From 9cdf21847436491266428b2ddca8d661c82a6c31 Mon Sep 17 00:00:00 2001
From: nitper <301091+nitper@users.noreply.github.com>
Date: Tue, 27 May 2025 16:52:06 -0700
Subject: [PATCH] add support for sshTests https://tailscale.com/kb/1337/policy-syntax#sshtests
---
 Makefile | 2 +-
 main.go | 1 +
 testdata/departments/engineering/acls.json | 27 ++++++++++++++--------
 testdata/input-parent.hujson | 8 +++++++
 testdata/output-file-to-compare-to.hujson | 22 ++++++++++++++++++
 5 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/Makefile b/Makefile
index e7437f5..1f5d9ba 100644
--- a/Makefile
+++ b/Makefile
@@ -5,4 +5,4 @@ testdata:
 -f testdata/input-parent.hujson \
 -d testdata/departments/ \
 -o testdata/output-file-to-compare-to.hujson \
- -allow=acls,autoApprovers,grants,groups,ipsets,ssh,tests
+ -allow=acls,autoApprovers,grants,groups,ipsets,ssh,tests,sshTests
diff --git a/main.go b/main.go
index c8c0cc8..3017c07 100644
--- a/main.go
+++ b/main.go
@@ -36,6 +36,7 @@ var (
 "ssh": handleArray(),
 "tagOwners": handleObject(),
 "tests": handleArray(),
+ "sshTests": handleArray(),
 "hosts": handleObject(),
 }
 )
diff --git a/testdata/departments/engineering/acls.json b/testdata/departments/engineering/acls.json
index eb53fbb..8531b97 100644
--- a/testdata/departments/engineering/acls.json
+++ b/testdata/departments/engineering/acls.json
@@ -2,15 +2,24 @@
 "acls": [
 {
 "action": "accept",
- "src": [
- "engineering@example.com"
- ],
- "dst": [
- "tag:json-rule:22"
- ],
- "srcPosture": [
- "posture:latestMac"
- ]
+ "src": ["engineering@example.com"],
+ "dst": ["tag:json-rule:22"],
+ "srcPosture": ["posture:latestMac"]
+ }
+ ],
+ "ssh": [
+ {
+ "action": "accept",
+ "src": ["engineering@example.com"],
+ "dst": ["autogroup:self"],
+ "users": ["root", "autogroup:nonroot"]
+ }
+ ],
+ "sshTests": [
+ {
+ "src": ["engineering@example.com"],
+ "dst": ["autogroup:self"],
+ "accept": ["root", "autogroup:nonroot"]
 }
 ]
 }
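Review bot: The new `"sshTests": handleArray(),` line sits between `"tests"` and `"hosts"` rather than beside `"ssh"`, the section its entries assert against; since this map is not sorted, keeping the two SSH keys adjacent makes the handler table easier to audit against the `-allow` list the Makefile hunk extends. A short comment such as `// sshTests are assertions over the merged "ssh" section; allowing one without the other gives misleading results` would record that coupling, because nothing on this page shows the two being validated together. It is also not visible here whether `-allow` values are checked against this map, so a misspelled key would presumably leave a policy section out of the merge without any error — worth confirming in the flag-parsing code. The enclosing `var (` block starts before the hunk.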
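Review bot: The `sshTests` fixture added at the end of this hunk only carries an `accept` list, and the matching fixtures in `testdata/input-parent.hujson` and `testdata/output-file-to-compare-to.hujson` do the same, so the merged output is never exercised with a negative expectation. Adding one entry with a `"deny"` list (the sshTests syntax also allows `"check"`) would let the comparison detect a merged `ssh` section that ends up more permissive than a department intended, which is the failure mode these tests exist to catch. A one-line comment at the top of the `sshTests` block noting that it asserts against the `ssh` rules declared in the same file would also make the intent of the fixture clear to the next person editing it.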
diff --git a/testdata/input-parent.hujson b/testdata/input-parent.hujson
index f16ad40..ff66836 100644
--- a/testdata/input-parent.hujson
+++ b/testdata/input-parent.hujson
@@ -56,6 +56,14 @@
 },
 ],
 
+ "sshTests": [
+ {
+ "src": ["autogroup:member"],
+ "dst": ["autogroup:self"],
+ "accept": ["root", "autogroup:nonroot"],
+ },
+ ],
+
 "tagOwners": {
 "tag:parent": [],
 "tag:user1": [
diff --git a/testdata/output-file-to-compare-to.hujson b/testdata/output-file-to-compare-to.hujson
index c82d211..934b857 100644
--- a/testdata/output-file-to-compare-to.hujson
+++ b/testdata/output-file-to-compare-to.hujson
@@ -152,6 +152,13 @@
 "dst": ["autogroup:self"],
 "users": ["root", "autogroup:nonroot"],
 },
+ // from `testdata/departments/engineering/acls.json`
+ {
+ "action": "accept",
+ "src": ["engineering@example.com"],
+ "dst": ["autogroup:self"],
+ "users": ["root", "autogroup:nonroot"],
+ },
 // from `testdata/departments/finance/ssh.hujson`
 {
 "action": "accept",
@@ -167,6 +174,21 @@
 },
 ],
 
+ "sshTests": [
+ // from `testdata/input-parent.hujson`
+ {
+ "src": ["autogroup:member"],
+ "dst": ["autogroup:self"],
+ "accept": ["root", "autogroup:nonroot"],
+ },
+ // from `testdata/departments/engineering/acls.json`
+ {
+ "src": ["engineering@example.com"],
+ "dst": ["autogroup:self"],
+ "accept": ["root", "autogroup:nonroot"],
+ },
+ ],
+
 "tagOwners": {
 // from `testdata/input-parent.hujson`
 "tag:parent": [],