make generateFilterRules take machine and peers

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-11-04 10:01:05 +01:00 · 2023-06-12 11:18:58 +02:00 · 2023-06-12 11:18:58 +02:00 · 161243c787
commit 161243c787
parent 9c425a1c08
2 changed files with 24 additions and 19 deletions
--- a/hscontrol/policy/acls.go
+++ b/hscontrol/policy/acls.go
@ -128,7 +128,7 @@ func GenerateFilterRules(
 		return tailcfg.FilterAllowAll, &tailcfg.SSHPolicy{}, nil
 	}

-	rules, err := policy.generateFilterRules(append(peers, *machine), stripEmailDomain)
+	rules, err := policy.generateFilterRules(machine, peers, stripEmailDomain)
 	if err != nil {
 		return []tailcfg.FilterRule{}, &tailcfg.SSHPolicy{}, err
 	}
@ -152,10 +152,12 @@ func GenerateFilterRules(
 // generateFilterRules takes a set of machines and an ACLPolicy and generates a
 // set of Tailscale compatible FilterRules used to allow traffic on clients.
 func (pol *ACLPolicy) generateFilterRules(
-	machines types.Machines,
+	machine *types.Machine,
+	peers types.Machines,
 	stripEmailDomain bool,
 ) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
+	machines := append(peers, *machine)

 	for index, acl := range pol.ACLs {
 		if acl.Action != "accept" {
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@ -199,7 +199,7 @@ func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
 	c.Assert(pol.ACLs, check.HasLen, 6)
 	c.Assert(err, check.IsNil)

-	rules, err := pol.generateFilterRules(types.Machines{}, false)
+	rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false)
 	c.Assert(err, check.NotNil)
 	c.Assert(rules, check.IsNil)
 }
@ -230,7 +230,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
 	pol, err := LoadACLPolicyFromBytes(acl, "hujson")
 	c.Assert(err, check.IsNil)

-	rules, err := pol.generateFilterRules(types.Machines{}, false)
+	rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 }
@ -310,7 +310,7 @@ func (s *Suite) TestPortRange(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(pol, check.NotNil)

-	rules, err := pol.generateFilterRules(types.Machines{}, false)
+	rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@ -366,7 +366,7 @@ func (s *Suite) TestProtocolParsing(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(pol, check.NotNil)

-	rules, err := pol.generateFilterRules(types.Machines{}, false)
+	rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@ -401,7 +401,7 @@ func (s *Suite) TestPortWildcard(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(pol, check.NotNil)

-	rules, err := pol.generateFilterRules(types.Machines{}, false)
+	rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@ -428,7 +428,7 @@ acls:
 	c.Assert(err, check.IsNil)
 	c.Assert(pol, check.NotNil)

-	rules, err := pol.generateFilterRules(types.Machines{}, false)
+	rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@ -459,7 +459,7 @@ acls:
 	c.Assert(err, check.IsNil)
 	c.Assert(pol, check.NotNil)

-	rules, err := pol.generateFilterRules(types.Machines{}, false)
+	rules, err := pol.generateFilterRules(&types.Machine{}, types.Machines{}, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@ -1620,7 +1620,8 @@ func TestACLPolicy_generateFilterRules(t *testing.T) {
 		pol ACLPolicy
 	}
 	type args struct {
-		machines         types.Machines
+		machine          types.Machine
+		peers            types.Machines
 		stripEmailDomain bool
 	}
 	tests := []struct {
@ -1651,7 +1652,8 @@ func TestACLPolicy_generateFilterRules(t *testing.T) {
 				},
 			},
 			args: args{
-				machines:         types.Machines{},
+				machine:          types.Machine{},
+				peers:            types.Machines{},
 				stripEmailDomain: true,
 			},
 			want: []tailcfg.FilterRule{
@ -1691,14 +1693,14 @@ func TestACLPolicy_generateFilterRules(t *testing.T) {
 				},
 			},
 			args: args{
-				machines: types.Machines{
-					{
-						IPAddresses: types.MachineAddresses{
-							netip.MustParseAddr("100.64.0.1"),
-							netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"),
-						},
-						User: types.User{Name: "mickael"},
+				machine: types.Machine{
+					IPAddresses: types.MachineAddresses{
+						netip.MustParseAddr("100.64.0.1"),
+						netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2221"),
 					},
+					User: types.User{Name: "mickael"},
+				},
+				peers: types.Machines{
 					{
 						IPAddresses: types.MachineAddresses{
 							netip.MustParseAddr("100.64.0.2"),
@ -1739,7 +1741,8 @@ func TestACLPolicy_generateFilterRules(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := tt.field.pol.generateFilterRules(
-				tt.args.machines,
+				&tt.args.machine,
+				tt.args.peers,
 				tt.args.stripEmailDomain,
 			)
 			if (err != nil) != tt.wantErr {