policy/v2: add SSH compatibility testdata from Tailscale SaaS

Add 39 test fixtures captured from Tailscale SaaS API responses to validate SSH policy compilation parity. Each JSON file contains the SSH policy section and expected compiled SSHRule arrays for 5 test nodes (3 user-owned, 2 tagged). Test series: SSH-A (basic), SSH-B (specific sources), SSH-C (destination combos), SSH-D (localpart), SSH-E (edge cases), SSH-F (multi-rule), SSH-G (acceptEnv). The data-driven TestSSHDataCompat harness uses cmp.Diff with principal order tolerance but strict rule ordering (first-match-wins semantics require exact order). Updates #3049
2026-03-11 20:55:15 +09:00 · 2026-02-24 19:40:04 +00:00
parent 0acf09bdd2
commit 6c59d3e601
40 changed files with 3498 additions and 0 deletions
--- a/hscontrol/policy/v2/tailscale_ssh_data_compat_test.go
+++ b/hscontrol/policy/v2/tailscale_ssh_data_compat_test.go
@@ -0,0 +1,344 @@
+// This file is "generated" by Claude.
+// It contains a data-driven test that reads SSH-*.json test files captured
+// from Tailscale SaaS. Each file contains:
+//   - The SSH section of the policy
+//   - The expected SSHPolicy rules for each of 5 test nodes
+//
+// The test loads each JSON file, constructs a full policy from the SSH section,
+// applies it through headscale's SSH policy compilation, and compares the output
+// against Tailscale's actual behavior.
+//
+// Tests that are known to fail due to unimplemented features or known
+// differences are skipped with a TODO comment explaining the root cause.
+// As headscale's SSH implementation improves, tests should be removed
+// from the skip list.
+//
+// Test data source: testdata/ssh_results/SSH-*.json
+// Captured from: Tailscale SaaS API + tailscale debug localapi
+
+package v2
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+	"tailscale.com/tailcfg"
+)
+
+// sshTestFile represents the JSON structure of a captured SSH test file.
+type sshTestFile struct {
+	TestID     string                    `json:"test_id"`
+	PolicyFile string                    `json:"policy_file"`
+	SSHSection json.RawMessage           `json:"ssh_section"`
+	Nodes      map[string]sshNodeCapture `json:"nodes"`
+}
+
+// sshNodeCapture represents the expected SSH rules for a single node.
+type sshNodeCapture struct {
+	Rules json.RawMessage `json:"rules"`
+}
+
+// setupSSHDataCompatUsers returns the 3 test users for SSH data-driven
+// compatibility tests. The user configuration matches the Tailscale test
+// environment with email domains preserved for localpart matching:
+//   - kratail2tid@example.com (converted from @passkey)
+//   - kristoffer@dalby.cc (kept as-is — different domain for localpart exclusion)
+//   - monitorpasskeykradalby@example.com (converted from @passkey)
+func setupSSHDataCompatUsers() types.Users {
+	return types.Users{
+		{
+			Model: gorm.Model{ID: 1},
+			Name:  "kratail2tid",
+			Email: "kratail2tid@example.com",
+		},
+		{
+			Model: gorm.Model{ID: 2},
+			Name:  "kristoffer",
+			Email: "kristoffer@dalby.cc",
+		},
+		{
+			Model: gorm.Model{ID: 3},
+			Name:  "monitorpasskeykradalby",
+			Email: "monitorpasskeykradalby@example.com",
+		},
+	}
+}
+
+// setupSSHDataCompatNodes returns the 5 test nodes for SSH data-driven
+// compatibility tests. Node GivenNames match the keys in the JSON files:
+//   - user1 (owned by kratail2tid)
+//   - user-kris (owned by kristoffer)
+//   - user-mon (owned by monitorpasskeykradalby)
+//   - tagged-server (tag:server)
