tailscale/ipn/ipnlocal/local_test.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package ipnlocal

import (
	"context"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"maps"
	"math"
	"net"
	"net/http"
	"net/netip"
	"os"
	"path/filepath"
	"reflect"
	"slices"
	"strings"
	"sync"
	"testing"
	"time"

	"github.com/google/go-cmp/cmp"
	"github.com/google/go-cmp/cmp/cmpopts"
	memro "go4.org/mem"
	"go4.org/netipx"
	"golang.org/x/net/dns/dnsmessage"
	"tailscale.com/appc"
	"tailscale.com/appc/appctest"
	"tailscale.com/clientupdate"
	"tailscale.com/control/controlclient"
	"tailscale.com/drive"
	"tailscale.com/drive/driveimpl"
	"tailscale.com/health"
	"tailscale.com/hostinfo"
	"tailscale.com/ipn"
	"tailscale.com/ipn/conffile"
	"tailscale.com/ipn/ipnauth"
	"tailscale.com/ipn/store/mem"
	"tailscale.com/net/netcheck"
	"tailscale.com/net/netmon"
	"tailscale.com/net/tsaddr"
	"tailscale.com/net/tsdial"
	"tailscale.com/tailcfg"
	"tailscale.com/tsd"
	"tailscale.com/tstest"
	"tailscale.com/types/dnstype"
	"tailscale.com/types/ipproto"
	"tailscale.com/types/key"
	"tailscale.com/types/logger"
	"tailscale.com/types/logid"
	"tailscale.com/types/netmap"
	"tailscale.com/types/opt"
	"tailscale.com/types/ptr"
	"tailscale.com/types/views"
	"tailscale.com/util/dnsname"
	"tailscale.com/util/eventbus"
	"tailscale.com/util/mak"
	"tailscale.com/util/must"
	"tailscale.com/util/set"
	"tailscale.com/util/syspolicy"
	"tailscale.com/util/syspolicy/setting"
	"tailscale.com/util/syspolicy/source"
	"tailscale.com/wgengine"
	"tailscale.com/wgengine/filter"
	"tailscale.com/wgengine/filter/filtertype"
	"tailscale.com/wgengine/wgcfg"
)

func fakeStoreRoutes(*appc.RouteInfo) error { return nil }

func inRemove(ip netip.Addr) bool {
	for _, pfx := range removeFromDefaultRoute {
		if pfx.Contains(ip) {
			return true
		}
	}
	return false
}

func makeNodeKeyFromID(nodeID tailcfg.NodeID) key.NodePublic {
	raw := make([]byte, 32)
	binary.BigEndian.PutUint64(raw[24:], uint64(nodeID))
	return key.NodePublicFromRaw32(memro.B(raw))
}

func makeDiscoKeyFromID(nodeID tailcfg.NodeID) (ret key.DiscoPublic) {
	raw := make([]byte, 32)
	binary.BigEndian.PutUint64(raw[24:], uint64(nodeID))
	return key.DiscoPublicFromRaw32(memro.B(raw))
}

func TestShrinkDefaultRoute(t *testing.T) {
	tests := []struct {
		route     string
		in        []string
		out       []string
		localIPFn func(netip.Addr) bool // true if this machine's local IP address should be "in" after shrinking.
	}{
		{
			route: "0.0.0.0/0",
			in:    []string{"1.2.3.4", "25.0.0.1"},
			out: []string{
				"10.0.0.1",
				"10.255.255.255",
				"192.168.0.1",
				"192.168.255.255",
				"172.16.0.1",
				"172.31.255.255",
				"100.101.102.103",
				"224.0.0.1",
				"169.254.169.254",
				// Some random IPv6 stuff that shouldn't be in a v4
				// default route.
				"fe80::",
				"2601::1",
			},
			localIPFn: func(ip netip.Addr) bool { return !inRemove(ip) && ip.Is4() },
		},
		{
			route: "::/0",
			in:    []string{"::1", "2601::1"},
			out: []string{
				"fe80::1",
				"ff00::1",
				tsaddr.TailscaleULARange().Addr().String(),
			},
			localIPFn: func(ip netip.Addr) bool { return !inRemove(ip) && ip.Is6() },
		},
	}

	// Construct a fake local network environment to make this test hermetic.
	// localInterfaceRoutes and hostIPs would normally come from calling interfaceRoutes,
	// and localAddresses would normally come from calling interfaces.LocalAddresses.
	var b netipx.IPSetBuilder
	for _, c := range []string{"127.0.0.0/8", "192.168.9.0/24", "fe80::/32"} {
		p := netip.MustParsePrefix(c)
		b.AddPrefix(p)
	}
	localInterfaceRoutes, err := b.IPSet()
	if err != nil {
		t.Fatal(err)
	}
	hostIPs := []netip.Addr{
		netip.MustParseAddr("127.0.0.1"),
		netip.MustParseAddr("192.168.9.39"),
		netip.MustParseAddr("fe80::1"),
		netip.MustParseAddr("fe80::437d:feff:feca:49a7"),
	}
	localAddresses := []netip.Addr{
		netip.MustParseAddr("192.168.9.39"),
	}

	for _, test := range tests {
		def := netip.MustParsePrefix(test.route)
		got, err := shrinkDefaultRoute(def, localInterfaceRoutes, hostIPs)
		if err != nil {
			t.Fatalf("shrinkDefaultRoute(%q): %v", test.route, err)
		}
		for _, ip := range test.in {
			if !got.Contains(netip.MustParseAddr(ip)) {
				t.Errorf("shrink(%q).Contains(%v) = false, want true", test.route, ip)
			}
		}
		for _, ip := range test.out {
			if got.Contains(netip.MustParseAddr(ip)) {
				t.Errorf("shrink(%q).Contains(%v) = true, want false", test.route, ip)
			}
		}
		for _, ip := range localAddresses {
			want := test.localIPFn(ip)
			if gotContains := got.Contains(ip); gotContains != want {
				t.Errorf("shrink(%q).Contains(%v) = %v, want %v", test.route, ip, gotContains, want)
			}
		}
	}
}

func TestPeerRoutes(t *testing.T) {
	pp := netip.MustParsePrefix
	tests := []struct {
		name  string
		peers []wgcfg.Peer
		want  []netip.Prefix
	}{
		{
			name: "small_v4",
			peers: []wgcfg.Peer{
				{
					AllowedIPs: []netip.Prefix{
						pp("100.101.102.103/32"),
					},
				},
			},
			want: []netip.Prefix{
				pp("100.101.102.103/32"),
			},
		},
		{
			name: "big_v4",
			peers: []wgcfg.Peer{
				{
					AllowedIPs: []netip.Prefix{
						pp("100.101.102.103/32"),
						pp("100.101.102.104/32"),
						pp("100.101.102.105/32"),
					},
				},
			},
			want: []netip.Prefix{
				pp("100.64.0.0/10"),
			},
		},
		{
			name: "has_1_v6",
			peers: []wgcfg.Peer{
				{
					AllowedIPs: []netip.Prefix{
						pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b240/128"),
					},
				},
			},
			want: []netip.Prefix{
				pp("fd7a:115c:a1e0::/48"),
			},
		},
		{
			name: "has_2_v6",
			peers: []wgcfg.Peer{
				{
					AllowedIPs: []netip.Prefix{
						pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b240/128"),
						pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b241/128"),
					},
				},
			},
			want: []netip.Prefix{
				pp("fd7a:115c:a1e0::/48"),
			},
		},
		{
			name: "big_v4_big_v6",
			peers: []wgcfg.Peer{
				{
					AllowedIPs: []netip.Prefix{
						pp("100.101.102.103/32"),
						pp("100.101.102.104/32"),
						pp("100.101.102.105/32"),
						pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b240/128"),
						pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b241/128"),
					},
				},
			},
			want: []netip.Prefix{
				pp("100.64.0.0/10"),
				pp("fd7a:115c:a1e0::/48"),
			},
		},
		{
			name: "output-should-be-sorted",
			peers: []wgcfg.Peer{
				{
					AllowedIPs: []netip.Prefix{
						pp("100.64.0.2/32"),
						pp("10.0.0.0/16"),
					},
				},
				{
					AllowedIPs: []netip.Prefix{
						pp("100.64.0.1/32"),
						pp("10.0.0.0/8"),
					},
				},
			},
			want: []netip.Prefix{
				pp("10.0.0.0/8"),
				pp("10.0.0.0/16"),
				pp("100.64.0.1/32"),
				pp("100.64.0.2/32"),
			},
		},
		{
			name: "skip-unmasked-prefixes",
			peers: []wgcfg.Peer{
				{
					PublicKey: key.NewNode().Public(),
					AllowedIPs: []netip.Prefix{
						pp("100.64.0.2/32"),
						pp("10.0.0.100/16"),
					},
				},
			},
			want: []netip.Prefix{
				pp("100.64.0.2/32"),
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := peerRoutes(t.Logf, tt.peers, 2)
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("got = %v; want %v", got, tt.want)
			}
		})
	}
}

func TestPeerAPIBase(t *testing.T) {
	tests := []struct {
		name string
		nm   *netmap.NetworkMap
		peer *tailcfg.Node
		want string
	}{
		{
			name: "nil_netmap",
			peer: new(tailcfg.Node),
			want: "",
		},
		{
			name: "nil_peer",
			nm:   new(netmap.NetworkMap),
			want: "",
		},
		{
			name: "self_only_4_them_both",
			nm: &netmap.NetworkMap{
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						netip.MustParsePrefix("100.64.1.1/32"),
					},
				}).View(),
			},
			peer: &tailcfg.Node{
				Addresses: []netip.Prefix{
					netip.MustParsePrefix("100.64.1.2/32"),
					netip.MustParsePrefix("fe70::2/128"),
				},
				Hostinfo: (&tailcfg.Hostinfo{
					Services: []tailcfg.Service{
						{Proto: "peerapi4", Port: 444},
						{Proto: "peerapi6", Port: 666},
					},
				}).View(),
			},
			want: "http://100.64.1.2:444",
		},
		{
			name: "self_only_6_them_both",
			nm: &netmap.NetworkMap{
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						netip.MustParsePrefix("fe70::1/128"),
					},
				}).View(),
			},
			peer: &tailcfg.Node{
				Addresses: []netip.Prefix{
					netip.MustParsePrefix("100.64.1.2/32"),
					netip.MustParsePrefix("fe70::2/128"),
				},
				Hostinfo: (&tailcfg.Hostinfo{
					Services: []tailcfg.Service{
						{Proto: "peerapi4", Port: 444},
						{Proto: "peerapi6", Port: 666},
					},
				}).View(),
			},
			want: "http://[fe70::2]:666",
		},
		{
			name: "self_both_them_only_4",
			nm: &netmap.NetworkMap{
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						netip.MustParsePrefix("100.64.1.1/32"),
						netip.MustParsePrefix("fe70::1/128"),
					},
				}).View(),
			},
			peer: &tailcfg.Node{
				Addresses: []netip.Prefix{
					netip.MustParsePrefix("100.64.1.2/32"),
					netip.MustParsePrefix("fe70::2/128"),
				},
				Hostinfo: (&tailcfg.Hostinfo{
					Services: []tailcfg.Service{
						{Proto: "peerapi4", Port: 444},
					},
				}).View(),
			},
			want: "http://100.64.1.2:444",
		},
		{
			name: "self_both_them_only_6",
			nm: &netmap.NetworkMap{
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						netip.MustParsePrefix("100.64.1.1/32"),
						netip.MustParsePrefix("fe70::1/128"),
					},
				}).View(),
			},
			peer: &tailcfg.Node{
				Addresses: []netip.Prefix{
					netip.MustParsePrefix("100.64.1.2/32"),
					netip.MustParsePrefix("fe70::2/128"),
				},
				Hostinfo: (&tailcfg.Hostinfo{
					Services: []tailcfg.Service{
						{Proto: "peerapi6", Port: 666},
					},
				}).View(),
			},
			want: "http://[fe70::2]:666",
		},
		{
			name: "self_both_them_no_peerapi_service",
			nm: &netmap.NetworkMap{
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						netip.MustParsePrefix("100.64.1.1/32"),
						netip.MustParsePrefix("fe70::1/128"),
					},
				}).View(),
			},
			peer: &tailcfg.Node{
				Addresses: []netip.Prefix{
					netip.MustParsePrefix("100.64.1.2/32"),
					netip.MustParsePrefix("fe70::2/128"),
				},
			},
			want: "",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := peerAPIBase(tt.nm, tt.peer.View())
			if got != tt.want {
				t.Errorf("got %q; want %q", got, tt.want)
			}
		})
	}
}

type panicOnUseTransport struct{}

func (panicOnUseTransport) RoundTrip(*http.Request) (*http.Response, error) {
	panic("unexpected HTTP request")
}

func newTestLocalBackend(t testing.TB) *LocalBackend {
	return newTestLocalBackendWithSys(t, tsd.NewSystem())
}

// newTestLocalBackendWithSys creates a new LocalBackend with the given tsd.System.
// If the state store or engine are not set in sys, they will be set to a new
// in-memory store and fake userspace engine, respectively.
func newTestLocalBackendWithSys(t testing.TB, sys *tsd.System) *LocalBackend {
	var logf logger.Logf = logger.Discard
	if _, ok := sys.StateStore.GetOK(); !ok {
		sys.Set(new(mem.Store))
	}
	if _, ok := sys.Engine.GetOK(); !ok {
		eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set, sys.HealthTracker(), sys.UserMetricsRegistry(), sys.Bus.Get())
		if err != nil {
			t.Fatalf("NewFakeUserspaceEngine: %v", err)
		}
		t.Cleanup(eng.Close)
		sys.Set(eng)
	}
	lb, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
	if err != nil {
		t.Fatalf("NewLocalBackend: %v", err)
	}
	t.Cleanup(lb.Shutdown)
	return lb
}

