2023-05-21 18:37:59 +02:00
package policy
2021-07-03 11:55:32 +02:00
import (
2021-07-04 12:35:18 +02:00
"encoding/json"
2022-04-15 18:01:13 +02:00
"errors"
2021-07-03 17:31:32 +02:00
"fmt"
2021-07-03 11:55:32 +02:00
"io"
2022-09-03 23:46:14 +02:00
"net/netip"
2021-07-03 11:55:32 +02:00
"os"
2022-02-27 09:04:48 +01:00
"path/filepath"
2021-07-04 12:35:18 +02:00
"strconv"
2021-07-03 17:31:32 +02:00
"strings"
2022-09-30 20:44:23 +02:00
"time"
2021-07-03 11:55:32 +02:00
2023-05-21 18:37:59 +02:00
"github.com/juanfont/headscale/hscontrol/types"
2023-05-11 09:09:18 +02:00
"github.com/juanfont/headscale/hscontrol/util"
2021-08-05 19:18:18 +02:00
"github.com/rs/zerolog/log"
2021-07-03 11:55:32 +02:00
"github.com/tailscale/hujson"
2023-04-28 16:11:02 +02:00
"go4.org/netipx"
2022-02-27 09:04:48 +01:00
"gopkg.in/yaml.v3"
2021-07-03 17:31:32 +02:00
"tailscale.com/tailcfg"
2021-07-03 11:55:32 +02:00
)
2023-05-11 09:09:18 +02:00
var (
2023-05-21 18:37:59 +02:00
ErrEmptyPolicy = errors . New ( "empty policy" )
ErrInvalidAction = errors . New ( "invalid action" )
ErrInvalidGroup = errors . New ( "invalid group" )
ErrInvalidTag = errors . New ( "invalid tag" )
ErrInvalidPortFormat = errors . New ( "invalid port format" )
ErrWildcardIsNeeded = errors . New ( "wildcard as port is required for the protocol" )
2021-11-04 23:16:56 +01:00
)
2021-07-03 11:55:32 +02:00
2021-11-14 18:31:51 +01:00
const (
2021-11-15 18:24:24 +01:00
portRangeBegin = 0
portRangeEnd = 65535
expectedTokenItems = 2
2021-11-14 18:31:51 +01:00
)
2022-06-26 11:43:17 +02:00
// For some reason golang.org/x/net/internal/iana is an internal package.
2022-06-11 14:09:08 +02:00
const (
protocolICMP = 1 // Internet Control Message
protocolIGMP = 2 // Internet Group Management
protocolIPv4 = 4 // IPv4 encapsulation
protocolTCP = 6 // Transmission Control
protocolEGP = 8 // Exterior Gateway Protocol
protocolIGP = 9 // any private interior gateway (used by Cisco for their IGRP)
protocolUDP = 17 // User Datagram
protocolGRE = 47 // Generic Routing Encapsulation
protocolESP = 50 // Encap Security Payload
protocolAH = 51 // Authentication Header
protocolIPv6ICMP = 58 // ICMP for IPv6
protocolSCTP = 132 // Stream Control Transmission Protocol
ProtocolFC = 133 // Fibre Channel
)
2023-05-10 10:19:16 +02:00
// LoadACLPolicyFromPath loads the ACL policy from the specify path, and generates the ACL rules.
2023-05-21 18:37:59 +02:00
func LoadACLPolicyFromPath ( path string ) ( * ACLPolicy , error ) {
2021-12-01 20:02:00 +01:00
log . Debug ( ) .
Str ( "func" , "LoadACLPolicy" ) .
Str ( "path" , path ) .
Msg ( "Loading ACL policy from path" )
2021-07-03 11:55:32 +02:00
policyFile , err := os . Open ( path )
if err != nil {
2023-05-21 18:37:59 +02:00
return nil , err
2021-07-03 11:55:32 +02:00
}
defer policyFile . Close ( )
2021-11-14 20:32:03 +01:00
policyBytes , err := io . ReadAll ( policyFile )
2021-07-03 11:55:32 +02:00
if err != nil {
2023-05-21 18:37:59 +02:00
return nil , err
2021-07-03 11:55:32 +02:00
}
2021-11-05 08:24:00 +01:00
2023-05-10 10:19:16 +02:00
log . Debug ( ) .
Str ( "path" , path ) .
Bytes ( "file" , policyBytes ) .
