remove getacl test, add back autoapprover
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
parent
d4de4e99be
commit
7d04c97146
@ -147,105 +147,6 @@ func (s *Suite) TestListPeers(c *check.C) {
|
|||||||
c.Assert(peersOfNode0[8].Hostname, check.Equals, "testnode10")
|
c.Assert(peersOfNode0[8].Hostname, check.Equals, "testnode10")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
|
|
||||||
type base struct {
|
|
||||||
user *types.User
|
|
||||||
key *types.PreAuthKey
|
|
||||||
}
|
|
||||||
|
|
||||||
stor := make([]base, 0)
|
|
||||||
|
|
||||||
for _, name := range []string{"test", "admin"} {
|
|
||||||
user, err := db.CreateUser(types.User{Name: name})
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
stor = append(stor, base{user, pak})
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err := db.GetNodeByID(0)
|
|
||||||
c.Assert(err, check.NotNil)
|
|
||||||
|
|
||||||
for index := 0; index <= 10; index++ {
|
|
||||||
nodeKey := key.NewNode()
|
|
||||||
machineKey := key.NewMachine()
|
|
||||||
|
|
||||||
v4 := netip.MustParseAddr(fmt.Sprintf("100.64.0.%d", index+1))
|
|
||||||
node := types.Node{
|
|
||||||
ID: types.NodeID(index),
|
|
||||||
MachineKey: machineKey.Public(),
|
|
||||||
NodeKey: nodeKey.Public(),
|
|
||||||
IPv4: &v4,
|
|
||||||
Hostname: "testnode" + strconv.Itoa(index),
|
|
||||||
UserID: stor[index%2].user.ID,
|
|
||||||
RegisterMethod: util.RegisterMethodAuthKey,
|
|
||||||
AuthKeyID: ptr.To(stor[index%2].key.ID),
|
|
||||||
}
|
|
||||||
trx := db.DB.Save(&node)
|
|
||||||
c.Assert(trx.Error, check.IsNil)
|
|
||||||
}
|
|
||||||
|
|
||||||
aclPolicy := &policy.ACLPolicy{
|
|
||||||
Groups: map[string][]string{
|
|
||||||
"group:test": {"admin"},
|
|
||||||
},
|
|
||||||
Hosts: map[string]netip.Prefix{},
|
|
||||||
TagOwners: map[string][]string{},
|
|
||||||
ACLs: []policy.ACL{
|
|
||||||
{
|
|
||||||
Action: "accept",
|
|
||||||
Sources: []string{"admin"},
|
|
||||||
Destinations: []string{"*:*"},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
Action: "accept",
|
|
||||||
Sources: []string{"test"},
|
|
||||||
Destinations: []string{"test:*"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Tests: []policy.ACLTest{},
|
|
||||||
}
|
|
||||||
|
|
||||||
adminNode, err := db.GetNodeByID(1)
|
|
||||||
c.Logf("Node(%v), user: %v", adminNode.Hostname, adminNode.User)
|
|
||||||
c.Assert(adminNode.IPv4, check.NotNil)
|
|
||||||
c.Assert(adminNode.IPv6, check.IsNil)
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
|
|
||||||
testNode, err := db.GetNodeByID(2)
|
|
||||||
c.Logf("Node(%v), user: %v", testNode.Hostname, testNode.User)
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
|
|
||||||
adminPeers, err := db.ListPeers(adminNode.ID)
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
c.Assert(len(adminPeers), check.Equals, 9)
|
|
||||||
|
|
||||||
testPeers, err := db.ListPeers(testNode.ID)
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
c.Assert(len(testPeers), check.Equals, 9)
|
|
||||||
|
|
||||||
adminRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, adminNode, adminPeers, []types.User{*stor[0].user, *stor[1].user})
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
|
|
||||||
testRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, testNode, testPeers, []types.User{*stor[0].user, *stor[1].user})
|
|
