headscale/hscontrol/policy/policy_test.go at 3ca4ff8f3ff2df43abacfe9b12f5ce54a2faef6f

mirror of https://github.com/juanfont/headscale.git synced 2026-04-19 23:31:31 +02:00

Files

Kristoffer Dalby 0acf09bdd2 policy/v2: add localpart:*@domain SSH user compilation

Add support for localpart:*@<domain> entries in SSH policy users.
When a user SSHes into a target, their email local-part becomes the
OS username (e.g. alice@example.com → OS user alice).

Type system (types.go):
- SSHUser.IsLocalpart() and ParseLocalpart() for validation
- SSHUsers.LocalpartEntries(), NormalUsers(), ContainsLocalpart()
- Enforces format: localpart:*@<domain> (wildcard-only)
- UserWildcard.Resolve for user:*@domain SSH source aliases
- acceptEnv passthrough for SSH rules

Compilation (filter.go):
- resolveLocalparts: pure function mapping users to local-parts
  by email domain. No node walking, easy to test.
- groupSourcesByUser: single walk producing per-user principals
  with sorted user IDs, and tagged principals separately.
- ipSetToPrincipals: shared helper replacing 6 inline copies.
- selfPrincipalsForNode: self-access using pre-computed byUser.

The approach separates data gathering from rule assembly. Localpart
rules are interleaved per source user to match Tailscale SaaS
first-match-wins ordering.

Updates #3049

2026-02-28 05:14:11 -08:00

55 KiB

Raw Blame History

View Raw

55 KiB Raw Blame History

55 KiB

Raw Blame History