Msg ( "Loading ACLs" )
2022-02-27 09:04:48 +01:00
switch filepath . Ext ( path ) {
case ".yml" , ".yaml" :
2023-05-21 18:37:59 +02:00
return LoadACLPolicyFromBytes ( policyBytes , "yaml" )
2023-05-10 10:19:16 +02:00
}
2022-02-27 09:04:48 +01:00
2023-05-21 18:37:59 +02:00
return LoadACLPolicyFromBytes ( policyBytes , "hujson" )
2023-05-10 10:19:16 +02:00
}
2023-05-21 18:37:59 +02:00
func LoadACLPolicyFromBytes ( acl [ ] byte , format string ) ( * ACLPolicy , error ) {
2023-05-10 10:19:16 +02:00
var policy ACLPolicy
switch format {
case "yaml" :
err := yaml . Unmarshal ( acl , & policy )
2022-02-27 09:04:48 +01:00
if err != nil {
2023-05-21 18:37:59 +02:00
return nil , err
2022-02-27 09:04:48 +01:00
}
default :
2023-05-10 10:19:16 +02:00
ast , err := hujson . Parse ( acl )
2022-02-27 09:04:48 +01:00
if err != nil {
2023-05-21 18:37:59 +02:00
return nil , err
2022-02-27 09:04:48 +01:00
}
ast . Standardize ( )
2023-05-10 10:19:16 +02:00
acl = ast . Pack ( )
err = json . Unmarshal ( acl , & policy )
2022-02-27 09:04:48 +01:00
if err != nil {
2023-05-21 18:37:59 +02:00
return nil , err
2022-02-27 09:04:48 +01:00
}
2021-07-04 13:33:00 +02:00
}
2022-02-27 09:04:48 +01:00
2021-07-03 11:55:32 +02:00
if policy . IsZero ( ) {
2023-05-21 18:37:59 +02:00
return nil , ErrEmptyPolicy
2021-07-03 11:55:32 +02:00
}
2023-05-21 18:37:59 +02:00
return & policy , nil
2022-02-03 20:00:41 +01:00
}
2024-02-23 10:59:24 +01:00
func GenerateFilterAndSSHRulesForTests (
2023-05-21 18:37:59 +02:00
policy * ACLPolicy ,
2023-09-24 13:42:05 +02:00
node * types . Node ,
peers types . Nodes ,
2023-05-21 18:37:59 +02:00
) ( [ ] tailcfg . FilterRule , * tailcfg . SSHPolicy , error ) {
2023-05-31 18:45:04 +02:00
// If there is no policy defined, we default to allow all
2023-05-21 18:37:59 +02:00
if policy == nil {
2023-05-31 18:45:04 +02:00
return tailcfg . FilterAllowAll , & tailcfg . SSHPolicy { } , nil
2022-12-01 00:37:58 +01:00
}
2024-02-23 10:59:24 +01:00
rules , err := policy . CompileFilterRules ( append ( peers , node ) )
2021-07-04 13:24:05 +02:00
if err != nil {
2023-05-21 18:37:59 +02:00
return [ ] tailcfg . FilterRule { } , & tailcfg . SSHPolicy { } , err
2021-07-04 13:24:05 +02:00
}
2023-04-26 17:27:51 +02:00
2023-09-24 13:42:05 +02:00
log . Trace ( ) . Interface ( "ACL" , rules ) . Str ( "node" , node . GivenName ) . Msg ( "ACL rules" )
2022-02-14 15:26:54 +01:00
2024-02-23 10:59:24 +01:00
sshPolicy , err := policy . CompileSSHPolicy ( node , peers )
2023-06-08 19:10:09 +02:00
if err != nil {
return [ ] tailcfg . FilterRule { } , & tailcfg . SSHPolicy { } , err
}
2023-06-16 16:42:30 +02:00
2023-05-21 18:37:59 +02:00
return rules , sshPolicy , nil
2021-07-03 17:31:32 +02:00
}
2024-02-23 10:59:24 +01:00
// CompileFilterRules takes a set of nodes and an ACLPolicy and generates a
2023-04-26 11:19:47 +02:00
// set of Tailscale compatible FilterRules used to allow traffic on clients.
2024-02-23 10:59:24 +01:00
func ( pol * ACLPolicy ) CompileFilterRules (
nodes types . Nodes ,
2023-01-30 09:39:27 +01:00
) ( [ ] tailcfg . FilterRule , error ) {
2024-02-23 10:59:24 +01:00
if pol == nil {
return tailcfg . FilterAllowAll , nil
}
2021-07-03 17:31:32 +02:00
rules := [ ] tailcfg . FilterRule { }
2023-04-26 11:19:47 +02:00
for index , acl := range pol . ACLs {
2021-11-14 20:32:03 +01:00
if acl . Action != "accept" {
2023-05-21 18:37:59 +02:00
return nil , ErrInvalidAction
2021-07-03 17:31:32 +02:00
}
srcIPs := [ ] string { }
2023-04-26 11:19:47 +02:00
for srcIndex , src := range acl . Sources {
2023-09-24 13:42:05 +02:00
srcs , err := pol . expandSource ( src , nodes )
2021-07-03 17:31:32 +02:00
if err != nil {
2024-04-12 15:57:43 +02:00
return nil , fmt . Errorf ( "parsing policy, acl index: %d->%d: %w" , index , srcIndex , err )
2021-07-03 17:31:32 +02:00
}
2021-11-04 23:16:56 +01:00
srcIPs = append ( srcIPs , srcs ... )
2021-07-03 17:31:32 +02:00
}
2023-06-13 10:03:22 +02:00
protocols , isWildcard , err := parseProtocol ( acl . Protocol )
2022-06-08 17:43:59 +02:00
if err != nil {
2024-04-12 15:57:43 +02:00
return nil , fmt . Errorf ( "parsing policy, protocol err: %w " , err )
2022-06-08 17:43:59 +02:00
}
2021-07-04 12:35:18 +02:00
destPorts := [ ] tailcfg . NetPortRange { }
2023-06-13 10:03:22 +02:00
for _ , dest := range acl . Destinations {
alias , port , err := parseDestination ( dest )
if err != nil {
return nil , err
}
expanded , err := pol . ExpandAlias (
2023-09-24 13:42:05 +02:00
nodes ,
2023-06-13 10:03:22 +02:00
alias ,
2022-08-04 10:47:00 +02:00
)
2021-07-04 12:35:18 +02:00
if err != nil {
2023-06-13 10:03:22 +02:00
return nil , err
}
2021-11-14 16:46:09 +01:00
2023-06-13 10:03:22 +02:00
ports , err := expandPorts ( port , isWildcard )
if err != nil {
2021-07-04 12:35:18 +02:00
return nil , err
}
2023-06-13 10:03:22 +02:00
dests := [ ] tailcfg . NetPortRange { }
for _ , dest := range expanded . Prefixes ( ) {
for _ , port := range * ports {
pr := tailcfg . NetPortRange {
IP : dest . String ( ) ,
Ports : port ,
}
dests = append ( dests , pr )
}
}
2021-11-04 23:16:56 +01:00
destPorts = append ( destPorts , dests ... )
2021-07-04 12:35:18 +02:00
}
rules = append ( rules , tailcfg . FilterRule {
SrcIPs : srcIPs ,
DstPorts : destPorts ,
2022-06-08 17:43:59 +02:00
IPProto : protocols ,
2021-07-04 12:35:18 +02:00
} )
2021-07-03 17:31:32 +02:00
}
2021-11-04 23:16:56 +01:00
return rules , nil
2021-07-03 17:31:32 +02:00
}
2023-09-24 13:42:05 +02:00
// ReduceFilterRules takes a node and a set of rules and removes all rules and destinations
2023-06-16 16:42:30 +02:00
// that are not relevant to that particular node.
