add support for sshTests (#30)

nitper · web-flow · commit 6197dea6024d · 2025-05-27T17:06:23.000-07:00
https://tailscale.com/kb/1337/policy-syntax#sshtests
diff --git a/Makefile b/Makefile
@@ -5,4 +5,4 @@ testdata:
 		-f testdata/input-parent.hujson \
 		-d testdata/departments/ \
 		-o testdata/output-file-to-compare-to.hujson \
-		-allow=acls,autoApprovers,grants,groups,ipsets,ssh,tests
+		-allow=acls,autoApprovers,grants,groups,ipsets,ssh,tests,sshTests
diff --git a/main.go b/main.go
@@ -36,6 +36,7 @@ var (
 		"ssh":             handleArray(),
 		"tagOwners":       handleObject(),
 		"tests":           handleArray(),
+		"sshTests":        handleArray(),
 		"hosts":           handleObject(),
 	}
 )
diff --git a/testdata/departments/engineering/acls.json b/testdata/departments/engineering/acls.json
@@ -2,15 +2,24 @@
 	"acls": [
 		{
 			"action": "accept",
-			"src": [
-				"engineering@example.com"
-			],
-			"dst": [
-				"tag:json-rule:22"
-			],
-			"srcPosture": [
-				"posture:latestMac"
-			]
+			"src": ["engineering@example.com"],
+			"dst": ["tag:json-rule:22"],
+			"srcPosture": ["posture:latestMac"]
+		}
+	],
+	"ssh": [
+		{
+			"action": "accept",
+			"src": ["engineering@example.com"],
+			"dst": ["autogroup:self"],
+			"users": ["root", "autogroup:nonroot"]
+		}
+	],
+	"sshTests": [
+		{
+			"src": ["engineering@example.com"],
+			"dst": ["autogroup:self"],
+			"accept": ["root", "autogroup:nonroot"]
 		}
 	]
 }
diff --git a/testdata/input-parent.hujson b/testdata/input-parent.hujson
@@ -56,6 +56,14 @@
 		},
 	],
 
+	"sshTests": [
+		{
+			"src":    ["autogroup:member"],
+			"dst":    ["autogroup:self"],
+			"accept":  ["root", "autogroup:nonroot"],
+		},
+	],
+
 	"tagOwners": {
 		"tag:parent": [],
 		"tag:user1": [
diff --git a/testdata/output-file-to-compare-to.hujson b/testdata/output-file-to-compare-to.hujson
@@ -152,6 +152,13 @@
       "dst":    ["autogroup:self"],
       "users":  ["root", "autogroup:nonroot"],
     },
+    // from `testdata/departments/engineering/acls.json`
+    {
+      "action": "accept",
+      "src":    ["engineering@example.com"],
+      "dst":    ["autogroup:self"],
+      "users":  ["root", "autogroup:nonroot"],
+    },
     // from `testdata/departments/finance/ssh.hujson`
     {
       "action": "accept",
@@ -167,6 +174,21 @@
     },
   ],
 
+  "sshTests": [
+    // from `testdata/input-parent.hujson`
+    {
+      "src":    ["autogroup:member"],
+      "dst":    ["autogroup:self"],
+      "accept": ["root", "autogroup:nonroot"],
+    },
+    // from `testdata/departments/engineering/acls.json`
+    {
+      "src":    ["engineering@example.com"],
+      "dst":    ["autogroup:self"],
+      "accept": ["root", "autogroup:nonroot"],
+    },
+  ],
+
   "tagOwners": {
     // from `testdata/input-parent.hujson`
     "tag:parent": [],

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ var (`
`36`	`36`	`"ssh": handleArray(),`
`37`	`37`	`"tagOwners": handleObject(),`
`38`	`38`	`"tests": handleArray(),`
	`39`	`+ "sshTests": handleArray(),`
`39`	`40`	`"hosts": handleObject(),`
`40`	`41`	`}`
`41`	`42`	`)`