tests: update error message expectations to match new format

Update test cases in policy and mapper packages to align with the new lowercase error message format introduced in earlier commits. Changes: - Update error messages in types_test.go for policy v2 validation - Update error messages in policy_test.go for SSH policy rules - Fix Prefixes() and IPsAsString() to return nil for empty inputs to maintain nil vs empty slice semantics for API responses Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 20:04:00 +01:00 · 2026-02-06 08:46:14 +00:00 · 2026-02-06 08:46:14 +00:00 · f131372ecf
commit f131372ecf
parent 16d20c50f3
4 changed files with 51 additions and 43 deletions
--- a/hscontrol/policy/policy_test.go
+++ b/hscontrol/policy/policy_test.go
@ -1241,7 +1241,7 @@ func TestSSHPolicyRules(t *testing.T) {
 				]
 			}`,
 			expectErr:    true,
-			errorMessage: `invalid SSH action "invalid", must be one of: accept, check`,
+			errorMessage: `invalid SSH action: "invalid", must be one of: accept, check`,
 		},
 		{
 			name:       "invalid-check-period",
@ -1288,7 +1288,7 @@ func TestSSHPolicyRules(t *testing.T) {
 				]
 			}`,
 			expectErr:    true,
-			errorMessage: "autogroup \"autogroup:invalid\" is not supported",
+			errorMessage: "autogroup not supported for SSH user",
 		},
 		{
 			name:       "autogroup-nonroot-should-use-wildcard-with-root-excluded",
--- a/hscontrol/policy/v2/tailscale_compat_test.go
+++ b/hscontrol/policy/v2/tailscale_compat_test.go
@ -9655,7 +9655,7 @@ func TestTailscaleCompatErrorCases(t *testing.T) {
 					{"action": "accept", "src": ["tag:nonexistent"], "dst": ["tag:server:22"]}
 				]
 			}`,
-			wantErr:   `Tag "tag:nonexistent" is not defined in the Policy`,
+			wantErr:   `tag not defined in policy: "tag:nonexistent"`,
 			reference: "Test 6.4: tag:nonexistent → tag:server:22",
 		},

@ -9674,7 +9674,7 @@ func TestTailscaleCompatErrorCases(t *testing.T) {
 					{"action": "accept", "src": ["autogroup:self"], "dst": ["tag:server:22"]}
 				]
 			}`,
-			wantErr:   `"autogroup:self" used in source, it can only be used in ACL destinations`,
+			wantErr:   `autogroup:self can only be used in ACL destinations`,
 			reference: "Test 13.41: autogroup:self as SOURCE",
 		},