+//   - tagged-prod (tag:prod)
+func setupSSHDataCompatNodes(users types.Users) types.Nodes {
+	return types.Nodes{
+		&types.Node{
+			ID:        1,
+			GivenName: "user1",
+			User:      &users[0],
+			UserID:    &users[0].ID,
+			IPv4:      ptrAddr("100.90.199.68"),
+			IPv6:      ptrAddr("fd7a:115c:a1e0::2d01:c747"),
+			Hostinfo:  &tailcfg.Hostinfo{},
+		},
+		&types.Node{
+			ID:        2,
+			GivenName: "user-kris",
+			User:      &users[1],
+			UserID:    &users[1].ID,
+			IPv4:      ptrAddr("100.110.121.96"),
+			IPv6:      ptrAddr("fd7a:115c:a1e0::1737:7960"),
+			Hostinfo:  &tailcfg.Hostinfo{},
+		},
+		&types.Node{
+			ID:        3,
+			GivenName: "user-mon",
+			User:      &users[2],
+			UserID:    &users[2].ID,
+			IPv4:      ptrAddr("100.103.90.82"),
+			IPv6:      ptrAddr("fd7a:115c:a1e0::9e37:5a52"),
+			Hostinfo:  &tailcfg.Hostinfo{},
+		},
+		&types.Node{
+			ID:        4,
+			GivenName: "tagged-server",
+			IPv4:      ptrAddr("100.108.74.26"),
+			IPv6:      ptrAddr("fd7a:115c:a1e0::b901:4a87"),
+			Tags:      []string{"tag:server"},
+			Hostinfo:  &tailcfg.Hostinfo{},
+		},
+		&types.Node{
+			ID:        5,
+			GivenName: "tagged-prod",
+			IPv4:      ptrAddr("100.103.8.15"),
+			IPv6:      ptrAddr("fd7a:115c:a1e0::5b37:80f"),
+			Tags:      []string{"tag:prod"},
+			Hostinfo:  &tailcfg.Hostinfo{},
+		},
+	}
+}
+
+// convertSSHPolicyEmails converts Tailscale SaaS email domains to
+// headscale-compatible format in the raw policy JSON.
+//
+// Tailscale uses provider-specific email formats:
+//   - kratail2tid@passkey (passkey auth)
+//   - kristoffer@dalby.cc (email auth — kept as-is)
+//   - monitorpasskeykradalby@passkey (passkey auth)
+//
+// The @passkey domain is converted to @example.com. The @dalby.cc domain
+// is kept as-is to preserve localpart matching semantics (kristoffer should
+// NOT match localpart:*@example.com, just as it doesn't match
+// localpart:*@passkey in Tailscale SaaS).
+func convertSSHPolicyEmails(s string) string {
+	s = strings.ReplaceAll(s, "@passkey", "@example.com")
+
+	return s
+}
+
+// constructSSHFullPolicy builds a complete headscale policy from the
+// ssh_section captured from Tailscale SaaS.
+//
+// The base policy includes:
+//   - groups matching the Tailscale test environment
+//   - tagOwners for tag:server and tag:prod
+//   - A permissive ACL allowing all traffic (matches the grants wildcard
+//     in the original Tailscale policy)
+//   - The SSH section from the test file
+func constructSSHFullPolicy(sshSection json.RawMessage) string {
+	// Base policy template with groups, tagOwners, and ACLs
+	// User references match the converted email addresses.
+	const basePolicyPrefix = `{
+	"groups": {
+		"group:admins": ["kratail2tid@example.com"],
+		"group:developers": ["kristoffer@dalby.cc", "kratail2tid@example.com"],
+		"group:empty": []
+	},
+	"tagOwners": {
+		"tag:server": ["kratail2tid@example.com"],
+		"tag:prod": ["kratail2tid@example.com"]
+	},
+	"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]`
+
+	// Handle null or empty SSH section
+	if len(sshSection) == 0 || string(sshSection) == "null" {
+		// No SSH section at all (like SSH-E4)
+		return basePolicyPrefix + "\n}"
+	}
+
+	sshStr := string(sshSection)
+
+	// Convert Tailscale email domains
+	sshStr = convertSSHPolicyEmails(sshStr)
+
+	return basePolicyPrefix + `,
+	"ssh": ` + sshStr + "\n}"
+}
+
+// loadSSHTestFile loads and parses a single SSH test JSON file.
