types,mapper,integration: enable Taildrive and add cap/drive grant lifecycle test

Add NodeAttrsTaildriveShare and NodeAttrsTaildriveAccess to the node capability map, enabling Taildrive file sharing when granted via policy. Add integration test verifying the full cap/drive grant lifecycle. Updates #2180
2026-04-10 19:17:25 +02:00 · 2026-03-23 09:43:30 +00:00
parent 9b1a6b6c05
commit d243adaedd
4 changed files with 494 additions and 9 deletions
--- a/hscontrol/mapper/tail_test.go
+++ b/hscontrol/mapper/tail_test.go
@@ -75,9 +75,11 @@ func TestTailNode(t *testing.T) {
 				MachineAuthorized: true,

 				CapMap: tailcfg.NodeCapMap{
-					tailcfg.CapabilityFileSharing: []tailcfg.RawMessage{},
-					tailcfg.CapabilityAdmin:       []tailcfg.RawMessage{},
-					tailcfg.CapabilitySSH:         []tailcfg.RawMessage{},
+					tailcfg.CapabilityFileSharing:    []tailcfg.RawMessage{},
+					tailcfg.CapabilityAdmin:          []tailcfg.RawMessage{},
+					tailcfg.CapabilitySSH:            []tailcfg.RawMessage{},
+					tailcfg.NodeAttrsTaildriveShare:  []tailcfg.RawMessage{},
+					tailcfg.NodeAttrsTaildriveAccess: []tailcfg.RawMessage{},
 				},
 			},
 			wantErr: false,
@@ -164,9 +166,11 @@ func TestTailNode(t *testing.T) {
 				MachineAuthorized: true,

 				CapMap: tailcfg.NodeCapMap{
-					tailcfg.CapabilityFileSharing: []tailcfg.RawMessage{},
-					tailcfg.CapabilityAdmin:       []tailcfg.RawMessage{},
-					tailcfg.CapabilitySSH:         []tailcfg.RawMessage{},
+					tailcfg.CapabilityFileSharing:    []tailcfg.RawMessage{},
+					tailcfg.CapabilityAdmin:          []tailcfg.RawMessage{},
+					tailcfg.CapabilitySSH:            []tailcfg.RawMessage{},
+					tailcfg.NodeAttrsTaildriveShare:  []tailcfg.RawMessage{},
+					tailcfg.NodeAttrsTaildriveAccess: []tailcfg.RawMessage{},
 				},
 			},
 			wantErr: false,
@@ -189,9 +193,11 @@ func TestTailNode(t *testing.T) {
 				MachineAuthorized: true,

 				CapMap: tailcfg.NodeCapMap{
-					tailcfg.CapabilityFileSharing: []tailcfg.RawMessage{},
-					tailcfg.CapabilityAdmin:       []tailcfg.RawMessage{},
-					tailcfg.CapabilitySSH:         []tailcfg.RawMessage{},
+					tailcfg.CapabilityFileSharing:    []tailcfg.RawMessage{},
+					tailcfg.CapabilityAdmin:          []tailcfg.RawMessage{},
+					tailcfg.CapabilitySSH:            []tailcfg.RawMessage{},
+					tailcfg.NodeAttrsTaildriveShare:  []tailcfg.RawMessage{},
+					tailcfg.NodeAttrsTaildriveAccess: []tailcfg.RawMessage{},
 				},
 			},
 			wantErr: false,
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@@ -1144,6 +1144,12 @@ func (nv NodeView) TailNode(
 		capMap[tailcfg.CapabilityFileSharing] = []tailcfg.RawMessage{}
 	}

+	// Enable Taildrive sharing and access on all nodes. The actual
+	// access control is enforced by cap/drive grants in FilterRules;
+	// without a matching grant these attributes alone do nothing.
+	capMap[tailcfg.NodeAttrsTaildriveShare] = []tailcfg.RawMessage{}
+	capMap[tailcfg.NodeAttrsTaildriveAccess] = []tailcfg.RawMessage{}
+
 	tNode := tailcfg.Node{
 		//nolint:gosec // G115: NodeID values are within int64 range
 		ID:       tailcfg.NodeID(nv.ID()),