fix: incorrect splitting of alias and port ranges

jsiebens · Jan 15, 2024 · c1ea283 · c1ea283
1 parent 6a5d448
commit c1ea283
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 12 deletions.
diff --git a/internal/domain/acl.go b/internal/domain/acl.go
@@ -307,19 +307,15 @@ func (a ACLPolicy) expandMachineToDstPorts(m *Machine, ports []string) ([]tailcf
 }
 
 func (a ACLPolicy) expandMachineDestToNetPortRanges(m *Machine, dest string) (bool, []tailcfg.NetPortRange) {
-	tokens := strings.Split(dest, ":")
-	if len(tokens) < 2 || len(tokens) > 3 {
+	lastInd := strings.LastIndex(dest, ":")
+	if lastInd == -1 {
 		return false, nil
 	}
 
-	var alias string
-	if len(tokens) == 2 {
-		alias = tokens[0]
-	} else {
-		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
-	}
+	alias := dest[:lastInd]
+	portRange := dest[lastInd+1:]
 
-	ports, err := a.expandValuePortToPortRange(tokens[len(tokens)-1])
+	ports, err := a.expandValuePortToPortRange(portRange)
 	if err != nil {
 		return false, nil
 	}
@@ -329,18 +325,18 @@ func (a ACLPolicy) expandMachineDestToNetPortRanges(m *Machine, dest string) (bo
 		return false, nil
 	}
 
-	dests := []tailcfg.NetPortRange{}
+	var netPortRanges []tailcfg.NetPortRange
 	for _, d := range ips {
 		for _, p := range ports {
 			pr := tailcfg.NetPortRange{
 				IP:    d,
 				Ports: p,
 			}
-			dests = append(dests, pr)
+			netPortRanges = append(netPortRanges, pr)
 		}
 	}
 
-	return alias == AutoGroupSelf, dests
+	return alias == AutoGroupSelf, netPortRanges
 }
 
 func (a ACLPolicy) expandMachineAlias(m *Machine, alias string, src bool, u *User) []string {

diff --git a/internal/domain/acl_test.go b/internal/domain/acl_test.go
@@ -794,3 +794,39 @@ func TestACLPolicy_FindAutoApprovedIPs(t *testing.T) {
 		})
 	}
 }
+
+func TestACLPolicy_BuildFilterRulesWithAdvertisedRoutes(t *testing.T) {
+	route1 := netip.MustParsePrefix("fd7a:115c:a1e0:b1a:0:1:a3c:0/120")
+	p1 := createMachine("john@example.com", "tag:trusted")
+
+	policy := ACLPolicy{
+		ACLs: []ACL{
+			{
+				Action: "accept",
+				Src:    []string{"tag:trusted"},
+				Dst:    []string{"fd7a:115c:a1e0:b1a:0:1:a3c:0/120:*"},
+			},
+		},
+	}
+
+	dst := createMachine("john@example.com")
+	dst.AllowIPs = []netip.Prefix{route1}
+
+	actualRules := policy.BuildFilterRules([]Machine{*p1}, dst)
+	expectedRules := []tailcfg.FilterRule{
+		{
+			SrcIPs: p1.IPs(),
+			DstPorts: []tailcfg.NetPortRange{
+				{
+					IP: route1.String(),
+					Ports: tailcfg.PortRange{
+						First: 0,
+						Last:  65535,
+					},
+				},
+			},
+		},
+	}
+
+	assert.Equal(t, expectedRules, actualRules)
+}