From 5cdb401b258aec2a3f3dc5a875c496a431197d39 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby <kristoffer@dalby.cc>
Date: Wed, 18 Feb 2026 09:47:36 +0000
Subject: [PATCH] integration: add TestSSHLocalpart integration test

Add integration test for localpart:*@<domain> SSH user mapping using
OIDC login to provide real email addresses. The test covers three
scenarios:

- MemberAndTagged: localpart with autogroup:member+autogroup:tagged
  destinations, verifying per-user SSH access and cross-user denial
- AutogroupSelf: localpart with autogroup:self, verifying cross-user
  SSH is denied
- LocalpartPlusRoot: localpart combined with explicit "root" user,
  verifying both mappings work simultaneously

Also refactor SSH test helpers to support custom SSH usernames via
doSSHWithRetryAsUser and broaden SSH access denied error detection
to cover the "does not permit you to SSH as user" variant.

Updates #3049
---
 integration/ssh_test.go | 276 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 273 insertions(+), 3 deletions(-)

diff --git a/integration/ssh_test.go b/integration/ssh_test.go
index 45bc2dc7..2cb468d7 100644
--- a/integration/ssh_test.go
+++ b/integration/ssh_test.go
@@ -10,6 +10,7 @@ import (
 	policyv2 "github.com/juanfont/headscale/hscontrol/policy/v2"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/oauth2-proxy/mockoidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"tailscale.com/tailcfg"
@@ -20,7 +21,8 @@ func isSSHNoAccessStdError(stderr string) bool {
 		// Since https://github.com/tailscale/tailscale/pull/14853
 		strings.Contains(stderr, "failed to evaluate SSH policy") ||
 		// Since https://github.com/tailscale/tailscale/pull/16127
-		strings.Contains(stderr, "tailnet policy does not permit you to SSH to this node")
+		// Covers both "to this node" and "as user <name>" variants.
+		strings.Contains(stderr, "tailnet policy does not permit you to SSH")
 }
 
 func sshScenario(t *testing.T, policy *policyv2.Policy, clientsPerUser int) *Scenario {
@@ -420,15 +422,27 @@ func doSSHWithoutRetry(t *testing.T, client TailscaleClient, peer TailscaleClien
 func doSSHWithRetry(t *testing.T, client TailscaleClient, peer TailscaleClient, retry bool) (string, string, error) {
 	t.Helper()
 
+	return doSSHWithRetryAsUser(t, client, peer, "ssh-it-user", retry)
+}
+
+func doSSHWithRetryAsUser(
+	t *testing.T,
+	client TailscaleClient,
+	peer TailscaleClient,
+	sshUser string,
+	retry bool,
+) (string, string, error) {
+	t.Helper()
+
 	peerFQDN, _ := peer.FQDN()
 
 	command := []string{
 		"/usr/bin/ssh", "-o StrictHostKeyChecking=no", "-o ConnectTimeout=1",
-		fmt.Sprintf("%s@%s", "ssh-it-user", peerFQDN),
+		fmt.Sprintf("%s@%s", sshUser, peerFQDN),
 		"'hostname'",
 	}
 
-	log.Printf("Running from %s to %s", client.Hostname(), peer.Hostname())
+	log.Printf("Running from %s to %s as %s", client.Hostname(), peer.Hostname(), sshUser)
 	log.Printf("Command: %s", strings.Join(command, " "))
 
 	var (
@@ -499,6 +513,31 @@ func assertSSHNoAccessStdError(t *testing.T, err error, stderr string) {
 	}
 }
 
