Files
headscale/hscontrol
Kristoffer Dalby 0c577301c6 policy/v2: ignore implementation-specific SSH check action fields
The recapture of the SSH golden corpus by tscap revealed five fields
on tailcfg.SSHAction that the headscale compiler emits with different
defaults from Tailscale SaaS for "check" actions:

  - SessionDuration: headscale uses SSHCheckPeriodDefault (12h) when
    the rule omits checkPeriod; SaaS emits 0s.

  - AllowAgentForwarding, AllowLocalPortForwarding,
    AllowRemotePortForwarding: filter.go sshCheck/sshAccept hardcode
    these to true; SaaS emits false on check.

  - HoldAndDelegate URL template: headscale embeds /from/…?ssh_user=
    so its own check handler can identify the requested SSH user; SaaS
    omits both the /from/ path segment and the ssh_user query
    parameter.

These are deliberate headscale design choices, not capture artifacts:
tscap pulls SSHRules straight out of the netmap as a json.RawMessage
and never rewrites them, so the new captures are the authoritative
SaaS output.

Pass an IgnoreFields option to cmp.Diff for those five fields so the
SSH compat test stops flagging the divergence on every check rule, and
add a follow-up presence assertion that asserts headscale and SaaS
agree on whether each rule has HoldAndDelegate set so a regression
that drops the URL entirely is still caught.

71 → 56 SSH compat failures; the residual 56 are unrelated bugs in
compileSSHPolicy (missing rules, duplicate principals) that surface
on a different set of files.

Updates #3157
2026-04-09 06:19:17 +00:00
..
2026-03-03 05:59:40 +01:00
2026-03-01 13:38:22 +01:00
2026-03-01 13:38:22 +01:00
2026-03-01 13:38:22 +01:00