// Issue 1573: don't generate a machine key if we don't want to be running.
func TestLazyMachineKeyGeneration(t *testing.T) {
	tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })

	lb := newTestLocalBackend(t)
	lb.SetHTTPTestClient(&http.Client{
		Transport: panicOnUseTransport{}, // validate we don't send HTTP requests
	})

	if err := lb.Start(ipn.Options{}); err != nil {
		t.Fatalf("Start: %v", err)
	}

	// Give the controlclient package goroutines (if they're
	// accidentally started) extra time to schedule and run (and thus
	// hit panicOnUseTransport).
	time.Sleep(500 * time.Millisecond)
}

func TestZeroExitNodeViaLocalAPI(t *testing.T) {
	lb := newTestLocalBackend(t)
	user := &ipnauth.TestActor{}

	// Give it an initial exit node in use.
	if _, err := lb.EditPrefsAs(&ipn.MaskedPrefs{
		ExitNodeIDSet: true,
		Prefs: ipn.Prefs{
			ExitNodeID: "foo",
		},
	}, user); err != nil {
		t.Fatalf("enabling first exit node: %v", err)
	}

	// SetUseExitNodeEnabled(false) "remembers" the prior exit node.
	if _, err := lb.SetUseExitNodeEnabled(user, false); err != nil {
		t.Fatal("expected failure")
	}

	// Zero the exit node
	pv, err := lb.EditPrefsAs(&ipn.MaskedPrefs{
		ExitNodeIDSet: true,
		Prefs: ipn.Prefs{
			ExitNodeID: "",
		},
	}, user)

	if err != nil {
		t.Fatalf("enabling first exit node: %v", err)
	}

	// We just set the internal exit node to the empty string, so InternalExitNodePrior should
	// also be zero'd
	if got, want := pv.InternalExitNodePrior(), tailcfg.StableNodeID(""); got != want {
		t.Fatalf("unexpected InternalExitNodePrior %q, want: %q", got, want)
	}

}

func TestSetUseExitNodeEnabled(t *testing.T) {
	lb := newTestLocalBackend(t)
	user := &ipnauth.TestActor{}

	// Can't turn it on if it never had an old value.
	if _, err := lb.SetUseExitNodeEnabled(user, true); err == nil {
		t.Fatal("expected success")
	}

	// But we can turn it off when it's already off.
	if _, err := lb.SetUseExitNodeEnabled(user, false); err != nil {
		t.Fatal("expected failure")
	}

	// Give it an initial exit node in use.
	if _, err := lb.EditPrefsAs(&ipn.MaskedPrefs{
		ExitNodeIDSet: true,
		Prefs: ipn.Prefs{
			ExitNodeID: "foo",
		},
	}, user); err != nil {
		t.Fatalf("enabling first exit node: %v", err)
	}

	// Now turn off that exit node.
	if prefs, err := lb.SetUseExitNodeEnabled(user, false); err != nil {
		t.Fatal("expected failure")
	} else {
		if g, w := prefs.ExitNodeID(), tailcfg.StableNodeID(""); g != w {
			t.Fatalf("unexpected exit node ID %q; want %q", g, w)
		}
		if g, w := prefs.InternalExitNodePrior(), tailcfg.StableNodeID("foo"); g != w {
			t.Fatalf("unexpected exit node prior %q; want %q", g, w)
		}
	}

	// And turn it back on.
	if prefs, err := lb.SetUseExitNodeEnabled(user, true); err != nil {
		t.Fatal("expected failure")
	} else {
		if g, w := prefs.ExitNodeID(), tailcfg.StableNodeID("foo"); g != w {
			t.Fatalf("unexpected exit node ID %q; want %q", g, w)
		}
		if g, w := prefs.InternalExitNodePrior(), tailcfg.StableNodeID("foo"); g != w {
			t.Fatalf("unexpected exit node prior %q; want %q", g, w)
		}
	}

	// Verify we block setting an Internal field.
	if _, err := lb.EditPrefsAs(&ipn.MaskedPrefs{
		InternalExitNodePriorSet: true,
	}, user); err == nil {
		t.Fatalf("unexpected success; want an error trying to set an internal field")
	}
}

func makeExitNode(id tailcfg.NodeID, opts ...peerOptFunc) tailcfg.NodeView {
	return makePeer(id, append([]peerOptFunc{withCap(26), withSuggest(), withExitRoutes()}, opts...)...)
}

func TestConfigureExitNode(t *testing.T) {
	controlURL := "https://localhost:1/"
	exitNode1 := makeExitNode(1, withName("node-1"), withDERP(1), withAddresses(netip.MustParsePrefix("100.64.1.1/32")))
	exitNode2 := makeExitNode(2, withName("node-2"), withDERP(2), withAddresses(netip.MustParsePrefix("100.64.1.2/32")))
	selfNode := makeExitNode(3, withName("node-3"), withDERP(1), withAddresses(netip.MustParsePrefix("100.64.1.3/32")))
	clientNetmap := buildNetmapWithPeers(selfNode, exitNode1, exitNode2)

	report := &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 5 * time.Millisecond,
			2: 10 * time.Millisecond,
		},
		PreferredDERP: 1,
	}

	tests := []struct {
		name                   string
		prefs                  ipn.Prefs
		netMap                 *netmap.NetworkMap
		report                 *netcheck.Report
		changePrefs            *ipn.MaskedPrefs
		useExitNodeEnabled     *bool
		exitNodeIDPolicy       *tailcfg.StableNodeID
		exitNodeIPPolicy       *netip.Addr
		exitNodeAllowedIDs     []tailcfg.StableNodeID // nil if all IDs are allowed for auto exit nodes
		exitNodeAllowOverride  bool                   // whether [syspolicy.AllowExitNodeOverride] should be set to true
		wantChangePrefsErr     error                  // if non-nil, the error we expect from [LocalBackend.EditPrefsAs]
		wantPrefs              ipn.Prefs
		wantExitNodeToggleErr  error // if non-nil, the error we expect from [LocalBackend.SetUseExitNodeEnabled]
		wantHostinfoExitNodeID tailcfg.StableNodeID
	}{
		{
			name: "exit-node-id-via-prefs", // set exit node ID via prefs
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap: clientNetmap,
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:         ipn.Prefs{ExitNodeID: exitNode1.StableID()},
				ExitNodeIDSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode1.StableID(),
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "exit-node-ip-via-prefs", // set exit node IP via prefs (should be resolved to an ID)
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap: clientNetmap,
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:         ipn.Prefs{ExitNodeIP: exitNode1.Addresses().At(0).Addr()},
				ExitNodeIPSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode1.StableID(),
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-exit-node-via-prefs/any", // set auto exit node via prefs
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap: clientNetmap,
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:           ipn.Prefs{AutoExitNode: "any"},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode1.StableID(),
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-exit-node-via-prefs/set-exit-node-id-via-prefs", // setting exit node ID explicitly should disable auto exit node
			prefs: ipn.Prefs{
				ControlURL:   controlURL,
				AutoExitNode: "any",
				ExitNodeID:   exitNode1.StableID(),
			},
			netMap: clientNetmap,
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:         ipn.Prefs{ExitNodeID: exitNode2.StableID()},
				ExitNodeIDSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode2.StableID(),
				AutoExitNode: "", // should be unset
			},
			wantHostinfoExitNodeID: exitNode2.StableID(),
		},
		{
			name: "auto-exit-node-via-prefs/any/no-report", // set auto exit node via prefs, but no report means we can't resolve the exit node ID
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap: clientNetmap,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:           ipn.Prefs{AutoExitNode: "any"},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   unresolvedExitNodeID, // cannot resolve; traffic will be dropped
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: "",
		},
		{
			name: "auto-exit-node-via-prefs/any/no-netmap", // similarly, but without a netmap (no exit node should be selected)
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:           ipn.Prefs{AutoExitNode: "any"},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   unresolvedExitNodeID, // cannot resolve; traffic will be dropped
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: "",
		},
		{
			name: "auto-exit-node-via-prefs/foo", // set auto exit node via prefs with an unknown/unsupported expression
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap: clientNetmap,
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:           ipn.Prefs{AutoExitNode: "foo"},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode1.StableID(), // unknown exit node expressions should work as "any"
				AutoExitNode: "foo",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-exit-node-via-prefs/off", // toggle the exit node off after it was set to "any"
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap: clientNetmap,
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:           ipn.Prefs{AutoExitNode: "any"},
				AutoExitNodeSet: true,
			},
			useExitNodeEnabled: ptr.To(false),
			wantPrefs: ipn.Prefs{
				ControlURL:            controlURL,
				ExitNodeID:            "",
				AutoExitNode:          "",
				InternalExitNodePrior: "auto:any",
			},
			wantHostinfoExitNodeID: "",
		},
		{
			name: "auto-exit-node-via-prefs/on", // toggle the exit node on
			prefs: ipn.Prefs{
				ControlURL:            controlURL,
				InternalExitNodePrior: "auto:any",
			},
			netMap:             clientNetmap,
			report:             report,
			useExitNodeEnabled: ptr.To(true),
			wantPrefs: ipn.Prefs{
				ControlURL:            controlURL,
				ExitNodeID:            exitNode1.StableID(),
				AutoExitNode:          "any",
				InternalExitNodePrior: "auto:any",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "id-via-policy", // set exit node ID via syspolicy
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			exitNodeIDPolicy: ptr.To(exitNode1.StableID()),
			wantPrefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode1.StableID(),
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "id-via-policy/cannot-override-via-prefs/by-id", // syspolicy should take precedence over prefs
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			exitNodeIDPolicy: ptr.To(exitNode1.StableID()),
			changePrefs: &ipn.MaskedPrefs{
				Prefs: ipn.Prefs{
					ExitNodeID: exitNode2.StableID(), // this should be ignored
				},
				ExitNodeIDSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode1.StableID(),
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
			wantChangePrefsErr:     errManagedByPolicy,
		},
		{
			name: "id-via-policy/cannot-override-via-prefs/by-ip", // syspolicy should take precedence over prefs
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			exitNodeIDPolicy: ptr.To(exitNode1.StableID()),
			changePrefs: &ipn.MaskedPrefs{
				Prefs: ipn.Prefs{
					ExitNodeIP: exitNode2.Addresses().At(0).Addr(), // this should be ignored
				},
				ExitNodeIPSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode1.StableID(),
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
			wantChangePrefsErr:     errManagedByPolicy,
		},
		{
			name: "id-via-policy/cannot-override-via-prefs/by-auto-expr", // syspolicy should take precedence over prefs
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			exitNodeIDPolicy: ptr.To(exitNode1.StableID()),
			changePrefs: &ipn.MaskedPrefs{
				Prefs: ipn.Prefs{
					AutoExitNode: "any", // this should be ignored
				},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode1.StableID(),
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
			wantChangePrefsErr:     errManagedByPolicy,
		},
		{
			name: "ip-via-policy", // set exit node IP via syspolicy (should be resolved to an ID)
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			exitNodeIPPolicy: ptr.To(exitNode2.Addresses().At(0).Addr()),
			wantPrefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode2.StableID(),
			},
			wantHostinfoExitNodeID: exitNode2.StableID(),
		},
		{
			name: "auto-any-via-policy", // set auto exit node via syspolicy (an exit node should be selected)
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			report:           report,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:any")),
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode1.StableID(),
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-any-via-policy/no-report", // set auto exit node via syspolicy without a netcheck report (no exit node should be selected)
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			report:           nil,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:any")),
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   unresolvedExitNodeID,
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: "",
		},
		{
			name: "auto-any-via-policy/no-netmap", // similarly, but without a netmap (no exit node should be selected)
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           nil,
			report:           report,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:any")),
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   unresolvedExitNodeID,
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: "",
		},
		{
			name: "auto-any-via-policy/no-netmap/with-existing", // set auto exit node via syspolicy without a netmap, but with a previously set exit node ID
			prefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode2.StableID(), // should be retained
			},
			netMap:             nil,
			report:             report,
			exitNodeIDPolicy:   ptr.To(tailcfg.StableNodeID("auto:any")),
			exitNodeAllowedIDs: nil, // not configured, so all exit node IDs are implicitly allowed
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode2.StableID(),
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: exitNode2.StableID(),
		},
		{
			name: "auto-any-via-policy/no-netmap/with-allowed-existing", // same, but now with a syspolicy setting that explicitly allows the existing exit node ID
			prefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode2.StableID(), // should be retained
			},
			netMap:           nil,
			report:           report,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:any")),
			exitNodeAllowedIDs: []tailcfg.StableNodeID{
				exitNode2.StableID(), // the current exit node ID is allowed
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode2.StableID(),
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: exitNode2.StableID(),
		},
		{
			name: "auto-any-via-policy/no-netmap/with-disallowed-existing", // same, but now with a syspolicy setting that does not allow the existing exit node ID
			prefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode2.StableID(), // not allowed by [syspolicy.AllowedSuggestedExitNodes]
			},
			netMap:           nil,
			report:           report,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:any")),
			exitNodeAllowedIDs: []tailcfg.StableNodeID{
				exitNode1.StableID(), // a different exit node ID; the current one is not allowed
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   unresolvedExitNodeID, // we don't have a netmap yet, and the current exit node ID is not allowed; block traffic
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: "",
		},
		{
			name: "auto-any-via-policy/with-netmap/with-allowed-existing", // same, but now with a syspolicy setting that does not allow the existing exit node ID
			prefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode1.StableID(), // not allowed by [syspolicy.AllowedSuggestedExitNodes]
			},
			netMap:           clientNetmap,
			report:           report,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:any")),
			exitNodeAllowedIDs: []tailcfg.StableNodeID{
				exitNode2.StableID(), // a different exit node ID; the current one is not allowed
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode2.StableID(), // we have a netmap; switch to the best allowed exit node
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: exitNode2.StableID(),
		},
		{
			name: "auto-any-via-policy/with-netmap/switch-to-better", // if all exit nodes are allowed, switch to the best one once we have a netmap
			prefs: ipn.Prefs{
				ControlURL: controlURL,
				ExitNodeID: exitNode2.StableID(),
			},
			netMap:           clientNetmap,
			report:           report,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:any")),
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode1.StableID(), // switch to the best exit node
				AutoExitNode: "any",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-foo-via-policy", // set auto exit node via syspolicy with an unknown/unsupported expression
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:           clientNetmap,
			report:           report,
			exitNodeIDPolicy: ptr.To(tailcfg.StableNodeID("auto:foo")),
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode1.StableID(), // unknown exit node expressions should work as "any"
				AutoExitNode: "foo",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-foo-via-edit-prefs", // set auto exit node via EditPrefs with an unknown/unsupported expression
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap: clientNetmap,
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs:           ipn.Prefs{AutoExitNode: "foo"},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode1.StableID(), // unknown exit node expressions should work as "any"
				AutoExitNode: "foo",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-any-via-policy/toggle-off", // cannot toggle off the exit node if it was set via syspolicy
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:                clientNetmap,
			report:                report,
			exitNodeIDPolicy:      ptr.To(tailcfg.StableNodeID("auto:any")),
			useExitNodeEnabled:    ptr.To(false), // should fail with an error
			wantExitNodeToggleErr: errManagedByPolicy,
			wantPrefs: ipn.Prefs{
				ControlURL:            controlURL,
				ExitNodeID:            exitNode1.StableID(), // still enforced by the policy setting
				AutoExitNode:          "any",
				InternalExitNodePrior: "",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-any-via-policy/allow-override/change", // changing the exit node is allowed by [syspolicy.AllowExitNodeOverride]
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:                clientNetmap,
			report:                report,
			exitNodeIDPolicy:      ptr.To(tailcfg.StableNodeID("auto:any")),
			exitNodeAllowOverride: true, // allow changing the exit node
			changePrefs: &ipn.MaskedPrefs{
				Prefs: ipn.Prefs{
					ExitNodeID: exitNode2.StableID(), // change the exit node ID
				},
				ExitNodeIDSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				ExitNodeID:   exitNode2.StableID(), // overridden by user
				AutoExitNode: "",                   // cleared, as we are setting the exit node ID explicitly
			},
			wantHostinfoExitNodeID: exitNode2.StableID(),
		},
		{
			name: "auto-any-via-policy/allow-override/clear", // clearing the exit node ID is not allowed by [syspolicy.AllowExitNodeOverride]
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:                clientNetmap,
			report:                report,
			exitNodeIDPolicy:      ptr.To(tailcfg.StableNodeID("auto:any")),
			exitNodeAllowOverride: true, // allow changing, but not disabling, the exit node
			changePrefs: &ipn.MaskedPrefs{
				Prefs: ipn.Prefs{
					ExitNodeID: "", // clearing the exit node ID disables the exit node and should not be allowed
				},
				ExitNodeIDSet: true,
			},
			wantChangePrefsErr: errManagedByPolicy, // edit prefs should fail with an error
			wantPrefs: ipn.Prefs{
				ControlURL:            controlURL,
				ExitNodeID:            exitNode1.StableID(), // still enforced by the policy setting
				AutoExitNode:          "any",
				InternalExitNodePrior: "",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-any-via-policy/allow-override/toggle-off", // similarly, toggling off the exit node is not allowed even with [syspolicy.AllowExitNodeOverride]
			prefs: ipn.Prefs{
				ControlURL: controlURL,
			},
			netMap:                clientNetmap,
			report:                report,
			exitNodeIDPolicy:      ptr.To(tailcfg.StableNodeID("auto:any")),
			exitNodeAllowOverride: true,          // allow changing, but not disabling, the exit node
			useExitNodeEnabled:    ptr.To(false), // should fail with an error
			wantExitNodeToggleErr: errManagedByPolicy,
			wantPrefs: ipn.Prefs{
				ControlURL:            controlURL,
				ExitNodeID:            exitNode1.StableID(), // still enforced by the policy setting
				AutoExitNode:          "any",
				InternalExitNodePrior: "",
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
		{
			name: "auto-any-via-initial-prefs/no-netmap/clear-auto-exit-node",
			prefs: ipn.Prefs{
				ControlURL:   controlURL,
				AutoExitNode: ipn.AnyExitNode,
			},
			netMap: nil, // no netmap; exit node cannot be resolved
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs: ipn.Prefs{
					AutoExitNode: "", // clear the auto exit node
				},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				AutoExitNode: "", // cleared
				ExitNodeID:   "", // has never been resolved, so it should be cleared as well
			},
			wantHostinfoExitNodeID: "",
		},
		{
			name: "auto-any-via-initial-prefs/with-netmap/clear-auto-exit-node",
			prefs: ipn.Prefs{
				ControlURL:   controlURL,
				AutoExitNode: ipn.AnyExitNode,
			},
			netMap: clientNetmap, // has a netmap; exit node will be resolved
			report: report,
			changePrefs: &ipn.MaskedPrefs{
				Prefs: ipn.Prefs{
					AutoExitNode: "", // clear the auto exit node
				},
				AutoExitNodeSet: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:   controlURL,
				AutoExitNode: "",                   // cleared
				ExitNodeID:   exitNode1.StableID(), // a resolved exit node ID should be retained
			},
			wantHostinfoExitNodeID: exitNode1.StableID(),
		},
	}
	syspolicy.RegisterWellKnownSettingsForTest(t)
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// Configure policy settings, if any.
			store := source.NewTestStore(t)
			if tt.exitNodeIDPolicy != nil {
				store.SetStrings(source.TestSettingOf(syspolicy.ExitNodeID, string(*tt.exitNodeIDPolicy)))
			}
			if tt.exitNodeIPPolicy != nil {
				store.SetStrings(source.TestSettingOf(syspolicy.ExitNodeIP, tt.exitNodeIPPolicy.String()))
			}
			if tt.exitNodeAllowedIDs != nil {
				store.SetStringLists(source.TestSettingOf(syspolicy.AllowedSuggestedExitNodes, toStrings(tt.exitNodeAllowedIDs)))
			}
			if tt.exitNodeAllowOverride {
				store.SetBooleans(source.TestSettingOf(syspolicy.AllowExitNodeOverride, true))
			}
			if store.IsEmpty() {
				// No syspolicy settings, so don't register a store.
				// This allows the test to run in parallel with other tests.
				t.Parallel()
			} else {
				// Register the store for syspolicy settings to make them available to the LocalBackend.
				syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, store)
			}

