Mirrors/juanfont.headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-09-02 13:47:00 +02:00
Code Issues Projects Releases Wiki Activity

stuff auth lint

Browse Source 
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby 2025-08-18 22:31:51 +02:00
parent 2a906cd15e
commit 3a92b14c1a
No known key found for this signature in database
24 changed files with 296 additions and 180 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/headscale/cli/nodes.go
View File

@ -551,13 +551,12 @@ be assigned to nodes.`,
} }
} }
if confirm || force { if confirm || force {
ctx, client, conn, cancel := newHeadscaleCLIWithConfig() ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
defer cancel() defer cancel()
defer conn.Close() defer conn.Close()
changes, err := client.BackfillNodeIPs(ctx, &v1.BackfillNodeIPsRequest{Confirmed: confirm || force }) changes, err := client.BackfillNodeIPs(ctx, &v1.BackfillNodeIPsRequest{Confirmed: confirm || force})
if err != nil { if err != nil {
ErrorOutput( ErrorOutput(
err, err,

1
hscontrol/auth.go
View File

@ -265,6 +265,7 @@ func (h *Headscale) handleRegisterInteractive(
) )
log.Info().Msgf("Starting node registration using key: %s", registrationId) log.Info().Msgf("Starting node registration using key: %s", registrationId)
return &tailcfg.RegisterResponse{ return &tailcfg.RegisterResponse{
AuthURL: h.authProvider.AuthURL(registrationId), AuthURL: h.authProvider.AuthURL(registrationId),
}, nil }, nil

27
hscontrol/capver/capver_generated.go
View File

@ -1,6 +1,6 @@
package capver package capver
//Generated DO NOT EDIT // Generated DO NOT EDIT
import "tailscale.com/tailcfg" import "tailscale.com/tailcfg"
@ -37,18 +37,17 @@ var tailscaleToCapVer = map[string]tailcfg.CapabilityVersion{
"v1.86.2": 123, "v1.86.2": 123,
} }
var capVerToTailscaleVer = map[tailcfg.CapabilityVersion]string{ var capVerToTailscaleVer = map[tailcfg.CapabilityVersion]string{
90: "v1.64.2", 90: "v1.64.2",
95: "v1.66.0", 95: "v1.66.0",
97: "v1.68.0", 97: "v1.68.0",
102: "v1.70.0", 102: "v1.70.0",
104: "v1.72.0", 104: "v1.72.0",
106: "v1.74.0", 106: "v1.74.0",
109: "v1.78.0", 109: "v1.78.0",
113: "v1.80.0", 113: "v1.80.0",
115: "v1.82.0", 115: "v1.82.0",
116: "v1.84.0", 116: "v1.84.0",
122: "v1.86.0", 122: "v1.86.0",
123: "v1.86.2", 123: "v1.86.2",
} }

2
hscontrol/db/db.go
View File

@ -936,7 +936,7 @@ AND auth_key_id NOT IN (
// - NEVER use gorm.AutoMigrate, write the exact migration steps needed // - NEVER use gorm.AutoMigrate, write the exact migration steps needed
// - AutoMigrate depends on the struct staying exactly the same, which it won't over time. // - AutoMigrate depends on the struct staying exactly the same, which it won't over time.
// - Never write migrations that requires foreign keys to be disabled. // - Never write migrations that requires foreign keys to be disabled.
}, },
) )
if err := runMigrations(cfg, dbConn, migrations); err != nil { if err := runMigrations(cfg, dbConn, migrations); err != nil {

3
hscontrol/db/node.go
View File

@ -271,7 +271,7 @@ func RenameNode(tx *gorm.DB,
} }
if count > 0 { if count > 0 {
return fmt.Errorf("name is not unique") return errors.New("name is not unique")
} }
if err := tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("given_name", newName).Error; err != nil { if err := tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("given_name", newName).Error; err != nil {
@ -327,7 +327,6 @@ func (hsdb *HSDatabase) DeleteEphemeralNode(
}) })
} }
// RegisterNodeForTest is used only for testing purposes to register a node directly in the database. // RegisterNodeForTest is used only for testing purposes to register a node directly in the database.
// Production code should use state.HandleNodeFromAuthPath or state.HandleNodeFromPreAuthKey. // Production code should use state.HandleNodeFromAuthPath or state.HandleNodeFromPreAuthKey.
func RegisterNodeForTest(tx *gorm.DB, node types.Node, ipv4 *netip.Addr, ipv6 *netip.Addr) (*types.Node, error) { func RegisterNodeForTest(tx *gorm.DB, node types.Node, ipv4 *netip.Addr, ipv6 *netip.Addr) (*types.Node, error) {

