fix: add support for autgroup:member when validating node attributes

Signed-off-by: Johan Siebens <[email protected]>
jsiebens · Nov 23, 2024 · 4394d44 · 4394d44
1 parent d44832e
commit 4394d44
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/internal/domain/acl.go b/internal/domain/acl.go
@@ -164,6 +164,10 @@ func (a ACLPolicy) NodeCapabilities(m *Machine) []tailcfg.NodeCapability {
 					}
 				}
 			}
+
+			if (alias == AutoGroupMember || alias == AutoGroupMembers) && !m.HasTags() {
+				return true
+			}
 		}
 
 		return false

diff --git a/internal/domain/acl_test.go b/internal/domain/acl_test.go
@@ -113,6 +113,38 @@ func TestACLPolicy_NodeAttributesWithUserAndTags(t *testing.T) {
 	assert.Equal(t, expectedAttrs, actualAttrs)
 }
 
+func TestACLPolicy_NodeAttributesWithAutoGroupMember(t *testing.T) {
+	p1 := createMachine("[email protected]")
+
+	policy := ACLPolicy{
+		ionscale.ACLPolicy{
+			NodeAttrs: []ionscale.ACLNodeAttrGrant{
+				{
+					Target: []string{"autogroup:member"},
+					Attr: []string{
+						"attr1",
+						"attr2",
+					},
+				},
+				{
+					Target: []string{"tag:web"},
+					Attr: []string{
+						"attr3",
+					},
+				},
+			},
+		},
+	}
+
+	actualAttrs := policy.NodeCapabilities(p1)
+	expectedAttrs := []tailcfg.NodeCapability{
+		tailcfg.NodeCapability("attr1"),
+		tailcfg.NodeCapability("attr2"),
+	}
+
+	assert.Equal(t, expectedAttrs, actualAttrs)
+}
+
 func TestACLPolicy_BuildFilterRulesEmptyACL(t *testing.T) {
 	p1 := createMachine("[email protected]")
 	p2 := createMachine("[email protected]")
-Original file line number
+Diff line change
@@ Expand Up @@
     					}
     				}
     			}
+    			if (alias == AutoGroupMember || alias == AutoGroupMembers) && !m.HasTags() {
+    				return true
+    			}
     		}
     		return false
@@ Expand Down @@