			// Create a new LocalBackend with the given prefs.
			// Any syspolicy settings will be applied to the initial prefs.
			lb := newTestLocalBackend(t)
			lb.SetPrefsForTest(tt.prefs.Clone())
			// Then set the netcheck report and netmap, if any.
			if tt.report != nil {
				lb.MagicConn().SetLastNetcheckReportForTest(t.Context(), tt.report)
			}
			if tt.netMap != nil {
				lb.SetControlClientStatus(lb.cc, controlclient.Status{NetMap: tt.netMap})
			}

			user := &ipnauth.TestActor{}
			// If we have a changePrefs, apply it.
			if tt.changePrefs != nil {
				_, err := lb.EditPrefsAs(tt.changePrefs, user)
				checkError(t, err, tt.wantChangePrefsErr, true)
			}

			// If we need to flip exit node toggle on or off, do it.
			if tt.useExitNodeEnabled != nil {
				_, err := lb.SetUseExitNodeEnabled(user, *tt.useExitNodeEnabled)
				checkError(t, err, tt.wantExitNodeToggleErr, true)
			}

			// Now check the prefs.
			opts := []cmp.Option{
				cmpopts.EquateComparable(netip.Addr{}, netip.Prefix{}),
			}
			if diff := cmp.Diff(&tt.wantPrefs, lb.Prefs().AsStruct(), opts...); diff != "" {
				t.Errorf("Prefs(+got -want): %v", diff)
			}

			// And check Hostinfo.
			if got := lb.hostinfo.ExitNodeID; got != tt.wantHostinfoExitNodeID {
				t.Errorf("Hostinfo.ExitNodeID got %s, want %s", got, tt.wantHostinfoExitNodeID)
			}
		})
	}
}

func TestPrefsChangeDisablesExitNode(t *testing.T) {
	tests := []struct {
		name                 string
		netMap               *netmap.NetworkMap
		prefs                ipn.Prefs
		change               ipn.MaskedPrefs
		wantDisablesExitNode bool
	}{
		{
			name: "has-exit-node-id/no-change",
			prefs: ipn.Prefs{
				ExitNodeID: "test-exit-node",
			},
			change:               ipn.MaskedPrefs{},
			wantDisablesExitNode: false,
		},
		{
			name: "has-exit-node-ip/no-change",
			prefs: ipn.Prefs{
				ExitNodeIP: netip.MustParseAddr("100.100.1.1"),
			},
			change:               ipn.MaskedPrefs{},
			wantDisablesExitNode: false,
		},
		{
			name: "has-auto-exit-node/no-change",
			prefs: ipn.Prefs{
				AutoExitNode: ipn.AnyExitNode,
			},
			change:               ipn.MaskedPrefs{},
			wantDisablesExitNode: false,
		},
		{
			name: "has-exit-node-id/non-exit-node-change",
			prefs: ipn.Prefs{
				ExitNodeID: "test-exit-node",
			},
			change: ipn.MaskedPrefs{
				WantRunningSet:            true,
				HostnameSet:               true,
				ExitNodeAllowLANAccessSet: true,
				Prefs: ipn.Prefs{
					WantRunning:            true,
					Hostname:               "test-hostname",
					ExitNodeAllowLANAccess: true,
				},
			},
			wantDisablesExitNode: false,
		},
		{
			name: "has-exit-node-ip/non-exit-node-change",
			prefs: ipn.Prefs{
				ExitNodeIP: netip.MustParseAddr("100.100.1.1"),
			},
			change: ipn.MaskedPrefs{
				WantRunningSet: true,
				RouteAllSet:    true,
				ShieldsUpSet:   true,
				Prefs: ipn.Prefs{
					WantRunning: false,
					RouteAll:    false,
					ShieldsUp:   true,
				},
			},
			wantDisablesExitNode: false,
		},
		{
			name: "has-auto-exit-node/non-exit-node-change",
			prefs: ipn.Prefs{
				AutoExitNode: ipn.AnyExitNode,
			},
			change: ipn.MaskedPrefs{
				CorpDNSSet:                true,
				RouteAllSet:               true,
				ExitNodeAllowLANAccessSet: true,
				Prefs: ipn.Prefs{
					CorpDNS:                true,
					RouteAll:               false,
					ExitNodeAllowLANAccess: true,
				},
			},
			wantDisablesExitNode: false,
		},
		{
			name: "has-exit-node-id/change-exit-node-id",
			prefs: ipn.Prefs{
				ExitNodeID: "exit-node-1",
			},
			change: ipn.MaskedPrefs{
				ExitNodeIDSet: true,
				Prefs: ipn.Prefs{
					ExitNodeID: "exit-node-2",
				},
			},
			wantDisablesExitNode: false, // changing the exit node ID does not disable it
		},
		{
			name: "has-exit-node-id/enable-auto-exit-node",
			prefs: ipn.Prefs{
				ExitNodeID: "exit-node-1",
			},
			change: ipn.MaskedPrefs{
				AutoExitNodeSet: true,
				Prefs: ipn.Prefs{
					AutoExitNode: ipn.AnyExitNode,
				},
			},
			wantDisablesExitNode: false, // changing the exit node ID does not disable it
		},
		{
			name: "has-exit-node-id/clear-exit-node-id",
			prefs: ipn.Prefs{
				ExitNodeID: "exit-node-1",
			},
			change: ipn.MaskedPrefs{
				ExitNodeIDSet: true,
				Prefs: ipn.Prefs{
					ExitNodeID: "",
				},
			},
			wantDisablesExitNode: true, // clearing the exit node ID disables it
		},
		{
			name: "has-auto-exit-node/clear-exit-node-id",
			prefs: ipn.Prefs{
				AutoExitNode: ipn.AnyExitNode,
			},
			change: ipn.MaskedPrefs{
				ExitNodeIDSet: true,
				Prefs: ipn.Prefs{
					ExitNodeID: "",
				},
			},
			wantDisablesExitNode: true, // clearing the exit node ID disables auto exit node as well...
		},
		{
			name: "has-auto-exit-node/clear-exit-node-id/but-keep-auto-exit-node",
			prefs: ipn.Prefs{
				AutoExitNode: ipn.AnyExitNode,
			},
			change: ipn.MaskedPrefs{
				ExitNodeIDSet:   true,
				AutoExitNodeSet: true,
				Prefs: ipn.Prefs{
					ExitNodeID:   "",
					AutoExitNode: ipn.AnyExitNode,
				},
			},
			wantDisablesExitNode: false, // ... unless we explicitly keep the auto exit node enabled
		},
		{
			name: "has-auto-exit-node/clear-exit-node-ip",
			prefs: ipn.Prefs{
				AutoExitNode: ipn.AnyExitNode,
			},
			change: ipn.MaskedPrefs{
				ExitNodeIPSet: true,
				Prefs: ipn.Prefs{
					ExitNodeIP: netip.Addr{},
				},
			},
			wantDisablesExitNode: false, // auto exit node is still enabled
		},
		{
			name: "has-auto-exit-node/clear-auto-exit-node",
			prefs: ipn.Prefs{
				AutoExitNode: ipn.AnyExitNode,
			},
			change: ipn.MaskedPrefs{
				AutoExitNodeSet: true,
				Prefs: ipn.Prefs{
					AutoExitNode: "",
				},
			},
			wantDisablesExitNode: true, // clearing the auto exit while the exit node ID is unresolved disables exit node usage
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			lb := newTestLocalBackend(t)
			if tt.netMap != nil {
				lb.SetControlClientStatus(lb.cc, controlclient.Status{NetMap: tt.netMap})
			}
			// Set the initial prefs via SetPrefsForTest
			// to apply necessary adjustments.
			lb.SetPrefsForTest(tt.prefs.Clone())
			initialPrefs := lb.Prefs()

