Updated changelog

Do not strip nodekey prefix on handle expired
Added more logging
2025-12-15 09:02:52 +00:00 · 2022-11-15 21:28:26 +01:00 · 2022-11-15 21:28:26 +01:00 · 2022-11-15 21:28:26 +01:00 · 2022-11-15 21:28:26 +01:00 · 2022-11-15 11:36:38 +01:00
17 changed files with 584 additions and 349 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -65,7 +65,6 @@ jobs:
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
-            type=raw,value=latest
            type=sha
      - name: Login to DockerHub
        uses: docker/login-action@v1
@@ -125,13 +124,12 @@ jobs:
            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
            ghcr.io/${{ github.repository_owner }}/headscale
          flavor: |
-            latest=false
+            suffix=-debug,onlatest=true
          tags: |
-            type=semver,pattern={{version}}-debug
-            type=semver,pattern={{major}}.{{minor}}-debug
-            type=semver,pattern={{major}}-debug
-            type=raw,value=latest-debug
-            type=sha,suffix=-debug
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
@@ -161,69 +159,3 @@ jobs:
        run: |
          rm -rf /tmp/.buildx-cache-debug
          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug
-
-  docker-alpine-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-alpine
-          key: ${{ runner.os }}-buildx-alpine-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-alpine-
-      - name: Docker meta
-        id: meta-alpine
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            latest=false
-          tags: |
-            type=semver,pattern={{version}}-alpine
-            type=semver,pattern={{major}}.{{minor}}-alpine
-            type=semver,pattern={{major}}-alpine
-            type=raw,value=latest-alpine
-            type=sha,suffix=-alpine
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.alpine
-          tags: ${{ steps.meta-alpine.outputs.tags }}
-          labels: ${{ steps.meta-alpine.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-alpine
-          cache-to: type=local,dest=/tmp/.buildx-cache-alpine-new
-          build-args: |
-            VERSION=${{ steps.meta-alpine.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-alpine
-          mv /tmp/.buildx-cache-alpine-new /tmp/.buildx-cache-alpine
--- a/.github/workflows/test-integration-v2-general-auth.yml
+++ b/.github/workflows/test-integration-v2-general-auth.yml
@@ -1,35 +0,0 @@
-name: Integration Test v2
-
-on: [pull_request]
-
-jobs:
-  integration-test-v2:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v14.1
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration_v2_auth_web_flow
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### BREAKING

 - Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
+- Removed Alpine Linux container image [#962](https://github.com/juanfont/headscale/pull/962)

 ### Changes

@@ -25,6 +26,7 @@
 - Add `dns_config.override_local_dns` option [#905](https://github.com/juanfont/headscale/pull/905)
 - Fix some DNS config issues [#660](https://github.com/juanfont/headscale/issues/660)
 - Make it possible to disable TS2019 with build flag [#928](https://github.com/juanfont/headscale/pull/928)
+- Fix OIDC registration issues [#960](https://github.com/juanfont/headscale/pull/960) and [#971](https://github.com/juanfont/headscale/pull/971)

 ## 0.16.4 (2022-08-21)

--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -1,24 +0,0 @@
-# Builder image
-FROM docker.io/golang:1.19.0-alpine AS build
-ARG VERSION=dev
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN apk add gcc musl-dev
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
-RUN strip /go/bin/headscale
-RUN test -e /go/bin/headscale
-
-# Production image
-FROM docker.io/alpine:latest
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-EXPOSE 8080/tcp
-CMD ["headscale"]
--- a/11
+++ b/11
@@ -68,17 +68,6 @@ test_integration_v2_general:
 		golang:1 \
 		go test $(TAGS) -failfast ./... -timeout 60m -parallel 6

-
-test_integration_v2_auth_web_flow:
-	docker run \
-		-t --rm \
-		-v ~/.cache/hs-integration-go:/go \
-		--name headscale-test-suite \
-		-v $$PWD:$$PWD -w $$PWD/integration \
-		-v /var/run/docker.sock:/var/run/docker.sock \
-		golang:1 \
-		go test ./... -timeout 60m -parallel 6 -run TestAuthWebFlow
-
 coverprofile_func:
 	go tool cover -func=coverage.out

--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -134,7 +134,9 @@ var registerNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(response.Machine, fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
+		SuccessOutput(
+			response.Machine,
+			fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
 	},
 }

--- a/integration/auth_web_flow_test.go
+++ b/integration/auth_web_flow_test.go
@@ -10,6 +10,8 @@ import (
 	"net/url"
 	"strings"
 	"testing"
+
+	"github.com/juanfont/headscale/integration/hsic"
 )

 var errParseAuthPage = errors.New("failed to parse auth page")
@@ -35,7 +37,7 @@ func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 		"namespace2": len(TailscaleVersions),
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("webauthping"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -76,13 +78,16 @@ func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 	}
 }

-func (s *AuthWebFlowScenario) CreateHeadscaleEnv(namespaces map[string]int) error {
-	err := s.StartHeadscale()
+func (s *AuthWebFlowScenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
 	if err != nil {
 		return err
 	}

-	err = s.Headscale().WaitForReady()
+	err = headscale.WaitForReady()
 	if err != nil {
 		return err
 	}
@@ -99,7 +104,7 @@ func (s *AuthWebFlowScenario) CreateHeadscaleEnv(namespaces map[string]int) erro
 			return err
 		}

