testdata: convert .json to .hujson with header comments

Rename all 594 test data files from .json to .hujson and add
descriptive header comments to each file documenting what policy
rules are under test and what outcome is expected.

Update test loaders in all 5 _test.go files to parse HuJSON via
hujson.Parse/Standardize/Pack before json.Unmarshal.

Add cross-dependency warning to via_compat_test.go documenting
that GRANT-V29/V30/V31/V36 are shared with TestGrantsCompat.

Add .gitignore exemption for testdata HuJSON files.
This commit is contained in:
Kristoffer Dalby
2026-03-30 17:08:26 +00:00
parent f693cc0851
commit 30dce30a9d
600 changed files with 3493 additions and 18 deletions
+1
View File
@@ -29,6 +29,7 @@ config*.yaml
!config-example.yaml
derp.yaml
*.hujson
!hscontrol/policy/v2/testdata/*/*.hujson
*.key
/db.sqlite
*.sqlite3
@@ -27,6 +27,7 @@ import (
"github.com/juanfont/headscale/hscontrol/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/tailscale/hujson"
"gorm.io/gorm"
"tailscale.com/tailcfg"
)
@@ -220,10 +221,14 @@ func loadACLTestFile(t *testing.T, path string) aclTestFile {
content, err := os.ReadFile(path)
require.NoError(t, err, "failed to read test file %s", path)
ast, err := hujson.Parse(content)
require.NoError(t, err, "failed to parse HuJSON in %s", path)
ast.Standardize()
var tf aclTestFile
err = json.Unmarshal(content, &tf)
require.NoError(t, err, "failed to parse test file %s", path)
err = json.Unmarshal(ast.Pack(), &tf)
require.NoError(t, err, "failed to unmarshal test file %s", path)
return tf
}
@@ -255,13 +260,13 @@ func TestACLCompat(t *testing.T) {
t.Parallel()
files, err := filepath.Glob(
filepath.Join("testdata", "acl_results", "ACL-*.json"),
filepath.Join("testdata", "acl_results", "ACL-*.hujson"),
)
require.NoError(t, err, "failed to glob test files")
require.NotEmpty(
t,
files,
"no ACL-*.json test files found in testdata/acl_results/",
"no ACL-*.hujson test files found in testdata/acl_results/",
)
t.Logf("Loaded %d ACL test files", len(files))
@@ -31,6 +31,7 @@ import (
"github.com/juanfont/headscale/hscontrol/policy/policyutil"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/stretchr/testify/require"
"github.com/tailscale/hujson"
"gorm.io/gorm"
"tailscale.com/tailcfg"
)
@@ -316,10 +317,14 @@ func loadGrantTestFile(t *testing.T, path string) grantTestFile {
content, err := os.ReadFile(path)
require.NoError(t, err, "failed to read test file %s", path)
ast, err := hujson.Parse(content)
require.NoError(t, err, "failed to parse HuJSON in %s", path)
ast.Standardize()
var tf grantTestFile
err = json.Unmarshal(content, &tf)
require.NoError(t, err, "failed to parse test file %s", path)
err = json.Unmarshal(ast.Pack(), &tf)
require.NoError(t, err, "failed to unmarshal test file %s", path)
return tf
}
@@ -357,9 +362,9 @@ var grantSkipReasons = map[string]string{
func TestGrantsCompat(t *testing.T) {
t.Parallel()
files, err := filepath.Glob(filepath.Join("testdata", "grant_results", "GRANT-*.json"))
files, err := filepath.Glob(filepath.Join("testdata", "grant_results", "GRANT-*.hujson"))
require.NoError(t, err, "failed to glob test files")
require.NotEmpty(t, files, "no GRANT-*.json test files found in testdata/grant_results/")
require.NotEmpty(t, files, "no GRANT-*.hujson test files found in testdata/grant_results/")
t.Logf("Loaded %d grant test files", len(files))
