Skip to content

Commit

Permalink
Migrate ACLs syntax to new Tailscale format
Browse files Browse the repository at this point in the history 
Implements #617.

Tailscale has changed the format of their ACLs to use a more firewall-y terms ("users" & "ports" -> "src" & "dst"). They have also started using all-lowercase tags. This PR applies these changes.
  • Loading branch information
@juanfont
juanfont committed Jun 8, 2022
1 parent 8fed47a commit 3e35300
Show file tree
Hide file tree
Showing 12 changed files with 126 additions and 124 deletions.
22 changes: 11 additions & 11 deletions acls.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,23 +123,23 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
}

srcIPs := []string{}
for innerIndex, user := range acl.Users {
srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, user)
for innerIndex, src := range acl.Sources {
srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, src)
if err != nil {
log.Error().
Msgf("Error parsing ACL %d, User %d", index, innerIndex)
Msgf("Error parsing ACL %d, Source %d", index, innerIndex)

return nil, err
}
srcIPs = append(srcIPs, srcs...)
}

destPorts := []tailcfg.NetPortRange{}
for innerIndex, ports := range acl.Ports {
dests, err := h.generateACLPolicyDestPorts(machines, *h.aclPolicy, ports)
for innerIndex, dest := range acl.Destinations {
dests, err := h.generateACLPolicyDest(machines, *h.aclPolicy, dest)
if err != nil {
log.Error().
Msgf("Error parsing ACL %d, Port %d", index, innerIndex)
Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)

return nil, err
}
Expand All @@ -158,17 +158,17 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
func (h *Headscale) generateACLPolicySrcIP(
machines []Machine,
aclPolicy ACLPolicy,
u string,
src string,
) ([]string, error) {
return expandAlias(machines, aclPolicy, u, h.cfg.OIDC.StripEmaildomain)
return expandAlias(machines, aclPolicy, src, h.cfg.OIDC.StripEmaildomain)
}

func (h *Headscale) generateACLPolicyDestPorts(
func (h *Headscale) generateACLPolicyDest(
machines []Machine,
aclPolicy ACLPolicy,
d string,
dest string,
) ([]tailcfg.NetPortRange, error) {
tokens := strings.Split(d, ":")
tokens := strings.Split(dest, ":")
if len(tokens) < expectedTokenItems || len(tokens) > 3 {
return nil, errInvalidPortFormat
}
Expand Down
28 changes: 14 additions & 14 deletions acls_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,22 +62,22 @@ func (s *Suite) TestBasicRule(c *check.C) {
func (s *Suite) TestInvalidAction(c *check.C) {
app.aclPolicy = &ACLPolicy{
ACLs: []ACL{
{Action: "invalidAction", Users: []string{"*"}, Ports: []string{"*:*"}},
{Action: "invalidAction", Sources: []string{"*"}, Destinations: []string{"*:*"}},
},
}
err := app.UpdateACLRules()
c.Assert(errors.Is(err, errInvalidAction), check.Equals, true)
}

func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
// this ACL is wrong because the group in users sections doesn't exist
// this ACL is wrong because the group in Sources sections doesn't exist
app.aclPolicy = &ACLPolicy{
Groups: Groups{
"group:test": []string{"foo"},
"group:error": []string{"foo", "group:test"},
},
ACLs: []ACL{
{Action: "accept", Users: []string{"group:error"}, Ports: []string{"*:*"}},
{Action: "accept", Sources: []string{"group:error"}, Destinations: []string{"*:*"}},
},
}
err := app.UpdateACLRules()
Expand All @@ -88,7 +88,7 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {
// this ACL is wrong because no tagOwners own the requested tag for the server
app.aclPolicy = &ACLPolicy{
ACLs: []ACL{
{Action: "accept", Users: []string{"tag:foo"}, Ports: []string{"*:*"}},
{Action: "accept", Sources: []string{"tag:foo"}, Destinations: []string{"*:*"}},
},
}
err := app.UpdateACLRules()
Expand All @@ -97,8 +97,8 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {

