integration: fix tags-only auth key tests

- Rename TestTagsAuthKeyWithoutUserIgnoresAdvertisedTags to
  TestTagsAuthKeyWithoutUserRejectsAdvertisedTags to reflect actual
  behavior (PreAuthKey registrations reject advertised tags)
- Fix TestTagsAuthKeyWithoutUserInheritsTags to use ListNodes() without
  user filter since tags-only nodes don't have a user association

Updates #2977
Kristoffer Dalby
2026-01-14 14:29:52 +00:00
parent 4ab06930a2
commit b8f3e09046
2 changed files with 18 additions and 27 deletions


@@ -241,7 +241,7 @@ jobs:
- TestTagsAdminAPICannotSetInvalidFormat - TestTagsAdminAPICannotSetInvalidFormat
- TestTagsUserLoginReauthWithEmptyTagsRemovesAllTags - TestTagsUserLoginReauthWithEmptyTagsRemovesAllTags
- TestTagsAuthKeyWithoutUserInheritsTags - TestTagsAuthKeyWithoutUserInheritsTags
- TestTagsAuthKeyWithoutUserIgnoresAdvertisedTags - TestTagsAuthKeyWithoutUserRejectsAdvertisedTags
uses: ./.github/workflows/integration-test-template.yml uses: ./.github/workflows/integration-test-template.yml
secrets: inherit secrets: inherit
with: with:


@@ -3039,8 +3039,9 @@ func TestTagsAuthKeyWithoutUserInheritsTags(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
// Wait for node to be registered and verify it has the key's tags // Wait for node to be registered and verify it has the key's tags
// Note: Tags-only nodes don't have a user, so we list all nodes
assert.EventuallyWithT(t, func(c *assert.CollectT) { assert.EventuallyWithT(t, func(c *assert.CollectT) {
nodes, err := headscale.ListNodes(tagTestUser) nodes, err := headscale.ListNodes()
assert.NoError(c, err) assert.NoError(c, err)
assert.Len(c, nodes, 1, "Should have exactly 1 node") assert.Len(c, nodes, 1, "Should have exactly 1 node")
@@ -3054,14 +3055,14 @@ func TestTagsAuthKeyWithoutUserInheritsTags(t *testing.T) {
t.Logf("Test 5.1 PASS: Node inherited tags from tags-only auth key") t.Logf("Test 5.1 PASS: Node inherited tags from tags-only auth key")
} }
// TestTagsAuthKeyWithoutUserIgnoresAdvertisedTags tests that when an auth key without // TestTagsAuthKeyWithoutUserRejectsAdvertisedTags tests that when an auth key without
// a user (tags-only) is used WITH --advertise-tags, the advertised tags are ignored // a user (tags-only) is used WITH --advertise-tags, the registration is rejected.
// and the auth key's tags are used instead. // PreAuthKey registrations do not allow client-requested tags.
// //
// Test 5.2: Auth key without user, with --advertise-tags (should be ignored) // Test 5.2: Auth key without user, with --advertise-tags (should be rejected)
// Setup: Run `tailscale up --advertise-tags="tag:second" --auth-key AUTH_KEY_WITH_TAGS_NO_USER` // Setup: Run `tailscale up --advertise-tags="tag:second" --auth-key AUTH_KEY_WITH_TAGS_NO_USER`
// Expected: Node registers with the auth key's tags (tag:valid-owned), NOT the advertised tags. // Expected: Registration fails with error containing "requested tags".
func TestTagsAuthKeyWithoutUserIgnoresAdvertisedTags(t *testing.T) { func TestTagsAuthKeyWithoutUserRejectsAdvertisedTags(t *testing.T) {
IntegrationSkip(t) IntegrationSkip(t)
policy := tagsTestPolicy() policy := tagsTestPolicy()
@@ -3079,7 +3080,7 @@ func TestTagsAuthKeyWithoutUserIgnoresAdvertisedTags(t *testing.T) {
err = scenario.CreateHeadscaleEnv( err = scenario.CreateHeadscaleEnv(
[]tsic.Option{}, []tsic.Option{},
hsic.WithACLPolicy(policy), hsic.WithACLPolicy(policy),
hsic.WithTestName("tags-authkey-no-user-ignore-advertise"), hsic.WithTestName("tags-authkey-no-user-reject-advertise"),
hsic.WithTLS(), hsic.WithTLS(),
) )
requireNoErrHeadscaleEnv(t, err) requireNoErrHeadscaleEnv(t, err)
@@ -3105,23 +3106,13 @@ func TestTagsAuthKeyWithoutUserIgnoresAdvertisedTags(t *testing.T) {
) )
require.NoError(t, err) require.NoError(t, err)
// Login with the tags-only auth key // Login should fail because ANY advertise-tags is rejected for PreAuthKey registrations
err = client.Login(headscale.GetEndpoint(), authKey.GetKey()) err = client.Login(headscale.GetEndpoint(), authKey.GetKey())
require.NoError(t, err) if err != nil {
t.Logf("Test 5.2 PASS: Registration correctly rejected with error: %v", err)
// Wait for node to be registered and verify it has the auth KEY's tags, NOT the advertised tags assert.ErrorContains(t, err, "requested tags")
assert.EventuallyWithT(t, func(c *assert.CollectT) { } else {
nodes, err := headscale.ListNodes(tagTestUser) t.Logf("Test 5.2 UNEXPECTED: Registration succeeded when it should have failed")
assert.NoError(c, err) t.Fail()
assert.Len(c, nodes, 1, "Should have exactly 1 node") }
if len(nodes) == 1 {
node := nodes[0]
t.Logf("Node registered with tags: %v (advertised: tag:second)", node.GetTags())
// Should have auth key's tags, NOT the advertised tags
assertNodeHasTagsWithCollect(c, node, []string{"tag:valid-owned"})
}
}, 30*time.Second, 500*time.Millisecond, "verifying node has auth key tags, not advertised tags")
t.Logf("Test 5.2 PASS: Advertised tags were correctly ignored, auth key tags used")
} }
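Review bot: The new Test 5.2 body checks only the error returned by `client.Login`, so it never confirms on the control server that the rejected registration left no node behind carrying either the key's tags or the advertised `tag:second`. Since tags feed the ACL policy, I would add `nodes, err := headscale.ListNodes()`, `require.NoError(t, err)` and `assert.Empty(t, nodes, "rejected registration must not create a node")` after the error check. The `if err != nil { … } else { t.Fail() }` branch also logs "Test 5.2 PASS" before `assert.ErrorContains` runs, so a login that fails for an unrelated reason prints PASS and then fails. A single `require.ErrorContains(t, err, "requested tags")` covers both the nil-error and the wrong-message case, with the PASS log moved after it. The function body begins above this hunk, so the setup of `client` and `authKey` is not visible here.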