@@ -25,6 +25,7 @@ import (
"github.com/juanfont/headscale/hscontrol/policy/policyutil"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/stretchr/testify/require"
"github.com/tailscale/hujson"
"gorm.io/gorm"
"tailscale.com/tailcfg"
)
@@ -71,10 +72,14 @@ func loadRoutesTestFile(t *testing.T, path string) routesTestFile {
content, err := os.ReadFile(path)
require.NoError(t, err, "failed to read test file %s", path)
ast, err := hujson.Parse(content)
require.NoError(t, err, "failed to parse HuJSON in %s", path)
ast.Standardize()
var tf routesTestFile
err = json.Unmarshal(content, &tf)
require.NoError(t, err, "failed to parse test file %s", path)
err = json.Unmarshal(ast.Pack(), &tf)
require.NoError(t, err, "failed to unmarshal test file %s", path)
return tf
}
@@ -188,13 +193,13 @@ func TestRoutesCompat(t *testing.T) {
t.Parallel()
files, err := filepath.Glob(
filepath.Join("testdata", "routes_results", "ROUTES-*.json"),
filepath.Join("testdata", "routes_results", "ROUTES-*.hujson"),
)
require.NoError(t, err, "failed to glob test files")
require.NotEmpty(
t,
files,
"no ROUTES-*.json test files found in testdata/routes_results/",
"no ROUTES-*.hujson test files found in testdata/routes_results/",
)
t.Logf("Loaded %d routes test files", len(files))
@@ -29,6 +29,7 @@ import (
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/stretchr/testify/require"
"github.com/tailscale/hujson"
"gorm.io/gorm"
"tailscale.com/tailcfg"
)
@@ -191,10 +192,14 @@ func loadSSHTestFile(t *testing.T, path string) sshTestFile {
content, err := os.ReadFile(path)
require.NoError(t, err, "failed to read test file %s", path)
ast, err := hujson.Parse(content)
require.NoError(t, err, "failed to parse HuJSON in %s", path)
ast.Standardize()
var tf sshTestFile
err = json.Unmarshal(content, &tf)
require.NoError(t, err, "failed to parse test file %s", path)
err = json.Unmarshal(ast.Pack(), &tf)
require.NoError(t, err, "failed to unmarshal test file %s", path)
return tf
}
@@ -226,13 +231,13 @@ func TestSSHDataCompat(t *testing.T) {
t.Parallel()
files, err := filepath.Glob(
filepath.Join("testdata", "ssh_results", "SSH-*.json"),
filepath.Join("testdata", "ssh_results", "SSH-*.hujson"),
)
require.NoError(t, err, "failed to glob test files")
require.NotEmpty(
t,
files,
"no SSH-*.json test files found in testdata/ssh_results/",
"no SSH-*.hujson test files found in testdata/ssh_results/",
)
t.Logf("Loaded %d SSH test files", len(files))
@@ -1,3 +1,8 @@
// ACL-A01
//
// ACL: accept: src=['autogroup:member'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-A01",
"timestamp": "2026-03-17T14:16:33Z",
@@ -1,3 +1,8 @@
// ACL-A02
//
// ACL: accept: src=['autogroup:tagged'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-A02",
"timestamp": "2026-03-17T14:16:44Z",
@@ -1,3 +1,8 @@
// ACL-A03
//
// ACL: accept: src=['autogroup:member', 'tag:client'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-A03",
"timestamp": "2026-03-17T14:16:54Z",
@@ -1,3 +1,8 @@
// ACL-A04
//
// ACL: accept: src=['*'] dst=['autogroup:self:*']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-A04",
"timestamp": "2026-03-17T14:17:04Z",
@@ -1,3 +1,8 @@
// ACL-A05
//
// ACL: accept: src=['*'] dst=['autogroup:internet:*']
//
// Expected: No filter rules
{
"test_id": "ACL-A05",
"timestamp": "2026-03-17T14:17:15Z",
@@ -1,3 +1,8 @@
// ACL-A06
//
