Open
Conversation
Kraken-OffSec
commented
Sep 2, 2025
Kraken-OffSec
commented
- have read the CONTRIBUTING.md file
- raised a GitHub issue or discussed it on the projects chat beforehand
- added unit tests
- added integration tests
- updated documentation if needed
- updated CHANGELOG.md
Update ExpireApiKey and DeleteApiKey handlers to accept either ID or prefix for identifying the API key. Returns InvalidArgument error if neither or both are provided. Add tests for: - Expire by ID - Expire by prefix (backwards compatibility) - Delete by ID - Delete by prefix (backwards compatibility) - Error when neither ID nor prefix provided - Error when both ID and prefix provided Updates #2986
Add --id flag as an alternative to --prefix for expiring and deleting API keys. This allows users to use the ID shown in 'headscale apikeys list' output, which is more convenient than the prefix. Either --id or --prefix must be provided; both flags are optional but at least one is required. Updates #2986
Extend TestApiKeyCommand to test the new --id flag for expire and delete commands, verifying that API keys can be managed by their database ID in addition to the existing --prefix method. Updates #2986
When autogroup:self was combined with other ACL rules (e.g., group:admin -> *:*), tagged nodes became invisible to users who should have access. The BuildPeerMap function had two code paths: - Global filter path: used symmetric OR logic (if either can access, both see each other) - Autogroup:self path: used asymmetric logic (only add peer if that specific direction has access) This caused problems with one-way rules like admin -> tagged-server. The admin could access the server, but since the server couldn't access the admin, neither was added to the other's peer list. Fix by using symmetric visibility in the autogroup:self path, matching the global filter path behavior: if either node can access the other, both should see each other as peers. Credit: vdovhanych <vdovhanych@users.noreply.github.com> Fixes #2990
Refactor the RequestTags migration (202601121700-migrate-hostinfo-request-tags) to use PolicyManager.NodeCanHaveTag() instead of reimplementing tag validation. Changes: - NewHeadscaleDatabase now accepts *types.Config to allow migrations access to policy configuration - Add loadPolicyBytes helper to load policy from file or DB based on config - Add standalone GetPolicy(tx *gorm.DB) for use during migrations - Replace custom tag validation logic with PolicyManager Benefits: - Full HuJSON parsing support (not just JSON) - Proper group expansion via PolicyManager - Support for nested tags and autogroups - Works with both file and database policy modes - Single source of truth for tag validation Co-Authored-By: Shourya Gautam <shouryamgautam@gmail.com>
Add validation for SSH source/destination combinations that enforces Tailscale's security model: - Tags/autogroup:tagged cannot SSH to user-owned devices - autogroup:self destination requires source to contain only users/groups - Username destinations require source to be that same single user only - Wildcard (*) is no longer supported as SSH destination; use autogroup:member or autogroup:tagged instead The validateSSHSrcDstCombination() function is called during policy validation to reject invalid configurations at load time. Fixes #3009 Fixes #3010
Update unit tests to use valid SSH patterns that conform to Tailscale's security model: - Change group->user destinations to group->tag - Change tag->user destinations to tag->tag - Update expected error messages for new validation format - Add proper tagged/untagged node setup in filter tests Updates #3009 Updates #3010
- Fix deprecated flake output attributes (overlay -> overlays.default, devShell -> devShells.default, defaultPackage -> packages.default) - Use stdenv.hostPlatform.system instead of deprecated prev.system - Update grpc-gateway 2.24.0 -> 2.27.4 - Update protobuf-language-server - Update nixpkgs
Notable updates: - tailscale.com v1.86.5 -> v1.94.0 - modernc.org/sqlite v1.39.1 -> v1.44.3 - modernc.org/libc v1.66.10 -> v1.67.6 - google.golang.org/grpc v1.75.1 -> v1.78.0
tailscale.com v1.94.0 moved derp.Server to the derpserver subpackage. Update imports and type references accordingly.
Regenerated with updated grpc-gateway and tailscale dependencies.
Signed-off-by: Kristoffer Dalby <kristoffer@dalby.cc>
This always prints a TRC message on `preauthkeys create`. Since we don't print anything for `apikeys create` either we might as well remove it.
A node is expired when the requested expiration is either now or in the past.