-		err = s.runTailscaleUp(namespaceName, s.Headscale().GetEndpoint())
+		err = s.runTailscaleUp(namespaceName, headscale.GetEndpoint())
 		if err != nil {
 			return err
 		}
@@ -145,8 +150,13 @@ func (s *AuthWebFlowScenario) runTailscaleUp(
 }

 func (s *AuthWebFlowScenario) runHeadscaleRegister(namespaceStr string, loginURL *url.URL) error {
+	headscale, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
 	log.Printf("loginURL: %s", loginURL)
-	loginURL.Host = fmt.Sprintf("%s:8080", s.Headscale().GetIP())
+	loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
 	loginURL.Scheme = "http"

 	httpClient := &http.Client{}
@@ -177,8 +187,10 @@ func (s *AuthWebFlowScenario) runHeadscaleRegister(namespaceStr string, loginURL
 	key := keySep[1]
 	log.Printf("registering node %s", key)

-	if headscale, ok := s.controlServers["headscale"]; ok {
-		_, err = headscale.Execute([]string{"headscale", "-n", namespaceStr, "nodes", "register", "--key", key})
+	if headscale, err := s.Headscale(); err == nil {
+		_, err = headscale.Execute(
+			[]string{"headscale", "-n", namespaceStr, "nodes", "register", "--key", key},
+		)
 		if err != nil {
 			log.Printf("failed to register node: %s", err)

--- a/integration/cli_test.go
+++ b/integration/cli_test.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/stretchr/testify/assert"
 )

@@ -36,11 +37,14 @@ func TestNamespaceCommand(t *testing.T) {
 		"namespace2": 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clins"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	var listNamespaces []v1.Namespace
-	err = executeAndUnmarshal(scenario.Headscale(),
+	err = executeAndUnmarshal(headscale,
 		[]string{
 			"headscale",
 			"namespaces",
@@ -61,7 +65,7 @@ func TestNamespaceCommand(t *testing.T) {
 		result,
 	)

-	_, err = scenario.Headscale().Execute(
+	_, err = headscale.Execute(
 		[]string{
 			"headscale",
 			"namespaces",
@@ -75,7 +79,7 @@ func TestNamespaceCommand(t *testing.T) {
 	assert.NoError(t, err)

 	var listAfterRenameNamespaces []v1.Namespace
-	err = executeAndUnmarshal(scenario.Headscale(),
+	err = executeAndUnmarshal(headscale,
 		[]string{
 			"headscale",
 			"namespaces",
@@ -114,7 +118,10 @@ func TestPreAuthKeyCommand(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipak"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	keys := make([]*v1.PreAuthKey, count)
@@ -123,7 +130,7 @@ func TestPreAuthKeyCommand(t *testing.T) {
 	for index := 0; index < count; index++ {
 		var preAuthKey v1.PreAuthKey
 		err := executeAndUnmarshal(
-			scenario.Headscale(),
+			headscale,
 			[]string{
 				"headscale",
 				"preauthkeys",
@@ -149,7 +156,7 @@ func TestPreAuthKeyCommand(t *testing.T) {

 	var listedPreAuthKeys []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -202,7 +209,7 @@ func TestPreAuthKeyCommand(t *testing.T) {
 	}

 	// Test key expiry
-	_, err = scenario.Headscale().Execute(
+	_, err = headscale.Execute(
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -216,7 +223,7 @@ func TestPreAuthKeyCommand(t *testing.T) {

 	var listedPreAuthKeysAfterExpire []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -251,12 +258,15 @@ func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipaknaexp"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	var preAuthKey v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -273,7 +283,7 @@ func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {

 	var listedPreAuthKeys []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -313,12 +323,15 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipakresueeph"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	var preAuthReusableKey v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -335,7 +348,7 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {

 	var preAuthEphemeralKey v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -355,7 +368,7 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {

 	var listedPreAuthKeys []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
--- a/integration/control.go
+++ b/integration/control.go
@@ -13,4 +13,7 @@ type ControlServer interface {
 	CreateNamespace(namespace string) error
 	CreateAuthKey(namespace string) (*v1.PreAuthKey, error)
 	ListMachinesInNamespace(namespace string) ([]*v1.Machine, error)
+	GetCert() []byte
+	GetHostname() string
+	GetIP() string
 }
--- a/integration/general_test.go
+++ b/integration/general_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 	"time"

+	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/rs/zerolog/log"
 )

@@ -22,7 +23,7 @@ func TestPingAllByIP(t *testing.T) {
 		"namespace2": len(TailscaleVersions),
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("pingallbyip"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -77,7 +78,7 @@ func TestPingAllByHostname(t *testing.T) {
 		"namespace4": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("pingallbyname"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -144,7 +145,7 @@ func TestTaildrop(t *testing.T) {
 		"taildrop": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("taildrop"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -271,7 +272,7 @@ func TestResolveMagicDNS(t *testing.T) {
 		"magicdns2": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("magicdns"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@@ -1,52 +1,83 @@
 package hsic

 import (
-	"archive/tar"
 	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
-	"io"
 	"log"
+	"math/big"
+	"net"
 	"net/http"
-	"path/filepath"
+	"time"

 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
 )

 const (
-	hsicHashLength    = 6
-	dockerContextPath = "../."
-	aclPolicyPath     = "/etc/headscale/acl.hujson"
+	hsicHashLength       = 6
+	dockerContextPath    = "../."
+	aclPolicyPath        = "/etc/headscale/acl.hujson"
+	tlsCertPath          = "/etc/headscale/tls.cert"
+	tlsKeyPath           = "/etc/headscale/tls.key"
+	headscaleDefaultPort = 8080
 )

 var errHeadscaleStatusCodeNotOk = errors.New("headscale status code not ok")

 type HeadscaleInContainer struct {
 	hostname string
-	port     int

 	pool      *dockertest.Pool
 	container *dockertest.Resource
 	network   *dockertest.Network