2023-09-24 13:42:05 +02:00
func ReduceFilterRules ( node * types . Node , rules [ ] tailcfg . FilterRule ) [ ] tailcfg . FilterRule {
2023-06-16 16:42:30 +02:00
ret := [ ] tailcfg . FilterRule { }
for _ , rule := range rules {
2023-09-24 13:42:05 +02:00
// record if the rule is actually relevant for the given node.
2023-06-16 16:42:30 +02:00
dests := [ ] tailcfg . NetPortRange { }
for _ , dest := range rule . DstPorts {
expanded , err := util . ParseIPSet ( dest . IP , nil )
// Fail closed, if we cant parse it, then we should not allow
// access.
if err != nil {
continue
}
2024-04-17 07:03:06 +02:00
if node . InIPSet ( expanded ) {
2023-06-16 16:42:30 +02:00
dests = append ( dests , dest )
}
2024-01-18 17:30:25 +01:00
// If the node exposes routes, ensure they are note removed
// when the filters are reduced.
if node . Hostinfo != nil {
// TODO(kradalby): Evaluate if we should only keep
// the routes if the route is enabled. This will
// require database access in this part of the code.
if len ( node . Hostinfo . RoutableIPs ) > 0 {
for _ , routableIP := range node . Hostinfo . RoutableIPs {
if expanded . ContainsPrefix ( routableIP ) {
dests = append ( dests , dest )
}
}
}
}
2023-06-16 16:42:30 +02:00
}
if len ( dests ) > 0 {
ret = append ( ret , tailcfg . FilterRule {
SrcIPs : rule . SrcIPs ,
DstPorts : dests ,
IPProto : rule . IPProto ,
} )
}
}
return ret
}
2024-02-23 10:59:24 +01:00
func ( pol * ACLPolicy ) CompileSSHPolicy (
2023-09-24 13:42:05 +02:00
node * types . Node ,
peers types . Nodes ,
2024-02-23 10:59:24 +01:00
) ( * tailcfg . SSHPolicy , error ) {
if pol == nil {
return nil , nil
}
2022-09-30 20:44:23 +02:00
rules := [ ] * tailcfg . SSHRule { }
acceptAction := tailcfg . SSHAction {
Message : "" ,
Reject : false ,
Accept : true ,
SessionDuration : 0 ,
AllowAgentForwarding : false ,
HoldAndDelegate : "" ,
AllowLocalPortForwarding : true ,
}
rejectAction := tailcfg . SSHAction {
Message : "" ,
Reject : true ,
Accept : false ,
SessionDuration : 0 ,
AllowAgentForwarding : false ,
HoldAndDelegate : "" ,
AllowLocalPortForwarding : false ,
}
2023-06-08 19:50:59 +02:00
for index , sshACL := range pol . SSHs {
var dest netipx . IPSetBuilder
for _ , src := range sshACL . Destinations {
2023-09-24 13:42:05 +02:00
expanded , err := pol . ExpandAlias ( append ( peers , node ) , src )
2023-06-08 19:50:59 +02:00
if err != nil {
return nil , err
}
dest . AddSet ( expanded )
}
destSet , err := dest . IPSet ( )
if err != nil {
return nil , err
}
2024-04-17 07:03:06 +02:00
if ! node . InIPSet ( destSet ) {
2023-06-08 19:50:59 +02:00
continue
}
2022-09-30 20:44:23 +02:00
action := rejectAction
switch sshACL . Action {
case "accept" :
action = acceptAction
case "check" :
checkAction , err := sshCheckAction ( sshACL . CheckPeriod )
if err != nil {
2024-04-12 15:57:43 +02:00
return nil , fmt . Errorf ( "parsing SSH policy, parsing check duration, index: %d: %w" , index , err )
2022-09-30 20:44:23 +02:00
} else {
action = * checkAction
}
default :
2024-04-12 15:57:43 +02:00
return nil , fmt . Errorf ( "parsing SSH policy, unknown action %q, index: %d: %w" , sshACL . Action , index , err )
2022-09-30 20:44:23 +02:00
}
principals := make ( [ ] * tailcfg . SSHPrincipal , 0 , len ( sshACL . Sources ) )
for innerIndex , rawSrc := range sshACL . Sources {
2023-04-28 16:11:02 +02:00
if isWildcard ( rawSrc ) {
2022-09-30 20:44:23 +02:00
principals = append ( principals , & tailcfg . SSHPrincipal {
2023-04-28 16:11:02 +02:00
Any : true ,
2022-09-30 20:44:23 +02:00
} )
2023-04-28 16:11:02 +02:00
} else if isGroup ( rawSrc ) {
2023-06-19 09:17:50 +02:00
users , err := pol . expandUsersFromGroup ( rawSrc )
2023-04-28 16:11:02 +02:00
if err != nil {
2024-04-12 15:57:43 +02:00
return nil , fmt . Errorf ( "parsing SSH policy, expanding user from group, index: %d->%d: %w" , index , innerIndex , err )
2023-04-28 16:11:02 +02:00
}
for _ , user := range users {
principals = append ( principals , & tailcfg . SSHPrincipal {
UserLogin : user ,
} )
}
} else {
2023-06-08 19:50:59 +02:00
expandedSrcs , err := pol . ExpandAlias (
peers ,
2023-04-28 16:11:02 +02:00
rawSrc ,
)
if err != nil {
2024-04-12 15:57:43 +02:00
return nil , fmt . Errorf ( "parsing SSH policy, expanding alias, index: %d->%d: %w" , index , innerIndex , err )
2023-04-28 16:11:02 +02:00
}
for _ , expandedSrc := range expandedSrcs . Prefixes ( ) {
principals = append ( principals , & tailcfg . SSHPrincipal {
NodeIP : expandedSrc . Addr ( ) . String ( ) ,
} )
}
2022-09-30 20:44:23 +02:00
}
}
userMap := make ( map [ string ] string , len ( sshACL . Users ) )
for _ , user := range sshACL . Users {
userMap [ user ] = "="
}
rules = append ( rules , & tailcfg . SSHRule {
2023-04-28 16:11:02 +02:00
Principals : principals ,
SSHUsers : userMap ,
Action : & action ,
2022-09-30 20:44:23 +02:00
} )
}
2024-02-23 10:59:24 +01:00
return & tailcfg . SSHPolicy {
Rules : rules ,
} , nil
2022-09-30 20:44:23 +02:00
}
func sshCheckAction ( duration string ) ( * tailcfg . SSHAction , error ) {
sessionLength , err := time . ParseDuration ( duration )
if err != nil {
return nil , err
}
return & tailcfg . SSHAction {
Message : "" ,
Reject : false ,
Accept : true ,
SessionDuration : sessionLength ,
AllowAgentForwarding : false ,
HoldAndDelegate : "" ,
AllowLocalPortForwarding : true ,
} , nil
}
2023-06-12 15:59:05 +02:00
func parseDestination ( dest string ) ( string , string , error ) {
var tokens [ ] string
2023-04-16 12:26:35 +02:00
// Check if there is a IPv4/6:Port combination, IPv6 has more than
// three ":".
