allow users to be defined with @ in v1 (#2495)

* allow users to be defined with @ in v1 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove integration test rewrite hack Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove test rewrite hack Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add @ to integration tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * a bit to agressive removeals Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix last test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-03-30 13:19:05 +02:00 · 2025-03-30 13:19:05 +02:00 · e3521be705
commit e3521be705
parent f52f15ff08
12 changed files with 76 additions and 150 deletions
--- a/hscontrol/db/node_test.go
+++ b/hscontrol/db/node_test.go
@ -440,16 +440,11 @@ func TestAutoApproveRoutes(t *testing.T) {
 				adb, err := newSQLiteTestDB()
 				require.NoError(t, err)

-				suffix := ""
-				if version == 1 {
-					suffix = "@"
-				}
-
-				user, err := adb.CreateUser(types.User{Name: "test" + suffix})
+				user, err := adb.CreateUser(types.User{Name: "test"})
 				require.NoError(t, err)
-				_, err = adb.CreateUser(types.User{Name: "test2" + suffix})
+				_, err = adb.CreateUser(types.User{Name: "test2"})
 				require.NoError(t, err)
-				taggedUser, err := adb.CreateUser(types.User{Name: "tagged" + suffix})
+				taggedUser, err := adb.CreateUser(types.User{Name: "tagged"})
 				require.NoError(t, err)

 				node := types.Node{
@ -572,7 +567,7 @@ func TestEphemeralGarbageCollectorLoads(t *testing.T) {
 	})
 	go e.Start()

-	for i := 0; i < want; i++ {
+	for i := range want {
 		go e.Schedule(types.NodeID(i), 1*time.Second)
 	}

--- a/hscontrol/policy/policy_test.go
+++ b/hscontrol/policy/policy_test.go
@ -97,19 +97,6 @@ func TestTheInternet(t *testing.T) {
 	}
 }

-// addAtForFilterV1 returns a copy of the given userslice
-// and adds "@" character to the Name field.
-// This is a "compatibility" move to allow the old tests
-// to run against the "new" format which requires "@".
-func addAtForFilterV1(users types.Users) types.Users {
-	ret := make(types.Users, len(users))
-	for idx := range users {
-		ret[idx] = users[idx]
-		ret[idx].Name = ret[idx].Name + "@"
-	}
-	return ret
-}
-
 func TestReduceFilterRules(t *testing.T) {
 	users := types.Users{
 		types.User{Model: gorm.Model{ID: 1}, Name: "mickael"},
@ -780,11 +767,7 @@ func TestReduceFilterRules(t *testing.T) {
 			t.Run(fmt.Sprintf("%s-v%d", tt.name, version), func(t *testing.T) {
 				var pm PolicyManager
 				var err error
-				if version == 1 {
-					pm, err = pmf(addAtForFilterV1(users), append(tt.peers, tt.node))
-				} else {
-					pm, err = pmf(users, append(tt.peers, tt.node))
-				}
+				pm, err = pmf(users, append(tt.peers, tt.node))
 				require.NoError(t, err)
 				got := pm.Filter()
 				got = ReduceFilterRules(tt.node, got)
--- a/hscontrol/policy/v1/acls.go
+++ b/hscontrol/policy/v1/acls.go
@ -969,6 +969,10 @@ var (
 func findUserFromToken(users []types.User, token string) (types.User, error) {
 	var potentialUsers []types.User

+	// This adds the v2 support to looking up users with the new required
+	// policyv2 format where usernames have @ at the end if they are not emails.
+	token = strings.TrimSuffix(token, "@")
+
 	for _, user := range users {
 		if user.ProviderIdentifier.Valid && user.ProviderIdentifier.String == token {
 			// Prioritize ProviderIdentifier match and exit early
--- a/hscontrol/policy/v1/acls_test.go
+++ b/hscontrol/policy/v1/acls_test.go
@ -2964,6 +2964,16 @@ func TestFindUserByToken(t *testing.T) {
 			want:    types.User{},
 			wantErr: true,
 		},
+		{
+			name: "test-v2-format-working",
+			users: []types.User{
+				{ProviderIdentifier: sql.NullString{Valid: false, String: ""}, Name: "user1", Email: "another1@example.com"},
+				{ProviderIdentifier: sql.NullString{Valid: false, String: ""}, Name: "user2", Email: "another2@example.com"},
+			},
+			token:   "user2",
+			want:    types.User{ProviderIdentifier: sql.NullString{Valid: false, String: ""}, Name: "user2", Email: "another2@example.com"},
+			wantErr: false,
+		},
 	}

 	for _, tt := range tests {
--- a/hscontrol/util/dns.go
+++ b/hscontrol/util/dns.go
@ -196,7 +196,7 @@ func GenerateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
 	// and from what I can see, the generateMagicDNSRootDomains
 	// function is called only once over the lifetime of a server process.
 	prefixConstantParts := []string{}
-	for i := 0; i < maskBits/nibbleLen; i++ {
+	for i := range maskBits / nibbleLen {
 		prefixConstantParts = append(
 			[]string{string(nibbleStr[i])},
 			prefixConstantParts...)
@ -215,7 +215,7 @@ func GenerateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
 	} else {
 		domCount := 1 << (maskBits % nibbleLen)
 		fqdns = make([]dnsname.FQDN, 0, domCount)
-		for i := 0; i < domCount; i++ {
+		for i := range domCount {
 			varNibble := fmt.Sprintf("%x", i)
 			dom, err := makeDomain(varNibble)
 			if err != nil {
--- a/hscontrol/util/string_test.go
+++ b/hscontrol/util/string_test.go
@ -8,7 +8,7 @@ import (
 )

 func TestGenerateRandomStringDNSSafe(t *testing.T) {
-	for i := 0; i < 100000; i++ {
+	for range 100000 {
 		str, err := GenerateRandomStringDNSSafe(8)
 		require.NoError(t, err)
 		assert.Len(t, str, 8)