diff --git a/acls.go b/acls.go
index 9dd1260d..3d6b1945 100644
--- a/acls.go
+++ b/acls.go
@@ -20,7 +20,6 @@ const (
errInvalidUserSection = Error("invalid user section")
errInvalidGroup = Error("invalid group")
errInvalidTag = Error("invalid tag")
- errInvalidNamespace = Error("invalid namespace")
errInvalidPortFormat = Error("invalid port format")
)
@@ -69,6 +68,7 @@ func (h *Headscale) LoadACLPolicy(path string) error {
}
h.aclPolicy = &policy
+
return h.UpdateACLRules()
}
@@ -79,6 +79,7 @@ func (h *Headscale) UpdateACLRules() error {
}
log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
h.aclRules = rules
+
return nil
}
@@ -182,7 +183,7 @@ func (h *Headscale) generateACLPolicyDestPorts(
// - a namespace
// - a group
// - a tag
-// and transform these in IPAddresses
+// and transform these in IPAddresses.
func expandAlias(machines []Machine, aclPolicy ACLPolicy, alias string) ([]string, error) {
ips := []string{}
if alias == "*" {
@@ -200,6 +201,7 @@ func expandAlias(machines []Machine, aclPolicy ACLPolicy, alias string) ([]strin
ips = append(ips, node.IPAddresses.ToStringSlice()...)
}
}
+
return ips, nil
}
@@ -225,6 +227,7 @@ func expandAlias(machines []Machine, aclPolicy ACLPolicy, alias string) ([]strin
}
}
}
+
return ips, nil
}
@@ -276,6 +279,7 @@ func excludeCorrectlyTaggedNodes(aclPolicy ACLPolicy, nodes []Machine, namespace
for _, machine := range nodes {
if len(machine.HostInfo) == 0 {
out = append(out, machine)
+
continue
}
hi, err := machine.GetHostInfo()
@@ -286,6 +290,7 @@ func excludeCorrectlyTaggedNodes(aclPolicy ACLPolicy, nodes []Machine, namespace
for _, t := range hi.RequestTags {
if containsString(tags, t) {
found = true
+
break
}
}
@@ -293,6 +298,7 @@ func excludeCorrectlyTaggedNodes(aclPolicy ACLPolicy, nodes []Machine, namespace
out = append(out, machine)
}
}
+
return out, nil
}
@@ -346,42 +352,45 @@ func listMachinesInNamespace(machines []Machine, namespace string) []Machine {
out = append(out, machine)
}
}
+
return out
}
// expandTagOwners will return a list of namespace. An owner can be either a namespace or a group
-// a group cannot be composed of groups
+// a group cannot be composed of groups.
func expandTagOwners(aclPolicy ACLPolicy, tag string) ([]string, error) {
var owners []string
ows, ok := aclPolicy.TagOwners[tag]
if !ok {
return []string{}, fmt.Errorf("%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners", errInvalidTag, tag)
}
- for _, ow := range ows {
- if strings.HasPrefix(ow, "group:") {
- gs, err := expandGroup(aclPolicy, ow)
+ for _, owner := range ows {
+ if strings.HasPrefix(owner, "group:") {
+ gs, err := expandGroup(aclPolicy, owner)
if err != nil {
return []string{}, err
}
owners = append(owners, gs...)
} else {
- owners = append(owners, ow)
+ owners = append(owners, owner)
}
}
+
return owners, nil
}
// expandGroup will return the list of namespace inside the group
-// after some validation
+// after some validation.
func expandGroup(aclPolicy ACLPolicy, group string) ([]string, error) {
- gs, ok := aclPolicy.Groups[group]
+ groups, ok := aclPolicy.Groups[group]
if !ok {
return []string{}, fmt.Errorf("group %v isn't registered. %w", group, errInvalidGroup)
}
- for _, g := range gs {
+ for _, g := range groups {
if strings.HasPrefix(g, "group:") {
return []string{}, fmt.Errorf("%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups", errInvalidGroup)
}
}
- return gs, nil
+
+ return groups, nil
}
diff --git a/acls_test.go b/acls_test.go
index 8bedb47d..786de0fc 100644
--- a/acls_test.go
+++ b/acls_test.go
@@ -94,7 +94,7 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {
// this test should validate that we can expand a group in a TagOWner section and
// match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
-// the tag is matched in the Users section
+// the tag is matched in the Users section.
