Kristoffer Dalby ebdbe03639 policy: validate autogroup:self sources in ACL rules ...

Tailscale validates that autogroup:self destinations in ACL rules can
only be used when ALL sources are users, groups, autogroup:member, or
wildcard (*). Previously, Headscale only performed this validation for
SSH rules.
Add validateACLSrcDstCombination() to enforce that tags, autogroup:tagged,
hosts, and raw IPs cannot be used as sources with autogroup:self
destinations. Invalid policies like `tag:client → autogroup:self:*` are
now rejected at validation time, matching Tailscale behavior.
Wildcard (*) is allowed because autogroup:self evaluation narrows it
per-node to only the node's own IPs.

Updates #3036

2026-02-05 19:29:16 +01:00

..

filter_test.go

policy: add ICMP protocols to default and export constants

2026-02-05 19:29:16 +01:00

filter.go

policy/v2: add Caller() to log statements in compileACLWithAutogroupSelf

2026-02-03 16:53:15 +01:00

policy_test.go

policy/v2: add test for issue #2990 same-user tagged device

2026-02-03 16:53:15 +01:00

policy.go

policy/v2: add IsTagged() guards to prevent panics on tagged nodes

2026-02-03 16:53:15 +01:00

tailscale_compat_test.go

policy: validate autogroup:self sources in ACL rules

2026-02-05 19:29:16 +01:00

types_test.go

policy: update tests for SSH validation rules

2026-01-21 17:01:30 +00:00

types.go

policy: validate autogroup:self sources in ACL rules

2026-02-05 19:29:16 +01:00

utils_test.go

integration: replace time.Sleep with assert.EventuallyWithT (#2680)

2025-07-10 23:38:55 +02:00

utils.go

modernize: run gopls modernize to bring up to 1.25 (#2920)

2025-12-01 19:40:25 +01:00