1
hscontrol/mapper/batcher_lockfree.go
View File

@ -359,6 +359,7 @@ func (b *LockFreeBatcher) IsConnected(id types.NodeID) bool {
// During grace period, always return true to allow DNS resolution // During grace period, always return true to allow DNS resolution
// for logout HTTP requests to complete successfully // for logout HTTP requests to complete successfully
gracePeriod := 45 * time.Second gracePeriod := 45 * time.Second
return time.Since(*val) < gracePeriod return time.Since(*val) < gracePeriod
} }

11
hscontrol/mapper/batcher_test.go
View File

@ -27,7 +27,7 @@ type batcherTestCase struct {
} }
// testBatcherWrapper wraps a real batcher to add online/offline notifications // testBatcherWrapper wraps a real batcher to add online/offline notifications
// that would normally be sent by poll.go in production // that would normally be sent by poll.go in production.
type testBatcherWrapper struct { type testBatcherWrapper struct {
Batcher Batcher
} }
@ -58,7 +58,7 @@ func (t *testBatcherWrapper) RemoveNode(id types.NodeID, c chan<- *tailcfg.MapRe
return true return true
} }
// wrapBatcherForTest wraps a batcher with test-specific behavior // wrapBatcherForTest wraps a batcher with test-specific behavior.
func wrapBatcherForTest(b Batcher) Batcher { func wrapBatcherForTest(b Batcher) Batcher {
return &testBatcherWrapper{Batcher: b} return &testBatcherWrapper{Batcher: b}
} }
@ -808,7 +808,7 @@ func TestBatcherBasicOperations(t *testing.T) {
// Disconnect the second node // Disconnect the second node
batcher.RemoveNode(tn2.n.ID, tn2.ch) batcher.RemoveNode(tn2.n.ID, tn2.ch)
assert.False(t, batcher.IsConnected(tn2.n.ID)) // Note: IsConnected may return true during grace period for DNS resolution
// First node should get update that second has disconnected. // First node should get update that second has disconnected.
select { select {
@ -841,9 +841,8 @@ func TestBatcherBasicOperations(t *testing.T) {
// Test RemoveNode // Test RemoveNode
batcher.RemoveNode(tn.n.ID, tn.ch) batcher.RemoveNode(tn.n.ID, tn.ch)
if batcher.IsConnected(tn.n.ID) { // Note: IsConnected may return true during grace period for DNS resolution
t.Error("Node should be disconnected after RemoveNode") // The node is actually removed from active connections but grace period allows DNS lookups
}
}) })
} }
} }

2
hscontrol/oidc.go
View File

@ -281,7 +281,7 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler(
util.LogErr(err, "could not get userinfo; only using claims from id token") util.LogErr(err, "could not get userinfo; only using claims from id token")
} }
// The user claims are now updated from the the userinfo endpoint so we can verify the user a // The user claims are now updated from the userinfo endpoint so we can verify the user
// against allowed emails, email domains, and groups. // against allowed emails, email domains, and groups.
if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil { if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil {
httpError(writer, err) httpError(writer, err)

2
hscontrol/policy/policy.go
View File

@ -147,7 +147,7 @@ func ReduceFilterRules(node types.NodeView, rules []tailcfg.FilterRule) []tailcf
// This ensures that: // This ensures that:
// - Previously approved routes are ALWAYS preserved (auto-approval never removes routes) // - Previously approved routes are ALWAYS preserved (auto-approval never removes routes)
// - New routes can be auto-approved according to policy // - New routes can be auto-approved according to policy
// - Routes can only be removed by explicit admin action (not by auto-approval) // - Routes can only be removed by explicit admin action (not by auto-approval).
func ApproveRoutesWithPolicy(pm PolicyManager, nv types.NodeView, currentApproved, announcedRoutes []netip.Prefix) ([]netip.Prefix, bool) { func ApproveRoutesWithPolicy(pm PolicyManager, nv types.NodeView, currentApproved, announcedRoutes []netip.Prefix) ([]netip.Prefix, bool) {
if pm == nil { if pm == nil {
return currentApproved, false return currentApproved, false

