Support ACL Tests #657

Open
opened 2025-12-29 02:21:41 +01:00 by adam · 4 comments

Originally created by @EtaoinWu on GitHub (Mar 1, 2024).

Why

ACL `tests` is a tailscale feature that allows ACL creators to do a sanity check on an ACL. It is a quality of life feature for access management.

```javascript
// in ACL.hujson
{
  // ... other config
  "tests": [
    {
      "src": "alice-pc",
      "proto": "tcp",
      "accept": [ "jump-server:22", "tag:printer:80" ],
      "deny": [ "bob-laptop:443" ],
    },
  ],
}
```

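Headscale currently parses but [ignores](https://github.com/juanfont/headscale/blob/7a920ee701f6c1cc5152075bfcd7dae6f6d604c6/hscontrol/policy/acls_types.go#L40) ACL tests in an ACL config hujson or yaml file.

Description

Implement ACL testing as described in tailscale's [KB](https://tailscale.com/kb/1337/acl-syntax#tests). Note that the struct `ACLTest` misses some fields as defined by tailscale.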

adam added the enhancement, no-stale-bot, policy 📝 labels 2025-12-29 02:21:41 +01:00
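A sketch of what evaluating the `tests` block from the issue involves, as an added example that is not Headscale's or Tailscale's code. `Rule`, `allowed` and `RunTests` are hypothetical names, the `ACLTest` here is a reduced stand-in for the real struct, and the model is an assumption: flattened accept rules with literal names and `*` wildcards, with `proto`, groups, tag owners and CIDR matching left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed model: flattened accept rules with literal names and "*" wildcards;
// ACLTest carries the src/accept/deny fields from the issue's sample.
type Rule struct{ Src, Dst string }
type ACLTest struct {
	Src          string
	Accept, Deny []string
}

// allowed reports whether any rule lets src reach dst; no match means deny.
func allowed(rules []Rule, src, dst string) bool {
	di := strings.LastIndex(dst, ":") // last colon: "tag:printer:80" -> port 80
	for _, r := range rules {
		pi := strings.LastIndex(r.Dst, ":")
		if pi < 0 || di < 0 || (r.Src != src && r.Src != "*") {
			continue // malformed entry or source not covered by this rule
		}
		if h, p := r.Dst[:pi], r.Dst[pi+1:]; (h == "*" || h == dst[:di]) && (p == "*" || p == dst[di+1:]) {
			return true
		}
	}
	return false
}

// RunTests returns one message per violated assertion; empty means all pass.
func RunTests(rules []Rule, tests []ACLTest) (fails []string) {
	for _, t := range tests {
		all := append(append([]string{}, t.Accept...), t.Deny...)
		for i, d := range all {
			want := i < len(t.Accept) // accept entries come first in all
			if allowed(rules, t.Src, d) != want {
				fails = append(fails, fmt.Sprintf("%s -> %s: want accept=%v", t.Src, d, want))
			}
		}
	}
	return fails
}

func main() {
	// Constructed policy: no printer rule, and an over-broad wildcard on port 443.
	rules := []Rule{{"alice-pc", "jump-server:22"}, {"*", "*:443"}}
	tests := []ACLTest{{"alice-pc", []string{"jump-server:22", "tag:printer:80"}, []string{"bob-laptop:443"}}}
	fmt.Println(strings.Join(RunTests(rules, tests), "\n"))
}
```

Rejecting a policy whenever `RunTests` returns a non-empty slice is what turns the `deny` entries into a guard against over-broad rules such as the wildcard in the sample.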

@github-actions[bot] commented on GitHub (Aug 7, 2024):

This issue is stale because it has been open for 90 days with no activity.


@github-actions[bot] commented on GitHub (Aug 14, 2024):

This issue was closed because it has been inactive for 14 days since being marked as stale.


@wrbbz commented on GitHub (Jul 22, 2025):

@kradalby, sorry for tagging you directly.
Why is this issue closed as "not planned"? Is it somehow out of scope? Or just due to the inactivity?

It would be a nice-to-have feature, as it could help to create and maintain ACLs.


@kradalby commented on GitHub (Jul 23, 2025):

I opened it again; yes, inactivity. But I would like to point out that there is no space for this feature in the roadmap for a while. If someone wants to take a stab at it, this is a pretty good standalone part of the code base.

Reference: starred/headscale#657