policy: allow the tailscale.com/cap/secrets capability

It's setec's official cap; allowlist it so it can be granted via policy.
This commit is contained in:
Kristoffer Dalby
2026-06-23 07:09:15 +02:00
parent 036760df02
commit 66937040f2
2 changed files with 28 additions and 0 deletions
+4
View File
@@ -2271,6 +2271,10 @@ var tailscaleCapAllowlist = map[tailcfg.PeerCapability]bool{
tailcfg.PeerCapabilityWebUI: true, // tailscale.com/cap/webui
tailcfg.PeerCapabilityKubernetes: true, // tailscale.com/cap/kubernetes
tailcfg.PeerCapabilityTsIDP: true, // tailscale.com/cap/tsidp
// tailscale.com/cap/secrets is the capability used by setec
// (github.com/tailscale/setec); allow it so it can be granted via policy.
tailcfg.PeerCapability("tailscale.com/cap/secrets"): true,
}
// validateGrantSrcDstCombination validates [Grant]-specific source/destination
+24
View File
@@ -6244,3 +6244,27 @@ func TestUnmarshalPolicySSHTests(t *testing.T) {
})
}
}
func TestValidateCapabilityName(t *testing.T) {
tests := []struct {
name string
cap string
wantErr error
}{
{name: "custom domain allowed", cap: "example.com/cap/foo", wantErr: nil},
{name: "allowlisted tailscale cap", cap: "tailscale.com/cap/drive", wantErr: nil},
{name: "setec secrets cap allowed", cap: "tailscale.com/cap/secrets", wantErr: nil},
{name: "non-allowlisted tailscale cap rejected", cap: "tailscale.com/cap/nope", wantErr: ErrCapNameTailscaleDomain},
{name: "url scheme rejected", cap: "https://tailscale.com/cap/drive", wantErr: ErrCapNameInvalidForm},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validateCapabilityName(tt.cap)
if tt.wantErr == nil {
require.NoError(t, err)
} else {
require.ErrorIs(t, err, tt.wantErr)
}
})
}
}