feat: add autogroup:member, autogroup:tagged #2572
Merged
+329
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vdovhanych
requested review from
ohdearaugustin,
nblock,
juanfont and
kradalby
as code owners
Pull Request Revisions
✅ AI review completed for r3 HelpReact with emojis to give feedback on AI-generated reviews:
We'd love to hear from you—reach out anytime at [email protected]. |
![review-ai-agent[bot]](https://avatars.githubusercontent.com/in/1104228?s=60&v=4){kind=small}
hscontrol/policy/v2/types.go
Outdated
Comment on lines
1286
to
1298
| func allIPs() *netipx.IPSet { | ||
| if allIPSet != nil { | ||
| return allIPSet | ||
| } | ||
|
|
||
| var build netipx.IPSetBuilder | ||
| build.AddPrefix(netip.MustParsePrefix("::/0")) | ||
| build.AddPrefix(netip.MustParsePrefix("0.0.0.0/0")) | ||
|
|
||
| allTheIps, _ := build.IPSet() | ||
|
|
||
| return allTheIps | ||
| } |
There was a problem hiding this comment.
In allIPs() function, the IPSet is being built but not stored in the global allIPSet variable. This means the caching mechanism isn't working - the function always builds a new set even if it's already been created.
Comment on lines
+1143
to
+1253
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that untagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } | ||
|
|
||
| func TestACLAutogroupTagged(t *testing.T) { | ||
| IntegrationSkip(t) | ||
| t.Parallel() | ||
|
|
||
| scenario := aclScenario(t, | ||
| &policyv1.ACLPolicy{ | ||
| ACLs: []policyv1.ACL{ | ||
| { | ||
| Action: "accept", | ||
| Sources: []string{"autogroup:tagged"}, | ||
| Destinations: []string{"autogroup:tagged:*"}, | ||
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that tagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
The integration tests for autogroup:member and autogroup:tagged have duplicated code structures. Consider extracting a common test helper function that takes the autogroup type and condition check as parameters to reduce duplication and increase maintainability.
kradalby
requested changes
May 9, 2025
| @@ -122,6 +122,7 @@ working in v1 and not tested might be broken in v2 (and vice versa). | |||
| [#2438](https://github.com/juanfont/headscale/pull/2438) | |||
| - Add documentation for routes | |||
| [#2496](https://github.com/juanfont/headscale/pull/2496) | |||
| - Add support for `autogroup:member`, `autogroup:tagged` | |||
|
Great start! |
Comment on lines
+1162
to
+1194
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that untagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
Both TestACLAutogroupMember and TestACLAutogroupTagged contain similar error handling and test setup logic. Consider extracting a helper function to reduce duplication and improve maintainability.
There was a problem hiding this comment.
The error message in validateAutogroupForSSHDst incorrectly states 'for SSH sources' but should say 'for SSH destinations' to match the function's purpose.
vdovhanych
commented
May 9, 2025
| @@ -122,6 +122,7 @@ working in v1 and not tested might be broken in v2 (and vice versa). | |||
| [#2438](https://github.com/juanfont/headscale/pull/2438) | |||
| - Add documentation for routes | |||
| [#2496](https://github.com/juanfont/headscale/pull/2496) | |||
| - Add support for `autogroup:member`, `autogroup:tagged` | |||
kradalby
approved these changes
May 16, 2025
Okay, cool. I will squash the fixup commit. |
|
None of them seem to out of place, let's leave them and then we can update them as needed |
|
I'll run the tests when you have squashed and if all passes I'll merge it |
vdovhanych
force-pushed
the
add-autogroup-member-and-tagged
branch
from
2b3ee90 to
54d7e61
Compare
|
Squashed |
Comment on lines
+1143
to
+1253
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that untagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } | ||
|
|
||
| func TestACLAutogroupTagged(t *testing.T) { | ||
| IntegrationSkip(t) | ||
| t.Parallel() | ||
|
|
||
| scenario := aclScenario(t, | ||
| &policyv1.ACLPolicy{ | ||
| ACLs: []policyv1.ACL{ | ||
| { | ||
| Action: "accept", | ||
| Sources: []string{"autogroup:tagged"}, | ||
| Destinations: []string{"autogroup:tagged:*"}, | ||
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that tagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
The integration tests for autogroup:member and autogroup:tagged have nearly identical structure and logic. Consider extracting a common test helper function that takes the autogroup type and filter conditions as parameters to reduce duplication.
There was a problem hiding this comment.
In the validateAutogroupForSSHDst function, the error message incorrectly refers to 'SSH sources' instead of 'SSH destinations', which could be confusing during troubleshooting.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implements two autogroups
autogroup:memberandautogroup:tagged. I talked with @kradalby about leaving outautogroup:selffor now, as that is a bit trickier in the end.The logic of the autogroups and test is taken from the draft pr #2230, but it has been implemented for the new policy structure.