make tags first class node owner (#2885)

This PR changes tags to be something that exists on nodes in addition to users, to being its own thing. It is part of moving our tags support towards the correct tailscale compatible implementation. There are probably rough edges in this PR, but the intention is to get it in, and then start fixing bugs from 0.28.0 milestone (long standing tags issue) to discover what works and what doesnt. Updates #2417 Closes #2619
2026-04-25 01:59:07 +02:00 · 2025-12-02 12:01:25 +01:00
parent 705b239677
commit eb788cd007
49 changed files with 3102 additions and 757 deletions
--- a/hscontrol/db/preauth_keys_test.go
+++ b/hscontrol/db/preauth_keys_test.go
@@ -24,7 +24,7 @@ func TestCreatePreAuthKey(t *testing.T) {
 			test: func(t *testing.T, db *HSDatabase) {
 				t.Helper()

-				_, err := db.CreatePreAuthKey(12345, true, false, nil, nil)
+				_, err := db.CreatePreAuthKey(ptr.To(types.UserID(12345)), true, false, nil, nil)
 				assert.Error(t, err)
 			},
 		},
@@ -36,7 +36,7 @@ func TestCreatePreAuthKey(t *testing.T) {
 				user, err := db.CreateUser(types.User{Name: "test"})
 				require.NoError(t, err)

-				key, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
+				key, err := db.CreatePreAuthKey(user.TypedID(), true, false, nil, nil)
 				require.NoError(t, err)
 				assert.NotEmpty(t, key.Key)

@@ -83,7 +83,7 @@ func TestPreAuthKeyACLTags(t *testing.T) {
 				user, err := db.CreateUser(types.User{Name: "test-tags-1"})
 				require.NoError(t, err)

-				_, err = db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, []string{"badtag"})
+				_, err = db.CreatePreAuthKey(user.TypedID(), false, false, nil, []string{"badtag"})
 				assert.Error(t, err)
 			},
 		},
@@ -98,7 +98,7 @@ func TestPreAuthKeyACLTags(t *testing.T) {
 				expectedTags := []string{"tag:test1", "tag:test2"}
 				tagsWithDuplicate := []string{"tag:test1", "tag:test2", "tag:test2"}

-				_, err = db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, tagsWithDuplicate)
+				_, err = db.CreatePreAuthKey(user.TypedID(), false, false, nil, tagsWithDuplicate)
 				require.NoError(t, err)

 				listedPaks, err := db.ListPreAuthKeys(types.UserID(user.ID))
@@ -128,13 +128,13 @@ func TestCannotDeleteAssignedPreAuthKey(t *testing.T) {
 	user, err := db.CreateUser(types.User{Name: "test8"})
 	require.NoError(t, err)

-	key, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, []string{"tag:good"})
+	key, err := db.CreatePreAuthKey(user.TypedID(), false, false, nil, []string{"tag:good"})
 	require.NoError(t, err)

 	node := types.Node{
 		ID:             0,
 		Hostname:       "testest",
-		UserID:         user.ID,
+		UserID:         &user.ID,
 		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      ptr.To(key.ID),
 	}
@@ -180,7 +180,7 @@ func TestPreAuthKeyAuthentication(t *testing.T) {
 			validateResult: func(t *testing.T, pak *types.PreAuthKey) {
 				t.Helper()

-				assert.Equal(t, user.ID, pak.UserID)
+				assert.Equal(t, user.ID, *pak.UserID)
 				assert.NotEmpty(t, pak.Key) // Legacy keys have Key populated
 				assert.Empty(t, pak.Prefix) // Legacy keys have empty Prefix
 				assert.Nil(t, pak.Hash)     // Legacy keys have nil Hash
@@ -191,7 +191,7 @@ func TestPreAuthKeyAuthentication(t *testing.T) {
 			setupKey: func() string {
 				// Create new key via API
 				keyStr, err := db.CreatePreAuthKey(
-					types.UserID(user.ID),
+					user.TypedID(),
 					true, false, nil, []string{"tag:test"},
 				)
 				require.NoError(t, err)
@@ -203,7 +203,7 @@ func TestPreAuthKeyAuthentication(t *testing.T) {
 			validateResult: func(t *testing.T, pak *types.PreAuthKey) {
 				t.Helper()

-				assert.Equal(t, user.ID, pak.UserID)
+				assert.Equal(t, user.ID, *pak.UserID)
 				assert.Empty(t, pak.Key)       // New keys have empty Key
 				assert.NotEmpty(t, pak.Prefix) // New keys have Prefix
 				assert.NotNil(t, pak.Hash)     // New keys have Hash
@@ -214,7 +214,7 @@ func TestPreAuthKeyAuthentication(t *testing.T) {
 			name: "new_key_format_validation",
 			setupKey: func() string {
 				keyStr, err := db.CreatePreAuthKey(
-					types.UserID(user.ID),
+					user.TypedID(),
 					true, false, nil, nil,
 				)
 				require.NoError(t, err)
@@ -244,7 +244,7 @@ func TestPreAuthKeyAuthentication(t *testing.T) {
 			setupKey: func() string {
 				// Create valid key
 				key, err := db.CreatePreAuthKey(
-					types.UserID(user.ID),
+					user.TypedID(),
 					true, false, nil, nil,
 				)
 				require.NoError(t, err)
@@ -415,11 +415,11 @@ func TestMultipleLegacyKeysAllowed(t *testing.T) {
 	assert.Len(t, legacyKeys, 5, "should have created 5 legacy keys")

 	// Now create new bcrypt-based keys - these should have unique prefixes
-	key1, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
+	key1, err := db.CreatePreAuthKey(user.TypedID(), true, false, nil, nil)
 	require.NoError(t, err)
 	assert.NotEmpty(t, key1.Key)

-	key2, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
+	key2, err := db.CreatePreAuthKey(user.TypedID(), true, false, nil, nil)
 	require.NoError(t, err)
 	assert.NotEmpty(t, key2.Key)