Kristoffer Dalby
2bf1200483
policy: fix autogroup:self propagation and optimize cache invalidation ( #2807 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
2025-10-23 17:57:41 +02:00
Kristoffer Dalby
66826232ff
integration: add tests for api bypass ( #2811 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
2025-10-22 16:30:25 +02:00
Kristoffer Dalby
1cdea7ed9b
stricter hostname validation and replace ( #2383 )
2025-10-22 13:50:39 +02:00
Kristoffer Dalby
c87471136b
integration: eventually fixups ( #2799 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
2025-10-17 08:28:30 +02:00
Kristoffer Dalby
4912769ab3
update dependencies ( #2798 )
2025-10-16 19:03:30 +02:00
Stavros Kois
c07cc491bf
add health command ( #2659 )
...
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Deploy docs / deploy (push) Has been cancelled
Tests / test (push) Has been cancelled
* add health command
* update health check implementation to allow for more checks to added over time
* add change changelog entry
2025-10-16 12:00:11 +00:00
Vitalij Dovhanyc
c2a58a304d
feat: add autogroup:self ( #2789 )
2025-10-16 12:59:52 +02:00
Kristoffer Dalby
fddc7117e4
stability and race conditions in auth and node store ( #2781 )
...
This PR addresses some consistency issues that was introduced or discovered with the nodestore.
nodestore:
Now returns the node that is being put or updated when it is finished. This closes a race condition where when we read it back, we do not necessarily get the node with the given change and it ensures we get all the other updates from that batch write.
auth:
Authentication paths have been unified and simplified. It removes a lot of bad branches and ensures we only do the minimal work.
A comprehensive auth test set has been created so we do not have to run integration tests to validate auth and it has allowed us to generate test cases for all the branches we currently know of.
integration:
added a lot more tooling and checks to validate that nodes reach the expected state when they come up and down. Standardised between the different auth models. A lot of this is to support or detect issues in the changes to nodestore (races) and auth (inconsistencies after login and reaching correct state)
This PR was assisted, particularly tests, by claude code.
2025-10-16 12:17:43 +02:00
Andrey Bobelev
c4a8c038cd
fix: return valid AuthUrl in followup request on expired reg id
...
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
- tailscale client gets a new AuthUrl and sets entry in the regcache
- regcache entry expires
- client doesn't know about that
- client always polls followup request а gets error
When user clicks "Login" in the app (after cache expiry), they visit
invalid URL and get "node not found in registration cache". Some clients
on Windows for e.g. can't get a new AuthUrl without restart the app.
To fix that we can issue a new reg id and return user a new valid
AuthUrl.
RegisterNode is refactored to be created with NewRegisterNode() to
autocreate channel and other stuff.
2025-10-11 05:57:39 +02:00
Kristoffer Dalby
2938d03878
policy: reject unsupported fields ( #2764 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
2025-09-12 14:47:56 +02:00
Kristoffer Dalby
4893cdac74
integration: make timestamp const
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
476f30ab20
state: ensure netinfo is preserved and not removed
...
the client will send a lot of fields as `nil` if they have
not changed. NetInfo, which is inside Hostinfo, is one of those
fields and we often would override the whole hostinfo meaning that
we would remove netinfo if it hadnt changed.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
233dffc186
lint and leftover
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
9b962956b5
integration: Eventually, debug output, lint and format
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
3b16b75fe6
integration: rework retry for waiting for node sync
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
9d236571f4
state/nodestore: in memory representation of nodes
...
Initial work on a nodestore which stores all of the nodes
and their relations in memory with relationship for peers
precalculated.
It is a copy-on-write structure, replacing the "snapshot"
when a change to the structure occurs. It is optimised for reads,
and while batches are not fast, they are grouped together
to do less of the expensive peer calculation if there are many
changes rapidly.
Writes will block until commited, while reads are never
blocked.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
306d8e1bd4
integration: validate expected online status in ping
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
4927e9d590
fix: improve mapresponses and profiles extraction in hi tool
...