When a PreAuthKey is deleted, the database correctly sets auth_key_id to NULL on referencing nodes via ON DELETE SET NULL. However, the NodeStore (in-memory cache) retains the old AuthKeyID value. When nodes send MapRequests (e.g., after tailscaled restart), GORM's Updates() tries to persist the stale AuthKeyID, causing a foreign key constraint error when trying to reference a deleted PreAuthKey. Fix this by adding AuthKeyID and AuthKey to the Omit() call in all three places where nodes are updated via GORM's Updates(): - persistNodeToDB (MapRequest processing) - HandleNodeFromAuthPath (re-auth via web/OIDC) - HandleNodeFromPreAuthKey (re-registration with preauth key) This tells GORM to never touch the auth_key_id column or AuthKey association during node updates, letting the database handle the foreign key relationship correctly. Added TestDeletedPreAuthKeyNotRecreatedOnNodeUpdate to verify that deleted PreAuthKeys are not recreated when nodes send MapRequests.
Previously, nodes with empty filter rules (e.g., tagged servers that are only destinations, never sources) were skipped entirely in BuildPeerMap. This could cause visibility issues when using autogroup:self with multiple user groups. Remove the len(filter) == 0 skip condition so all nodes are included in nodeMatchers. Empty filters result in empty matchers where CanAccess() returns false, but the node still needs to be in the map so symmetric visibility works correctly: if node A can access node B, both should see each other regardless of B's filter rules. Add comprehensive tests for: - Multi-group scenarios where autogroup:self is used by privileged users - Nodes with empty filters remaining visible to authorized peers - Combined access rules (autogroup:self + tags in same rule) Updates #2990
…self path In compileACLWithAutogroupSelf, when a group contains a non-existent user, Group.Resolve() returns a partial IPSet (with IPs from valid users) alongside an error. The code was discarding the entire result via `continue`, losing valid IPs. The non-autogroup-self path (compileFilterRules) already handles this correctly by logging the error and using the IPSet if non-empty. Remove the `continue` on error for both source and destination resolution, matching the existing behavior in compileFilterRules. Also reorder the IsTagged check before User().ID() comparison in the same-user node filter to prevent nil dereference on tagged nodes that have no User set. Fixes #2990
Three related issues where User().ID() is called on potentially tagged nodes without first checking IsTagged(): 1. compileACLWithAutogroupSelf: the autogroup:self block at line 166 lacks the !node.IsTagged() guard that compileSSHPolicy already has. If a tagged node is the compilation target, node.User().ID() may panic. Tagged nodes should never participate in autogroup:self. 2. compileSSHPolicy: the IsTagged() check is on the right side of &&, so n.User().ID() evaluates first and may panic before short-circuit can prevent it. Swap to !n.IsTagged() && n.User().ID() == ... to match the already-correct order in compileACLWithAutogroupSelf. 3. invalidateAutogroupSelfCache: calls User().ID() at ~10 sites without IsTagged() guards. Tagged nodes don't participate in autogroup:self, so they should be skipped when collecting affected users and during cache lookup. Tag status transitions are handled by using the non-tagged version's user ID. Fixes #2990
Per Tailscale documentation, the wildcard (*) source includes "any approved subnets" — the actually-advertised-and-approved routes from nodes, not the autoApprover policy prefixes. Change Asterix.resolve() to return just the base CGNAT+ULA set, and add approved subnet routes as separate SrcIPs entries in the filter compilation path. This preserves individual route prefixes that would otherwise be merged by IPSet (e.g., 10.0.0.0/8 absorbing 10.33.0.0/16). Also swap rule ordering in compileGrantWithAutogroupSelf() to emit non-self destination rules before autogroup:self rules, matching the Tailscale FilterRule wire format ordering. Remove the unused AutoApproverPolicy.prefixes() method. Updates #2180
Add exit route check in ReduceFilterRules to prevent exit nodes from receiving packet filter rules for destinations that only overlap via exit routes. Remove resolved SUBNET_ROUTE_FILTER_RULES grant skip entries and update error message formatting for grant validation. Updates #2180