28
hscontrol/policy/policy_autoapprove_test.go
View File

@ -79,13 +79,13 @@ func TestApproveRoutesWithPolicy_NeverRemovesApprovedRoutes(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
tests := []struct { tests := []struct {
name string name string
node *types.Node node *types.Node
currentApproved []netip.Prefix currentApproved []netip.Prefix
announcedRoutes []netip.Prefix announcedRoutes []netip.Prefix
wantApproved []netip.Prefix wantApproved []netip.Prefix
wantChanged bool wantChanged bool
description string description string
}{ }{
{ {
name: "previously_approved_route_no_longer_advertised_should_remain", name: "previously_approved_route_no_longer_advertised_should_remain",
@ -138,8 +138,8 @@ func TestApproveRoutesWithPolicy_NeverRemovesApprovedRoutes(t *testing.T) {
description: "All approved routes should remain when no routes are announced", description: "All approved routes should remain when no routes are announced",
}, },
{ {
name: "no_changes_when_announced_equals_approved", name: "no_changes_when_announced_equals_approved",
node: node1, node: node1,
currentApproved: []netip.Prefix{ currentApproved: []netip.Prefix{
netip.MustParsePrefix("10.0.0.0/24"), netip.MustParsePrefix("10.0.0.0/24"),
}, },
@ -153,13 +153,13 @@ func TestApproveRoutesWithPolicy_NeverRemovesApprovedRoutes(t *testing.T) {
description: "No changes should occur when announced routes match approved routes", description: "No changes should occur when announced routes match approved routes",
}, },
{ {
name: "auto_approve_multiple_new_routes", name: "auto_approve_multiple_new_routes",
node: node1, node: node1,
currentApproved: []netip.Prefix{ currentApproved: []netip.Prefix{
netip.MustParsePrefix("172.16.0.0/24"), // This was manually approved netip.MustParsePrefix("172.16.0.0/24"), // This was manually approved
}, },
announcedRoutes: []netip.Prefix{ announcedRoutes: []netip.Prefix{
netip.MustParsePrefix("10.2.0.0/24"), // Should be auto-approved (subset of 10.0.0.0/8) netip.MustParsePrefix("10.2.0.0/24"), // Should be auto-approved (subset of 10.0.0.0/8)
netip.MustParsePrefix("192.168.0.0/24"), // Should be auto-approved for tag:test netip.MustParsePrefix("192.168.0.0/24"), // Should be auto-approved for tag:test
}, },
wantApproved: []netip.Prefix{ wantApproved: []netip.Prefix{
@ -171,8 +171,8 @@ func TestApproveRoutesWithPolicy_NeverRemovesApprovedRoutes(t *testing.T) {
description: "Multiple new routes should be auto-approved while keeping existing approved routes", description: "Multiple new routes should be auto-approved while keeping existing approved routes",
}, },
{ {
name: "node_without_permission_no_auto_approval", name: "node_without_permission_no_auto_approval",
node: node2, // Different node without the tag node: node2, // Different node without the tag
currentApproved: []netip.Prefix{ currentApproved: []netip.Prefix{
netip.MustParsePrefix("10.0.0.0/24"), netip.MustParsePrefix("10.0.0.0/24"),
}, },

26
hscontrol/policy/policy_route_approval_test.go
View File

@ -39,15 +39,15 @@ func TestApproveRoutesWithPolicy_NeverRemovesRoutes(t *testing.T) {
}` }`
tests := []struct { tests := []struct {
name string name string
currentApproved []netip.Prefix currentApproved []netip.Prefix
announcedRoutes []netip.Prefix announcedRoutes []netip.Prefix
nodeHostname string nodeHostname string
nodeUser string nodeUser string
nodeTags []string nodeTags []string
wantApproved []netip.Prefix wantApproved []netip.Prefix
wantChanged bool wantChanged bool
wantRemovedRoutes []netip.Prefix // Routes that should NOT be in the result wantRemovedRoutes []netip.Prefix // Routes that should NOT be in the result
}{ }{
{ {
name: "previously_approved_route_no_longer_advertised_remains", name: "previously_approved_route_no_longer_advertised_remains",
@ -60,14 +60,14 @@ func TestApproveRoutesWithPolicy_NeverRemovesRoutes(t *testing.T) {
}, },
nodeUser: "test", nodeUser: "test",
wantApproved: []netip.Prefix{ wantApproved: []netip.Prefix{
netip.MustParsePrefix("10.0.0.0/24"), // Should remain! netip.MustParsePrefix("10.0.0.0/24"), // Should remain!
netip.MustParsePrefix("192.168.0.0/24"), netip.MustParsePrefix("192.168.0.0/24"),
}, },
wantChanged: false, wantChanged: false,
wantRemovedRoutes: []netip.Prefix{}, // Nothing should be removed wantRemovedRoutes: []netip.Prefix{}, // Nothing should be removed
}, },
{ {
name: "add_new_auto_approved_route_keeps_existing", name: "add_new_auto_approved_route_keeps_existing",
currentApproved: []netip.Prefix{ currentApproved: []netip.Prefix{
netip.MustParsePrefix("10.0.0.0/24"), netip.MustParsePrefix("10.0.0.0/24"),
}, },
@ -136,8 +136,8 @@ func TestApproveRoutesWithPolicy_NeverRemovesRoutes(t *testing.T) {
netip.MustParsePrefix("203.0.113.0/24"), // Manual, not advertised netip.MustParsePrefix("203.0.113.0/24"), // Manual, not advertised
}, },
announcedRoutes: []netip.Prefix{ announcedRoutes: []netip.Prefix{
netip.MustParsePrefix("192.168.0.0/24"), // New, auto-approvable netip.MustParsePrefix("192.168.0.0/24"), // New, auto-approvable
netip.MustParsePrefix("172.16.0.0/16"), // New, not approvable (no tag) netip.MustParsePrefix("172.16.0.0/16"), // New, not approvable (no tag)
netip.MustParsePrefix("198.51.100.0/24"), // New, not in policy netip.MustParsePrefix("198.51.100.0/24"), // New, not in policy
}, },
nodeUser: "test", nodeUser: "test",