 	// optional config
+	port      int
 	aclPolicy *headscale.ACLPolicy
 	env       []string
+	tlsCert   []byte
+	tlsKey    []byte
 }

 type Option = func(c *HeadscaleInContainer)

 func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 	return func(hsic *HeadscaleInContainer) {
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_ACL_POLICY_PATH=%s", aclPolicyPath))
+
 		hsic.aclPolicy = acl
 	}
 }

+func WithTLS() Option {
+	return func(hsic *HeadscaleInContainer) {
+		cert, key, err := createCertificate()
+		if err != nil {
+			log.Fatalf("failed to create certificates for headscale test: %s", err)
+		}
+
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath))
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath))
+		hsic.env = append(hsic.env, "HEADSCALE_TLS_CLIENT_AUTH_MODE=disabled")
+
+		hsic.tlsCert = cert
+		hsic.tlsKey = key
+	}
+}
+
 func WithConfigEnv(configEnv map[string]string) Option {
 	return func(hsic *HeadscaleInContainer) {
 		env := []string{}
@@ -59,9 +90,23 @@ func WithConfigEnv(configEnv map[string]string) Option {
 	}
 }

+func WithPort(port int) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.port = port
+	}
+}
+
+func WithTestName(testName string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hash, _ := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
+
+		hostname := fmt.Sprintf("hs-%s-%s", testName, hash)
+		hsic.hostname = hostname
+	}
+}
+
 func New(
 	pool *dockertest.Pool,
-	port int,
 	network *dockertest.Network,
 	opts ...Option,
 ) (*HeadscaleInContainer, error) {
@@ -71,11 +116,10 @@ func New(
 	}

 	hostname := fmt.Sprintf("hs-%s", hash)
-	portProto := fmt.Sprintf("%d/tcp", port)

 	hsic := &HeadscaleInContainer{
 		hostname: hostname,
-		port:     port,
+		port:     headscaleDefaultPort,

 		pool:    pool,
 		network: network,
@@ -85,9 +129,9 @@ func New(
 		opt(hsic)
 	}

-	if hsic.aclPolicy != nil {
-		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_ACL_POLICY_PATH=%s", aclPolicyPath))
-	}
+	log.Println("NAME: ", hsic.hostname)
+
+	portProto := fmt.Sprintf("%d/tcp", hsic.port)

 	headscaleBuildOptions := &dockertest.BuildOptions{
 		Dockerfile: "Dockerfile.debug",
@@ -95,7 +139,7 @@ func New(
 	}

 	runOptions := &dockertest.RunOptions{
-		Name:         hostname,
+		Name:         hsic.hostname,
 		ExposedPorts: []string{portProto},
 		Networks:     []*dockertest.Network{network},
 		// Cmd:          []string{"headscale", "serve"},
@@ -108,7 +152,7 @@ func New(
 	// dockertest isnt very good at handling containers that has already
 	// been created, this is an attempt to make sure this container isnt
 	// present.
-	err = pool.RemoveContainerByName(hostname)
+	err = pool.RemoveContainerByName(hsic.hostname)
 	if err != nil {
 		return nil, err
 	}
@@ -123,7 +167,7 @@ func New(
 	if err != nil {
 		return nil, fmt.Errorf("could not start headscale container: %w", err)
 	}
-	log.Printf("Created %s container\n", hostname)
+	log.Printf("Created %s container\n", hsic.hostname)

 	hsic.container = container

@@ -144,9 +188,25 @@ func New(
 		}
 	}

+	if hsic.hasTLS() {
+		err = hsic.WriteFile(tlsCertPath, hsic.tlsCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+
+		err = hsic.WriteFile(tlsKeyPath, hsic.tlsKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS key to container: %w", err)
+		}
+	}
+
 	return hsic, nil
 }

+func (t *HeadscaleInContainer) hasTLS() bool {
+	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
+}
+
 func (t *HeadscaleInContainer) Shutdown() error {
 	return t.pool.Purge(t.container)
 }
@@ -154,8 +214,6 @@ func (t *HeadscaleInContainer) Shutdown() error {
 func (t *HeadscaleInContainer) Execute(
 	command []string,
 ) (string, error) {
-	log.Println("command", command)
-	log.Printf("running command for %s\n", t.hostname)
 	stdout, stderr, err := dockertestutil.ExecuteCommand(
 		t.container,
 		command,
@@ -164,11 +222,11 @@ func (t *HeadscaleInContainer) Execute(
 	if err != nil {
 		log.Printf("command stderr: %s\n", stderr)

-		return "", err
-	}
+		if stdout != "" {
+			log.Printf("command stdout: %s\n", stdout)
+		}

-	if stdout != "" {
-		log.Printf("command stdout: %s\n", stdout)
+		return "", err
 	}

 	return stdout, nil
@@ -183,11 +241,7 @@ func (t *HeadscaleInContainer) GetPort() string {
 }

 func (t *HeadscaleInContainer) GetHealthEndpoint() string {
-	hostEndpoint := fmt.Sprintf("%s:%d",
-		t.GetIP(),
-		t.port)
-
-	return fmt.Sprintf("http://%s/health", hostEndpoint)
+	return fmt.Sprintf("%s/health", t.GetEndpoint())
 }

 func (t *HeadscaleInContainer) GetEndpoint() string {
@@ -195,17 +249,39 @@ func (t *HeadscaleInContainer) GetEndpoint() string {
 		t.GetIP(),
 		t.port)

+	if t.hasTLS() {
+		return fmt.Sprintf("https://%s", hostEndpoint)
+	}
+
 	return fmt.Sprintf("http://%s", hostEndpoint)
 }

