Resolve user to stable unique ID in policy (#2205)

kradalby · web-flow · commit fffd23602b4f · 2024-11-24T00:13:27.000+01:00
diff --git a/hscontrol/app.go b/hscontrol/app.go
@@ -1029,14 +1029,18 @@ func (h *Headscale) loadACLPolicy() error {
 		if err != nil {
 			return fmt.Errorf("loading nodes from database to validate policy: %w", err)
 		}
+		users, err := h.db.ListUsers()
+		if err != nil {
+			return fmt.Errorf("loading users from database to validate policy: %w", err)
+		}
 
-		_, err = pol.CompileFilterRules(nodes)
+		_, err = pol.CompileFilterRules(users, nodes)
 		if err != nil {
 			return fmt.Errorf("verifying policy rules: %w", err)
 		}
 
 		if len(nodes) > 0 {
-			_, err = pol.CompileSSHPolicy(nodes[0], nodes)
+			_, err = pol.CompileSSHPolicy(nodes[0], users, nodes)
 			if err != nil {
 				return fmt.Errorf("verifying SSH rules: %w", err)
 			}
diff --git a/hscontrol/db/node_test.go b/hscontrol/db/node_test.go
@@ -256,10 +256,10 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(len(testPeers), check.Equals, 9)
 
-	adminRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, adminNode, adminPeers)
+	adminRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, adminNode, adminPeers, []types.User{*stor[0].user, *stor[1].user})
 	c.Assert(err, check.IsNil)
 
-	testRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, testNode, testPeers)
+	testRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, testNode, testPeers, []types.User{*stor[0].user, *stor[1].user})
 	c.Assert(err, check.IsNil)
 
 	peersOfAdminNode := policy.FilterNodesByACL(adminNode, adminPeers, adminRules)
diff --git a/hscontrol/db/routes.go b/hscontrol/db/routes.go
@@ -648,8 +648,13 @@ func EnableAutoApprovedRoutes(
 			if approvedAlias == node.User.Username() {
 				approvedRoutes = append(approvedRoutes, advertisedRoute)
 			} else {
+				users, err := ListUsers(tx)
+				if err != nil {
+					return fmt.Errorf("looking up users to expand route alias: %w", err)
+				}
+
 				// TODO(kradalby): figure out how to get this to depend on less stuff
-				approvedIps, err := aclPolicy.ExpandAlias(types.Nodes{node}, approvedAlias)
+				approvedIps, err := aclPolicy.ExpandAlias(types.Nodes{node}, users, approvedAlias)
 				if err != nil {
 					return fmt.Errorf("expanding alias %q for autoApprovers: %w", approvedAlias, err)
 				}
diff --git a/hscontrol/grpcv1.go b/hscontrol/grpcv1.go
@@ -773,14 +773,18 @@ func (api headscaleV1APIServer) SetPolicy(
 	if err != nil {
 		return nil, fmt.Errorf("loading nodes from database to validate policy: %w", err)
 	}
+	users, err := api.h.db.ListUsers()
+	if err != nil {
+		return nil, fmt.Errorf("loading users from database to validate policy: %w", err)
+	}
 
-	_, err = pol.CompileFilterRules(nodes)
+	_, err = pol.CompileFilterRules(users, nodes)
 	if err != nil {
 		return nil, fmt.Errorf("verifying policy rules: %w", err)
 	}
 
 	if len(nodes) > 0 {
-		_, err = pol.CompileSSHPolicy(nodes[0], nodes)
+		_, err = pol.CompileSSHPolicy(nodes[0], users, nodes)
 		if err != nil {
 			return nil, fmt.Errorf("verifying SSH rules: %w", err)
 		}
diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
@@ -153,6 +153,7 @@ func addNextDNSMetadata(resolvers []*dnstype.Resolver, node *types.Node) {
 func (m *Mapper) fullMapResponse(
 	node *types.Node,
 	peers types.Nodes,
+	users []types.User,
 	pol *policy.ACLPolicy,
 	capVer tailcfg.CapabilityVersion,
 ) (*tailcfg.MapResponse, error) {
@@ -167,6 +168,7 @@ func (m *Mapper) fullMapResponse(
 		pol,
 		node,
 		capVer,
+		users,
 		peers,
 		peers,
 		m.cfg,
@@ -189,8 +191,12 @@ func (m *Mapper) FullMapResponse(
 	if err != nil {
 		return nil, err
 	}
+	users, err := m.db.ListUsers()
+	if err != nil {
+		return nil, err
+	}
 
-	resp, err := m.fullMapResponse(node, peers, pol, mapRequest.Version)
+	resp, err := m.fullMapResponse(node, peers, users, pol, mapRequest.Version)
 	if err != nil {
 		return nil, err
 	}
@@ -253,6 +259,11 @@ func (m *Mapper) PeerChangedResponse(
 		return nil, err
 	}
 
+	users, err := m.db.ListUsers()
+	if err != nil {
+		return nil, fmt.Errorf("listing users for map response: %w", err)
+	}
+
 	var removedIDs []tailcfg.NodeID
 	var changedIDs []types.NodeID
 	for nodeID, nodeChanged := range changed {
@@ -276,6 +287,7 @@ func (m *Mapper) PeerChangedResponse(
 		pol,
 		node,
 		mapRequest.Version,
+		users,
 		peers,
 		changedNodes,
 		m.cfg,
@@ -508,16 +520,17 @@ func appendPeerChanges(
 	pol *policy.ACLPolicy,
 	node *types.Node,
 	capVer tailcfg.CapabilityVersion,
+	users []types.User,
 	peers types.Nodes,
 	changed types.Nodes,
 	cfg *types.Config,
 ) error {
-	packetFilter, err := pol.CompileFilterRules(append(peers, node))
+	packetFilter, err := pol.CompileFilterRules(users, append(peers, node))
 	if err != nil {
 		return err
 	}
 