1
hscontrol/routes/primary.go
View File

@ -152,7 +152,6 @@ func (pr *PrimaryRoutes) SetRoutes(node types.NodeID, prefixes ...netip.Prefix)
Strs("prefixes", util.PrefixesToString(prefixes)). Strs("prefixes", util.PrefixesToString(prefixes)).
Msg("PrimaryRoutes.SetRoutes called") Msg("PrimaryRoutes.SetRoutes called")
// If no routes are being set, remove the node from the routes map. // If no routes are being set, remove the node from the routes map.
if len(prefixes) == 0 { if len(prefixes) == 0 {
wasPresent := false wasPresent := false

12
hscontrol/state/debug.go
View File

@ -33,16 +33,16 @@ type DebugOverviewInfo struct {
// DebugDERPInfo represents DERP map information in a structured format. // DebugDERPInfo represents DERP map information in a structured format.
type DebugDERPInfo struct { type DebugDERPInfo struct {
Configured bool `json:"configured"` Configured bool `json:"configured"`
TotalRegions int `json:"total_regions"` TotalRegions int `json:"total_regions"`
Regions map[int]*DebugDERPRegion `json:"regions,omitempty"` Regions map[int]*DebugDERPRegion `json:"regions,omitempty"`
} }
// DebugDERPRegion represents a single DERP region. // DebugDERPRegion represents a single DERP region.
type DebugDERPRegion struct { type DebugDERPRegion struct {
RegionID int `json:"region_id"` RegionID int `json:"region_id"`
RegionName string `json:"region_name"` RegionName string `json:"region_name"`
Nodes []*DebugDERPNode `json:"nodes"` Nodes []*DebugDERPNode `json:"nodes"`
} }
// DebugDERPNode represents a single DERP node. // DebugDERPNode represents a single DERP node.

