feat: enforce isolation between WonderNets with empty ACL policy#87
Merged
Switch from autogroup:self ACL policy (allows all traffic) to empty policy (deny all by default) to enforce network isolation between different users' WonderNets.

Add E2E isolation test that verifies:
- API isolation: users see only their own nodes
- Network isolation: workers from different WonderNets cannot communicate

Closes #84
Use SetWonderNetIsolationPolicy instead of SetEmptyPolicy to preserve connectivity for already-joined workers after coordinator restart.
Add a new GitHub Actions job that runs the isolation E2E tests to verify that nodes in different WonderNets cannot communicate with each other.
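As an added illustration, not code from this PR or the project, of why an empty headscale ACL policy denies all traffic while a per-user isolation policy keeps each WonderNet's own nodes reachable: a small Go evaluator over the ACL document shape. The "name@" user spelling, the one-rule-per-user layout and the evaluator's matching are assumptions and are not the project's SetWonderNetIsolationPolicy.

```go
package main

import "fmt"

// ACLRule and Policy mirror the shape of a headscale/Tailscale ACL document.
// A Policy with no rules accepts nothing: that is the deny-all default.
type ACLRule struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}
type Policy struct{ ACLs []ACLRule `json:"acls"` }

// IsolationPolicy adds one accept rule per WonderNet owner (a headscale user,
// assumed here to be spelled "name@") so only that owner's nodes reach each other.
func IsolationPolicy(users []string) Policy {
	p := Policy{ACLs: []ACLRule{}}
	for _, u := range users {
		p.ACLs = append(p.ACLs, ACLRule{Action: "accept", Src: []string{u}, Dst: []string{u + ":*"}})
	}
	return p
}

// anyMatch reports whether some entry covers the user. Only user entries and the
// "*" wildcard, each with an optional ":*" port suffix, are understood here.
func anyMatch(entries []string, user string) bool {
	for _, e := range entries {
		if e == "*" || e == "*:*" || e == user || e == user+":*" {
			return true
		}
	}
	return false
}

// Allowed returns true only if some accept rule covers the source owner in
// src and the destination owner in dst; an empty policy never returns true.
func Allowed(p Policy, srcUser, dstUser string) bool {
	for _, r := range p.ACLs {
		if r.Action == "accept" && anyMatch(r.Src, srcUser) && anyMatch(r.Dst, dstUser) {
			return true
		}
	}
	return false
}

func main() {
	p := IsolationPolicy([]string{"alice@", "bob@"})
	fmt.Println(Allowed(p, "alice@", "alice@"), Allowed(p, "alice@", "bob@")) // true false
}
```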
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
pkg/headscale/acl.go:100
- The functions GenerateEmptyPolicy and SetEmptyPolicy are not used anywhere in the codebase. The actual implementation uses SetWonderNetIsolationPolicy which generates proper isolation rules. These functions appear to be dead code that should either be removed or properly integrated if they serve a future purpose.
```go
// SetEmptyPolicy sets an empty ACL policy (deny all by default, isolation enforced)
func (am *ACLManager) SetEmptyPolicy(ctx context.Context) error {
	am.mu.Lock()
	defer am.mu.Unlock()
	policy := GenerateEmptyPolicy()
	policyJSON, err := json.Marshal(policy)
	if err != nil {
		return fmt.Errorf("marshal policy: %w", err)
	}
	_, err = am.client.SetPolicy(ctx, &v1.SetPolicyRequest{Policy: string(policyJSON)})
	return err
}
```
Remove unused functions superseded by the meshBackend interface:
- WonderNetManager.GetWonderNetNodes, GetNode, DeleteNode
- ACLManager.SetEmptyPolicy and GenerateEmptyPolicy

These methods were legacy implementations from before the meshBackend abstraction layer was introduced. The codebase now uses the abstracted versions in pkg/meshbackend/tailscale.
Summary
- Switch from `autogroup:self` ACL policy (which allows all traffic with `*:*`) to empty policy (deny all by default) to enforce network isolation between different users' WonderNets
- Add E2E isolation test (`e2e/test-isolation.sh`) that verifies both API and network isolation
- Closes #84

Test plan
- Run `./e2e/test-isolation.sh` to verify isolation works
- `/coordinator/api/v1/nodes`