When an ACL has non-autogroup destinations (groups, users, tags, hosts) alongside autogroup:self, emit non-self grants before self grants to match Tailscale's filter rule ordering. ACLs with only autogroup destinations (self + member) preserve the policy-defined order. This fixes ACL-A17, ACL-SF07, and ACL-SF11 compat test failures. Updates #2180
When an ACL source list contains a wildcard (*) alongside explicit sources (tags, groups, hosts, etc.), Tailscale preserves the individual IPs from non-wildcard sources in SrcIPs alongside the merged wildcard CGNAT ranges. Previously, headscale's IPSetBuilder would merge all sources into a single set, absorbing the explicit IPs into the wildcard range. Track non-wildcard resolved addresses separately during source resolution, then append their individual IP strings to the output when a wildcard is also present. This fixes the remaining 5 ACL compat test failures (K01 and M06 subtests). Updates #2180
Compile grant app fields into CapGrant FilterRules matching Tailscale SaaS behavior. Key changes: - Generate CapGrant rules in compileFilterRules and compileGrantWithAutogroupSelf, with node-specific /32 and /128 Dsts for autogroup:self grants - Add reversed companion rules for drive→drive-sharer and relay→relay-target capabilities, ordered by original cap name - Narrow broad CapGrant Dsts to node-specific prefixes in ReduceFilterRules via new reduceCapGrantRule helper - Skip merging CapGrant rules in mergeFilterRules to preserve per-capability structure - Remove ip+app mutual exclusivity validation (Tailscale accepts both) - Add semantic JSON comparison for RawMessage types and netip.Prefix comparators in test infrastructure Reduces grant compat test skips from 99 to 41 (58 newly passing). Updates #2180
Compile grants with "via" field into FilterRules that are placed only on nodes matching the via tag and actually advertising the destination subnets. Key behavior: - Filter rules go exclusively to via-nodes with matching approved routes - Destination subnets not advertised by the via node are silently dropped - App-only via grants (no ip field) produce no packet filter rules - Via grants are skipped in the global compileFilterRules since they are node-specific Reduces grant compat test skips from 41 to 30 (11 newly passing). Updates #2180
Implement comprehensive grant validation including: accept empty sources/destinations (they produce no rules), validate grant ip/app field requirements, capability name format, autogroup constraints, via tag existence, and default route CIDR restrictions. Updates #2180
Add autogroup:danger-all as a valid source alias that matches ALL IP addresses including non-Tailscale addresses. When used as a source, it resolves to 0.0.0.0/0 + ::/0 internally but produces SrcIPs: ["*"] in filter rules. When used as a destination, it is rejected with an error matching Tailscale SaaS behavior. Key changes: - Add AutoGroupDangerAll constant and validation - Add sourcesHaveDangerAll() helper and hasDangerAll parameter to srcIPsWithRoutes() across all compilation paths - Add ErrAutogroupDangerAllDst for destination rejection - Remove 3 AUTOGROUP_DANGER_ALL skip entries (K6, K7, K8) Updates #2180
compileViaGrant only handled *Prefix destinations, skipping *AutoGroup entirely. This meant via grants with dst=[autogroup:internet] produced no filter rules even when the node was an exit node with approved exit routes. Switch the destination loop from a type assertion to a type switch that handles both *Prefix (subnet routes) and *AutoGroup (exit routes via autogroup:internet). Also check ExitRoutes() in addition to SubnetRoutes() so the function doesn't bail early when a node only has exit routes. Updates #2180
Via grants steer routes to specific nodes per viewer. Until now, all clients saw the same routes for each peer because route assembly was viewer-independent. This implements per-viewer route visibility so that via-designated peers serve routes only to matching viewers, while non-designated peers have those routes withdrawn. Add ViaRouteResult type (Include/Exclude prefix lists) and ViaRoutesForPeer to the PolicyManager interface. The v2 implementation iterates via grants, resolves sources against the viewer, matches destinations against the peer's advertised routes (both subnet and exit), and categorizes prefixes by whether the peer has the via tag. Add RoutesForPeer to State which composes global primary election, via Include/Exclude filtering, exit routes, and ACL reduction. When no via grants exist, it falls back to existing behavior. Update the mapper to call RoutesForPeer per-peer instead of using a single route function for all peers. The route function now returns all routes (subnet + exit), and TailNode filters exit routes out of the PrimaryRoutes field for HA tracking. Updates #2180
