2021-07-03 11:55:32 +02:00
package headscale
import (
2021-07-04 12:35:18 +02:00
"encoding/json"
2022-04-15 18:01:13 +02:00
"errors"
2021-07-03 17:31:32 +02:00
"fmt"
2021-07-03 11:55:32 +02:00
"io"
2022-09-03 23:46:14 +02:00
"net/netip"
2021-07-03 11:55:32 +02:00
"os"
2022-02-27 09:04:48 +01:00
"path/filepath"
2021-07-04 12:35:18 +02:00
"strconv"
2021-07-03 17:31:32 +02:00
"strings"
2022-09-30 20:44:23 +02:00
"time"
2021-07-03 11:55:32 +02:00
2021-08-05 19:18:18 +02:00
"github.com/rs/zerolog/log"
2023-04-16 12:26:35 +02:00
"github.com/samber/lo"
2021-07-03 11:55:32 +02:00
"github.com/tailscale/hujson"
2023-04-03 10:08:48 +02:00
"go4.org/netipx"
2022-02-27 09:04:48 +01:00
"gopkg.in/yaml.v3"
2022-11-24 16:35:55 +01:00
"tailscale.com/envknob"
2021-07-03 17:31:32 +02:00
"tailscale.com/tailcfg"
2021-07-03 11:55:32 +02:00
)
2021-11-04 23:16:56 +01:00
const (
2022-03-03 23:53:08 +01:00
errEmptyPolicy = Error ( "empty policy" )
errInvalidAction = Error ( "invalid action" )
errInvalidGroup = Error ( "invalid group" )
errInvalidTag = Error ( "invalid tag" )
errInvalidPortFormat = Error ( "invalid port format" )
2022-06-08 17:55:32 +02:00
errWildcardIsNeeded = Error ( "wildcard as port is required for the protocol" )
2021-11-04 23:16:56 +01:00
)
2021-07-03 11:55:32 +02:00
2021-11-14 18:31:51 +01:00
const (
2022-01-28 19:58:22 +01:00
Base8 = 8
2021-11-15 18:24:24 +01:00
Base10 = 10
BitSize16 = 16
2022-01-28 19:58:22 +01:00
BitSize32 = 32
BitSize64 = 64
2021-11-15 18:24:24 +01:00
portRangeBegin = 0
portRangeEnd = 65535
expectedTokenItems = 2
2021-11-14 18:31:51 +01:00
)
2022-06-26 11:43:17 +02:00
// For some reason golang.org/x/net/internal/iana is an internal package.
2022-06-11 14:09:08 +02:00
const (
protocolICMP = 1 // Internet Control Message
protocolIGMP = 2 // Internet Group Management
protocolIPv4 = 4 // IPv4 encapsulation
protocolTCP = 6 // Transmission Control
protocolEGP = 8 // Exterior Gateway Protocol
protocolIGP = 9 // any private interior gateway (used by Cisco for their IGRP)
protocolUDP = 17 // User Datagram
protocolGRE = 47 // Generic Routing Encapsulation
protocolESP = 50 // Encap Security Payload
protocolAH = 51 // Authentication Header
protocolIPv6ICMP = 58 // ICMP for IPv6
protocolSCTP = 132 // Stream Control Transmission Protocol
ProtocolFC = 133 // Fibre Channel
)
2022-11-24 17:26:52 +01:00
var featureEnableSSH = envknob . RegisterBool ( "HEADSCALE_EXPERIMENTAL_FEATURE_SSH" )
2022-11-24 16:35:55 +01:00
2021-11-13 09:39:04 +01:00
// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
2021-07-04 13:33:00 +02:00
func ( h * Headscale ) LoadACLPolicy ( path string ) error {
2021-12-01 20:02:00 +01:00
log . Debug ( ) .
Str ( "func" , "LoadACLPolicy" ) .
Str ( "path" , path ) .
Msg ( "Loading ACL policy from path" )
2021-07-03 11:55:32 +02:00
policyFile , err := os . Open ( path )
if err != nil {
2021-07-03 17:31:32 +02:00
return err
2021-07-03 11:55:32 +02:00
}
defer policyFile . Close ( )
var policy ACLPolicy
2021-11-14 20:32:03 +01:00
policyBytes , err := io . ReadAll ( policyFile )
2021-07-03 11:55:32 +02:00
if err != nil {
2021-07-03 17:31:32 +02:00
return err
2021-07-03 11:55:32 +02:00
}
2021-11-05 08:24:00 +01:00
2022-02-27 09:04:48 +01:00
switch filepath . Ext ( path ) {
case ".yml" , ".yaml" :
log . Debug ( ) .
Str ( "path" , path ) .
Bytes ( "file" , policyBytes ) .
Msg ( "Loading ACLs from YAML" )
err := yaml . Unmarshal ( policyBytes , & policy )
if err != nil {
return err
}
log . Trace ( ) .
Interface ( "policy" , policy ) .
