From 379bd51c67147d307887f57f8ec0953698e997f9 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby <kristoffer@tailscale.com>
Date: Tue, 19 Sep 2023 10:46:37 -0500
Subject: [PATCH] temp

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---
 hscontrol/policy/acls_test.go | 244 ++++++++++++++++++++++++++++++++++
 1 file changed, 244 insertions(+)

diff --git a/hscontrol/policy/acls_test.go b/hscontrol/policy/acls_test.go
index 9afb58a546..6b0d8ac5ec 100644
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@@ -1857,6 +1857,8 @@ func TestACLPolicy_generateFilterRules(t *testing.T) {
 }
 
 func TestReduceFilterRules(t *testing.T) {
+	intp := func(i int) *int { return &i }
+
 	tests := []struct {
 		name    string
 		machine *types.Machine
@@ -1893,6 +1895,248 @@ func TestReduceFilterRules(t *testing.T) {
 			},
 			want: []tailcfg.FilterRule{},
 		},
+
+		// This section contains a bunch of issues from Github which has
+		// been set up on Tailscale and the packetfilter output has been
+		// captured to make it easier to verify that we implement it correctly.
+
+		// Issue 1305 - ACL issue: specifing CIDR from subnet doesn't work
+		// ACL on tailscale.com:
+		//
+		// "hosts": {
+		// 	"lima1": "100.77.51.52",
+		// 	"lima2": "100.121.119.6",
+		//
+		// 	"ovh-vrack": "10.0.1.0/24",
+		// },
+		// "acls": [
+		// 	{
+		// 		"action": "accept",
+		// 		"src":    ["lima1"],
+		// 		"dst":    ["ovh-vrack:80,443"],
+		// 	},
+		// ],
+		{
+			name: "issue-1305-cidr-from-subnet-lima1",
+			pol: ACLPolicy{
+				Hosts: map[string]netip.Prefix{
+					"lima1": netip.MustParsePrefix("100.77.51.52/32"),
+					"lima2": netip.MustParsePrefix("100.121.119.6/32"),
+
+					"ovh-vrack": netip.MustParsePrefix("10.0.1.0/24"),
+				},
+				ACLs: []ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"lima1"},
+						Destinations: []string{"ovh-vrack:80,443"},
+					},
+				},
+			},
+			machine: types.Machine{
+				// lima1
+				IPAddresses: types.MachineAddresses{
+					netip.MustParseAddr("100.77.51.52"),
+					netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:624d:3334"),
+				},
+				User: types.User{Name: "kradalby"},
+			},
+			peers: types.Machines{
+				{
+					// lima2
+					IPAddresses: types.MachineAddresses{
+						netip.MustParseAddr("100.121.119.6"),
+						netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:6279:7706"),
+					},
+					User: types.User{Name: "kradalby"},
+				},
+			},
+			want: []tailcfg.FilterRule{},
+		},
+		{
+			name: "issue-1305-cidr-from-subnet-lima2",
+			pol: ACLPolicy{
+				Hosts: map[string]netip.Prefix{
+					"lima1": netip.MustParsePrefix("100.77.51.52/32"),
+					"lima2": netip.MustParsePrefix("100.121.119.6/32"),
+
+					"ovh-vrack": netip.MustParsePrefix("10.0.1.0/24"),
+				},
+				ACLs: []ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"lima1"},
+						Destinations: []string{"ovh-vrack:80,443"},
+					},
+				},
+			},
+			machine: types.Machine{
+				// lima2
+				IPAddresses: types.MachineAddresses{
+					netip.MustParseAddr("100.121.119.6"),
+					netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:6279:7706"),
+				},
+				User: types.User{Name: "kradalby"},
+			},
+			peers: types.Machines{
+				{
+					// lima1
+					IPAddresses: types.MachineAddresses{
+						netip.MustParseAddr("100.77.51.52"),
+						netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:624d:3334"),
+					},
+					User: types.User{Name: "kradalby"},
+				},
+			},
+			want: []tailcfg.FilterRule{
+				// TODO(kradalby): This is filtered out, I think I got the reduce
+				// filter stuff the wrong way around...
+				{
+					SrcIPs: []string{
+						"100.77.51.52/32",
+						"fd7a:115c:a1e0:ab12:4843:cd96:624d:3334/128",
+					},
+					DstPorts: []tailcfg.NetPortRange{