tokens = strings . Split ( dest , ":" )
2021-11-15 18:24:24 +01:00
if len ( tokens ) < expectedTokenItems || len ( tokens ) > 3 {
2023-04-16 12:26:35 +02:00
port := tokens [ len ( tokens ) - 1 ]
maybeIPv6Str := strings . TrimSuffix ( dest , ":" + port )
log . Trace ( ) . Str ( "maybeIPv6Str" , maybeIPv6Str ) . Msg ( "" )
2023-05-20 11:53:01 +02:00
filteredMaybeIPv6Str := maybeIPv6Str
if strings . Contains ( maybeIPv6Str , "/" ) {
networkParts := strings . Split ( maybeIPv6Str , "/" )
filteredMaybeIPv6Str = networkParts [ 0 ]
}
if maybeIPv6 , err := netip . ParseAddr ( filteredMaybeIPv6Str ) ; err != nil && ! maybeIPv6 . Is6 ( ) {
2023-04-16 12:26:35 +02:00
log . Trace ( ) . Err ( err ) . Msg ( "trying to parse as IPv6" )
2023-06-12 15:59:05 +02:00
return "" , "" , fmt . Errorf (
2023-04-16 12:26:35 +02:00
"failed to parse destination, tokens %v: %w" ,
tokens ,
2023-05-21 18:37:59 +02:00
ErrInvalidPortFormat ,
2023-04-16 12:26:35 +02:00
)
} else {
tokens = [ ] string { maybeIPv6Str , port }
}
2021-07-04 12:35:18 +02:00
}
var alias string
// We can have here stuff like:
// git-server:*
// 192.168.1.0/24:22
2023-04-16 12:26:35 +02:00
// fd7a:115c:a1e0::2:22
// fd7a:115c:a1e0::2/128:22
2021-07-04 12:35:18 +02:00
// tag:montreal-webserver:80,443
// tag:api-server:443
// example-host-1:*
2021-11-15 18:24:24 +01:00
if len ( tokens ) == expectedTokenItems {
2021-07-04 12:35:18 +02:00
alias = tokens [ 0 ]
} else {
alias = fmt . Sprintf ( "%s:%s" , tokens [ 0 ] , tokens [ 1 ] )
}
2023-06-12 15:59:05 +02:00
return alias , tokens [ len ( tokens ) - 1 ] , nil
2021-07-04 12:35:18 +02:00
}
2022-06-08 17:43:59 +02:00
// parseProtocol reads the proto field of the ACL and generates a list of
// protocols that will be allowed, following the IANA IP protocol number
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
//
// If the ACL proto field is empty, it allows ICMPv4, ICMPv6, TCP, and UDP,
// as per Tailscale behaviour (see tailcfg.FilterRule).
//
// Also returns a boolean indicating if the protocol
// requires all the destinations to use wildcard as port number (only TCP,
// UDP and SCTP support specifying ports).
func parseProtocol ( protocol string ) ( [ ] int , bool , error ) {
switch protocol {
case "" :
2022-12-05 20:12:33 +01:00
return nil , false , nil
2022-06-08 17:43:59 +02:00
case "igmp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolIGMP } , true , nil
2022-06-08 17:43:59 +02:00
case "ipv4" , "ip-in-ip" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolIPv4 } , true , nil
2022-06-08 17:43:59 +02:00
case "tcp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolTCP } , false , nil
2022-06-08 17:43:59 +02:00
case "egp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolEGP } , true , nil
2022-06-08 17:43:59 +02:00
case "igp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolIGP } , true , nil
2022-06-08 17:43:59 +02:00
case "udp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolUDP } , false , nil
2022-06-08 17:43:59 +02:00
case "gre" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolGRE } , true , nil
2022-06-08 17:43:59 +02:00
case "esp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolESP } , true , nil
2022-06-08 17:43:59 +02:00
case "ah" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolAH } , true , nil
2022-06-08 17:43:59 +02:00
case "sctp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolSCTP } , false , nil
2022-06-08 17:43:59 +02:00
case "icmp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolICMP , protocolIPv6ICMP } , true , nil
2022-06-08 17:43:59 +02:00
default :
protocolNumber , err := strconv . Atoi ( protocol )
if err != nil {
2024-04-12 15:57:43 +02:00
return nil , false , fmt . Errorf ( "parsing protocol number: %w" , err )
2022-06-08 17:43:59 +02:00
}
2022-08-04 10:47:00 +02:00
needsWildcard := protocolNumber != protocolTCP &&
protocolNumber != protocolUDP &&
protocolNumber != protocolSCTP
2022-06-08 17:43:59 +02:00
return [ ] int { protocolNumber } , needsWildcard , nil
}
}
2023-06-19 09:17:50 +02:00
// expandSource returns a set of Source IPs that would be associated
// with the given src alias.