+func loadSSHTestFile(t *testing.T, path string) sshTestFile {
+	t.Helper()
+
+	content, err := os.ReadFile(path)
+	require.NoError(t, err, "failed to read test file %s", path)
+
+	var tf sshTestFile
+
+	err = json.Unmarshal(content, &tf)
+	require.NoError(t, err, "failed to parse test file %s", path)
+
+	return tf
+}
+
+// sshSkipReasons documents why each skipped test fails and what needs to be
+// fixed. Tests are grouped by root cause to identify high-impact changes.
+//
+// 37 of 39 tests are expected to pass.
+var sshSkipReasons = map[string]string{
+	// user:*@domain source alias not yet implemented.
+	// These tests use "src": ["user:*@passkey"] which requires UserWildcard
+	// alias type support. Will be added in a follow-up PR that implements
+	// user:*@domain across all contexts (ACLs, grants, tagOwners, autoApprovers).
+	"SSH-B5":  "user:*@domain source alias not yet implemented",
+	"SSH-D10": "user:*@domain source alias not yet implemented",
+}
+
+// TestSSHDataCompat is a data-driven test that loads all SSH-*.json test files
+// captured from Tailscale SaaS and compares headscale's SSH policy compilation
+// against the real Tailscale behavior.
+//
+// Each JSON file contains:
+//   - The SSH section of the policy
+//   - Expected SSH rules per node (5 nodes)
+//
+// The test constructs a full headscale policy from the SSH section, converts
+// Tailscale user email formats to headscale format, and runs the policy
+// through unmarshalPolicy and compileSSHPolicy.
+func TestSSHDataCompat(t *testing.T) {
+	t.Parallel()
+
+	files, err := filepath.Glob(
+		filepath.Join("testdata", "ssh_results", "SSH-*.json"),
+	)
+	require.NoError(t, err, "failed to glob test files")
+	require.NotEmpty(
+		t,
+		files,
+		"no SSH-*.json test files found in testdata/ssh_results/",
+	)
+
+	t.Logf("Loaded %d SSH test files", len(files))
+
+	users := setupSSHDataCompatUsers()
+	nodes := setupSSHDataCompatNodes(users)
+
+	for _, file := range files {
+		tf := loadSSHTestFile(t, file)
+
+		t.Run(tf.TestID, func(t *testing.T) {
+			t.Parallel()
+
+			// Check if this test is in the skip list
+			if reason, ok := sshSkipReasons[tf.TestID]; ok {
+				t.Skipf(
+					"TODO: %s — see sshSkipReasons comments for details",
+					reason,
+				)
+
+				return
+			}
+
+			// Construct full policy from SSH section
+			policyJSON := constructSSHFullPolicy(tf.SSHSection)
+
+			pol, err := unmarshalPolicy([]byte(policyJSON))
+			require.NoError(
+				t,
+				err,
+				"%s: policy should parse successfully\nPolicy:\n%s",
+				tf.TestID,
+				policyJSON,
+			)
+
+			for nodeName, capture := range tf.Nodes {
+				t.Run(nodeName, func(t *testing.T) {
+					node := findNodeByGivenName(nodes, nodeName)
+					require.NotNilf(
+						t,
+						node,
+						"node %s not found in test setup",
+						nodeName,
+					)
+
+					// Compile headscale SSH policy for this node
+					gotSSH, err := pol.compileSSHPolicy(
+						"unused-server-url",
+						users,
+						node.View(),
+						nodes.ViewSlice(),
+					)
+					require.NoError(
+						t,
+						err,
+						"%s/%s: failed to compile SSH policy",
+						tf.TestID,
+						nodeName,
+					)
+
+					// Parse expected rules from JSON capture
+					var wantRules []*tailcfg.SSHRule
+					if len(capture.Rules) > 0 &&
+						string(capture.Rules) != "null" {
+						err = json.Unmarshal(capture.Rules, &wantRules)
+						require.NoError(
+							t,
+							err,
+							"%s/%s: failed to unmarshal expected rules",
+							tf.TestID,
+							nodeName,
+						)
+					}
+
+					// Build expected SSHPolicy from the rules
+					var wantSSH *tailcfg.SSHPolicy
+					if len(wantRules) > 0 {
+						wantSSH = &tailcfg.SSHPolicy{Rules: wantRules}
+					}
+
+					// Normalize: treat empty-rules SSHPolicy as nil
+					if gotSSH != nil && len(gotSSH.Rules) == 0 {
+						gotSSH = nil
+					}
+
+					// Compare headscale output against Tailscale expected.