Msg ( "Loaded policy from YAML" )
default :
ast , err := hujson . Parse ( policyBytes )
if err != nil {
return err
}
ast . Standardize ( )
policyBytes = ast . Pack ( )
err = json . Unmarshal ( policyBytes , & policy )
if err != nil {
return err
}
2021-07-04 13:33:00 +02:00
}
2022-02-27 09:04:48 +01:00
2021-07-03 11:55:32 +02:00
if policy . IsZero ( ) {
2021-11-15 17:33:16 +01:00
return errEmptyPolicy
2021-07-03 11:55:32 +02:00
}
2021-07-03 17:31:32 +02:00
h . aclPolicy = & policy
2022-02-14 15:26:54 +01:00
2022-02-03 20:00:41 +01:00
return h . UpdateACLRules ( )
}
func ( h * Headscale ) UpdateACLRules ( ) error {
2022-12-01 00:37:58 +01:00
machines , err := h . ListMachines ( )
if err != nil {
return err
}
if h . aclPolicy == nil {
return errEmptyPolicy
}
2023-04-26 11:24:44 +02:00
rules , err := h . aclPolicy . generateFilterRules ( machines , h . cfg . OIDC . StripEmaildomain )
2021-07-04 13:24:05 +02:00
if err != nil {
return err
}
2023-04-26 17:27:51 +02:00
2021-12-01 20:02:00 +01:00
log . Trace ( ) . Interface ( "ACL" , rules ) . Msg ( "ACL rules generated" )
2022-02-03 20:00:41 +01:00
h . aclRules = rules
2022-02-14 15:26:54 +01:00
2022-11-24 16:35:55 +01:00
if featureEnableSSH ( ) {
sshRules , err := h . generateSSHRules ( )
if err != nil {
return err
}
log . Trace ( ) . Interface ( "SSH" , sshRules ) . Msg ( "SSH rules generated" )
if h . sshPolicy == nil {
h . sshPolicy = & tailcfg . SSHPolicy { }
}
h . sshPolicy . Rules = sshRules
} else if h . aclPolicy != nil && len ( h . aclPolicy . SSHs ) > 0 {
2022-11-24 17:26:52 +01:00
log . Info ( ) . Msg ( "SSH ACLs has been defined, but HEADSCALE_EXPERIMENTAL_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating" )
2022-09-30 20:44:23 +02:00
}
2021-07-04 13:24:05 +02:00
return nil
2021-07-03 17:31:32 +02:00
}
2023-04-26 11:19:47 +02:00
// generateFilterRules takes a set of machines and an ACLPolicy and generates a
// set of Tailscale compatible FilterRules used to allow traffic on clients.
2023-04-26 11:24:44 +02:00
func ( pol * ACLPolicy ) generateFilterRules (
2023-01-30 09:39:27 +01:00
machines [ ] Machine ,
2023-04-26 14:04:12 +02:00
stripEmailDomain bool ,
2023-01-30 09:39:27 +01:00
) ( [ ] tailcfg . FilterRule , error ) {
2021-07-03 17:31:32 +02:00
rules := [ ] tailcfg . FilterRule { }
2023-04-26 11:19:47 +02:00
for index , acl := range pol . ACLs {
2021-11-14 20:32:03 +01:00
if acl . Action != "accept" {
2021-11-15 17:33:16 +01:00
return nil , errInvalidAction
2021-07-03 17:31:32 +02:00
}
srcIPs := [ ] string { }
2023-04-26 11:19:47 +02:00
for srcIndex , src := range acl . Sources {
2023-04-26 14:04:12 +02:00
srcs , err := pol . getIPsFromSource ( src , machines , stripEmailDomain )
2021-07-03 17:31:32 +02:00
if err != nil {
2021-08-05 19:18:18 +02:00
log . Error ( ) .
2023-04-26 11:19:47 +02:00
Interface ( "src" , src ) .
Int ( "ACL index" , index ) .
Int ( "Src index" , srcIndex ) .
Msgf ( "Error parsing ACL" )
2021-11-14 16:46:09 +01:00
2021-07-03 17:31:32 +02:00
return nil , err
}
2021-11-04 23:16:56 +01:00
srcIPs = append ( srcIPs , srcs ... )
2021-07-03 17:31:32 +02:00
}
2022-06-08 17:43:59 +02:00
protocols , needsWildcard , err := parseProtocol ( acl . Protocol )
if err != nil {
log . Error ( ) .
Msgf ( "Error parsing ACL %d. protocol unknown %s" , index , acl . Protocol )
return nil , err
}
2021-07-04 12:35:18 +02:00
destPorts := [ ] tailcfg . NetPortRange { }
2023-04-26 11:19:47 +02:00
for destIndex , dest := range acl . Destinations {
dests , err := pol . getNetPortRangeFromDestination (
2022-08-04 10:47:00 +02:00
dest ,
2023-04-26 11:19:47 +02:00
machines ,
2022-08-04 10:47:00 +02:00
needsWildcard ,
2023-04-26 14:04:12 +02:00
stripEmailDomain ,
2022-08-04 10:47:00 +02:00
)
2021-07-04 12:35:18 +02:00
if err != nil {
2021-08-05 19:18:18 +02:00
log . Error ( ) .
2023-04-26 11:19:47 +02:00
Interface ( "dest" , dest ) .