+func doSSHAsUser(t *testing.T, client TailscaleClient, peer TailscaleClient, sshUser string) (string, string, error) {
+	t.Helper()
+
+	return doSSHWithRetryAsUser(t, client, peer, sshUser, true)
+}
+
+func assertSSHHostnameAsUser(t *testing.T, client TailscaleClient, peer TailscaleClient, sshUser string) {
+	t.Helper()
+
+	result, _, err := doSSHAsUser(t, client, peer, sshUser)
+	require.NoError(t, err)
+
+	require.Contains(t, peer.ContainerID(), strings.ReplaceAll(result, "\n", ""))
+}
+
+func assertSSHPermissionDeniedAsUser(t *testing.T, client TailscaleClient, peer TailscaleClient, sshUser string) {
+	t.Helper()
+
+	result, stderr, err := doSSHWithRetryAsUser(t, client, peer, sshUser, false)
+
+	assert.Empty(t, result)
+
+	assertSSHNoAccessStdError(t, err, stderr)
+}
+
 // TestSSHAutogroupSelf tests that SSH with autogroup:self works correctly:
 // - Users can SSH to their own devices
 // - Users cannot SSH to other users' devices.
@@ -579,3 +618,234 @@ func TestSSHAutogroupSelf(t *testing.T) {
 		}
 	}
 }
+
+// TestSSHLocalpart tests that SSH with localpart:*@<domain> works correctly.
+// localpart maps the local-part of each user's OIDC email to an OS user,
+// so user1@headscale.net can SSH as local user "user1".
+// This requires OIDC login so that users have real email addresses.
+func TestSSHLocalpart(t *testing.T) {
+	IntegrationSkip(t)
+
+	baseACLs := []policyv2.ACL{
+		{
+			Action:   "accept",
+			Protocol: "tcp",
+			Sources:  []policyv2.Alias{wildcard()},
+			Destinations: []policyv2.AliasWithPorts{
+				aliasWithPorts(wildcard(), tailcfg.PortRangeAny),
+			},
+		},
+	}
+
+	tests := []struct {
+		name   string
+		policy *policyv2.Policy
+		testFn func(t *testing.T, scenario *Scenario)
+	}{
+		{
+			name: "MemberAndTagged",
+			policy: &policyv2.Policy{
+				ACLs: baseACLs,
+				SSHs: []policyv2.SSH{
+					{
+						Action:  "accept",
+						Sources: policyv2.SSHSrcAliases{new(policyv2.AutoGroupMember)},
+						Destinations: policyv2.SSHDstAliases{
+							new(policyv2.AutoGroupMember),
+							new(policyv2.AutoGroupTagged),
+						},
+						Users: []policyv2.SSHUser{"localpart:*@headscale.net"},
+					},
+				},
+			},
+			testFn: func(t *testing.T, scenario *Scenario) {
+				t.Helper()
+
+				user1Clients, err := scenario.ListTailscaleClients("user1")
+				requireNoErrListClients(t, err)
+
+				user2Clients, err := scenario.ListTailscaleClients("user2")
+				requireNoErrListClients(t, err)
+
+				// user1 can SSH to user2's nodes as "user1" (localpart of user1@headscale.net)
+				for _, client := range user1Clients {
+					for _, peer := range user2Clients {
+						assertSSHHostnameAsUser(t, client, peer, "user1")
+					}
+				}
+
+				// user2 can SSH to user1's nodes as "user2" (localpart of user2@headscale.net)
+				for _, client := range user2Clients {
+					for _, peer := range user1Clients {
+						assertSSHHostnameAsUser(t, client, peer, "user2")
+					}
+				}
+
+				// user1 CANNOT SSH as "user2" — no rule maps user1's IPs to user2
+				for _, client := range user1Clients {
+					for _, peer := range user2Clients {
+						assertSSHPermissionDeniedAsUser(t, client, peer, "user2")
+					}
+				}
+
+				// user2 CANNOT SSH as "user1" — no rule maps user2's IPs to user1
+				for _, client := range user2Clients {
+					for _, peer := range user1Clients {
+						assertSSHPermissionDeniedAsUser(t, client, peer, "user1")
+					}
+				}
+			},
+		},
+		{
+			name: "AutogroupSelf",
+			policy: &policyv2.Policy{
+				ACLs: baseACLs,
+				SSHs: []policyv2.SSH{
+					{
+						Action:       "accept",
+						Sources:      policyv2.SSHSrcAliases{new(policyv2.AutoGroupMember)},
+						Destinations: policyv2.SSHDstAliases{new(policyv2.AutoGroupSelf)},
+						Users:        []policyv2.SSHUser{"localpart:*@headscale.net"},
+					},
+				},
+			},
+			testFn: func(t *testing.T, scenario *Scenario) {
+				t.Helper()
+
+				user1Clients, err := scenario.ListTailscaleClients("user1")
