policyfile: add grants and ipsets

Fixes #35

Author: clstokes

policyfile.go

@@ -69,6 +69,8 @@ type ACL struct {
 	DisableIPv4         bool                `json:"disableIPv4,omitempty" hujson:"DisableIPv4,omitempty"`
 	OneCGNATRoute       string              `json:"oneCGNATRoute,omitempty" hujson:"OneCGNATRoute,omitempty"`
 	RandomizeClientPort bool                `json:"randomizeClientPort,omitempty" hujson:"RandomizeClientPort,omitempty"`
+	Grants              []Grant             `json:"grants,omitempty" hujson:"Grants,omitempty"`
+	IPSets              map[string][]string `json:"ipsets,omitempty" hujson:"IPSets,omitempty"`
 
 	// Postures and DefaultSourcePosture are for an experimental feature and not yet public or documented as of 2023-08-17.
 	// This API is subject to change. Internal bug: corp/13986
@@ -160,6 +162,15 @@ type NodeAttrGrantApp struct {
 	Domains    []string `json:"domains,omitempty" hujson:"Domains,omitempty"`
 }
 
+type Grant struct {
+	Source      []string                    `json:"src,omitempty" hujson:"Src,omitempty"`
+	Destination []string                    `json:"dst,omitempty" hujson:"Dst,omitempty"`
+	IP          []string                    `json:"ip,omitempty" hujson:"IP,omitempty"`
+	App         map[string][]map[string]any `json:"app,omitempty" hujson:"App,omitempty"`
+	SrcPosture  []string                    `json:"srcPosture,omitempty" hujson:"SrcPosture,omitempty"`
+	Via         []string                    `json:"via,omitempty" hujson:"Via,omitempty"`
+}
+
 // Get retrieves the [ACL] that is currently set for the tailnet.
 func (pr *PolicyFileResource) Get(ctx context.Context) (*ACL, error) {
 	req, err := pr.buildRequest(ctx, http.MethodGet, pr.buildTailnetURL("acl"))

policyfile_test.go

@@ -117,6 +117,45 @@ func TestACL_Unmarshal(t *testing.T) {
 						CheckPeriod: SSHCheckPeriod(time.Hour * 20),
 					},
 				},
+				Grants: []Grant{
+					{
+						Source:      []string{"autogroup:member"},
+						Destination: []string{"autogroup:self"},
+						IP:          []string{"*"},
+						SrcPosture:  []string{"posture:latestMac"},
+						Via:         []string{"tag:subnet-router"},
+					},
+					{
+						Source:      []string{"group:prod"},
+						Destination: []string{"tag:k8s-operator"},
+						App: map[string][]map[string]any{
+							"tailscale.com/cap/kubernetes": {
+								{
+									"impersonate": map[string]any{
+										"groups": []any{"system:masters"},
+									},
+								},
+							},
+						},
+					},
+					{
+						Source:      []string{"autogroup:admin"},
+						Destination: []string{"tag:golinks"},
+						App: map[string][]map[string]any{
+							"tailscale.com/cap/golink": {
+								{
+									"admin": true,
+								},
+							},
+						},
+					},
+				},
+				IPSets: map[string][]string{
+					"ipset:prod": {
+						"add 192.0.2.0/24",
+						"remove 192.0.2.33",
+					},
+				},
 			},
 		},
 		{
@@ -219,6 +258,45 @@ func TestACL_Unmarshal(t *testing.T) {
 						Source: "[email protected]",
 						Accept: []string{"tag:dev:80"}},
 				},
+				Grants: []Grant{
+					{
+						Source:      []string{"autogroup:member"},
+						Destination: []string{"autogroup:self"},
+						IP:          []string{"*"},
+						SrcPosture:  []string{"posture:latestMac"},
+						Via:         []string{"tag:subnet-router"},
+					},
+					{
+						Source:      []string{"group:prod"},
+						Destination: []string{"tag:k8s-operator"},
+						App: map[string][]map[string]any{
+							"tailscale.com/cap/kubernetes": {
+								{
+									"impersonate": map[string]any{
+										"groups": []any{"system:masters"},
+									},
+								},
+							},
+						},
+					},
+					{
+						Source:      []string{"autogroup:admin"},
+						Destination: []string{"tag:golinks"},
+						App: map[string][]map[string]any{
+							"tailscale.com/cap/golink": {
+								{
+									"admin": true,
+								},
+							},
+						},
+					},
+				},
+				IPSets: map[string][]string{
+					"ipset:prod": {
+						"add 192.0.2.0/24",
+						"remove 192.0.2.33",
+					},
+				},
 			},
 		},
 	}

testdata/acl.hujson

@@ -65,5 +65,40 @@
       "users": ["root", "autogroup:nonroot"],
       "checkPeriod": "always"
     },
-  ]
+  ],
+  "grants": [
+    {
+      "src": ["autogroup:member"],
+      "dst": ["autogroup:self"],
+      "ip": ["*"],
+      "srcPosture": ["posture:latestMac"],
+      "via": ["tag:subnet-router"]
+    },
+    {
+      "src": ["group:prod"],
+      "dst": ["tag:k8s-operator"],
+      "app": {
+        "tailscale.com/cap/kubernetes": [
+          {
+            "impersonate": {
+              "groups": ["system:masters"]
+            }
+          }
+        ]
+      }
+    },
+    {
+      "src": ["autogroup:admin"],
+      "dst": ["tag:golinks"],
+      "app": {
+          "tailscale.com/cap/golink": [{"admin": true}]
+      }
+    },
+  ],
+  "ipsets": {
+    "ipset:prod": [
+        "add 192.0.2.0/24",
+        "remove 192.0.2.33"
+    ]
+  },
 }

testdata/acl.json

@@ -45,5 +45,40 @@
       "users": ["root", "autogroup:nonroot"],
       "checkPeriod": "20h"
     }
-  ]
+  ],
+  "grants": [
+    {
+      "src": ["autogroup:member"],
+      "dst": ["autogroup:self"],
+      "ip": ["*"],
+      "srcPosture": ["posture:latestMac"],
+      "via": ["tag:subnet-router"]
+    },
+    {
+      "src": ["group:prod"],
+      "dst": ["tag:k8s-operator"],
+      "app": {
+        "tailscale.com/cap/kubernetes": [
+          {
+            "impersonate": {
+              "groups": ["system:masters"]
+            }
+          }
+        ]
+      }
+    },
+    {
+        "src": ["autogroup:admin"],
+        "dst": ["tag:golinks"],
+        "app": {
+            "tailscale.com/cap/golink": [{"admin": true}]
+        }
+    }
+  ],
+  "ipsets": {
+    "ipset:prod": [
+        "add 192.0.2.0/24",
+        "remove 192.0.2.33"
+    ]
+  }
 }