starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-03-19 07:54:17 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

integration: standardize test infrastructure options

Browse Source 
Make embedded DERP server and TLS the default configuration for all
integration tests, replacing the per-test opt-in model that led to
inconsistent and flaky test behavior.

Infrastructure changes:
- DefaultConfigEnv() includes embedded DERP server settings
- New() auto-generates a proper CA + server TLS certificate pair
- CA cert is installed into container trust stores and returned by
  GetCert() so clients and internal tools (curl) trust the server
- CreateCertificate() now returns (caCert, cert, key) instead of
  discarding the CA certificate
- Add WithPublicDERP() and WithoutTLS() opt-out options
- Remove WithTLS(), WithEmbeddedDERPServerOnly(), and WithDERPAsIP()
  since all their behavior is now the default or unnecessary

Test cleanup:
- Remove all redundant WithTLS/WithEmbeddedDERPServerOnly/WithDERPAsIP
  calls from test files
- Give every test a unique WithTestName by parameterizing aclScenario,
  sshScenario, and derpServerScenario helpers
- Add WithTestName to tests that were missing it
- Document all non-standard options with inline comments explaining
  why each is needed

Updates #3139
This commit is contained in:
Kristoffer Dalby
2026-03-16 09:15:46 +00:00
parent 87b8507ac9
commit e5ebe3205a
18 changed files with 209 additions and 236 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
integration/ssh_test.go
View File

@@ -27,7 +27,7 @@ func isSSHNoAccessStdError(stderr string) bool {
strings.Contains(stderr, "tailnet policy does not permit you to SSH")
}
func sshScenario(t *testing.T, policy *policyv2.Policy, clientsPerUser int) *Scenario {
func sshScenario(t *testing.T, policy *policyv2.Policy, testName string, clientsPerUser int) *Scenario {
t.Helper()
spec := ScenarioSpec{
@@ -50,7 +50,7 @@ func sshScenario(t *testing.T, policy *policyv2.Policy, clientsPerUser int) *Sce
tsic.WithDockerWorkdir("/"),
},
hsic.WithACLPolicy(policy),
hsic.WithTestName("ssh"),
hsic.WithTestName(testName),
)
require.NoError(t, err)
@@ -95,6 +95,7 @@ func TestSSHOneUserToAll(t *testing.T) {
},
},
},
"ssh-onetoall",
len(MustTestVersions),
)
defer scenario.ShutdownAssertNoPanics(t)
@@ -168,6 +169,7 @@ func TestSSHMultipleUsersAllToAll(t *testing.T) {
},
},
},
"ssh-multiall",
len(MustTestVersions),
)
defer scenario.ShutdownAssertNoPanics(t)
@@ -242,6 +244,7 @@ func TestSSHNoSSHConfigured(t *testing.T) {
},
SSHs: []policyv2.SSH{},
},
"ssh-nosshcfg",
len(MustTestVersions),
)
defer scenario.ShutdownAssertNoPanics(t)
@@ -293,6 +296,7 @@ func TestSSHIsBlockedInACL(t *testing.T) {
},
},
},
"ssh-blocked",
len(MustTestVersions),
)
defer scenario.ShutdownAssertNoPanics(t)
@@ -354,6 +358,7 @@ func TestSSHUserOnlyIsolation(t *testing.T) {
},
},
},
"ssh-isolation",
len(MustTestVersions),
)
defer scenario.ShutdownAssertNoPanics(t)
@@ -571,6 +576,7 @@ func TestSSHAutogroupSelf(t *testing.T) {
},
},
},
"ssh-agself",
2, // 2 clients per user
)
defer scenario.ShutdownAssertNoPanics(t)
@@ -811,7 +817,7 @@ func findNewSSHCheckAuthID(
func TestSSHOneUserToOneCheckModeCLI(t *testing.T) {
IntegrationSkip(t)
scenario := sshScenario(t, sshCheckPolicy(), 1)
scenario := sshScenario(t, sshCheckPolicy(), "ssh-checkcli", 1)
// defer scenario.ShutdownAssertNoPanics(t)
allClients, err := scenario.ListTailscaleClients()
@@ -920,7 +926,6 @@ func TestSSHOneUserToOneCheckModeOIDC(t *testing.T) {
hsic.WithACLPolicy(sshCheckPolicy()),
hsic.WithTestName("sshcheckoidc"),
hsic.WithConfigEnv(oidcMap),
hsic.WithTLS(),
hsic.WithFileInContainer(
"/tmp/hs_client_oidc_secret",
[]byte(scenario.mockOIDC.ClientSecret()),
@@ -1087,7 +1092,7 @@ func TestSSHCheckModeCheckPeriodCLI(t *testing.T) {
IntegrationSkip(t)
// 1 minute is the documented minimum checkPeriod
scenario := sshScenario(t, sshCheckPolicyWithPeriod(time.Minute), 1)
scenario := sshScenario(t, sshCheckPolicyWithPeriod(time.Minute), "ssh-checkperiod", 1)
defer scenario.ShutdownAssertNoPanics(t)
allClients, err := scenario.ListTailscaleClients()
@@ -1182,7 +1187,7 @@ func TestSSHCheckModeAutoApprove(t *testing.T) {
IntegrationSkip(t)
// 5 minute checkPeriod — long enough not to expire during test
scenario := sshScenario(t, sshCheckPolicyWithPeriod(5*time.Minute), 1)
scenario := sshScenario(t, sshCheckPolicyWithPeriod(5*time.Minute), "ssh-autoapprove", 1)
defer scenario.ShutdownAssertNoPanics(t)
allClients, err := scenario.ListTailscaleClients()
@@ -1247,7 +1252,7 @@ func TestSSHCheckModeAutoApprove(t *testing.T) {
func TestSSHCheckModeNegativeCLI(t *testing.T) {
IntegrationSkip(t)
scenario := sshScenario(t, sshCheckPolicy(), 1)
scenario := sshScenario(t, sshCheckPolicy(), "ssh-negcli", 1)
defer scenario.ShutdownAssertNoPanics(t)
allClients, err := scenario.ListTailscaleClients()
@@ -1509,7 +1514,6 @@ func TestSSHLocalpart(t *testing.T) {
hsic.WithTestName("sshlocalpart"),
hsic.WithACLPolicy(tt.policy),
hsic.WithConfigEnv(oidcMap),
hsic.WithTLS(),
hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
)
requireNoErrHeadscaleEnv(t, err)