auth: ensure that routes are autoapproved when the node is stored (#2550)

* integration: ensure route is set before node joins, reproduce Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * auth: ensure that routes are autoapproved when the node is stored Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 08:05:42 +03:00 · 2025-05-01 08:05:42 +03:00 · eb1ecefd9e
commit eb1ecefd9e
parent 6b6509eeeb
4 changed files with 57 additions and 14 deletions
--- a/hscontrol/oidc.go
+++ b/hscontrol/oidc.go
@ -528,7 +528,23 @@ func (a *AuthProviderOIDC) handleRegistration(
 		return false, fmt.Errorf("updating resources using node: %w", err)
 	}

-	if !updateSent {
+	// This is a bit of a back and forth, but we have a bit of a chicken and egg
+	// dependency here.
+	// Because the way the policy manager works, we need to have the node
+	// in the database, then add it to the policy manager and then we can
+	// approve the route. This means we get this dance where the node is
+	// first added to the database, then we add it to the policy manager via
+	// nodesChangedHook and then we can auto approve the routes.
+	// As that only approves the struct object, we need to save it again and
+	// ensure we send an update.
+	// This works, but might be another good candidate for doing some sort of
+	// eventbus.
+	routesChanged := policy.AutoApproveRoutes(a.polMan, node)
+	if err := a.db.DB.Save(node).Error; err != nil {
+		return false, fmt.Errorf("saving auto approved routes to node: %w", err)
+	}
+
+	if !updateSent || routesChanged {
 		ctx := types.NotifyCtx(context.Background(), "oidc-expiry-self", node.Hostname)
 		a.notifier.NotifyByNodeID(
 			ctx,