrol.ACLPolicy{
Hosts: hscontrol.Hosts{
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"test1"},
@ -909,12 +909,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"group": {
policy: hscontrol.ACLPolicy{
policy: policy.ACLPolicy{
Groups: map[string][]string{
"group:one": {"user1"},
"group:two": {"user2"},
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"group:one"},

6
integration/hsic/hsic.go
View file

@ -23,7 +23,7 @@ import (
"github.com/davecgh/go-spew/spew"
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
"github.com/juanfont/headscale/hscontrol"
"github.com/juanfont/headscale/hscontrol/policy"
"github.com/juanfont/headscale/hscontrol/util"
"github.com/juanfont/headscale/integration/dockertestutil"
"github.com/juanfont/headscale/integration/integrationutil"
@ -60,7 +60,7 @@ type HeadscaleInContainer struct {
port int
extraPorts []string
hostPortBindings map[string][]string
aclPolicy *hscontrol.ACLPolicy
aclPolicy *policy.ACLPolicy
env map[string]string
tlsCert []byte
tlsKey []byte
@ -73,7 +73,7 @@ type Option = func(c *HeadscaleInContainer)
// WithACLPolicy adds a hscontrol.ACLPolicy policy to the
// HeadscaleInContainer instance.
func WithACLPolicy(acl *hscontrol.ACLPolicy) Option {
func WithACLPolicy(acl *policy.ACLPolicy) Option {
return func(hsic *HeadscaleInContainer) {
// TODO(kradalby): Move somewhere appropriate
hsic.env["HEADSCALE_ACL_POLICY_PATH"] = aclPolicyPath

32
integration/ssh_test.go
View file

@ -6,7 +6,7 @@ import (
"testing"
"time"
"github.com/juanfont/headscale/hscontrol"
"github.com/juanfont/headscale/hscontrol/policy"
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/tsic"
"github.com/stretchr/testify/assert"
@ -57,18 +57,18 @@ func TestSSHOneUserAllToAll(t *testing.T) {
err = scenario.CreateHeadscaleEnv(spec,
[]tsic.Option{tsic.WithSSH()},
hsic.WithACLPolicy(
&hscontrol.ACLPolicy{
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []hscontrol.SSH{
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
@ -134,18 +134,18 @@ func TestSSHMultipleUsersAllToAll(t *testing.T) {
err = scenario.CreateHeadscaleEnv(spec,
[]tsic.Option{tsic.WithSSH()},
hsic.WithACLPolicy(
&hscontrol.ACLPolicy{
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1", "user2"},
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []hscontrol.SSH{
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
@ -216,18 +216,18 @@ func TestSSHNoSSHConfigured(t *testing.T) {
err = scenario.CreateHeadscaleEnv(spec,
[]tsic.Option{tsic.WithSSH()},
hsic.WithACLPolicy(
&hscontrol.ACLPolicy{
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []hscontrol.SSH{},
SSHs: []policy.SSH{},
},
),
hsic.WithTestName("sshnoneconfigured"),
@ -286,18 +286,18 @@ func TestSSHIsBlockedInACL(t *testing.T) {
err = scenario.CreateHeadscaleEnv(spec,
[]tsic.Option{tsic.WithSSH()},
hsic.WithACLPolicy(
&hscontrol.ACLPolicy{
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:80"},
},
},
SSHs: []hscontrol.SSH{
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
@ -364,19 +364,19 @@ func TestSSUserOnlyIsolation(t *testing.T) {
err = scenario.CreateHeadscaleEnv(spec,
[]tsic.Option{tsic.WithSSH()},
hsic.WithACLPolicy(
&hscontrol.ACLPolicy{
&policy.ACLPolicy{
Groups: map[string][]string{
"group:ssh1": {"useracl1"},
"group:ssh2": {"useracl2"},
},
ACLs: []hscontrol.ACL{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []hscontrol.SSH{
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:ssh1"},