			// Check whether changeDisablesExitNodeLocked correctly identifies the change.
			if got := lb.changeDisablesExitNodeLocked(initialPrefs, &tt.change); got != tt.wantDisablesExitNode {
				t.Errorf("disablesExitNode: got %v; want %v", got, tt.wantDisablesExitNode)
			}

			// Apply the change and check if it the actual behavior matches the expectation.
			gotPrefs, err := lb.EditPrefsAs(&tt.change, &ipnauth.TestActor{})
			if err != nil {
				t.Fatalf("EditPrefsAs failed: %v", err)
			}
			gotDisabledExitNode := initialPrefs.ExitNodeID() != "" && gotPrefs.ExitNodeID() == ""
			if gotDisabledExitNode != tt.wantDisablesExitNode {
				t.Errorf("disabledExitNode: got %v; want %v", gotDisabledExitNode, tt.wantDisablesExitNode)
			}
		})
	}
}

func TestExitNodeNotifyOrder(t *testing.T) {
	const controlURL = "https://localhost:1/"

	report := &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 5 * time.Millisecond,
			2: 10 * time.Millisecond,
		},
		PreferredDERP: 1,
	}

	exitNode1 := makeExitNode(1, withName("node-1"), withDERP(1), withAddresses(netip.MustParsePrefix("100.64.1.1/32")))
	exitNode2 := makeExitNode(2, withName("node-2"), withDERP(2), withAddresses(netip.MustParsePrefix("100.64.1.2/32")))
	selfNode := makeExitNode(3, withName("node-3"), withDERP(1), withAddresses(netip.MustParsePrefix("100.64.1.3/32")))
	clientNetmap := buildNetmapWithPeers(selfNode, exitNode1, exitNode2)

	lb := newTestLocalBackend(t)
	lb.sys.MagicSock.Get().SetLastNetcheckReportForTest(lb.ctx, report)
	lb.SetPrefsForTest(&ipn.Prefs{
		ControlURL:   controlURL,
		AutoExitNode: ipn.AnyExitNode,
	})

	nw := newNotificationWatcher(t, lb, ipnauth.Self)

	// Updating the netmap should trigger both a netmap notification
	// and an exit node ID notification (since an exit node is selected).
	// The netmap notification should be sent first.
	nw.watch(0, []wantedNotification{
		wantNetmapNotify(clientNetmap),
		wantExitNodeIDNotify(exitNode1.StableID()),
	})
	lb.SetControlClientStatus(lb.cc, controlclient.Status{NetMap: clientNetmap})
	nw.check()
}

func wantNetmapNotify(want *netmap.NetworkMap) wantedNotification {
	return wantedNotification{
		name: "Netmap",
		cond: func(t testing.TB, _ ipnauth.Actor, n *ipn.Notify) bool {
			return n.NetMap == want
		},
	}
}

func wantExitNodeIDNotify(want tailcfg.StableNodeID) wantedNotification {
	return wantedNotification{
		name: fmt.Sprintf("ExitNodeID-%s", want),
		cond: func(_ testing.TB, _ ipnauth.Actor, n *ipn.Notify) bool {
			return n.Prefs != nil && n.Prefs.Valid() && n.Prefs.ExitNodeID() == want
		},
	}
}

func TestInternalAndExternalInterfaces(t *testing.T) {
	type interfacePrefix struct {
		i   netmon.Interface
		pfx netip.Prefix
	}

	masked := func(ips ...interfacePrefix) (pfxs []netip.Prefix) {
		for _, ip := range ips {
			pfxs = append(pfxs, ip.pfx.Masked())
		}
		return pfxs
	}
	iList := func(ips ...interfacePrefix) (il netmon.InterfaceList) {
		for _, ip := range ips {
			il = append(il, ip.i)
		}
		return il
	}
	newInterface := func(name, pfx string, wsl2, loopback bool) interfacePrefix {
		ippfx := netip.MustParsePrefix(pfx)
		ip := netmon.Interface{
			Interface: &net.Interface{},
			AltAddrs: []net.Addr{
				netipx.PrefixIPNet(ippfx),
			},
		}
		if loopback {
			ip.Flags = net.FlagLoopback
		}
		if wsl2 {
			ip.HardwareAddr = []byte{0x00, 0x15, 0x5d, 0x00, 0x00, 0x00}
		}
		return interfacePrefix{i: ip, pfx: ippfx}
	}
	var (
		en0      = newInterface("en0", "10.20.2.5/16", false, false)
		en1      = newInterface("en1", "192.168.1.237/24", false, false)
		wsl      = newInterface("wsl", "192.168.5.34/24", true, false)
		loopback = newInterface("lo0", "127.0.0.1/8", false, true)
	)

	tests := []struct {
		name    string
		goos    string
		il      netmon.InterfaceList
		wantInt []netip.Prefix
		wantExt []netip.Prefix
	}{
		{
			name: "single-interface",
			goos: "linux",
			il: iList(
				en0,
				loopback,
			),
			wantInt: masked(loopback),
			wantExt: masked(en0),
		},
		{
			name: "multiple-interfaces",
			goos: "linux",
			il: iList(
				en0,
				en1,
				wsl,
				loopback,
			),
			wantInt: masked(loopback),
			wantExt: masked(en0, en1, wsl),
		},
		{
			name: "wsl2",
			goos: "windows",
			il: iList(
				en0,
				en1,
				wsl,
				loopback,
			),
			wantInt: masked(loopback, wsl),
			wantExt: masked(en0, en1),
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			gotInt, gotExt, err := internalAndExternalInterfacesFrom(tc.il, tc.goos)
			if err != nil {
				t.Fatal(err)
			}
			if !reflect.DeepEqual(gotInt, tc.wantInt) {
				t.Errorf("unexpected internal prefixes\ngot %v\nwant %v", gotInt, tc.wantInt)
			}
			if !reflect.DeepEqual(gotExt, tc.wantExt) {
				t.Errorf("unexpected external prefixes\ngot %v\nwant %v", gotExt, tc.wantExt)
			}
		})
	}
}

func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {
	tests := []struct {
		name   string
		peers  []*tailcfg.Node
		filter []filter.Match
		want   bool
	}{
		{
			name: "empty",
			want: false,
		},
		{
			name: "no-unsigned",
			peers: []*tailcfg.Node{
				{ID: 1},
			},
			want: false,
		},
		{
			name: "unsigned-good",
			peers: []*tailcfg.Node{
				{ID: 1, UnsignedPeerAPIOnly: true},
			},
			want: false,
		},
		{
			name: "unsigned-bad",
			peers: []*tailcfg.Node{
				{
					ID:                  1,
					UnsignedPeerAPIOnly: true,
					AllowedIPs: []netip.Prefix{
						netip.MustParsePrefix("100.64.0.0/32"),
					},
				},
			},
			filter: []filter.Match{
				{
					Srcs: []netip.Prefix{netip.MustParsePrefix("100.64.0.0/32")},
					Dsts: []filter.NetPortRange{
						{
							Net: netip.MustParsePrefix("100.99.0.0/32"),
						},
					},
				},
			},
			want: true,
		},
		{
			name: "unsigned-bad-src-is-superset",
			peers: []*tailcfg.Node{
				{
					ID:                  1,
					UnsignedPeerAPIOnly: true,
					AllowedIPs: []netip.Prefix{
						netip.MustParsePrefix("100.64.0.0/32"),
					},
				},
			},
			filter: []filter.Match{
				{
					Srcs: []netip.Prefix{netip.MustParsePrefix("100.64.0.0/24")},
					Dsts: []filter.NetPortRange{
						{
							Net: netip.MustParsePrefix("100.99.0.0/32"),
						},
					},
				},
			},
			want: true,
		},
		{
			name: "unsigned-okay-because-no-dsts",
			peers: []*tailcfg.Node{
				{
					ID:                  1,
					UnsignedPeerAPIOnly: true,
					AllowedIPs: []netip.Prefix{
						netip.MustParsePrefix("100.64.0.0/32"),
					},
				},
			},
			filter: []filter.Match{
				{
					Srcs: []netip.Prefix{netip.MustParsePrefix("100.64.0.0/32")},
					Caps: []filter.CapMatch{
						{
							Dst: netip.MustParsePrefix("100.99.0.0/32"),
							Cap: "foo",
						},
					},
				},
			},
			want: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := packetFilterPermitsUnlockedNodes(peersMap(nodeViews(tt.peers)), tt.filter); got != tt.want {
				t.Errorf("got %v, want %v", got, tt.want)
			}
		})
	}
}

func TestStatusPeerCapabilities(t *testing.T) {
	tests := []struct {
		name                     string
		peers                    []tailcfg.NodeView
		expectedPeerCapabilities map[tailcfg.StableNodeID][]tailcfg.NodeCapability
		expectedPeerCapMap       map[tailcfg.StableNodeID]tailcfg.NodeCapMap
	}{
		{
			name: "peers-with-capabilities",
			peers: []tailcfg.NodeView{
				(&tailcfg.Node{
					ID:              1,
					StableID:        "foo",
					Key:             makeNodeKeyFromID(1),
					IsWireGuardOnly: true,
					Hostinfo:        (&tailcfg.Hostinfo{}).View(),
					Capabilities:    []tailcfg.NodeCapability{tailcfg.CapabilitySSH},
					CapMap: (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
						tailcfg.CapabilitySSH: nil,
					}),
				}).View(),
				(&tailcfg.Node{
					ID:           2,
					StableID:     "bar",
					Key:          makeNodeKeyFromID(2),
					Hostinfo:     (&tailcfg.Hostinfo{}).View(),
					Capabilities: []tailcfg.NodeCapability{tailcfg.CapabilityAdmin},
					CapMap: (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
						tailcfg.CapabilityAdmin: {`{"test": "true}`},
					}),
				}).View(),
				(&tailcfg.Node{
					ID:           3,
					StableID:     "baz",
					Key:          makeNodeKeyFromID(3),
					Hostinfo:     (&tailcfg.Hostinfo{}).View(),
					Capabilities: []tailcfg.NodeCapability{tailcfg.CapabilityOwner},
					CapMap: (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
						tailcfg.CapabilityOwner: nil,
					}),
				}).View(),
			},
			expectedPeerCapabilities: map[tailcfg.StableNodeID][]tailcfg.NodeCapability{
				tailcfg.StableNodeID("foo"): {tailcfg.CapabilitySSH},
				tailcfg.StableNodeID("bar"): {tailcfg.CapabilityAdmin},
				tailcfg.StableNodeID("baz"): {tailcfg.CapabilityOwner},
			},
			expectedPeerCapMap: map[tailcfg.StableNodeID]tailcfg.NodeCapMap{
				tailcfg.StableNodeID("foo"): (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
					tailcfg.CapabilitySSH: nil,
				}),
				tailcfg.StableNodeID("bar"): (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
					tailcfg.CapabilityAdmin: {`{"test": "true}`},
				}),
				tailcfg.StableNodeID("baz"): (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
					tailcfg.CapabilityOwner: nil,
				}),
			},
		},
		{
			name: "peers-without-capabilities",
			peers: []tailcfg.NodeView{
				(&tailcfg.Node{
					ID:              1,
					StableID:        "foo",
					Key:             makeNodeKeyFromID(1),
					IsWireGuardOnly: true,
					Hostinfo:        (&tailcfg.Hostinfo{}).View(),
				}).View(),
				(&tailcfg.Node{
					ID:       2,
					StableID: "bar",
					Key:      makeNodeKeyFromID(2),
					Hostinfo: (&tailcfg.Hostinfo{}).View(),
				}).View(),
			},
		},
	}
	b := newTestLocalBackend(t)