- Fix directory hierarchy flattening by using full paths instead of filepath.Base()
- Remove redundant container hostname prefixes from directory names
- Strip top-level directory from tar extraction to avoid nested structure
- Ensure parent directories exist before creating files
- Results in clean structure: control_logs/mapresponses/1-ts-client/file.json
2025-09-09 09:40:00 +02:00
Kristoffer Dalby
8e25f7f9dd
bunch of qol ( #2748 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
2025-08-27 17:09:13 +02:00
Kristoffer Dalby
a058bf3cd3
mapper: produce map before poll ( #2628 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-07-28 11:15:53 +02:00
Kristoffer Dalby
9779adc0b7
integration: run headscale with delve and debug symbols ( #2689 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-07-24 17:44:09 +02:00
Kian-Meng Ang
3123d5286b
Fix typos
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Deploy docs / deploy (push) Waiting to run
Tests / test (push) Waiting to run
Found via `codespell -L shs,hastable,userr`
2025-07-21 12:06:07 +02:00
Kristoffer Dalby
044193bf34
integration: Use Eventually around external calls ( #2685 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=386 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Deploy docs / deploy (push) Has been cancelled
Tests / test (push) Has been cancelled
2025-07-13 17:37:11 +02:00
Kristoffer Dalby
c6d7b512bd
integration: replace time.Sleep with assert.EventuallyWithT ( #2680 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=386 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-07-10 23:38:55 +02:00
Kristoffer Dalby
afc11e1f0c
cmd/hi: fixes and qol ( #2649 )
2025-06-23 13:43:14 +02:00
seiuneko
d325211617
feat: add verify client config for embedded DERP ( #2260 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* feat: add verify client config for embedded DERP
* refactor: embedded DERP no longer verify clients via HTTP
- register the `headscale://` protocol in `http.DefaultTransport` to intercept network requests
- update configuration to use a single boolean option `verify_clients`
* refactor: use `http.HandlerFunc` for type definition
* refactor: some renaming and restructuring
* chore: some renaming and fix lint
* test: fix TestDERPVerifyEndpoint
- `tailscale debug derp` use random node private key
* test: add verify clients integration test for embedded DERP server
* fix: apply code review suggestions
* chore: merge upstream changes
* fix: apply code review suggestions
---------
Co-authored-by: Kristoffer Dalby <kristoffer@dalby.cc >
2025-06-18 09:24:53 +02:00
Greg Dietsche
d2879b2b36
web: change node registration parameter order ( #2607 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
This change makes editing the generated command easier.
For example, after pasting into a terminal, the cursor position will be
near the username portion which requires editing.
2025-05-21 11:18:53 +02:00
Kristoffer Dalby
a52f1df180
policy: remove v1 code ( #2600 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* policy: remove v1 code
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* db: update test with v1 removal
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: start moving to v2 policy
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: add ssh unmarshal tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog: add entry
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: remove v1 comment
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: remove comment out case
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* cleanup skipv1
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: remove v1 prefix workaround
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: add all node ips if prefix/host is ts ip
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-20 13:57:26 +02:00
Vitalij Dovhanyc
6750414db1
feat: add autogroup:member, autogroup:tagged ( #2572 )
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
Deploy docs / deploy (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-05-17 11:07:34 +02:00
Kristoffer Dalby
43943aeee9
bring back last_seen in database ( #2579 )
...
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=386 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
* db: add back last_seen to the database
Fixes #2574
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: ensure last_seen is set
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-10 09:49:08 +02:00
Kristoffer Dalby
45e38cb080
policy: reduce routes sent to peers based on packetfilter ( #2561 )
...
* notifier: use convenience funcs
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: reduce routes based on policy
Fixes #2365
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* hsic: more helper methods
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: more test cases
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: add route with filter acl integration test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: correct route reduce test, now failing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* mapper: compare peer routes against node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* hs: more output to debug strings
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* types/node: slice.ContainsFunc
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: more reduce route test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog: add entry for route filter
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-04 21:52:47 +02:00
Kristoffer Dalby
b9868f6516
Make more granular SSH tests for both Policies ( #2555 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* policy/v1: dont consider empty if ssh has rules
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: add autogroup and ssh validation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: replace old ssh tests with more granular test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: skip v1 tests expected to fail (missing error handling)
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: skip v1 group tests, old bugs wont be fixed
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: user valid policy for ssh
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* Changelog, add ssh section
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* nix update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-04 12:05:41 +00:00
Kristoffer Dalby
eb1ecefd9e
auth: ensure that routes are autoapproved when the node is stored ( #2550 )
...
* integration: ensure route is set before node joins, reproduce
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* auth: ensure that routes are autoapproved when the node is stored
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-01 07:05:42 +02:00
Kristoffer Dalby
6b6509eeeb
notify nodes after owner change ( #2543 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* proto: user id as identifier for move node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* gen: regenr
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* grpc: move, use userid, one tx, send update
Updates #2467
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: update move cli tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-30 18:33:38 +02:00
Kristoffer Dalby
8f9fbf16f1
types/authkey: include user object in response ( #2542 )
...
* types/authkey: include user object, not string
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* make preauthkeys use id
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: wire up user id for auth keys
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-30 11:45:08 +02:00
Kristoffer Dalby
f1206328dc
fix webauth + autoapprove routes ( #2528 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* types/node: add helper funcs for node tags
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* types/node: add DebugString method for node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: add String func to AutoApprover interface
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: simplify, use slices.Contains
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: debug, use nodes.DebugString
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v1: fix potential nil pointer in NodeCanApproveRoute
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v1: slices.Contains
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration/tsic: fix diff in login commands
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: fix webauth running with wrong scenario
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: move common oidc opts to func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: require node count, more verbose
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* auth: remove uneffective route approve
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* .github/workflows: fmt
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration/tsic: add id func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: remove call that might be nil
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: test autoapprovers against web/authkey x group/tag/user
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: unique network id per scenario
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* Revert "integration: move common oidc opts to func"
This reverts commit 7e9d165d4a900c304f1083b665f1a24a26e06e55.
