feat: add autogroup:self (#2789)

2025-11-07 21:02:51 -05:00 · 2025-10-16 12:59:52 +02:00
parent fddc7117e4
commit c2a58a304d
15 changed files with 1448 additions and 26 deletions
--- a/integration/acl_test.go
+++ b/integration/acl_test.go
@@ -1536,3 +1536,100 @@ func TestACLAutogroupTagged(t *testing.T) {
 		}
 	}
 }
+
+// Test that only devices owned by the same user can access each other and cannot access devices of other users
+func TestACLAutogroupSelf(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := aclScenario(t,
+		&policyv2.Policy{
+			ACLs: []policyv2.ACL{
+				{
+					Action:  "accept",
+					Sources: []policyv2.Alias{ptr.To(policyv2.AutoGroupMember)},
+					Destinations: []policyv2.AliasWithPorts{
+						aliasWithPorts(ptr.To(policyv2.AutoGroupSelf), tailcfg.PortRangeAny),
+					},
+				},
+			},
+		},
+		2,
+	)
+	defer scenario.ShutdownAssertNoPanics(t)
+
+	err := scenario.WaitForTailscaleSyncWithPeerCount(1, integrationutil.PeerSyncTimeout(), integrationutil.PeerSyncRetryInterval())
+	require.NoError(t, err)
+
+	user1Clients, err := scenario.GetClients("user1")
+	require.NoError(t, err)
+
+	user2Clients, err := scenario.GetClients("user2")
+	require.NoError(t, err)
+
+	// Test that user1's devices can access each other
+	for _, client := range user1Clients {
+		for _, peer := range user1Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			fqdn, err := peer.FQDN()
+			require.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s (user1) to %s (user1)", client.Hostname(), fqdn)
+
+			result, err := client.Curl(url)
+			assert.Len(t, result, 13)
+			require.NoError(t, err)
+		}
+	}
+
+	// Test that user2's devices can access each other
+	for _, client := range user2Clients {
+		for _, peer := range user2Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			fqdn, err := peer.FQDN()
+			require.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s (user2) to %s (user2)", client.Hostname(), fqdn)
+
+			result, err := client.Curl(url)
+			assert.Len(t, result, 13)
+			require.NoError(t, err)
+		}
+	}
+
+	// Test that devices from different users cannot access each other
+	for _, client := range user1Clients {
+		for _, peer := range user2Clients {
+			fqdn, err := peer.FQDN()
+			require.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s (user1) to %s (user2) - should FAIL", client.Hostname(), fqdn)
+
+			result, err := client.Curl(url)
+			assert.Empty(t, result, "user1 should not be able to access user2's devices with autogroup:self")
+			assert.Error(t, err, "connection from user1 to user2 should fail")
+		}
+	}
+
+	for _, client := range user2Clients {
+		for _, peer := range user1Clients {
+			fqdn, err := peer.FQDN()
+			require.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s (user2) to %s (user1) - should FAIL", client.Hostname(), fqdn)
+
+			result, err := client.Curl(url)
+			assert.Empty(t, result, "user2 should not be able to access user1's devices with autogroup:self")
+			assert.Error(t, err, "connection from user2 to user1 should fail")
+		}
+	}
+}
--- a/integration/ssh_test.go
+++ b/integration/ssh_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/ptr"
 )

 func isSSHNoAccessStdError(stderr string) bool {
@@ -458,3 +459,84 @@ func assertSSHNoAccessStdError(t *testing.T, err error, stderr string) {
 		t.Errorf("expected stderr output suggesting access denied, got: %s", stderr)
 	}
 }
+
+// TestSSHAutogroupSelf tests that SSH with autogroup:self works correctly:
+// - Users can SSH to their own devices
+// - Users cannot SSH to other users' devices
+func TestSSHAutogroupSelf(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := sshScenario(t,
+		&policyv2.Policy{
+			ACLs: []policyv2.ACL{
+				{
+					Action:   "accept",
+					Protocol: "tcp",
+					Sources:  []policyv2.Alias{wildcard()},
+					Destinations: []policyv2.AliasWithPorts{
+						aliasWithPorts(wildcard(), tailcfg.PortRangeAny),
+					},
+				},
+			},
+			SSHs: []policyv2.SSH{
+				{
+					Action: "accept",
+					Sources: policyv2.SSHSrcAliases{
+						ptr.To(policyv2.AutoGroupMember),
+					},
+					Destinations: policyv2.SSHDstAliases{
+						ptr.To(policyv2.AutoGroupSelf),
+					},
+					Users: []policyv2.SSHUser{policyv2.SSHUser("ssh-it-user")},
+				},
+			},
+		},
+		2, // 2 clients per user
+	)
+	defer scenario.ShutdownAssertNoPanics(t)
+
+	user1Clients, err := scenario.ListTailscaleClients("user1")
+	assertNoErrListClients(t, err)
+
+	user2Clients, err := scenario.ListTailscaleClients("user2")
+	assertNoErrListClients(t, err)
+
+	err = scenario.WaitForTailscaleSync()
+	assertNoErrSync(t, err)
+
+	// Test that user1's devices can SSH to each other
+	for _, client := range user1Clients {
+		for _, peer := range user1Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	// Test that user2's devices can SSH to each other
+	for _, client := range user2Clients {
+		for _, peer := range user2Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	// Test that user1 cannot SSH to user2's devices
+	for _, client := range user1Clients {
+		for _, peer := range user2Clients {
+			assertSSHPermissionDenied(t, client, peer)
+		}
+	}
+
+	// Test that user2 cannot SSH to user1's devices
+	for _, client := range user2Clients {
+		for _, peer := range user1Clients {
+			assertSSHPermissionDenied(t, client, peer)
+		}
+	}
+}