// ACL: accept: src=['*'] dst=['autogroup:member:*']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-A06",
"timestamp": "2026-03-17T14:17:25Z",
@@ -1,3 +1,8 @@
// ACL-A07
//
// ACL: accept: src=['*'] dst=['autogroup:self:*', 'tag:server:22']
//
// Expected: Rules on tagged-server, user-kris, user-mon, user1
{
"test_id": "ACL-A07",
"timestamp": "2026-03-17T14:17:36Z",
@@ -1,3 +1,8 @@
// ACL-A08
//
// ACL: accept: src=['*'] dst=['autogroup:tagged:*']
//
// Expected: Rules on exit-node, subnet-router, tagged-client, tagged-prod, tagged-server
{
"test_id": "ACL-A08",
"timestamp": "2026-03-17T14:17:47Z",
@@ -1,3 +1,8 @@
// ACL-A09
//
// ACL: accept: src=['autogroup:member'] dst=['autogroup:self:*']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-A09",
"timestamp": "2026-03-17T14:17:57Z",
@@ -1,3 +1,8 @@
// ACL-A10
//
// ACL: accept: src=['kratail2tid@passkey'] dst=['autogroup:self:*']
//
// Expected: Rules on user1
{
"test_id": "ACL-A10",
"timestamp": "2026-03-17T14:18:08Z",
@@ -1,3 +1,8 @@
// ACL-A11
//
// ACL: accept: src=['group:admins'] dst=['autogroup:self:*']
//
// Expected: Rules on user1
{
"test_id": "ACL-A11",
"timestamp": "2026-03-17T14:18:18Z",
@@ -1,3 +1,8 @@
// ACL-A12
//
// ACL: accept: src=['*'] dst=['autogroup:self:22']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-A12",
"timestamp": "2026-03-17T14:18:28Z",
@@ -1,3 +1,8 @@
// ACL-A13
//
// ACL: accept: src=['*'] dst=['autogroup:self:80-443']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-A13",
"timestamp": "2026-03-17T14:18:39Z",
@@ -1,3 +1,8 @@
// ACL-A14
//
// ACL: accept: src=['*'] dst=['autogroup:self:22,80,443']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-A14",
"timestamp": "2026-03-17T14:18:49Z",
@@ -1,3 +1,8 @@
// ACL-A15
//
// ACL: accept: src=['autogroup:member', 'autogroup:tagged'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-A15",
"timestamp": "2026-03-17T14:19:00Z",
@@ -1,3 +1,8 @@
// ACL-A16
//
// ACL: accept: src=['autogroup:member', 'autogroup:tagged'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-A16",
"timestamp": "2026-03-17T14:19:10Z",
@@ -1,3 +1,8 @@
// ACL-A17
//
// ACL: accept: src=['*'] dst=['autogroup:self:*', 'tag:server:22', 'autogroup:member:80']
//
// Expected: Rules on tagged-server, user-kris, user-mon, user1
{
"test_id": "ACL-A17",
"timestamp": "2026-03-17T14:19:21Z",
@@ -1,3 +1,8 @@
// ACL-AH01
//
// ACL: accept: src=['internal', 'subnet24'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-AH01",
"timestamp": "2026-03-17T14:19:31Z",
@@ -1,3 +1,8 @@
// ACL-AH02
//
// ACL: accept: src=['internal', '100.108.74.26'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AH02",
"timestamp": "2026-03-17T14:19:42Z",
@@ -1,3 +1,8 @@
// ACL-AH03
//
// ACL: accept: src=['*'] dst=['internal:22', 'subnet24:80', 'tag:server:443']
//
// Expected: Rules on subnet-router, tagged-server
{
"test_id": "ACL-AH03",
"timestamp": "2026-03-17T14:19:52Z",
@@ -1,3 +1,8 @@
// ACL-AH04
//
// ACL: accept: src=['internal', '10.0.0.0/8'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AH04",
"timestamp": "2026-03-17T14:20:02Z",
@@ -1,3 +1,8 @@
// ACL-AH05
//
// ACL: accept: src=['*'] dst=['internal:22']
//
// Expected: Rules on subnet-router
{
"test_id": "ACL-AH05",
"timestamp": "2026-03-17T14:20:13Z",
@@ -1,3 +1,8 @@
// ACL-AH06
//
// ACL: accept: src=['*'] dst=['10.0.0.0/8:22']
//