func ( pol * ACLPolicy ) expandSource (
src string ,
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2023-06-19 09:17:50 +02:00
) ( [ ] string , error ) {
2023-09-24 13:42:05 +02:00
ipSet , err := pol . ExpandAlias ( nodes , src )
2023-06-19 09:17:50 +02:00
if err != nil {
return [ ] string { } , err
}
prefixes := [ ] string { }
for _ , prefix := range ipSet . Prefixes ( ) {
prefixes = append ( prefixes , prefix . String ( ) )
}
return prefixes , nil
}
2022-02-05 17:18:39 +01:00
// expandalias has an input of either
2023-01-17 17:43:44 +01:00
// - a user
2022-02-05 17:18:39 +01:00
// - a group
// - a tag
2023-01-30 09:39:27 +01:00
// - a host
2023-04-16 12:26:35 +02:00
// - an ip
// - a cidr
2022-02-14 15:26:54 +01:00
// and transform these in IPAddresses.
2023-05-21 18:37:59 +02:00
func ( pol * ACLPolicy ) ExpandAlias (
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2022-02-14 15:54:51 +01:00
alias string ,
2023-04-28 16:11:02 +02:00
) ( * netipx . IPSet , error ) {
if isWildcard ( alias ) {
2023-05-21 18:37:59 +02:00
return util . ParseIPSet ( "*" , nil )
2021-07-03 17:31:32 +02:00
}
2023-04-28 16:11:02 +02:00
build := netipx . IPSetBuilder { }
2022-03-02 21:46:02 +01:00
log . Debug ( ) .
Str ( "alias" , alias ) .
Msg ( "Expanding" )
2023-04-26 10:58:26 +02:00
// if alias is a group
2023-04-28 16:11:02 +02:00
if isGroup ( alias ) {
2023-09-24 13:42:05 +02:00
return pol . expandIPsFromGroup ( alias , nodes )
2021-07-03 17:31:32 +02:00
}
2023-04-26 10:58:26 +02:00
// if alias is a tag
2023-04-28 16:11:02 +02:00
if isTag ( alias ) {
2023-09-24 13:42:05 +02:00
return pol . expandIPsFromTag ( alias , nodes )
2021-07-03 17:31:32 +02:00
}
2023-01-17 17:43:44 +01:00
// if alias is a user
2023-09-24 13:42:05 +02:00
if ips , err := pol . expandIPsFromUser ( alias , nodes ) ; ips != nil {
2023-04-28 16:11:02 +02:00
return ips , err
2021-07-03 17:31:32 +02:00
}
2022-02-07 16:12:05 +01:00
// if alias is an host
2023-04-26 14:04:12 +02:00
// Note, this is recursive.
2023-04-26 10:58:26 +02:00
if h , ok := pol . Hosts [ alias ] ; ok {
2023-05-21 18:37:59 +02:00
log . Trace ( ) . Str ( "host" , h . String ( ) ) . Msg ( "ExpandAlias got hosts entry" )
2023-04-16 12:26:35 +02:00
2023-09-24 13:42:05 +02:00
return pol . ExpandAlias ( nodes , h . String ( ) )
2021-07-03 17:31:32 +02:00
}
2022-02-07 16:12:05 +01:00
// if alias is an IP
2023-04-16 12:26:35 +02:00
if ip , err := netip . ParseAddr ( alias ) ; err == nil {
2023-09-24 13:42:05 +02:00
return pol . expandIPsFromSingleIP ( ip , nodes )
2021-07-03 17:31:32 +02:00
}
2023-04-26 10:58:26 +02:00
// if alias is an IP Prefix (CIDR)
if prefix , err := netip . ParsePrefix ( alias ) ; err == nil {
2023-09-24 13:42:05 +02:00
return pol . expandIPsFromIPPrefix ( prefix , nodes )
2021-07-03 17:31:32 +02:00
}
2022-03-02 21:46:02 +01:00
log . Warn ( ) . Msgf ( "No IPs found with the alias %v" , alias )
2023-04-28 16:11:02 +02:00
return build . IPSet ( )
2021-07-03 11:55:32 +02:00
}
2021-07-04 12:35:18 +02:00
2022-02-07 16:12:05 +01:00
// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
2023-01-17 17:43:44 +01:00
// that are correctly tagged since they should not be listed as being in the user
// we assume in this function that we only have nodes from 1 user.
2022-02-14 15:54:51 +01:00
func excludeCorrectlyTaggedNodes (
2023-04-26 10:58:26 +02:00
aclPolicy * ACLPolicy ,
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2023-01-17 17:43:44 +01:00
user string ,
2023-09-24 13:42:05 +02:00
) types . Nodes {
out := types . Nodes { }
2022-02-07 16:12:05 +01:00
tags := [ ] string { }
2022-08-11 14:12:45 +02:00
for tag := range aclPolicy . TagOwners {
2023-06-19 09:17:50 +02:00
owners , _ := expandOwnersFromTag ( aclPolicy , user )
2023-01-17 17:43:44 +01:00
ns := append ( owners , user )
2023-05-11 09:09:18 +02:00
if util . StringOrPrefixListContains ( ns , user ) {
2022-02-07 16:12:05 +01:00
tags = append ( tags , tag )
}
2022-02-05 17:18:39 +01:00
}
2023-09-24 13:42:05 +02:00
// for each node if tag is in tags list, don't append it.