Int ( "ACL index" , index ) .
Int ( "dest index" , destIndex ) .
Msgf ( "Error parsing ACL" )
2021-11-14 16:46:09 +01:00
2021-07-04 12:35:18 +02:00
return nil , err
}
2021-11-04 23:16:56 +01:00
destPorts = append ( destPorts , dests ... )
2021-07-04 12:35:18 +02:00
}
rules = append ( rules , tailcfg . FilterRule {
SrcIPs : srcIPs ,
DstPorts : destPorts ,
2022-06-08 17:43:59 +02:00
IPProto : protocols ,
2021-07-04 12:35:18 +02:00
} )
2021-07-03 17:31:32 +02:00
}
2021-11-04 23:16:56 +01:00
return rules , nil
2021-07-03 17:31:32 +02:00
}
2022-09-30 20:44:23 +02:00
func ( h * Headscale ) generateSSHRules ( ) ( [ ] * tailcfg . SSHRule , error ) {
rules := [ ] * tailcfg . SSHRule { }
if h . aclPolicy == nil {
return nil , errEmptyPolicy
}
machines , err := h . ListMachines ( )
if err != nil {
return nil , err
}
acceptAction := tailcfg . SSHAction {
Message : "" ,
Reject : false ,
Accept : true ,
SessionDuration : 0 ,
AllowAgentForwarding : false ,
HoldAndDelegate : "" ,
AllowLocalPortForwarding : true ,
}
rejectAction := tailcfg . SSHAction {
Message : "" ,
Reject : true ,
Accept : false ,
SessionDuration : 0 ,
AllowAgentForwarding : false ,
HoldAndDelegate : "" ,
AllowLocalPortForwarding : false ,
}
for index , sshACL := range h . aclPolicy . SSHs {
action := rejectAction
switch sshACL . Action {
case "accept" :
action = acceptAction
case "check" :
checkAction , err := sshCheckAction ( sshACL . CheckPeriod )
if err != nil {
log . Error ( ) .
Msgf ( "Error parsing SSH %d, check action with unparsable duration '%s'" , index , sshACL . CheckPeriod )
} else {
action = * checkAction
}
default :
log . Error ( ) .
Msgf ( "Error parsing SSH %d, unknown action '%s'" , index , sshACL . Action )
return nil , err
}
principals := make ( [ ] * tailcfg . SSHPrincipal , 0 , len ( sshACL . Sources ) )
for innerIndex , rawSrc := range sshACL . Sources {
2023-04-26 10:58:26 +02:00
expandedSrcs , err := h . aclPolicy . expandAlias (
2022-09-30 20:44:23 +02:00
machines ,
rawSrc ,
h . cfg . OIDC . StripEmaildomain ,
)
if err != nil {
log . Error ( ) .
Msgf ( "Error parsing SSH %d, Source %d" , index , innerIndex )
return nil , err
}
for _ , expandedSrc := range expandedSrcs {
principals = append ( principals , & tailcfg . SSHPrincipal {
NodeIP : expandedSrc ,
} )
}
}
userMap := make ( map [ string ] string , len ( sshACL . Users ) )
for _ , user := range sshACL . Users {
userMap [ user ] = "="
}
rules = append ( rules , & tailcfg . SSHRule {
RuleExpires : nil ,
Principals : principals ,
SSHUsers : userMap ,
Action : & action ,
} )
}
return rules , nil
}
func sshCheckAction ( duration string ) ( * tailcfg . SSHAction , error ) {
sessionLength , err := time . ParseDuration ( duration )
if err != nil {
return nil , err
}
return & tailcfg . SSHAction {
Message : "" ,
Reject : false ,
Accept : true ,
SessionDuration : sessionLength ,
AllowAgentForwarding : false ,
HoldAndDelegate : "" ,
AllowLocalPortForwarding : true ,
} , nil
}
2023-04-26 11:19:47 +02:00
// getIPsFromSource returns a set of Source IPs that would be associated
// with the given src alias.
func ( pol * ACLPolicy ) getIPsFromSource (
2022-06-08 13:40:15 +02:00
src string ,
2023-04-26 11:19:47 +02:00
machines [ ] Machine ,
2022-12-01 00:37:58 +01:00
stripEmaildomain bool ,
2022-02-14 15:54:51 +01:00
) ( [ ] string , error ) {
2023-04-26 10:58:26 +02:00
return pol . expandAlias ( machines , src , stripEmaildomain )
2021-07-04 12:35:18 +02:00
}
2023-04-26 11:19:47 +02:00
// getNetPortRangeFromDestination returns a set of tailcfg.NetPortRange
// which are associated with the dest alias.
func ( pol * ACLPolicy ) getNetPortRangeFromDestination (
2022-06-08 13:40:15 +02:00
dest string ,
2023-04-26 11:19:47 +02:00
machines [ ] Machine ,
2022-06-08 17:43:59 +02:00
needsWildcard bool ,
2022-12-01 00:37:58 +01:00
stripEmaildomain bool ,
2021-11-13 09:36:45 +01:00
) ( [ ] tailcfg . NetPortRange , error ) {
2023-04-16 12:26:35 +02:00
var tokens [ ] string
log . Trace ( ) . Str ( "destination" , dest ) . Msg ( "generating policy destination" )
// Check if there is a IPv4/6:Port combination, IPv6 has more than
// three ":".
