policy/v2: add SSH compatibility testdata from Tailscale SaaS

Add 39 test fixtures captured from Tailscale SaaS API responses to validate SSH policy compilation parity. Each JSON file contains the SSH policy section and expected compiled SSHRule arrays for 5 test nodes (3 user-owned, 2 tagged). Test series: SSH-A (basic), SSH-B (specific sources), SSH-C (destination combos), SSH-D (localpart), SSH-E (edge cases), SSH-F (multi-rule), SSH-G (acceptEnv). The data-driven TestSSHDataCompat harness uses cmp.Diff with principal order tolerance but strict rule ordering (first-match-wins semantics require exact order). Updates #3049
2026-04-27 02:58:51 +02:00 · 2026-02-24 19:40:04 +00:00
parent 0acf09bdd2
commit 6c59d3e601
40 changed files with 3498 additions and 0 deletions
--- a/hscontrol/policy/v2/testdata/ssh_results/SSH-F3.json
+++ b/hscontrol/policy/v2/testdata/ssh_results/SSH-F3.json
@@ -0,0 +1,144 @@
+{
+  "test_id": "SSH-F3",
+  "policy_file": "ssh_policies/ssh_f3.json",
+  "ssh_section": [
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["localpart:*@passkey"] },
+    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["root"] }
+  ],
+  "nodes": {
+    "user1": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-kris": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "user-mon": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-server": {
+      "rules": [
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.90.199.68" }, { "nodeIP": "fd7a:115c:a1e0::2d01:c747" }],
+          "sshUsers": { "kratail2tid": "kratail2tid" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.110.121.96" }, { "nodeIP": "fd7a:115c:a1e0::1737:7960" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "root": "" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [{ "nodeIP": "100.103.90.82" }, { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }],
+          "sshUsers": { "monitorpasskeykradalby": "monitorpasskeykradalby" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        },
+        {
+          "principals": [
+            { "nodeIP": "100.103.90.82" },
+            { "nodeIP": "100.110.121.96" },
+            { "nodeIP": "100.90.199.68" },
+            { "nodeIP": "fd7a:115c:a1e0::1737:7960" },
+            { "nodeIP": "fd7a:115c:a1e0::2d01:c747" },
+            { "nodeIP": "fd7a:115c:a1e0::9e37:5a52" }
+          ],
+          "sshUsers": { "root": "root" },
+          "action": {
+            "accept": true,
+            "allowAgentForwarding": true,
+            "allowLocalPortForwarding": true,
+            "allowRemotePortForwarding": true
+          }
+        }
+      ]
+    },
+    "tagged-prod": { "rules": [] }
+  }
+}