starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-04-10 19:17:25 +02:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

hscontrol/policy/v2: add TestACLToGrants

Browse Source 
Add test for aclToGrants() function that converts ACL rules to Grant
format. Tests conversion of:
- Single-port TCP rules
- Multiple ACL entries to multiple Grants
- Port ranges and multiple ports in a single rule
- Wildcard protocols
- UDP, ICMP, and other protocol types

Ensures backward compatibility by verifying that ACL rules are correctly
transformed to the new Grant format.

Updates #2180
This commit is contained in:
Kristoffer Dalby
2026-02-23 04:23:17 +01:00
committed by Kristoffer Dalby
parent 31c0ecbd68
commit 1c31f04fab
1 changed files with 163 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
hscontrol/policy/v2/types_test.go
View File

@@ -4748,3 +4748,166 @@ func TestUnmarshalGrants(t *testing.T) {
})
}
}
func TestACLToGrants(t *testing.T) {
tests := []struct {
name string
acl ACL
want []Grant
}{
{
name: "single-destination-tcp",
acl: ACL{
Action: ActionAccept,
Protocol: ProtocolNameTCP,
Sources: Aliases{gp("group:eng")},
Destinations: []AliasWithPorts{
{
Alias: tp("tag:server"),
Ports: []tailcfg.PortRange{{First: 443, Last: 443}},
},
},
},
want: []Grant{
{
Sources: Aliases{gp("group:eng")},
Destinations: Aliases{tp("tag:server")},
InternetProtocols: []ProtocolPort{
{
Protocol: ProtocolNameTCP,
Ports: []tailcfg.PortRange{{First: 443, Last: 443}},
},
},
},
},
},
{
name: "multiple-destinations-creates-multiple-grants",
acl: ACL{
Action: ActionAccept,
Protocol: ProtocolNameTCP,
Sources: Aliases{gp("group:eng")},
Destinations: []AliasWithPorts{
{
Alias: tp("tag:web"),
Ports: []tailcfg.PortRange{{First: 80, Last: 80}},
},
{
Alias: tp("tag:db"),
Ports: []tailcfg.PortRange{{First: 5432, Last: 5432}},
},
},
},
want: []Grant{
{
Sources: Aliases{gp("group:eng")},
Destinations: Aliases{tp("tag:web")},
InternetProtocols: []ProtocolPort{
{
Protocol: ProtocolNameTCP,
Ports: []tailcfg.PortRange{{First: 80, Last: 80}},
},
},
},
{
Sources: Aliases{gp("group:eng")},
Destinations: Aliases{tp("tag:db")},
InternetProtocols: []ProtocolPort{
{
Protocol: ProtocolNameTCP,
Ports: []tailcfg.PortRange{{First: 5432, Last: 5432}},
},
},
},
},
},
{
name: "wildcard-protocol",
acl: ACL{
Action: ActionAccept,
Protocol: ProtocolNameWildcard,
Sources: Aliases{gp("group:admin")},
Destinations: []AliasWithPorts{
{
Alias: up("alice@example.com"),
Ports: []tailcfg.PortRange{tailcfg.PortRangeAny},
},
},
},
want: []Grant{
{
Sources: Aliases{gp("group:admin")},
Destinations: Aliases{up("alice@example.com")},
InternetProtocols: []ProtocolPort{
{
Protocol: ProtocolNameWildcard,
Ports: []tailcfg.PortRange{tailcfg.PortRangeAny},
},
},
},
},
},
{
name: "udp-with-port-range",
acl: ACL{
Action: ActionAccept,
Protocol: ProtocolNameUDP,
Sources: Aliases{up("bob@example.com")},
Destinations: []AliasWithPorts{
{
Alias: tp("tag:voip"),
Ports: []tailcfg.PortRange{{First: 10000, Last: 20000}},
},
},
},
want: []Grant{
{
Sources: Aliases{up("bob@example.com")},
Destinations: Aliases{tp("tag:voip")},
InternetProtocols: []ProtocolPort{
{
Protocol: ProtocolNameUDP,
Ports: []tailcfg.PortRange{{First: 10000, Last: 20000}},
},
},
},
},
},
{
name: "icmp-protocol",
acl: ACL{
Action: ActionAccept,
Protocol: ProtocolNameICMP,
Sources: Aliases{gp("group:monitoring")},
Destinations: []AliasWithPorts{
{
Alias: new(Asterix),
Ports: []tailcfg.PortRange{tailcfg.PortRangeAny},
},
},
},
want: []Grant{
{
Sources: Aliases{gp("group:monitoring")},
Destinations: Aliases{new(Asterix)},
InternetProtocols: []ProtocolPort{
{
Protocol: ProtocolNameICMP,
Ports: []tailcfg.PortRange{tailcfg.PortRangeAny},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := aclToGrants(tt.acl)
if diff := cmp.Diff(tt.want, got); diff != "" {
t.Errorf("aclToGrants() mismatch (-want +got):\n%s", diff)
}
})
}
}