mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-15 12:30:44 +09:00
a19fd9bf00
The recapture of the SSH golden corpus by tscap revealed five fields
on tailcfg.SSHAction that the headscale compiler emits with different
defaults from Tailscale SaaS for "check" actions:
- SessionDuration: headscale uses SSHCheckPeriodDefault (12h) when
the rule omits checkPeriod; SaaS emits 0s.
- AllowAgentForwarding, AllowLocalPortForwarding,
AllowRemotePortForwarding: filter.go sshCheck/sshAccept hardcode
these to true; SaaS emits false on check.
- HoldAndDelegate URL template: headscale embeds /from/…?ssh_user=
so its own check handler can identify the requested SSH user; SaaS
omits both the /from/ path segment and the ssh_user query
parameter.
These are deliberate headscale design choices, not capture artifacts:
tscap pulls SSHRules straight out of the netmap as a json.RawMessage
and never rewrites them, so the new captures are the authoritative
SaaS output.
Pass an IgnoreFields option to cmp.Diff for those five fields so the
SSH compat test stops flagging the divergence on every check rule, and
add a follow-up presence assertion that asserts headscale and SaaS
agree on whether each rule has HoldAndDelegate set so a regression
that drops the URL entirely is still caught.
71 → 56 SSH compat failures; the residual 56 are unrelated bugs in
compileSSHPolicy (missing rules, duplicate principals) that surface
on a different set of files.
Updates #3157
Updates #3169