// Expected: Rules on subnet-router
{
"test_id": "ACL-AH06",
"timestamp": "2026-03-17T14:20:23Z",
@@ -1,3 +1,10 @@
// ACL-AR01
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:client'] dst=['tag:server:80,443']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AR01",
"timestamp": "2026-03-17T14:20:34Z",
@@ -1,3 +1,11 @@
// ACL-AR02
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:client'] dst=['tag:server:80,443']
// accept: src=['*'] dst=['tag:server:53'] proto=udp
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AR02",
"timestamp": "2026-03-17T14:20:44Z",
@@ -1,3 +1,11 @@
// ACL-AR03
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:client'] dst=['tag:server:80']
// accept: src=['tag:client'] dst=['tag:server:443']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AR03",
"timestamp": "2026-03-17T14:20:55Z",
@@ -1,3 +1,11 @@
// ACL-AR04
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:prod'] dst=['tag:server:22']
// accept: src=['tag:router'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AR04",
"timestamp": "2026-03-17T14:21:05Z",
@@ -1,3 +1,12 @@
// ACL-AR05
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:client'] dst=['tag:server:80']
// accept: src=['tag:prod'] dst=['tag:server:22']
// accept: src=['tag:prod'] dst=['tag:server:443']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AR05",
"timestamp": "2026-03-17T14:21:16Z",
@@ -1,3 +1,10 @@
// ACL-AR06
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['*'] dst=['tag:server:80']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AR06",
"timestamp": "2026-03-17T14:21:26Z",
@@ -1,3 +1,8 @@
// ACL-AT01
//
// ACL: accept: src=['tag:server', 'tag:client', 'tag:prod', 'tag:router', 'tag:exit'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-AT01",
"timestamp": "2026-03-17T14:21:36Z",
@@ -1,3 +1,8 @@
// ACL-AT02
//
// ACL: accept: src=['*'] dst=['tag:server:22', 'tag:client:22', 'tag:prod:22', 'tag:router:22', 'tag:exit:22']
//
// Expected: Rules on exit-node, subnet-router, tagged-client, tagged-prod, tagged-server
{
"test_id": "ACL-AT02",
"timestamp": "2026-03-17T14:21:47Z",
@@ -1,3 +1,8 @@
// ACL-AT03
//
// ACL: accept: src=['tag:server', 'tag:client', 'tag:prod', 'tag:router', 'tag:exit'] dst=['autogroup:member:22']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-AT03",
"timestamp": "2026-03-17T14:21:57Z",
@@ -1,3 +1,10 @@
// ACL-AT04
//
// ACLs:
// accept: src=['autogroup:tagged'] dst=['tag:server:22']
// accept: src=['autogroup:member'] dst=['tag:server:80']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AT04",
"timestamp": "2026-03-17T14:22:08Z",
@@ -1,3 +1,10 @@
// ACL-AT05
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:server'] dst=['tag:client:22']
//
// Expected: Rules on tagged-client, tagged-server
{
"test_id": "ACL-AT05",
"timestamp": "2026-03-17T14:22:18Z",
@@ -1,3 +1,12 @@
// ACL-AT06
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:server'] dst=['tag:prod:5432']
// accept: src=['tag:prod'] dst=['tag:client:80']
// accept: src=['tag:client'] dst=['tag:prod:443']
//
// Expected: Rules on tagged-client, tagged-prod, tagged-server
{
"test_id": "ACL-AT06",
"timestamp": "2026-03-17T14:22:29Z",
@@ -1,3 +1,8 @@
// ACL-AU01
//
// ACL: accept: src=['kristoffer@dalby.cc'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AU01",
"timestamp": "2026-03-17T14:22:39Z",
