fix: ignore tag src in check actions

jsiebens · Oct 20, 2022 · 4e96f2a · 4e96f2a
1 parent 43167c1
commit 4e96f2a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/internal/domain/acl_ssh_policy.go b/internal/domain/acl_ssh_policy.go
@@ -8,9 +8,12 @@ import (
 func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPolicy {
 	var rules []*tailcfg.SSHRule
 
-	expandSrcAliases := func(aliases []string, u *User) []*tailcfg.SSHPrincipal {
+	expandSrcAliases := func(aliases []string, action string, u *User) []*tailcfg.SSHPrincipal {
 		var allSrcIPsSet = &StringSet{}
 		for _, alias := range aliases {
+			if strings.HasPrefix(alias, "tag:") && action == "check" {
+				continue
+			}
 			for _, src := range srcs {
 				srcIPs := a.expandSSHSrcAlias(&src, alias, u)
 				allSrcIPsSet.Add(srcIPs...)
@@ -45,7 +48,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli
 		selfUsers, otherUsers := a.expandSSHDstToSSHUsers(dst, rule)
 
 		if len(selfUsers) != 0 {
-			principals := expandSrcAliases(rule.Src, &dst.User)
+			principals := expandSrcAliases(rule.Src, rule.Action, &dst.User)
 			if len(principals) != 0 {
 				rules = append(rules, &tailcfg.SSHRule{
 					Principals: principals,
@@ -56,7 +59,7 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli
 		}
 
 		if len(otherUsers) != 0 {
-			principals := expandSrcAliases(rule.Src, nil)
+			principals := expandSrcAliases(rule.Src, rule.Action, nil)
 			if len(principals) != 0 {
 				rules = append(rules, &tailcfg.SSHRule{
 					Principals: principals,

diff --git a/internal/domain/acl_ssh_policy_test.go b/internal/domain/acl_ssh_policy_test.go
@@ -340,6 +340,28 @@ func TestACLPolicy_BuildSSHPolicy_WithAutogroupSelfAndTagSrc(t *testing.T) {
 	assert.Nil(t, actualRules.Rules)
 }
 
+func TestACLPolicy_BuildSSHPolicy_WithTagsAndActionCheck(t *testing.T) {
+	p1 := createMachine("[email protected]")
+	p2 := createMachine("[email protected]", "tag:web")
+
+	policy := ACLPolicy{
+		SSHRules: []SSHRule{
+			{
+				Action: "check",
+				Src:    []string{"tag:web"},
+				Dst:    []string{"tag:web"},
+				Users:  []string{"autogroup:nonroot"},
+			},
+		},
+	}
+
+	dst := createMachine("[email protected]", "tag:web")
+
+	actualRules := policy.BuildSSHPolicy([]Machine{*p1, *p2}, dst)
+
+	assert.Nil(t, actualRules.Rules)
+}
+
 func printRules(rules []*tailcfg.SSHRule) {
 	indent, err := json.MarshalIndent(rules, "", "  ")
 	if err != nil {