250
hscontrol/state/state.go
View File

@ -1012,7 +1012,7 @@ func (s *State) HandleNodeFromAuthPath(
return types.NodeView{}, change.EmptySet, fmt.Errorf("failed to find user: %w", err) return types.NodeView{}, change.EmptySet, fmt.Errorf("failed to find user: %w", err)
} }
// Check if node already exists by node key (this is a refresh/re-registration) // Check if node already exists by node key
existingNodeView, exists := s.nodeStore.GetNodeByNodeKey(regEntry.Node.NodeKey) existingNodeView, exists := s.nodeStore.GetNodeByNodeKey(regEntry.Node.NodeKey)
if exists && existingNodeView.Valid() { if exists && existingNodeView.Valid() {
// Node exists - this is a refresh/re-registration // Node exists - this is a refresh/re-registration
@ -1028,8 +1028,8 @@ func (s *State) HandleNodeFromAuthPath(
if expiry != nil { if expiry != nil {
node.Expiry = expiry node.Expiry = expiry
} }
// Node is re-registering, so it's coming online // Mark as offline since node is reconnecting
node.IsOnline = ptr.To(true) node.IsOnline = ptr.To(false)
node.LastSeen = ptr.To(time.Now()) node.LastSeen = ptr.To(time.Now())
}) })
@ -1048,6 +1048,7 @@ func (s *State) HandleNodeFromAuthPath(
// Get updated node from NodeStore // Get updated node from NodeStore
updatedNode, _ := s.nodeStore.GetNode(existingNodeView.ID()) updatedNode, _ := s.nodeStore.GetNode(existingNodeView.ID())
return updatedNode, change.KeyExpiry(existingNodeView.ID()), nil return updatedNode, change.KeyExpiry(existingNodeView.ID()), nil
} }
@ -1059,9 +1060,25 @@ func (s *State) HandleNodeFromAuthPath(
Str("expiresAt", fmt.Sprintf("%v", expiry)). Str("expiresAt", fmt.Sprintf("%v", expiry)).
Msg("Registering new node from auth callback") Msg("Registering new node from auth callback")
// Check if node exists with same machine key
var existingMachineNode *types.Node
if nv, exists := s.nodeStore.GetNodeByMachineKey(regEntry.Node.MachineKey); exists && nv.Valid() {
existingMachineNode = nv.AsStruct()
}
// Check for different user registration
if existingMachineNode != nil && existingMachineNode.UserID != uint(userID) {
return types.NodeView{}, change.EmptySet, hsdb.ErrDifferentRegisteredUser
}
// Prepare the node for registration // Prepare the node for registration
nodeToRegister := regEntry.Node nodeToRegister := regEntry.Node
nodeToRegister.UserID = uint(userID)
nodeToRegister.User = *user
nodeToRegister.RegisterMethod = registrationMethod nodeToRegister.RegisterMethod = registrationMethod
if expiry != nil {
nodeToRegister.Expiry = expiry
}
// Handle IP allocation // Handle IP allocation
var ipv4, ipv6 *netip.Addr var ipv4, ipv6 *netip.Addr
@ -1092,16 +1109,47 @@ func (s *State) HandleNodeFromAuthPath(
nodeToRegister.GivenName = givenName nodeToRegister.GivenName = givenName
} }
savedNode, err := s.registerOrUpdateNode(nodeRegistrationHelper{ var savedNode *types.Node
node: &nodeToRegister, if existingMachineNode != nil && existingMachineNode.UserID == uint(userID) {
userID: userID, // Update existing node - NodeStore first, then database
user: user, s.nodeStore.UpdateNode(existingMachineNode.ID, func(node *types.Node) {
expiry: expiry, node.NodeKey = nodeToRegister.NodeKey
updateExistingNode: updateFunc, node.DiscoKey = nodeToRegister.DiscoKey
postSaveCallback: nil, // No post-save callback needed node.Hostname = nodeToRegister.Hostname
}) node.Hostinfo = nodeToRegister.Hostinfo
if err != nil { node.Endpoints = nodeToRegister.Endpoints
return types.NodeView{}, change.EmptySet, err node.RegisterMethod = nodeToRegister.RegisterMethod
if expiry != nil {
node.Expiry = expiry
}
node.IsOnline = ptr.To(false)
node.LastSeen = ptr.To(time.Now())
})
// Save to database
savedNode, err = hsdb.Write(s.db.DB, func(tx *gorm.DB) (*types.Node, error) {
if err := tx.Save(&nodeToRegister).Error; err != nil {
return nil, fmt.Errorf("failed to save node: %w", err)
}
return &nodeToRegister, nil
})
if err != nil {
return types.NodeView{}, change.EmptySet, err
}
} else {
// New node - database first to get ID, then NodeStore
savedNode, err = hsdb.Write(s.db.DB, func(tx *gorm.DB) (*types.Node, error) {
if err := tx.Save(&nodeToRegister).Error; err != nil {
return nil, fmt.Errorf("failed to save node: %w", err)