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			b.setNetMapLocked(&netmap.NetworkMap{
				SelfNode: (&tailcfg.Node{
					MachineAuthorized: true,
					Addresses:         ipps("100.101.101.101"),
				}).View(),
				Peers: tt.peers,
			})
			got := b.Status()
			for _, peer := range got.Peer {
				if !reflect.DeepEqual(peer.Capabilities, tt.expectedPeerCapabilities[peer.ID]) {
					t.Errorf("peer capabilities: expected %v got %v", tt.expectedPeerCapabilities, peer.Capabilities)
				}
				if !reflect.DeepEqual(peer.CapMap, tt.expectedPeerCapMap[peer.ID]) {
					t.Errorf("peer capmap: expected %v got %v", tt.expectedPeerCapMap, peer.CapMap)
				}
			}
		})
	}
}

// legacyBackend was the interface between Tailscale frontends
// (e.g. cmd/tailscale, iOS/MacOS/Windows GUIs) and the tailscale
// backend (e.g. cmd/tailscaled) running on the same machine.
// (It has nothing to do with the interface between the backends
// and the cloud control plane.)
type legacyBackend interface {
	// SetNotifyCallback sets the callback to be called on updates
	// from the backend to the client.
	SetNotifyCallback(func(ipn.Notify))
	// Start starts or restarts the backend, typically when a
	// frontend client connects.
	Start(ipn.Options) error
}

// Verify that LocalBackend still implements the legacyBackend interface
// for now, at least until the macOS and iOS clients move off of it.
var _ legacyBackend = (*LocalBackend)(nil)

func TestWatchNotificationsCallbacks(t *testing.T) {
	b := new(LocalBackend)
	n := new(ipn.Notify)
	b.WatchNotifications(context.Background(), 0, func() {
		b.mu.Lock()
		defer b.mu.Unlock()

		// Ensure a watcher has been installed.
		if len(b.notifyWatchers) != 1 {
			t.Fatalf("unexpected number of watchers in new LocalBackend, want: 1 got: %v", len(b.notifyWatchers))
		}
		// Send a notification. Range over notifyWatchers to get the channel
		// because WatchNotifications doesn't expose the handle for it.
		for _, sess := range b.notifyWatchers {
			select {
			case sess.ch <- n:
			default:
				t.Fatalf("could not send notification")
			}
		}
	}, func(roNotify *ipn.Notify) bool {
		if roNotify != n {
			t.Fatalf("unexpected notification received. want: %v got: %v", n, roNotify)
		}
		return false
	})

	// Ensure watchers have been cleaned up.
	b.mu.Lock()
	defer b.mu.Unlock()
	if len(b.notifyWatchers) != 0 {
		t.Fatalf("unexpected number of watchers in new LocalBackend, want: 0 got: %v", len(b.notifyWatchers))
	}
}

// tests LocalBackend.updateNetmapDeltaLocked
func TestUpdateNetmapDelta(t *testing.T) {
	b := newTestLocalBackend(t)
	if b.currentNode().UpdateNetmapDelta(nil) {
		t.Errorf("updateNetmapDeltaLocked() = true, want false with nil netmap")
	}

	nm := &netmap.NetworkMap{}
	for i := range 5 {
		id := tailcfg.NodeID(i + 1)
		nm.Peers = append(nm.Peers, (&tailcfg.Node{
			ID:  id,
			Key: makeNodeKeyFromID(id),
		}).View())
	}
	b.currentNode().SetNetMap(nm)

	someTime := time.Unix(123, 0)
	muts, ok := netmap.MutationsFromMapResponse(&tailcfg.MapResponse{
		PeersChangedPatch: []*tailcfg.PeerChange{
			{
				NodeID:     1,
				DERPRegion: 1,
			},
			{
				NodeID: 2,
				Online: ptr.To(true),
			},
			{
				NodeID: 3,
				Online: ptr.To(false),
			},
			{
				NodeID:   4,
				LastSeen: ptr.To(someTime),
			},
		},
	}, someTime)
	if !ok {
		t.Fatal("netmap.MutationsFromMapResponse failed")
	}

	if !b.currentNode().UpdateNetmapDelta(muts) {
		t.Fatalf("updateNetmapDeltaLocked() = false, want true with new netmap")
	}

	wants := []*tailcfg.Node{
		{
			ID:       1,
			Key:      makeNodeKeyFromID(1),
			HomeDERP: 1,
		},
		{
			ID:     2,
			Key:    makeNodeKeyFromID(2),
			Online: ptr.To(true),
		},
		{
			ID:     3,
			Key:    makeNodeKeyFromID(3),
			Online: ptr.To(false),
		},
		{
			ID:       4,
			Key:      makeNodeKeyFromID(4),
			LastSeen: ptr.To(someTime),
		},
	}
	for _, want := range wants {
		gotv, ok := b.currentNode().NodeByID(want.ID)
		if !ok {
			t.Errorf("netmap.Peer %v missing from b.profile.Peers", want.ID)
			continue
		}
		got := gotv.AsStruct()
		if !reflect.DeepEqual(got, want) {
			t.Errorf("netmap.Peer %v wrong.\n got: %v\nwant: %v", want.ID, logger.AsJSON(got), logger.AsJSON(want))
		}
	}
}

// tests WhoIs and indirectly that setNetMapLocked updates b.nodeByAddr correctly.
func TestWhoIs(t *testing.T) {
	b := newTestLocalBackend(t)
	b.setNetMapLocked(&netmap.NetworkMap{
		SelfNode: (&tailcfg.Node{
			ID:        1,
			User:      10,
			Key:       makeNodeKeyFromID(1),
			Addresses: []netip.Prefix{netip.MustParsePrefix("100.101.102.103/32")},
		}).View(),
		Peers: []tailcfg.NodeView{
			(&tailcfg.Node{
				ID:        2,
				User:      20,
				Key:       makeNodeKeyFromID(2),
				Addresses: []netip.Prefix{netip.MustParsePrefix("100.200.200.200/32")},
			}).View(),
		},
		UserProfiles: map[tailcfg.UserID]tailcfg.UserProfileView{
			10: (&tailcfg.UserProfile{
				DisplayName: "Myself",
			}).View(),
			20: (&tailcfg.UserProfile{
				DisplayName: "Peer",
			}).View(),
		},
	})
	tests := []struct {
		q        string
		want     tailcfg.NodeID // 0 means want ok=false
		wantName string
	}{
		{"100.101.102.103:0", 1, "Myself"},
		{"100.101.102.103:123", 1, "Myself"},
		{"100.200.200.200:0", 2, "Peer"},
		{"100.200.200.200:123", 2, "Peer"},
		{"100.4.0.4:404", 0, ""},
	}
	for _, tt := range tests {
		t.Run(tt.q, func(t *testing.T) {
			nv, up, ok := b.WhoIs("", netip.MustParseAddrPort(tt.q))
			var got tailcfg.NodeID
			if ok {
				got = nv.ID()
			}
			if got != tt.want {
				t.Errorf("got nodeID %v; want %v", got, tt.want)
			}
			if up.DisplayName != tt.wantName {
				t.Errorf("got name %q; want %q", up.DisplayName, tt.wantName)
			}
		})
	}
}

func TestWireguardExitNodeDNSResolvers(t *testing.T) {
	type tc struct {
		name          string
		id            tailcfg.StableNodeID
		peers         []*tailcfg.Node
		wantOK        bool
		wantResolvers []*dnstype.Resolver
	}

	tests := []tc{
		{
			name:          "no peers",
			id:            "1",
			wantOK:        false,
			wantResolvers: nil,
		},
		{
			name: "non wireguard peer",
			id:   "1",
			peers: []*tailcfg.Node{
				{
					ID:                   1,
					StableID:             "1",
					IsWireGuardOnly:      false,
					ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
				},
			},
			wantOK:        false,
			wantResolvers: nil,
		},
		{
			name: "no matching IDs",
			id:   "2",
			peers: []*tailcfg.Node{
				{
					ID:                   1,
					StableID:             "1",
					IsWireGuardOnly:      true,
					ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
				},
			},
			wantOK:        false,
			wantResolvers: nil,
		},
		{
			name: "wireguard peer",
			id:   "1",
			peers: []*tailcfg.Node{
				{
					ID:                   1,
					StableID:             "1",
					IsWireGuardOnly:      true,
					ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
				},
			},
			wantOK:        true,
			wantResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
		},
	}

	for _, tc := range tests {
		peers := peersMap(nodeViews(tc.peers))
		nm := &netmap.NetworkMap{}
		gotResolvers, gotOK := wireguardExitNodeDNSResolvers(nm, peers, tc.id)

		if gotOK != tc.wantOK || !resolversEqual(t, gotResolvers, tc.wantResolvers) {
			t.Errorf("case: %s: got %v, %v, want %v, %v", tc.name, gotOK, gotResolvers, tc.wantOK, tc.wantResolvers)
		}
	}
}

func TestDNSConfigForNetmapForExitNodeConfigs(t *testing.T) {
	type tc struct {
		name                 string
		exitNode             tailcfg.StableNodeID
		peers                []tailcfg.NodeView
		dnsConfig            *tailcfg.DNSConfig
		wantDefaultResolvers []*dnstype.Resolver
		wantRoutes           map[dnsname.FQDN][]*dnstype.Resolver
	}

	defaultResolvers := []*dnstype.Resolver{{Addr: "default.example.com"}}
	wgResolvers := []*dnstype.Resolver{{Addr: "wg.example.com"}}
	peers := []tailcfg.NodeView{
		(&tailcfg.Node{
			ID:                   1,
			StableID:             "wg",
			IsWireGuardOnly:      true,
			ExitNodeDNSResolvers: wgResolvers,
			Hostinfo:             (&tailcfg.Hostinfo{}).View(),
		}).View(),
		// regular tailscale exit node with DNS capabilities
		(&tailcfg.Node{
			Cap:      26,
			ID:       2,
			StableID: "ts",
			Hostinfo: (&tailcfg.Hostinfo{}).View(),
		}).View(),
	}
	exitDOH := peerAPIBase(&netmap.NetworkMap{Peers: peers}, peers[0]) + "/dns-query"
	routes := map[dnsname.FQDN][]*dnstype.Resolver{
		"route.example.com.": {{Addr: "route.example.com"}},
	}
	stringifyRoutes := func(routes map[dnsname.FQDN][]*dnstype.Resolver) map[string][]*dnstype.Resolver {
		if routes == nil {
			return nil
		}
		m := make(map[string][]*dnstype.Resolver)
		for k, v := range routes {
			m[string(k)] = v
		}
		return m
	}

	tests := []tc{
		{
			name:                 "noExit/noRoutes/noResolver",
			exitNode:             "",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{},
			wantDefaultResolvers: nil,
			wantRoutes:           nil,
		},
		{
			name:                 "tsExit/noRoutes/noResolver",
			exitNode:             "ts",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{},
			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
			wantRoutes:           nil,
		},
		{
			name:                 "tsExit/noRoutes/defaultResolver",
			exitNode:             "ts",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{Resolvers: defaultResolvers},
			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
			wantRoutes:           nil,
		},

		// The following two cases may need to be revisited. For a shared-in
		// exit node split-DNS may effectively break, furthermore in the future
		// if different nodes observe different DNS configurations, even a
		// tailnet local exit node may present a different DNS configuration,
		// which may not meet expectations in some use cases.
		// In the case where a default resolver is set, the default resolver
		// should also perhaps take precedence also.
		{
			name:                 "tsExit/routes/noResolver",
			exitNode:             "ts",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
			wantRoutes:           nil,
		},
		{
			name:                 "tsExit/routes/defaultResolver",
			exitNode:             "ts",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
			wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
			wantRoutes:           nil,
		},

		// WireGuard exit nodes with DNS capabilities provide a "fallback" type
		// behavior, they have a lower precedence than a default resolver, but
		// otherwise allow split-DNS to operate as normal, and are used when
		// there is no default resolver.
		{
			name:                 "wgExit/noRoutes/noResolver",
			exitNode:             "wg",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{},
			wantDefaultResolvers: wgResolvers,
			wantRoutes:           nil,
		},
		{
			name:                 "wgExit/noRoutes/defaultResolver",
			exitNode:             "wg",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{Resolvers: defaultResolvers},
			wantDefaultResolvers: defaultResolvers,
			wantRoutes:           nil,
		},
		{
			name:                 "wgExit/routes/defaultResolver",
			exitNode:             "wg",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
			wantDefaultResolvers: defaultResolvers,
			wantRoutes:           routes,
		},
		{
			name:                 "wgExit/routes/noResolver",
			exitNode:             "wg",
			peers:                peers,
			dnsConfig:            &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
			wantDefaultResolvers: wgResolvers,
			wantRoutes:           routes,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			nm := &netmap.NetworkMap{
				Peers: tc.peers,
				DNS:   *tc.dnsConfig,
			}

			prefs := &ipn.Prefs{ExitNodeID: tc.exitNode, CorpDNS: true}
			got := dnsConfigForNetmap(nm, peersMap(tc.peers), prefs.View(), false, t.Logf, "")
			if !resolversEqual(t, got.DefaultResolvers, tc.wantDefaultResolvers) {
				t.Errorf("DefaultResolvers: got %#v, want %#v", got.DefaultResolvers, tc.wantDefaultResolvers)
			}
			if !routesEqual(t, got.Routes, tc.wantRoutes) {
				t.Errorf("Routes: got %#v, want %#v", got.Routes, tc.wantRoutes)
			}
		})
	}
}

func TestOfferingAppConnector(t *testing.T) {
	for _, shouldStore := range []bool{false, true} {
		b := newTestBackend(t)
		if b.OfferingAppConnector() {
			t.Fatal("unexpected offering app connector")
		}
		if shouldStore {
			b.appConnector = appc.NewAppConnector(t.Logf, nil, &appc.RouteInfo{}, fakeStoreRoutes)
		} else {
			b.appConnector = appc.NewAppConnector(t.Logf, nil, nil, nil)
		}
		if !b.OfferingAppConnector() {
			t.Fatal("unexpected not offering app connector")
		}
	}
}

func TestRouteAdvertiser(t *testing.T) {
	b := newTestBackend(t)
	testPrefix := netip.MustParsePrefix("192.0.0.8/32")

	ra := appc.RouteAdvertiser(b)
	must.Do(ra.AdvertiseRoute(testPrefix))

	routes := b.Prefs().AdvertiseRoutes()
	if routes.Len() != 1 || routes.At(0) != testPrefix {
		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
	}

	must.Do(ra.UnadvertiseRoute(testPrefix))

	routes = b.Prefs().AdvertiseRoutes()
	if routes.Len() != 0 {
		t.Fatalf("got routes %v, want none", routes)
	}
}

func TestRouterAdvertiserIgnoresContainedRoutes(t *testing.T) {
	b := newTestBackend(t)
	testPrefix := netip.MustParsePrefix("192.0.0.0/24")
	ra := appc.RouteAdvertiser(b)
	must.Do(ra.AdvertiseRoute(testPrefix))

	routes := b.Prefs().AdvertiseRoutes()
	if routes.Len() != 1 || routes.At(0) != testPrefix {
		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
	}

	must.Do(ra.AdvertiseRoute(netip.MustParsePrefix("192.0.0.8/32")))

