feat: add autogroup:member, autogroup:tagged #2572
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Pull Request Revisions
✅ AI review completed for r3 HelpReact with emojis to give feedback on AI-generated reviews:
We'd love to hear from you—reach out anytime at [email protected]. |
ghost
approved these changes
May 7, 2025
hscontrol/policy/v2/types.go
Outdated
Comment on lines
1286
to
1298
| func allIPs() *netipx.IPSet { | ||
| if allIPSet != nil { | ||
| return allIPSet | ||
| } | ||
|
|
||
| var build netipx.IPSetBuilder | ||
| build.AddPrefix(netip.MustParsePrefix("::/0")) | ||
| build.AddPrefix(netip.MustParsePrefix("0.0.0.0/0")) | ||
|
|
||
| allTheIps, _ := build.IPSet() | ||
|
|
||
| return allTheIps | ||
| } |
There was a problem hiding this comment.
In allIPs() function, the IPSet is being built but not stored in the global allIPSet variable. This means the caching mechanism isn't working - the function always builds a new set even if it's already been created.
Comment on lines
+1143
to
+1253
| func TestACLAutogroupMember(t *testing.T) { | ||
| IntegrationSkip(t) | ||
| t.Parallel() | ||
|
|
||
| scenario := aclScenario(t, | ||
| &policyv1.ACLPolicy{ | ||
| ACLs: []policyv1.ACL{ | ||
| { | ||
| Action: "accept", | ||
| Sources: []string{"autogroup:member"}, | ||
| Destinations: []string{"autogroup:member:*"}, | ||
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that untagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } | ||
|
|
||
| func TestACLAutogroupTagged(t *testing.T) { | ||
| IntegrationSkip(t) | ||
| t.Parallel() | ||
|
|
||
| scenario := aclScenario(t, | ||
| &policyv1.ACLPolicy{ | ||
| ACLs: []policyv1.ACL{ | ||
| { | ||
| Action: "accept", | ||
| Sources: []string{"autogroup:tagged"}, | ||
| Destinations: []string{"autogroup:tagged:*"}, | ||
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that tagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
The integration tests for autogroup:member and autogroup:tagged have duplicated code structures. Consider extracting a common test helper function that takes the autogroup type and condition check as parameters to reduce duplication and increase maintainability.
kradalby
requested changes
May 9, 2025
| [#2438](https://github.com/juanfont/headscale/pull/2438) | ||
| - Add documentation for routes | ||
| [#2496](https://github.com/juanfont/headscale/pull/2496) | ||
| - Add support for `autogroup:member`, `autogroup:tagged` |
Collaborator
|
Great start! |
ghost
approved these changes
May 9, 2025
Comment on lines
+1162
to
+1194
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that untagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
Both TestACLAutogroupMember and TestACLAutogroupTagged contain similar error handling and test setup logic. Consider extracting a helper function to reduce duplication and improve maintainability.
ghost
reviewed
May 9, 2025
There was a problem hiding this comment.
The error message in validateAutogroupForSSHDst incorrectly states 'for SSH sources' but should say 'for SSH destinations' to match the function's purpose.
vdovhanych
commented
May 9, 2025
Contributor
Author
vdovhanych
left a comment
There was a problem hiding this comment.
Most of the comments are for me to better understand the logic, i was getting lost in it a bit.
| [#2438](https://github.com/juanfont/headscale/pull/2438) | ||
| - Add documentation for routes | ||
| [#2496](https://github.com/juanfont/headscale/pull/2496) | ||
| - Add support for `autogroup:member`, `autogroup:tagged` |
kradalby
approved these changes
May 16, 2025
Collaborator
kradalby
left a comment
There was a problem hiding this comment.
I think this looks great, I am happy to merge this and add more tests as we continue testing.
Contributor
Author
Okay, cool. I will squash the fixup commit. |
Collaborator
|
None of them seem to out of place, let's leave them and then we can update them as needed |
Collaborator
|
I'll run the tests when you have squashed and if all passes I'll merge it |
2b3ee90 to
54d7e61
Compare
Contributor
Author
|
Squashed |
ghost
approved these changes
May 16, 2025
Comment on lines
+1143
to
+1253
| func TestACLAutogroupMember(t *testing.T) { | ||
| IntegrationSkip(t) | ||
| t.Parallel() | ||
|
|
||
| scenario := aclScenario(t, | ||
| &policyv1.ACLPolicy{ | ||
| ACLs: []policyv1.ACL{ | ||
| { | ||
| Action: "accept", | ||
| Sources: []string{"autogroup:member"}, | ||
| Destinations: []string{"autogroup:member:*"}, | ||
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that untagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags != nil && status.Self.Tags.Len() > 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } | ||
|
|
||
| func TestACLAutogroupTagged(t *testing.T) { | ||
| IntegrationSkip(t) | ||
| t.Parallel() | ||
|
|
||
| scenario := aclScenario(t, | ||
| &policyv1.ACLPolicy{ | ||
| ACLs: []policyv1.ACL{ | ||
| { | ||
| Action: "accept", | ||
| Sources: []string{"autogroup:tagged"}, | ||
| Destinations: []string{"autogroup:tagged:*"}, | ||
| }, | ||
| }, | ||
| }, | ||
| 2, | ||
| ) | ||
| defer scenario.ShutdownAssertNoPanics(t) | ||
|
|
||
| allClients, err := scenario.ListTailscaleClients() | ||
| require.NoError(t, err) | ||
|
|
||
| err = scenario.WaitForTailscaleSync() | ||
| require.NoError(t, err) | ||
|
|
||
| // Test that tagged nodes can access each other | ||
| for _, client := range allClients { | ||
| status, err := client.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| for _, peer := range allClients { | ||
| if client.Hostname() == peer.Hostname() { | ||
| continue | ||
| } | ||
|
|
||
| status, err := peer.Status() | ||
| require.NoError(t, err) | ||
| if status.Self.Tags == nil || status.Self.Tags.Len() == 0 { | ||
| continue | ||
| } | ||
|
|
||
| fqdn, err := peer.FQDN() | ||
| require.NoError(t, err) | ||
|
|
||
| url := fmt.Sprintf("http://%s/etc/hostname", fqdn) | ||
| t.Logf("url from %s to %s", client.Hostname(), url) | ||
|
|
||
| result, err := client.Curl(url) | ||
| assert.Len(t, result, 13) | ||
| require.NoError(t, err) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
The integration tests for autogroup:member and autogroup:tagged have nearly identical structure and logic. Consider extracting a common test helper function that takes the autogroup type and filter conditions as parameters to reduce duplication.
ghost
reviewed
May 16, 2025
There was a problem hiding this comment.
In the validateAutogroupForSSHDst function, the error message incorrectly refers to 'SSH sources' instead of 'SSH destinations', which could be confusing during troubleshooting.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implements two autogroups
autogroup:memberandautogroup:tagged. I talked with @kradalby about leaving outautogroup:selffor now, as that is a bit trickier in the end.The logic of the autogroups and test is taken from the draft pr #2230, but it has been implemented for the new policy structure.