headscale

mirror of https://github.com/juanfont/headscale.git synced 2026-03-23 18:01:19 +01:00

Files

Kristoffer Dalby 1f32c8bf61 policy/v2: add IsTagged() guards to prevent panics on tagged nodes

Three related issues where User().ID() is called on potentially tagged
nodes without first checking IsTagged():

1. compileACLWithAutogroupSelf: the autogroup:self block at line 166
   lacks the !node.IsTagged() guard that compileSSHPolicy already has.
   If a tagged node is the compilation target, node.User().ID() may
   panic. Tagged nodes should never participate in autogroup:self.

2. compileSSHPolicy: the IsTagged() check is on the right side of &&,
   so n.User().ID() evaluates first and may panic before short-circuit
   can prevent it. Swap to !n.IsTagged() && n.User().ID() == ... to
   match the already-correct order in compileACLWithAutogroupSelf.

3. invalidateAutogroupSelfCache: calls User().ID() at ~10 sites
   without IsTagged() guards. Tagged nodes don't participate in
   autogroup:self, so they should be skipped when collecting affected
   users and during cache lookup. Tag status transitions are handled
   by using the non-tagged version's user ID.

Fixes #2990

2026-02-03 16:53:15 +01:00

matcher

matcher: Add func for comparing Dests and TheInternet

2025-11-02 13:19:59 +01:00

policyutil

make tags first class node owner (#2885 )

2025-12-02 12:01:25 +01:00

policy/v2: add IsTagged() guards to prevent panics on tagged nodes

2026-02-03 16:53:15 +01:00

pm.go

tags: process tags on registration, simplify policy (#2931 )

2025-12-08 18:51:07 +01:00