mirror of
https://github.com/juanfont/headscale.git
synced 2024-11-10 17:12:33 +08:00
Added more acl test hujsons
This commit is contained in:
Juan Font
parent
5644dadaf9
commit
bbd6a67c46
2 changed files with 135 additions and 6 deletions
|
|
@ -5,6 +5,10 @@
|
||||||
"user1@example.com",
|
"user1@example.com",
|
||||||
"user2@example.com",
|
"user2@example.com",
|
||||||
],
|
],
|
||||||
|
"group:example2": [
|
||||||
|
"user1@example.com",
|
||||||
|
"user2@example.com",
|
||||||
|
],
|
||||||
},
|
},
|
||||||
// Declare hostname aliases to use in place of IP addresses or subnets.
|
// Declare hostname aliases to use in place of IP addresses or subnets.
|
||||||
"Hosts": {
|
"Hosts": {
|
||||||
|
|
@ -33,8 +37,8 @@
|
||||||
{
|
{
|
||||||
"Action": "accept",
|
"Action": "accept",
|
||||||
"Users": [
|
"Users": [
|
||||||
"group:engineering",
|
"group:example2",
|
||||||
"president@example.com"
|
"192.168.1.1"
|
||||||
],
|
],
|
||||||
"Ports": [
|
"Ports": [
|
||||||
"*:22,3389",
|
"*:22,3389",
|
||||||
|
|
@ -47,7 +51,7 @@
|
||||||
{
|
{
|
||||||
"Action": "accept",
|
"Action": "accept",
|
||||||
"Users": [
|
"Users": [
|
||||||
"group:engineers"
|
"group:example"
|
||||||
],
|
],
|
||||||
"Ports": [
|
"Ports": [
|
||||||
"tag:production:*"
|
"tag:production:*"
|
||||||
|
|
@ -58,11 +62,11 @@
|
||||||
{
|
{
|
||||||
"Action": "accept",
|
"Action": "accept",
|
||||||
"Users": [
|
"Users": [
|
||||||
"my-subnet",
|
"example-host-2",
|
||||||
"192.168.1.0/24"
|
"192.168.1.0/24"
|
||||||
],
|
],
|
||||||
"Ports": [
|
"Ports": [
|
||||||
"my-subnet:*",
|
"example-host-1:*",
|
||||||
"192.168.1.0/24:*"
|
"192.168.1.0/24:*"
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
|
@ -83,7 +87,7 @@
|
||||||
{
|
{
|
||||||
"Action": "accept",
|
"Action": "accept",
|
||||||
"Users": [
|
"Users": [
|
||||||
"group:montreal-users"
|
"example-host-1"
|
||||||
],
|
],
|
||||||
"Ports": [
|
"Ports": [
|
||||||
"tag:montreal-webserver:80,443"
|
"tag:montreal-webserver:80,443"
|
||||||
|
|
|
||||||
125
tests/acls/acl_policy_invalid.hujson
Normal file
125
tests/acls/acl_policy_invalid.hujson
Normal file
|
|
@ -0,0 +1,125 @@
|
||||||
|
{
|
||||||
|
// Declare static groups of users beyond those in the identity service.
|
||||||
|
"Groups": {
|
||||||
|
"group:example": [
|
||||||
|
"user1@example.com",
|
||||||
|
"user2@example.com",
|
||||||
|
],
|
||||||
|
},
|
||||||
|
// Declare hostname aliases to use in place of IP addresses or subnets.
|
||||||
|
"Hosts": {
|
||||||
|
"example-host-1": "100.100.100.100",
|
||||||
|
"example-host-2": "100.100.101.100/24",
|
||||||
|
},
|
||||||
|
// Define who is allowed to use which tags.
|
||||||
|
"TagOwners": {
|
||||||
|
// Everyone in the montreal-admins or global-admins group are
|
||||||
|
// allowed to tag servers as montreal-webserver.
|
||||||
|
"tag:montreal-webserver": [
|
||||||
|
"group:montreal-admins",
|
||||||
|
"group:global-admins",
|
||||||
|
],
|
||||||
|
// Only a few admins are allowed to create API servers.
|
||||||
|
"tag:api-server": [
|
||||||
|
"group:global-admins",
|
||||||
|
"example-host-1",
|
||||||
|
],
|
||||||
|
},
|
||||||
|
// Access control lists.
|
||||||
|
"ACLs": [
|
||||||
|
// Engineering users, plus the president, can access port 22 (ssh)
|
||||||
|
// and port 3389 (remote desktop protocol) on all servers, and all
|
||||||
|
// ports on git-server or ci-server.
|
||||||
|
{
|
||||||
|
"Action": "accept",
|
||||||
|
"Users": [
|
||||||
|
"group:engineering",
|
||||||
|
"president@example.com"
|
||||||
|
],
|
||||||
|
"Ports": [
|
||||||
|
"*:22,3389",
|
||||||
|
"git-server:*",
|
||||||
|
"ci-server:*"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
// Allow engineer users to access any port on a device tagged with
|
||||||
|
// tag:production.
|
||||||
|
{
|
||||||
|
"Action": "accept",
|
||||||
|
"Users": [
|
||||||
|
"group:engineers"
|
||||||
|
],
|
||||||
|
"Ports": [
|
||||||
|
"tag:production:*"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
// Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts
|
||||||
|
// on both networks.
|
||||||
|
{
|
||||||
|
"Action": "accept",
|
||||||
|
"Users": [
|
||||||
|
"my-subnet",
|
||||||
|
"192.168.1.0/24"
|
||||||
|
],
|
||||||
|
"Ports": [
|
||||||
|
"my-subnet:*",
|
||||||
|
"192.168.1.0/24:*"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
// Allow every user of your network to access anything on the network.
|
||||||
|
// Comment out this section if you want to define specific ACL
|
||||||
|
// restrictions above.
|
||||||
|
{
|
||||||
|
"Action": "accept",
|
||||||
|
"Users": [
|
||||||
|
"*"
|
||||||
|
],
|
||||||
|
"Ports": [
|
||||||
|
"*:*"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
// All users in Montreal are allowed to access the Montreal web
|
||||||
|
// servers.
|
||||||
|
{
|
||||||
|
"Action": "accept",
|
||||||
|
"Users": [
|
||||||
|
"group:montreal-users"
|
||||||
|
],
|
||||||
|
"Ports": [
|
||||||
|
"tag:montreal-webserver:80,443"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
// Montreal web servers are allowed to make outgoing connections to
|
||||||
|
// the API servers, but only on https port 443.
|
||||||
|
// In contrast, this doesn't grant API servers the right to initiate
|
||||||
|
// any connections.
|
||||||
|
{
|
||||||
|
"Action": "accept",
|
||||||
|
"Users": [
|
||||||
|
"tag:montreal-webserver"
|
||||||
|
],
|
||||||
|
"Ports": [
|
||||||
|
"tag:api-server:443"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
],
|
||||||
|
// Declare tests to check functionality of ACL rules
|
||||||
|
"Tests": [
|
||||||
|
{
|
||||||
|
"User": "user1@example.com",
|
||||||
|
"Allow": [
|
||||||
|
"example-host-1:22",
|
||||||
|
"example-host-2:80"
|
||||||
|
],
|
||||||
|
"Deny": [
|
||||||
|
"exapmle-host-2:100"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"User": "user2@example.com",
|
||||||
|
"Allow": [
|
||||||
|
"100.60.3.4:22"
|
||||||
|
],
|
||||||
|
},
|
||||||
|
],
|
||||||
|
}
|
||||||
Loading…
Reference in a new issue