for _ , node := range nodes {
2022-02-07 16:12:05 +01:00
found := false
2023-11-21 18:20:06 +01:00
if node . Hostinfo == nil {
continue
}
for _ , t := range node . Hostinfo . RequestTags {
2023-05-11 09:09:18 +02:00
if util . StringOrPrefixListContains ( tags , t ) {
2022-02-07 16:12:05 +01:00
found = true
2022-02-14 15:26:54 +01:00
2022-02-07 16:12:05 +01:00
break
2022-02-05 17:18:39 +01:00
}
}
2023-09-24 13:42:05 +02:00
if len ( node . ForcedTags ) > 0 {
2022-04-15 18:01:13 +02:00
found = true
}
2022-02-07 16:12:05 +01:00
if ! found {
2023-09-24 13:42:05 +02:00
out = append ( out , node )
2022-02-05 17:18:39 +01:00
}
}
2022-02-14 15:26:54 +01:00
2022-03-02 09:15:14 +01:00
return out
2022-02-05 17:18:39 +01:00
}
2023-06-13 10:03:22 +02:00
func expandPorts ( portsStr string , isWild bool ) ( * [ ] tailcfg . PortRange , error ) {
2023-04-28 16:11:02 +02:00
if isWildcard ( portsStr ) {
2021-11-14 18:31:51 +01:00
return & [ ] tailcfg . PortRange {
2021-11-15 18:24:24 +01:00
{ First : portRangeBegin , Last : portRangeEnd } ,
2021-11-14 18:31:51 +01:00
} , nil
2021-07-04 12:35:18 +02:00
}
2023-06-13 10:03:22 +02:00
if isWild {
2023-05-21 18:37:59 +02:00
return nil , ErrWildcardIsNeeded
2022-06-08 17:43:59 +02:00
}
2021-07-04 12:35:18 +02:00
ports := [ ] tailcfg . PortRange { }
2021-11-14 20:32:03 +01:00
for _ , portStr := range strings . Split ( portsStr , "," ) {
2023-04-16 12:26:35 +02:00
log . Trace ( ) . Msgf ( "parsing portstring: %s" , portStr )
2021-11-14 20:32:03 +01:00
rang := strings . Split ( portStr , "-" )
2021-11-14 18:44:37 +01:00
switch len ( rang ) {
case 1 :
2023-05-11 09:09:18 +02:00
port , err := strconv . ParseUint ( rang [ 0 ] , util . Base10 , util . BitSize16 )
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
ports = append ( ports , tailcfg . PortRange {
2021-11-14 20:32:03 +01:00
First : uint16 ( port ) ,
Last : uint16 ( port ) ,
2021-07-04 12:35:18 +02:00
} )
2021-11-14 18:44:37 +01:00
2021-11-15 18:24:24 +01:00
case expectedTokenItems :
2023-05-11 09:09:18 +02:00
start , err := strconv . ParseUint ( rang [ 0 ] , util . Base10 , util . BitSize16 )
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
2023-05-11 09:09:18 +02:00
last , err := strconv . ParseUint ( rang [ 1 ] , util . Base10 , util . BitSize16 )
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
ports = append ( ports , tailcfg . PortRange {
First : uint16 ( start ) ,
Last : uint16 ( last ) ,
} )
2021-11-14 18:44:37 +01:00
default :
2023-05-21 18:37:59 +02:00
return nil , ErrInvalidPortFormat
2021-07-04 12:35:18 +02:00
}
}
2021-11-14 16:46:09 +01:00
2021-07-04 12:35:18 +02:00
return & ports , nil
}
2022-02-07 16:12:05 +01:00
2023-06-19 09:17:50 +02:00
// expandOwnersFromTag will return a list of user. An owner can be either a user or a group
2022-02-14 15:26:54 +01:00
// a group cannot be composed of groups.
2023-06-19 09:17:50 +02:00
func expandOwnersFromTag (
2023-04-26 10:58:26 +02:00
pol * ACLPolicy ,
2022-03-01 21:01:46 +01:00
tag string ,
) ( [ ] string , error ) {
2024-01-04 21:26:49 +01:00
noTagErr := fmt . Errorf (
"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners" ,
ErrInvalidTag ,
tag ,
)
if pol == nil {
return [ ] string { } , noTagErr
}
2022-02-07 16:12:05 +01:00
var owners [ ] string
2023-04-26 10:58:26 +02:00
ows , ok := pol . TagOwners [ tag ]
2022-02-07 16:12:05 +01:00
if ! ok {
2024-01-04 21:26:49 +01:00
return [ ] string { } , noTagErr
2022-02-07 16:12:05 +01:00
}
2022-02-14 15:26:54 +01:00
for _ , owner := range ows {
2023-04-28 16:11:02 +02:00
if isGroup ( owner ) {
2023-06-19 09:17:50 +02:00
gs , err := pol . expandUsersFromGroup ( owner )
2022-02-07 16:12:05 +01:00
if err != nil {
return [ ] string { } , err
}
owners = append ( owners , gs ... )
} else {
2022-02-14 15:26:54 +01:00
owners = append ( owners , owner )
2022-02-07 16:12:05 +01:00
}
}
2022-02-14 15:26:54 +01:00
2022-02-07 16:12:05 +01:00
return owners , nil
}
2023-06-19 09:17:50 +02:00
// expandUsersFromGroup will return the list of user inside the group
2022-02-14 15:26:54 +01:00
// after some validation.