+func (t *HeadscaleInContainer) GetCert() []byte {
+	return t.tlsCert
+}
+
+func (t *HeadscaleInContainer) GetHostname() string {
+	return t.hostname
+}
+
 func (t *HeadscaleInContainer) WaitForReady() error {
 	url := t.GetHealthEndpoint()

 	log.Printf("waiting for headscale to be ready at %s", url)

+	client := &http.Client{}
+
+	if t.hasTLS() {
+		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()      //nolint
+		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint
+		client = &http.Client{Transport: insecureTransport}
+	}
+
 	return t.pool.Retry(func() error {
-		resp, err := http.Get(url) //nolint
+		resp, err := client.Get(url) //nolint
 		if err != nil {
+			log.Printf("ready err: %s", err)
+
 			return fmt.Errorf("headscale is not ready: %w", err)
 		}

@@ -292,55 +368,87 @@ func (t *HeadscaleInContainer) ListMachinesInNamespace(
 }

 func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
-	dirPath, fileName := filepath.Split(path)
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}

-	file := bytes.NewReader(data)
+//nolint
+func createCertificate() ([]byte, []byte, error) {
+	// From:
+	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/

-	buf := bytes.NewBuffer([]byte{})
-
-	tarWriter := tar.NewWriter(buf)
-
-	header := &tar.Header{
-		Name: fileName,
-		Size: file.Size(),
-		// Mode:    int64(stat.Mode()),
-		// ModTime: stat.ModTime(),
-	}
-
-	err := tarWriter.WriteHeader(header)
-	if err != nil {
-		return fmt.Errorf("failed write file header to tar: %w", err)
-	}
-
-	_, err = io.Copy(tarWriter, file)
-	if err != nil {
-		return fmt.Errorf("failed to copy file to tar: %w", err)
-	}
-
-	err = tarWriter.Close()
-	if err != nil {
-		return fmt.Errorf("failed to close tar: %w", err)
-	}
-
-	log.Printf("tar: %s", buf.String())
-
-	// Ensure the directory is present inside the container
-	_, err = t.Execute([]string{"mkdir", "-p", dirPath})
-	if err != nil {
-		return fmt.Errorf("failed to ensure directory: %w", err)
-	}
-
-	err = t.pool.Client.UploadToContainer(
-		t.container.Container.ID,
-		docker.UploadToContainerOptions{
-			NoOverwriteDirNonDir: false,
-			Path:                 dirPath,
-			InputStream:          bytes.NewReader(buf.Bytes()),
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
 		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(30 * time.Minute),
+		IsCA:      true,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(1658),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(30 * time.Minute),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		cert,
+		ca,
+		&certPrivKey.PublicKey,
+		caPrivKey,
 	)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}

-	return nil
+	certPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPrivKeyPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPrivKeyPEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
 }
--- a/integration/integrationutil/util.go
+++ b/integration/integrationutil/util.go
@@ -0,0 +1,77 @@
+package integrationutil
+
+import (
+	"archive/tar"
+	"bytes"
+	"fmt"
+	"io"
+	"log"
+	"path/filepath"
+
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+func WriteFileToContainer(
+	pool *dockertest.Pool,
+	container *dockertest.Resource,
+	path string,
+	data []byte,
+) error {
+	dirPath, fileName := filepath.Split(path)
+
+	file := bytes.NewReader(data)
+
+	buf := bytes.NewBuffer([]byte{})
+
+	tarWriter := tar.NewWriter(buf)
+
+	header := &tar.Header{
+		Name: fileName,
+		Size: file.Size(),
+		// Mode:    int64(stat.Mode()),
+		// ModTime: stat.ModTime(),
+	}
+
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
+		return fmt.Errorf("failed write file header to tar: %w", err)
+	}
+
+	_, err = io.Copy(tarWriter, file)
+	if err != nil {
+		return fmt.Errorf("failed to copy file to tar: %w", err)
+	}
+
+	err = tarWriter.Close()
+	if err != nil {
+		return fmt.Errorf("failed to close tar: %w", err)
+	}
+
+	log.Printf("tar: %s", buf.String())
+
+	// Ensure the directory is present inside the container
+	_, _, err = dockertestutil.ExecuteCommand(
+		container,
+		[]string{"mkdir", "-p", dirPath},
+		[]string{},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to ensure directory: %w", err)
+	}
+
+	err = pool.Client.UploadToContainer(
+		container.Container.ID,
+		docker.UploadToContainerOptions{
+			NoOverwriteDirNonDir: false,
+			Path:                 dirPath,
+			InputStream:          bytes.NewReader(buf.Bytes()),
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/integration/scenario.go
+++ b/integration/scenario.go
@@ -15,22 +15,28 @@ import (
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/ory/dockertest/v3"
+	"github.com/puzpuzpuz/xsync/v2"
 )

 const (
 	scenarioHashLength = 6
 	maxWait            = 60 * time.Second
-	headscalePort      = 8080
 )

 var (
 	errNoHeadscaleAvailable = errors.New("no headscale available")
 	errNoNamespaceAvailable = errors.New("no namespace available")
-	TailscaleVersions       = []string{
+
+	// Tailscale started adding TS2021 support in CapabilityVersion>=28 (v1.24.0), but
+	// proper support in Headscale was only added for CapabilityVersion>=39 clients (v1.30.0).
+	tailscaleVersions2021 = []string{
 		"head",
 		"unstable",
 		"1.32.1",
 		"1.30.2",
+	}
+
+	tailscaleVersions2019 = []string{
 		"1.28.0",
 		"1.26.2",
 		"1.24.2",
@@ -38,13 +44,20 @@ var (
 		"1.20.4",
 		"1.18.2",
 		"1.16.2",
-
-		// These versions seem to fail when fetching from apt.
-		// "1.14.6",
-		// "1.12.4",
-		// "1.10.2",
-		// "1.8.7",
 	}
+
+	// tailscaleVersionsUnavailable = []string{
+	// 	// These versions seem to fail when fetching from apt.
+	// 	"1.14.6",
+	// 	"1.12.4",
+	// 	"1.10.2",
+	// 	"1.8.7",
+	// }.
+
+	TailscaleVersions = append(
+		tailscaleVersions2021,
+		tailscaleVersions2019...,
+	)
 )

