diff --git a/acls.go b/acls.go index b485ce30..426c63df 100644 --- a/acls.go +++ b/acls.go @@ -367,7 +367,7 @@ func expandAlias( // if alias is a namespace nodes := filterMachinesByNamespace(machines, alias) - nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias) + nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain) for _, n := range nodes { ips = append(ips, n.IPAddresses.ToStringSlice()...) @@ -405,10 +405,13 @@ func excludeCorrectlyTaggedNodes( aclPolicy ACLPolicy, nodes []Machine, namespace string, + stripEmailDomain bool, ) []Machine { out := []Machine{} tags := []string{} for tag, ns := range aclPolicy.TagOwners { + owners, _ := expandTagOwners(aclPolicy, namespace, stripEmailDomain) + ns = append(owners, namespace) if contains(ns, namespace) { tags = append(tags, tag) } diff --git a/acls_test.go b/acls_test.go index 9e24f99f..f8af1b78 100644 --- a/acls_test.go +++ b/acls_test.go @@ -1201,9 +1201,10 @@ func Test_expandAlias(t *testing.T) { func Test_excludeCorrectlyTaggedNodes(t *testing.T) { type args struct { - aclPolicy ACLPolicy - nodes []Machine - namespace string + aclPolicy ACLPolicy + nodes []Machine + namespace string + stripEmailDomain bool } tests := []struct { name string 
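Review bot: In the excludeCorrectlyTaggedNodes hunk the ownership check has become a tautology: `ns = append(owners, namespace)` puts `namespace` into the slice that `contains(ns, namespace)` then searches, so every tag in TagOwners is appended to `tags` regardless of who owns it, and a node requesting a tag its namespace does not own is treated as correctly tagged and dropped from the namespace alias. The call also passes `namespace` as the second argument of expandTagOwners, which (judging by its name, the signature is not in the hunk) should be the loop's `tag`, and the returned error is discarded with `_`, so a policy that fails to resolve is silently accepted. Compare the resolved owners directly against the namespace, pass the tag being examined, and skip (and ideally log) tags whose owners cannot be expanded; whether `namespace` here is already normalised the same way stripEmailDomain normalises the owner list is not visible in this hunk and should be confirmed. The body of excludeCorrectlyTaggedNodes continues outside the hunk.
```go
	for tag := range aclPolicy.TagOwners {
		owners, err := expandTagOwners(aclPolicy, tag, stripEmailDomain)
		if err != nil {
			// an owner list that cannot be resolved must not count as ownership
			continue
		}
		if contains(owners, namespace) {
			tags = append(tags, tag)
		}
	}
	// … unchanged: filtering of nodes by their requested tags …
```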
@@ -1247,7 +1248,57 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) { Namespace: Namespace{Name: "joe"}, }, }, - namespace: "joe", + namespace: "joe", + stripEmailDomain: true, + }, + want: []Machine{ + { + IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")}, + Namespace: Namespace{Name: "joe"}, + }, + }, + }, + { + name: "exclude nodes with valid tags, and owner is in a group", + args: args{ + aclPolicy: ACLPolicy{ + Groups: Groups{ + "group:accountant": []string{"joe", "bar"}, + }, + TagOwners: TagOwners{"tag:accountant-webserver": []string{"group:accountant"}}, + }, + nodes: []Machine{ + { + IPAddresses: MachineAddresses{ + netaddr.MustParseIP("100.64.0.1"), + }, + Namespace: Namespace{Name: "joe"}, + HostInfo: HostInfo{ + OS: "centos", + Hostname: "foo", + RequestTags: []string{"tag:accountant-webserver"}, + }, + }, + { + IPAddresses: MachineAddresses{ + netaddr.MustParseIP("100.64.0.2"), + }, + Namespace: Namespace{Name: "joe"}, + HostInfo: HostInfo{ + OS: "centos", + Hostname: "foo", + RequestTags: []string{"tag:accountant-webserver"}, + }, + }, + { + IPAddresses: MachineAddresses{ + netaddr.MustParseIP("100.64.0.4"), + }, + Namespace: Namespace{Name: "joe"}, + }, + }, + namespace: "joe", + stripEmailDomain: true, }, want: []Machine{ { @@ -1288,7 +1339,8 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) { Namespace: Namespace{Name: "joe"}, }, }, - namespace: "joe", + namespace: "joe", + stripEmailDomain: true, }, want: []Machine{ { @@ -1333,7 +1385,8 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) { Namespace: Namespace{Name: "joe"}, }, }, - namespace: "joe", + namespace: "joe", + stripEmailDomain: true, }, want: []Machine{ { @@ -1373,6 +1426,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) { test.args.aclPolicy, test.args.nodes, test.args.namespace, + test.args.stripEmailDomain, ) if !reflect.DeepEqual(got, test.want) { t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want)
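Review bot: The new "owner is in a group" case only exercises the positive path, where joe does own the requested tag, and none of the cases in this test give a node a tag that its namespace does not own, so the ownership check in acls.go is never actually distinguished from "every tag in TagOwners counts". A negative case is needed: a node in namespace joe requesting a tag whose TagOwners entry names a different namespace should presumably remain in the result (it is not correctly tagged), and that is the case that would fail if the check degenerates into always-true. The shape below follows the existing table entries; the want slice should hold the same node unchanged.
```go
		{
			name: "keep nodes requesting a tag owned by another namespace",
			args: args{
				aclPolicy: ACLPolicy{
					TagOwners: TagOwners{"tag:accountant-webserver": []string{"bar"}},
				},
				nodes: []Machine{
					{
						IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
						Namespace:   Namespace{Name: "joe"},
						HostInfo: HostInfo{
							OS:          "centos",
							Hostname:    "foo",
							RequestTags: []string{"tag:accountant-webserver"},
						},
					},
				},
				namespace:        "joe",
				stripEmailDomain: true,
			},
			// … want: the same single node, since joe does not own the tag …
		},
```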