||||||
c.Assert(err, check.IsNil)
|
|
||||||
|
|
||||||
peersOfAdminNode := policy.FilterNodesByACL(adminNode, adminPeers, adminRules)
|
|
||||||
peersOfTestNode := policy.FilterNodesByACL(testNode, testPeers, testRules)
|
|
||||||
c.Log(peersOfAdminNode)
|
|
||||||
c.Log(peersOfTestNode)
|
|
||||||
|
|
||||||
c.Assert(len(peersOfTestNode), check.Equals, 9)
|
|
||||||
c.Assert(peersOfTestNode[0].Hostname, check.Equals, "testnode1")
|
|
||||||
c.Assert(peersOfTestNode[1].Hostname, check.Equals, "testnode3")
|
|
||||||
c.Assert(peersOfTestNode[3].Hostname, check.Equals, "testnode5")
|
|
||||||
|
|
||||||
c.Assert(len(peersOfAdminNode), check.Equals, 9)
|
|
||||||
c.Assert(peersOfAdminNode[0].Hostname, check.Equals, "testnode2")
|
|
||||||
c.Assert(peersOfAdminNode[2].Hostname, check.Equals, "testnode4")
|
|
||||||
c.Assert(peersOfAdminNode[5].Hostname, check.Equals, "testnode7")
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Suite) TestExpireNode(c *check.C) {
|
func (s *Suite) TestExpireNode(c *check.C) {
|
||||||
user, err := db.CreateUser(types.User{Name: "test"})
|
user, err := db.CreateUser(types.User{Name: "test"})
|
||||||
c.Assert(err, check.IsNil)
|
c.Assert(err, check.IsNil)
|
||||||
@ -457,143 +358,171 @@ func TestHeadscale_generateGivenName(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO(kradalby): replace this test
|
func TestAutoApproveRoutes(t *testing.T) {
|
||||||
// func TestAutoApproveRoutes(t *testing.T) {
|
tests := []struct {
|
||||||
// tests := []struct {
|
name string
|
||||||
// name string
|
acl string
|
||||||
// acl string
|
routes []netip.Prefix
|
||||||
// routes []netip.Prefix
|
want []netip.Prefix
|
||||||
// want []netip.Prefix
|
want2 []netip.Prefix
|
||||||
// }{
|
}{
|
||||||
// {
|
{
|
||||||
// name: "2068-approve-issue-sub",
|
name: "2068-approve-issue-sub-kube",
|
||||||
// acl: `
|
acl: `
|
||||||
// {
|
{
|
||||||
// "groups": {
|
"groups": {
|
||||||
// "group:k8s": ["test"]
|
"group:k8s": ["test@"]
|
||||||
// },
|
},
|
||||||
|
|
||||||
// "acls": [
|
// "acls": [
|
||||||
// {"action": "accept", "users": ["*"], "ports": ["*:*"]},
|
// {"action": "accept", "users": ["*"], "ports": ["*:*"]},
|
||||||
// ],
|
// ],
|
||||||
|
|
||||||
// "autoApprovers": {
|
"autoApprovers": {
|
||||||
// "routes": {
|
"routes": {
|
||||||
// "10.42.0.0/16": ["test"],
|
"10.42.0.0/16": ["test@"],
|
||||||
// }
|
}
|
||||||
// }
|
}
|
||||||
// }`,
|
}`,
|
||||||
// routes: []netip.Prefix{netip.MustParsePrefix("10.42.7.0/24")},
|
routes: []netip.Prefix{netip.MustParsePrefix("10.42.7.0/24")},
|
||||||
// want: []netip.Prefix{netip.MustParsePrefix("10.42.7.0/24")},
|
want: []netip.Prefix{netip.MustParsePrefix("10.42.7.0/24")},
|
||||||
// },
|
},
|
||||||
// {
|
{
|
||||||
// name: "2068-approve-issue-sub",
|
name: "2068-approve-issue-sub-exit-tag",
|
||||||
// acl: `
|
acl: `
|
||||||
// {
|
{
|
||||||
// "tagOwners": {
|
"tagOwners": {
|
||||||
// "tag:exit": ["test"],
|
"tag:exit": ["test@"],
|
||||||
// },
|
},
|
||||||
|
|
||||||
// "groups": {
|
"groups": {
|
||||||
// "group:test": ["test"]
|
"group:test": ["test@"]
|
||||||
// },
|
},
|
||||||
|
|
||||||
// "acls": [
|
// "acls": [
|
||||||
// {"action": "accept", "users": ["*"], "ports": ["*:*"]},
|
// {"action": "accept", "users": ["*"], "ports": ["*:*"]},
|
||||||
// ],
|
// ],
|
||||||