@@ -1,3 +1,8 @@
// ACL-AU02
//
// ACL: accept: src=['monitorpasskeykradalby@passkey'] dst=['tag:prod:5432']
//
// Expected: Rules on tagged-prod
{
"test_id": "ACL-AU02",
"timestamp": "2026-03-17T14:22:49Z",
@@ -1,3 +1,8 @@
// ACL-AU03
//
// ACL: accept: src=['group:developers'] dst=['tag:server:22', 'tag:prod:5432']
//
// Expected: Rules on tagged-prod, tagged-server
{
"test_id": "ACL-AU03",
"timestamp": "2026-03-17T14:23:00Z",
@@ -1,3 +1,8 @@
// ACL-AU04
//
// ACL: accept: src=['*'] dst=['group:developers:22']
//
// Expected: Rules on user-kris, user1
{
"test_id": "ACL-AU04",
"timestamp": "2026-03-17T14:23:10Z",
@@ -1,3 +1,8 @@
// ACL-AU05
//
// ACL: accept: src=['*'] dst=['group:monitors:*']
//
// Expected: Rules on user-mon
{
"test_id": "ACL-AU05",
"timestamp": "2026-03-17T14:23:21Z",
@@ -1,3 +1,8 @@
// ACL-AU06
//
// ACL: accept: src=['group:admins', 'group:developers', 'group:monitors'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-AU06",
"timestamp": "2026-03-17T14:23:31Z",
@@ -1,3 +1,11 @@
// ACL-C01
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['autogroup:member'] dst=['tag:server:80']
// accept: src=['*'] dst=['tag:prod:5432']
//
// Expected: Rules on tagged-prod, tagged-server
{
"test_id": "ACL-C01",
"timestamp": "2026-03-17T14:23:42Z",
@@ -1,3 +1,11 @@
// ACL-C02
//
// ACLs:
// accept: src=['tag:client', 'autogroup:member'] dst=['tag:server:22']
// accept: src=['tag:prod'] dst=['tag:server:80']
// accept: src=['group:admins'] dst=['tag:prod:5432']
//
// Expected: Rules on tagged-prod, tagged-server
{
"test_id": "ACL-C02",
"timestamp": "2026-03-17T14:23:52Z",
@@ -1,3 +1,10 @@
// ACL-C03
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22', 'tag:prod:5432', 'webserver:80']
// accept: src=['autogroup:member'] dst=['autogroup:self:*']
//
// Expected: Rules on tagged-prod, tagged-server, user-kris, user-mon, user1
{
"test_id": "ACL-C03",
"timestamp": "2026-03-17T14:24:03Z",
@@ -1,3 +1,12 @@
// ACL-C04
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:server'] dst=['tag:prod:5432']
// accept: src=['autogroup:member'] dst=['autogroup:self:*']
// accept: src=['*'] dst=['autogroup:internet:*']
//
// Expected: Rules on tagged-prod, tagged-server, user-kris, user-mon, user1
{
"test_id": "ACL-C04",
"timestamp": "2026-03-17T14:24:13Z",
@@ -1,3 +1,8 @@
// ACL-C05
//
// ACL: accept: src=['*'] dst=['tag:server:22', 'tag:prod:5432', 'tag:client:80', 'tag:router:*', 'tag:exit:*', 'autogroup:member:443', 'autogroup:self:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-C05",
"timestamp": "2026-03-17T14:24:23Z",
@@ -1,3 +1,8 @@
// ACL-C06
//
// ACL: accept: src=['tag:client', 'tag:prod', 'tag:server', 'autogroup:member', 'group:admins'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-C06",
"timestamp": "2026-03-17T14:24:34Z",
@@ -1,3 +1,12 @@
// ACL-C07
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:client'] dst=['tag:server:80']
// accept: src=['tag:client'] dst=['tag:server:443']
// accept: src=['tag:client'] dst=['tag:server:8080']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-C07",
"timestamp": "2026-03-17T14:24:44Z",
@@ -1,3 +1,8 @@
// ACL-C08
//
// ACL: accept: src=['*'] dst=['tag:server:22', 'tag:prod:22', 'tag:client:22', 'tag:router:22', 'tag:exit:22']
//
// Expected: Rules on exit-node, subnet-router, tagged-client, tagged-prod, tagged-server
{