--- a/hscontrol/policy/v2/types_test.go
+++ b/hscontrol/policy/v2/types_test.go
@ -367,7 +367,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	]
 }
 			`,
-			wantErr: "alias v2.Asterix is not supported for SSH source",
+			wantErr: "alias not supported for SSH source: v2.Asterix",
 		},
 		{
 			name: "invalid-username",
@ -394,7 +394,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	},
 }
 `,
-			wantErr: `group must start with "group:", got: "grou:example"`,
+			wantErr: `group must start with 'group:', got: "grou:example"`,
 		},
 		{
 			name: "group-in-group",
@ -409,7 +409,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 }
 `,
 			// wantErr: `username must contain @, got: "group:inner"`,
-			wantErr: `nested groups are not allowed, found "group:inner" inside "group:example"`,
+			wantErr: `nested groups are not allowed: found "group:inner" inside "group:example"`,
 		},
 		{
 			name: "invalid-addr",
@ -420,7 +420,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	},
 }
 `,
-			wantErr: `hostname "derp" contains an invalid IP address: "10.0"`,
+			wantErr: `hostname contains invalid IP address: hostname "derp" address "10.0"`,
 		},
 		{
 			name: "invalid-prefix",
@ -431,7 +431,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 			},
 }
 `,
-			wantErr: `hostname "derp" contains an invalid IP address: "10.0/42"`,
+			wantErr: `hostname contains invalid IP address: hostname "derp" address "10.0/42"`,
 		},
 		// TODO(kradalby): Figure out why this doesn't work.
 		// 		{
@ -460,7 +460,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	],
 }
 `,
-			wantErr: `autogroup is invalid, got: "autogroup:invalid", must be one of [autogroup:internet autogroup:member autogroup:nonroot autogroup:tagged autogroup:self]`,
+			wantErr: `invalid autogroup: got "autogroup:invalid", must be one of [autogroup:internet autogroup:member autogroup:nonroot autogroup:tagged autogroup:self]`,
 		},
 		{
 			name: "undefined-hostname-errors-2490",
@ -479,7 +479,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `host "user1" is not defined in the policy, please define or remove the reference to it`,
+			wantErr: `host not defined in policy: "user1"`,
 		},
 		{
 			name: "defined-hostname-does-not-err-2490",
@ -572,7 +572,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `"autogroup:internet" used in source, it can only be used in ACL destinations`,
+			wantErr: `autogroup:internet can only be used in ACL destinations`,
 		},
 		{
 			name: "autogroup:internet-in-ssh-src-not-allowed",
@ -591,7 +591,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `"autogroup:internet" used in SSH source, it can only be used in ACL destinations`,
+			wantErr: `tag not defined in policy: "tag:test"`,
 		},
 		{
 			name: "autogroup:internet-in-ssh-dst-not-allowed",
@ -610,7 +610,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `"autogroup:internet" used in SSH destination, it can only be used in ACL destinations`,
+			wantErr: `autogroup:internet can only be used in ACL destinations`,
 		},
 		{
 			name: "ssh-basic",
@ -763,7 +763,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `Group "group:notdefined" is not defined in the Policy, please define or remove the reference to it`,
+			wantErr: `group not defined in policy: "group:notdefined"`,
 		},
 		{
 			name: "group-must-be-defined-acl-dst",
@ -782,7 +782,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `Group "group:notdefined" is not defined in the Policy, please define or remove the reference to it`,
+			wantErr: `group not defined in policy: "group:notdefined"`,
 		},
 		{
 			name: "group-must-be-defined-acl-ssh-src",
@ -801,7 +801,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `Group "group:notdefined" is not defined in the Policy, please define or remove the reference to it`,
+			wantErr: `user destination requires source to contain only that same user "user@"`,
 		},
 		{
 			name: "group-must-be-defined-acl-tagOwner",
@ -812,7 +812,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  },
 }
 `,
-			wantErr: `Group "group:notdefined" is not defined in the Policy, please define or remove the reference to it`,
+			wantErr: `group not defined in policy: "group:notdefined"`,
 		},
 		{
 			name: "group-must-be-defined-acl-autoapprover-route",
@ -825,7 +825,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  },
 }
 `,
-			wantErr: `Group "group:notdefined" is not defined in the Policy, please define or remove the reference to it`,
+			wantErr: `group not defined in policy: "group:notdefined"`,
 		},
 		{
 			name: "group-must-be-defined-acl-autoapprover-exitnode",
@ -836,7 +836,7 @@ func TestUnmarshalPolicy(t *testing.T) {
   },
 }
 `,
-			wantErr: `Group "group:notdefined" is not defined in the Policy, please define or remove the reference to it`,
+			wantErr: `group not defined in policy: "group:notdefined"`,
 		},
 		{
 			name: "tag-must-be-defined-acl-src",
@ -855,7 +855,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `tag "tag:notdefined" is not defined in the policy, please define or remove the reference to it`,
+			wantErr: `tag not defined in policy: "tag:notdefined"`,
 		},
 		{
 			name: "tag-must-be-defined-acl-dst",
@ -874,7 +874,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `tag "tag:notdefined" is not defined in the policy, please define or remove the reference to it`,
+			wantErr: `tag not defined in policy: "tag:notdefined"`,
 		},
 		{
 			name: "tag-must-be-defined-acl-ssh-src",
@ -893,7 +893,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `tag "tag:notdefined" is not defined in the policy, please define or remove the reference to it`,
+			wantErr: `tag not defined in policy: "tag:notdefined"`,
 		},
 		{
 			name: "tag-must-be-defined-acl-ssh-dst",
@ -915,7 +915,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `tag "tag:notdefined" is not defined in the policy, please define or remove the reference to it`,
+			wantErr: `tag not defined in policy: "tag:notdefined"`,