|
|
||||||
// "autoApprovers": {
|
"autoApprovers": {
|
||||||
// "exitNode": ["tag:exit"],
|
"exitNode": ["tag:exit"],
|
||||||
// "routes": {
|
"routes": {
|
||||||
// "10.10.0.0/16": ["group:test"],
|
"10.10.0.0/16": ["group:test"],
|
||||||
// "10.11.0.0/16": ["test"],
|
"10.11.0.0/16": ["test@"],
|
||||||
// }
|
"8.11.0.0/24": ["test2@"], // No nodes
|
||||||
// }
|
}
|
||||||
// }`,
|
}
|
||||||
// routes: []netip.Prefix{
|
}`,
|
||||||
// tsaddr.AllIPv4(),
|
routes: []netip.Prefix{
|
||||||
// tsaddr.AllIPv6(),
|
tsaddr.AllIPv4(),
|
||||||
// netip.MustParsePrefix("10.10.0.0/16"),
|
tsaddr.AllIPv6(),
|
||||||
// netip.MustParsePrefix("10.11.0.0/24"),
|
netip.MustParsePrefix("10.10.0.0/16"),
|
||||||
// },
|
netip.MustParsePrefix("10.11.0.0/24"),
|
||||||
// want: []netip.Prefix{
|
|
||||||
// tsaddr.AllIPv4(),
|
|
||||||
// netip.MustParsePrefix("10.10.0.0/16"),
|
|
||||||
// netip.MustParsePrefix("10.11.0.0/24"),
|
|
||||||
// tsaddr.AllIPv6(),
|
|
||||||
// },
|
|
||||||
// },
|
|
||||||
// }
|
|
||||||
|
|
||||||
// for _, tt := range tests {
|
// Not approved
|
||||||
// t.Run(tt.name, func(t *testing.T) {
|
netip.MustParsePrefix("8.11.0.0/24"),
|
||||||
// adb, err := newSQLiteTestDB()
|
},
|
||||||
// require.NoError(t, err)
|
want: []netip.Prefix{
|
||||||
// pol, err := policy.LoadACLPolicyFromBytes([]byte(tt.acl))
|
netip.MustParsePrefix("10.10.0.0/16"),
|
||||||
|
netip.MustParsePrefix("10.11.0.0/24"),
|
||||||
|
},
|
||||||
|
want2: []netip.Prefix{
|
||||||
|
tsaddr.AllIPv4(),
|
||||||
|
tsaddr.AllIPv6(),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
// require.NoError(t, err)
|
for _, tt := range tests {
|
||||||
// require.NotNil(t, pol)
|
pmfs := policy.PolicyManagerFuncsForTest([]byte(tt.acl))
|
||||||
|
for i, pmf := range pmfs {
|
||||||
|
version := i + 1
|
||||||
|
t.Run(fmt.Sprintf("%s-policyv%d", tt.name, version), func(t *testing.T) {
|
||||||
|
adb, err := newSQLiteTestDB()
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
// user, err := adb.CreateUser(types.User{Name: "test"})
|
suffix := ""
|
||||||
// require.NoError(t, err)
|
if version == 1 {
|
||||||
|
suffix = "@"
|
||||||
|
}
|
||||||
|
|
||||||
// pak, err := adb.CreatePreAuthKey(types.UserID(user.ID), false, nil, nil)
|
user, err := adb.CreateUser(types.User{Name: "test" + suffix})
|
||||||
// require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
_, err = adb.CreateUser(types.User{Name: "test2" + suffix})
|
||||||
|
require.NoError(t, err)
|
||||||
|
taggedUser, err := adb.CreateUser(types.User{Name: "tagged" + suffix})
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
// nodeKey := key.NewNode()
|
node := types.Node{
|
||||||
// machineKey := key.NewMachine()
|
ID: 1,
|
||||||
|
MachineKey: key.NewMachine().Public(),
|
||||||
|
NodeKey: key.NewNode().Public(),
|
||||||
|
Hostname: "testnode",
|
||||||
|
UserID: user.ID,
|
||||||
|
RegisterMethod: util.RegisterMethodAuthKey,
|
||||||
|
Hostinfo: &tailcfg.Hostinfo{
|
||||||
|
RoutableIPs: tt.routes,
|
||||||
|
},
|
||||||
|
IPv4: ptr.To(netip.MustParseAddr("100.64.0.1")),
|
||||||
|
}
|
||||||
|
|
||||||
// v4 := netip.MustParseAddr("100.64.0.1")
|
err = adb.DB.Save(&node).Error
|
||||||
// node := types.Node{
|
require.NoError(t, err)
|
||||||
// ID: 0,
|
|
||||||
// MachineKey: machineKey.Public(),
|
|
||||||