"test_id": "ACL-C08",
"timestamp": "2026-03-17T14:24:55Z",
@@ -1,3 +1,12 @@
// ACL-C09
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['tag:client'] dst=['tag:prod:22']
// accept: src=['tag:server'] dst=['tag:prod:5432']
// ... (6 rules total)
//
// Expected: Rules on subnet-router, tagged-prod, tagged-server, user-kris, user-mon, user1
{
"test_id": "ACL-C09",
"timestamp": "2026-03-17T14:25:05Z",
@@ -1,3 +1,11 @@
// ACL-C10
//
// ACLs:
// accept: src=['autogroup:member'] dst=['autogroup:self:*']
// accept: src=['autogroup:member'] dst=['tag:server:22', 'tag:prod:5432']
// accept: src=['autogroup:tagged'] dst=['autogroup:tagged:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-C10",
"timestamp": "2026-03-17T14:25:16Z",
@@ -1,3 +1,10 @@
// ACL-D01
//
// ACLs:
// accept: src=['tag:client'] dst=['tag:server:22']
// accept: src=['*'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-D01",
"timestamp": "2026-03-17T14:25:26Z",
@@ -1,3 +1,8 @@
// ACL-D02
//
// ACL: accept: src=['tag:client'] dst=['tag:server:22', 'webserver:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-D02",
"timestamp": "2026-03-17T14:25:37Z",
@@ -1,3 +1,8 @@
// ACL-D03
//
// ACL: accept: src=['100.108.74.26', 'tag:server'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-D03",
"timestamp": "2026-03-17T14:25:47Z",
@@ -1,3 +1,8 @@
// ACL-D04
//
// ACL: accept: src=['100.108.74.26', 'webserver'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-D04",
"timestamp": "2026-03-17T14:25:57Z",
@@ -1,3 +1,8 @@
// ACL-D05
//
// ACL: accept: src=['*'] dst=['100.108.74.26:22', 'tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-D05",
"timestamp": "2026-03-17T14:26:08Z",
@@ -1,3 +1,8 @@
// ACL-D06
//
// ACL: accept: src=['*'] dst=['100.108.74.26:22', 'webserver:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-D06",
"timestamp": "2026-03-17T14:26:18Z",
@@ -1,3 +1,8 @@
// ACL-D07
//
// ACL: accept: src=['autogroup:member', 'autogroup:tagged'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-D07",
"timestamp": "2026-03-17T14:26:29Z",
@@ -1,3 +1,10 @@
// ACL-D08
//
// ACLs:
// accept: src=['*'] dst=['autogroup:self:*']
// accept: src=['kratail2tid@passkey'] dst=['kratail2tid@passkey:*']
//
// Expected: Rules on user-kris, user-mon, user1
{
"test_id": "ACL-D08",
"timestamp": "2026-03-17T14:26:39Z",
@@ -1,3 +1,8 @@
// ACL-E01
//
// ACL: accept: src=['100.108.74.26'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-E01",
"timestamp": "2026-03-17T14:26:50Z",
@@ -1,3 +1,8 @@
// ACL-E02
//
// ACL: accept: src=['tag:server'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-E02",
"timestamp": "2026-03-17T14:27:00Z",
@@ -1,3 +1,8 @@
// ACL-E03
//
// ACL: accept: src=['webserver'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-E03",
"timestamp": "2026-03-17T14:27:11Z",
@@ -1,3 +1,8 @@
// ACL-E04
//
// ACL: accept: src=['*'] dst=['100.108.74.26:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-E04",
"timestamp": "2026-03-17T14:27:21Z",
@@ -1,3 +1,8 @@
// ACL-E05
//
// ACL: accept: src=['*'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-E05",
"timestamp": "2026-03-17T14:27:32Z",
@@ -1,3 +1,8 @@
// ACL-E06
//
// ACL: accept: src=['*'] dst=['webserver:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-E06",
"timestamp": "2026-03-17T14:27:42Z",
@@ -1,3 +1,8 @@
// ACL-E07
//