+					// EquateEmpty treats nil and empty slices as equal.
+					// Sort principals within rules (order doesn't matter).
+					// Do NOT sort rules — order matters (first-match-wins).
+					opts := cmp.Options{
+						cmpopts.SortSlices(func(a, b *tailcfg.SSHPrincipal) bool {
+							return a.NodeIP < b.NodeIP
+						}),
+						cmpopts.EquateEmpty(),
+					}
+					if diff := cmp.Diff(wantSSH, gotSSH, opts...); diff != "" {
+						t.Errorf(
+							"%s/%s: SSH policy mismatch (-tailscale +headscale):\n%s",
+							tf.TestID,
+							nodeName,
+							diff,
+						)
+					}
+				})
+			}
+		})
+	}
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A1.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A1.json
@@ -0,0 +1,51 @@
+{
+  "test_id": "SSH-A1",
+  "policy_file": "ssh_policies/ssh_a1.json",
+  "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] }],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A2.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A2.json
@@ -0,0 +1,53 @@
+{
+  "test_id": "SSH-A2",
+  "policy_file": "ssh_policies/ssh_a2.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A3.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A3.json
@@ -0,0 +1,58 @@
+{
+  "test_id": "SSH-A3",
+  "policy_file": "ssh_policies/ssh_a3.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["autogroup:self"],
+      "users": ["root", "autogroup:nonroot"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A4.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A4.json
@@ -0,0 +1,32 @@
+{
+  "test_id": "SSH-A4",
+  "policy_file": "ssh_policies/ssh_a4.json",
+  "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["ubuntu"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A5.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A5.json
@@ -0,0 +1,34 @@
+{
+  "test_id": "SSH-A5",
+  "policy_file": "ssh_policies/ssh_a5.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root", "ubuntu"] }
+  ],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A6.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A6.json
@@ -0,0 +1,98 @@
+{
+  "test_id": "SSH-A6",
+  "policy_file": "ssh_policies/ssh_a6.json",
+  "ssh_section": [
+    {
+      "action": "check",
+      "src": [
+        "autogroup:member"
+      ],
+      "dst": [
+        "autogroup:self"
+      ],
+      "users": [
+        "root"
+      ]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 43200000000000
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.110.121.96"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::1737:7960"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 43200000000000
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 43200000000000
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": []
+    },
+    "tagged-prod": {
+      "rules": []
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A7.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A7.json
@@ -0,0 +1,99 @@
+{
+  "test_id": "SSH-A7",
+  "policy_file": "ssh_policies/ssh_a7.json",
+  "ssh_section": [
+    {
+      "action": "check",
+      "src": [
+        "autogroup:member"
+      ],
+      "dst": [
+        "autogroup:self"
+      ],
+      "users": [
+        "root"
+      ],
+      "checkPeriod": "1h"
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.110.121.96"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::1737:7960"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": []
+    },
+    "tagged-prod": {
+      "rules": []
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-A8.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-A8.json
@@ -0,0 +1,99 @@
+{
+  "test_id": "SSH-A8",
+  "policy_file": "ssh_policies/ssh_a8.json",
+  "ssh_section": [
+    {
+      "action": "check",
+      "src": [
+        "autogroup:member"
+      ],
+      "dst": [
+        "autogroup:self"
+      ],
+      "users": [
+        "root"
+      ],
+      "checkPeriod": "always"
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 0
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.110.121.96"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::1737:7960"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 0
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 0
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": []
+    },
+    "tagged-prod": {
+      "rules": []
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-B1.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B1.json
@@ -0,0 +1,25 @@
+{
+  "test_id": "SSH-B1",
+  "policy_file": "ssh_policies/ssh_b1.json",