	// the above /32 is not added as it is contained within the /24
	routes = b.Prefs().AdvertiseRoutes()
	if routes.Len() != 1 || routes.At(0) != testPrefix {
		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
	}
}

func TestObserveDNSResponse(t *testing.T) {
	for _, shouldStore := range []bool{false, true} {
		b := newTestBackend(t)

		// ensure no error when no app connector is configured
		if err := b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
			t.Errorf("ObserveDNSResponse: %v", err)
		}

		rc := &appctest.RouteCollector{}
		if shouldStore {
			b.appConnector = appc.NewAppConnector(t.Logf, rc, &appc.RouteInfo{}, fakeStoreRoutes)
		} else {
			b.appConnector = appc.NewAppConnector(t.Logf, rc, nil, nil)
		}
		b.appConnector.UpdateDomains([]string{"example.com"})
		b.appConnector.Wait(context.Background())

		if err := b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
			t.Errorf("ObserveDNSResponse: %v", err)
		}
		b.appConnector.Wait(context.Background())
		wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
		if !slices.Equal(rc.Routes(), wantRoutes) {
			t.Fatalf("got routes %v, want %v", rc.Routes(), wantRoutes)
		}
	}
}

func TestCoveredRouteRangeNoDefault(t *testing.T) {
	tests := []struct {
		existingRoute netip.Prefix
		newRoute      netip.Prefix
		want          bool
	}{
		{
			existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
			newRoute:      netip.MustParsePrefix("192.0.0.1/32"),
			want:          true,
		},
		{
			existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
			newRoute:      netip.MustParsePrefix("192.0.0.2/32"),
			want:          false,
		},
		{
			existingRoute: netip.MustParsePrefix("192.0.0.0/24"),
			newRoute:      netip.MustParsePrefix("192.0.0.1/32"),
			want:          true,
		},
		{
			existingRoute: netip.MustParsePrefix("192.0.0.0/16"),
			newRoute:      netip.MustParsePrefix("192.0.0.0/24"),
			want:          true,
		},
		{
			existingRoute: netip.MustParsePrefix("0.0.0.0/0"),
			newRoute:      netip.MustParsePrefix("192.0.0.0/24"),
			want:          false,
		},
		{
			existingRoute: netip.MustParsePrefix("::/0"),
			newRoute:      netip.MustParsePrefix("2001:db8::/32"),
			want:          false,
		},
	}

	for _, tt := range tests {
		got := coveredRouteRangeNoDefault([]netip.Prefix{tt.existingRoute}, tt.newRoute)
		if got != tt.want {
			t.Errorf("coveredRouteRange(%v, %v) = %v, want %v", tt.existingRoute, tt.newRoute, got, tt.want)
		}
	}
}

func TestReconfigureAppConnector(t *testing.T) {
	b := newTestBackend(t)
	b.reconfigAppConnectorLocked(b.NetMap(), b.pm.prefs)
	if b.appConnector != nil {
		t.Fatal("unexpected app connector")
	}

	b.EditPrefs(&ipn.MaskedPrefs{
		Prefs: ipn.Prefs{
			AppConnector: ipn.AppConnectorPrefs{
				Advertise: true,
			},
		},
		AppConnectorSet: true,
	})
	b.reconfigAppConnectorLocked(b.NetMap(), b.pm.prefs)
	if b.appConnector == nil {
		t.Fatal("expected app connector")
	}

	appCfg := `{
		"name": "example",
		"domains": ["example.com"],
		"connectors": ["tag:example"]
	}`

	nm := &netmap.NetworkMap{
		SelfNode: (&tailcfg.Node{
			Name: "example.ts.net",
			Tags: []string{"tag:example"},
			CapMap: (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
				"tailscale.com/app-connectors": {tailcfg.RawMessage(appCfg)},
			}),
		}).View(),
	}

	b.currentNode().SetNetMap(nm)

	b.reconfigAppConnectorLocked(b.NetMap(), b.pm.prefs)
	b.appConnector.Wait(context.Background())

	want := []string{"example.com"}
	if !slices.Equal(b.appConnector.Domains().AsSlice(), want) {
		t.Fatalf("got domains %v, want %v", b.appConnector.Domains(), want)
	}
	if v, _ := b.hostinfo.AppConnector.Get(); !v {
		t.Fatalf("expected app connector service")
	}

	// disable the connector in order to assert that the service is removed
	b.EditPrefs(&ipn.MaskedPrefs{
		Prefs: ipn.Prefs{
			AppConnector: ipn.AppConnectorPrefs{
				Advertise: false,
			},
		},
		AppConnectorSet: true,
	})
	b.reconfigAppConnectorLocked(b.NetMap(), b.pm.prefs)
	if b.appConnector != nil {
		t.Fatal("expected no app connector")
	}
	if v, _ := b.hostinfo.AppConnector.Get(); v {
		t.Fatalf("expected no app connector service")
	}
}

func TestBackfillAppConnectorRoutes(t *testing.T) {
	// Create backend with an empty app connector.
	b := newTestBackend(t)
	// newTestBackend creates a backend with a non-nil netmap,
	// but this test requires a nil netmap.
	// Otherwise, instead of backfilling, [LocalBackend.reconfigAppConnectorLocked]
	// uses the domains and routes from netmap's [appctype.AppConnectorAttr].
	// Additionally, a non-nil netmap makes reconfigAppConnectorLocked
	// asynchronous, resulting in a flaky test.
	// Therefore, we set the netmap to nil to simulate a fresh backend start
	// or a profile switch where the netmap is not yet available.
	b.setNetMapLocked(nil)
	if err := b.Start(ipn.Options{}); err != nil {
		t.Fatal(err)
	}
	if _, err := b.EditPrefs(&ipn.MaskedPrefs{
		Prefs: ipn.Prefs{
			AppConnector: ipn.AppConnectorPrefs{Advertise: true},
		},
		AppConnectorSet: true,
	}); err != nil {
		t.Fatal(err)
	}
	b.reconfigAppConnectorLocked(b.NetMap(), b.pm.prefs)

	// Smoke check that AdvertiseRoutes doesn't have the test IP.
	ip := netip.MustParseAddr("1.2.3.4")
	routes := b.Prefs().AdvertiseRoutes().AsSlice()
	if slices.Contains(routes, netip.PrefixFrom(ip, ip.BitLen())) {
		t.Fatalf("AdvertiseRoutes %v on a fresh backend already contains advertised route for %v", routes, ip)
	}

	// Store the test IP in profile data, but not in Prefs.AdvertiseRoutes.
	b.ControlKnobs().AppCStoreRoutes.Store(true)
	if err := b.storeRouteInfo(&appc.RouteInfo{
		Domains: map[string][]netip.Addr{
			"example.com": {ip},
		},
	}); err != nil {
		t.Fatal(err)
	}

	// Mimic b.authReconfigure for the app connector bits.
	b.mu.Lock()
	b.reconfigAppConnectorLocked(b.NetMap(), b.pm.prefs)
	b.mu.Unlock()
	b.readvertiseAppConnectorRoutes()

	// Check that Prefs.AdvertiseRoutes got backfilled with routes stored in
	// profile data.
	routes = b.Prefs().AdvertiseRoutes().AsSlice()
	if !slices.Contains(routes, netip.PrefixFrom(ip, ip.BitLen())) {
		t.Fatalf("AdvertiseRoutes %v was not backfilled from stored app connector routes with %v", routes, ip)
	}
}

func resolversEqual(t *testing.T, a, b []*dnstype.Resolver) bool {
	if a == nil && b == nil {
		return true
	}
	if a == nil || b == nil {
		t.Errorf("resolversEqual: a == nil || b == nil : %#v != %#v", a, b)
		return false
	}
	if len(a) != len(b) {
		t.Errorf("resolversEqual: len(a) != len(b) : %#v != %#v", a, b)
		return false
	}
	for i := range a {
		if !a[i].Equal(b[i]) {
			t.Errorf("resolversEqual: a != b [%d]: %v != %v", i, *a[i], *b[i])
			return false
		}
	}
	return true
}

func routesEqual(t *testing.T, a, b map[dnsname.FQDN][]*dnstype.Resolver) bool {
	if len(a) != len(b) {
		t.Logf("routes: len(a) != len(b): %d != %d", len(a), len(b))
		return false
	}
	for name := range a {
		if !resolversEqual(t, a[name], b[name]) {
			t.Logf("routes: a != b [%s]: %v != %v", name, a[name], b[name])
			return false
		}
	}
	return true
}

// dnsResponse is a test helper that creates a DNS response buffer for the given domain and address
func dnsResponse(domain, address string) []byte {
	addr := netip.MustParseAddr(address)
	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
	b.EnableCompression()
	b.StartAnswers()
	switch addr.BitLen() {
	case 32:
		b.AResource(
			dnsmessage.ResourceHeader{
				Name:  dnsmessage.MustNewName(domain),
				Type:  dnsmessage.TypeA,
				Class: dnsmessage.ClassINET,
				TTL:   0,
			},
			dnsmessage.AResource{
				A: addr.As4(),
			},
		)
	case 128:
		b.AAAAResource(
			dnsmessage.ResourceHeader{
				Name:  dnsmessage.MustNewName(domain),
				Type:  dnsmessage.TypeAAAA,
				Class: dnsmessage.ClassINET,
				TTL:   0,
			},
			dnsmessage.AAAAResource{
				AAAA: addr.As16(),
			},
		)
	default:
		panic("invalid address length")
	}
	return must.Get(b.Finish())
}