// ACL: accept: src=['kratail2tid@passkey'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-E07",
"timestamp": "2026-03-17T14:27:52Z",
@@ -1,3 +1,8 @@
// ACL-E08
//
// ACL: accept: src=['group:admins'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-E08",
"timestamp": "2026-03-17T14:28:03Z",
@@ -1,3 +1,8 @@
// ACL-E09
//
// ACL: accept: src=['kratail2tid@passkey', 'group:admins'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-E09",
"timestamp": "2026-03-17T14:28:13Z",
@@ -1,3 +1,8 @@
// ACL-ERR01
//
// ACL: accept: src=['tag:nonexistent'] dst=['tag:server:22']
//
// Expected: Error — src=tag not found: "tag:nonexistent"
{
"test_id": "ACL-ERR01",
"timestamp": "2026-03-17T14:28:24Z",
@@ -1,3 +1,8 @@
// ACL-ERR02
//
// ACL: accept: src=['autogroup:self'] dst=['tag:server:22']
//
// Expected: Error — "autogroup:self" not valid on the src side of a rule
{
"test_id": "ACL-ERR02",
"timestamp": "2026-03-17T14:28:24Z",
@@ -1,3 +1,8 @@
// ACL-ERR03
//
// ACL: accept: src=['*'] dst=['autogroup:self']
//
// Expected: Error — dst="autogroup:self": port range "self": invalid first integer
{
"test_id": "ACL-ERR03",
"timestamp": "2026-03-17T14:28:24Z",
@@ -1,3 +1,8 @@
// ACL-ERR04
//
// ACL: accept: src=['tag:nonexistent'] dst=['*:*']
//
// Expected: Error — src=tag not found: "tag:nonexistent"
{
"test_id": "ACL-ERR04",
"timestamp": "2026-03-17T14:28:25Z",
@@ -1,3 +1,8 @@
// ACL-ERR05
//
// ACL: accept: src=['*'] dst=['tag:nonexistent:22']
//
// Expected: Error — dst="tag:nonexistent": tag not found: "tag:nonexistent"
{
"test_id": "ACL-ERR05",
"timestamp": "2026-03-17T14:28:25Z",
@@ -1,3 +1,8 @@
// ACL-ERR06
//
// ACL: deny: src=['tag:client'] dst=['tag:server:22']
//
// Expected: Error — action="deny" is not supported
{
"test_id": "ACL-ERR06",
"timestamp": "2026-03-17T14:28:25Z",
@@ -1,3 +1,8 @@
// ACL-ERR07
//
// ACL: accept: src=['*'] dst=['tag:server:ssh']
//
// Expected: Error — dst="tag:server:ssh": port range "ssh": invalid first integer
{
"test_id": "ACL-ERR07",
"timestamp": "2026-03-17T14:28:29Z",
@@ -1,3 +1,10 @@
// ACL-ERR08
//
// ACLs:
// accept: src=['*'] dst=['autogroup:self:*']
// accept: src=['tag:client'] dst=['autogroup:self:22']
//
// Expected: Error — autogroup:self can only be used with users, groups, or supported autogroups
{
"test_id": "ACL-ERR08",
"timestamp": "2026-03-17T14:28:34Z",
@@ -1,3 +1,10 @@
// ACL-ERR09
//
// ACLs:
// accept: src=['*'] dst=['autogroup:self:*']
// accept: src=['autogroup:tagged'] dst=['autogroup:self:22']
//
// Expected: Error — autogroup:self can only be used with users, groups, or supported autogroups
{
"test_id": "ACL-ERR09",
"timestamp": "2026-03-17T14:28:39Z",
@@ -1,3 +1,8 @@
// ACL-H01
//
// ACL: accept: src=['*'] dst=['webserver:80']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-H01",
"timestamp": "2026-03-17T14:28:44Z",
@@ -1,3 +1,8 @@
// ACL-H02
//
// ACL: accept: src=['webserver'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-H02",
"timestamp": "2026-03-17T14:28:59Z",
@@ -1,3 +1,8 @@
// ACL-H03
//
// ACL: accept: src=['internal'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-H03",
"timestamp": "2026-03-17T14:29:10Z",
@@ -1,3 +1,8 @@
// ACL-H04
//
// ACL: accept: src=['*'] dst=['internal:22']
//
// Expected: Rules on subnet-router
{
"test_id": "ACL-H04",
"timestamp": "2026-03-17T14:29:20Z",
@@ -1,3 +1,8 @@
// ACL-H05
//