}
return &nodeToRegister, nil
})
if err != nil {
return types.NodeView{}, change.EmptySet, err
}
// Add to NodeStore after database creates the ID
s.nodeStore.PutNode(*savedNode)
} }
// Delete from registration cache // Delete from registration cache
@ -1114,13 +1162,17 @@ func (s *State) HandleNodeFromAuthPath(
} }
close(regEntry.Registered) close(regEntry.Registered)
// Finalize registration // Update policy manager
c, err := s.finalizeNodeRegistration(savedNode) nodesChange, err := s.updatePolicyManagerNodes()
if err != nil { if err != nil {
return savedNode.View(), c, err return savedNode.View(), change.NodeAdded(savedNode.ID), fmt.Errorf("failed to update policy manager: %w", err)
} }
return savedNode.View(), c, nil if !nodesChange.Empty() {
return savedNode.View(), nodesChange, nil
}
return savedNode.View(), change.NodeAdded(savedNode.ID), nil
} }
// HandleNodeFromPreAuthKey handles node registration using a pre-authentication key. // HandleNodeFromPreAuthKey handles node registration using a pre-authentication key.
@ -1145,29 +1197,17 @@ func (s *State) HandleNodeFromPreAuthKey(
if !regReq.Expiry.IsZero() && regReq.Expiry.Before(time.Now()) && pak.Ephemeral { if !regReq.Expiry.IsZero() && regReq.Expiry.Before(time.Now()) && pak.Ephemeral {
// Find the node to delete // Find the node to delete
var nodeToDelete types.NodeView var nodeToDelete types.NodeView
if nv, exists := s.nodeStore.GetNodeByMachineKey(machineKey); exists && nv.Valid() { for _, nv := range s.nodeStore.ListNodes().All() {
nodeToDelete = nv if nv.Valid() && nv.MachineKey() == machineKey {
nodeToDelete = nv
break
}
} }
if nodeToDelete.Valid() { if nodeToDelete.Valid() {
c, err := s.DeleteNode(nodeToDelete) c, err := s.DeleteNode(nodeToDelete)
if err != nil { if err != nil {
return types.NodeView{}, change.EmptySet, fmt.Errorf("deleting ephemeral node during logout: %w", err) return types.NodeView{}, change.EmptySet, fmt.Errorf("deleting ephemeral node during logout: %w", err)
} }
return types.NodeView{}, c, nil
}
return types.NodeView{}, change.EmptySet, nil
}
// Check if node already exists by node key (this is a refresh/re-registration)
existingNodeView, exists := s.nodeStore.GetNodeByNodeKey(regReq.NodeKey)
if exists && existingNodeView.Valid() {
// Node exists - this is a refresh/re-registration
log.Debug().
Str("node", regReq.Hostinfo.Hostname).
Str("machine_key", machineKey.ShortString()).
Str("node_key", regReq.NodeKey.ShortString()).
Str("user", pak.User.Username()).
Msg("Refreshing existing node registration with pre-auth key")
return types.NodeView{}, c, nil return types.NodeView{}, c, nil
} }
@ -1182,9 +1222,17 @@ func (s *State) HandleNodeFromPreAuthKey(
Str("user", pak.User.Username()). Str("user", pak.User.Username()).
Msg("Registering node with pre-auth key") Msg("Registering node with pre-auth key")
// Check if node already exists with same machine key
var existingNode *types.Node
if nv, exists := s.nodeStore.GetNodeByMachineKey(machineKey); exists && nv.Valid() {
existingNode = nv.AsStruct()
}
// Prepare the node for registration // Prepare the node for registration
nodeToRegister := types.Node{ nodeToRegister := types.Node{
Hostname: regReq.Hostinfo.Hostname, Hostname: regReq.Hostinfo.Hostname,
UserID: pak.User.ID,
User: pak.User,
MachineKey: machineKey, MachineKey: machineKey,
NodeKey: regReq.NodeKey, NodeKey: regReq.NodeKey,
Hostinfo: regReq.Hostinfo, Hostinfo: regReq.Hostinfo,
@ -1195,39 +1243,58 @@ func (s *State) HandleNodeFromPreAuthKey(
AuthKeyID: &pak.ID, AuthKeyID: &pak.ID,
} }
var expiry *time.Time
if !regReq.Expiry.IsZero() { if !regReq.Expiry.IsZero() {
nodeToRegister.Expiry = &regReq.Expiry nodeToRegister.Expiry = &regReq.Expiry
} }
// Post-save callback to use the pre-auth key // Handle IP allocation and existing node properties
postSaveFunc := func(tx *gorm.DB, savedNode *types.Node) error { var ipv4, ipv6 *netip.Addr
if !pak.Reusable {
return hsdb.UsePreAuthKey(tx, pak)
}
return nil
}
// Check if node already exists with same machine key for logging
var existingNode *types.Node
if nv, exists := s.nodeStore.GetNodeByMachineKey(machineKey); exists && nv.Valid() {