+				requireNoErrListClients(t, err)
+
+				user2Clients, err := scenario.ListTailscaleClients("user2")
+				requireNoErrListClients(t, err)
+
+				// With autogroup:self, cross-user SSH should be denied regardless of localpart.
+				// user1 cannot SSH to user2's nodes as "user1"
+				for _, client := range user1Clients {
+					for _, peer := range user2Clients {
+						assertSSHPermissionDeniedAsUser(t, client, peer, "user1")
+					}
+				}
+
+				// user2 cannot SSH to user1's nodes as "user2"
+				for _, client := range user2Clients {
+					for _, peer := range user1Clients {
+						assertSSHPermissionDeniedAsUser(t, client, peer, "user2")
+					}
+				}
+
+				// user1 also cannot SSH to user2's nodes as "user2"
+				for _, client := range user1Clients {
+					for _, peer := range user2Clients {
+						assertSSHPermissionDeniedAsUser(t, client, peer, "user2")
+					}
+				}
+			},
+		},
+		{
+			name: "LocalpartPlusRoot",
+			policy: &policyv2.Policy{
+				ACLs: baseACLs,
+				SSHs: []policyv2.SSH{
+					{
+						Action:  "accept",
+						Sources: policyv2.SSHSrcAliases{new(policyv2.AutoGroupMember)},
+						Destinations: policyv2.SSHDstAliases{
+							new(policyv2.AutoGroupMember),
+							new(policyv2.AutoGroupTagged),
+						},
+						Users: []policyv2.SSHUser{
+							"localpart:*@headscale.net",
+							"root",
+						},
+					},
+				},
+			},
+			testFn: func(t *testing.T, scenario *Scenario) {
+				t.Helper()
+
+				user1Clients, err := scenario.ListTailscaleClients("user1")
+				requireNoErrListClients(t, err)
+
+				user2Clients, err := scenario.ListTailscaleClients("user2")
+				requireNoErrListClients(t, err)
+
+				// localpart works: user1 can SSH to user2's nodes as "user1"
+				for _, client := range user1Clients {
+					for _, peer := range user2Clients {
+						assertSSHHostnameAsUser(t, client, peer, "user1")
+					}
+				}
+
+				// root also works: user1 can SSH to user2's nodes as "root"
+				for _, client := range user1Clients {
+					for _, peer := range user2Clients {
+						assertSSHHostnameAsUser(t, client, peer, "root")
+					}
+				}
+
+				// user2 can SSH as "user2" (localpart)
+				for _, client := range user2Clients {
+					for _, peer := range user1Clients {
+						assertSSHHostnameAsUser(t, client, peer, "user2")
+					}
+				}
+
+				// user2 can SSH as "root"
+				for _, client := range user2Clients {
+					for _, peer := range user1Clients {
+						assertSSHHostnameAsUser(t, client, peer, "root")
+					}
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			spec := ScenarioSpec{
+				NodesPerUser: 1,
+				Users:        []string{"user1", "user2"},
+				OIDCUsers: []mockoidc.MockUser{
+					oidcMockUser("user1", true),
+					oidcMockUser("user2", true),
+				},
+			}
+
+			scenario, err := NewScenario(spec)
+
+			require.NoError(t, err)
+			defer scenario.ShutdownAssertNoPanics(t)
+
+			oidcMap := map[string]string{
+				"HEADSCALE_OIDC_ISSUER":             scenario.mockOIDC.Issuer(),
+				"HEADSCALE_OIDC_CLIENT_ID":          scenario.mockOIDC.ClientID(),
+				"CREDENTIALS_DIRECTORY_TEST":        "/tmp",
+				"HEADSCALE_OIDC_CLIENT_SECRET_PATH": "${CREDENTIALS_DIRECTORY_TEST}/hs_client_oidc_secret",
+			}
+
+			err = scenario.CreateHeadscaleEnvWithLoginURL(
+				[]tsic.Option{
+					tsic.WithSSH(),
+					tsic.WithNetfilter("off"),
+					tsic.WithPackages("openssh"),
+					tsic.WithExtraCommands("adduser user1", "adduser user2"),
+					tsic.WithDockerWorkdir("/"),
+				},
+				hsic.WithTestName("sshlocalpart"),
+				hsic.WithACLPolicy(tt.policy),
+				hsic.WithConfigEnv(oidcMap),
+				hsic.WithTLS(),
+				hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
+			)
+			requireNoErrHeadscaleEnv(t, err)
+
+			err = scenario.WaitForTailscaleSync()
+			requireNoErrSync(t, err)
+
+			_, err = scenario.ListTailscaleClientsFQDNs()
+			requireNoErrListFQDN(t, err)
+
+			tt.testFn(t, scenario)
+		})
+	}
+}