// this test should validate that we can expand a group in a TagOWner section and
// match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
// the tag is matched in the Users section.
func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
// the tag is matched in the Sources section.
func (s *Suite) TestValidExpandTagOwnersInSources(c *check.C) {
namespace, err := app.CreateNamespace("user1")
c.Assert(err, check.IsNil)

Expand Down Expand Up @@ -131,7 +131,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
Groups: Groups{"group:test": []string{"user1", "user2"}},
TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
ACLs: []ACL{
{Action: "accept", Users: []string{"tag:test"}, Ports: []string{"*:*"}},
{Action: "accept", Sources: []string{"tag:test"}, Destinations: []string{"*:*"}},
},
}
err = app.UpdateACLRules()
Expand All @@ -143,7 +143,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {

// this test should validate that we can expand a group in a TagOWner section and
// match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
// the tag is matched in the Ports section.
// the tag is matched in the Destinations section.
func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
namespace, err := app.CreateNamespace("user1")
c.Assert(err, check.IsNil)
Expand Down Expand Up @@ -177,7 +177,7 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
Groups: Groups{"group:test": []string{"user1", "user2"}},
TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
ACLs: []ACL{
{Action: "accept", Users: []string{"*"}, Ports: []string{"tag:test:*"}},
{Action: "accept", Sources: []string{"*"}, Destinations: []string{"tag:test:*"}},
},
}
err = app.UpdateACLRules()
Expand Down Expand Up @@ -222,7 +222,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
app.aclPolicy = &ACLPolicy{
TagOwners: TagOwners{"tag:test": []string{"user1"}},
ACLs: []ACL{
{Action: "accept", Users: []string{"user1"}, Ports: []string{"*:*"}},
{Action: "accept", Sources: []string{"user1"}, Destinations: []string{"*:*"}},
},
}
err = app.UpdateACLRules()
Expand Down Expand Up @@ -287,9 +287,9 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
TagOwners: TagOwners{"tag:webapp": []string{"user1"}},
ACLs: []ACL{
{
Action: "accept",
Users: []string{"user1"},
Ports: []string{"tag:webapp:80,443"},
Action: "accept",
Sources: []string{"user1"},
Destinations: []string{"tag:webapp:80,443"},
},
},
}
Expand Down Expand Up @@ -645,7 +645,7 @@ func Test_expandPorts(t *testing.T) {
wantErr: false,
},
{
name: "two ports",
name: "two Destinations",
args: args{portsStr: "80,443"},
want: &[]tailcfg.PortRange{
{First: 80, Last: 80},
Expand Down
23 changes: 12 additions & 11 deletions acls_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,18 +11,19 @@ import (

// ACLPolicy represents a Tailscale ACL Policy.
type ACLPolicy struct {
Groups Groups `json:"Groups" yaml:"Groups"`
Hosts Hosts `json:"Hosts" yaml:"Hosts"`
TagOwners TagOwners `json:"TagOwners" yaml:"TagOwners"`
ACLs []ACL `json:"ACLs" yaml:"ACLs"`
Tests []ACLTest `json:"Tests" yaml:"Tests"`
Groups Groups `json:"groups" yaml:"groups"`
Hosts Hosts `json:"hosts" yaml:"hosts"`
TagOwners TagOwners `json:"tagOwners" yaml:"tagOwners"`
ACLs []ACL `json:"acls" yaml:"acls"`
Tests []ACLTest `json:"tests" yaml:"tests"`
}

// ACL is a basic rule for the ACL Policy.
type ACL struct {
Action string `json:"Action" yaml:"Action"`
Users []string `json:"Users" yaml:"Users"`
Ports []string `json:"Ports" yaml:"Ports"`
Action string `json:"action" yaml:"action"`
Protocol string `json:"protocol" yaml:"protocol"`
Sources []string `json:"src" yaml:"src"`
Destinations []string `json:"dst" yaml:"dst"`
}

// Groups references a series of alias in the ACL rules.
Expand All @@ -36,9 +37,9 @@ type TagOwners map[string][]string

