set date for 0.24.1 release

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

CHANGELOG.md

@@ -1,8 +1,19 @@
 # CHANGELOG
 
-## Next
+## 0.24.1 (2025-01-23)
 
-## 0.24.0 (2024-01-17)
+### Changes
+
+- Fix migration issue with user table for PostgreSQL
+  [#2367](https://github.com/juanfont/headscale/pull/2367)
+- Relax username validation to allow emails
+  [#2364](https://github.com/juanfont/headscale/pull/2364)
+- Remove invalid routes and add stronger constraints for routes to avoid API panic
+  [#2371](https://github.com/juanfont/headscale/pull/2371)
+- Fix panic when `derp.update_frequency` is 0
+  [#2368](https://github.com/juanfont/headscale/pull/2368)
+
+## 0.24.0 (2025-01-17)
 
 ### Security fix: OIDC changes in Headscale 0.24.0
 

cmd/headscale/cli/routes.go

@@ -251,10 +251,15 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {
 			isPrimaryStr = strconv.FormatBool(route.GetIsPrimary())
 		}
 
+		var nodeName string
+		if route.GetNode() != nil {
+			nodeName = route.GetNode().GetGivenName()
+		}
+
 		tableData = append(tableData,
 			[]string{
 				strconv.FormatUint(route.GetId(), Base10),
-				route.GetNode().GetGivenName(),
+				nodeName,
 				route.GetPrefix(),
 				strconv.FormatBool(route.GetAdvertised()),
 				strconv.FormatBool(route.GetEnabled()),

hscontrol/app.go

@@ -245,11 +245,11 @@ func (h *Headscale) scheduledTasks(ctx context.Context) {
 
 	lastExpiryCheck := time.Unix(0, 0)
 
-	derpTicker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
-	defer derpTicker.Stop()
-	// If we dont want auto update, just stop the ticker
-	if !h.cfg.DERP.AutoUpdate {
-		derpTicker.Stop()
+	derpTickerChan := make(<-chan time.Time)
+	if h.cfg.DERP.AutoUpdate && h.cfg.DERP.UpdateFrequency != 0 {
+		derpTicker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
+		defer derpTicker.Stop()
+		derpTickerChan = derpTicker.C
 	}
 
 	var extraRecordsUpdate <-chan []tailcfg.DNSRecord
@@ -285,7 +285,7 @@ func (h *Headscale) scheduledTasks(ctx context.Context) {
 				h.nodeNotifier.NotifyAll(ctx, update)
 			}
 
-		case <-derpTicker.C:
+		case <-derpTickerChan:
 			log.Info().Msg("Fetching DERPMap updates")
 			h.DERPMap = derp.GetDERPMap(h.cfg.DERP)
 			if h.cfg.DERP.ServerEnabled && h.cfg.DERP.AutomaticallyAddEmbeddedDerpRegion {

hscontrol/db/db.go

@@ -478,6 +478,38 @@ func NewHeadscaleDatabase(
 				// populate the user with more interesting information.
 				ID: "202407191627",
 				Migrate: func(tx *gorm.DB) error {
+					// Fix an issue where the automigration in GORM expected a constraint to
+					// exists that didnt, and add the one it wanted.
+					// Fixes https://github.com/juanfont/headscale/issues/2351
+					if cfg.Type == types.DatabasePostgres {
+						err := tx.Exec(`
+BEGIN;
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint
+        WHERE conname = 'uni_users_name'
+    ) THEN
+        ALTER TABLE users ADD CONSTRAINT uni_users_name UNIQUE (name);
+    END IF;
+END $$;
+
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT 1 FROM pg_constraint
+        WHERE conname = 'users_name_key'
+    ) THEN
+        ALTER TABLE users DROP CONSTRAINT users_name_key;
+    END IF;
+END $$;
+COMMIT;
+`).Error
+						if err != nil {
+							return fmt.Errorf("failed to rename constraint: %w", err)
+						}
+					}
+
 					err := tx.AutoMigrate(&types.User{})
 					if err != nil {
 						return err
@@ -521,6 +553,27 @@ func NewHeadscaleDatabase(
 				},
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
+			{
+				// Add a constraint to routes ensuring they cannot exist without a node.
+				ID: "202501221827",
+				Migrate: func(tx *gorm.DB) error {
+					// Remove any invalid routes associated with a node that does not exist.
+					if tx.Migrator().HasTable(&types.Route{}) && tx.Migrator().HasTable(&types.Node{}) {
+						err := tx.Exec("delete from routes where node_id not in (select id from nodes)").Error
+						if err != nil {
+							return err
+						}
+					}
+
+					err := tx.AutoMigrate(&types.Route{})
+					if err != nil {
+						return err
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
 		},
 	)
 

