feat: add support for autogroup:tagged

jsiebens · jsiebens · commit 54fa423acdd3 · 2024-01-02T09:32:12.000+01:00
diff --git a/internal/domain/acl.go b/internal/domain/acl.go
@@ -18,6 +18,7 @@ const (
 	AutoGroupSelf     = "autogroup:self"
 	AutoGroupMember   = "autogroup:member"
 	AutoGroupMembers  = "autogroup:members"
+	AutoGroupTagged   = "autogroup:tagged"
 	AutoGroupInternet = "autogroup:internet"
 )
 
@@ -317,6 +318,14 @@ func (a ACLPolicy) expandMachineAlias(m *Machine, alias string, src bool, u *Use
 		}
 	}
 
+	if alias == AutoGroupTagged {
+		if m.HasTags() {
+			return m.IPs()
+		} else {
+			return []string{}
+		}
+	}
+
 	if alias == AutoGroupInternet && m.IsExitNode() {
 		return autogroupInternetRanges()
 	}
diff --git a/internal/domain/acl_test.go b/internal/domain/acl_test.go
@@ -193,6 +193,49 @@ func TestACLPolicy_BuildFilterRulesWithAutoGroupMember(t *testing.T) {
 	assert.Equal(t, expectedRules, actualRules)
 }
 
+func TestACLPolicy_BuildFilterRulesWithAutoGroupTagged(t *testing.T) {
+
+	p1 := createMachine("jane@example.com")
+	p2 := createMachine("nick@example.com")
+	p3 := createMachine("joe@example.com", "tag:web")
+
+	policy := ACLPolicy{
+		ACLs: []ACL{
+			{
+				Action: "accept",
+				Src:    []string{"autogroup:tagged"},
+				Dst:    []string{"*:22"},
+			},
+		},
+	}
+
+	dst := createMachine("john@example.com")
+
+	actualRules := policy.BuildFilterRules([]Machine{*p1, *p2, *p3}, dst)
+
+	expectedSrcIPs := []string{
+		p3.IPv4.String(), p3.IPv6.String(),
+	}
+	sort.Strings(expectedSrcIPs)
+
+	expectedRules := []tailcfg.FilterRule{
+		{
+			SrcIPs: expectedSrcIPs,
+			DstPorts: []tailcfg.NetPortRange{
+				{
+					IP: "*",
+					Ports: tailcfg.PortRange{
+						First: 22,
+						Last:  22,
+					},
+				},
+			},
+		},
+	}
+
+	assert.Equal(t, expectedRules, actualRules)
+}
+
 func TestACLPolicy_BuildFilterRulesAutogroupSelf(t *testing.T) {
 	p1 := createMachine("john@example.com")
 	p2 := createMachine("jane@example.com")

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ const (`
`18`	`18`	`AutoGroupSelf = "autogroup:self"`
`19`	`19`	`AutoGroupMember = "autogroup:member"`
`20`	`20`	`AutoGroupMembers = "autogroup:members"`
	`21`	`+ AutoGroupTagged = "autogroup:tagged"`
`21`	`22`	`AutoGroupInternet = "autogroup:internet"`
`22`	`23`	`)`
`23`	`24`
`@@ -317,6 +318,14 @@ func (a ACLPolicy) expandMachineAlias(m Machine, alias string, src bool, u Use`
`317`	`318`	`}`
`318`	`319`	`}`
`319`	`320`
	`321`	`+ if alias == AutoGroupTagged {`
	`322`	`+ if m.HasTags() {`
	`323`	`+ return m.IPs()`
	`324`	`+ } else {`
	`325`	`+ return []string{}`
	`326`	`+ }`
	`327`	`+ }`
	`328`	`+`
`320`	`329`	`if alias == AutoGroupInternet && m.IsExitNode() {`
`321`	`330`	`return autogroupInternetRanges()`
`322`	`331`	`}`