-	sshPolicy, err := pol.CompileSSHPolicy(node, peers)
+	sshPolicy, err := pol.CompileSSHPolicy(node, users, peers)
 	if err != nil {
 		return err
 	}
diff --git a/hscontrol/mapper/mapper_test.go b/hscontrol/mapper/mapper_test.go
@@ -159,6 +159,9 @@ func Test_fullMapResponse(t *testing.T) {
 	lastSeen := time.Date(2009, time.November, 10, 23, 9, 0, 0, time.UTC)
 	expire := time.Date(2500, time.November, 11, 23, 0, 0, 0, time.UTC)
 
+	user1 := types.User{Model: gorm.Model{ID: 0}, Name: "mini"}
+	user2 := types.User{Model: gorm.Model{ID: 1}, Name: "peer2"}
+
 	mini := &types.Node{
 		ID: 0,
 		MachineKey: mustMK(
@@ -173,8 +176,8 @@ func Test_fullMapResponse(t *testing.T) {
 		IPv4:       iap("100.64.0.1"),
 		Hostname:   "mini",
 		GivenName:  "mini",
-		UserID:     0,
-		User:       types.User{Name: "mini"},
+		UserID:     user1.ID,
+		User:       user1,
 		ForcedTags: []string{},
 		AuthKey:    &types.PreAuthKey{},
 		LastSeen:   &lastSeen,
@@ -253,8 +256,8 @@ func Test_fullMapResponse(t *testing.T) {
 		IPv4:       iap("100.64.0.2"),
 		Hostname:   "peer1",
 		GivenName:  "peer1",
-		UserID:     0,
-		User:       types.User{Name: "mini"},
+		UserID:     user1.ID,
+		User:       user1,
 		ForcedTags: []string{},
 		LastSeen:   &lastSeen,
 		Expiry:     &expire,
@@ -308,8 +311,8 @@ func Test_fullMapResponse(t *testing.T) {
 		IPv4:       iap("100.64.0.3"),
 		Hostname:   "peer2",
 		GivenName:  "peer2",
-		UserID:     1,
-		User:       types.User{Name: "peer2"},
+		UserID:     user2.ID,
+		User:       user2,
 		ForcedTags: []string{},
 		LastSeen:   &lastSeen,
 		Expiry:     &expire,
@@ -468,6 +471,7 @@ func Test_fullMapResponse(t *testing.T) {
 			got, err := mappy.fullMapResponse(
 				tt.node,
 				tt.peers,
+				[]types.User{user1, user2},
 				tt.pol,
 				0,
 			)
diff --git a/hscontrol/policy/acls.go b/hscontrol/policy/acls.go
diff --git a/hscontrol/policy/acls_test.go b/hscontrol/policy/acls_test.go
diff --git a/hscontrol/types/users.go b/hscontrol/types/users.go

Original file line number	Diff line number	Diff line change
`@@ -1029,14 +1029,18 @@ func (h *Headscale) loadACLPolicy() error {`
`1029`	`1029`	`if err != nil {`
`1030`	`1030`	`return fmt.Errorf("loading nodes from database to validate policy: %w", err)`
`1031`	`1031`	`}`
	`1032`	`+ users, err := h.db.ListUsers()`
	`1033`	`+ if err != nil {`
	`1034`	`+ return fmt.Errorf("loading users from database to validate policy: %w", err)`
	`1035`	`+ }`
`1032`	`1036`
`1033`		`- _, err = pol.CompileFilterRules(nodes)`
	`1037`	`+ _, err = pol.CompileFilterRules(users, nodes)`
`1034`	`1038`	`if err != nil {`
`1035`	`1039`	`return fmt.Errorf("verifying policy rules: %w", err)`
`1036`	`1040`	`}`
`1037`	`1041`
`1038`	`1042`	`if len(nodes) > 0 {`
`1039`		`- _, err = pol.CompileSSHPolicy(nodes[0], nodes)`
	`1043`	`+ _, err = pol.CompileSSHPolicy(nodes[0], users, nodes)`
`1040`	`1044`	`if err != nil {`
`1041`	`1045`	`return fmt.Errorf("verifying SSH rules: %w", err)`
`1042`	`1046`	`}`
Original file line number	Diff line number	Diff line change
`@@ -773,14 +773,18 @@ func (api headscaleV1APIServer) SetPolicy(`
`773`	`773`	`if err != nil {`
`774`	`774`	`return nil, fmt.Errorf("loading nodes from database to validate policy: %w", err)`
`775`	`775`	`}`
	`776`	`+ users, err := api.h.db.ListUsers()`
	`777`	`+ if err != nil {`
	`778`	`+ return nil, fmt.Errorf("loading users from database to validate policy: %w", err)`
	`779`	`+ }`
`776`	`780`
`777`		`- _, err = pol.CompileFilterRules(nodes)`
	`781`	`+ _, err = pol.CompileFilterRules(users, nodes)`
`778`	`782`	`if err != nil {`
`779`	`783`	`return nil, fmt.Errorf("verifying policy rules: %w", err)`
`780`	`784`	`}`
`781`	`785`
`782`	`786`	`if len(nodes) > 0 {`
`783`		`- _, err = pol.CompileSSHPolicy(nodes[0], nodes)`
	`787`	`+ _, err = pol.CompileSSHPolicy(nodes[0], users, nodes)`
`784`	`788`	`if err != nil {`
`785`	`789`	`return nil, fmt.Errorf("verifying SSH rules: %w", err)`
`786`	`790`	`}`