* remove cmd
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: clean docker images between runs in ci
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: run autoapprove test against differnt policy modes
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration/tsic: append, not overrwrite extra login args
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* .github/workflows: remove polv2
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-30 07:54:04 +02:00
Kristoffer Dalby
57861507ab
integration: remove failing resolvconf tests ( #2549 )
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-30 07:52:23 +02:00
Kristoffer Dalby
2b38f7bef7
policy/v2: make default ( #2546 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* policy/v2: make default
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: do not run v1 tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: fix potential nil pointers
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* mapper: fix test failures in v2
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-29 16:27:41 +02:00
Kristoffer Dalby
f783555469
integration: clean up unreferenced hs- networks ( #2534 )
2025-04-18 12:06:28 +02:00
nblock
1e0516b99d
Restore support for "Override local DNS" ( #2438 )
...
Tailscale allows to override the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name `dns.override_local_dns` but disable it by default to align it with
Tailscale's default behaviour.
Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.
With `dns.override_local_dns: false`:
```
Link 12 (tailscale0)
Current Scopes: DNS
Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 100.100.100.100
DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]
```
With `dns.override_local_dns: true`:
```
Link 12 (tailscale0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 100.100.100.100
DNS Domain: tn.example.com ~.
```
[1] https://tailscale.com/kb/1054/dns#override-local-dns
Fixes : #2256
2025-04-17 17:16:59 +02:00
Nick
109989005d
ensure final dot on node name ( #2503 )
...
* ensure final dot on node name
This ensures that nodes which have a base domain set, will have a dot appended to their FQDN.
Resolves: https://github.com/juanfont/headscale/issues/2501
* improve OIDC TTL expire test
Waiting a bit more than the TTL of the OIDC token seems to remove some flakiness of this test. This furthermore makes use of a go func safe buffer which should avoid race conditions.
2025-04-11 12:39:08 +02:00
Kristoffer Dalby
5a18e91317
fix auto approver on register and new policy ( #2506 )
...
* fix issue auto approve route on register bug
This commit fixes an issue where routes where not approved
on a node during registration. This cause the auto approval
to require the node to readvertise the routes.
Fixes #2497
Fixes #2485
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* hsic: only set db policy if exist
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: calculate changed based on policy and filter
v1 is a bit simpler than v2, it does not pre calculate the auto approver map
and we cannot tell if it is changed.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-03-31 15:55:07 +02:00
Kristoffer Dalby
e3521be705
allow users to be defined with @ in v1 ( #2495 )
...
* allow users to be defined with @ in v1
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* remove integration test rewrite hack
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* remove test rewrite hack
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* add @ to integration tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* a bit to agressive removeals
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* fix last test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-03-30 11:19:05 +00:00
Kristoffer Dalby
cbc99010f0
populate serving from primary routes ( #2489 )
...
* populate serving from primary routes
Depends on #2464
Fixes #2480
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* also exit
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* fix route update outside of connection
there was a bug where routes would not be updated if
they changed while a node was connected and it was not part of an
autoapprove.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update expected test output, cli only shows service node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-03-28 13:22:15 +01:00
Kristoffer Dalby
603f3ad490
Multi network integration tests ( #2464 )
2025-03-21 11:49:32 +01:00
Kristoffer Dalby
87326f5c4f
Experimental implementation of Policy v2 ( #2214 )
...
* utility iterator for ipset
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* split policy -> policy and v1
This commit split out the common policy logic and policy implementation
into separate packages.
policy contains functions that are independent of the policy implementation,
this typically means logic that works on tailcfg types and generic formats.
In addition, it defines the PolicyManager interface which the v1 implements.
v1 is a subpackage which implements the PolicyManager using the "original"
policy implementation.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* use polivyv1 definitions in integration tests
These can be marshalled back into JSON, which the
new format might not be able to.
Also, just dont change it all to JSON strings for now.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* formatter: breaks lines
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* remove compareprefix, use tsaddr version
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* remove getacl test, add back autoapprover
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* use policy manager tag handling
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* rename display helper for user
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* introduce policy v2 package
policy v2 is built from the ground up to be stricter
and follow the same pattern for all types of resolvers.
TODO introduce
aliass
resolver
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* wire up policyv2 in integration testing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* split policy v2 tests into seperate workflow to work around github limit
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* add policy manager output to /debug
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-03-10 16:20:29 +01:00
Kristoffer Dalby
7891378f57
Redo route code ( #2422 )
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-26 16:22:55 +01:00
Kristoffer Dalby
16868190c8
fix double login URL with OIDC ( #2445 )
...
* factor out login url parser
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* move to not trigger test gen checker
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* return regresp or err after waiting for registration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-25 18:16:07 +01:00
Kristoffer Dalby
da2ca054b1
fix routes not being saved when new nodes registers ( #2444 )
...
* add test to validate exitnode propagation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* save routes on register
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* no nil
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* add missing integration tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-23 23:10:25 +01:00
Kristoffer Dalby
bcff0eaae7
handle register auth errors ( #2435 )
...
* handle register auth errors
This commit handles register auth errors as the
Tailscale clients expect. It returns the error as
part of a tailcfg.RegisterResponse and not as a
http error.
In addition it fixes a nil pointer panic triggered
by not handling the errors as part of this chain.
Fixes #2434
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-23 17:02:46 +01:00