tokens = strings . Split ( dest , ":" )
2021-11-15 18:24:24 +01:00
if len ( tokens ) < expectedTokenItems || len ( tokens ) > 3 {
2023-04-16 12:26:35 +02:00
port := tokens [ len ( tokens ) - 1 ]
maybeIPv6Str := strings . TrimSuffix ( dest , ":" + port )
log . Trace ( ) . Str ( "maybeIPv6Str" , maybeIPv6Str ) . Msg ( "" )
if maybeIPv6 , err := netip . ParseAddr ( maybeIPv6Str ) ; err != nil && ! maybeIPv6 . Is6 ( ) {
log . Trace ( ) . Err ( err ) . Msg ( "trying to parse as IPv6" )
return nil , fmt . Errorf (
"failed to parse destination, tokens %v: %w" ,
tokens ,
errInvalidPortFormat ,
)
} else {
tokens = [ ] string { maybeIPv6Str , port }
}
2021-07-04 12:35:18 +02:00
}
2023-04-16 12:26:35 +02:00
log . Trace ( ) . Strs ( "tokens" , tokens ) . Msg ( "generating policy destination" )
2021-07-04 12:35:18 +02:00
var alias string
// We can have here stuff like:
// git-server:*
// 192.168.1.0/24:22
2023-04-16 12:26:35 +02:00
// fd7a:115c:a1e0::2:22
// fd7a:115c:a1e0::2/128:22
2021-07-04 12:35:18 +02:00
// tag:montreal-webserver:80,443
// tag:api-server:443
// example-host-1:*
2021-11-15 18:24:24 +01:00
if len ( tokens ) == expectedTokenItems {
2021-07-04 12:35:18 +02:00
alias = tokens [ 0 ]
} else {
alias = fmt . Sprintf ( "%s:%s" , tokens [ 0 ] , tokens [ 1 ] )
}
2023-04-26 10:58:26 +02:00
expanded , err := pol . expandAlias (
2022-03-01 21:01:46 +01:00
machines ,
alias ,
2022-12-01 00:37:58 +01:00
stripEmaildomain ,
2022-03-01 21:01:46 +01:00
)
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
2022-06-08 17:43:59 +02:00
ports , err := expandPorts ( tokens [ len ( tokens ) - 1 ] , needsWildcard )
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
dests := [ ] tailcfg . NetPortRange { }
2021-11-04 23:16:56 +01:00
for _ , d := range expanded {
2021-07-04 12:35:18 +02:00
for _ , p := range * ports {
pr := tailcfg . NetPortRange {
IP : d ,
Ports : p ,
}
dests = append ( dests , pr )
}
}
2021-11-14 16:46:09 +01:00
2021-11-04 23:16:56 +01:00
return dests , nil
2021-07-04 12:35:18 +02:00
}
2022-06-08 17:43:59 +02:00
// parseProtocol reads the proto field of the ACL and generates a list of
// protocols that will be allowed, following the IANA IP protocol number
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
//
// If the ACL proto field is empty, it allows ICMPv4, ICMPv6, TCP, and UDP,
// as per Tailscale behaviour (see tailcfg.FilterRule).
//
// Also returns a boolean indicating if the protocol
// requires all the destinations to use wildcard as port number (only TCP,
// UDP and SCTP support specifying ports).
func parseProtocol ( protocol string ) ( [ ] int , bool , error ) {
switch protocol {
case "" :
2022-12-05 20:12:33 +01:00
return nil , false , nil
2022-06-08 17:43:59 +02:00
case "igmp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolIGMP } , true , nil
2022-06-08 17:43:59 +02:00
case "ipv4" , "ip-in-ip" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolIPv4 } , true , nil
2022-06-08 17:43:59 +02:00
case "tcp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolTCP } , false , nil
2022-06-08 17:43:59 +02:00
case "egp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolEGP } , true , nil
2022-06-08 17:43:59 +02:00
case "igp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolIGP } , true , nil
2022-06-08 17:43:59 +02:00
case "udp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolUDP } , false , nil
2022-06-08 17:43:59 +02:00
case "gre" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolGRE } , true , nil
2022-06-08 17:43:59 +02:00
case "esp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolESP } , true , nil
2022-06-08 17:43:59 +02:00
case "ah" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolAH } , true , nil
2022-06-08 17:43:59 +02:00
case "sctp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolSCTP } , false , nil
2022-06-08 17:43:59 +02:00
case "icmp" :
2022-06-11 14:09:08 +02:00
return [ ] int { protocolICMP , protocolIPv6ICMP } , true , nil
2022-06-08 17:43:59 +02:00
default :
protocolNumber , err := strconv . Atoi ( protocol )
if err != nil {
return nil , false , err
}
2022-08-04 10:47:00 +02:00
needsWildcard := protocolNumber != protocolTCP &&
protocolNumber != protocolUDP &&
protocolNumber != protocolSCTP
2022-06-08 17:43:59 +02:00
return [ ] int { protocolNumber } , needsWildcard , nil
}
}
2022-02-05 17:18:39 +01:00
// expandalias has an input of either
2023-01-17 17:43:44 +01:00
// - a user
2022-02-05 17:18:39 +01:00
// - a group
// - a tag
2023-01-30 09:39:27 +01:00
// - a host
2023-04-16 12:26:35 +02:00
// - an ip
// - a cidr
2022-02-14 15:26:54 +01:00
// and transform these in IPAddresses.