 type Namespace struct {
@@ -59,12 +72,14 @@ type Namespace struct {
 type Scenario struct {
 	// TODO(kradalby): support multiple headcales for later, currently only
 	// use one.
-	controlServers map[string]ControlServer
+	controlServers *xsync.MapOf[string, ControlServer]

 	namespaces map[string]*Namespace

 	pool    *dockertest.Pool
 	network *dockertest.Network
+
+	headscaleLock sync.Mutex
 }

 func NewScenario() (*Scenario, error) {
@@ -99,7 +114,7 @@ func NewScenario() (*Scenario, error) {
 	}

 	return &Scenario{
-		controlServers: make(map[string]ControlServer),
+		controlServers: xsync.NewMapOf[ControlServer](),
 		namespaces:     make(map[string]*Namespace),

 		pool:    pool,
@@ -108,12 +123,17 @@ func NewScenario() (*Scenario, error) {
 }

 func (s *Scenario) Shutdown() error {
-	for _, control := range s.controlServers {
+	s.controlServers.Range(func(_ string, control ControlServer) bool {
 		err := control.Shutdown()
 		if err != nil {
-			return fmt.Errorf("failed to tear down control: %w", err)
+			log.Printf(
+				"Failed to shut down control: %s",
+				fmt.Errorf("failed to tear down control: %w", err),
+			)
 		}
-	}
+
+		return true
+	})

 	for namespaceName, namespace := range s.namespaces {
 		for _, client := range namespace.Clients {
@@ -150,36 +170,31 @@ func (s *Scenario) Namespaces() []string {
 // Note: These functions assume that there is a _single_ headscale instance for now

 // TODO(kradalby): make port and headscale configurable, multiple instances support?
-func (s *Scenario) StartHeadscale() error {
-	headscale, err := hsic.New(s.pool, headscalePort, s.network,
-		hsic.WithACLPolicy(
-			&headscale.ACLPolicy{
-				ACLs: []headscale.ACL{
-					{
-						Action:       "accept",
-						Sources:      []string{"*"},
-						Destinations: []string{"*:*"},
-					},
-				},
-			},
-		),
-	)
-	if err != nil {
-		return fmt.Errorf("failed to create headscale container: %w", err)
+func (s *Scenario) Headscale(opts ...hsic.Option) (ControlServer, error) {
+	s.headscaleLock.Lock()
+	defer s.headscaleLock.Unlock()
+
+	if headscale, ok := s.controlServers.Load("headscale"); ok {
+		return headscale, nil
 	}

-	s.controlServers["headscale"] = headscale
+	headscale, err := hsic.New(s.pool, s.network, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create headscale container: %w", err)
+	}

-	return nil
-}
+	err = headscale.WaitForReady()
+	if err != nil {
+		return nil, fmt.Errorf("failed reach headscale container: %w", err)
+	}

-func (s *Scenario) Headscale() *hsic.HeadscaleInContainer {
-	//nolint
-	return s.controlServers["headscale"].(*hsic.HeadscaleInContainer)
+	s.controlServers.Store("headscale", headscale)
+
+	return headscale, nil
 }

 func (s *Scenario) CreatePreAuthKey(namespace string) (*v1.PreAuthKey, error) {
-	if headscale, ok := s.controlServers["headscale"]; ok {
+	if headscale, err := s.Headscale(); err == nil {
 		key, err := headscale.CreateAuthKey(namespace)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create namespace: %w", err)
@@ -192,7 +207,7 @@ func (s *Scenario) CreatePreAuthKey(namespace string) (*v1.PreAuthKey, error) {
 }

 func (s *Scenario) CreateNamespace(namespace string) error {
-	if headscale, ok := s.controlServers["headscale"]; ok {
+	if headscale, err := s.Headscale(); err == nil {
 		err := headscale.CreateNamespace(namespace)
 		if err != nil {
 			return fmt.Errorf("failed to create namespace: %w", err)
@@ -222,16 +237,36 @@ func (s *Scenario) CreateTailscaleNodesInNamespace(
 				version = TailscaleVersions[i%len(TailscaleVersions)]
 			}

+			headscale, err := s.Headscale()
+			if err != nil {
+				return fmt.Errorf("failed to create tailscale node: %w", err)
+			}
+
+			cert := headscale.GetCert()
+			hostname := headscale.GetHostname()
+
 			namespace.createWaitGroup.Add(1)

 			go func() {
 				defer namespace.createWaitGroup.Done()