hscontrol/db/db_test.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/netip"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"slices"
 	"sort"
@@ -23,7 +24,10 @@ import (
 	"zgo.at/zcache/v2"
 )
 
-func TestMigrations(t *testing.T) {
+// TestMigrationsSQLite is the main function for testing migrations,
+// we focus on SQLite correctness as it is the main database used in headscale.
+// All migrations that are worth testing should be added here.
+func TestMigrationsSQLite(t *testing.T) {
 	ipp := func(p string) netip.Prefix {
 		return netip.MustParsePrefix(p)
 	}
@@ -375,3 +379,58 @@ func TestConstraints(t *testing.T) {
 		})
 	}
 }
+
+func TestMigrationsPostgres(t *testing.T) {
+	tests := []struct {
+		name     string
+		dbPath   string
+		wantFunc func(*testing.T, *HSDatabase)
+	}{
+		{
+			name:   "user-idx-breaking",
+			dbPath: "testdata/pre-24-postgresdb.pssql.dump",
+			wantFunc: func(t *testing.T, h *HSDatabase) {
+				users, err := Read(h.DB, func(rx *gorm.DB) ([]types.User, error) {
+					return ListUsers(rx)
+				})
+				require.NoError(t, err)
+
+				for _, user := range users {
+					assert.NotEmpty(t, user.Name)
+					assert.Empty(t, user.ProfilePicURL)
+					assert.Empty(t, user.Email)
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u := newPostgresDBForTest(t)
+
+			pgRestorePath, err := exec.LookPath("pg_restore")
+			if err != nil {
+				t.Fatal("pg_restore not found in PATH. Please install it and ensure it is accessible.")
+			}
+
+			// Construct the pg_restore command
+			cmd := exec.Command(pgRestorePath, "--verbose", "--if-exists", "--clean", "--no-owner", "--dbname", u.String(), tt.dbPath)
+
+			// Set the output streams
+			cmd.Stdout = os.Stdout
+			cmd.Stderr = os.Stderr
+
+			// Execute the command
+			err = cmd.Run()
+			if err != nil {
+				t.Fatalf("failed to restore postgres database: %s", err)
+			}
+
+			db = newHeadscaleDBFromPostgresURL(t, u)
+
+			if tt.wantFunc != nil {
+				tt.wantFunc(t, db)
+			}
+		})
+	}
+}

hscontrol/db/suite_test.go

@@ -78,13 +78,11 @@ func newSQLiteTestDB() (*HSDatabase, error) {
 func newPostgresTestDB(t *testing.T) *HSDatabase {
 	t.Helper()
 
-	var err error
-	tmpDir, err = os.MkdirTemp("", "headscale-db-test-*")
-	if err != nil {
-		t.Fatal(err)
-	}
+	return newHeadscaleDBFromPostgresURL(t, newPostgresDBForTest(t))
+}
 
-	log.Printf("database path: %s", tmpDir+"/headscale_test.db")
+func newPostgresDBForTest(t *testing.T) *url.URL {
+	t.Helper()
 
 	ctx := context.Background()
 	srv, err := postgrestest.Start(ctx)
@@ -100,10 +98,16 @@ func newPostgresTestDB(t *testing.T) *HSDatabase {
 	t.Logf("created local postgres: %s", u)
 	pu, _ := url.Parse(u)
 
