authorizer,server: update PeerCaps to ACL grants

Now that ACL grants have been launched publicly, update the names of these functions to match the preferred terminology. Leave authorizer.PeerCaps as a temporary migration shim for now. Signed-off-by: M. J. Fromberger <[email protected]>
tailscale · Dec 16, 2023 · 51483e0 · 51483e0
1 parent 75c9717
commit 51483e0
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 17 deletions.
diff --git a/authorizer/authorizer_test.go b/authorizer/authorizer_test.go
@@ -11,14 +11,16 @@ import (
 	"tailscale.com/tailcfg"
 )
 
+const tailsqlCap = "tailscale.com/cap/tailsql"
+
 var (
 	taggedNode = &apitype.WhoIsResponse{
 		Node: &tailcfg.Node{Name: "fake.ts.net", Tags: []string{"tag:special"}},
 		UserProfile: &tailcfg.UserProfile{
 			ID: 1, LoginName: "[email protected]", DisplayName: "Some P. User",
 		},
 		CapMap: tailcfg.PeerCapMap{
-			"https://tailscale.com/cap/tailsql": []tailcfg.RawMessage{
+			tailsqlCap: []tailcfg.RawMessage{
 				`{"src":["main","alt"]}`,
 			},
 		},
@@ -29,15 +31,15 @@ var (
 			ID: 1, LoginName: "[email protected]", DisplayName: "Some P. User",
 		},
 		CapMap: tailcfg.PeerCapMap{
-			"https://tailscale.com/cap/tailsql": []tailcfg.RawMessage{
+			tailsqlCap: []tailcfg.RawMessage{
 				`{"src":["main"]}`,
 			},
 		},
 	}
 )
 
-func TestPeerCaps(t *testing.T) {
-	auth := authorizer.PeerCaps(t.Logf)
+func TestACLGrants(t *testing.T) {
+	auth := authorizer.ACLGrants(t.Logf)
 	tests := []struct {
 		src string
 		rsp *apitype.WhoIsResponse

diff --git a/authorizer/peercaps.go b/authorizer/peercaps.go
@@ -15,15 +15,17 @@ import (
 
 // tailsqlCap is the default name of the tailsql capability.
 const tailsqlCap = "tailscale.com/cap/tailsql"
-const tailsqlCapHTTP = "https://" + tailsqlCap
 
-// PeerCaps returns an authorization function that uses peer capabilities from
-// the tailnet to check access for query sources.
-// If logf == nil, logs are sent to log.Printf.
-//
-// TODO(creachadair): As of 10-Aug-2023 peer capabilities are an experimental
-// feature that only works on tailnets where enaled.
+// PeerCaps is a temporary migration alias for ACLGrants.
+// Deprecated: Use ACLGrants directly for new code.
 func PeerCaps(logf logger.Logf) func(string, *apitype.WhoIsResponse) error {
+	return ACLGrants(logf)
+}
+
+// ACLGrants returns an authorization function that uses ACL grants from the
+// tailnet to check access for query sources.
+// If logf == nil, logs are sent to log.Printf.
+func ACLGrants(logf logger.Logf) func(string, *apitype.WhoIsResponse) error {
 	if logf == nil {
 		logf = log.Printf
 	}
@@ -45,7 +47,7 @@ func PeerCaps(logf logger.Logf) func(string, *apitype.WhoIsResponse) error {
 		// result without the prefix, try again with it. Remove this once the
 		// policy has been updated on the server side.
 		if err == nil && len(rules) == 0 {
-			rules, err = tailcfg.UnmarshalCapJSON[rule](who.CapMap, tailsqlCapHTTP)
+			rules, err = tailcfg.UnmarshalCapJSON[rule](who.CapMap, "https://"+tailsqlCap)
 		}
 		if err != nil || len(rules) == 0 {
 			return errors.New("not authorized for access tailsql")

diff --git a/server/tailsql/internal_test.go b/server/tailsql/internal_test.go
@@ -76,7 +76,7 @@ func TestOptions(t *testing.T) {
 	if diff := cmp.Diff(want, opts); diff != "" {
 		t.Errorf("Parsed options (-want, +got)\n%s", diff)
 	}
-	opts.Authorize = authorizer.PeerCaps(nil)
+	opts.Authorize = authorizer.ACLGrants(nil)
 
 	// Test that we can populate options from the config.
 	t.Run("Options", func(t *testing.T) {
@@ -96,6 +96,8 @@ func TestOptions(t *testing.T) {
 
 	// Test that the authorizer works.
 	t.Run("Authorize", func(t *testing.T) {
+		const tailsqlCap = "tailscale.com/cap/tailsql"
+
 		admin := &apitype.WhoIsResponse{
 			Node: new(tailcfg.Node), // must be non-nil in a valid response
 			UserProfile: &tailcfg.UserProfile{

diff --git a/server/tailsql/options.go b/server/tailsql/options.go
@@ -199,8 +199,6 @@ func (o Options) logf() logger.Logf {
 	return o.Logf
 }
 
-const tailsqlCap = "https://tailscale.com/cap/tailsql"
-
 // authorize returns an authorization callback based on the Access field of o.
 func (o Options) authorize() func(src string, who *apitype.WhoIsResponse) error {
 	if o.Authorize != nil {

diff --git a/server/tailsql/tailsql_test.go b/server/tailsql/tailsql_test.go
@@ -183,7 +183,7 @@ func TestServer(t *testing.T) {
 			DisplayName: "some user",
 		},
 		CapMap: tailcfg.PeerCapMap{
-			"https://tailscale.com/cap/tailsql": []tailcfg.RawMessage{
+			"tailscale.com/cap/tailsql": []tailcfg.RawMessage{
 				`{"src":["*"]}`,
 			},
 		},
@@ -195,7 +195,7 @@ func TestServer(t *testing.T) {
 			{Anchor: testAnchor, URL: testURL},
 		},
 		UIRewriteRules: testUIRules,
-		Authorize:      authorizer.PeerCaps(nil),
+		Authorize:      authorizer.ACLGrants(nil),
 		QueryContext: func(ctx context.Context, src, query string) context.Context {
 			contextHookData[0] = src
 			contextHookData[1] = query