// ACLTest is not implemented, but should be use to check if a certain rule is allowed.
type ACLTest struct {
User string `json:"User" yaml:"User"`
Allow []string `json:"Allow" yaml:"Allow"`
Deny []string `json:"Deny,omitempty" yaml:"Deny,omitempty"`
Source string `json:"src" yaml:"src"`
Accept []string `json:"accept" yaml:"accept"`
Deny []string `json:"deny,omitempty" yaml:"deny,omitempty"`
}

// UnmarshalJSON allows to parse the Hosts directly into netaddr objects.
Expand Down
4 changes: 2 additions & 2 deletions machine_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -188,8 +188,8 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
Hosts: map[string]netaddr.IPPrefix{},
TagOwners: map[string][]string{},
ACLs: []ACL{
{Action: "accept", Users: []string{"admin"}, Ports: []string{"*:*"}},
{Action: "accept", Users: []string{"test"}, Ports: []string{"test:*"}},
{Action: "accept", Sources: []string{"admin"}, Destinations: []string{"*:*"}},
{Action: "accept", Sources: []string{"test"}, Destinations: []string{"test:*"}},
},
Tests: []ACLTest{},
}
Expand Down
57 changes: 29 additions & 28 deletions tests/acls/acl_policy_1.hujson
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
// Declare static groups of users beyond those in the identity service.
"Groups": {
"groups": {
"group:example": [
"[email protected]",
"[email protected]",
Expand All @@ -11,12 +11,12 @@
],
},
// Declare hostname aliases to use in place of IP addresses or subnets.
"Hosts": {
"hosts": {
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24",
},
// Define who is allowed to use which tags.
"TagOwners": {
"tagOwners": {
// Everyone in the montreal-admins or global-admins group are
// allowed to tag servers as montreal-webserver.
"tag:montreal-webserver": [
Expand All @@ -29,17 +29,18 @@
],
},
// Access control lists.
"ACLs": [
"acls": [
// Engineering users, plus the president, can access port 22 (ssh)
// and port 3389 (remote desktop protocol) on all servers, and all
// ports on git-server or ci-server.
{
"Action": "accept",
"Users": [
"action": "accept",
"protocol": "tcp",
"src": [
"group:example2",
"192.168.1.0/24"
],
"Ports": [
"dst": [
"*:22,3389",
"git-server:*",
"ci-server:*"
Expand All @@ -48,22 +49,22 @@
// Allow engineer users to access any port on a device tagged with
// tag:production.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"group:example"
],
"Ports": [
"dst": [
"tag:production:*"
],
},
// Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts
// on both networks.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"example-host-2",
],
"Ports": [
"dst": [
"example-host-1:*",
"192.168.1.0/24:*"
],
Expand All @@ -72,22 +73,22 @@
// Comment out this section if you want to define specific ACL
// restrictions above.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"*"
],
"Ports": [
"dst": [
"*:*"
],
},
// All users in Montreal are allowed to access the Montreal web
// servers.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"example-host-1"
],
"Ports": [
"dst": [
"tag:montreal-webserver:80,443"
],
},
Expand All @@ -96,30 +97,30 @@
// In contrast, this doesn't grant API servers the right to initiate
// any connections.
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"tag:montreal-webserver"
],
"Ports": [
"dst": [
"tag:api-server:443"
],
},
],
// Declare tests to check functionality of ACL rules
"Tests": [
"tests": [
{
"User": "[email protected]",
"Allow": [
"src": "[email protected]",
"accept": [
"example-host-1:22",
"example-host-2:80"
],
"Deny": [
"deny": [
"exapmle-host-2:100"
],
},
{
"User": "[email protected]",
"Allow": [
"src": "[email protected]",
"accept": [
"100.60.3.4:22"
],
},
Expand Down
10 changes: 5 additions & 5 deletions tests/acls/acl_policy_basic_1.hujson
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,19 @@


{
"Hosts": {
"hosts": {
"host-1": "100.100.100.100",
"subnet-1": "100.100.101.100/24",
},

"ACLs": [
"acls": [
{
"Action": "accept",
"Users": [
"action": "accept",
"src": [
"subnet-1",
"192.168.1.0/24"
],
"Ports": [
"dst": [
"*:22,3389",
"host-1:*",
],
Expand Down
Loading

0 comments on commit 3e35300

Please sign in to comment.