func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
namespace, err := app.CreateNamespace("foo")
c.Assert(err, check.IsNil)
@@ -104,7 +104,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
_, err = app.GetMachine("foo", "testmachine")
c.Assert(err, check.NotNil)
- b := []byte("{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:test\"]}")
+ hostInfo := []byte("{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:test\"]}")
machine := Machine{
ID: 0,
MachineKey: "foo",
@@ -116,7 +116,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
Registered: true,
RegisterMethod: RegisterMethodAuthKey,
AuthKeyID: uint(pak.ID),
- HostInfo: datatypes.JSON(b),
+ HostInfo: datatypes.JSON(hostInfo),
}
app.db.Save(&machine)
@@ -136,7 +136,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
// this test should validate that we can expand a group in a TagOWner section and
// match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
-// the tag is matched in the Ports section
+// the tag is matched in the Ports section.
func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
namespace, err := app.CreateNamespace("foo")
c.Assert(err, check.IsNil)
@@ -146,7 +146,7 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
_, err = app.GetMachine("foo", "testmachine")
c.Assert(err, check.NotNil)
- b := []byte("{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:test\"]}")
+ hostInfo := []byte("{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:test\"]}")
machine := Machine{
ID: 1,
MachineKey: "foo",
@@ -158,7 +158,7 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
Registered: true,
RegisterMethod: RegisterMethodAuthKey,
AuthKeyID: uint(pak.ID),
- HostInfo: datatypes.JSON(b),
+ HostInfo: datatypes.JSON(hostInfo),
}
app.db.Save(&machine)
@@ -178,7 +178,7 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
// need a test with:
// tag on a host that isn't owned by a tag owners. So the namespace
-// of the host should be valid
+// of the host should be valid.
func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
namespace, err := app.CreateNamespace("foo")
c.Assert(err, check.IsNil)
@@ -188,7 +188,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
_, err = app.GetMachine("foo", "testmachine")
c.Assert(err, check.NotNil)
- b := []byte("{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:foo\"]}")
+ hostInfo := []byte("{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:foo\"]}")
machine := Machine{
ID: 1,
MachineKey: "foo",
@@ -200,7 +200,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
Registered: true,
RegisterMethod: RegisterMethodAuthKey,
AuthKeyID: uint(pak.ID),
- HostInfo: datatypes.JSON(b),
+ HostInfo: datatypes.JSON(hostInfo),
}
app.db.Save(&machine)
@@ -229,7 +229,7 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
_, err = app.GetMachine("foo", "webserver")
c.Assert(err, check.NotNil)
- b := []byte("{\"OS\":\"centos\",\"Hostname\":\"webserver\",\"RequestTags\":[\"tag:webapp\"]}")
+ hostInfo := []byte("{\"OS\":\"centos\",\"Hostname\":\"webserver\",\"RequestTags\":[\"tag:webapp\"]}")
machine := Machine{
ID: 1,
MachineKey: "foo",
@@ -241,11 +241,11 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
Registered: true,
RegisterMethod: RegisterMethodAuthKey,
AuthKeyID: uint(pak.ID),
- HostInfo: datatypes.JSON(b),
+ HostInfo: datatypes.JSON(hostInfo),
}
app.db.Save(&machine)
_, err = app.GetMachine("foo", "user")
- b = []byte("{\"OS\":\"debian\",\"Hostname\":\"user\"}")
+ hostInfo = []byte("{\"OS\":\"debian\",\"Hostname\":\"user\"}")
c.Assert(err, check.NotNil)
machine = Machine{
ID: 2,
@@ -258,7 +258,7 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
Registered: true,
RegisterMethod: RegisterMethodAuthKey,
AuthKeyID: uint(pak.ID),
- HostInfo: datatypes.JSON(b),
+ HostInfo: datatypes.JSON(hostInfo),
}
app.db.Save(&machine)
@@ -430,15 +430,16 @@ func Test_expandGroup(t *testing.T) {
wantErr: true,
},
}
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, err := expandGroup(tt.args.aclPolicy, tt.args.group)
- if (err != nil) != tt.wantErr {
- t.Errorf("expandGroup() error = %v, wantErr %v", err, tt.wantErr)
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got, err := expandGroup(test.args.aclPolicy, test.args.group)