2023-04-26 10:58:26 +02:00
func ( pol * ACLPolicy ) expandAlias (
2023-04-16 12:26:35 +02:00
machines Machines ,
2022-02-14 15:54:51 +01:00
alias string ,
2022-03-01 21:01:46 +01:00
stripEmailDomain bool ,
2022-02-14 15:54:51 +01:00
) ( [ ] string , error ) {
2021-11-14 20:32:03 +01:00
if alias == "*" {
2021-11-04 23:16:56 +01:00
return [ ] string { "*" } , nil
2021-07-03 17:31:32 +02:00
}
2022-03-02 21:46:02 +01:00
log . Debug ( ) .
Str ( "alias" , alias ) .
Msg ( "Expanding" )
2023-04-26 10:58:26 +02:00
// if alias is a group
2021-11-14 20:32:03 +01:00
if strings . HasPrefix ( alias , "group:" ) {
2023-04-26 10:58:26 +02:00
return pol . getIPsFromGroup ( alias , machines , stripEmailDomain )
2021-07-03 17:31:32 +02:00
}
2023-04-26 10:58:26 +02:00
// if alias is a tag
2021-11-14 20:32:03 +01:00
if strings . HasPrefix ( alias , "tag:" ) {
2023-04-26 10:58:26 +02:00
return pol . getIPsFromTag ( alias , machines , stripEmailDomain )
2021-07-03 17:31:32 +02:00
}
2023-01-17 17:43:44 +01:00
// if alias is a user
2023-04-26 10:58:26 +02:00
if ips := pol . getIPsForUser ( alias , machines , stripEmailDomain ) ; len ( ips ) > 0 {
2021-11-04 23:16:56 +01:00
return ips , nil
2021-07-03 17:31:32 +02:00
}
2022-02-07 16:12:05 +01:00
// if alias is an host
2023-04-26 14:04:12 +02:00
// Note, this is recursive.
2023-04-26 10:58:26 +02:00
if h , ok := pol . Hosts [ alias ] ; ok {
2023-04-16 12:26:35 +02:00
log . Trace ( ) . Str ( "host" , h . String ( ) ) . Msg ( "expandAlias got hosts entry" )
2023-04-26 10:58:26 +02:00
return pol . expandAlias ( machines , h . String ( ) , stripEmailDomain )
2021-07-03 17:31:32 +02:00
}
2022-02-07 16:12:05 +01:00
// if alias is an IP
2023-04-16 12:26:35 +02:00
if ip , err := netip . ParseAddr ( alias ) ; err == nil {
2023-04-26 10:58:26 +02:00
return pol . getIPsFromSingleIP ( ip , machines )
2021-07-03 17:31:32 +02:00
}
2023-04-26 10:58:26 +02:00
// if alias is an IP Prefix (CIDR)
if prefix , err := netip . ParsePrefix ( alias ) ; err == nil {
return pol . getIPsFromIPPrefix ( prefix , machines )
2021-07-03 17:31:32 +02:00
}
2022-03-02 21:46:02 +01:00
log . Warn ( ) . Msgf ( "No IPs found with the alias %v" , alias )
2023-04-26 10:58:26 +02:00
return [ ] string { } , nil
2021-07-03 11:55:32 +02:00
}
2021-07-04 12:35:18 +02:00
2022-02-07 16:12:05 +01:00
// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
2023-01-17 17:43:44 +01:00
// that are correctly tagged since they should not be listed as being in the user
// we assume in this function that we only have nodes from 1 user.
2022-02-14 15:54:51 +01:00
func excludeCorrectlyTaggedNodes (
2023-04-26 10:58:26 +02:00
aclPolicy * ACLPolicy ,
2022-02-14 15:54:51 +01:00
nodes [ ] Machine ,
2023-01-17 17:43:44 +01:00
user string ,
2022-08-04 10:42:47 +02:00
stripEmailDomain bool ,
2022-03-02 09:15:14 +01:00
) [ ] Machine {
2022-02-07 16:12:05 +01:00
out := [ ] Machine { }
tags := [ ] string { }
2022-08-11 14:12:45 +02:00
for tag := range aclPolicy . TagOwners {
2023-04-26 10:58:26 +02:00
owners , _ := getTagOwners ( aclPolicy , user , stripEmailDomain )
2023-01-17 17:43:44 +01:00
ns := append ( owners , user )
if contains ( ns , user ) {
2022-02-07 16:12:05 +01:00
tags = append ( tags , tag )
}
2022-02-05 17:18:39 +01:00
}
2022-02-07 16:12:05 +01:00
// for each machine if tag is in tags list, don't append it.
