Added more unit tests

acls.go

@@ -9,7 +9,6 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/davecgh/go-spew/spew"
 	"github.com/tailscale/hujson"
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
@@ -82,8 +81,6 @@ func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
 			DstPorts: destPorts,
 		})
 	}
-	// fmt.Println(rules)
-	spew.Dump(rules)
 
 	return &rules, nil
 }

acls_test.go

@@ -64,7 +64,82 @@ func (s *Suite) TestBasicRule(c *check.C) {
 
 	rules, err := h.generateACLRules()
 	c.Assert(err, check.IsNil)
-	c.Assert(rules, check.IsNil)
+	c.Assert(rules, check.NotNil)
+}
+
+func (s *Suite) TestPortRange(c *check.C) {
+	err := h.LoadPolicy("./tests/acls/acl_policy_basic_range.hujson")
+	c.Assert(err, check.IsNil)
+
+	rules, err := h.generateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(rules, check.NotNil)
+
+	c.Assert(*rules, check.HasLen, 1)
+	c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+	c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(5400))
+	c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(5500))
+}
+
+func (s *Suite) TestPortWildcard(c *check.C) {
+	err := h.LoadPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
+	c.Assert(err, check.IsNil)
+
+	rules, err := h.generateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(rules, check.NotNil)
+
+	c.Assert(*rules, check.HasLen, 1)
+	c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+	c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
+	c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
+	c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
+	c.Assert((*rules)[0].SrcIPs[0], check.Equals, "*")
+}
+
+func (s *Suite) TestPortNamespace(c *check.C) {
+	n, err := h.CreateNamespace("testnamespace")
+	c.Assert(err, check.IsNil)
+
+	pak, err := h.CreatePreAuthKey(n.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	db, err := h.db()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	_, err = h.GetMachine("testnamespace", "testmachine")
+	c.Assert(err, check.NotNil)
+	ip, _ := h.getAvailableIP()
+	m := Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Name:           "testmachine",
+		NamespaceID:    n.ID,
+		Registered:     true,
+		RegisterMethod: "authKey",
+		IPAddress:      ip.String(),
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.Save(&m)
+
+	err = h.LoadPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson")
+	c.Assert(err, check.IsNil)
+
+	rules, err := h.generateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(rules, check.NotNil)
+
+	c.Assert(*rules, check.HasLen, 1)
+	c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
+	c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
+	c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
+	c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
+	c.Assert((*rules)[0].SrcIPs[0], check.Not(check.Equals), "not an ip")
+	c.Assert((*rules)[0].SrcIPs[0], check.Equals, ip.String())
 }
 
 // func (s *Suite) TestRuleGeneration(c *check.C) {

tests/acls/acl_policy_1.hujson

@@ -20,12 +20,11 @@
         // Everyone in the montreal-admins or global-admins group are
         // allowed to tag servers as montreal-webserver.
         "tag:montreal-webserver": [
-            "group:montreal-admins",
-            "group:global-admins",
+            "group:example",
         ],
         // Only a few admins are allowed to create API servers.
-        "tag:api-server": [
-            "group:global-admins",
+        "tag:production": [
+            "group:example",
             "president@example.com",
         ],
     },
@@ -38,7 +37,7 @@
             "Action": "accept",
             "Users": [
                 "group:example2",
-                "192.168.1.1"
+                "192.168.1.0/24"
             ],
             "Ports": [
                 "*:22,3389",
@@ -62,8 +61,7 @@
         {
             "Action": "accept",
             "Users": [
-                "example-host-2",
-                "192.168.1.0/24"
+                "example-host-2", 
             ],
             "Ports": [
                 "example-host-1:*",

tests/acls/acl_policy_basic_1.hujson

@@ -0,0 +1,24 @@
+// This ACL is a very basic example to validate the 
+// expansion of hosts
+
+
+{
+    "Hosts": {
+        "host-1": "100.100.100.100",
+        "subnet-1": "100.100.101.100/24",
+    },
+
+    "ACLs": [
+        {
+            "Action": "accept",
+            "Users": [
+                "subnet-1",
+                "192.168.1.0/24"
+            ],
+            "Ports": [
+                "*:22,3389",
+                "host-1:*",
+            ],
+        },
+    ],
+}

tests/acls/acl_policy_basic_namespace_as_user.hujson

@@ -0,0 +1,20 @@
+// This ACL is used to test wildcards
+
+{
+    "Hosts": {
+        "host-1": "100.100.100.100",
+        "subnet-1": "100.100.101.100/24",
+    },
+
+    "ACLs": [
+        {
+            "Action": "accept",
+            "Users": [
+                "testnamespace",
+            ],
+            "Ports": [
+                "host-1:*",
+            ],
+        },
+    ],
+}

tests/acls/acl_policy_basic_range.hujson

@@ -0,0 +1,20 @@
+// This ACL is used to test the port range expansion
+
+{
+    "Hosts": {
+        "host-1": "100.100.100.100",
+        "subnet-1": "100.100.101.100/24",
+    },
+
+    "ACLs": [
+        {
+            "Action": "accept",
+            "Users": [
+                "subnet-1",
+            ],
+            "Ports": [
+                "host-1:5400-5500",
+            ],
+        },
+    ],
+}

tests/acls/acl_policy_basic_wildcards.hujson

@@ -0,0 +1,20 @@
+// This ACL is used to test wildcards
+
+{
+    "Hosts": {
+        "host-1": "100.100.100.100",
+        "subnet-1": "100.100.101.100/24",
+    },
+
+    "ACLs": [
+        {
+            "Action": "accept",
+            "Users": [
+                "*",
+            ],
+            "Ports": [
+                "host-1:*",
+            ],
+        },
+    ],
+}