I have an issue with surprising ACL test failures. I have the following policy:
  "acls": [
    { "action": "accept", "users": ["tag:personal"], "ports": ["*:*"] },
  ],
  "hosts": {
    "laptop": "100.1.1.1",
  },
  "tests": [
    {
      "user": "tag:location",
      "allow": [],
      "deny": ["laptop:443"],
    },
  ]
the following machines:
  laptop: [tag:personal]
  server: [tag:personal, tag:location]
and this test fails when server has tag:personal and passes when I untag it. That implies to me that the tests are somehow testing using other tags when testing tag:location.
Having the tests depend on the existing machines (when I don't refer to that specific machine) feels unexpected. When I write a test like this, I want to test my rules about tag:location. This test should fail, because having tag:location isn't enough to open a connection to laptop:443. It's unrelated that a host tagged with tag:location also has tag:personal, which allows it to open the connection.
Otherwise, what's the point of tests using "user": "tag:..."? I obviously want server to be able to do the things I tagged it to do; the other tags on the hosts under test should be irrelevant for "user": "tag:...". This makes such a test useless anytime there is more than one tag involved on a machine.
Furthermore, this is the current policy, which fails when it's saved again because server was added after the policy was saved initially. This feels odd: shouldn't a failure introduced by adding a machine either prevent the machine from being tagged, or raise a notification, or be surfaced somehow?
What can I do here?
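As an added example (not from the original post and not Tailscale's own code), here is a small Python model of the two candidate test semantics for the policy above: the tested tag evaluated on its own, versus every machine carrying that tag evaluated with all of its tags. The rule matcher, the machine list and the failure messages are simplified assumptions made for this illustration.

```python
# Constructed model of the ACL-test behaviour described in the post above.
# Assumption: not Tailscale's implementation, only a minimal evaluator for
# "accept" rules with tag-based users and "host:port" / "*:*" destinations.

POLICY = {
    "acls": [{"action": "accept", "users": ["tag:personal"], "ports": ["*:*"]}],
    "hosts": {"laptop": "100.1.1.1"},
    "tests": [{"user": "tag:location", "allow": [], "deny": ["laptop:443"]}],
}

# Constructed machine inventory matching the post (tags per machine).
MACHINES = {"laptop": ["tag:personal"], "server": ["tag:personal", "tag:location"]}


def allowed(src_tags, dst):
    """True if any accept rule lets a source with src_tags reach dst ('host:port')."""
    host, port = dst.rsplit(":", 1)
    for rule in POLICY["acls"]:
        if rule["action"] != "accept" or not set(rule["users"]) & set(src_tags):
            continue
        for spec in rule["ports"]:
            spec_host, spec_port = spec.rsplit(":", 1)
            if spec_host in ("*", host) and spec_port in ("*", port):
                return True
    return False


def run_tests(machines, isolate_tag):
    """Evaluate POLICY['tests']; return {tested_user: [failure messages]}.

    isolate_tag=True:  the tested tag is checked alone (what the post expects).
    isolate_tag=False: each machine carrying the tested tag is checked with all
                       of its tags (what the post observed).
    """
    results = {}
    for test in POLICY["tests"]:
        tag = test["user"]
        sources = [[tag]] if isolate_tag else [t for t in machines.values() if tag in t]
        failures = []
        for src in sources:
            failures += [f"allow {d} failed for {src}" for d in test["allow"] if not allowed(src, d)]
            failures += [f"deny {d} failed for {src}" for d in test["deny"] if allowed(src, d)]
        results[tag] = failures
    return results
```

Running `run_tests(MACHINES, isolate_tag=False)` reproduces the failure from the post, and removing tag:personal from server makes it pass, while `isolate_tag=True` passes either way.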