Add notes about current ssh status

Signed-off-by: Kristoffer Dalby <kradalby@kradalby.no>

CHANGELOG.md

@@ -1,27 +1,15 @@
 # CHANGELOG
 
-## 0.17.0 (2022-11-26)
+## 0.17.0 (2022-XX-XX)
 
 ### BREAKING
 
-- `noise.private_key_path` has been added and is required for the new noise protocol.
 - Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
 - Removed Alpine Linux container image [#962](https://github.com/juanfont/headscale/pull/962)
 
-### Important Changes
-
-- Added support for Tailscale TS2021 protocol [#738](https://github.com/juanfont/headscale/pull/738)
-- Add experimental support for [SSH ACL](https://tailscale.com/kb/1018/acls/#tailscale-ssh) (see docs for limitations) [#847](https://github.com/juanfont/headscale/pull/847)
-  - Please note that this support should be considered _partially_ implemented
-  - SSH ACLs status:
-    - Support `accept` and `check` (SSH can be enabled and used for connecting and authentication)
-    - Rejecting connections **are not supported**, meaning that if you enable SSH, then assume that _all_ `ssh` connections **will be allowed**.
-    - If you decied to try this feature, please carefully managed permissions by blocking port `22` with regular ACLs or do _not_ set `--ssh` on your clients.
-    - We are currently improving our testing of the SSH ACLs, help us get an overview by testing and giving feedback.
-  - This feature should be considered dangerous and it is disabled by default. Enable by setting `HEADSCALE_EXPERIMENTAL_FEATURE_SSH=1`.
-
 ### Changes
 
+- Added support for Tailscale TS2021 protocol [#738](https://github.com/juanfont/headscale/pull/738)
 - Add ability to specify config location via env var `HEADSCALE_CONFIG` [#674](https://github.com/juanfont/headscale/issues/674)
 - Target Go 1.19 for Headscale [#778](https://github.com/juanfont/headscale/pull/778)
 - Target Tailscale v1.30.0 to build Headscale [#780](https://github.com/juanfont/headscale/pull/780)
@@ -41,6 +29,14 @@
 - Fix OIDC registration issues [#960](https://github.com/juanfont/headscale/pull/960) and [#971](https://github.com/juanfont/headscale/pull/971)
 - Add support for specifying NextDNS DNS-over-HTTPS resolver [#940](https://github.com/juanfont/headscale/pull/940)
 - Make more sslmode available for postgresql connection [#927](https://github.com/juanfont/headscale/pull/927)
+- Add experimental support for [SSH ACL](https://tailscale.com/kb/1018/acls/#tailscale-ssh) (see docs for limitations) [#847](https://github.com/juanfont/headscale/pull/847)
+  - Please note that this support should be considered _partially_ implemented
+  - SSH ACLs status:
+    - Support `accept` and `check` (SSH can be enabled and used for connecting and authentication)
+    - Rejecting connections **are not supported**, meaning that if you enable SSH, then assume that _all_ `ssh` connections **will be allowed**.
+    - If you decied to try this feature, please carefully managed permissions by blocking port `22` with regular ACLs or do _not_ set `--ssh` on your clients.
+    - We are currently improving our testing of the SSH ACLs, help us get an overview by testing and giving feedback.
+  - This feature should be considered dangerous and it is disabled by default. Enable by setting `HEADSCALE_EXPERIMENTAL_FEATURE_SSH=1`.
 
 ## 0.16.4 (2022-08-21)
 

acls.go

@@ -117,16 +117,7 @@ func (h *Headscale) LoadACLPolicy(path string) error {
 }
 
 func (h *Headscale) UpdateACLRules() error {
-	machines, err := h.ListMachines()
-	if err != nil {
-		return err
-	}
-
-	if h.aclPolicy == nil {
-		return errEmptyPolicy
-	}
-
-	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
+	rules, err := h.generateACLRules()
 	if err != nil {
 		return err
 	}
@@ -150,17 +141,26 @@ func (h *Headscale) UpdateACLRules() error {
 	return nil
 }
 
-func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain bool) ([]tailcfg.FilterRule, error) {
+func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
 
-	for index, acl := range aclPolicy.ACLs {
+	if h.aclPolicy == nil {
+		return nil, errEmptyPolicy
+	}
+
+	machines, err := h.ListMachines()
+	if err != nil {
+		return nil, err
+	}
+
+	for index, acl := range h.aclPolicy.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}
 
 		srcIPs := []string{}
 		for innerIndex, src := range acl.Sources {
-			srcs, err := generateACLPolicySrcIP(machines, aclPolicy, src, stripEmaildomain)
+			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, src)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
@@ -180,12 +180,11 @@ func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain
 
 		destPorts := []tailcfg.NetPortRange{}
 		for innerIndex, dest := range acl.Destinations {
-			dests, err := generateACLPolicyDest(
+			dests, err := h.generateACLPolicyDest(
 				machines,
-				aclPolicy,
+				*h.aclPolicy,
 				dest,
 				needsWildcard,
-				stripEmaildomain,
 			)
 			if err != nil {
 				log.Error().
@@ -311,21 +310,19 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }
 
