diff --git a/integration/acl_test.go b/integration/acl_test.go
index fb6fef93..4bbf7157 100644
--- a/integration/acl_test.go
+++ b/integration/acl_test.go
@@ -8,7 +8,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/juanfont/headscale/hscontrol/policy"
+	policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/stretchr/testify/assert"
@@ -50,7 +50,7 @@ var veryLargeDestination = []string{
 
 func aclScenario(
 	t *testing.T,
-	policy *policy.ACLPolicy,
+	policy *policyv1.ACLPolicy,
 	clientsPerUser int,
 ) *Scenario {
 	t.Helper()
@@ -77,6 +77,8 @@ func aclScenario(
 		},
 		hsic.WithACLPolicy(policy),
 		hsic.WithTestName("acl"),
+		hsic.WithEmbeddedDERPServerOnly(),
+		hsic.WithTLS(),
 	)
 	require.NoError(t, err)
 
@@ -100,7 +102,7 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 	// they can access minus one (them self).
 	tests := map[string]struct {
 		users  map[string]int
-		policy policy.ACLPolicy
+		policy policyv1.ACLPolicy
 		want   map[string]int
 	}{
 		// Test that when we have no ACL, each client netmap has
@@ -110,8 +112,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
@@ -131,8 +133,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
@@ -157,8 +159,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
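Review bot: The two options appended in the aclScenario hunk, `hsic.WithEmbeddedDERPServerOnly()` and `hsic.WithTLS()`, change the environment of every ACL integration test without a comment saying why, and the same pair is added to TestTaildrop in general_test.go. Presumably this aligns these tests with TestAutoApprovedSubRoute2068 in route_test.go, which already passes the same two options (visible as context there), but that should be stated above the lines, e.g. `// Match the other scenarios: control plane over TLS, relay only via the embedded DERP server.`, with the reason confirmed by the author. sshScenario in ssh_test.go is touched by this diff only for the type rename and is not given these options, so it is worth saying whether that divergence is intended. The body of aclScenario starts and ends outside the hunk.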
@@ -194,8 +196,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
@@ -222,8 +224,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
@@ -250,8 +252,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
@@ -306,8 +308,8 @@ func TestACLAllowUser80Dst(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		&policy.ACLPolicy{
-			ACLs: []policy.ACL{
+		&policyv1.ACLPolicy{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"user1"},
@@ -360,11 +362,11 @@ func TestACLDenyAllPort80(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		&policy.ACLPolicy{
+		&policyv1.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-acl-test": {"user1", "user2"},
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"group:integration-acl-test"},
@@ -407,8 +409,8 @@ func TestACLAllowUserDst(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		&policy.ACLPolicy{
-			ACLs: []policy.ACL{
+		&policyv1.ACLPolicy{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"user1"},
@@ -463,8 +465,8 @@ func TestACLAllowStarDst(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		&policy.ACLPolicy{
-			ACLs: []policy.ACL{
+		&policyv1.ACLPolicy{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"user1"},
@@ -520,11 +522,11 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		&policy.ACLPolicy{
-			Hosts: policy.Hosts{
+		&policyv1.ACLPolicy{
+			Hosts: policyv1.Hosts{
 				"all": netip.MustParsePrefix("100.64.0.0/24"),
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				// Everyone can curl test3
 				{
 					Action:       "accept",
@@ -617,16 +619,16 @@ func TestACLNamedHostsCanReach(t *testing.T) {
 	IntegrationSkip(t)
 
 	tests := map[string]struct {
-		policy policy.ACLPolicy
+		policy policyv1.ACLPolicy
 	}{
 		"ipv4": {
-			policy: policy.ACLPolicy{
-				Hosts: policy.Hosts{
+			policy: policyv1.ACLPolicy{
+				Hosts: policyv1.Hosts{
 					"test1": netip.MustParsePrefix("100.64.0.1/32"),
 					"test2": netip.MustParsePrefix("100.64.0.2/32"),
 					"test3": netip.MustParsePrefix("100.64.0.3/32"),
 				},
-				ACLs: []policy.ACL{
+				ACLs: []policyv1.ACL{
 					// Everyone can curl test3
 					{
 						Action:       "accept",
@@ -643,13 +645,13 @@ func TestACLNamedHostsCanReach(t *testing.T) {
 			},
 		},
 		"ipv6": {
-			policy: policy.ACLPolicy{
-				Hosts: policy.Hosts{
+			policy: policyv1.ACLPolicy{
+				Hosts: policyv1.Hosts{
 					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
 					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
 					"test3": netip.MustParsePrefix("fd7a:115c:a1e0::3/128"),
 				},
-				ACLs: []policy.ACL{
+				ACLs: []policyv1.ACL{
 					// Everyone can curl test3
 					{
 						Action:       "accept",
@@ -866,11 +868,11 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 	IntegrationSkip(t)
 
 	tests := map[string]struct {
-		policy policy.ACLPolicy
+		policy policyv1.ACLPolicy
 	}{
 		"ipv4": {
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"100.64.0.1"},
@@ -880,8 +882,8 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"ipv6": {
-			policy: policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"fd7a:115c:a1e0::1"},
@@ -891,12 +893,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"hostv4cidr": {
-			policy: policy.ACLPolicy{
-				Hosts: policy.Hosts{
+			policy: policyv1.ACLPolicy{
+				Hosts: policyv1.Hosts{
 					"test1": netip.MustParsePrefix("100.64.0.1/32"),
 					"test2": netip.MustParsePrefix("100.64.0.2/32"),
 				},
-				ACLs: []policy.ACL{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
@@ -906,12 +908,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"hostv6cidr": {
-			policy: policy.ACLPolicy{
-				Hosts: policy.Hosts{
+			policy: policyv1.ACLPolicy{
+				Hosts: policyv1.Hosts{
 					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
 					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
 				},
-				ACLs: []policy.ACL{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
@@ -921,12 +923,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"group": {
-			policy: policy.ACLPolicy{
+			policy: policyv1.ACLPolicy{
 				Groups: map[string][]string{
 					"group:one": {"user1"},
 					"group:two": {"user2"},
 				},
-				ACLs: []policy.ACL{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"group:one"},
@@ -1085,15 +1087,15 @@ func TestPolicyUpdateWhileRunningWithCLIInDatabase(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	require.NoError(t, err)
 
-	p := policy.ACLPolicy{
-		ACLs: []policy.ACL{
+	p := policyv1.ACLPolicy{
+		ACLs: []policyv1.ACL{
 			{
 				Action:       "accept",
 				Sources:      []string{"user1"},
 				Destinations: []string{"user2:*"},
 			},
 		},
-		Hosts: policy.Hosts{},
+		Hosts: policyv1.Hosts{},
 	}
 
 	pBytes, _ := json.Marshal(p)
@@ -1118,7 +1120,7 @@ func TestPolicyUpdateWhileRunningWithCLIInDatabase(t *testing.T) {
 
 	// Get the current policy and check
 	// if it is the same as the one we set.
-	var output *policy.ACLPolicy
+	var output *policyv1.ACLPolicy
 	err = executeAndUnmarshal(
 		headscale,
 		[]string{
diff --git a/integration/cli_test.go b/integration/cli_test.go
index 17c8870d..ba680d54 100644
--- a/integration/cli_test.go
+++ b/integration/cli_test.go
@@ -11,7 +11,7 @@ import (
 	tcmp "github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/policy"
+	policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
@@ -915,7 +915,7 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
 
 	tests := []struct {
 		name    string
-		policy  *policy.ACLPolicy
+		policy  *policyv1.ACLPolicy
 		wantTag bool
 	}{
 		{
@@ -924,8 +924,8 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
 		},
 		{
 			name: "with-policy-email",
-			policy: &policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: &policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
@@ -940,8 +940,8 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
 		},
 		{
 			name: "with-policy-username",
-			policy: &policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			policy: &policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
@@ -956,11 +956,11 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
 		},
 		{
 			name: "with-policy-groups",
-			policy: &policy.ACLPolicy{
-				Groups: policy.Groups{
+			policy: &policyv1.ACLPolicy{
+				Groups: policyv1.Groups{
 					"group:admins": []string{"user1"},
 				},
-				ACLs: []policy.ACL{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
@@ -1742,8 +1742,8 @@ func TestPolicyCommand(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	assertNoErr(t, err)
 
-	p := policy.ACLPolicy{
-		ACLs: []policy.ACL{
+	p := policyv1.ACLPolicy{
+		ACLs: []policyv1.ACL{
 			{
 				Action:       "accept",
 				Sources:      []string{"*"},
@@ -1778,7 +1778,7 @@ func TestPolicyCommand(t *testing.T) {
 
 	// Get the current policy and check
 	// if it is the same as the one we set.
-	var output *policy.ACLPolicy
+	var output *policyv1.ACLPolicy
 	err = executeAndUnmarshal(
 		headscale,
 		[]string{
@@ -1822,8 +1822,8 @@ func TestPolicyBrokenConfigCommand(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	assertNoErr(t, err)
 
-	p := policy.ACLPolicy{
-		ACLs: []policy.ACL{
+	p := policyv1.ACLPolicy{
+		ACLs: []policyv1.ACL{
 			{
 				// This is an unknown action, so it will return an error
 				// and the config will not be applied.
diff --git a/integration/general_test.go b/integration/general_test.go
index 3bdce469..d6d9e7e1 100644
--- a/integration/general_test.go
+++ b/integration/general_test.go
@@ -365,7 +365,11 @@ func TestTaildrop(t *testing.T) {
 		"taildrop": len(MustTestVersions),
 	}
 
-	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("taildrop"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{},
+		hsic.WithTestName("taildrop"),
+		hsic.WithEmbeddedDERPServerOnly(),
+		hsic.WithTLS(),
+	)
 	assertNoErrHeadscaleEnv(t, err)
 
 	allClients, err := scenario.ListTailscaleClients()
diff --git a/integration/hsic/hsic.go b/integration/hsic/hsic.go
index b75d9c08..02ec0fed 100644
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@@ -12,6 +12,7 @@ import (
 	"net/netip"
 	"os"
 	"path"
+	"regexp"
 	"sort"
 	"strconv"
 	"strings"
@@ -19,7 +20,7 @@ import (
 
 	"github.com/davecgh/go-spew/spew"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/policy"
+	policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dockertestutil"
@@ -64,7 +65,7 @@ type HeadscaleInContainer struct {
 	extraPorts       []string
 	caCerts          [][]byte
 	hostPortBindings map[string][]string
-	aclPolicy        *policy.ACLPolicy
+	aclPolicy        *policyv1.ACLPolicy
 	env              map[string]string
 	tlsCert          []byte
 	tlsKey           []byte
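Review bot: The hsic.go import hunk adds `"regexp"`, but none of the hsic.go hunks in this diff (imports, the `aclPolicy` field, `WithACLPolicy`) introduce a use of it. If the use is in a hunk outside this excerpt that is fine; otherwise the package fails to compile with "imported and not used" and `goimports` would simply remove the line again. Worth confirming the hunk that consumes it is part of the same commit rather than a later one.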
@@ -78,7 +79,7 @@ type Option = func(c *HeadscaleInContainer)
 
 // WithACLPolicy adds a hscontrol.ACLPolicy policy to the
 // HeadscaleInContainer instance.
-func WithACLPolicy(acl *policy.ACLPolicy) Option {
+func WithACLPolicy(acl *policyv1.ACLPolicy) Option {
 	return func(hsic *HeadscaleInContainer) {
 		if acl == nil {
 			return
diff --git a/integration/route_test.go b/integration/route_test.go
index e6f6b5d6..e92a4c37 100644
--- a/integration/route_test.go
+++ b/integration/route_test.go
@@ -8,7 +8,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/policy"
+	policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
@@ -29,7 +29,7 @@ func TestEnablingRoutes(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
 
-	user := "enable-routing"
+	user := "user6"
 
 	scenario, err := NewScenario(dockertestMaxWait())
 	require.NoErrorf(t, err, "failed to create scenario: %s", err)
@@ -203,7 +203,7 @@ func TestHASubnetRouterFailover(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
 
-	user := "enable-routing"
+	user := "user9"
 
 	scenario, err := NewScenario(dockertestMaxWait())
 	require.NoErrorf(t, err, "failed to create scenario: %s", err)
@@ -528,7 +528,7 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) {
 
 	expectedRoutes := "172.0.0.0/24"
 
-	user := "enable-disable-routing"
+	user := "user2"
 
 	scenario, err := NewScenario(dockertestMaxWait())
 	require.NoErrorf(t, err, "failed to create scenario: %s", err)
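Review bot: The doc comment above WithACLPolicy still says it "adds a hscontrol.ACLPolicy policy" while the signature in the hunk now takes `*policyv1.ACLPolicy`, so the comment is stale the moment this lands; I would change it to `// WithACLPolicy adds a policyv1.ACLPolicy to the` / `// HeadscaleInContainer instance. A nil policy is ignored.`, the last sentence matching the `if acl == nil { return }` guard visible in the hunk. The body of WithACLPolicy continues past the end of the hunk.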
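Review bot: In route_test.go the descriptive user names (`"enable-routing"`, `"enable-disable-routing"`) are replaced by numbered ones — `user := "user6"`, `"user9"`, `"user2"` here and `"user4"` in TestSubnetRouteACL — and nothing says what the number selects or why each test gets a different one. The policies in these tests reference the user through the `user` variable rather than by literal name, so the choice looks like a fixture convention rather than a functional requirement; if so, a short comment at the first occurrence such as `// Numbered userN names follow the convention of the other integration tests — confirm what the number is tied to` would keep the next editor from "fixing" it back. Each of these assignments sits inside a test function whose body is outside the hunk.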
@@ -539,8 +539,8 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) {
 	}
 
 	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{tsic.WithTags([]string{"tag:approve"})}, hsic.WithTestName("clienableroute"), hsic.WithACLPolicy(
-		&policy.ACLPolicy{
-			ACLs: []policy.ACL{
+		&policyv1.ACLPolicy{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"*"},
@@ -550,7 +550,7 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) {
 			TagOwners: map[string][]string{
 				"tag:approve": {user},
 			},
-			AutoApprovers: policy.AutoApprovers{
+			AutoApprovers: policyv1.AutoApprovers{
 				Routes: map[string][]string{
 					expectedRoutes: {"tag:approve"},
 				},
@@ -640,8 +640,8 @@ func TestAutoApprovedSubRoute2068(t *testing.T) {
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
 		hsic.WithACLPolicy(
-			&policy.ACLPolicy{
-				ACLs: []policy.ACL{
+			&policyv1.ACLPolicy{
+				ACLs: []policyv1.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
@@ -651,7 +651,7 @@ func TestAutoApprovedSubRoute2068(t *testing.T) {
 			TagOwners: map[string][]string{
 				"tag:approve": {user},
 			},
-			AutoApprovers: policy.AutoApprovers{
+			AutoApprovers: policyv1.AutoApprovers{
 				Routes: map[string][]string{
 					"10.42.0.0/16": {"tag:approve"},
 				},
@@ -696,7 +696,7 @@ func TestSubnetRouteACL(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
 
-	user := "subnet-route-acl"
+	user := "user4"
 
 	scenario, err := NewScenario(dockertestMaxWait())
 	require.NoErrorf(t, err, "failed to create scenario: %s", err)
@@ -707,11 +707,11 @@ func TestSubnetRouteACL(t *testing.T) {
 	}
 
 	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clienableroute"), hsic.WithACLPolicy(
-		&policy.ACLPolicy{
-			Groups: policy.Groups{
+		&policyv1.ACLPolicy{
+			Groups: policyv1.Groups{
 				"group:admins": {user},
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"group:admins"},
diff --git a/integration/ssh_test.go b/integration/ssh_test.go
index d060831d..ade119d3 100644
--- a/integration/ssh_test.go
+++ b/integration/ssh_test.go
@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/juanfont/headscale/hscontrol/policy"
+	policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/stretchr/testify/assert"
@@ -48,7 +48,7 @@ var retry = func(times int, sleepInterval time.Duration,
 	return result, stderr, err
 }
 
-func sshScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Scenario {
+func sshScenario(t *testing.T, policy *policyv1.ACLPolicy, clientsPerUser int) *Scenario {
 	t.Helper()
 	scenario, err := NewScenario(dockertestMaxWait())
 	assertNoErr(t, err)
@@ -92,18 +92,18 @@ func TestSSHOneUserToAll(t *testing.T) {
 	t.Parallel()
 
 	scenario := sshScenario(t,
-		&policy.ACLPolicy{
+		&policyv1.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-test": {"user1"},
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"*"},
 					Destinations: []string{"*:*"},
 				},
 			},
-			SSHs: []policy.SSH{
+			SSHs: []policyv1.SSH{
 				{
 					Action:       "accept",
 					Sources:      []string{"group:integration-test"},
@@ -157,18 +157,18 @@ func TestSSHMultipleUsersAllToAll(t *testing.T) {
 	t.Parallel()
 
 	scenario := sshScenario(t,
-		&policy.ACLPolicy{
+		&policyv1.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-test": {"user1", "user2"},
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"*"},
 					Destinations: []string{"*:*"},
 				},
 			},
-			SSHs: []policy.SSH{
+			SSHs: []policyv1.SSH{
 				{
 					Action:       "accept",
 					Sources:      []string{"group:integration-test"},
@@ -210,18 +210,18 @@ func TestSSHNoSSHConfigured(t *testing.T) {
 	t.Parallel()
 
 	scenario := sshScenario(t,
-		&policy.ACLPolicy{
+		&policyv1.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-test": {"user1"},
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"*"},
 					Destinations: []string{"*:*"},
 				},
 			},
-			SSHs: []policy.SSH{},
+			SSHs: []policyv1.SSH{},
 		},
 		len(MustTestVersions),
 	)
@@ -252,18 +252,18 @@ func TestSSHIsBlockedInACL(t *testing.T) {
 	t.Parallel()
 
 	scenario := sshScenario(t,
-		&policy.ACLPolicy{
+		&policyv1.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-test": {"user1"},
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"*"},
 					Destinations: []string{"*:80"},
 				},
 			},
-			SSHs: []policy.SSH{
+			SSHs: []policyv1.SSH{
 				{
 					Action:       "accept",
 					Sources:      []string{"group:integration-test"},
@@ -301,19 +301,19 @@ func TestSSHUserOnlyIsolation(t *testing.T) {
 	t.Parallel()
 
 	scenario := sshScenario(t,
-		&policy.ACLPolicy{
+		&policyv1.ACLPolicy{
 			Groups: map[string][]string{
 				"group:ssh1": {"user1"},
 				"group:ssh2": {"user2"},
 			},
-			ACLs: []policy.ACL{
+			ACLs: []policyv1.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"*"},
 					Destinations: []string{"*:*"},
 				},
 			},
-			SSHs: []policy.SSH{
+			SSHs: []policyv1.SSH{
 				{
 					Action:       "accept",
 					Sources:      []string{"group:ssh1"},