// ACL: accept: src=['*'] dst=['webserver:22', 'prodbox:5432']
//
// Expected: Rules on tagged-prod, tagged-server
{
"test_id": "ACL-H05",
"timestamp": "2026-03-17T14:29:31Z",
@@ -1,3 +1,8 @@
// ACL-H06
//
// ACL: accept: src=['webserver', 'tag:client'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-H06",
"timestamp": "2026-03-17T14:29:41Z",
@@ -1,3 +1,8 @@
// ACL-H07
//
// ACL: accept: src=['group:admins'] dst=['webserver:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-H07",
"timestamp": "2026-03-17T14:29:52Z",
@@ -1,3 +1,8 @@
// ACL-H08
//
// ACL: accept: src=['*'] dst=['subnet24:80']
//
// Expected: No filter rules
{
"test_id": "ACL-H08",
"timestamp": "2026-03-17T14:30:02Z",
@@ -1,3 +1,8 @@
// ACL-K01
//
// ACL: accept: src=['*', 'autogroup:member', 'autogroup:tagged', 'group:admins', 'tag:client', 'webserver', '100.90.199.68'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-K01",
"timestamp": "2026-03-17T14:30:13Z",
@@ -1,3 +1,8 @@
// ACL-K02
//
// ACL: accept: src=['tag:client'] dst=['tag:server:22', 'tag:prod:5432', 'webserver:80', 'prodbox:443', 'group:admins:8080', 'kratail2tid@passkey:3000', '100.108.74.26:9000']
//
// Expected: Rules on tagged-prod, tagged-server, user1
{
"test_id": "ACL-K02",
"timestamp": "2026-03-17T14:30:23Z",
@@ -1,3 +1,8 @@
// ACL-K03
//
// ACL: accept: src=['autogroup:member', 'autogroup:tagged', 'group:admins', 'group:developers', 'kratail2tid@passkey', 'tag:client', 'tag:prod', 'tag:server', 'webserver', 'prodbox'] dst=['*:*']
//
// Expected: Rules on 8 of 8 nodes
{
"test_id": "ACL-K03",
"timestamp": "2026-03-17T14:30:34Z",
@@ -1,3 +1,8 @@
// ACL-K04
//
// ACL: accept: src=['*'] dst=['tag:server:22', 'tag:server:80', 'tag:server:443', 'tag:prod:5432', 'tag:prod:3306', 'tag:client:80', 'tag:client:443', 'webserver:8080', 'prodbox:8080']
//
// Expected: Rules on tagged-client, tagged-prod, tagged-server
{
"test_id": "ACL-K04",
"timestamp": "2026-03-17T14:30:44Z",
@@ -1,3 +1,8 @@
// ACL-K05
//
// ACL: accept: src=['autogroup:member', 'group:admins', 'kratail2tid@passkey', 'tag:client', 'tag:prod', '100.83.200.69', '100.103.8.15'] dst=['tag:server:22', 'webserver:80', '100.108.74.26:443', 'group:admins:8080', 'kratail2tid@passkey:9000']
//
// Expected: Rules on tagged-server, user1
{
"test_id": "ACL-K05",
"timestamp": "2026-03-17T14:30:54Z",
@@ -1,3 +1,8 @@
// ACL-M01
//
// ACL: accept: src=['kratail2tid@passkey', 'tag:client', 'group:monitors'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-M01",
"timestamp": "2026-03-17T14:31:05Z",
@@ -1,3 +1,8 @@
// ACL-M02
//
// ACL: accept: src=['100.90.199.68', 'tag:client'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-M02",
"timestamp": "2026-03-17T14:31:15Z",
@@ -1,3 +1,8 @@
// ACL-M03
//
// ACL: accept: src=['webserver', 'tag:client'] dst=['tag:prod:5432']
//
// Expected: Rules on tagged-prod
{
"test_id": "ACL-M03",
"timestamp": "2026-03-17T14:31:26Z",
@@ -1,3 +1,8 @@
// ACL-M04
//
// ACL: accept: src=['group:admins', 'tag:client'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-M04",
"timestamp": "2026-03-17T14:31:36Z",
@@ -1,3 +1,8 @@
// ACL-M05
//
// ACL: accept: src=['kratail2tid@passkey', 'group:monitors'] dst=['tag:server:22']
//
// Expected: Rules on tagged-server
{
"test_id": "ACL-M05",
"timestamp": "2026-03-17T14:31:47Z",

Some files were not shown because too many files have changed in this diff Show More