Skip to content

Commit

Permalink
test(policy): Add autogroup tests
Browse files Browse the repository at this point in the history
  • Loading branch information
gabe565 committed Nov 8, 2024
1 parent dd528a1 commit e06f5a3
Showing 1 changed file with 255 additions and 0 deletions.
255 changes: 255 additions & 0 deletions hscontrol/policy/acls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import (
"github.com/stretchr/testify/assert"
"go4.org/netipx"
"gopkg.in/check.v1"
"gorm.io/gorm"
"tailscale.com/net/tsaddr"
"tailscale.com/tailcfg"
)
Expand Down Expand Up @@ -1594,6 +1595,40 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
}

func TestACLPolicy_generateFilterRules(t *testing.T) {
user1Node := &types.Node{
IPv4: iap("100.100.100.100"),
User: types.User{
Model: gorm.Model{
ID: 1,
},
},
}

user2Node := &types.Node{
IPv4: iap("100.100.101.100"),
User: types.User{
Model: gorm.Model{
ID: 2,
},
},
Hostinfo: &tailcfg.Hostinfo{},
}

user1Node2 := &types.Node{
IPv4: iap("100.100.102.100"),
User: types.User{
Model: gorm.Model{
ID: 1,
},
},
}

serverNode := &types.Node{
IPv4: iap("100.100.103.100"),
ForcedTags: types.StringList{"tag:server"},
Hostinfo: &tailcfg.Hostinfo{},
}

type field struct {
pol ACLPolicy
}
Expand Down Expand Up @@ -1711,6 +1746,175 @@ func TestACLPolicy_generateFilterRules(t *testing.T) {
},
wantErr: false,
},
{
name: "autogroup-member-to-internet",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"autogroup:member"},
Destinations: []string{"autogroup:internet:*"},
},
},
},
},
args: args{
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
},
want: []tailcfg.FilterRule{
{
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
DstPorts: hsExitNodeDest,
},
},
wantErr: false,
},
{
name: "autogroup-member-to-self",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"autogroup:member"},
Destinations: []string{"autogroup:self:*"},
},
},
},
},
args: args{
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
},
want: []tailcfg.FilterRule{
{
SrcIPs: []string{"100.100.100.100/32", "100.100.102.100/32"},
DstPorts: []tailcfg.NetPortRange{
{IP: "100.100.100.100/32", Ports: tailcfg.PortRangeAny},
{IP: "100.100.102.100/32", Ports: tailcfg.PortRangeAny},
},
},
},
wantErr: false,
},
{
name: "autogroup-member-to-member",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"autogroup:member"},
Destinations: []string{"autogroup:member:*"},
},
},
},
},
args: args{
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
},
want: []tailcfg.FilterRule{
{
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
DstPorts: []tailcfg.NetPortRange{
{IP: "100.100.100.100/32", Ports: tailcfg.PortRangeAny},
{IP: "100.100.101.100/32", Ports: tailcfg.PortRangeAny},
{IP: "100.100.102.100/32", Ports: tailcfg.PortRangeAny},
},
},
},
wantErr: false,
},
{
name: "autogroup-member-to-tagged",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"autogroup:member"},
Destinations: []string{"autogroup:tagged:*"},
},
},
},
},
args: args{
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
},
want: []tailcfg.FilterRule{
{
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
DstPorts: []tailcfg.NetPortRange{
{
IP: "100.100.103.100/32",
Ports: tailcfg.PortRangeAny,
},
},
},
},
wantErr: false,
},
{
name: "autogroup-member-to-all",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"autogroup:member"},
Destinations: []string{"autogroup:danger-all:*"},
},
},
},
},
args: args{
nodes: types.Nodes{user2Node, serverNode, user1Node2, user1Node},
},
want: []tailcfg.FilterRule{
{
SrcIPs: []string{"100.100.100.100/32", "100.100.101.100/32", "100.100.102.100/32"},
DstPorts: []tailcfg.NetPortRange{
{IP: "0.0.0.0/0", Ports: tailcfg.PortRangeAny},
{IP: "::/0", Ports: tailcfg.PortRangeAny},
},
},
},
wantErr: false,
},
{
name: "autogroup-unknown",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"autogroup:member"},
Destinations: []string{"autogroup:fake:*"},
},
},
},
},
args: args{},
want: nil,
wantErr: true,
},
{
name: "autogroup-multiple-to-self",
field: field{
pol: ACLPolicy{
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"autogroup:member", "autogroup:tagged"},
Destinations: []string{"autogroup:self"},
},
},
},
},
args: args{},
want: nil,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Expand Down Expand Up @@ -3387,6 +3591,57 @@ func TestSSHRules(t *testing.T) {
},
want: &tailcfg.SSHPolicy{Rules: nil},
},
{
name: "autogroup-member-to-tagged",
node: types.Node{
Hostname: "testnodes",
IPv4: iap("100.64.0.1"),
UserID: 0,
User: types.User{
Name: "user1",
},
},
peers: types.Nodes{
&types.Node{
Hostname: "testnodes2",
IPv4: iap("100.64.99.42"),
UserID: 0,
User: types.User{
Name: "user1",
},
},
},
pol: ACLPolicy{
Groups: Groups{
"group:test": []string{"user1"},
},
Hosts: Hosts{
"client": netip.PrefixFrom(netip.MustParseAddr("100.64.99.42"), 32),
},
ACLs: []ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []SSH{
{
Action: "accept",
Sources: []string{"group:test"},
Destinations: []string{"100.64.99.42"},
Users: []string{"autogroup:nonroot"},
},
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"100.64.99.42"},
Users: []string{"autogroup:nonroot"},
},
},
},
want: &tailcfg.SSHPolicy{Rules: nil},
},
}

for _, tt := range tests {
Expand Down

0 comments on commit e06f5a3

Please sign in to comment.