 				// TODO(kradalby): error handle this
-				tsClient, err := tsic.New(s.pool, version, s.network)
+				tsClient, err := tsic.New(
+					s.pool,
+					version,
+					s.network,
+					tsic.WithHeadscaleTLS(cert),
+					tsic.WithHeadscaleName(hostname),
+				)
 				if err != nil {
 					// return fmt.Errorf("failed to add tailscale node: %w", err)
-					log.Printf("failed to add tailscale node: %s", err)
+					log.Printf("failed to create tailscale node: %s", err)
+				}
+
+				err = tsClient.WaitForReady()
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to wait for tailscaled: %s", err)
 				}

 				namespace.Clients[tsClient.Hostname()] = tsClient
@@ -258,7 +293,13 @@ func (s *Scenario) RunTailscaleUp(
 				// TODO(kradalby): error handle this
 				_ = c.Up(loginServer, authKey)
 			}(client)
+
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
 		}
+
 		namespace.joinWaitGroup.Wait()

 		return nil
@@ -300,13 +341,8 @@ func (s *Scenario) WaitForTailscaleSync() error {
 // CreateHeadscaleEnv is a conventient method returning a set up Headcale
 // test environment with nodes of all versions, joined to the server with X
 // namespaces.
-func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int) error {
-	err := s.StartHeadscale()
-	if err != nil {
-		return err
-	}
-
-	err = s.Headscale().WaitForReady()
+func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int, opts ...hsic.Option) error {
+	headscale, err := s.Headscale(opts...)
 	if err != nil {
 		return err
 	}
@@ -327,7 +363,7 @@ func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int) error {
 			return err
 		}

-		err = s.RunTailscaleUp(namespaceName, s.Headscale().GetEndpoint(), key.GetKey())
+		err = s.RunTailscaleUp(namespaceName, headscale.GetEndpoint(), key.GetKey())
 		if err != nil {
 			return err
 		}
--- a/integration/scenario_test.go
+++ b/integration/scenario_test.go
@@ -34,12 +34,12 @@ func TestHeadscale(t *testing.T) {
 	}

 	t.Run("start-headscale", func(t *testing.T) {
-		err = scenario.StartHeadscale()
+		headscale, err := scenario.Headscale()
 		if err != nil {
 			t.Errorf("failed to create start headcale: %s", err)
 		}

-		err = scenario.Headscale().WaitForReady()
+		err = headscale.WaitForReady()
 		if err != nil {
 			t.Errorf("headscale failed to become ready: %s", err)
 		}
@@ -117,12 +117,11 @@ func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
 	}

 	t.Run("start-headscale", func(t *testing.T) {
-		err = scenario.StartHeadscale()
+		headscale, err := scenario.Headscale()
 		if err != nil {
 			t.Errorf("failed to create start headcale: %s", err)
 		}

-		headscale := scenario.Headscale()
 		err = headscale.WaitForReady()
 		if err != nil {
 			t.Errorf("headscale failed to become ready: %s", err)
@@ -157,7 +156,16 @@ func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
 			t.Errorf("failed to create preauthkey: %s", err)
 		}

-		err = scenario.RunTailscaleUp(namespace, scenario.Headscale().GetEndpoint(), key.GetKey())
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = scenario.RunTailscaleUp(
+			namespace,
+			headscale.GetEndpoint(),
+			key.GetKey(),
+		)
 		if err != nil {
 			t.Errorf("failed to login: %s", err)
 		}
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@@ -12,6 +12,7 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"github.com/juanfont/headscale"
 	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"tailscale.com/ipn/ipnstate"
@@ -20,13 +21,15 @@ import (
 const (
 	tsicHashLength    = 6
 	dockerContextPath = "../."
+	headscaleCertPath = "/usr/local/share/ca-certificates/headscale.crt"
 )

 var (
-	errTailscalePingFailed     = errors.New("ping failed")
-	errTailscaleNotLoggedIn    = errors.New("tailscale not logged in")
-	errTailscaleWrongPeerCount = errors.New("wrong peer count")
-	errTailscaleNotConnected   = errors.New("tailscale not connected")
+	errTailscalePingFailed             = errors.New("ping failed")
+	errTailscaleNotLoggedIn            = errors.New("tailscale not logged in")
+	errTailscaleWrongPeerCount         = errors.New("wrong peer count")
+	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
+	errTailscaleNotConnected           = errors.New("tailscale not connected")
 )

 type TailscaleInContainer struct {
@@ -40,12 +43,51 @@ type TailscaleInContainer struct {
 	// "cache"
 	ips  []netip.Addr
 	fqdn string
+
+	// optional config
+	headscaleCert     []byte
+	headscaleHostname string
+}
+
+type Option = func(c *TailscaleInContainer)
+
+func WithHeadscaleTLS(cert []byte) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleCert = cert
+	}
+}
+
+func WithOrCreateNetwork(network *dockertest.Network) Option {
+	return func(tsic *TailscaleInContainer) {
+		if network != nil {
+			tsic.network = network
+
+			return
+		}
+
+		network, err := dockertestutil.GetFirstOrCreateNetwork(
+			tsic.pool,
+			fmt.Sprintf("%s-network", tsic.hostname),
+		)
+		if err != nil {
+			log.Fatalf("failed to create network: %s", err)
+		}
+
+		tsic.network = network
+	}
+}
+
+func WithHeadscaleName(hsName string) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleHostname = hsName
+	}
 }

 func New(
 	pool *dockertest.Pool,
 	version string,
 	network *dockertest.Network,
+	opts ...Option,
 ) (*TailscaleInContainer, error) {
 	hash, err := headscale.GenerateRandomStringDNSSafe(tsicHashLength)
 	if err != nil {
@@ -54,20 +96,38 @@ func New(

 	hostname := fmt.Sprintf("ts-%s-%s", strings.ReplaceAll(version, ".", "-"), hash)

-	// TODO(kradalby): figure out why we need to "refresh" the network here.
-	// network, err = dockertestutil.GetFirstOrCreateNetwork(pool, network.Network.Name)
-	// if err != nil {
-	// 	return nil, err
-	// }
+	tsic := &TailscaleInContainer{
+		version:  version,
+		hostname: hostname,
+
+		pool:    pool,
+		network: network,
+	}
+
+	for _, opt := range opts {
+		opt(tsic)
+	}

 	tailscaleOptions := &dockertest.RunOptions{
 		Name:     hostname,
 		Networks: []*dockertest.Network{network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
+		// Cmd: []string{
+		// 	"tailscaled", "--tun=tsdev",
+		// },
+		Entrypoint: []string{
+			"/bin/bash",
+			"-c",
+			"/bin/sleep 3 ; update-ca-certificates ; tailscaled --tun=tsdev",
 		},
 	}