+  "ssh_section": [{ "action": "accept", "src": ["kristoffer@dalby.cc"], "dst": ["tag:server"], "users": ["root"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-B2.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B2.json
@@ -0,0 +1,30 @@
+{
+  "test_id": "SSH-B2",
+  "policy_file": "ssh_policies/ssh_b2.json",
+  "ssh_section": [{ "action": "accept", "src": ["group:developers"], "dst": ["tag:server"], "users": ["root"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-B3.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B3.json
@@ -0,0 +1,25 @@
+{
+  "test_id": "SSH-B3",
+  "policy_file": "ssh_policies/ssh_b3.json",
+  "ssh_section": [{ "action": "accept", "src": ["tag:prod"], "dst": ["tag:server"], "users": ["root"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-B5.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B5.json
@@ -0,0 +1,30 @@
+{
+  "test_id": "SSH-B5",
+  "policy_file": "ssh_policies/ssh_b5.json",
+  "ssh_section": [{ "action": "accept", "src": ["user:*@passkey"], "dst": ["tag:server"], "users": ["root"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-B6.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-B6.json
@@ -0,0 +1,30 @@
+{
+  "test_id": "SSH-B6",
+  "policy_file": "ssh_policies/ssh_b6.json",
+  "ssh_section": [{ "action": "accept", "src": ["autogroup:tagged"], "dst": ["tag:server"], "users": ["root"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.8.15" },
+            { "nodeIP": "100.108.74.26" },
+            { "nodeIP": "fd7a:115c:a1e0::5b37:80f" },
+            { "nodeIP": "fd7a:115c:a1e0::b901:4a87" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-C1.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C1.json
@@ -0,0 +1,51 @@
+{
+  "test_id": "SSH-C1",
+  "policy_file": "ssh_policies/ssh_c1.json",
+  "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] }],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-C2.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C2.json
@@ -0,0 +1,32 @@
+{
+  "test_id": "SSH-C2",
+  "policy_file": "ssh_policies/ssh_c2.json",
+  "ssh_section": [{ "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-C3.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C3.json
@@ -0,0 +1,27 @@
+{
+  "test_id": "SSH-C3",
+  "policy_file": "ssh_policies/ssh_c3.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["kristoffer@dalby.cc"], "dst": ["kristoffer@dalby.cc"], "users": ["root"] }
+  ],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": { "rules": [] },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-C4.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-C4.json
@@ -0,0 +1,54 @@
+{
+  "test_id": "SSH-C4",
+  "policy_file": "ssh_policies/ssh_c4.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server", "tag:prod"], "users": ["root"] }
+  ],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D10.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D10.json
@@ -0,0 +1,103 @@
+{
+  "test_id": "SSH-D10",
+  "policy_file": "ssh_policies/ssh_d10.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["user:*@passkey"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": { "rules": [] },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D11.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D11.json
@@ -0,0 +1,131 @@
+{
+  "test_id": "SSH-D11",
+  "policy_file": "ssh_policies/ssh_d11.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["localpart:*@passkey", "ubuntu"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D12.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D12.json
@@ -0,0 +1,131 @@
+{
+  "test_id": "SSH-D12",
+  "policy_file": "ssh_policies/ssh_d12.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["localpart:*@passkey", "ubuntu"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "", "ubuntu": "ubuntu" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D2.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D2.json
@@ -0,0 +1,126 @@
+{
+  "test_id": "SSH-D2",
+  "policy_file": "ssh_policies/ssh_d2.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D3.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D3.json
@@ -0,0 +1,126 @@
+{
+  "test_id": "SSH-D3",
+  "policy_file": "ssh_policies/ssh_d3.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey", "root"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D4.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D4.json
@@ -0,0 +1,131 @@
+{
+  "test_id": "SSH-D4",
+  "policy_file": "ssh_policies/ssh_d4.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["localpart:*@passkey", "autogroup:nonroot"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D5.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D5.json
