policy/v2: add sshtester compat runner

Replays recorded policy responses for the sshTests block. 200 captures must evaluate; non-200 captures must reject with the recorded body as a substring of the headscale error. Divergences are listed in knownSSHTesterDivergences.
2026-05-23 18:48:42 +09:00 · 2026-05-13 14:17:51 +00:00
parent 013dea4f40
commit 26eebcea5a
36 changed files with 676965 additions and 0 deletions
--- a/hscontrol/policy/v2/sshtester_compat_test.go
+++ b/hscontrol/policy/v2/sshtester_compat_test.go
@@ -0,0 +1,88 @@
+// Replay golden HuJSON captures under testdata/sshtest_results/*.hujson:
+// the 200 path requires headscale's evaluateSSHTests to pass; the
+// non-200 path requires headscale to reject the same input with the
+// captured error body as a substring. Divergences are listed in
+// knownSSHTesterDivergences with the engine gap each represents.
+
+package v2
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/juanfont/headscale/hscontrol/types/testcapture"
+	"github.com/stretchr/testify/require"
+)
+
+// knownSSHTesterDivergences names the engine gap for each capture where
+// headscale and upstream disagree.
+var knownSSHTesterDivergences = map[string]string{
+	"sshtest-malformed-dst-bare-ipv6": "bare-IPv6 sshTests dst: upstream parse-accepts then engine-rejects; headscale accepts (IPv4 mirror passes both sides)",
+}
+
+func TestSSHTesterCompat(t *testing.T) {
+	t.Parallel()
+
+	files, err := filepath.Glob(filepath.Join("testdata", "sshtest_results", "*.hujson"))
+	require.NoError(t, err, "failed to glob test files")
+
+	if len(files) == 0 {
+		t.Skip("no sshtest captures yet")
+	}
+
+	users := setupSSHDataCompatUsers()
+
+	for _, file := range files {
+		c, err := testcapture.Read(file)
+		require.NoError(t, err, "reading %s", file)
+
+		t.Run(c.TestID, func(t *testing.T) {
+			t.Parallel()
+
+			if reason, skip := knownSSHTesterDivergences[c.TestID]; skip {
+				t.Skip(reason)
+			}
+
+			// Each capture pins its own topology IPs; build nodes
+			// from the capture so host-alias dsts resolve.
+			nodes := buildGrantsNodesFromCapture(users, c)
+
+			policyJSON := []byte(c.Input.FullPolicy)
+
+			pm, parseErr := NewPolicyManager(policyJSON, users, nodes.ViewSlice())
+
+			if c.Input.APIResponseCode == 200 {
+				require.NoError(t, parseErr,
+					"tailscale accepted this policy; headscale must parse it")
+
+				_, setErr := pm.SetPolicy(policyJSON)
+				require.NoError(t, setErr,
+					"tailscale accepted this policy; headscale sshTests must pass")
+
+				return
+			}
+
+			var got error
+
+			switch {
+			case parseErr != nil:
+				got = parseErr
+			default:
+				_, setErr := pm.SetPolicy(policyJSON)
+				got = setErr
+			}
+
+			require.Error(t, got, "tailscale rejected; headscale must reject too")
+
+			if c.Input.APIResponseBody == nil || c.Input.APIResponseBody.Message == "" {
+				return
+			}
+
+			want := c.Input.APIResponseBody.Message
+			if !strings.Contains(got.Error(), want) {
+				t.Errorf("error body mismatch\n  tailscale wants: %q\n  headscale got:   %q", want, got.Error())
+			}
+		})
+	}
+}
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-accept-and-deny-same-user.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-accept-and-deny-same-user.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-accept-fail-no-ssh-rule.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-accept-fail-no-ssh-rule.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-accept-fail-wrong-login-user.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-accept-fail-wrong-login-user.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-acceptenv-no-effect.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-acceptenv-no-effect.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-action-check-treated-as-allowed.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-action-check-treated-as-allowed.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-allpass-autogroup-self-same-user.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-allpass-autogroup-self-same-user.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-allpass-basic-user-to-tag.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-allpass-basic-user-to-tag.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-both-tests-and-sshTests-both-pass.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-both-tests-and-sshTests-both-pass.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-both-tests-pass-sshTests-fail.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-both-tests-pass-sshTests-fail.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-checkperiod-no-effect.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-checkperiod-no-effect.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-deny-fail-policy-allows.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-deny-fail-policy-allows.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-deny-pass-cross-user-blocked.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-deny-pass-cross-user-blocked.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-deny-pass-no-rule.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-deny-pass-no-rule.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-dst-duplicate-tags.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-dst-duplicate-tags.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-group-as-src.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-group-as-src.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-host-alias-as-dst.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-host-alias-as-dst.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-ip-literal-src.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-ip-literal-src.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-dst-autogroup-internet.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-dst-autogroup-internet.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-dst-cidr.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-dst-cidr.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-dst-with-port.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-dst-with-port.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-empty-accept-and-deny.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-empty-accept-and-deny.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-empty-user.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-malformed-empty-user.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-mixed-acls-tcp22-allow-no-ssh-rule.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-mixed-acls-tcp22-allow-no-ssh-rule.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-mixed-acls-tcp22-deny-ssh-rule-allow.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-mixed-acls-tcp22-deny-ssh-rule-allow.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-mixed-grants-app-cap-with-ssh.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-mixed-grants-app-cap-with-ssh.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-multi-rule-disjoint-srcs.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-multi-rule-disjoint-srcs.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-tag-as-dst.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-tag-as-dst.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-tag-as-src.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-tag-as-src.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-literal-multi-rule.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-literal-multi-rule.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-localpart-domain-match.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-localpart-domain-match.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-localpart-domain-mismatch.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-localpart-domain-mismatch.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-nonroot-allows-alice.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-nonroot-allows-alice.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-nonroot-blocks-root.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-nonroot-blocks-root.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-root-only.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-root-only.hujson
--- a/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-wildcard.hujson
+++ b/hscontrol/policy/v2/testdata/sshtest_results/sshtest-user-wildcard.hujson