2023-06-19 09:17:50 +02:00
func ( pol * ACLPolicy ) expandUsersFromGroup (
2022-03-01 21:01:46 +01:00
group string ,
) ( [ ] string , error ) {
2023-04-26 10:58:26 +02:00
users := [ ] string { }
log . Trace ( ) . Caller ( ) . Interface ( "pol" , pol ) . Msg ( "test" )
aclGroups , ok := pol . Groups [ group ]
2022-02-07 16:12:05 +01:00
if ! ok {
2022-02-14 15:54:51 +01:00
return [ ] string { } , fmt . Errorf (
"group %v isn't registered. %w" ,
group ,
2023-05-21 18:37:59 +02:00
ErrInvalidGroup ,
2022-02-14 15:54:51 +01:00
)
2022-02-07 16:12:05 +01:00
}
2022-03-01 21:01:46 +01:00
for _ , group := range aclGroups {
2023-04-28 16:11:02 +02:00
if isGroup ( group ) {
2022-02-14 15:54:51 +01:00
return [ ] string { } , fmt . Errorf (
"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups" ,
2023-05-21 18:37:59 +02:00
ErrInvalidGroup ,
2022-02-14 15:54:51 +01:00
)
2022-02-07 16:12:05 +01:00
}
2023-06-12 15:29:34 +02:00
grp , err := util . NormalizeToFQDNRulesConfigFromViper ( group )
2022-03-01 21:01:46 +01:00
if err != nil {
return [ ] string { } , fmt . Errorf (
"failed to normalize group %q, err: %w" ,
group ,
2023-05-21 18:37:59 +02:00
ErrInvalidGroup ,
2022-03-01 21:01:46 +01:00
)
}
2023-04-26 10:58:26 +02:00
users = append ( users , grp )
}
return users , nil
}
2023-06-19 09:17:50 +02:00
func ( pol * ACLPolicy ) expandIPsFromGroup (
2023-04-26 10:58:26 +02:00
group string ,
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2023-04-28 16:11:02 +02:00
) ( * netipx . IPSet , error ) {
build := netipx . IPSetBuilder { }
2023-04-26 10:58:26 +02:00
2023-06-19 09:17:50 +02:00
users , err := pol . expandUsersFromGroup ( group )
2023-04-26 10:58:26 +02:00
if err != nil {
2023-04-28 16:11:02 +02:00
return & netipx . IPSet { } , err
2023-04-26 10:58:26 +02:00
}
2023-04-28 16:11:02 +02:00
for _ , user := range users {
2023-09-24 13:42:05 +02:00
filteredNodes := filterNodesByUser ( nodes , user )
for _ , node := range filteredNodes {
2024-04-17 07:03:06 +02:00
node . AppendToIPSet ( & build )
2023-04-26 10:58:26 +02:00
}
}
2023-04-28 16:11:02 +02:00
return build . IPSet ( )
2023-04-26 10:58:26 +02:00
}
2023-06-19 09:17:50 +02:00
func ( pol * ACLPolicy ) expandIPsFromTag (
2023-04-26 10:58:26 +02:00
alias string ,
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2023-04-28 16:11:02 +02:00
) ( * netipx . IPSet , error ) {
build := netipx . IPSetBuilder { }
2023-04-26 10:58:26 +02:00
// check for forced tags
2023-09-24 13:42:05 +02:00
for _ , node := range nodes {
if util . StringOrPrefixListContains ( node . ForcedTags , alias ) {
2024-04-17 07:03:06 +02:00
node . AppendToIPSet ( & build )
2023-04-26 10:58:26 +02:00
}
}
// find tag owners
2023-06-19 09:17:50 +02:00
owners , err := expandOwnersFromTag ( pol , alias )
2023-04-26 10:58:26 +02:00
if err != nil {
2023-05-21 18:37:59 +02:00
if errors . Is ( err , ErrInvalidTag ) {
2023-04-28 16:11:02 +02:00
ipSet , _ := build . IPSet ( )
if len ( ipSet . Prefixes ( ) ) == 0 {
return ipSet , fmt . Errorf (
2023-04-26 10:58:26 +02:00
"%w. %v isn't owned by a TagOwner and no forced tags are defined" ,
2023-05-21 18:37:59 +02:00
ErrInvalidTag ,
2023-04-26 10:58:26 +02:00
alias ,
)
}
2023-04-28 16:11:02 +02:00
return build . IPSet ( )
2023-04-26 10:58:26 +02:00
} else {
2023-04-28 16:11:02 +02:00
return nil , err
2023-04-26 10:58:26 +02:00
}
}
2023-09-24 13:42:05 +02:00
// filter out nodes per tag owner
2023-04-26 10:58:26 +02:00
for _ , user := range owners {
2023-09-24 13:42:05 +02:00
nodes := filterNodesByUser ( nodes , user )
for _ , node := range nodes {
2023-11-21 18:20:06 +01:00
if node . Hostinfo == nil {
continue
}
if util . StringOrPrefixListContains ( node . Hostinfo . RequestTags , alias ) {
2024-04-17 07:03:06 +02:00
node . AppendToIPSet ( & build )
2023-04-26 10:58:26 +02:00
}
}
}
2023-04-28 16:11:02 +02:00
return build . IPSet ( )
2023-04-26 10:58:26 +02:00
}
2023-06-19 09:17:50 +02:00
func ( pol * ACLPolicy ) expandIPsFromUser (
2023-04-26 10:58:26 +02:00
user string ,
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2023-04-28 16:11:02 +02:00
) ( * netipx . IPSet , error ) {
build := netipx . IPSetBuilder { }
2023-04-26 10:58:26 +02:00
2023-09-24 13:42:05 +02:00
filteredNodes := filterNodesByUser ( nodes , user )
filteredNodes = excludeCorrectlyTaggedNodes ( pol , filteredNodes , user )
2023-04-26 10:58:26 +02:00
2023-09-24 13:42:05 +02:00
// shortcurcuit if we have no nodes to get ips from.