+	if tsic.headscaleHostname != "" {
+		tailscaleOptions.ExtraHosts = []string{
+			"host.docker.internal:host-gateway",
+			fmt.Sprintf("%s:host-gateway", tsic.headscaleHostname),
+		}
+	}
+
 	// dockertest isnt very good at handling containers that has already
 	// been created, this is an attempt to make sure this container isnt
 	// present.
@@ -88,14 +148,20 @@ func New(
 	}
 	log.Printf("Created %s container\n", hostname)

-	return &TailscaleInContainer{
-		version:  version,
-		hostname: hostname,
+	tsic.container = container

-		pool:      pool,
-		container: container,
-		network:   network,
-	}, nil
+	if tsic.hasTLS() {
+		err = tsic.WriteFile(headscaleCertPath, tsic.headscaleCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+	}
+
+	return tsic, nil
+}
+
+func (t *TailscaleInContainer) hasTLS() bool {
+	return len(t.headscaleCert) != 0
 }

 func (t *TailscaleInContainer) Shutdown() error {
@@ -113,8 +179,6 @@ func (t *TailscaleInContainer) Version() string {
 func (t *TailscaleInContainer) Execute(
 	command []string,
 ) (string, string, error) {
-	log.Println("command", command)
-	log.Printf("running command for %s\n", t.hostname)
 	stdout, stderr, err := dockertestutil.ExecuteCommand(
 		t.container,
 		command,
@@ -170,7 +234,10 @@ func (t *TailscaleInContainer) UpWithLoginURL(
 		t.hostname,
 	}

-	_, stderr, _ := t.Execute(command)
+	_, stderr, err := t.Execute(command)
+	if errors.Is(err, errTailscaleNotLoggedIn) {
+		return nil, errTailscaleCannotUpWithoutAuthkey
+	}

 	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
 	urlStr = strings.TrimSpace(urlStr)
@@ -314,6 +381,10 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string) error {
 	})
 }

+func (t *TailscaleInContainer) WriteFile(path string, data []byte) error {
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}
+
 func createTailscaleBuildOptions(version string) *dockertest.BuildOptions {
 	var tailscaleBuildOptions *dockertest.BuildOptions
 	switch version {
--- a/oidc.go
+++ b/oidc.go
@@ -76,19 +76,54 @@ func (h *Headscale) RegisterOIDC(
 ) {
 	vars := mux.Vars(req)
 	nodeKeyStr, ok := vars["nkey"]
-	if !ok || nodeKeyStr == "" {
-		log.Error().
-			Caller().
-			Msg("Missing node key in URL")
-		http.Error(writer, "Missing node key in URL", http.StatusBadRequest)
+
+	log.Debug().
+		Caller().
+		Str("node_key", nodeKeyStr).
+		Bool("ok", ok).
+		Msg("Received oidc register call")
+
+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}

-	log.Trace().
-		Caller().
-		Str("node_key", nodeKeyStr).
-		Msg("Received oidc register call")
+	// We need to make sure we dont open for XSS style injections, if the parameter that
+	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
+	// the template and log an error.
+	var nodeKey key.NodePublic
+	err := nodeKey.UnmarshalText(
+		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+	)
+
+	if !ok || nodeKeyStr == "" || err != nil {
+		log.Warn().
+			Err(err).
+			Msg("Failed to parse incoming nodekey in OIDC registration")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Wrong params"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}

 	randomBlob := make([]byte, randomByteSize)
 	if _, err := rand.Read(randomBlob); err != nil {
@@ -103,7 +138,7 @@ func (h *Headscale) RegisterOIDC(
 	stateStr := hex.EncodeToString(randomBlob)[:32]

 	// place the node key into the state cache, so it can be retrieved later
-	h.registrationCache.Set(stateStr, nodeKeyStr, registerCacheExpiration)
+	h.registrationCache.Set(stateStr, NodePublicKeyStripPrefix(nodeKey), registerCacheExpiration)

 	// Add any extra parameter provided in the configuration to the Authorize Endpoint request
 	extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
@@ -405,8 +440,8 @@ func (h *Headscale) validateMachineForOIDCCallback(
 	claims *IDTokenClaims,
 ) (*key.NodePublic, bool, error) {
 	// retrieve machinekey from state cache
-	machineKeyIf, machineKeyFound := h.registrationCache.Get(state)
-	if !machineKeyFound {
+	nodeKeyIf, nodeKeyFound := h.registrationCache.Get(state)
+	if !nodeKeyFound {
 		log.Error().
 			Msg("requested machine state key expired before authorisation completed")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
@@ -419,20 +454,38 @@ func (h *Headscale) validateMachineForOIDCCallback(
 				Msg("Failed to write response")
 		}

-		return nil, false, errOIDCInvalidMachineState
+		return nil, false, errOIDCNodeKeyMissing
 	}

 	var nodeKey key.NodePublic
-	nodeKeyFromCache, nodeKeyOK := machineKeyIf.(string)
+	nodeKeyFromCache, nodeKeyOK := nodeKeyIf.(string)
+	if !nodeKeyOK {
+		log.Error().
+			Msg("requested machine state key is not a string")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("state is invalid"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return nil, false, errOIDCInvalidMachineState
+	}
+
 	err := nodeKey.UnmarshalText(
 		[]byte(NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
 	)
 	if err != nil {
 		log.Error().
+			Str("nodeKey", nodeKeyFromCache).
+			Bool("nodeKeyOK", nodeKeyOK).
 			Msg("could not parse node public key")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
-		_, werr := writer.Write([]byte("could not parse public key"))
+		_, werr := writer.Write([]byte("could not parse node public key"))
 		if werr != nil {
 			log.Error().
 				Caller().
@@ -443,21 +496,6 @@ func (h *Headscale) validateMachineForOIDCCallback(
 		return nil, false, err
 	}

