policy/v2: clean up dead error variables, stale TODO, and test skip reasons

Remove unused error variables (ErrGrantViaNotSupported, ErrGrantEmptySources, ErrGrantEmptyDestinations, ErrGrantViaOnlyTag) and the stale TODO for via implementation. Update compat test skip reasons to reflect that user:*@passkey wildcard is a known unsupported feature, not a pending implementation.

Updates #2180

hscontrol/policy/v2/tailscale_grants_compat_test.go

@@ -324,52 +324,36 @@ func loadGrantTestFile(t *testing.T, path string) grantTestFile {
 	return tf
 }
 
-// Skip categories document WHY tests are expected to fail and WHAT needs to be
+// Skip categories document WHY tests are expected to differ from Tailscale SaaS.
-// implemented to fix them. Tests are grouped by root cause to identify high-impact
+// Tests are grouped by root cause.
-// changes.
 //
-// Impact summary (highest first):
+//	USER_PASSKEY_WILDCARD - 2 tests: user:*@passkey wildcard pattern not supported
 //
-//	USER_PASSKEY_WILDCARD              -   2 tests: user:*@passkey wildcard pattern unresolvable
+// Total: 2 tests skipped, ~246 tests expected to pass.
-//
-// Total: 2 tests skipped, ~235 tests expected to pass.
 var grantSkipReasons = map[string]string{
-	// ========================================================================
 	// USER_PASSKEY_WILDCARD (2 tests)
 	//
-	// TODO: Handle user:*@passkey wildcard pattern in grant src/dst.
-	//
 	// Tailscale SaaS policies can use user:*@passkey as a wildcard matching
-	// all passkey-authenticated users. headscale's convertPolicyUserEmails
+	// all passkey-authenticated users. headscale does not support passkey
-	// only converts specific user@passkey addresses (not the wildcard form),
+	// authentication and has no equivalent for this wildcard pattern.
-	// so the filter compiler logs "user not found: token user:*@passkey"
+	"GRANT-K20": "USER_PASSKEY_WILDCARD: src=user:*@passkey not supported in headscale",
-	// and produces no rules.
+	"GRANT-K21": "USER_PASSKEY_WILDCARD: dst=user:*@passkey not supported in headscale",
-	//
-	// Fix: Either convert user:*@passkey to a headscale-compatible wildcard,
-	// or resolve it to all known users during filter compilation.
-	// ========================================================================
-	"GRANT-K20": "USER_PASSKEY_WILDCARD: src=user:*@passkey, dst=tag:server — source can't be resolved, no rules produced",
-	"GRANT-K21": "USER_PASSKEY_WILDCARD: src=*, dst=user:*@passkey — destination can't be resolved, no rules produced",
 }
 
-// TestGrantsCompat is a data-driven test that loads all 237 GRANT-*.json
+// TestGrantsCompat is a data-driven test that loads all GRANT-*.json
 // test files captured from Tailscale SaaS and compares headscale's grants
 // engine output against the real Tailscale behavior.
 //
 // Each JSON file contains:
 //   - A full policy (groups, tagOwners, hosts, autoApprovers, grants, optionally acls)
-//   - For success cases: expected packet_filter_rules per node (8 nodes)
+//   - For success cases: expected packet_filter_rules per node
 //   - For error cases: expected error message
 //
 // The test converts Tailscale user email formats (@passkey, @dalby.cc) to
 // headscale format (@example.com) and runs the policy through unmarshalPolicy,
 // validate, compileFilterRulesForNode, and ReduceFilterRules.
 //
-// Skip category impact summary (highest first):
+// 2 tests are skipped for user:*@passkey wildcard (not supported in headscale).
-//
-//	USER_PASSKEY_WILDCARD              -   2 tests: user:*@passkey wildcard pattern unresolvable
-//
-// Total: 2 tests skipped, ~235 tests expected to pass.
 func TestGrantsCompat(t *testing.T) {
 	t.Parallel()
 

hscontrol/policy/v2/tailscale_ssh_data_compat_test.go

@@ -204,12 +204,11 @@ func loadSSHTestFile(t *testing.T, path string) sshTestFile {
 //
 // 37 of 39 tests are expected to pass.
 var sshSkipReasons = map[string]string{
-	// user:*@domain source alias not yet implemented.
+	// user:*@passkey wildcard pattern not supported in headscale.
-	// These tests use "src": ["user:*@passkey"] which requires UserWildcard
+	// headscale does not support passkey authentication and has no
-	// alias type support. Will be added in a follow-up PR that implements
+	// equivalent for this wildcard pattern.
-	// user:*@domain across all contexts (ACLs, grants, tagOwners, autoApprovers).
+	"SSH-B5":  "user:*@passkey wildcard not supported in headscale",
-	"SSH-B5":  "user:*@domain source alias not yet implemented",
+	"SSH-D10": "user:*@passkey wildcard not supported in headscale",
-	"SSH-D10": "user:*@domain source alias not yet implemented",
 }
 
 // TestSSHDataCompat is a data-driven test that loads all SSH-*.json test files

hscontrol/policy/v2/types.go

@@ -69,14 +69,10 @@ var (
 var (
 	ErrGrantMissingIPOrApp             = errors.New("grants must specify either 'ip' or 'app' field")
 	ErrGrantInvalidViaTag              = errors.New("grant 'via' tag is not defined in policy")
-	ErrGrantViaNotSupported            = errors.New("grant 'via' routing is not yet supported in headscale")
-	ErrGrantEmptySources               = errors.New("grant sources cannot be empty")
-	ErrGrantEmptyDestinations          = errors.New("grant destinations cannot be empty")
 	ErrProtocolPortInvalidFormat       = errors.New("expected only one colon in Internet protocol and port type")
 	ErrCapNameInvalidForm              = errors.New("capability name must have the form {domain}/{path}")
 	ErrCapNameTailscaleDomain          = errors.New("capability name must not be in the tailscale.com domain")
 	ErrGrantAutogroupSelfInvalidSource = errors.New("autogroup:self can only be used with users, groups, or supported autogroups")
-	ErrGrantViaOnlyTag                 = errors.New("via can only be a tag")
 	ErrGrantAppWithAutogroupInternet   = errors.New("cannot use app grants with autogroup:internet")
 	ErrGrantDefaultRouteCIDR           = errors.New("to allow all IP addresses, use \"*\" or \"autogroup:internet\"")
 )
@@ -1899,7 +1895,6 @@ type Grant struct {
 	InternetProtocols []ProtocolPort     `json:"ip,omitempty"`
 	App               tailcfg.PeerCapMap `json:"app,omitzero"`
 
-	// TODO(kradalby): implement via
 	Via []Tag `json:"via,omitzero"`
 }