+	return pu
+}
+
+func newHeadscaleDBFromPostgresURL(t *testing.T, pu *url.URL) *HSDatabase {
+	t.Helper()
+
 	pass, _ := pu.User.Password()
 	port, _ := strconv.Atoi(pu.Port())
 
-	db, err = NewHeadscaleDatabase(
+	db, err := NewHeadscaleDatabase(
 		types.DatabaseConfig{
 			Type: types.DatabasePostgres,
 			Postgres: types.PostgresConfig{

hscontrol/types/routes.go

@@ -13,7 +13,7 @@ import (
 type Route struct {
 	gorm.Model
 
-	NodeID uint64
+	NodeID uint64 `gorm:"not null"`
 	Node   *Node
 
 	// TODO(kradalby): change this custom type to netip.Prefix
@@ -79,7 +79,6 @@ func (rs Routes) Proto() []*v1.Route {
 	for _, route := range rs {
 		protoRoute := v1.Route{
 			Id:         uint64(route.ID),
-			Node:       route.Node.Proto(),
 			Prefix:     route.Prefix.String(),
 			Advertised: route.Advertised,
 			Enabled:    route.Enabled,
@@ -88,6 +87,10 @@ func (rs Routes) Proto() []*v1.Route {
 			UpdatedAt:  timestamppb.New(route.UpdatedAt),
 		}
 
+		if route.Node != nil {
+			protoRoute.Node = route.Node.Proto()
+		}
+
 		if route.DeletedAt.Valid {
 			protoRoute.DeletedAt = timestamppb.New(route.DeletedAt.Time)
 		}

hscontrol/types/users_test.go

@@ -1,10 +1,12 @@
 package types
 
 import (
+	"database/sql"
 	"encoding/json"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/juanfont/headscale/hscontrol/util"
 )
 