+ if (err != nil) != test.wantErr {
+ t.Errorf("expandGroup() error = %v, wantErr %v", err, test.wantErr)
+
return
}
- if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("expandGroup() = %v, want %v", got, tt.want)
+ if !reflect.DeepEqual(got, test.want) {
+ t.Errorf("expandGroup() = %v, want %v", got, test.want)
}
})
}
@@ -514,15 +515,16 @@ func Test_expandTagOwners(t *testing.T) {
wantErr: true,
},
}
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, err := expandTagOwners(tt.args.aclPolicy, tt.args.tag)
- if (err != nil) != tt.wantErr {
- t.Errorf("expandTagOwners() error = %v, wantErr %v", err, tt.wantErr)
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got, err := expandTagOwners(test.args.aclPolicy, test.args.tag)
+ if (err != nil) != test.wantErr {
+ t.Errorf("expandTagOwners() error = %v, wantErr %v", err, test.wantErr)
+
return
}
- if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("expandTagOwners() = %v, want %v", got, tt.want)
+ if !reflect.DeepEqual(got, test.want) {
+ t.Errorf("expandTagOwners() = %v, want %v", got, test.want)
}
})
}
@@ -595,15 +597,16 @@ func Test_expandPorts(t *testing.T) {
wantErr: true,
},
}
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, err := expandPorts(tt.args.portsStr)
- if (err != nil) != tt.wantErr {
- t.Errorf("expandPorts() error = %v, wantErr %v", err, tt.wantErr)
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got, err := expandPorts(test.args.portsStr)
+ if (err != nil) != test.wantErr {
+ t.Errorf("expandPorts() error = %v, wantErr %v", err, test.wantErr)
+
return
}
- if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("expandPorts() = %v, want %v", got, tt.want)
+ if !reflect.DeepEqual(got, test.want) {
+ t.Errorf("expandPorts() = %v, want %v", got, test.want)
}
})
}
@@ -824,15 +827,16 @@ func Test_expandAlias(t *testing.T) {
wantErr: false,
},
}
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, err := expandAlias(tt.args.machines, tt.args.aclPolicy, tt.args.alias)
- if (err != nil) != tt.wantErr {
- t.Errorf("expandAlias() error = %v, wantErr %v", err, tt.wantErr)
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got, err := expandAlias(test.args.machines, test.args.aclPolicy, test.args.alias)
+ if (err != nil) != test.wantErr {
+ t.Errorf("expandAlias() error = %v, wantErr %v", err, test.wantErr)
+
return
}
- if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("expandAlias() = %v, want %v", got, tt.want)
+ if !reflect.DeepEqual(got, test.want) {
+ t.Errorf("expandAlias() = %v, want %v", got, test.want)
}
})
}
@@ -889,15 +893,16 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
wantErr: false,
},
}
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, err := excludeCorrectlyTaggedNodes(tt.args.aclPolicy, tt.args.nodes, tt.args.namespace)
- if (err != nil) != tt.wantErr {
- t.Errorf("excludeCorrectlyTaggedNodes() error = %v, wantErr %v", err, tt.wantErr)
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got, err := excludeCorrectlyTaggedNodes(test.args.aclPolicy, test.args.nodes, test.args.namespace)
+ if (err != nil) != test.wantErr {
+ t.Errorf("excludeCorrectlyTaggedNodes() error = %v, wantErr %v", err, test.wantErr)
+
return
}
- if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, tt.want)
+ if !reflect.DeepEqual(got, test.want) {
+ t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want)
}
})
}
diff --git a/api.go b/api.go
index 020ded01..073be5e2 100644
--- a/api.go
+++ b/api.go
@@ -261,7 +261,16 @@ func (h *Headscale) getMapResponse(
var respBody []byte
if req.Compress == "zstd" {
- src, _ := json.Marshal(resp)
+ src, err := json.Marshal(resp)
+ if err != nil {
+ log.Error().
+ Caller().
+ Str("func", "getMapResponse").
+ Err(err).
+ Msg("Failed to marshal response for the client")
+
+ return nil, err
+ }
encoder, _ := zstd.NewWriter(nil)
srcCompressed := encoder.EncodeAll(src, nil)
@@ -290,7 +299,16 @@ func (h *Headscale) getMapKeepAliveResponse(
var respBody []byte
var err error
if mapRequest.Compress == "zstd" {
- src, _ := json.Marshal(mapResponse)
+ src, err := json.Marshal(mapResponse)
+ if err != nil {
+ log.Error().
+ Caller().
+ Str("func", "getMapKeepAliveResponse").
+ Err(err).