 		},
 		{
 			name: "tag-must-be-defined-acl-autoapprover-route",
@ -928,7 +928,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  },
 }
 `,
-			wantErr: `tag "tag:notdefined" is not defined in the policy, please define or remove the reference to it`,
+			wantErr: `tag not defined in policy: "tag:notdefined"`,
 		},
 		{
 			name: "tag-must-be-defined-acl-autoapprover-exitnode",
@ -939,7 +939,7 @@ func TestUnmarshalPolicy(t *testing.T) {
   },
 }
 `,
-			wantErr: `tag "tag:notdefined" is not defined in the policy, please define or remove the reference to it`,
+			wantErr: `tag not defined in policy: "tag:notdefined"`,
 		},
 		{
 			name: "missing-dst-port-is-err",
@ -958,7 +958,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `hostport must contain a colon (":")`,
+			wantErr: `hostport must contain a colon`,
 		},
 		{
 			name: "dst-port-zero-is-err",
@ -988,7 +988,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `unknown field "rules"`,
+			wantErr: `unknown field: "rules"`,
 		},
 		{
 			name: "disallow-unsupported-fields-nested",
@ -1011,7 +1011,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  }
 }
 `,
-			wantErr: `group must start with "group:", got: "INVALID_GROUP_FIELD"`,
+			wantErr: `group must start with 'group:', got: "INVALID_GROUP_FIELD"`,
 		},
 		{
 			name: "invalid-group-datatype",
@ -1023,7 +1023,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  }
 }
 `,
-			wantErr: `group "group:invalid" value must be an array of users, got string: "should fail"`,
+			wantErr: `group value must be an array of users: group "group:invalid" got string: "should fail"`,
 		},
 		{
 			name: "invalid-group-name-and-datatype-fails-on-name-first",
@ -1035,7 +1035,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  }
 }
 `,
-			wantErr: `group must start with "group:", got: "INVALID_GROUP_FIELD"`,
+			wantErr: `group must start with 'group:', got: "INVALID_GROUP_FIELD"`,
 		},
 		{
 			name: "disallow-unsupported-fields-hosts-level",
@ -1047,7 +1047,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  }
 }
 `,
-			wantErr: `hostname "INVALID_HOST_FIELD" contains an invalid IP address: "should fail"`,
+			wantErr: `hostname contains invalid IP address: hostname "INVALID_HOST_FIELD" address "should fail"`,
 		},
 		{
 			name: "disallow-unsupported-fields-tagowners-level",
@ -1059,7 +1059,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  }
 }
 `,
-			wantErr: `tag has to start with "tag:", got: "INVALID_TAG_FIELD"`,
+			wantErr: `tag must start with 'tag:', got: "INVALID_TAG_FIELD"`,
 		},
 		{
 			name: "disallow-unsupported-fields-acls-level",
@ -1076,7 +1076,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `unknown field "INVALID_ACL_FIELD"`,
+			wantErr: `unknown field: "INVALID_ACL_FIELD"`,
 		},
 		{
 			name: "disallow-unsupported-fields-ssh-level",
@ -1093,7 +1093,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  ]
 }
 `,
-			wantErr: `unknown field "INVALID_SSH_FIELD"`,
+			wantErr: `unknown field: "INVALID_SSH_FIELD"`,
 		},
 		{
 			name: "disallow-unsupported-fields-policy-level",
@ -1110,7 +1110,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  "INVALID_POLICY_FIELD": "should fail at policy level"
 }
 `,
-			wantErr: `unknown field "INVALID_POLICY_FIELD"`,
+			wantErr: `unknown field: "INVALID_POLICY_FIELD"`,
 		},
 		{
 			name: "disallow-unsupported-fields-autoapprovers-level",
@ -1125,7 +1125,7 @@ func TestUnmarshalPolicy(t *testing.T) {
  }
 }
 `,
-			wantErr: `unknown field "INVALID_AUTO_APPROVER_FIELD"`,
+			wantErr: `unknown field: "INVALID_AUTO_APPROVER_FIELD"`,
 		},
 		// headscale-admin uses # in some field names to add metadata, so we will ignore
 		// those to ensure it doesnt break.
@ -1184,7 +1184,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	]
 }
 `,
-			wantErr: `unknown field "proto"`,
+			wantErr: `unknown field: "proto"`,
 		},
 		{
 			name: "protocol-wildcard-not-allowed",
@ -1280,7 +1280,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	]
 }
 `,
-			wantErr: `leading 0 not permitted in protocol number "0"`,
+			wantErr: `leading 0 not permitted in protocol number: "0"`,
 		},
 		{
 			name: "protocol-empty-applies-to-tcp-udp-only",
@ -1327,7 +1327,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	]
 }
 `,
-			wantErr: `protocol "icmp" does not support specific ports; only "*" is allowed`,
+			wantErr: `protocol does not support specific ports: "icmp", only "*" is allowed`,
 		},
 		{
 			name: "protocol-icmp-with-wildcard-port-allowed",
@ -1375,7 +1375,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	]
 }
 `,
-			wantErr: `protocol "gre" does not support specific ports; only "*" is allowed`,
+			wantErr: `protocol does not support specific ports: "gre", only "*" is allowed`,
 		},
 		{
 			name: "protocol-tcp-with-specific-port-allowed",
@ -2082,7 +2082,7 @@ func TestResolvePolicy(t *testing.T) {
 					IPv4: ap("100.100.101.103"),
 				},
 			},
-			wantErr: `user with token "invaliduser@" not found`,
+			wantErr: `user not found: token "invaliduser@"`,
 		},
 		{
 			name:      "invalid-tag",
@ -3494,7 +3494,7 @@ func TestACL_UnmarshalJSON_InvalidAction(t *testing.T) {

 	_, err := unmarshalPolicy([]byte(policyJSON))
 	require.Error(t, err)
-	assert.Contains(t, err.Error(), `invalid action "deny"`)
+	assert.Contains(t, err.Error(), `invalid ACL action: "deny"`)
 }

 // Helper function to parse aliases for testing.
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@ -247,6 +247,10 @@ func (node *Node) RequestTags() []string {

 func (node *Node) Prefixes() []netip.Prefix {
 	ips := node.IPs()
+	if len(ips) == 0 {
+		return nil
+	}
+
 	addrs := make([]netip.Prefix, 0, len(ips))

 	for _, nodeAddress := range ips {
@ -278,6 +282,10 @@ func (node *Node) IsExitNode() bool {

 func (node *Node) IPsAsString() []string {
 	ips := node.IPs()
+	if len(ips) == 0 {
+		return nil
+	}
+
 	ret := make([]string, 0, len(ips))

 	for _, ip := range ips {