 func TestUnmarshallOIDCClaims(t *testing.T) {
@@ -73,3 +75,149 @@ func TestUnmarshallOIDCClaims(t *testing.T) {
 		})
 	}
 }
+
+func TestOIDCClaimsJSONToUser(t *testing.T) {
+	tests := []struct {
+		name    string
+		jsonstr string
+		want    User
+	}{
+		{
+			name: "normal-bool",
+			jsonstr: `
+{
+  "sub": "test",
+  "email": "test@test.no",
+  "email_verified": true
+}
+			`,
+			want: User{
+				Provider: util.RegisterMethodOIDC,
+				Email:    "test@test.no",
+				ProviderIdentifier: sql.NullString{
+					String: "/test",
+					Valid:  true,
+				},
+			},
+		},
+		{
+			name: "string-bool-true",
+			jsonstr: `
+{
+  "sub": "test2",
+  "email": "test2@test.no",
+  "email_verified": "true"
+}
+			`,
+			want: User{
+				Provider: util.RegisterMethodOIDC,
+				Email:    "test2@test.no",
+				ProviderIdentifier: sql.NullString{
+					String: "/test2",
+					Valid:  true,
+				},
+			},
+		},
+		{
+			name: "string-bool-false",
+			jsonstr: `
+{
+  "sub": "test3",
+  "email": "test3@test.no",
+  "email_verified": "false"
+}
+			`,
+			want: User{
+				Provider: util.RegisterMethodOIDC,
+				ProviderIdentifier: sql.NullString{
+					String: "/test3",
+					Valid:  true,
+				},
+			},
+		},
+		{
+			// From https://github.com/juanfont/headscale/issues/2333
+			name: "okta-oidc-claim-20250121",
+			jsonstr: `
+{
+  "sub": "00u7dr4qp7XXXXXXXXXX",
+  "name": "Tim Horton",
+  "email": "tim.horton@company.com",
+  "ver": 1,
+  "iss": "https://sso.company.com/oauth2/default",
+  "aud": "0oa8neto4tXXXXXXXXXX",
+  "iat": 1737455152,
+  "exp": 1737458752,
+  "jti": "ID.zzJz93koTunMKv5Bq-XXXXXXXXXXXXXXXXXXXXXXXXX",
+  "amr": [
+    "pwd"
+  ],
+  "idp": "00o42r3s2cXXXXXXXX",
+  "nonce": "nonce",
+  "preferred_username": "tim.horton@company.com",
+  "auth_time": 1000,
+  "at_hash": "preview_at_hash"
+}
+			`,
+			want: User{
+				Provider:    util.RegisterMethodOIDC,
+				DisplayName: "Tim Horton",
+				Name:        "tim.horton@company.com",
+				ProviderIdentifier: sql.NullString{
+					String: "https://sso.company.com/oauth2/default/00u7dr4qp7XXXXXXXXXX",
+					Valid:  true,
+				},
+			},
+		},
+		{
+			// From https://github.com/juanfont/headscale/issues/2333
+			name: "okta-oidc-claim-20250121",
+			jsonstr: `
+{
+  "aud": "79xxxxxx-xxxx-xxxx-xxxx-892146xxxxxx",
+  "iss": "https://login.microsoftonline.com//v2.0",
+  "iat": 1737346441,
+  "nbf": 1737346441,
+  "exp": 1737350341,
+  "aio": "AWQAm/8ZAAAABKne9EWr6ygVO2DbcRmoPIpRM819qqlP/mmK41AAWv/C2tVkld4+znbG8DaXFdLQa9jRUzokvsT7rt9nAT6Fg7QC+/ecDWsF5U+QX11f9Ox7ZkK4UAIWFcIXpuZZvRS7",
+  "email": "user@domain.com",
+  "name": "XXXXXX XXXX",
+  "oid": "54c2323d-5052-4130-9588-ad751909003f",
+  "preferred_username": "user@domain.com",
+  "rh": "1.AXUAXdg0Rfc11UifLDJv67ChfSluoXmD9z1EmK-JIUYuSK9cAQl1AA.",
+  "sid": "5250a0a2-0b4e-4e68-8652-b4e97866411d",
+  "sub": "I-70OQnj3TogrNSfkZQqB3f7dGwyBWSm1dolHNKrMzQ",
+  "tid": "<redacted>",
+  "uti": "zAuXeEtMM0GwcTAcOsBZAA",
+  "ver": "2.0"
+}
+			`,
+			want: User{
+				Provider:    util.RegisterMethodOIDC,
+				DisplayName: "XXXXXX XXXX",
+				Name:        "user@domain.com",
+				ProviderIdentifier: sql.NullString{
+					String: "https://login.microsoftonline.com//v2.0/I-70OQnj3TogrNSfkZQqB3f7dGwyBWSm1dolHNKrMzQ",
+					Valid:  true,
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var got OIDCClaims
+			if err := json.Unmarshal([]byte(tt.jsonstr), &got); err != nil {
+				t.Errorf("TestOIDCClaimsJSONToUser() error = %v", err)
+				return
+			}
+
+			var user User
+
+			user.FromClaim(&got)
+			if diff := cmp.Diff(user, tt.want); diff != "" {
+				t.Errorf("TestOIDCClaimsJSONToUser() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

hscontrol/util/dns.go

@@ -26,6 +26,11 @@ var invalidCharsInUserRegex = regexp.MustCompile("[^a-z0-9-.]+")
 
 var ErrInvalidUserName = errors.New("invalid user name")
 
+// ValidateUsername checks if a username is valid.
+// It must be at least 2 characters long, start with a letter, and contain
+// only letters, numbers, hyphens, dots, and underscores.
+// It cannot contain more than one '@'.
+// It cannot contain invalid characters.
 func ValidateUsername(username string) error {
 	// Ensure the username meets the minimum length requirement
 	if len(username) < 2 {
@@ -40,7 +45,11 @@ func ValidateUsername(username string) error {
 	atCount := 0
 	for _, char := range username {
 		switch {
-		case unicode.IsLetter(char), unicode.IsDigit(char), char == '-':
+		case unicode.IsLetter(char),
+			unicode.IsDigit(char),
+			char == '-',
+			char == '.',
+			char == '_':
 			// Valid characters
 		case char == '@':
 			atCount++