fix tags not resolving to username if email is present (#2309)

* ensure valid tags is populated on user gets too Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * ensure forced tags are added Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove unused envvar in test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * debug log auth/unauth tags in policy man Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * defer shutdown in tags test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add tag test with groups Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add email, display name, picture to create user Updates #2166 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add ability to set display and email to cli Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add email to test users in integration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix issue where tags were only assigned to email, not username Fixes #2300 Fixes #2307 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * expand principles to correct login name and if fix an issue where nodeip principles might not expand to all relevant IPs instead of taking the first in a prefix. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix ssh unit test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update cli and oauth tests for users with email Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * index by test email Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix last test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-12-19 13:10:10 +01:00 · 2024-12-19 13:10:10 +01:00 · 770f3dcb93
commit 770f3dcb93
parent af4508b9dc
28 changed files with 409 additions and 230 deletions
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@ -2735,6 +2735,12 @@ func TestReduceFilterRules(t *testing.T) {
 }

 func Test_getTags(t *testing.T) {
+	users := []types.User{
+		{
+			Model: gorm.Model{ID: 1},
+			Name:  "joe",
+		},
+	}
 	type args struct {
 		aclPolicy *ACLPolicy
 		node      *types.Node
@ -2754,9 +2760,7 @@ func Test_getTags(t *testing.T) {
 					},
 				},
 				node: &types.Node{
-					User: types.User{
-						Name: "joe",
-					},
+					User: users[0],
 					Hostinfo: &tailcfg.Hostinfo{
 						RequestTags: []string{"tag:valid"},
 					},
@ -2774,9 +2778,7 @@ func Test_getTags(t *testing.T) {
 					},
 				},
 				node: &types.Node{
-					User: types.User{
-						Name: "joe",
-					},
+					User: users[0],
 					Hostinfo: &tailcfg.Hostinfo{
 						RequestTags: []string{"tag:valid", "tag:invalid"},
 					},
@ -2794,9 +2796,7 @@ func Test_getTags(t *testing.T) {
 					},
 				},
 				node: &types.Node{
-					User: types.User{
-						Name: "joe",
-					},
+					User: users[0],
 					Hostinfo: &tailcfg.Hostinfo{
 						RequestTags: []string{
 							"tag:invalid",
@ -2818,9 +2818,7 @@ func Test_getTags(t *testing.T) {
 					},
 				},
 				node: &types.Node{
-					User: types.User{
-						Name: "joe",
-					},
+					User: users[0],
 					Hostinfo: &tailcfg.Hostinfo{
 						RequestTags: []string{"tag:invalid", "very-invalid"},
 					},
@ -2834,9 +2832,7 @@ func Test_getTags(t *testing.T) {
 			args: args{
 				aclPolicy: &ACLPolicy{},
 				node: &types.Node{
-					User: types.User{
-						Name: "joe",
-					},
+					User: users[0],
 					Hostinfo: &tailcfg.Hostinfo{
 						RequestTags: []string{"tag:invalid", "very-invalid"},
 					},
@ -2849,6 +2845,7 @@ func Test_getTags(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			gotValid, gotInvalid := test.args.aclPolicy.TagsOfNode(
+				users,
 				test.args.node,
 			)
 			for _, valid := range gotValid {
@ -3542,6 +3539,11 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 }

 func TestSSHRules(t *testing.T) {
+	users := []types.User{
+		{
+			Name: "user1",
+		},
+	}
 	tests := []struct {
 		name  string
 		node  types.Node
@ -3555,18 +3557,14 @@ func TestSSHRules(t *testing.T) {
 				Hostname: "testnodes",
 				IPv4:     iap("100.64.99.42"),
 				UserID:   0,
-				User: types.User{
-					Name: "user1",
-				},
+				User:     users[0],
 			},
 			peers: types.Nodes{
 				&types.Node{
 					Hostname: "testnodes2",
 					IPv4:     iap("100.64.0.1"),
 					UserID:   0,
-					User: types.User{
-						Name: "user1",
-					},
+					User:     users[0],
 				},
 			},
 			pol: ACLPolicy{
@ -3679,18 +3677,14 @@ func TestSSHRules(t *testing.T) {
 				Hostname: "testnodes",
 				IPv4:     iap("100.64.0.1"),
 				UserID:   0,
-				User: types.User{
-					Name: "user1",
-				},
+				User:     users[0],
 			},
 			peers: types.Nodes{
 				&types.Node{
 					Hostname: "testnodes2",
 					IPv4:     iap("100.64.99.42"),
 					UserID:   0,
-					User: types.User{
-						Name: "user1",
-					},
+					User:     users[0],
 				},
 			},
 			pol: ACLPolicy{
@ -3728,7 +3722,7 @@ func TestSSHRules(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := tt.pol.CompileSSHPolicy(&tt.node, []types.User{}, tt.peers)
+			got, err := tt.pol.CompileSSHPolicy(&tt.node, users, tt.peers)
 			require.NoError(t, err)

 			if diff := cmp.Diff(tt.want, got); diff != "" {