func TestSetExitNodeIDPolicy(t *testing.T) {
	zeroValHostinfoView := new(tailcfg.Hostinfo).View()
	pfx := netip.MustParsePrefix
	tests := []struct {
		name                  string
		exitNodeIPKey         bool
		exitNodeIDKey         bool
		exitNodeID            string
		exitNodeIP            string
		prefs                 *ipn.Prefs
		exitNodeIPWant        string
		exitNodeIDWant        string
		autoExitNodeWant      ipn.ExitNodeExpression
		prefsChanged          bool
		nm                    *netmap.NetworkMap
		lastSuggestedExitNode tailcfg.StableNodeID
	}{
		{
			name:           "ExitNodeID key is set",
			exitNodeIDKey:  true,
			exitNodeID:     "123",
			exitNodeIDWant: "123",
			prefsChanged:   true,
		},
		{
			name:           "ExitNodeID key not set",
			exitNodeIDKey:  true,
			exitNodeIDWant: "",
			prefsChanged:   false,
		},
		{
			name:           "ExitNodeID key set, ExitNodeIP preference set",
			exitNodeIDKey:  true,
			exitNodeID:     "123",
			prefs:          &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
			exitNodeIDWant: "123",
			prefsChanged:   true,
		},
		{
			name:           "ExitNodeID key not set, ExitNodeIP key set",
			exitNodeIPKey:  true,
			exitNodeIP:     "127.0.0.1",
			prefs:          &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
			exitNodeIPWant: "127.0.0.1",
			prefsChanged:   false,
		},
		{
			name:           "ExitNodeIP key set, existing ExitNodeIP pref",
			exitNodeIPKey:  true,
			exitNodeIP:     "127.0.0.1",
			prefs:          &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
			exitNodeIPWant: "127.0.0.1",
			prefsChanged:   false,
		},
		{
			name:           "existing preferences match policy",
			exitNodeIDKey:  true,
			exitNodeID:     "123",
			prefs:          &ipn.Prefs{ExitNodeID: tailcfg.StableNodeID("123")},
			exitNodeIDWant: "123",
			prefsChanged:   false,
		},
		{
			name:           "ExitNodeIP set if net map does not have corresponding node",
			exitNodeIPKey:  true,
			prefs:          &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
			exitNodeIP:     "127.0.0.1",
			exitNodeIPWant: "127.0.0.1",
			prefsChanged:   false,
			nm: &netmap.NetworkMap{
				Name: "foo.tailnet",
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						pfx("100.102.103.104/32"),
						pfx("100::123/128"),
					},
				}).View(),
				Peers: []tailcfg.NodeView{
					(&tailcfg.Node{
						ID:   201,
						Name: "a.tailnet",
						Key:  makeNodeKeyFromID(201),
						Addresses: []netip.Prefix{
							pfx("100.0.0.201/32"),
							pfx("100::201/128"),
						},
					}).View(),
					(&tailcfg.Node{
						ID:   202,
						Name: "b.tailnet",
						Key:  makeNodeKeyFromID(202),
						Addresses: []netip.Prefix{
							pfx("100::202/128"),
						},
					}).View(),
				},
			},
		},
		{
			name:           "ExitNodeIP cleared if net map has corresponding node - policy matches prefs",
			prefs:          &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
			exitNodeIPKey:  true,
			exitNodeIP:     "127.0.0.1",
			exitNodeIPWant: "",
			exitNodeIDWant: "123",
			prefsChanged:   true,
			nm: &netmap.NetworkMap{
				Name: "foo.tailnet",
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						pfx("100.102.103.104/32"),
						pfx("100::123/128"),
					},
				}).View(),
				Peers: []tailcfg.NodeView{
					(&tailcfg.Node{
						ID:       123,
						Name:     "a.tailnet",
						StableID: tailcfg.StableNodeID("123"),
						Key:      makeNodeKeyFromID(123),
						Addresses: []netip.Prefix{
							pfx("127.0.0.1/32"),
							pfx("100::201/128"),
						},
						Hostinfo: zeroValHostinfoView,
					}).View(),
					(&tailcfg.Node{
						ID:   202,
						Name: "b.tailnet",
						Key:  makeNodeKeyFromID(202),
						Addresses: []netip.Prefix{
							pfx("100::202/128"),
						},
						Hostinfo: zeroValHostinfoView,
					}).View(),
				},
			},
		},
		{
			name:           "ExitNodeIP cleared if net map has corresponding node - no policy set",
			prefs:          &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
			exitNodeIPWant: "",
			exitNodeIDWant: "123",
			prefsChanged:   true,
			nm: &netmap.NetworkMap{
				Name: "foo.tailnet",
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						pfx("100.102.103.104/32"),
						pfx("100::123/128"),
					},
				}).View(),
				Peers: []tailcfg.NodeView{
					(&tailcfg.Node{
						ID:       123,
						Name:     "a.tailnet",
						StableID: tailcfg.StableNodeID("123"),
						Key:      makeNodeKeyFromID(123),
						Addresses: []netip.Prefix{
							pfx("127.0.0.1/32"),
							pfx("100::201/128"),
						},
						Hostinfo: zeroValHostinfoView,
					}).View(),
					(&tailcfg.Node{
						ID:   202,
						Name: "b.tailnet",
						Key:  makeNodeKeyFromID(202),
						Addresses: []netip.Prefix{
							pfx("100::202/128"),
						},
						Hostinfo: zeroValHostinfoView,
					}).View(),
				},
			},
		},
		{
			name:           "ExitNodeIP cleared if net map has corresponding node - different exit node IP in policy",
			exitNodeIPKey:  true,
			prefs:          &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
			exitNodeIP:     "100.64.5.6",
			exitNodeIPWant: "",
			exitNodeIDWant: "123",
			prefsChanged:   true,
			nm: &netmap.NetworkMap{
				Name: "foo.tailnet",
				SelfNode: (&tailcfg.Node{
					Addresses: []netip.Prefix{
						pfx("100.102.103.104/32"),
						pfx("100::123/128"),
					},
				}).View(),
				Peers: []tailcfg.NodeView{
					(&tailcfg.Node{
						ID:       123,
						Name:     "a.tailnet",
						StableID: tailcfg.StableNodeID("123"),
						Key:      makeNodeKeyFromID(123),
						Addresses: []netip.Prefix{
							pfx("100.64.5.6/32"),
							pfx("100::201/128"),
						},
						Hostinfo: zeroValHostinfoView,
					}).View(),
					(&tailcfg.Node{
						ID:   202,
						Name: "b.tailnet",
						Key:  makeNodeKeyFromID(202),
						Addresses: []netip.Prefix{
							pfx("100::202/128"),
						},
						Hostinfo: zeroValHostinfoView,
					}).View(),
				},
			},
		},
		{
			name:                  "ExitNodeID key is set to auto:any and last suggested exit node is populated",
			exitNodeIDKey:         true,
			exitNodeID:            "auto:any",
			lastSuggestedExitNode: "123",
			exitNodeIDWant:        "123",
			autoExitNodeWant:      "any",
			prefsChanged:          true,
		},
		{
			name:             "ExitNodeID key is set to auto:any and last suggested exit node is not populated",
			exitNodeIDKey:    true,
			exitNodeID:       "auto:any",
			exitNodeIDWant:   "auto:any",
			autoExitNodeWant: "any",
			prefsChanged:     true,
		},
		{
			name:                  "ExitNodeID key is set to auto:foo and last suggested exit node is populated",
			exitNodeIDKey:         true,
			exitNodeID:            "auto:foo",
			lastSuggestedExitNode: "123",
			exitNodeIDWant:        "123",
			autoExitNodeWant:      "foo",
			prefsChanged:          true,
		},
		{
			name:             "ExitNodeID key is set to auto:foo and last suggested exit node is not populated",
			exitNodeIDKey:    true,
			exitNodeID:       "auto:foo",
			exitNodeIDWant:   "auto:any", // should be "auto:any" for compatibility with existing clients
			autoExitNodeWant: "foo",
			prefsChanged:     true,
		},
	}

	syspolicy.RegisterWellKnownSettingsForTest(t)

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			b := newTestBackend(t)

			policyStore := source.NewTestStore(t)
			if test.exitNodeIDKey {
				policyStore.SetStrings(source.TestSettingOf(syspolicy.ExitNodeID, test.exitNodeID))
			}
			if test.exitNodeIPKey {
				policyStore.SetStrings(source.TestSettingOf(syspolicy.ExitNodeIP, test.exitNodeIP))
			}
			syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, policyStore)

			if test.nm == nil {
				test.nm = new(netmap.NetworkMap)
			}
			if test.prefs == nil {
				test.prefs = ipn.NewPrefs()
			}
			pm := must.Get(newProfileManager(new(mem.Store), t.Logf, new(health.Tracker)))
			pm.prefs = test.prefs.View()
			b.currentNode().SetNetMap(test.nm)
			b.pm = pm
			b.lastSuggestedExitNode = test.lastSuggestedExitNode
			prefs := b.pm.prefs.AsStruct()
			if changed := b.reconcilePrefsLocked(prefs); changed != test.prefsChanged {
				t.Errorf("wanted prefs changed %v, got prefs changed %v", test.prefsChanged, changed)
			}

			// Both [LocalBackend.SetPrefsForTest] and [LocalBackend.EditPrefs]
			// apply syspolicy settings to the current profile's preferences. Therefore,
			// we pass the current, unmodified preferences and expect the effective
			// preferences to change.
			b.SetPrefsForTest(pm.CurrentPrefs().AsStruct())

			if got := b.Prefs().ExitNodeID(); got != tailcfg.StableNodeID(test.exitNodeIDWant) {
				t.Errorf("ExitNodeID: got %q; want %q", got, test.exitNodeIDWant)
			}
			if got := b.Prefs().ExitNodeIP(); test.exitNodeIPWant == "" {
				if got.String() != "invalid IP" {
					t.Errorf("ExitNodeIP: got %v want invalid IP", got)
				}
			} else if got.String() != test.exitNodeIPWant {
				t.Errorf("ExitNodeIP: got %q; want %q", got, test.exitNodeIPWant)
			}
			if got := b.Prefs().AutoExitNode(); got != test.autoExitNodeWant {
				t.Errorf("AutoExitNode: got %q; want %q", got, test.autoExitNodeWant)
			}
		})
	}
}

func TestUpdateNetmapDeltaAutoExitNode(t *testing.T) {
	peer1 := makePeer(1, withCap(26), withSuggest(), withOnline(true), withExitRoutes())
	peer2 := makePeer(2, withCap(26), withSuggest(), withOnline(true), withExitRoutes())
	derpMap := &tailcfg.DERPMap{
		Regions: map[int]*tailcfg.DERPRegion{
			1: {
				Nodes: []*tailcfg.DERPNode{
					{
						Name:     "t1",
						RegionID: 1,
					},
				},
			},
			2: {
				Nodes: []*tailcfg.DERPNode{
					{
						Name:     "t2",
						RegionID: 2,
					},
				},
			},
		},
	}
	report := &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 10 * time.Millisecond,
			2: 5 * time.Millisecond,
			3: 30 * time.Millisecond,
		},
		PreferredDERP: 2,
	}
	tests := []struct {
		name                  string
		lastSuggestedExitNode tailcfg.StableNodeID
		netmap                *netmap.NetworkMap
		muts                  []*tailcfg.PeerChange
		exitNodeIDWant        tailcfg.StableNodeID
		report                *netcheck.Report
	}{
		{
			// selected auto exit node goes offline
			name: "exit-node-goes-offline",
			// PreferredDERP is 2, and it's also the region with the lowest latency.
			// So, peer2 should be selected as the exit node.
			lastSuggestedExitNode: peer2.StableID(),
			netmap: &netmap.NetworkMap{
				Peers: []tailcfg.NodeView{
					peer1,
					peer2,
				},
				DERPMap: derpMap,
			},
			muts: []*tailcfg.PeerChange{
				{
					NodeID: 1,
					Online: ptr.To(true),
				},
				{
					NodeID: 2,
					Online: ptr.To(false), // the selected exit node goes offline
				},
			},
			exitNodeIDWant: peer1.StableID(),
			report:         report,
		},
		{
			// other exit node goes offline doesn't change selected auto exit node that's still online
			name:                  "other-node-goes-offline",
			lastSuggestedExitNode: peer2.StableID(),
			netmap: &netmap.NetworkMap{
				Peers: []tailcfg.NodeView{
					peer1,
					peer2,
				},
				DERPMap: derpMap,
			},
			muts: []*tailcfg.PeerChange{
				{
					NodeID: 1,
					Online: ptr.To(false), // a different exit node goes offline
				},
				{
					NodeID: 2,
					Online: ptr.To(true),
				},
			},
			exitNodeIDWant: peer2.StableID(),
			report:         report,
		},
	}

	syspolicy.RegisterWellKnownSettingsForTest(t)
	policyStore := source.NewTestStoreOf(t, source.TestSettingOf(
		syspolicy.ExitNodeID, "auto:any",
	))
	syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, policyStore)

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			b := newTestLocalBackend(t)
			b.currentNode().SetNetMap(tt.netmap)
			b.lastSuggestedExitNode = tt.lastSuggestedExitNode
			b.sys.MagicSock.Get().SetLastNetcheckReportForTest(b.ctx, tt.report)
			b.SetPrefsForTest(b.pm.CurrentPrefs().AsStruct())

			allDone := make(chan bool, 1)
			defer b.goTracker.AddDoneCallback(func() {
				b.mu.Lock()
				defer b.mu.Unlock()
				if b.goTracker.RunningGoroutines() > 0 {
					return
				}
				select {
				case allDone <- true:
				default:
				}
			})()

			someTime := time.Unix(123, 0)
			muts, ok := netmap.MutationsFromMapResponse(&tailcfg.MapResponse{
				PeersChangedPatch: tt.muts,
			}, someTime)
			if !ok {
				t.Fatal("netmap.MutationsFromMapResponse failed")
			}

			if b.pm.prefs.ExitNodeID() != tt.lastSuggestedExitNode {
				t.Fatalf("did not set exit node ID to last suggested exit node despite auto policy")
			}

			was := b.goTracker.StartedGoroutines()
			got := b.UpdateNetmapDelta(muts)
			if !got {
				t.Error("got false from UpdateNetmapDelta")
			}
			startedGoroutine := b.goTracker.StartedGoroutines() != was

			wantChange := tt.exitNodeIDWant != tt.lastSuggestedExitNode
			if startedGoroutine != wantChange {
				t.Errorf("got startedGoroutine %v, want %v", startedGoroutine, wantChange)
			}
			if startedGoroutine {
				select {
				case <-time.After(5 * time.Second):
					t.Fatal("timed out waiting for goroutine to finish")
				case <-allDone:
				}
			}
			b.mu.Lock()
			gotExitNode := b.pm.prefs.ExitNodeID()
			b.mu.Unlock()
			if gotExitNode != tt.exitNodeIDWant {
				t.Fatalf("exit node ID after UpdateNetmapDelta = %v; want %v", gotExitNode, tt.exitNodeIDWant)
			}
		})
	}
}