for _ , machine := range nodes {
2022-03-01 17:34:24 +01:00
hi := machine . GetHostInfo ( )
2022-02-14 15:26:54 +01:00
2022-02-07 16:12:05 +01:00
found := false
for _ , t := range hi . RequestTags {
2022-04-25 21:50:40 +02:00
if contains ( tags , t ) {
2022-02-07 16:12:05 +01:00
found = true
2022-02-14 15:26:54 +01:00
2022-02-07 16:12:05 +01:00
break
2022-02-05 17:18:39 +01:00
}
}
2022-04-15 18:01:13 +02:00
if len ( machine . ForcedTags ) > 0 {
found = true
}
2022-02-07 16:12:05 +01:00
if ! found {
out = append ( out , machine )
2022-02-05 17:18:39 +01:00
}
}
2022-02-14 15:26:54 +01:00
2022-03-02 09:15:14 +01:00
return out
2022-02-05 17:18:39 +01:00
}
2022-06-08 17:43:59 +02:00
func expandPorts ( portsStr string , needsWildcard bool ) ( * [ ] tailcfg . PortRange , error ) {
2021-11-14 20:32:03 +01:00
if portsStr == "*" {
2021-11-14 18:31:51 +01:00
return & [ ] tailcfg . PortRange {
2021-11-15 18:24:24 +01:00
{ First : portRangeBegin , Last : portRangeEnd } ,
2021-11-14 18:31:51 +01:00
} , nil
2021-07-04 12:35:18 +02:00
}
2022-06-08 17:43:59 +02:00
if needsWildcard {
return nil , errWildcardIsNeeded
}
2021-07-04 12:35:18 +02:00
ports := [ ] tailcfg . PortRange { }
2021-11-14 20:32:03 +01:00
for _ , portStr := range strings . Split ( portsStr , "," ) {
2023-04-16 12:26:35 +02:00
log . Trace ( ) . Msgf ( "parsing portstring: %s" , portStr )
2021-11-14 20:32:03 +01:00
rang := strings . Split ( portStr , "-" )
2021-11-14 18:44:37 +01:00
switch len ( rang ) {
case 1 :
2021-11-15 18:24:24 +01:00
port , err := strconv . ParseUint ( rang [ 0 ] , Base10 , BitSize16 )
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
ports = append ( ports , tailcfg . PortRange {
2021-11-14 20:32:03 +01:00
First : uint16 ( port ) ,
Last : uint16 ( port ) ,
2021-07-04 12:35:18 +02:00
} )
2021-11-14 18:44:37 +01:00
2021-11-15 18:24:24 +01:00
case expectedTokenItems :
start , err := strconv . ParseUint ( rang [ 0 ] , Base10 , BitSize16 )
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
2021-11-15 18:24:24 +01:00
last , err := strconv . ParseUint ( rang [ 1 ] , Base10 , BitSize16 )
2021-07-04 12:35:18 +02:00
if err != nil {
return nil , err
}
ports = append ( ports , tailcfg . PortRange {
First : uint16 ( start ) ,
Last : uint16 ( last ) ,
} )
2021-11-14 18:44:37 +01:00
default :
2021-11-15 17:33:16 +01:00
return nil , errInvalidPortFormat
2021-07-04 12:35:18 +02:00
}
}
2021-11-14 16:46:09 +01:00
2021-07-04 12:35:18 +02:00
return & ports , nil
}
2022-02-07 16:12:05 +01:00
2023-01-17 17:43:44 +01:00
func filterMachinesByUser ( machines [ ] Machine , user string ) [ ] Machine {
2022-02-07 16:12:05 +01:00
out := [ ] Machine { }
for _ , machine := range machines {
2023-01-17 17:43:44 +01:00
if machine . User . Name == user {
2022-02-07 16:12:05 +01:00
out = append ( out , machine )
}
}
2022-02-14 15:26:54 +01:00
2022-02-07 16:12:05 +01:00
return out
}
2023-04-26 10:58:26 +02:00
// getTagOwners will return a list of user. An owner can be either a user or a group
2022-02-14 15:26:54 +01:00
// a group cannot be composed of groups.
2023-04-26 10:58:26 +02:00
func getTagOwners (
pol * ACLPolicy ,
2022-03-01 21:01:46 +01:00
tag string ,
stripEmailDomain bool ,
) ( [ ] string , error ) {
2022-02-07 16:12:05 +01:00
var owners [ ] string
2023-04-26 10:58:26 +02:00
ows , ok := pol . TagOwners [ tag ]
2022-02-07 16:12:05 +01:00
if ! ok {
2022-02-14 15:54:51 +01:00
return [ ] string { } , fmt . Errorf (
"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners" ,
errInvalidTag ,
tag ,
)
2022-02-07 16:12:05 +01:00
}
2022-02-14 15:26:54 +01:00
for _ , owner := range ows {
if strings . HasPrefix ( owner , "group:" ) {
2023-04-26 10:58:26 +02:00
gs , err := pol . getUsersInGroup ( owner , stripEmailDomain )
2022-02-07 16:12:05 +01:00
if err != nil {
return [ ] string { } , err
}
owners = append ( owners , gs ... )
} else {
2022-02-14 15:26:54 +01:00
owners = append ( owners , owner )
2022-02-07 16:12:05 +01:00
}
}
2022-02-14 15:26:54 +01:00
2022-02-07 16:12:05 +01:00
return owners , nil
}
2023-04-26 10:58:26 +02:00
// getUsersInGroup will return the list of user inside the group
2022-02-14 15:26:54 +01:00
// after some validation.