-func generateACLPolicySrcIP(
+func (h *Headscale) generateACLPolicySrcIP(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	src string,
-	stripEmaildomain bool,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
+	return expandAlias(machines, aclPolicy, src, h.cfg.OIDC.StripEmaildomain)
 }
 
-func generateACLPolicyDest(
+func (h *Headscale) generateACLPolicyDest(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	dest string,
 	needsWildcard bool,
-	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
 	tokens := strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
@@ -349,7 +346,7 @@ func generateACLPolicyDest(
 		machines,
 		aclPolicy,
 		alias,
-		stripEmaildomain,
+		h.cfg.OIDC.StripEmaildomain,
 	)
 	if err != nil {
 		return nil, err

acls_test.go

@@ -54,7 +54,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_1.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
+	rules, err := app.generateACLRules()
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 }
@@ -411,7 +411,7 @@ func (s *Suite) TestPortRange(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_range.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
+	rules, err := app.generateACLRules()
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -425,7 +425,7 @@ func (s *Suite) TestProtocolParsing(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_protocols.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
+	rules, err := app.generateACLRules()
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -439,7 +439,7 @@ func (s *Suite) TestPortWildcard(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
+	rules, err := app.generateACLRules()
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -455,7 +455,7 @@ func (s *Suite) TestPortWildcardYAML(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.yaml")
 	c.Assert(err, check.IsNil)
 
-	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
+	rules, err := app.generateACLRules()
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -495,10 +495,7 @@ func (s *Suite) TestPortNamespace(c *check.C) {
 	)
 	c.Assert(err, check.IsNil)
 
-	machines, err := app.ListMachines()
-	c.Assert(err, check.IsNil)
-
-	rules, err := generateACLRules(machines, *app.aclPolicy, false)
+	rules, err := app.generateACLRules()
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -538,10 +535,7 @@ func (s *Suite) TestPortGroup(c *check.C) {
 	err = app.LoadACLPolicy("./tests/acls/acl_policy_basic_groups.hujson")
 	c.Assert(err, check.IsNil)
 
-	machines, err := app.ListMachines()
-	c.Assert(err, check.IsNil)
-
-	rules, err := generateACLRules(machines, *app.aclPolicy, false)
+	rules, err := app.generateACLRules()
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 

integration/general_test.go

@@ -122,10 +122,6 @@ func TestPingAllByHostname(t *testing.T) {
 	}
 }
 
-// If subtests are parallel, then they will start before setup is run.
-// This might mean we approach setup slightly wrong, but for now, ignore
-// the linter
-// nolint:tparallel
 func TestTaildrop(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()

integration/scenario_test.go

@@ -21,10 +21,6 @@ func IntegrationSkip(t *testing.T) {
 	}
 }
 
-// If subtests are parallel, then they will start before setup is run.
-// This might mean we approach setup slightly wrong, but for now, ignore
-// the linter
-// nolint:tparallel
 func TestHeadscale(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
@@ -74,10 +70,6 @@ func TestHeadscale(t *testing.T) {
 	}
 }
 
-// If subtests are parallel, then they will start before setup is run.
-// This might mean we approach setup slightly wrong, but for now, ignore
-// the linter
-// nolint:tparallel
 func TestCreateTailscale(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
@@ -112,10 +104,6 @@ func TestCreateTailscale(t *testing.T) {
 	}
 }
 
-// If subtests are parallel, then they will start before setup is run.
-// This might mean we approach setup slightly wrong, but for now, ignore
-// the linter
-// nolint:tparallel
 func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()

platform_config.go

@@ -220,8 +220,8 @@ func (h *Headscale) ApplePlatformConfig(
 	}
 
 	switch platform {
-	case "macos-standalone":
-		if err := macosStandaloneTemplate.Execute(&payload, platformConfig); err != nil {
+	case "macos-standlone":
+		if err := macosStandloneTemplate.Execute(&payload, platformConfig); err != nil {
 			handleMacError(err)
 
 			return
@@ -390,7 +390,7 @@ var macosAppStoreTemplate = template.Must(template.New("macosTemplate").Parse(`
     </dict>
 `))
 
-var macosStandaloneTemplate = template.Must(template.New("macosStandaloneTemplate").Parse(`
+var macosStandloneTemplate = template.Must(template.New("macosStandloneTemplate").Parse(`
     <dict>
         <key>PayloadType</key>
         <string>io.tailscale.ipn.macsys</string>

templates/apple.html

@@ -92,7 +92,7 @@
         <code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
       </li>
       <li>
-        for standalone client:
+        for standlone client:
         <code>defaults write io.tailscale.ipn.macsys ControlURL {{.URL}}</code>
       </li>
     </ul>