// NodeKey: nodeKey.Public(),
|
|
||||||
// Hostname: "test",
|
|
||||||
// UserID: user.ID,
|
|
||||||
// RegisterMethod: util.RegisterMethodAuthKey,
|
|
||||||
// AuthKeyID: ptr.To(pak.ID),
|
|
||||||
// Hostinfo: &tailcfg.Hostinfo{
|
|
||||||
// RequestTags: []string{"tag:exit"},
|
|
||||||
// RoutableIPs: tt.routes,
|
|
||||||
// },
|
|
||||||
// IPv4: &v4,
|
|
||||||
// }
|
|
||||||
|
|
||||||
// trx := adb.DB.Save(&node)
|
nodeTagged := types.Node{
|
||||||
// require.NoError(t, trx.Error)
|
ID: 2,
|
||||||
|
MachineKey: key.NewMachine().Public(),
|
||||||
|
NodeKey: key.NewNode().Public(),
|
||||||
|
Hostname: "taggednode",
|
||||||
|
UserID: taggedUser.ID,
|
||||||
|
RegisterMethod: util.RegisterMethodAuthKey,
|
||||||
|
Hostinfo: &tailcfg.Hostinfo{
|
||||||
|
RoutableIPs: tt.routes,
|
||||||
|
},
|
||||||
|
ForcedTags: []string{"tag:exit"},
|
||||||
|
IPv4: ptr.To(netip.MustParseAddr("100.64.0.2")),
|
||||||
|
}
|
||||||
|
|
||||||
// sendUpdate, err := adb.SaveNodeRoutes(&node)
|
err = adb.DB.Save(&nodeTagged).Error
|
||||||
// require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
// assert.False(t, sendUpdate)
|
|
||||||
|
|
||||||
// node0ByID, err := adb.GetNodeByID(0)
|
users, err := adb.ListUsers()
|
||||||
// require.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
// users, err := adb.ListUsers()
|
nodes, err := adb.ListNodes()
|
||||||
// assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
// nodes, err := adb.ListNodes()
|
pm, err := pmf(users, nodes)
|
||||||
// assert.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
require.NotNil(t, pm)
|
||||||
|
|
||||||
// pm, err := policy.NewPolicyManager([]byte(tt.acl), users, nodes)
|
changed1 := policy.AutoApproveRoutes(pm, &node)
|
||||||
// assert.NoError(t, err)
|
assert.True(t, changed1)
|
||||||
|
|
||||||
// // TODO(kradalby): Check state update
|
err = adb.DB.Save(&node).Error
|
||||||
// err = adb.EnableAutoApprovedRoutes(pm, node0ByID)
|
require.NoError(t, err)
|
||||||
// require.NoError(t, err)
|
|
||||||
|
|
||||||
// enabledRoutes, err := adb.GetEnabledRoutes(node0ByID)
|
_ = policy.AutoApproveRoutes(pm, &nodeTagged)
|
||||||
// require.NoError(t, err)
|
|
||||||
// assert.Len(t, enabledRoutes, len(tt.want))
|
|
||||||
|
|
||||||
// tsaddr.SortPrefixes(enabledRoutes)
|
err = adb.DB.Save(&nodeTagged).Error
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
// if diff := cmp.Diff(tt.want, enabledRoutes, util.Comparers...); diff != "" {
|
node1ByID, err := adb.GetNodeByID(1)
|
||||||
// t.Errorf("unexpected enabled routes (-want +got):\n%s", diff)
|
require.NoError(t, err)
|
||||||
// }
|
|
||||||
// })
|
if diff := cmp.Diff(tt.want, node1ByID.SubnetRoutes(), util.Comparers...); diff != "" {
|
||||||
// }
|
t.Errorf("unexpected enabled routes (-want +got):\n%s", diff)
|
||||||
// }
|
}
|
||||||
|
|
||||||
|
node2ByID, err := adb.GetNodeByID(2)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
if diff := cmp.Diff(tt.want2, node2ByID.SubnetRoutes(), util.Comparers...); diff != "" {
|
||||||
|
t.Errorf("unexpected enabled routes (-want +got):\n%s", diff)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestEphemeralGarbageCollectorOrder(t *testing.T) {
|
func TestEphemeralGarbageCollectorOrder(t *testing.T) {
|
||||||
want := []types.NodeID{1, 3}
|
want := []types.NodeID{1, 3}
|
||||||
|