Add integration tests validating that via grants correctly steer routes to designated nodes per client group: - TestGrantViaSubnetSteering: two routers advertise the same subnet, via grants steer each client group to a specific router. Verifies per-client route visibility, curl reachability, and traceroute path. - TestGrantViaExitNodeSteering: two exit nodes, via grants steer each client group to a designated exit node. Verifies exit routes are withdrawn from non-designated nodes and the client rejects setting a non-designated exit node. - TestGrantViaMixedSteering: cross-steering where subnet routes and exit routes go to different servers per client group. Verifies subnet traffic uses the subnet-designated server while exit traffic uses the exit-designated server. Also add autogroupp helper for constructing AutoGroup aliases in grant policy configurations. Updates #2180
compileFilterRules checked only pol.ACLs == nil to decide whether to return FilterAllowAll (permit-any). Policies that use only Grants (no ACLs) had nil ACLs, so the function short-circuited before compiling any CapGrant rules. This meant cap/relay, cap/drive, and any other App-based grant capabilities were silently ignored. Check both ACLs and Grants are empty before returning FilterAllowAll. Updates #2180
Add ConnectToNetwork to the TailscaleClient interface for multi-network test scenarios and implement peer relay ping support. Use these to test that cap/relay grants correctly enable peer-to-peer relay connections between tagged nodes. Updates #2180
…fecycle test Add NodeAttrsTaildriveShare and NodeAttrsTaildriveAccess to the node capability map, enabling Taildrive file sharing when granted via policy. Add integration test verifying the full cap/drive grant lifecycle. Updates #2180
Test companionCapGrantRules, sourcesHaveWildcard, sourcesHaveDangerAll, srcIPsWithRoutes, the FilterAllowAll fix for grant-only policies, compileViaGrant, compileGrantWithAutogroupSelf grant paths, and destinationsToNetPortRange autogroup:internet skipping. 51 subtests across 8 test functions covering all grant-specific code paths in filter.go that previously had no test coverage. Updates #2180
Test via route computation for viewer-peer pairs: self-steering returns empty, viewer not in source returns empty, peer without advertised destination returns empty, peer with/without via tag populates Include/Exclude respectively, mixed prefix and autogroup:internet destinations, and exit route steering. 7 subtests covering all code paths in ViaRoutesForPeer. Updates #2180
…uceRoutes filtering Add servertest grant policy control plane tests covering basic grants, via grants, and cap grants. Fix ReduceRoutes in State to apply route reduction to non-via routes first, then append via-included routes, preventing via grant routes from being incorrectly filtered. Updates #2180
Action.UnmarshalJSON produces the format 'action="unknown-action" is not supported: invalid ACL action', not the reversed format the test expected. Updates #2180
Via grants compile filter rules that depend on the node's route state (SubnetRoutes, ExitRoutes). Without per-node compilation, these rules were only included in the global filter path which explicitly skips via grants (compileFilterRules skips grants with non-empty Via fields). Add a needsPerNodeFilter flag that is true when the policy uses either autogroup:self or via grants. filterForNodeLocked now uses this flag instead of usesAutogroupSelf alone, ensuring via grant rules are compiled per-node through compileFilterRulesForNode/compileViaGrant. The filter cache also needs to account for route-dependent compilation: - nodesHavePolicyAffectingChanges now treats route changes as policy-affecting when needsPerNodeFilter is true, so SetNodes triggers updateLocked and clears caches through the normal flow. - invalidateGlobalPolicyCache now clears compiledFilterRulesMap (the unreduced per-node cache) alongside filterRulesMap when needsPerNodeFilter is true and routes changed. Updates #2180
Add three tests that verify control plane behavior for grant policies: - TestGrantViaSubnetFilterRules: verifies the router's PacketFilter contains destination rules for via-steered subnets. Without per-node filter compilation for via grants, these rules were missing and the router would drop forwarded traffic. - TestGrantViaExitNodeFilterRules: same verification for exit nodes with via grants steering autogroup:internet traffic. - TestGrantIPv6OnlyPrefixACL: verifies that address-based aliases (Prefix, Host) resolve to exactly the literal prefix and do not expand to include the matching node's other IP addresses. An IPv6-only host definition produces only IPv6 filter rules. Updates #2180
