auth: generalise auth flow and introduce AuthVerdict

Generalise the registration pipeline to a more general auth pipeline supporting both node registrations and SSH check auth requests. Rename RegistrationID to AuthID, unexport AuthRequest fields, and introduce AuthVerdict to unify the auth finish API. Add the urlParam generic helper for extracting typed URL parameters from chi routes, used by the new auth request handler. Updates #1850
2026-04-18 23:10:10 +02:00 · 2026-02-24 18:48:57 +00:00
parent 30338441c1
commit cb3b6949ea
19 changed files with 443 additions and 336 deletions
--- a/hscontrol/util/util.go
+++ b/hscontrol/util/util.go
@@ -295,8 +295,8 @@ func IsCI() bool {
 // 3. If normalisation fails → generate invalid-<random> replacement
 //
 // Returns the guaranteed-valid hostname to use.
-func EnsureHostname(hostinfo *tailcfg.Hostinfo, machineKey, nodeKey string) string {
-	if hostinfo == nil || hostinfo.Hostname == "" {
+func EnsureHostname(hostinfo tailcfg.HostinfoView, machineKey, nodeKey string) string {
+	if !hostinfo.Valid() || hostinfo.Hostname() == "" {
 		key := cmp.Or(machineKey, nodeKey)
 		if key == "" {
 			return "unknown-node"
@@ -310,7 +310,7 @@ func EnsureHostname(hostinfo *tailcfg.Hostinfo, machineKey, nodeKey string) stri
 		return "node-" + keyPrefix
 	}

-	lowercased := strings.ToLower(hostinfo.Hostname)
+	lowercased := strings.ToLower(hostinfo.Hostname())

 	err := ValidateHostname(lowercased)
 	if err == nil {
--- a/hscontrol/util/util_test.go
+++ b/hscontrol/util/util_test.go
@@ -1070,7 +1070,7 @@ func TestEnsureHostname(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()

-			got := EnsureHostname(tt.hostinfo, tt.machineKey, tt.nodeKey)
+			got := EnsureHostname(tt.hostinfo.View(), tt.machineKey, tt.nodeKey)
 			// For invalid hostnames, we just check the prefix since the random part varies
 			if strings.HasPrefix(tt.want, "invalid-") {
 				if !strings.HasPrefix(got, "invalid-") {
@@ -1255,7 +1255,7 @@ func TestEnsureHostnameWithHostinfo(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()

-			gotHostname := EnsureHostname(tt.hostinfo, tt.machineKey, tt.nodeKey)
+			gotHostname := EnsureHostname(tt.hostinfo.View(), tt.machineKey, tt.nodeKey)
 			// For invalid hostnames, we just check the prefix since the random part varies
 			if strings.HasPrefix(tt.wantHostname, "invalid-") {
 				if !strings.HasPrefix(gotHostname, "invalid-") {
@@ -1284,7 +1284,7 @@ func TestEnsureHostname_DNSLabelLimit(t *testing.T) {

 			hostinfo := &tailcfg.Hostinfo{Hostname: hostname}

-			result := EnsureHostname(hostinfo, "mkey", "nkey")
+			result := EnsureHostname(hostinfo.View(), "mkey", "nkey")
 			if len(result) > 63 {
 				t.Errorf("test case %d: hostname length = %d, want <= 63", i, len(result))
 			}
@@ -1300,8 +1300,8 @@ func TestEnsureHostname_Idempotent(t *testing.T) {
 		OS:       "linux",
 	}

-	hostname1 := EnsureHostname(originalHostinfo, "mkey", "nkey")
-	hostname2 := EnsureHostname(originalHostinfo, "mkey", "nkey")
+	hostname1 := EnsureHostname(originalHostinfo.View(), "mkey", "nkey")
+	hostname2 := EnsureHostname(originalHostinfo.View(), "mkey", "nkey")

 	if hostname1 != hostname2 {
 		t.Errorf("hostnames not equal: %v != %v", hostname1, hostname2)