existingNode = nv.AsStruct()
}
savedNode, err := s.registerOrUpdateNode(nodeRegistrationHelper{
node: &nodeToRegister,
userID: types.UserID(pak.User.ID),
user: &pak.User,
expiry: expiry,
updateExistingNode: updateFunc,
postSaveCallback: postSaveFunc,
})
if err != nil {
return types.NodeView{}, change.EmptySet, fmt.Errorf("registering node: %w", err)
}
// Log re-authorization if it was an existing node
if existingNode != nil && existingNode.UserID == pak.User.ID { if existingNode != nil && existingNode.UserID == pak.User.ID {
// Reuse existing node properties
nodeToRegister.ID = existingNode.ID
nodeToRegister.GivenName = existingNode.GivenName
nodeToRegister.ApprovedRoutes = existingNode.ApprovedRoutes
ipv4 = existingNode.IPv4
ipv6 = existingNode.IPv6
} else {
// Allocate new IPs
ipv4, ipv6, err = s.ipAlloc.Next()
if err != nil {
return types.NodeView{}, change.EmptySet, fmt.Errorf("allocating IPs: %w", err)
}
}
nodeToRegister.IPv4 = ipv4
nodeToRegister.IPv6 = ipv6
// Ensure unique given name if not set
if nodeToRegister.GivenName == "" {
givenName, err := hsdb.EnsureUniqueGivenName(s.db.DB, nodeToRegister.Hostname)
if err != nil {
return types.NodeView{}, change.EmptySet, fmt.Errorf("failed to ensure unique given name: %w", err)
}
nodeToRegister.GivenName = givenName
}
var savedNode *types.Node
if existingNode != nil && existingNode.UserID == pak.User.ID {
// Update existing node - NodeStore first, then database
s.nodeStore.UpdateNode(existingNode.ID, func(node *types.Node) {
node.NodeKey = nodeToRegister.NodeKey
node.Hostname = nodeToRegister.Hostname
node.Hostinfo = nodeToRegister.Hostinfo
node.Endpoints = nodeToRegister.Endpoints
node.RegisterMethod = nodeToRegister.RegisterMethod
node.ForcedTags = nodeToRegister.ForcedTags
node.AuthKey = nodeToRegister.AuthKey
node.AuthKeyID = nodeToRegister.AuthKeyID
if nodeToRegister.Expiry != nil {
node.Expiry = nodeToRegister.Expiry
}
node.IsOnline = ptr.To(false)
node.LastSeen = ptr.To(time.Now())
})
log.Trace(). log.Trace().
Caller(). Caller().
Str("node", nodeToRegister.Hostname). Str("node", nodeToRegister.Hostname).
@ -1235,12 +1302,65 @@ func (s *State) HandleNodeFromPreAuthKey(
Str("node_key", regReq.NodeKey.ShortString()). Str("node_key", regReq.NodeKey.ShortString()).
Str("user", pak.User.Username()). Str("user", pak.User.Username()).
Msg("Node re-authorized") Msg("Node re-authorized")
// Save to database
savedNode, err = hsdb.Write(s.db.DB, func(tx *gorm.DB) (*types.Node, error) {
if err := tx.Save(&nodeToRegister).Error; err != nil {
return nil, fmt.Errorf("failed to save node: %w", err)
}
if !pak.Reusable {
err = hsdb.UsePreAuthKey(tx, pak)
if err != nil {
return nil, fmt.Errorf("using pre auth key: %w", err)
}
}
return &nodeToRegister, nil
})
if err != nil {
return types.NodeView{}, change.EmptySet, fmt.Errorf("writing node to database: %w", err)
}
} else {
// New node - database first to get ID, then NodeStore
savedNode, err = hsdb.Write(s.db.DB, func(tx *gorm.DB) (*types.Node, error) {
if err := tx.Save(&nodeToRegister).Error; err != nil {
return nil, fmt.Errorf("failed to save node: %w", err)
}
if !pak.Reusable {
err = hsdb.UsePreAuthKey(tx, pak)
if err != nil {
return nil, fmt.Errorf("using pre auth key: %w", err)
}
}
return &nodeToRegister, nil
})
if err != nil {
return types.NodeView{}, change.EmptySet, fmt.Errorf("writing node to database: %w", err)
}
// Add to NodeStore after database creates the ID
s.nodeStore.PutNode(*savedNode)
} }
// Finalize registration // Update policy managers
c, err := s.finalizeNodeRegistration(savedNode) usersChange, err := s.updatePolicyManagerUsers()
if err != nil { if err != nil {
return savedNode.View(), c, err return savedNode.View(), change.NodeAdded(savedNode.ID), fmt.Errorf("failed to update policy manager users: %w", err)
}
nodesChange, err := s.updatePolicyManagerNodes()
if err != nil {
return savedNode.View(), change.NodeAdded(savedNode.ID), fmt.Errorf("failed to update policy manager nodes: %w", err)
}
var c change.ChangeSet
if !usersChange.Empty() || !nodesChange.Empty() {
c = change.PolicyChange()
} else {
c = change.NodeAdded(savedNode.ID)
} }
return savedNode.View(), c, nil return savedNode.View(), c, nil

