Split code into modules

This is a massive commit that restructures the code into modules: db/ All functions related to modifying the Database types/ All type definitions and methods that can be exclusivly used on these types without dependencies policy/ All Policy related code, now without dependencies on the Database. policy/matcher/ Dedicated code to match machines in a list of FilterRules Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-10-31 21:17:43 +09:00 · 2023-05-21 19:37:59 +03:00
parent 14e29a7bee
commit feb15365b5
51 changed files with 4677 additions and 4290 deletions
--- a/integration/acl_test.go
+++ b/integration/acl_test.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/policy"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/stretchr/testify/assert"
@@ -45,7 +45,7 @@ var veryLargeDestination = []string{
 	"208.0.0.0/4:*",
 }

-func aclScenario(t *testing.T, policy *hscontrol.ACLPolicy, clientsPerUser int) *Scenario {
+func aclScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Scenario {
 	t.Helper()
 	scenario, err := NewScenario()
 	assert.NoError(t, err)
@@ -92,7 +92,7 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 	// they can access minus one (them self).
 	tests := map[string]struct {
 		users  map[string]int
-		policy hscontrol.ACLPolicy
+		policy policy.ACLPolicy
 		want   map[string]int
 	}{
 		// Test that when we have no ACL, each client netmap has
@@ -102,8 +102,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: hscontrol.ACLPolicy{
-				ACLs: []hscontrol.ACL{
+			policy: policy.ACLPolicy{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
@@ -123,8 +123,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: hscontrol.ACLPolicy{
-				ACLs: []hscontrol.ACL{
+			policy: policy.ACLPolicy{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
@@ -149,8 +149,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: hscontrol.ACLPolicy{
-				ACLs: []hscontrol.ACL{
+			policy: policy.ACLPolicy{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
@@ -186,8 +186,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: hscontrol.ACLPolicy{
-				ACLs: []hscontrol.ACL{
+			policy: policy.ACLPolicy{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
@@ -214,8 +214,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user1": 2,
 				"user2": 2,
 			},
-			policy: hscontrol.ACLPolicy{
-				ACLs: []hscontrol.ACL{
+			policy: policy.ACLPolicy{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
@@ -282,8 +282,8 @@ func TestACLAllowUser80Dst(t *testing.T) {
 	IntegrationSkip(t)

 	scenario := aclScenario(t,
-		&hscontrol.ACLPolicy{
-			ACLs: []hscontrol.ACL{
+		&policy.ACLPolicy{
+			ACLs: []policy.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"user1"},
@@ -338,11 +338,11 @@ func TestACLDenyAllPort80(t *testing.T) {
 	IntegrationSkip(t)

 	scenario := aclScenario(t,
-		&hscontrol.ACLPolicy{
+		&policy.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-acl-test": {"user1", "user2"},
 			},
-			ACLs: []hscontrol.ACL{
+			ACLs: []policy.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"group:integration-acl-test"},
@@ -387,8 +387,8 @@ func TestACLAllowUserDst(t *testing.T) {
 	IntegrationSkip(t)

 	scenario := aclScenario(t,
-		&hscontrol.ACLPolicy{
-			ACLs: []hscontrol.ACL{
+		&policy.ACLPolicy{
+			ACLs: []policy.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"user1"},
@@ -445,8 +445,8 @@ func TestACLAllowStarDst(t *testing.T) {
 	IntegrationSkip(t)

 	scenario := aclScenario(t,
-		&hscontrol.ACLPolicy{
-			ACLs: []hscontrol.ACL{
+		&policy.ACLPolicy{
+			ACLs: []policy.ACL{
 				{
 					Action:       "accept",
 					Sources:      []string{"user1"},
@@ -504,11 +504,11 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 	IntegrationSkip(t)

 	scenario := aclScenario(t,
-		&hscontrol.ACLPolicy{
-			Hosts: hscontrol.Hosts{
+		&policy.ACLPolicy{
+			Hosts: policy.Hosts{
 				"all": netip.MustParsePrefix("100.64.0.0/24"),
 			},
-			ACLs: []hscontrol.ACL{
+			ACLs: []policy.ACL{
 				// Everyone can curl test3
 				{
 					Action:       "accept",
@@ -603,16 +603,16 @@ func TestACLNamedHostsCanReach(t *testing.T) {
 	IntegrationSkip(t)

 	tests := map[string]struct {
-		policy hscontrol.ACLPolicy
+		policy policy.ACLPolicy
 	}{
 		"ipv4": {
-			policy: hscontrol.ACLPolicy{
-				Hosts: hscontrol.Hosts{
+			policy: policy.ACLPolicy{
+				Hosts: policy.Hosts{
 					"test1": netip.MustParsePrefix("100.64.0.1/32"),
 					"test2": netip.MustParsePrefix("100.64.0.2/32"),
 					"test3": netip.MustParsePrefix("100.64.0.3/32"),
 				},
-				ACLs: []hscontrol.ACL{
+				ACLs: []policy.ACL{
 					// Everyone can curl test3
 					{
 						Action:       "accept",
@@ -629,13 +629,13 @@ func TestACLNamedHostsCanReach(t *testing.T) {
 			},
 		},
 		"ipv6": {
-			policy: hscontrol.ACLPolicy{
-				Hosts: hscontrol.Hosts{
+			policy: policy.ACLPolicy{
+				Hosts: policy.Hosts{
 					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
 					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
 					"test3": netip.MustParsePrefix("fd7a:115c:a1e0::3/128"),
 				},
-				ACLs: []hscontrol.ACL{
+				ACLs: []policy.ACL{
 					// Everyone can curl test3
 					{
 						Action:       "accept",
@@ -854,11 +854,11 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 	IntegrationSkip(t)

 	tests := map[string]struct {
-		policy hscontrol.ACLPolicy
+		policy policy.ACLPolicy
 	}{
 		"ipv4": {
-			policy: hscontrol.ACLPolicy{
-				ACLs: []hscontrol.ACL{
+			policy: policy.ACLPolicy{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"100.64.0.1"},
@@ -868,8 +868,8 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"ipv6": {
-			policy: hscontrol.ACLPolicy{
-				ACLs: []hscontrol.ACL{
+			policy: policy.ACLPolicy{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"fd7a:115c:a1e0::1"},
@@ -879,12 +879,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"hostv4cidr": {
-			policy: hscontrol.ACLPolicy{
-				Hosts: hscontrol.Hosts{
+			policy: policy.ACLPolicy{
+				Hosts: policy.Hosts{
 					"test1": netip.MustParsePrefix("100.64.0.1/32"),
 					"test2": netip.MustParsePrefix("100.64.0.2/32"),
 				},
-				ACLs: []hscontrol.ACL{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
@@ -894,12 +894,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"hostv6cidr": {
-			policy: hscontrol.ACLPolicy{
-				Hosts: hscontrol.Hosts{
+			policy: policy.ACLPolicy{
+				Hosts: policy.Hosts{
 					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
 					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
 				},
-				ACLs: []hscontrol.ACL{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
@@ -909,12 +909,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
 			},
 		},
 		"group": {
-			policy: hscontrol.ACLPolicy{
+			policy: policy.ACLPolicy{
 				Groups: map[string][]string{
 					"group:one": {"user1"},
 					"group:two": {"user2"},
 				},
-				ACLs: []hscontrol.ACL{
+				ACLs: []policy.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"group:one"},