Skip to content

Commit e06f5a3

Browse files
gabe565gabe565
committed
test(policy): Add autogroup tests
1 parent dd528a1 commit e06f5a3

File tree

1 file changed

+255
-0
lines changed

1 file changed

+255
-0
lines changed

hscontrol/policy/acls_test.go

Lines changed: 255 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ import (
1414
"github.com/stretchr/testify/assert"
1515
"go4.org/netipx"
1616
"gopkg.in/check.v1"
17+
"gorm.io/gorm"
1718
"tailscale.com/net/tsaddr"
1819
"tailscale.com/tailcfg"
1920
)
@@ -1594,6 +1595,40 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
15941595
}
15951596

15961597
func TestACLPolicy_generateFilterRules(t *testing.T) {
1598+
user1Node := &types.Node{
1599+
IPv4: iap("100.100.100.100"),
1600+
User: types.User{
1601+
Model: gorm.Model{
1602+
ID: 1,
1603+
},
1604+
},
1605+
}
1606+
1607+
user2Node := &types.Node{
1608+
IPv4: iap("100.100.101.100"),
1609+
User: types.User{
1610+
Model: gorm.Model{
1611+
ID: 2,
1612+
},
1613+
},
1614+
Hostinfo: &tailcfg.Hostinfo{},
1615+
}
1616+
1617+
user1Node2 := &types.Node{
1618+
IPv4: iap("100.100.102.100"),
1619+
User: types.User{
1620+
Model: gorm.Model{
1621+
ID: 1,
1622+
},
1623+
},
1624+
}
1625+
1626+
serverNode := &types.Node{
1627+
IPv4: iap("100.100.103.100"),
1628+
ForcedTags: types.StringList{"tag:server"},
1629+
Hostinfo: &tailcfg.Hostinfo{},
1630+
}
1631+
15971632
type field struct {
15981633
pol ACLPolicy
15991634
}
@@ -1711,6 +1746,175 @@ func TestACLPolicy_generateFilterRules(t *testing.T) {
17111746
},
17121747
wantErr: false,
17131748
},
1749+
{
1750+
name: "autogroup-member-to-internet",
1751+
field: field{
1752+
pol: ACLPolicy{
1753+
ACLs: []ACL{
1754+
{
1755+
Action: "accept",
1756+
Sources: []string{"autogroup:member"},
1757+
Destinations: []string{"autogroup:internet:*"},
1758+
},
1759+
},
1760+
},
1761+
},
1762+
args: args{
1763+
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
1764+
},
1765+
want: []tailcfg.FilterRule{
1766+
{
1767+
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
1768+
DstPorts: hsExitNodeDest,
1769+
},
1770+
},
1771+
wantErr: false,
1772+
},
1773+
{
1774+
name: "autogroup-member-to-self",
1775+
field: field{
1776+
pol: ACLPolicy{
1777+
ACLs: []ACL{
1778+
{
1779+
Action: "accept",
1780+
Sources: []string{"autogroup:member"},
1781+
Destinations: []string{"autogroup:self:*"},
1782+
},
1783+
},
1784+
},
1785+
},
1786+
args: args{
1787+
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
1788+
},
1789+
want: []tailcfg.FilterRule{
1790+
{
1791+
SrcIPs: []string{"100.100.100.100/32", "100.100.102.100/32"},
1792+
DstPorts: []tailcfg.NetPortRange{
1793+
{IP: "100.100.100.100/32", Ports: tailcfg.PortRangeAny},
1794+
{IP: "100.100.102.100/32", Ports: tailcfg.PortRangeAny},
1795+
},
1796+
},
1797+
},
1798+
wantErr: false,
1799+
},
1800+
{
1801+
name: "autogroup-member-to-member",
1802+
field: field{
1803+
pol: ACLPolicy{
1804+
ACLs: []ACL{
1805+
{
1806+
Action: "accept",
1807+
Sources: []string{"autogroup:member"},
1808+
Destinations: []string{"autogroup:member:*"},
1809+
},
1810+
},
1811+
},
1812+
},
1813+
args: args{
1814+
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
1815+
},
1816+
want: []tailcfg.FilterRule{
1817+
{
1818+
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
1819+
DstPorts: []tailcfg.NetPortRange{
1820+
{IP: "100.100.100.100/32", Ports: tailcfg.PortRangeAny},
1821+
{IP: "100.100.101.100/32", Ports: tailcfg.PortRangeAny},
1822+
{IP: "100.100.102.100/32", Ports: tailcfg.PortRangeAny},
1823+
},
1824+
},