@@ -0,0 +1,131 @@
+{
+  "test_id": "SSH-D5",
+  "policy_file": "ssh_policies/ssh_d5.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["localpart:*@passkey", "root", "autogroup:nonroot"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D6.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D6.json
@@ -0,0 +1,131 @@
+{
+  "test_id": "SSH-D6",
+  "policy_file": "ssh_policies/ssh_d6.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["localpart:*@passkey", "autogroup:nonroot"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D7.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D7.json
@@ -0,0 +1,131 @@
+{
+  "test_id": "SSH-D7",
+  "policy_file": "ssh_policies/ssh_d7.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["localpart:*@passkey", "root", "autogroup:nonroot"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "*": "=", "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D8.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D8.json
@@ -0,0 +1,73 @@
+{
+  "test_id": "SSH-D8",
+  "policy_file": "ssh_policies/ssh_d8.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["localpart:*@passkey"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-D9.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-D9.json
@@ -0,0 +1,78 @@
+{
+  "test_id": "SSH-D9",
+  "policy_file": "ssh_policies/ssh_d9.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["autogroup:self"],
+      "users": ["localpart:*@passkey", "root"]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-E3.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E3.json
@@ -0,0 +1,12 @@
+{
+  "test_id": "SSH-E3",
+  "policy_file": "ssh_policies/ssh_e3.json",
+  "ssh_section": [],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-E4.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E4.json
@@ -0,0 +1,12 @@
+{
+  "test_id": "SSH-E4",
+  "policy_file": "ssh_policies/ssh_e4.json",
+  "ssh_section": null,
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": { "rules": [] },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-E5.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E5.json
@@ -0,0 +1,38 @@
+{
+  "test_id": "SSH-E5",
+  "policy_file": "ssh_policies/ssh_e5.json",
+  "ssh_section": [{ "action": "accept", "src": ["tag:prod"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.8.15" }, { "nodeIP": "fd7a:115c:a1e0::5b37:80f" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-E6.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-E6.json
@@ -0,0 +1,240 @@
+{
+  "test_id": "SSH-E6",
+  "policy_file": "ssh_policies/ssh_e6.json",
+  "ssh_section": [
+    {
+      "action": "check",
+      "src": [
+        "autogroup:member"
+      ],
+      "dst": [
+        "tag:server"
+      ],
+      "users": [
+        "localpart:*@passkey"
+      ],
+      "checkPeriod": "1h"
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            }
+          ],
+          "sshUsers": {
+            "root": ""
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        },
+        {
+          "principals": [
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            }
+          ],
+          "sshUsers": {
+            "kratail2tid": "kratail2tid"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.110.121.96"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::1737:7960"
+            }
+          ],
+          "sshUsers": {
+            "root": ""
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "root": ""
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        },
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "monitorpasskeykradalby": "monitorpasskeykradalby"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            }
+          ],
+          "sshUsers": {
+            "root": ""
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        },
+        {
+          "principals": [
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            }
+          ],
+          "sshUsers": {
+            "kratail2tid": "kratail2tid"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        },
+        {
+          "principals": [
+            {
+              "nodeIP": "100.110.121.96"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::1737:7960"
+            }
+          ],
+          "sshUsers": {
+            "root": ""
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        },
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "root": ""