8
integration/acl_test.go
View File

@ -1317,7 +1317,7 @@ func TestACLAutogroupTagged(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
// Create nodes with proper naming // Create nodes with proper naming
for i := 0; i < spec.NodesPerUser; i++ { for i := range spec.NodesPerUser {
var tags []string var tags []string
var version string var version string
@ -1417,7 +1417,7 @@ func TestACLAutogroupTagged(t *testing.T) {
} }
} else { } else {
// This is an untagged node // This is an untagged node
assert.Len(ct, status.Peers(), 0, "untagged node %s should see 0 peers", hostname) assert.Empty(ct, status.Peers(), "untagged node %s should see 0 peers", hostname)
// Add to untagged list only once we've verified it // Add to untagged list only once we've verified it
found := false found := false
@ -1431,7 +1431,7 @@ func TestACLAutogroupTagged(t *testing.T) {
untaggedClients = append(untaggedClients, client) untaggedClients = append(untaggedClients, client)
} }
} }
}, 30*time.Second, 1*time.Second, fmt.Sprintf("verifying peer visibility for node %s", hostname)) }, 30*time.Second, 1*time.Second, "verifying peer visibility for node %s", hostname)
} }
// Verify we have the expected number of tagged and untagged nodes // Verify we have the expected number of tagged and untagged nodes
@ -1443,7 +1443,7 @@ func TestACLAutogroupTagged(t *testing.T) {
status, err := client.Status() status, err := client.Status()
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, status.Self.Tags, "tagged node %s should have tags", client.Hostname()) require.NotNil(t, status.Self.Tags, "tagged node %s should have tags", client.Hostname())
require.Greater(t, status.Self.Tags.Len(), 0, "tagged node %s should have at least one tag", client.Hostname()) require.Positive(t, status.Self.Tags.Len(), "tagged node %s should have at least one tag", client.Hostname())
t.Logf("Tagged node %s has tags: %v", client.Hostname(), status.Self.Tags) t.Logf("Tagged node %s has tags: %v", client.Hostname(), status.Self.Tags)
} }

4
integration/auth_oidc_test.go
View File

@ -124,7 +124,7 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
// //
// Known timing considerations: // Known timing considerations:
// - Nodes may expire at different times due to sequential login processing // - Nodes may expire at different times due to sequential login processing
// - The test must account for login time spread between first and last node // - The test must account for login time spread between first and last node.
func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) { func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
IntegrationSkip(t) IntegrationSkip(t)
@ -186,7 +186,7 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
// - Network and processing delays // - Network and processing delays
// - Safety margin for test reliability // - Safety margin for test reliability
loginTimeSpread := 1 * time.Minute // Account for sequential login delays loginTimeSpread := 1 * time.Minute // Account for sequential login delays
safetyBuffer := 30 * time.Second // Additional safety margin safetyBuffer := 30 * time.Second // Additional safety margin
totalWaitTime := shortAccessTTL + loginTimeSpread + safetyBuffer totalWaitTime := shortAccessTTL + loginTimeSpread + safetyBuffer
t.Logf("Waiting %v for OIDC tokens to expire (TTL: %v, spread: %v, buffer: %v)", t.Logf("Waiting %v for OIDC tokens to expire (TTL: %v, spread: %v, buffer: %v)",

2
integration/cli_test.go
View File

@ -390,7 +390,6 @@ func TestPreAuthKeyCommand(t *testing.T) {
) )
assertNoErr(t, err) assertNoErr(t, err)
assert.True(t, listedPreAuthKeysAfterExpire[1].GetExpiration().AsTime().Before(time.Now())) assert.True(t, listedPreAuthKeysAfterExpire[1].GetExpiration().AsTime().Before(time.Now()))
assert.True(t, listedPreAuthKeysAfterExpire[2].GetExpiration().AsTime().After(time.Now())) assert.True(t, listedPreAuthKeysAfterExpire[2].GetExpiration().AsTime().After(time.Now()))
assert.True(t, listedPreAuthKeysAfterExpire[3].GetExpiration().AsTime().After(time.Now())) assert.True(t, listedPreAuthKeysAfterExpire[3].GetExpiration().AsTime().After(time.Now()))
@ -450,7 +449,6 @@ func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {
// There is one key created by "scenario.CreateHeadscaleEnv" // There is one key created by "scenario.CreateHeadscaleEnv"
assert.Len(t, listedPreAuthKeys, 2) assert.Len(t, listedPreAuthKeys, 2)
assert.True(t, listedPreAuthKeys[1].GetExpiration().AsTime().After(time.Now())) assert.True(t, listedPreAuthKeys[1].GetExpiration().AsTime().After(time.Now()))
assert.True( assert.True(
t, t,

1
integration/scenario.go
View File

@ -449,6 +449,7 @@ func (s *Scenario) GetOrCreateUser(userStr string) *User {
Clients: make(map[string]TailscaleClient), Clients: make(map[string]TailscaleClient),
} }
s.users[userStr] = user s.users[userStr] = user
return user return user
} }

2
integration/tsic/tsic.go
View File

@ -626,7 +626,7 @@ func (t *TailscaleInContainer) IPv4() (netip.Addr, error) {
} }
} }
return netip.Addr{}, fmt.Errorf("no IPv4 address found") return netip.Addr{}, errors.New("no IPv4 address found")
} }
func (t *TailscaleInContainer) MustIPv4() netip.Addr { func (t *TailscaleInContainer) MustIPv4() netip.Addr {