1825+
},
1826+
wantErr: false,
1827+
},
1828+
{
1829+
name: "autogroup-member-to-tagged",
1830+
field: field{
1831+
pol: ACLPolicy{
1832+
ACLs: []ACL{
1833+
{
1834+
Action: "accept",
1835+
Sources: []string{"autogroup:member"},
1836+
Destinations: []string{"autogroup:tagged:*"},
1837+
},
1838+
},
1839+
},
1840+
},
1841+
args: args{
1842+
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
1843+
},
1844+
want: []tailcfg.FilterRule{
1845+
{
1846+
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
1847+
DstPorts: []tailcfg.NetPortRange{
1848+
{
1849+
IP: "100.100.103.100/32",
1850+
Ports: tailcfg.PortRangeAny,
1851+
},
1852+
},
1853+
},
1854+
},
1855+
wantErr: false,
1856+
},
1857+
{
1858+
name: "autogroup-member-to-all",
1859+
field: field{
1860+
pol: ACLPolicy{
1861+
ACLs: []ACL{
1862+
{
1863+
Action: "accept",
1864+
Sources: []string{"autogroup:member"},
1865+
Destinations: []string{"autogroup:danger-all:*"},
1866+
},
1867+
},
1868+
},
1869+
},
1870+
args: args{
1871+
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
1872+
},
1873+
want: []tailcfg.FilterRule{
1874+
{
1875+
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
1876+
DstPorts: []tailcfg.NetPortRange{
1877+
{IP: "0.0.0.0/0", Ports: tailcfg.PortRangeAny},
1878+
{IP: "::/0", Ports: tailcfg.PortRangeAny},
1879+
},
1880+
},
1881+
},
1882+
wantErr: false,
1883+
},
1884+
{
1885+
name: "autogroup-unknown",
1886+
field: field{
1887+
pol: ACLPolicy{
1888+
ACLs: []ACL{
1889+
{
1890+
Action: "accept",
1891+
Sources: []string{"autogroup:member"},
1892+
Destinations: []string{"autogroup:fake:*"},
1893+
},
1894+
},
1895+
},
1896+
},
1897+
args: args{},
1898+
want: nil,
1899+
wantErr: true,
1900+
},
1901+
{
1902+
name: "autogroup-multiple-to-self",
1903+
field: field{
1904+
pol: ACLPolicy{
1905+
ACLs: []ACL{
1906+
{
1907+
Action: "accept",
1908+
Sources: []string{"autogroup:member", "autogroup:tagged"},
1909+
Destinations: []string{"autogroup:self"},
1910+
},
1911+
},
1912+
},
1913+
},
1914+
args: args{},
1915+
want: nil,
1916+
wantErr: true,
1917+
},
17141918
}
17151919
for _, tt := range tests {
17161920
t.Run(tt.name, func(t *testing.T) {
@@ -3387,6 +3591,57 @@ func TestSSHRules(t *testing.T) {
33873591
},
33883592
want: &tailcfg.SSHPolicy{Rules: nil},
33893593
},
3594+
{
3595+
name: "autogroup-member-to-tagged",
3596+
node: types.Node{
3597+
Hostname: "testnodes",
3598+
IPv4: iap("100.64.0.1"),
3599+
UserID: 0,
3600+
User: types.User{
3601+
Name: "user1",
3602+
},
3603+
},
3604+
peers: types.Nodes{
3605+
&types.Node{
3606+
Hostname: "testnodes2",
3607+
IPv4: iap("100.64.99.42"),
3608+
UserID: 0,
3609+
User: types.User{
3610+
Name: "user1",
3611+
},
3612+
},
3613+
},
3614+
pol: ACLPolicy{
3615+
Groups: Groups{
3616+
"group:test": []string{"user1"},
3617+
},
3618+
Hosts: Hosts{
3619+
"client": netip.PrefixFrom(netip.MustParseAddr("100.64.99.42"), 32),
3620+
},
3621+
ACLs: []ACL{
3622+
{
3623+
Action: "accept",
3624+
Sources: []string{"*"},
3625+
Destinations: []string{"*:*"},
3626+
},
3627+
},
3628+
SSHs: []SSH{
3629+
{
3630+
Action: "accept",
3631+
Sources: []string{"group:test"},
3632+
Destinations: []string{"100.64.99.42"},
3633+
Users: []string{"autogroup:nonroot"},
3634+
},
3635+
{
3636+
Action: "accept",
3637+
Sources: []string{"*"},
3638+
Destinations: []string{"100.64.99.42"},
3639+
Users: []string{"autogroup:nonroot"},
3640+
},
3641+
},
3642+
},
3643+
want: &tailcfg.SSHPolicy{Rules: nil},
3644+
},
33903645
}
33913646

33923647
for _, tt := range tests {

0 commit comments

Comments
 (0)