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        },
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "monitorpasskeykradalby": "monitorpasskeykradalby"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 3600000000000
+          }
+        }
+      ]
+    },
+    "tagged-prod": {
+      "rules": []
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-F1.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F1.json
@@ -0,0 +1,74 @@
+{
+  "test_id": "SSH-F1",
+  "policy_file": "ssh_policies/ssh_f1.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root"] },
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["autogroup:nonroot"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-F2.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F2.json
@@ -0,0 +1,111 @@
+{
+  "test_id": "SSH-F2",
+  "policy_file": "ssh_policies/ssh_f2.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": [
+        "autogroup:member"
+      ],
+      "dst": [
+        "tag:server"
+      ],
+      "users": [
+        "root"
+      ]
+    },
+    {
+      "action": "check",
+      "src": [
+        "autogroup:member"
+      ],
+      "dst": [
+        "tag:server"
+      ],
+      "users": [
+        "root"
+      ]
+    }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": []
+    },
+    "user-kris": {
+      "rules": []
+    },
+    "user-mon": {
+      "rules": []
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "100.110.121.96"
+            },
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::1737:7960"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "holdAndDelegate": "unused-server-url/machine/ssh/action/from/$SRC_NODE_ID/to/$DST_NODE_ID?ssh_user=$SSH_USER&local_user=$LOCAL_USER",
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true,
+            "sessionDuration": 43200000000000
+          }
+        },
+        {
+          "principals": [
+            {
+              "nodeIP": "100.103.90.82"
+            },
+            {
+              "nodeIP": "100.110.121.96"
+            },
+            {
+              "nodeIP": "100.90.199.68"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::1737:7960"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::2d01:c747"
+            },
+            {
+              "nodeIP": "fd7a:115c:a1e0::9e37:5a52"
+            }
+          ],
+          "sshUsers": {
+            "root": "root"
+          },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": {
+      "rules": []
+    }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-F3.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F3.json
@@ -0,0 +1,144 @@
+{
+  "test_id": "SSH-F3",
+  "policy_file": "ssh_policies/ssh_f3.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] },
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-F4.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F4.json
@@ -0,0 +1,144 @@
+{
+  "test_id": "SSH-F4",
+  "policy_file": "ssh_policies/ssh_f4.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] },
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["autogroup:nonroot"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "*": "=", "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-F5.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F5.json
@@ -0,0 +1,177 @@
+{
+  "test_id": "SSH-F5",
+  "policy_file": "ssh_policies/ssh_f5.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["localpart:*@passkey"] },
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-G1.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-G1.json
@@ -0,0 +1,41 @@
+{
+  "test_id": "SSH-G1",
+  "policy_file": "ssh_policies/ssh_g1.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["root"],
+      "acceptEnv": ["GIT_EDITOR", "TERM"]
+    }
+  ],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          },
+          "acceptEnv": ["GIT_EDITOR", "TERM"]
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-G2.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-G2.json
@@ -0,0 +1,41 @@
+{
+  "test_id": "SSH-G2",
+  "policy_file": "ssh_policies/ssh_g2.json",
+  "ssh_section": [
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["tag:server"],
+      "users": ["root"],
+      "acceptEnv": ["GIT_*", "CUSTOM_VAR_?"]
+    }
+  ],
+  "nodes": {
+    "user1": { "rules": [] },
+    "user-kris": { "rules": [] },
+    "user-mon": { "rules": [] },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          },
+          "acceptEnv": ["GIT_*", "CUSTOM_VAR_?"]
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}