2023-04-26 10:58:26 +02:00
func ( pol * ACLPolicy ) getUsersInGroup (
2022-03-01 21:01:46 +01:00
group string ,
stripEmailDomain bool ,
) ( [ ] string , error ) {
2023-04-26 10:58:26 +02:00
users := [ ] string { }
log . Trace ( ) . Caller ( ) . Interface ( "pol" , pol ) . Msg ( "test" )
aclGroups , ok := pol . Groups [ group ]
2022-02-07 16:12:05 +01:00
if ! ok {
2022-02-14 15:54:51 +01:00
return [ ] string { } , fmt . Errorf (
"group %v isn't registered. %w" ,
group ,
errInvalidGroup ,
)
2022-02-07 16:12:05 +01:00
}
2022-03-01 21:01:46 +01:00
for _ , group := range aclGroups {
if strings . HasPrefix ( group , "group:" ) {
2022-02-14 15:54:51 +01:00
return [ ] string { } , fmt . Errorf (
"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups" ,
errInvalidGroup ,
)
2022-02-07 16:12:05 +01:00
}
2022-03-07 23:20:30 +01:00
grp , err := NormalizeToFQDNRules ( group , stripEmailDomain )
2022-03-01 21:01:46 +01:00
if err != nil {
return [ ] string { } , fmt . Errorf (
"failed to normalize group %q, err: %w" ,
group ,
errInvalidGroup ,
)
}
2023-04-26 10:58:26 +02:00
users = append ( users , grp )
}
return users , nil
}
func ( pol * ACLPolicy ) getIPsFromGroup (
group string ,
machines Machines ,
stripEmailDomain bool ,
) ( [ ] string , error ) {
ips := [ ] string { }
users , err := pol . getUsersInGroup ( group , stripEmailDomain )
if err != nil {
return ips , err
}
for _ , n := range users {
nodes := filterMachinesByUser ( machines , n )
for _ , node := range nodes {
ips = append ( ips , node . IPAddresses . ToStringSlice ( ) ... )
}
}
return ips , nil
}
func ( pol * ACLPolicy ) getIPsFromTag (
alias string ,
machines Machines ,
stripEmailDomain bool ,
) ( [ ] string , error ) {
ips := [ ] string { }
// check for forced tags
for _ , machine := range machines {
if contains ( machine . ForcedTags , alias ) {
ips = append ( ips , machine . IPAddresses . ToStringSlice ( ) ... )
}
}
// find tag owners
owners , err := getTagOwners ( pol , alias , stripEmailDomain )
if err != nil {
if errors . Is ( err , errInvalidTag ) {
if len ( ips ) == 0 {
return ips , fmt . Errorf (
"%w. %v isn't owned by a TagOwner and no forced tags are defined" ,
errInvalidTag ,
alias ,
)
}
return ips , nil
} else {
return ips , err
}
}
// filter out machines per tag owner
for _ , user := range owners {
machines := filterMachinesByUser ( machines , user )
for _ , machine := range machines {
hi := machine . GetHostInfo ( )
if contains ( hi . RequestTags , alias ) {
ips = append ( ips , machine . IPAddresses . ToStringSlice ( ) ... )
}
}
}
return ips , nil
}
func ( pol * ACLPolicy ) getIPsForUser (
user string ,
machines Machines ,
stripEmailDomain bool ,
) [ ] string {
ips := [ ] string { }
nodes := filterMachinesByUser ( machines , user )
nodes = excludeCorrectlyTaggedNodes ( pol , nodes , user , stripEmailDomain )
for _ , n := range nodes {
ips = append ( ips , n . IPAddresses . ToStringSlice ( ) ... )
}
return ips
}
func ( pol * ACLPolicy ) getIPsFromSingleIP (
ip netip . Addr ,
machines Machines ,
) ( [ ] string , error ) {
log . Trace ( ) . Str ( "ip" , ip . String ( ) ) . Msg ( "expandAlias got ip" )
ips := [ ] string { ip . String ( ) }
matches := machines . FilterByIP ( ip )
for _ , machine := range matches {
ips = append ( ips , machine . IPAddresses . ToStringSlice ( ) ... )
}
return lo . Uniq ( ips ) , nil
}
func ( pol * ACLPolicy ) getIPsFromIPPrefix (
prefix netip . Prefix ,
machines Machines ,
) ( [ ] string , error ) {
log . Trace ( ) . Str ( "prefix" , prefix . String ( ) ) . Msg ( "expandAlias got prefix" )
val := [ ] string { prefix . String ( ) }
// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
for _ , machine := range machines {
for _ , ip := range machine . IPAddresses {
// log.Trace().
