fixup! feat: add autogroup:member, autogroup:tagged

Author: vdovhanych

CHANGELOG.md

@@ -123,6 +123,7 @@ working in v1 and not tested might be broken in v2 (and vice versa).
 - Add documentation for routes
   [#2496](https://github.com/juanfont/headscale/pull/2496)
 - Add support for `autogroup:member`, `autogroup:tagged`
+  [#2572](https://github.com/juanfont/headscale/pull/2572)
 
 ## 0.25.1 (2025-02-25)
 

hscontrol/policy/v2/types.go

@@ -382,10 +382,10 @@ func (p Prefix) Resolve(_ *Policy, _ types.Users, nodes types.Nodes) (*netipx.IP
 type AutoGroup string
 
 const (
-	AutoGroupMember   AutoGroup = "autogroup:member"
 	AutoGroupInternet AutoGroup = "autogroup:internet"
-	AutoGroupTagged   AutoGroup = "autogroup:tagged"
+	AutoGroupMember   AutoGroup = "autogroup:member"
 	AutoGroupNonRoot  AutoGroup = "autogroup:nonroot"
+	AutoGroupTagged   AutoGroup = "autogroup:tagged"
 
 	// These are not yet implemented.
 	AutoGroupSelf AutoGroup = "autogroup:self"
@@ -394,8 +394,8 @@ const (
 var autogroups = []AutoGroup{
 	AutoGroupInternet,
 	AutoGroupMember,
-	AutoGroupTagged,
 	AutoGroupNonRoot,
+	AutoGroupTagged,
 }
 
 func (ag AutoGroup) Validate() error {
@@ -423,27 +423,59 @@ func (ag AutoGroup) Resolve(p *Policy, users types.Users, nodes types.Nodes) (*n
 
 	case AutoGroupMember:
 		// autogroup:member represents all untagged devices in the tailnet.
+		tagMap, err := resolveTagOwners(p, users, nodes)
+		if err != nil {
+			return nil, err
+		}
+
 		for _, node := range nodes {
+			// Skip if node has forced tags
 			if len(node.ForcedTags) != 0 {
 				continue
 			}
+
+			// Skip if node has any allowed requested tags
+			hasAllowedTag := false
 			if node.Hostinfo != nil && len(node.Hostinfo.RequestTags) != 0 {
+				for _, tag := range node.Hostinfo.RequestTags {
+					if tagips, ok := tagMap[Tag(tag)]; ok && node.InIPSet(tagips) {
+						hasAllowedTag = true
+						break
+					}
+				}
+			}
+			if hasAllowedTag {
 				continue
 			}
+
+			// Node is a member if it has no forced tags and no allowed requested tags
 			node.AppendToIPSet(&build)
 		}
 
 		return build.IPSet()
 
 	case AutoGroupTagged:
 		// autogroup:tagged represents all devices with a tag in the tailnet.
+		tagMap, err := resolveTagOwners(p, users, nodes)
+		if err != nil {
+			return nil, err
+		}
+
 		for _, node := range nodes {
+			// Include if node has forced tags
 			if len(node.ForcedTags) != 0 {
 				node.AppendToIPSet(&build)
 				continue
 			}
+
+			// Include if node has any allowed requested tags
 			if node.Hostinfo != nil && len(node.Hostinfo.RequestTags) != 0 {
-				node.AppendToIPSet(&build)
+				for _, tag := range node.Hostinfo.RequestTags {
+					if _, ok := tagMap[Tag(tag)]; ok {
+						node.AppendToIPSet(&build)
+						break
+					}
+				}
 			}
 		}
 
@@ -958,6 +990,7 @@ type Policy struct {
 }
 
 var (
+	// TODO(kradalby): Add these checks for tagOwners and autoApprovers
 	autogroupForSrc       = []AutoGroup{AutoGroupMember, AutoGroupTagged}
 	autogroupForDst       = []AutoGroup{AutoGroupInternet, AutoGroupMember, AutoGroupTagged}
 	autogroupForSSHSrc    = []AutoGroup{AutoGroupMember, AutoGroupTagged}
@@ -1280,19 +1313,3 @@ func unmarshalPolicy(b []byte) (*Policy, error) {
 const (
 	expectedTokenItems = 2
 )
-
-var allIPSet *netipx.IPSet
-
-func allIPs() *netipx.IPSet {
-	if allIPSet != nil {
-		return allIPSet
-	}
-
-	var build netipx.IPSetBuilder
-	build.AddPrefix(netip.MustParsePrefix("::/0"))
-	build.AddPrefix(netip.MustParsePrefix("0.0.0.0/0"))
-
-	allTheIps, _ := build.IPSet()
-
-	return allTheIps
-}

