do not allow preauth keys to be deleted if assigned to node (#2396)

* do not allow preauth keys to be deleted if assigned to node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-02-01 09:31:13 +00:00 · 2025-02-01 09:31:13 +00:00 · 9bd143852f
commit 9bd143852f
parent d57a55c024
5 changed files with 54 additions and 4 deletions
--- a/hscontrol/db/db.go
+++ b/hscontrol/db/db.go
@ -582,6 +582,24 @@ COMMIT;
 				},
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
+			// Add back constraint so you cannot delete preauth keys that
+			// is still used by a node.
+			{
+				ID: "202501311657",
+				Migrate: func(tx *gorm.DB) error {
+					err := tx.AutoMigrate(&types.PreAuthKey{})
+					if err != nil {
+						return err
+					}
+					err = tx.AutoMigrate(&types.Node{})
+					if err != nil {
+						return err
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
 		},
 	)

--- a/hscontrol/db/preauth_keys_test.go
+++ b/hscontrol/db/preauth_keys_test.go
@ -2,10 +2,13 @@ package db

 import (
 	"sort"
+	"testing"
 	"time"

 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"gopkg.in/check.v1"
 	"tailscale.com/types/ptr"
 )
@ -175,3 +178,25 @@ func (*Suite) TestPreAuthKeyACLTags(c *check.C) {
 	sort.Sort(sort.StringSlice(gotTags))
 	c.Assert(gotTags, check.DeepEquals, tags)
 }
+
+func TestCannotDeleteAssignedPreAuthKey(t *testing.T) {
+	db, err := newSQLiteTestDB()
+	require.NoError(t, err)
+	user, err := db.CreateUser(types.User{Name: "test8"})
+	assert.NoError(t, err)
+
+	key, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, []string{"tag:good"})
+	assert.NoError(t, err)
+
+	node := types.Node{
+		ID:             0,
+		Hostname:       "testest",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      ptr.To(key.ID),
+	}
+	db.DB.Save(&node)
+
+	err = db.DB.Delete(key).Error
+	require.ErrorContains(t, err, "constraint failed: FOREIGN KEY constraint failed")
+}