allow users to be defined with @ in v1 (#2495)

* allow users to be defined with @ in v1 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove integration test rewrite hack Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove test rewrite hack Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add @ to integration tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * a bit to agressive removeals Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix last test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-03-30 13:19:05 +02:00 · 2025-03-30 13:19:05 +02:00 · e3521be705
commit e3521be705
parent f52f15ff08
12 changed files with 76 additions and 150 deletions
--- a/hscontrol/policy/policy_test.go
+++ b/hscontrol/policy/policy_test.go
@ -97,19 +97,6 @@ func TestTheInternet(t *testing.T) {
 	}
 }

-// addAtForFilterV1 returns a copy of the given userslice
-// and adds "@" character to the Name field.
-// This is a "compatibility" move to allow the old tests
-// to run against the "new" format which requires "@".
-func addAtForFilterV1(users types.Users) types.Users {
-	ret := make(types.Users, len(users))
-	for idx := range users {
-		ret[idx] = users[idx]
-		ret[idx].Name = ret[idx].Name + "@"
-	}
-	return ret
-}
-
 func TestReduceFilterRules(t *testing.T) {
 	users := types.Users{
 		types.User{Model: gorm.Model{ID: 1}, Name: "mickael"},
@ -780,11 +767,7 @@ func TestReduceFilterRules(t *testing.T) {
 			t.Run(fmt.Sprintf("%s-v%d", tt.name, version), func(t *testing.T) {
 				var pm PolicyManager
 				var err error
-				if version == 1 {
-					pm, err = pmf(addAtForFilterV1(users), append(tt.peers, tt.node))
-				} else {
-					pm, err = pmf(users, append(tt.peers, tt.node))
-				}
+				pm, err = pmf(users, append(tt.peers, tt.node))
 				require.NoError(t, err)
 				got := pm.Filter()
 				got = ReduceFilterRules(tt.node, got)
--- a/hscontrol/policy/v1/acls.go
+++ b/hscontrol/policy/v1/acls.go
@ -969,6 +969,10 @@ var (
 func findUserFromToken(users []types.User, token string) (types.User, error) {
 	var potentialUsers []types.User

+	// This adds the v2 support to looking up users with the new required
+	// policyv2 format where usernames have @ at the end if they are not emails.
+	token = strings.TrimSuffix(token, "@")
+
 	for _, user := range users {
 		if user.ProviderIdentifier.Valid && user.ProviderIdentifier.String == token {
 			// Prioritize ProviderIdentifier match and exit early
--- a/hscontrol/policy/v1/acls_test.go
+++ b/hscontrol/policy/v1/acls_test.go
@ -2964,6 +2964,16 @@ func TestFindUserByToken(t *testing.T) {
 			want:    types.User{},
 			wantErr: true,
 		},
+		{
+			name: "test-v2-format-working",
+			users: []types.User{
+				{ProviderIdentifier: sql.NullString{Valid: false, String: ""}, Name: "user1", Email: "another1@example.com"},
+				{ProviderIdentifier: sql.NullString{Valid: false, String: ""}, Name: "user2", Email: "another2@example.com"},
+			},
+			token:   "user2",
+			want:    types.User{ProviderIdentifier: sql.NullString{Valid: false, String: ""}, Name: "user2", Email: "another2@example.com"},
+			wantErr: false,
+		},
 	}

 	for _, tt := range tests {