hscontrol/policy/v2/types_test.go

@@ -359,7 +359,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 	],
 }
 `,
-			wantErr: `AutoGroup is invalid, got: "autogroup:invalid", must be one of [autogroup:internet autogroup:member autogroup:tagged autogroup:nonroot]`,
+			wantErr: `AutoGroup is invalid, got: "autogroup:invalid", must be one of [autogroup:internet autogroup:member autogroup:nonroot autogroup:tagged]`,
 		},
 		{
 			name: "undefined-hostname-errors-2490",
@@ -766,85 +766,128 @@ func TestResolvePolicy(t *testing.T) {
 			want:      []netip.Prefix{tsaddr.AllIPv4(), tsaddr.AllIPv6()},
 		},
 		{
-			name:      "autogroup-member-basic",
+			name:      "autogroup-member-comprehensive",
 			toResolve: ptr.To(AutoGroup(AutoGroupMember)),
 			nodes: types.Nodes{
+				// Node with no tags (should be included)
 				{
 					User: users["testuser"],
 					IPv4: ap("100.100.101.1"),
 				},
+				// Node with forced tags (should be excluded)
 				{
 					User:       users["testuser"],
 					ForcedTags: []string{"tag:test"},
 					IPv4:       ap("100.100.101.2"),
 				},
+				// Node with allowed requested tag (should be excluded)
 				{
 					User: users["testuser"],
 					Hostinfo: &tailcfg.Hostinfo{
 						RequestTags: []string{"tag:test"},
 					},
 					IPv4: ap("100.100.101.3"),
 				},
+				// Node with non-allowed requested tag (should be included)
 				{
-					User: users["notme"],
+					User: users["testuser"],
+					Hostinfo: &tailcfg.Hostinfo{
+						RequestTags: []string{"tag:notallowed"},
+					},
 					IPv4: ap("100.100.101.4"),
 				},
-			},
-			want: []netip.Prefix{mp("100.100.101.1/32"), mp("100.100.101.4/32")},
-		},
-		{
-			name:      "autogroup-member-multiple-users",
-			toResolve: ptr.To(AutoGroup(AutoGroupMember)),
-			nodes: types.Nodes{
-				{
-					User: users["user1"],
-					IPv4: ap("100.100.101.1"),
-				},
-				{
-					User: users["user2"],
-					IPv4: ap("100.100.101.2"),
-				},
+				// Node with multiple requested tags, one allowed (should be excluded)
 				{
-					User:       users["user3"],
-					ForcedTags: []string{"tag:test"},
-					IPv4:       ap("100.100.101.3"),
+					User: users["testuser"],
+					Hostinfo: &tailcfg.Hostinfo{
+						RequestTags: []string{"tag:test", "tag:notallowed"},
+					},
+					IPv4: ap("100.100.101.5"),
 				},
+				// Node with multiple requested tags, none allowed (should be included)
 				{
-					User: users["user4"],
+					User: users["testuser"],
 					Hostinfo: &tailcfg.Hostinfo{
-						RequestTags: []string{"tag:test"},
+						RequestTags: []string{"tag:notallowed1", "tag:notallowed2"},
 					},
-					IPv4: ap("100.100.101.4"),
+					IPv4: ap("100.100.101.6"),
+				},
+			},
+			pol: &Policy{
+				TagOwners: TagOwners{
+					Tag("tag:test"): Owners{ptr.To(Username("testuser@"))},
 				},
 			},
-			want: []netip.Prefix{mp("100.100.101.1/32"), mp("100.100.101.2/32")},
+			want: []netip.Prefix{
+				mp("100.100.101.1/32"), // No tags
+				mp("100.100.101.4/32"), // Non-allowed requested tag
+				mp("100.100.101.6/32"), // Multiple non-allowed requested tags
+			},
 		},
 		{
 			name:      "autogroup-tagged",
 			toResolve: ptr.To(AutoGroup(AutoGroupTagged)),
 			nodes: types.Nodes{
+				// Node with no tags (should be excluded)
 				{
 					User: users["testuser"],
 					IPv4: ap("100.100.101.1"),
 				},
+				// Node with forced tag (should be included)
 				{
 					User:       users["testuser"],
 					ForcedTags: []string{"tag:test"},
 					IPv4:       ap("100.100.101.2"),
 				},
+				// Node with allowed requested tag (should be included)
 				{
 					User: users["testuser"],
 					Hostinfo: &tailcfg.Hostinfo{
 						RequestTags: []string{"tag:test"},
 					},
 					IPv4: ap("100.100.101.3"),
 				},
+				// Node with non-allowed requested tag (should be excluded)
 				{
-					User: users["notme"],
+					User: users["testuser"],
+					Hostinfo: &tailcfg.Hostinfo{
+						RequestTags: []string{"tag:notallowed"},
+					},
 					IPv4: ap("100.100.101.4"),
 				},
+				// Node with multiple requested tags, one allowed (should be included)
+				{
+					User: users["testuser"],
+					Hostinfo: &tailcfg.Hostinfo{
+						RequestTags: []string{"tag:test", "tag:notallowed"},
+					},
+					IPv4: ap("100.100.101.5"),
+				},
+				// Node with multiple requested tags, none allowed (should be excluded)
+				{
+					User: users["testuser"],
+					Hostinfo: &tailcfg.Hostinfo{
+						RequestTags: []string{"tag:notallowed1", "tag:notallowed2"},
+					},
+					IPv4: ap("100.100.101.6"),
+				},
+				// Node with multiple forced tags (should be included)
+				{
+					User:       users["testuser"],
+					ForcedTags: []string{"tag:test", "tag:other"},
+					IPv4:       ap("100.100.101.7"),
+				},
+			},
+			pol: &Policy{
+				TagOwners: TagOwners{
+					Tag("tag:test"): Owners{ptr.To(Username("testuser@"))},
+				},
+			},
+			want: []netip.Prefix{
+				mp("100.100.101.2/31"), // Forced tag and allowed requested tag consecutive IPs are put in 31 prefix
+				mp("100.100.101.5/32"), // Multiple requested tags, one allowed
+				mp("100.100.101.7/32"), // Multiple forced tags
 			},
-			want: []netip.Prefix{mp("100.100.101.2/31")},
 		},
 		{
 			name:      "autogroup-invalid",
@@ -1013,7 +1056,7 @@ func TestResolveAutoApprovers(t *testing.T) {
 			name: "mixed-routes-and-exit-nodes",
 			policy: &Policy{
 				Groups: Groups{
-					"group:testgroup": Usernames{"user1", "user2"},
+					"group:testgroup": Usernames{"user1@", "user2@"},
 				},
 				AutoApprovers: AutoApproverPolicy{
 					Routes: map[netip.Prefix]AutoApprovers{