Make more granular SSH tests for both Policies (#2555)

* policy/v1: dont consider empty if ssh has rules

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy/v2: replace time.Duration with model.Duration

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy/v2: add autogroup and ssh validation

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy/v2: replace time.Duration with model.Duration

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy: replace old ssh tests with more granular test

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy: skip v1 tests expected to fail (missing error handling)

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy: skip v1 group tests, old bugs wont be fixed

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* integration: user valid policy for ssh

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* Changelog, add ssh section

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* nix update

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

hscontrol/policy/v1/acls_test.go

@@ -2159,200 +2159,6 @@ func Test_getTags(t *testing.T) {
 	}
 }
 
-func TestSSHRules(t *testing.T) {
-	users := []types.User{
-		{
-			Name: "user1",
-		},
-	}
-	tests := []struct {
-		name  string
-		node  types.Node
-		peers types.Nodes
-		pol   ACLPolicy
-		want  *tailcfg.SSHPolicy
-	}{
-		{
-			name: "peers-can-connect",
-			node: types.Node{
-				Hostname: "testnodes",
-				IPv4:     iap("100.64.99.42"),
-				UserID:   0,
-				User:     users[0],
-			},
-			peers: types.Nodes{
-				&types.Node{
-					Hostname: "testnodes2",
-					IPv4:     iap("100.64.0.1"),
-					UserID:   0,
-					User:     users[0],
-				},
-			},
-			pol: ACLPolicy{
-				Groups: Groups{
-					"group:test": []string{"user1"},
-				},
-				Hosts: Hosts{
-					"client": netip.PrefixFrom(netip.MustParseAddr("100.64.99.42"), 32),
-				},
-				ACLs: []ACL{
-					{
-						Action:       "accept",
-						Sources:      []string{"*"},
-						Destinations: []string{"*:*"},
-					},
-				},
-				SSHs: []SSH{
-					{
-						Action:       "accept",
-						Sources:      []string{"group:test"},
-						Destinations: []string{"client"},
-						Users:        []string{"autogroup:nonroot"},
-					},
-					{
-						Action:       "accept",
-						Sources:      []string{"*"},
-						Destinations: []string{"client"},
-						Users:        []string{"autogroup:nonroot"},
-					},
-					{
-						Action:       "accept",
-						Sources:      []string{"group:test"},
-						Destinations: []string{"100.64.99.42"},
-						Users:        []string{"autogroup:nonroot"},
-					},
-					{
-						Action:       "accept",
-						Sources:      []string{"*"},
-						Destinations: []string{"100.64.99.42"},
-						Users:        []string{"autogroup:nonroot"},
-					},
-				},
-			},
-			want: &tailcfg.SSHPolicy{Rules: []*tailcfg.SSHRule{
-				{
-					Principals: []*tailcfg.SSHPrincipal{
-						{
-							UserLogin: "user1",
-						},
-					},
-					SSHUsers: map[string]string{
-						"autogroup:nonroot": "=",
-					},
-					Action: &tailcfg.SSHAction{
-						Accept:                   true,
-						AllowAgentForwarding:     true,
-						AllowLocalPortForwarding: true,
-					},
-				},
-				{
-					SSHUsers: map[string]string{
-						"autogroup:nonroot": "=",
-					},
-					Principals: []*tailcfg.SSHPrincipal{
-						{
-							Any: true,
-						},
-					},
-					Action: &tailcfg.SSHAction{
-						Accept:                   true,
-						AllowAgentForwarding:     true,
-						AllowLocalPortForwarding: true,
-					},
-				},
-				{
-					Principals: []*tailcfg.SSHPrincipal{
-						{
-							UserLogin: "user1",
-						},
-					},
-					SSHUsers: map[string]string{
-						"autogroup:nonroot": "=",
-					},
-					Action: &tailcfg.SSHAction{
-						Accept:                   true,
-						AllowAgentForwarding:     true,
-						AllowLocalPortForwarding: true,
-					},
-				},
-				{
-					SSHUsers: map[string]string{
-						"autogroup:nonroot": "=",
-					},
-					Principals: []*tailcfg.SSHPrincipal{
-						{
-							Any: true,
-						},
-					},
-					Action: &tailcfg.SSHAction{
-						Accept:                   true,
-						AllowAgentForwarding:     true,
-						AllowLocalPortForwarding: true,
-					},
-				},
-			}},
-		},
-		{
-			name: "peers-cannot-connect",
-			node: types.Node{
-				Hostname: "testnodes",
-				IPv4:     iap("100.64.0.1"),
-				UserID:   0,
-				User:     users[0],
-			},
-			peers: types.Nodes{
-				&types.Node{
-					Hostname: "testnodes2",
-					IPv4:     iap("100.64.99.42"),
-					UserID:   0,
-					User:     users[0],
-				},
-			},
-			pol: ACLPolicy{
-				Groups: Groups{
-					"group:test": []string{"user1"},
-				},
-				Hosts: Hosts{
-					"client": netip.PrefixFrom(netip.MustParseAddr("100.64.99.42"), 32),
-				},
-				ACLs: []ACL{
-					{
-						Action:       "accept",
-						Sources:      []string{"*"},
-						Destinations: []string{"*:*"},
-					},
-				},
-				SSHs: []SSH{
-					{
-						Action:       "accept",
-						Sources:      []string{"group:test"},
-						Destinations: []string{"100.64.99.42"},
-						Users:        []string{"autogroup:nonroot"},
-					},
-					{
-						Action:       "accept",
-						Sources:      []string{"*"},
-						Destinations: []string{"100.64.99.42"},
-						Users:        []string{"autogroup:nonroot"},
-					},
-				},
-			},
-			want: &tailcfg.SSHPolicy{Rules: nil},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := tt.pol.CompileSSHPolicy(&tt.node, users, tt.peers)
-			require.NoError(t, err)
-
-			if diff := cmp.Diff(tt.want, got); diff != "" {
-				t.Errorf("TestSSHRules() unexpected result (-want +got):\n%s", diff)
-			}
-		})
-	}
-}
-
 func TestParseDestination(t *testing.T) {
 	tests := []struct {
 		dest      string