if len ( filteredNodes ) == 0 {
2023-04-28 16:11:02 +02:00
return nil , nil //nolint
2023-04-26 10:58:26 +02:00
}
2023-09-24 13:42:05 +02:00
for _ , node := range filteredNodes {
2024-04-17 07:03:06 +02:00
node . AppendToIPSet ( & build )
2023-04-28 16:11:02 +02:00
}
return build . IPSet ( )
2023-04-26 10:58:26 +02:00
}
2023-06-19 09:17:50 +02:00
func ( pol * ACLPolicy ) expandIPsFromSingleIP (
2023-04-26 10:58:26 +02:00
ip netip . Addr ,
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2023-04-28 16:11:02 +02:00
) ( * netipx . IPSet , error ) {
2023-05-21 18:37:59 +02:00
log . Trace ( ) . Str ( "ip" , ip . String ( ) ) . Msg ( "ExpandAlias got ip" )
2023-04-26 10:58:26 +02:00
2023-09-24 13:42:05 +02:00
matches := nodes . FilterByIP ( ip )
2023-04-26 10:58:26 +02:00
2023-04-28 16:11:02 +02:00
build := netipx . IPSetBuilder { }
build . Add ( ip )
2023-09-24 13:42:05 +02:00
for _ , node := range matches {
2024-04-17 07:03:06 +02:00
node . AppendToIPSet ( & build )
2023-04-26 10:58:26 +02:00
}
2023-04-28 16:11:02 +02:00
return build . IPSet ( )
2023-04-26 10:58:26 +02:00
}
2023-06-19 09:17:50 +02:00
func ( pol * ACLPolicy ) expandIPsFromIPPrefix (
2023-04-26 10:58:26 +02:00
prefix netip . Prefix ,
2023-09-24 13:42:05 +02:00
nodes types . Nodes ,
2023-04-28 16:11:02 +02:00
) ( * netipx . IPSet , error ) {
2023-04-26 10:58:26 +02:00
log . Trace ( ) . Str ( "prefix" , prefix . String ( ) ) . Msg ( "expandAlias got prefix" )
2023-04-28 16:11:02 +02:00
build := netipx . IPSetBuilder { }
build . AddPrefix ( prefix )
2023-04-26 10:58:26 +02:00
// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
2023-09-24 13:42:05 +02:00
for _ , node := range nodes {
2024-04-17 07:03:06 +02:00
for _ , ip := range node . IPs ( ) {
2023-04-26 10:58:26 +02:00
// log.Trace().
2023-09-24 13:42:05 +02:00
// Msgf("checking if node ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
2023-04-26 10:58:26 +02:00
if prefix . Contains ( ip ) {
2024-04-17 07:03:06 +02:00
node . AppendToIPSet ( & build )
2023-04-26 10:58:26 +02:00
}
}
2022-02-07 16:12:05 +01:00
}
2022-02-14 15:26:54 +01:00
2023-04-28 16:11:02 +02:00
return build . IPSet ( )
}
func isWildcard ( str string ) bool {
return str == "*"
}
func isGroup ( str string ) bool {
return strings . HasPrefix ( str , "group:" )
}
func isTag ( str string ) bool {
return strings . HasPrefix ( str , "tag:" )
2022-02-07 16:12:05 +01:00
}
2023-05-21 18:37:59 +02:00
2023-09-24 13:42:05 +02:00
// TagsOfNode will return the tags of the current node.
2023-05-21 18:37:59 +02:00
// Invalid tags are tags added by a user on a node, and that user doesn't have authority to add this tag.
// Valid tags are tags added by a user that is allowed in the ACL policy to add this tag.
2023-09-24 13:42:05 +02:00
func ( pol * ACLPolicy ) TagsOfNode (
node * types . Node ,
2023-05-21 18:37:59 +02:00
) ( [ ] string , [ ] string ) {
validTags := make ( [ ] string , 0 )
invalidTags := make ( [ ] string , 0 )
2024-02-08 17:28:19 +01:00
// TODO(kradalby): Why is this sometimes nil? coming from tailNode?
if node == nil {
return validTags , invalidTags
}
2023-05-21 18:37:59 +02:00
validTagMap := make ( map [ string ] bool )
invalidTagMap := make ( map [ string ] bool )
2024-02-08 17:28:19 +01:00
if node . Hostinfo != nil {
for _ , tag := range node . Hostinfo . RequestTags {
owners , err := expandOwnersFromTag ( pol , tag )
if errors . Is ( err , ErrInvalidTag ) {
invalidTagMap [ tag ] = true
2023-05-21 18:37:59 +02:00
2024-02-08 17:28:19 +01:00
continue
}
var found bool
for _ , owner := range owners {
if node . User . Name == owner {
found = true
}
}
if found {
validTagMap [ tag ] = true
} else {
invalidTagMap [ tag ] = true
2023-05-21 18:37:59 +02:00
}
}
2024-02-08 17:28:19 +01:00
for tag := range invalidTagMap {
invalidTags = append ( invalidTags , tag )
}
for tag := range validTagMap {
validTags = append ( validTags , tag )
2023-05-21 18:37:59 +02:00
}
}
return validTags , invalidTags
}
2023-09-24 13:42:05 +02:00
func filterNodesByUser ( nodes types . Nodes , user string ) types . Nodes {
out := types . Nodes { }
for _ , node := range nodes {
if node . User . Name == user {
out = append ( out , node )
2023-06-19 09:17:50 +02:00
}
}
return out
}
2023-09-24 13:42:05 +02:00
// FilterNodesByACL returns the list of peers authorized to be accessed from a given node.
func FilterNodesByACL (
node * types . Node ,
nodes types . Nodes ,
2023-05-21 18:37:59 +02:00
filter [ ] tailcfg . FilterRule ,
2023-09-24 13:42:05 +02:00
) types . Nodes {
result := types . Nodes { }
2023-05-21 18:37:59 +02:00
2023-09-24 13:42:05 +02:00
for index , peer := range nodes {
if peer . ID == node . ID {
2023-05-21 18:37:59 +02:00
continue
}
2023-09-24 13:42:05 +02:00
if node . CanAccess ( filter , nodes [ index ] ) || peer . CanAccess ( filter , node ) {
2023-05-21 18:37:59 +02:00
result = append ( result , peer )
}
}
return result
}