-	if !nodeKeyOK {
-		log.Error().Msg("could not get node key from cache")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-		_, err := writer.Write([]byte("could not get node key from cache"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
-		return nil, false, errOIDCNodeKeyMissing
-	}
-
 	// retrieve machine information if it exist
 	// The error is not important, because if it does not
 	// exist, then this is a new machine and we will move
--- a/protocol_common.go
+++ b/protocol_common.go
@@ -490,6 +490,7 @@ func (h *Headscale) handleNewMachineCommon(
 		Bool("noise", machineKey.IsZero()).
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Msg("The node seems to be new, sending auth url")
+
 	if h.oauth2Config != nil {
 		resp.AuthURL = fmt.Sprintf(
 			"%s/oidc/register/%s",
@@ -528,6 +529,7 @@ func (h *Headscale) handleNewMachineCommon(
 	log.Info().
 		Caller().
 		Bool("noise", machineKey.IsZero()).
+		Str("AuthURL", resp.AuthURL).
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Msg("Successfully sent auth url")
 }
@@ -726,7 +728,7 @@ func (h *Headscale) handleMachineExpiredCommon(
 	if h.oauth2Config != nil {
 		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey))
+			registerRequest.NodeKey)
 	} else {
 		resp.AuthURL = fmt.Sprintf("%s/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
Author	SHA1	Message	Date
Juan Font Alonso	2d79179141	Updated changelog	2022-11-15 21:28:26 +01:00
Juan Font Alonso	275cc28193	Do not strip nodekey prefix on handle expired	2022-11-15 21:28:26 +01:00
Juan Font	c5ba7552c5	Added more logging	2022-11-15 21:28:26 +01:00
Juan Font	8909f801bb	Added more debug messages in OIDC registration	2022-11-15 21:28:26 +01:00
Steven Honson	3d4af52b3a	Releases: use flavor to set the tag suffix	2022-11-15 11:36:38 +01:00
Juan Font	6391555dab	Updated changelog	2022-11-15 08:42:29 +01:00
Juan Font	8cc5b2174b	Remove Alpine Linux container	2022-11-15 08:42:29 +01:00
Juan Font	9269dd01f5	Move Tailscale old versions to TS2019 list	2022-11-14 23:06:30 +01:00
Juan Font	ef68f17a96	Return the correct error on cache miss	2022-11-14 18:34:27 +01:00
Juan Font	f74266f8f8	OIDC code cleanup and harmonize with regular web auth	2022-11-14 18:34:27 +01:00
Kristoffer Dalby	46df219ed3	Add testname identifier to hs container Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	835288d864	Remove unused variable Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	93d56362af	Lock and unify headscale start/get method Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	4799859be0	Fix renamed method Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	8e44596171	less verbose command output Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	d479234058	Split ts versions into 2019/2021 for dedicated tests later Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	3fc5866de0	Remove duplicate function Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	f3c40086ac	Make TLS setup work automatically This commit injects the per-test-generated tls certs into the tailscale container and makes sure all can ping all. It does not test any of the DERP isolation yet. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	09ed21edd8	Remove duplicate function Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	456479eaa1	Rename and move wait for headscale Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	cb87852825	Add nolint to gosec stuff that doesnt matter because test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	69440058bb	Clean up cert function Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	9bc6ac0f35	Make TLS setup work automatically This commit injects the per-test-generated tls certs into the tailscale container and makes sure all can ping all. It does not test any of the DERP isolation yet. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Juan Font Alonso	89ff5c83d2	Add web flow auth integration tests	2022-11-14 08:47:02 +01:00
Juan Font Alonso	0a47d694be	Return the real port of the container	2022-11-14 08:47:02 +01:00
Juan Font Alonso	73c84d4f6a	Print hostname of the machine registered	2022-11-14 08:47:02 +01:00
Juan Font Alonso	a9251d6652	Fixed linter issues	2022-11-13 22:33:41 +01:00
Juan Font Alonso	f9c44f11d6	Added method to run tailscale up without authkey	2022-11-13 22:33:41 +01:00
Juan Font Alonso	1f8bd24a0d	Return stderr in tsic.Execute	2022-11-13 22:33:41 +01:00
Juan Font Alonso	7bf2eb3d71	Update Tailscale interface with new Execute signature	2022-11-13 22:33:41 +01:00
Juan Font Alonso	f5a5437917	disable interfacebloat linter	2022-11-13 18:30:00 +01:00
Juan Font Alonso	9989657c0f	Wait for tailscale client to be ready after tailscale up	2022-11-13 18:30:00 +01:00
Juan Font Alonso	cb2790984f	Added WaitForReady() to Tailscale interface When using running `tailscale up` in the AuthKey flow process, the tailscale client immediately enters PollMap after registration - avoiding a race condition. When using the web auth (up -> go to the Control website -> CLI `register`) the client is polling checking if it has been authorized. If we immediately ask for the client IP, as done in CreateHeadscaleEnv() we might have the client in NotReady status. This method provides a way to wait for the client to be ready. Signed-off-by: Juan Font Alonso <juanfontalonso@gmail.com>	2022-11-13 18:30:00 +01:00