state: introduce state

this commit moves all of the read and write logic, and all different parts of headscale that manages some sort of persistent and in memory state into a separate package. The goal of this is to clearly define the boundry between parts of the app which accesses and modifies data, and where it happens. Previously, different state (routes, policy, db and so on) was used directly, and sometime passed to functions as pointers. Now all access has to go through state. In the initial implementation, most of the same functions exists and have just been moved. In the future centralising this will allow us to optimise bottle necks with the database (in memory state) and make the different parts talking to eachother do so in the same way across headscale components. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-08-11 15:27:37 +00:00 · 2025-05-27 16:27:16 +02:00
parent a975b6a8b1
commit 1553f0ab53
17 changed files with 1390 additions and 1067 deletions
--- a/hscontrol/types/preauth_key.go
+++ b/hscontrol/types/preauth_key.go
@@ -1,12 +1,18 @@
 package types

 import (
+	"fmt"
 	"time"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )

+type PAKError string
+
+func (e PAKError) Error() string { return string(e) }
+func (e PAKError) Unwrap() error { return fmt.Errorf("preauth key error: %s", e) }
+
 // PreAuthKey describes a pre-authorization key usable in a particular user.
 type PreAuthKey struct {
 	ID        uint64 `gorm:"primary_key"`
@@ -48,3 +54,24 @@ func (key *PreAuthKey) Proto() *v1.PreAuthKey {

 	return &protoKey
 }
+
+// canUsePreAuthKey checks if a pre auth key can be used.
+func (pak *PreAuthKey) Validate() error {
+	if pak == nil {
+		return PAKError("invalid authkey")
+	}
+	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
+		return PAKError("authkey expired")
+	}
+
+	// we don't need to check if has been used before
+	if pak.Reusable {
+		return nil
+	}
+
+	if pak.Used {
+		return PAKError("authkey already used")
+	}
+
+	return nil
+}
--- a/hscontrol/types/preauth_key_test.go
+++ b/hscontrol/types/preauth_key_test.go
@@ -0,0 +1,128 @@
+package types
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestCanUsePreAuthKey(t *testing.T) {
+	now := time.Now()
+	past := now.Add(-time.Hour)
+	future := now.Add(time.Hour)
+
+	tests := []struct {
+		name    string
+		pak     *PreAuthKey
+		wantErr bool
+		err     PAKError
+	}{
+		{
+			name: "valid reusable key",
+			pak: &PreAuthKey{
+				Reusable:   true,
+				Used:       false,
+				Expiration: &future,
+			},
+			wantErr: false,
+		},
+		{
+			name: "valid non-reusable key",
+			pak: &PreAuthKey{
+				Reusable:   false,
+				Used:       false,
+				Expiration: &future,
+			},
+			wantErr: false,
+		},
+		{
+			name: "expired key",
+			pak: &PreAuthKey{
+				Reusable:   false,
+				Used:       false,
+				Expiration: &past,
+			},
+			wantErr: true,
+			err:     PAKError("authkey expired"),
+		},
+		{
+			name: "used non-reusable key",
+			pak: &PreAuthKey{
+				Reusable:   false,
+				Used:       true,
+				Expiration: &future,
+			},
+			wantErr: true,
+			err:     PAKError("authkey already used"),
+		},
+		{
+			name: "used reusable key",
+			pak: &PreAuthKey{
+				Reusable:   true,
+				Used:       true,
+				Expiration: &future,
+			},
+			wantErr: false,
+		},
+		{
+			name: "no expiration date",
+			pak: &PreAuthKey{
+				Reusable:   false,
+				Used:       false,
+				Expiration: nil,
+			},
+			wantErr: false,
+		},
+		{
+			name:    "nil preauth key",
+			pak:     nil,
+			wantErr: true,
+			err:     PAKError("invalid authkey"),
+		},
+		{
+			name: "expired and used key",
+			pak: &PreAuthKey{
+				Reusable:   false,
+				Used:       true,
+				Expiration: &past,
+			},
+			wantErr: true,
+			err:     PAKError("authkey expired"),
+		},
+		{
+			name: "no expiration and used key",
+			pak: &PreAuthKey{
+				Reusable:   false,
+				Used:       true,
+				Expiration: nil,
+			},
+			wantErr: true,
+			err:     PAKError("authkey already used"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.pak.Validate()
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("expected error but got none")
+				} else {
+					httpErr, ok := err.(PAKError)
+					if !ok {
+						t.Errorf("expected HTTPError but got %T", err)
+					} else {
+						if diff := cmp.Diff(tt.err, httpErr); diff != "" {
+							t.Errorf("unexpected error (-want +got):\n%s", diff)
+						}
+					}
+				}
+			} else {
+				if err != nil {
+					t.Errorf("expected no error but got %v", err)
+				}
+			}
+		})
+	}
+}