Improvements on the ACLs and bug fixing #320
Conversation
9c23400 to
9643a5a
Compare
|
Can you have a look at the conflicts :)? all the other stuff is in now, and @juanfont will have a look at the proposal. |
|
Sorry I didn't saw your comment I'll look at it tomorrow. I'll need to work on integration tests also. |
This commit change the default behaviour and remove the notion of namespaces between the hosts. It allows all namespaces to be only filtered by the ACLs. This behavior is closer to tailsnet.
This call should be done quite at each modification of a server resources like RequestTags. When a server changes it's tag we should rebuild the ACL rules. When a server is added to headscale we also should update the ACLRules.
Rewrite some function to get rid of the dependency on Headscale object. This allows us to write succinct test that are more easy to review and implement. The improvements of the tests allowed to write the removal of the tagged hosts from the namespace as specified here: https://tailscale.com/kb/1068/acl-tags/
This is a false positive on the way the function is built. Small tests cases are all inside this functions, making it big.
3127a61 to
f073d8f
Compare
|
I've rebased the modifications on latest main branch |
| // Aclfilter peers here. We are itering through machines in all namespaces and search through the computed aclRules | ||
| // for match between rule SrcIPs and DstPorts. If the rule is a match we allow the machine to be viewable. | ||
|
|
||
| // FIXME: On official control plane if a rule allow user A to talk to user B but NO rule allows user B to talk to |
There was a problem hiding this comment.
This should be a github issue
There was a problem hiding this comment.
I think this is looking very promising!
I have left comments on the "input data" for tests for the ACLs, its quite hard to follow when using foo, bar, etc. Would be great if you could change that to descriptive, unique values and I will review that section again.
Otherwise, the expand* tests looks quite sensible and well covering, easy to extend!
There is a couple of other naming nits, but mostly good, thanks.
acls_test.go
Outdated
| // match properly the IP's of the related hosts. The owner is valid and the tag is also valid. | ||
| // the tag is matched in the Users section. | ||
| func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) { | ||
| namespace, err := app.CreateNamespace("foo") |
There was a problem hiding this comment.
| namespace, err := app.CreateNamespace("foo") | |
| namespace, err := app.CreateNamespace("validate-tagowner-expands-in-user") |
Test values should be descriptive and independent, this makes it a lot easier to follow the tests as you read them without having to go up and down to check if foo was a hostname or bar was a tag, group, or user.
If they have description based on the test their a part of, e.g. tagValidateTagOwnerExpandsInUser for tag, it will also guarantee that the tag is independent and will not interfere with other parts of the tests (even if the test framework is suppose to sort this.
There was a problem hiding this comment.
I changed for more explicit names, username for namespaces, teams for groups and groups of servers for tags. It's better than before but not up to what you describe here.
There was a problem hiding this comment.
Better thanks, when using the same values in adjacent tests, we don't make them independent of each other, but we can let this go for now and I can do a follow up PR and you have help me review it.
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
Using h.ListAllMachines also listed the current machine in the result. It's unnecessary (I don't know if it's harmful). Breaking the check with the `matchSourceAndDestinationWithRule` broke the tests. We have a specificity with the '*' destination that isn't symetrical. I need to think of a better way to do this. It too hard to read.
This should fix the performance issue with computation of `dst` variable. It's also easier to read now.
added a simple filter to remove the current node
The dependency to the `headscale` struct makes tests harder to do. This change allow to easily add some tests for this quite sensible function.
|
Could you run prettier lint? And I see the integration test fail, but I can't really see why, and not sure if any of the changes should really affect it. Could you have a dive? Other than that I think I'm happy to get it in :) |
Linting is done. For the integrations tests, I see some mentions of ACL parsing in the logs and calls seems to go through |
|
It looks like there is nil pointer as a result to a call to the Ill see if I can come up with a suggestion before I have to go out again. |
poll.go
Outdated
| err = h.UpdateACLRules() | ||
| if err != nil { | ||
| log.Error(). | ||
| Caller(). | ||
| Str("func", "handleAuthKey"). | ||
| Str("machine", machine.Name). | ||
| Err(err) | ||
| } |
There was a problem hiding this comment.
| err = h.UpdateACLRules() | |
| if err != nil { | |
| log.Error(). | |
| Caller(). | |
| Str("func", "handleAuthKey"). | |
| Str("machine", machine.Name). | |
| Err(err) | |
| } | |
| if h.aclPolicy != nil { | |
| err = h.UpdateACLRules() | |
| if err != nil { | |
| log.Error(). | |
| Caller(). | |
| Str("func", "handleAuthKey"). | |
| Str("machine", machine.Name). | |
| Err(err) | |
| } | |
| } | |
This should do it.
There was a problem hiding this comment.
But open to better solutions.
There was a problem hiding this comment.
I've opted for both adding error to the callee and avoiding error case on caller side. The callee still need to report and error since it can generate errors if no ACLPolicies are defined.
As for the placement of this piece of code, I'm also open to suggestion. I've put it here but don't know well enough the code to find better place. We need to update the ACL when the HostInfo of the machines are modified, and when hosts are registered.
|
As a side note, we should probably have integration tests for ACL, but that can be done in the future, want to clean them up and remove all the shared stuff first |
If aclPolicy is not defined, in updateAclPolicy, return an error.
Yes I wanted to do it but here, but the PR is big enough. We should create a issue for this subject as well. |
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
|
Good job, lets do it, I think I will release this as a beta straight away. |
|
Would you mind creating the issues mentioned in this PR @restanrm ? |
Yes, I'll create it now |
This PR is a first implementation of what has been discussed on #311 It should be reviewed commit by commit since last commits are linting modifications and changes quite much some part of the code that I didn't touch.
All subject discussed in PR #311 are not implemented here. I think all those modifications should be splitted in multiple PRs.
If this PR is too big, some commits could be moved outside of this PR it's related but just fixes some bugs on the ACLs parsing behavior.