+ Msg("Failed to marshal keepalive response for the client")
+
+ return nil, err
+ }
encoder, _ := zstd.NewWriter(nil)
srcCompressed := encoder.EncodeAll(src, nil)
respBody = h.privateKey.SealTo(machineKey, srcCompressed)
diff --git a/dns.go b/dns.go
index 37daa884..085a14e2 100644
--- a/dns.go
+++ b/dns.go
@@ -165,7 +165,7 @@ func getMapResponseDNSConfig(
dnsConfig.Domains,
fmt.Sprintf(
"%s.%s",
- strings.Replace(machine.Namespace.Name, "@", ".", -1), // Replace @ with . for valid domain for machine
+ strings.ReplaceAll(machine.Namespace.Name, "@", "."), // Replace @ with . for valid domain for machine
baseDomain,
),
)
@@ -176,7 +176,7 @@ func getMapResponseDNSConfig(
namespaceSet.Add(p.Namespace)
}
for _, namespace := range namespaceSet.List() {
- dnsRoute := fmt.Sprintf("%s.%s", namespace.(Namespace).Name, baseDomain)
+ var dnsRoute string = fmt.Sprintf("%v.%v", namespace.(Namespace).Name, baseDomain)
dnsConfig.Routes[dnsRoute] = nil
}
} else {
diff --git a/machine.go b/machine.go
index 01fc9276..cb70bf12 100644
--- a/machine.go
+++ b/machine.go
@@ -138,6 +138,7 @@ func containsAddresses(inputs []string, addrs MachineAddresses) bool {
return true
}
}
+
return false
}
@@ -174,20 +175,20 @@ func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
// In order to do this we would need to be able to identify that node A want to talk to node B but that Node B doesn't know
// how to talk to node A and then add the peering resource.
- for _, m := range machines {
+ for _, mchn := range machines {
for _, rule := range h.aclRules {
var dst []string
for _, d := range rule.DstPorts {
dst = append(dst, d.IP)
}
- if (containsAddresses(rule.SrcIPs, machine.IPAddresses) && (containsAddresses(dst, m.IPAddresses) || containsString(dst, "*"))) ||
- (containsAddresses(rule.SrcIPs, m.IPAddresses) && containsAddresses(dst, machine.IPAddresses)) {
- mMachines[m.ID] = m
+ if (containsAddresses(rule.SrcIPs, machine.IPAddresses) && (containsAddresses(dst, mchn.IPAddresses) || containsString(dst, "*"))) ||
+ (containsAddresses(rule.SrcIPs, mchn.IPAddresses) && containsAddresses(dst, machine.IPAddresses)) {
+ mMachines[mchn.ID] = mchn
}
}
}
- var authorizedMachines Machines
+ authorizedMachines := make([]Machine, 0, len(mMachines))
for _, m := range mMachines {
authorizedMachines = append(authorizedMachines, m)
}
@@ -694,7 +695,7 @@ func (machine Machine) toNode(
hostname = fmt.Sprintf(
"%s.%s.%s",
machine.Name,
- strings.Replace(machine.Namespace.Name, "@", ".", -1), // Replace @ with . for valid domain for machine
+ strings.ReplaceAll(machine.Namespace.Name, "@", "."), // Replace @ with . for valid domain for machine
baseDomain,
)
} else {
diff --git a/machine_test.go b/machine_test.go
index 203289ac..df00067b 100644
--- a/machine_test.go
+++ b/machine_test.go
@@ -161,7 +161,7 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
key *PreAuthKey
}
- var stor []base
+ stor := make([]base, 0)
for _, name := range []string{"test", "admin"} {
namespace, err := app.CreateNamespace(name)
@@ -169,7 +169,6 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
c.Assert(err, check.IsNil)
stor = append(stor, base{namespace, pak})
-
}
_, err := app.GetMachineByID(0)
diff --git a/poll.go b/poll.go
index c2a51d11..f00f7484 100644
--- a/poll.go
+++ b/poll.go
@@ -85,7 +85,10 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
Str("machine", machine.Name).
Msg("Found machine in database")
- hostinfo, _ := json.Marshal(req.Hostinfo)
+ hostinfo, err := json.Marshal(req.Hostinfo)
+ if err != nil {
+ return
+ }
machine.Name = req.Hostinfo.Hostname
machine.HostInfo = datatypes.JSON(hostinfo)
machine.DiscoKey = DiscoPublicKeyStripPrefix(req.DiscoKey)
@@ -106,7 +109,17 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
// The intended use is for clients to discover the DERP map at start-up
// before their first real endpoint update.
if !req.ReadOnly {
- endpoints, _ := json.Marshal(req.Endpoints)
+ endpoints, err := json.Marshal(req.Endpoints)
+ if err != nil {
+ log.Error().
+ Caller().
+ Str("func", "PollNetMapHandler").
+ Err(err).
+ Msg("Failed to mashal requested endpoints for the client")
+ ctx.String(http.StatusInternalServerError, ":(")
+
+ return
+ }
machine.Endpoints = datatypes.JSON(endpoints)
machine.LastSeen = &now
}