Mirrors/juanfont.headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-10-28 10:51:44 +01:00
Code Issues Projects Releases Wiki Activity

Add test for autoApprovers feature

Browse Source
This commit is contained in:
Benjamin George Roberts 2022-08-24 22:09:06 +10:00
parent 7653ad40d6
commit 60cc9ddb3b
4 changed files with 83 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
machine.go
View File

@ -945,9 +945,9 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
continue // Skip routes that are already enabled for the node
}
approved := false
routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(advertisedRoute)
routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(
advertisedRoute,
)
if err != nil {
log.Err(err).
Str("advertisedRoute", advertisedRoute.String()).
@ -957,26 +957,22 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
}
for _, approvedAlias := range routeApprovers {
if approvedAlias == machine.Namespace.Name {
approvedRoutes = append(approvedRoutes, advertisedRoute)
} else {
approvedIps, err := expandAlias(thisMachine, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
if err != nil {
log.Err(err).
Str("alias", approvedAlias).
Msg("Failed to expand alias when processing autoApprovers policy")
return err
}
approvedIps, err := expandAlias(thisMachine, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
if err != nil {
log.Err(err).
Str("alias", approvedAlias).
Msg("Failed to expand alias when processing autoApprovers policy")
return err
// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
if contains(approvedIps, machine.IPAddresses[0].String()) {
approvedRoutes = append(approvedRoutes, advertisedRoute)
}
}
// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
approved = contains(approvedIps, machine.IPAddresses[0].String())
if approved {
break
}
}
if approved {
approvedRoutes = append(approvedRoutes, advertisedRoute)
}
}

41
machine_test.go
View File

@ -1051,3 +1051,44 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
})
}
}
func (s *Suite) TestAutoApproveRoutes(c *check.C) {
err := app.LoadACLPolicy("./tests/acls/acl_policy_autoapprovers.hujson")
c.Assert(err, check.IsNil)
namespace, err := app.CreateNamespace("test")
c.Assert(err, check.IsNil)
pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
c.Assert(err, check.IsNil)
nodeKey := key.NewNode()
defaultRoute := netaddr.MustParseIPPrefix("0.0.0.0/0")
route1 := netaddr.MustParseIPPrefix("10.10.0.0/16")
route2 := netaddr.MustParseIPPrefix("10.11.0.0/16")
machine := Machine{
ID: 0,
MachineKey: "foo",
NodeKey: NodePublicKeyStripPrefix(nodeKey.Public()),
DiscoKey: "faa",
Hostname: "test",
NamespaceID: namespace.ID,
RegisterMethod: RegisterMethodAuthKey,
AuthKeyID: uint(pak.ID),
HostInfo: HostInfo{
RequestTags: []string{"tag:exit"},
RoutableIPs: []netaddr.IPPrefix{defaultRoute, route1, route2},
},
IPAddresses: []netaddr.IP{netaddr.MustParseIP("100.64.0.1")},
}
app.db.Save(&machine)
machine0ByID, err := app.GetMachineByID(0)
c.Assert(err, check.IsNil)
app.EnableAutoApprovedRoutes(machine0ByID)
c.Assert(machine0ByID.GetEnabledRoutes(), check.HasLen, 3)
}

5
protocol_common_poll.go
View File

@ -44,10 +44,7 @@ func (h *Headscale) handlePollCommon(
}
// update routes with peer information
err = h.EnableAutoApprovedRoutes(machine)
if err != nil {
//TODO
}
h.EnableAutoApprovedRoutes(machine)
}
// From Tailscale client:

24
tests/acls/acl_policy_autoapprovers.hujson Normal file
View File

@ -0,0 +1,24 @@
// This ACL validates autoApprovers support for
// exit nodes and advertised routes
{
"tagOwners": {
"tag:exit": ["test"],
},
"groups": {
"group:test": ["test"]
},
"acls": [
{"action": "accept", "users": ["*"], "ports": ["*:*"]},
],
"autoApprovers": {
"exitNode": ["tag:exit"],
"routes": {
"10.10.0.0/16": ["group:test"],
"10.11.0.0/16": ["test"],
}
}
}