Merge branch 'main' into db-error-handling

2025-10-28 10:51:44 +01:00 · 2022-06-02 11:11:58 +02:00 · 2022-06-02 11:11:58 +02:00 · 6f6fb4dcd6
commit 6f6fb4dcd6
parent a19af04582 b1ba7ba685
2 changed files with 58 additions and 12 deletions
--- a/acls.go
+++ b/acls.go
@ -250,16 +250,17 @@ func expandAlias(
 	}

 	if strings.HasPrefix(alias, "tag:") {
+		// check for forced tags
+		for _, machine := range machines {
+			if contains(machine.ForcedTags, alias) {
+				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+			}
+		}
+
+		// find tag owners
 		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
 		if err != nil {
 			if errors.Is(err, errInvalidTag) {
-				for _, machine := range machines {
-					for _, t := range machine.ForcedTags {
-						if alias == t {
-							ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-						}
-					}
-				}
 				if len(ips) == 0 {
 					return ips, fmt.Errorf(
 						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
@ -267,20 +268,19 @@ func expandAlias(
 						alias,
 					)
 				}
-
 				return ips, nil
 			} else {
 				return ips, err
 			}
 		}
+
+		// filter out machines per tag owner
 		for _, namespace := range owners {
 			machines := filterMachinesByNamespace(machines, namespace)
 			for _, machine := range machines {
 				hi := machine.GetHostInfo()
-				for _, t := range hi.RequestTags {
-					if alias == t {
-						ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-					}
+				if contains(hi.RequestTags, alias) {
+					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
 				}
 			}
 		}
--- a/acls_test.go
+++ b/acls_test.go
@ -1055,6 +1055,52 @@ func Test_expandAlias(t *testing.T) {
 			want:    []string{"100.64.0.1", "100.64.0.2"},
 			wantErr: false,
 		},
+		{
+			name: "Forced tag with legitimate tagOwner",
+			args: args{
+				alias: "tag:hr-webserver",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace:  Namespace{Name: "joe"},
+						ForcedTags: []string{"tag:hr-webserver"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS:          "centos",
+							Hostname:    "foo",
+							RequestTags: []string{"tag:hr-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{
+						"tag:hr-webserver": []string{"joe"},
+					},
+				},
+				stripEmailDomain: true,
+			},
+			want:    []string{"100.64.0.1", "100.64.0.2"},
+			wantErr: false,
+		},
 		{
 			name: "list host in namespace without correctly tagged servers",
 			args: args{