starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-04-11 03:27:20 +02:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity
Files
12a34f3895c4d66979d09c1ac44274b0b1564154
headscale/hscontrol
History
Kristoffer Dalby 12a34f3895 policy/v2: implement grant validation rules matching Tailscale SaaS 
Add five categories of grant validation that Tailscale enforces:

1. Capability name format: reject URL schemes (://) and restrict
   tailscale.com domain to an allowlist of user-grantable caps.

2. Grant-specific autogroup:self: reject wildcard (*) sources with
   autogroup:self destinations (stricter than ACL rules since * includes
   tags which cannot use autogroup:self).

3. App + autogroup:internet: reject app grants targeting
   autogroup:internet.

4. Raw default route CIDRs: reject 0.0.0.0/0 and ::/0 as grant
   destinations, requiring "*" or "autogroup:internet" instead.

5. Via field: non-tag values (e.g. autogroup:tagged) are caught at
   unmarshal time by Tag.UnmarshalJSON validation.

This resolves 23 ERROR_VALIDATION_GAP + 1 via validation test, reducing
the grant compat skip list from 28 to 5 remaining tests.

Updates #2180
2026-03-25 15:17:23 +00:00
..
assets
Swap favicon for updated version
2026-03-03 05:59:40 +01:00
capver
capver: regenerate from docker tags
2026-02-07 08:23:51 +01:00
db
all: fix test flakiness and improve test infrastructure
2026-03-14 02:52:28 -07:00
derp
all: fix golangci-lint issues (#3064)
2026-02-06 21:45:32 +01:00
dns
Fix typo in comment about fsnotify behavior
2026-02-27 15:23:06 +01:00
mapper
hscontrol/poll,state: fix grace period disconnect TOCTOU race
2026-03-19 07:05:58 +01:00
policy
policy/v2: implement grant validation rules matching Tailscale SaaS
2026-03-25 15:17:23 +00:00
routes
all: upgrade to Go 1.26rc2 and modernize codebase
2026-02-08 12:35:23 +01:00
servertest
hscontrol/servertest: fix test expectations for eventual consistency
2026-03-19 07:05:58 +01:00
state
hscontrol/state: fix online status reset during re-registration
2026-03-19 07:05:58 +01:00
templates
templates: generalise auth templates for web and OIDC
2026-02-25 21:28:05 +01:00
types
policy: include IPv6 in identity-based alias resolution
2026-03-25 15:17:23 +00:00
util
mapper/batcher: restructure internals for correctness
2026-03-14 02:52:28 -07:00
app.go
hscontrol: add servertest harness for in-process control plane testing
2026-03-19 07:05:58 +01:00
auth_tags_test.go
auth: generalise auth flow and introduce AuthVerdict
2026-02-25 21:28:05 +01:00
auth_test.go
all: fix test flakiness and improve test infrastructure
2026-03-14 02:52:28 -07:00
auth.go
Update docs for auth-id changes
2026-03-01 13:38:22 +01:00
debug.go
mapper: remove Batcher interface, rename to Batcher struct
2026-03-14 02:52:28 -07:00
grpcv1_test.go
hscontrol: add tests for deleting users with tagged nodes
2026-02-20 21:51:00 +01:00
grpcv1.go
hscontrol, cli: add auth register and approve commands
2026-02-25 21:28:05 +01:00
handlers.go
Update docs for auth-id changes
2026-03-01 13:38:22 +01:00
metrics.go
all: fix golangci-lint issues (#3064)
2026-02-06 21:45:32 +01:00
noise_test.go
noise: limit request body size to prevent unauthenticated OOM
2026-03-16 09:28:31 +01:00
noise.go
noise: limit request body size to prevent unauthenticated OOM
2026-03-16 09:28:31 +01:00
oidc_template_test.go
templates: generalise auth templates for web and OIDC
2026-02-25 21:28:05 +01:00
oidc_test.go
oidc: make email verification configurable
2025-12-18 11:42:32 +00:00
oidc.go
Update docs for auth-id changes
2026-03-01 13:38:22 +01:00
platform_config.go
all: fix golangci-lint issues (#3064)
2026-02-06 21:45:32 +01:00
poll_test.go
poll: fix poll test linter violations
2026-03-12 01:27:34 -07:00
poll.go
hscontrol/poll,state: fix grace period disconnect TOCTOU race
2026-03-19 07:05:58 +01:00
tailsql.go
all: fix golangci-lint issues (#3064)
2026-02-06 21:45:32 +01:00
templates_consistency_test.go
templates: generalise auth templates for web and OIDC
2026-02-25 21:28:05 +01:00