// Msgf("checking if machine ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
if prefix . Contains ( ip ) {
val = append ( val , machine . IPAddresses . ToStringSlice ( ) ... )
}
}
2022-02-07 16:12:05 +01:00
}
2022-02-14 15:26:54 +01:00
2023-04-26 10:58:26 +02:00
return lo . Uniq ( val ) , nil
2022-02-07 16:12:05 +01:00
}
2023-04-26 17:27:51 +02:00
// This is borrowed from
// https://github.com/tailscale/tailscale/blob/71029cea2ddf82007b80f465b256d027eab0f02d/wgengine/filter/tailcfg.go#L97-L162
var (
zeroIP4 = netip . AddrFrom4 ( [ 4 ] byte { } )
zeroIP6 = netip . AddrFrom16 ( [ 16 ] byte { } )
)
// parseIPSet parses arg as one:
//
// - an IP address (IPv4 or IPv6)
// - the string "*" to match everything (both IPv4 & IPv6)
// - a CIDR (e.g. "192.168.0.0/16")
// - a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
//
// bits, if non-nil, is the legacy SrcBits CIDR length to make a IP
// address (without a slash) treated as a CIDR of *bits length.
//
// TODO(bradfitz): make this return an IPSet and plumb that all
// around, and ultimately use a new version of IPSet.ContainsFunc like
// Contains16Func that works in [16]byte address, so we we can match
// at runtime without allocating?
2023-04-26 17:42:14 +02:00
// nolint
2023-04-26 17:27:51 +02:00
func parseIPSet ( arg string , bits * int ) ( [ ] netip . Prefix , error ) {
if arg == "*" {
// User explicitly requested wildcard.
return [ ] netip . Prefix {
netip . PrefixFrom ( zeroIP4 , 0 ) ,
netip . PrefixFrom ( zeroIP6 , 0 ) ,
} , nil
}
if strings . Contains ( arg , "/" ) {
pfx , err := netip . ParsePrefix ( arg )
if err != nil {
return nil , err
}
if pfx != pfx . Masked ( ) {
return nil , fmt . Errorf ( "%v contains non-network bits set" , pfx )
}
2023-04-26 17:42:14 +02:00
2023-04-26 17:27:51 +02:00
return [ ] netip . Prefix { pfx } , nil
}
if strings . Count ( arg , "-" ) == 1 {
ip1s , ip2s , _ := strings . Cut ( arg , "-" )
2023-04-26 17:42:14 +02:00
2023-04-26 17:27:51 +02:00
ip1 , err := netip . ParseAddr ( ip1s )
if err != nil {
return nil , err
}
2023-04-26 17:42:14 +02:00
2023-04-26 17:27:51 +02:00
ip2 , err := netip . ParseAddr ( ip2s )
if err != nil {
return nil , err
}
2023-04-26 17:42:14 +02:00
2023-04-26 17:27:51 +02:00
r := netipx . IPRangeFrom ( ip1 , ip2 )
2023-04-26 17:42:14 +02:00
if ! r . IsValid ( ) {
2023-04-26 17:27:51 +02:00
return nil , fmt . Errorf ( "invalid IP range %q" , arg )
}
2023-04-26 17:42:14 +02:00
2023-04-26 17:27:51 +02:00
return r . Prefixes ( ) , nil
}
ip , err := netip . ParseAddr ( arg )
if err != nil {
return nil , fmt . Errorf ( "invalid IP address %q" , arg )
}
bits8 := uint8 ( ip . BitLen ( ) )
if bits != nil {
if * bits < 0 || * bits > int ( bits8 ) {
return nil , fmt . Errorf ( "invalid CIDR size %d for IP %q" , * bits , arg )
}
bits8 = uint8 ( * bits )
}
2023-04-26 17:42:14 +02:00
return [ ] netip . Prefix { netip . PrefixFrom ( ip , int ( bits8 ) ) } , nil
2023-04-26 17:27:51 +02:00
}
type Match struct {
Srcs [ ] netip . Prefix
Dests [ ] netip . Prefix
}
func MatchFromFilterRule ( rule tailcfg . FilterRule ) Match {
match := Match {
Srcs : [ ] netip . Prefix { } ,
Dests : [ ] netip . Prefix { } ,
}
for _ , srcIP := range rule . SrcIPs {
prefix , _ := parseIPSet ( srcIP , nil )
match . Srcs = append ( match . Srcs , prefix ... )
}
for _ , dest := range rule . DstPorts {
prefix , _ := parseIPSet ( dest . IP , nil )
match . Dests = append ( match . Dests , prefix ... )
}
return match
}
func ( m * Match ) SrcsContainsIPs ( ips [ ] netip . Addr ) bool {
for _ , prefix := range m . Srcs {
for _ , ip := range ips {
if prefix . Contains ( ip ) {
return true
}
}
}
return false
}
func ( m * Match ) DestsContainsIP ( ips [ ] netip . Addr ) bool {
for _ , prefix := range m . Dests {
for _ , ip := range ips {
if prefix . Contains ( ip ) {
return true
}
}
}
return false
}