Add NetworkSpec struct with optional Subnet field to ScenarioSpec.Networks. When Subnet is set, the Docker network is created with that specific CIDR instead of Docker's auto-assigned RFC1918 range. Fix all exit node integration tests to use curl + traceroute. Tailscale exit nodes strip locally-connected subnets from their forwarding filter (shrinkDefaultRoute + localInterfaceRoutes), so exit nodes cannot forward to IPs on their Docker network via the default route alone. This is by design: exit nodes provide internet access, not LAN access. To also get LAN access, the subnet must be explicitly advertised as a route — matching real-world Tailscale deployment requirements. - TestSubnetRouterMultiNetworkExitNode: advertise usernet1 subnet alongside exit route, upgraded from ping to curl + traceroute - TestGrantViaExitNodeSteering: usernet1 subnet in via grants and auto-approvers alongside autogroup:internet - TestGrantViaMixedSteering: externet subnet in auto-approvers and route advertisement for exit traffic Updates #2180
Add golden test data for via exit route steering and fix via exit grant compilation to match Tailscale SaaS behavior. Includes MapResponse golden tests for via grant route steering verification. Updates #2180
…utesForPeer Use per-node compilation path for via grants in BuildPeerMap and MatchersForNode to ensure via-granted nodes appear in peer maps. Fix ViaRoutesForPeer golden test route inference to correctly resolve via grant effects. Updates #2180
Remove TestGrantViaExitNodeSteering and TestGrantViaMixedSteering. Exit node traffic forwarding through via grants cannot be validated with curl/traceroute in Docker containers because Tailscale exit nodes strip locally-connected subnets from their forwarding filter. The correctness of via exit steering is validated by: - Golden MapResponse comparison (TestViaGrantMapCompat with GRANT-V31 and GRANT-V36) comparing full netmap output against Tailscale SaaS - Filter rule compatibility (TestGrantsCompat with GRANT-V14 through GRANT-V36) comparing per-node PacketFilter rules against Tailscale SaaS - TestGrantViaSubnetSteering (kept) validates via subnet steering with actual curl/traceroute through Docker, which works for subnet routes Updates #2180
…easons Remove unused error variables (ErrGrantViaNotSupported, ErrGrantEmptySources, ErrGrantEmptyDestinations, ErrGrantViaOnlyTag) and the stale TODO for via implementation. Update compat test skip reasons to reflect that user:*@passkey wildcard is a known unsupported feature, not a pending implementation. Updates #2180
Rename all 594 test data files from .json to .hujson and add descriptive header comments to each file documenting what policy rules are under test and what outcome is expected. Update test loaders in all 5 _test.go files to parse HuJSON via hujson.Parse/Standardize/Pack before json.Unmarshal. Add cross-dependency warning to via_compat_test.go documenting that GRANT-V29/V30/V31/V36 are shared with TestGrantsCompat. Add .gitignore exemption for testdata HuJSON files.
Strip fields not consumed by any test from all 594 HuJSON test data files:
grant_results/ (248 files, 21MB -> 1.8MB):
- Remove: timestamp, propagation_wait_seconds, input.policy_file,
input.grants_section, input.api_endpoint, input.api_method,
topology.nodes.mts_name, topology.nodes.socket, topology.nodes.user_id,
captures.commands, captures.packet_filter_matches, captures.whois
- V14-V16, V26-V36: keep stripped netmap (Peers.Name/AllowedIPs/PrimaryRoutes
+ PacketFilterRules) for via_compat_test.go compatibility
- V17-V25: strip netmap (old topology, incompatible with via_compat harness)
acl_results/ (215 files, 1.4MB -> 1.2MB):
- Remove: timestamp, propagation_wait_seconds, input.policy_file,
input.api_endpoint, input.api_response_code, entire topology section
(parsed by Go struct but completely ignored — nodes are hardcoded)
routes_results/ (92 files, unchanged — topology is actively used):
- Remove: timestamp, propagation_wait_seconds, input.policy_file,
input.api_endpoint, input.api_response_code
ssh_results/ (39 files, unchanged — minimal to begin with):
- Remove: policy_file
A light background with white primary font makes the selected menu entry unreadable.
The docs contain bare links that are not rendered without it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.