+						{
+							IP:   "10.0.1.0",
+							Bits: intp(24),
+							Ports: tailcfg.PortRange{
+								First: 80,
+								Last:  80,
+							},
+						},
+						{
+							IP:   "10.0.1.0",
+							Bits: intp(24),
+							Ports: tailcfg.PortRange{
+								First: 443,
+								Last:  443,
+							},
+						},
+					},
+				},
+			},
+		},
+
+		// Issue 1347 - ACLs with multiple users do not work
+		{
+			name: "issue-1347-multiple-users-does-not-work-lima1",
+			pol: ACLPolicy{
+				Groups: Groups{
+					"group:admin":  []string{"test-admin"},
+					"group:family": []string{"test-family-member"},
+				},
+				Hosts: map[string]netip.Prefix{
+					"lima2": netip.MustParsePrefix("100.121.119.6/32"),
+
+					"firewall": netip.MustParsePrefix("100.77.51.52/32"),
+					"lan":      netip.MustParsePrefix("192.168.1.0/24"),
+				},
+				ACLs: []ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:admin"},
+						Destinations: []string{"lan:*", "firewall:*", "group:admin:*"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"group:family"},
+						Destinations: []string{"lan:*", "firewall:*", "group:admin:*"},
+					},
+				},
+			},
+			machine: types.Machine{
+				// lima1
+				IPAddresses: types.MachineAddresses{
+					netip.MustParseAddr("100.77.51.52"),
+					netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:624d:3334"),
+				},
+				User: types.User{Name: "test-admin"},
+			},
+			peers: types.Machines{
+				{
+					// lima2
+					IPAddresses: types.MachineAddresses{
+						netip.MustParseAddr("100.121.119.6"),
+						netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:6279:7706"),
+					},
+					User: types.User{Name: "test-family-member"},
+				},
+			},
+			want: []tailcfg.FilterRule{
+				{
+					SrcIPs: []string{
+						"100.77.51.52/32",
+						"fd7a:115c:a1e0:ab12:4843:cd96:624d:3334/128",
+					},
+					DstPorts: []tailcfg.NetPortRange{
+						// This is the host known as firewall
+						{
+							IP:    "100.77.51.52",
+							Bits:  intp(32),
+							Ports: tailcfg.PortRangeAny,
+						},
+						// This is the network known as firewall
+						{
+							IP:    "100.77.51.52",
+							Bits:  intp(32),
+							Ports: tailcfg.PortRangeAny,
+						},
+						{
+							IP:    "fd7a:115c:a1e0:ab12:4843:cd96:624d:3334",
+							Bits:  intp(128),
+							Ports: tailcfg.PortRangeAny,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "issue-1347-multiple-users-does-not-work-lima2",
+			pol: ACLPolicy{
+				Groups: Groups{
+					"group:admin":  []string{"test-admin"},
+					"group:family": []string{"test-family-member"},
+				},
+				Hosts: map[string]netip.Prefix{
+					"lima2": netip.MustParsePrefix("100.121.119.6/32"),
+
+					"firewall": netip.MustParsePrefix("100.77.51.52/32"),
+					"lan":      netip.MustParsePrefix("192.168.1.0/24"),
+				},
+				ACLs: []ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:admin"},
+						Destinations: []string{"lan:*", "firewall:*", "group:admin:*"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"group:family"},
+						Destinations: []string{"lan:*", "firewall:*", "group:admin:*"},
+					},
+				},
+			},
+			machine: types.Machine{
+				// lima2
+				IPAddresses: types.MachineAddresses{
+					netip.MustParseAddr("100.121.119.6"),
+					netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:6279:7706"),
+				},
+				User: types.User{Name: "test-family-member"},
+			},
+			peers: types.Machines{
+				{
+					// lima1
+					IPAddresses: types.MachineAddresses{
+						netip.MustParseAddr("100.77.51.52"),
+						netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:624d:3334"),
+					},
+					User: types.User{Name: "test-admin"},
+				},
+			},
+			want: []tailcfg.FilterRule{},
+		},
 	}
 
 	for _, tt := range tests {