func TestAutoExitNodeSetNetInfoCallback(t *testing.T) {
	b := newTestLocalBackend(t)
	hi := hostinfo.New()
	ni := tailcfg.NetInfo{LinkType: "wired"}
	hi.NetInfo = &ni
	b.hostinfo = hi
	k := key.NewMachine()
	var cc *mockControl
	opts := controlclient.Options{
		ServerURL: "https://example.com",
		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
			return k, nil
		},
		Dialer: tsdial.NewDialer(netmon.NewStatic()),
		Logf:   b.logf,
	}
	cc = newClient(t, opts)
	b.cc = cc
	syspolicy.RegisterWellKnownSettingsForTest(t)
	policyStore := source.NewTestStoreOf(t, source.TestSettingOf(
		syspolicy.ExitNodeID, "auto:any",
	))
	syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, policyStore)
	peer1 := makePeer(1, withCap(26), withDERP(3), withSuggest(), withExitRoutes())
	peer2 := makePeer(2, withCap(26), withDERP(2), withSuggest(), withExitRoutes())
	selfNode := tailcfg.Node{
		Addresses: []netip.Prefix{
			netip.MustParsePrefix("100.64.1.1/32"),
			netip.MustParsePrefix("fe70::1/128"),
		},
		HomeDERP: 2,
	}
	defaultDERPMap := &tailcfg.DERPMap{
		Regions: map[int]*tailcfg.DERPRegion{
			1: {
				Nodes: []*tailcfg.DERPNode{
					{
						Name:     "t1",
						RegionID: 1,
					},
				},
			},
			2: {
				Nodes: []*tailcfg.DERPNode{
					{
						Name:     "t2",
						RegionID: 2,
					},
				},
			},
			3: {
				Nodes: []*tailcfg.DERPNode{
					{
						Name:     "t3",
						RegionID: 3,
					},
				},
			},
		},
	}
	b.currentNode().SetNetMap(&netmap.NetworkMap{
		SelfNode: selfNode.View(),
		Peers: []tailcfg.NodeView{
			peer1,
			peer2,
		},
		DERPMap: defaultDERPMap,
	})
	b.lastSuggestedExitNode = peer1.StableID()
	b.SetPrefsForTest(b.pm.CurrentPrefs().AsStruct())
	if eid := b.Prefs().ExitNodeID(); eid != peer1.StableID() {
		t.Errorf("got initial exit node %v, want %v", eid, peer1.StableID())
	}
	b.refreshAutoExitNode = true
	b.sys.MagicSock.Get().SetLastNetcheckReportForTest(b.ctx, &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 10 * time.Millisecond,
			2: 5 * time.Millisecond,
			3: 30 * time.Millisecond,
		},
		PreferredDERP: 2,
	})
	b.setNetInfo(&ni)
	if eid := b.Prefs().ExitNodeID(); eid != peer2.StableID() {
		t.Errorf("got final exit node %v, want %v", eid, peer2.StableID())
	}
}

func TestSetControlClientStatusAutoExitNode(t *testing.T) {
	peer1 := makePeer(1, withCap(26), withSuggest(), withExitRoutes(), withOnline(true), withNodeKey())
	peer2 := makePeer(2, withCap(26), withSuggest(), withExitRoutes(), withOnline(true), withNodeKey())
	derpMap := &tailcfg.DERPMap{
		Regions: map[int]*tailcfg.DERPRegion{
			1: {
				Nodes: []*tailcfg.DERPNode{
					{
						Name:     "t1",
						RegionID: 1,
					},
				},
			},
			2: {
				Nodes: []*tailcfg.DERPNode{
					{
						Name:     "t2",
						RegionID: 2,
					},
				},
			},
		},
	}
	report := &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 10 * time.Millisecond,
			2: 5 * time.Millisecond,
			3: 30 * time.Millisecond,
		},
		PreferredDERP: 1,
	}
	nm := &netmap.NetworkMap{
		Peers: []tailcfg.NodeView{
			peer1,
			peer2,
		},
		DERPMap: derpMap,
	}
	b := newTestLocalBackend(t)
	syspolicy.RegisterWellKnownSettingsForTest(t)
	policyStore := source.NewTestStoreOf(t, source.TestSettingOf(
		syspolicy.ExitNodeID, "auto:any",
	))
	syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, policyStore)
	b.currentNode().SetNetMap(nm)
	// Peer 2 should be the initial exit node, as it's better than peer 1
	// in terms of latency and DERP region.
	b.lastSuggestedExitNode = peer2.StableID()
	b.sys.MagicSock.Get().SetLastNetcheckReportForTest(b.ctx, report)
	b.SetPrefsForTest(b.pm.CurrentPrefs().AsStruct())
	offlinePeer2 := makePeer(2, withCap(26), withSuggest(), withExitRoutes(), withOnline(false), withNodeKey())
	updatedNetmap := &netmap.NetworkMap{
		Peers: []tailcfg.NodeView{
			peer1,
			offlinePeer2,
		},
		DERPMap: derpMap,
	}
	b.SetControlClientStatus(b.cc, controlclient.Status{NetMap: updatedNetmap})
	// But now that peer 2 is offline, we should switch to peer 1.
	wantExitNode := peer1.StableID()
	gotExitNode := b.Prefs().ExitNodeID()
	if gotExitNode != wantExitNode {
		t.Errorf("did not switch exit nodes despite auto exit node going offline: got %q; want %q", gotExitNode, wantExitNode)
	}
}

func TestApplySysPolicy(t *testing.T) {
	tests := []struct {
		name           string
		prefs          ipn.Prefs
		wantPrefs      ipn.Prefs
		wantAnyChange  bool
		stringPolicies map[syspolicy.Key]string
	}{
		{
			name: "empty prefs without policies",
		},
		{
			name: "prefs set without policies",
			prefs: ipn.Prefs{
				ControlURL:             "1",
				ShieldsUp:              true,
				ForceDaemon:            true,
				ExitNodeAllowLANAccess: true,
				CorpDNS:                true,
				RouteAll:               true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:             "1",
				ShieldsUp:              true,
				ForceDaemon:            true,
				ExitNodeAllowLANAccess: true,
				CorpDNS:                true,
				RouteAll:               true,
			},
		},
		{
			name: "empty prefs with policies",
			wantPrefs: ipn.Prefs{
				ControlURL:             "1",
				ShieldsUp:              true,
				ForceDaemon:            true,
				ExitNodeAllowLANAccess: true,
				CorpDNS:                true,
				RouteAll:               true,
			},
			wantAnyChange: true,
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.ControlURL:                "1",
				syspolicy.EnableIncomingConnections: "never",
				syspolicy.EnableServerMode:          "always",
				syspolicy.ExitNodeAllowLANAccess:    "always",
				syspolicy.EnableTailscaleDNS:        "always",
				syspolicy.EnableTailscaleSubnets:    "always",
			},
		},
		{
			name: "prefs set with matching policies",
			prefs: ipn.Prefs{
				ControlURL:  "1",
				ShieldsUp:   true,
				ForceDaemon: true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:  "1",
				ShieldsUp:   true,
				ForceDaemon: true,
			},
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.ControlURL:                "1",
				syspolicy.EnableIncomingConnections: "never",
				syspolicy.EnableServerMode:          "always",
				syspolicy.ExitNodeAllowLANAccess:    "never",
				syspolicy.EnableTailscaleDNS:        "never",
				syspolicy.EnableTailscaleSubnets:    "never",
			},
		},
		{
			name: "prefs set with conflicting policies",
			prefs: ipn.Prefs{
				ControlURL:             "1",
				ShieldsUp:              true,
				ForceDaemon:            true,
				ExitNodeAllowLANAccess: false,
				CorpDNS:                true,
				RouteAll:               false,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:             "2",
				ShieldsUp:              false,
				ForceDaemon:            false,
				ExitNodeAllowLANAccess: true,
				CorpDNS:                false,
				RouteAll:               true,
			},
			wantAnyChange: true,
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.ControlURL:                "2",
				syspolicy.EnableIncomingConnections: "always",
				syspolicy.EnableServerMode:          "never",
				syspolicy.ExitNodeAllowLANAccess:    "always",
				syspolicy.EnableTailscaleDNS:        "never",
				syspolicy.EnableTailscaleSubnets:    "always",
			},
		},
		{
			name: "prefs set with neutral policies",
			prefs: ipn.Prefs{
				ControlURL:             "1",
				ShieldsUp:              true,
				ForceDaemon:            true,
				ExitNodeAllowLANAccess: false,
				CorpDNS:                true,
				RouteAll:               true,
			},
			wantPrefs: ipn.Prefs{
				ControlURL:             "1",
				ShieldsUp:              true,
				ForceDaemon:            true,
				ExitNodeAllowLANAccess: false,
				CorpDNS:                true,
				RouteAll:               true,
			},
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.EnableIncomingConnections: "user-decides",
				syspolicy.EnableServerMode:          "user-decides",
				syspolicy.ExitNodeAllowLANAccess:    "user-decides",
				syspolicy.EnableTailscaleDNS:        "user-decides",
				syspolicy.EnableTailscaleSubnets:    "user-decides",
			},
		},
		{
			name: "ControlURL",
			wantPrefs: ipn.Prefs{
				ControlURL: "set",
			},
			wantAnyChange: true,
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.ControlURL: "set",
			},
		},
		{
			name: "enable AutoUpdate apply does not unset check",
			prefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: true,
					Apply: opt.NewBool(false),
				},
			},
			wantPrefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: true,
					Apply: opt.NewBool(true),
				},
			},
			wantAnyChange: true,
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.ApplyUpdates: "always",
			},
		},
		{
			name: "disable AutoUpdate apply does not unset check",
			prefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: true,
					Apply: opt.NewBool(true),
				},
			},
			wantPrefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: true,
					Apply: opt.NewBool(false),
				},
			},
			wantAnyChange: true,
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.ApplyUpdates: "never",
			},
		},
		{
			name: "enable AutoUpdate check does not unset apply",
			prefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: false,
					Apply: opt.NewBool(true),
				},
			},
			wantPrefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: true,
					Apply: opt.NewBool(true),
				},
			},
			wantAnyChange: true,
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.CheckUpdates: "always",
			},
		},
		{
			name: "disable AutoUpdate check does not unset apply",
			prefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: true,
					Apply: opt.NewBool(true),
				},
			},
			wantPrefs: ipn.Prefs{
				AutoUpdate: ipn.AutoUpdatePrefs{
					Check: false,
					Apply: opt.NewBool(true),
				},
			},
			wantAnyChange: true,
			stringPolicies: map[syspolicy.Key]string{
				syspolicy.CheckUpdates: "never",
			},
		},
	}

	syspolicy.RegisterWellKnownSettingsForTest(t)

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			settings := make([]source.TestSetting[string], 0, len(tt.stringPolicies))
			for p, v := range tt.stringPolicies {
				settings = append(settings, source.TestSettingOf(p, v))
			}
			policyStore := source.NewTestStoreOf(t, settings...)
			syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, policyStore)

			t.Run("unit", func(t *testing.T) {
				prefs := tt.prefs.Clone()

				lb := newTestLocalBackend(t)
				gotAnyChange := lb.applySysPolicyLocked(prefs)

				if gotAnyChange && prefs.Equals(&tt.prefs) {
					t.Errorf("anyChange but prefs is unchanged: %v", prefs.Pretty())
				}
				if !gotAnyChange && !prefs.Equals(&tt.prefs) {
					t.Errorf("!anyChange but prefs changed from %v to %v", tt.prefs.Pretty(), prefs.Pretty())
				}
				if gotAnyChange != tt.wantAnyChange {
					t.Errorf("anyChange=%v, want %v", gotAnyChange, tt.wantAnyChange)
				}
				if !prefs.Equals(&tt.wantPrefs) {
					t.Errorf("prefs=%v, want %v", prefs.Pretty(), tt.wantPrefs.Pretty())
				}
			})

			t.Run("status update", func(t *testing.T) {
				// Profile manager fills in blank ControlURL but it's not set
				// in most test cases to avoid cluttering them, so adjust for
				// that.
				usePrefs := tt.prefs.Clone()
				if usePrefs.ControlURL == "" {
					usePrefs.ControlURL = ipn.DefaultControlURL
				}
				wantPrefs := tt.wantPrefs.Clone()
				if wantPrefs.ControlURL == "" {
					wantPrefs.ControlURL = ipn.DefaultControlURL
				}

				pm := must.Get(newProfileManager(new(mem.Store), t.Logf, new(health.Tracker)))
				pm.prefs = usePrefs.View()

				b := newTestBackend(t)
				b.mu.Lock()
				b.pm = pm
				b.mu.Unlock()

				b.SetControlClientStatus(b.cc, controlclient.Status{})
				if !b.Prefs().Equals(wantPrefs.View()) {
					t.Errorf("prefs=%v, want %v", b.Prefs().Pretty(), wantPrefs.Pretty())
				}
			})
		})
	}
}

func TestPreferencePolicyInfo(t *testing.T) {
	tests := []struct {
		name         string
		initialValue bool
		wantValue    bool
		wantChange   bool
		policyValue  string
		policyError  error
	}{
		{
			name:         "force enable modify",
			initialValue: false,
			wantValue:    true,
			wantChange:   true,
			policyValue:  "always",
		},
		{
			name:         "force enable unchanged",
			initialValue: true,
			wantValue:    true,
			policyValue:  "always",
		},
		{
			name:         "force disable modify",
			initialValue: true,
			wantValue:    false,
			wantChange:   true,
			policyValue:  "never",
		},
		{
			name:         "force disable unchanged",
			initialValue: false,
			wantValue:    false,
			policyValue:  "never",
		},
		{
			name:         "unforced enabled",
			initialValue: true,
			wantValue:    true,
			policyValue:  "user-decides",
		},
		{
			name:         "unforced disabled",
			initialValue: false,
			wantValue:    false,
			policyValue:  "user-decides",
		},
		{
			name:         "blank enabled",
			initialValue: true,
			wantValue:    true,
			policyValue:  "",
		},
		{
			name:         "blank disabled",
			initialValue: false,
			wantValue:    false,
			policyValue:  "",
		},
		{
			name:         "unset enabled",
			initialValue: true,
			wantValue:    true,
			policyError:  syspolicy.ErrNoSuchKey,
		},
		{
			name:         "unset disabled",
			initialValue: false,
			wantValue:    false,
			policyError:  syspolicy.ErrNoSuchKey,
		},
		{
			name:         "error enabled",
			initialValue: true,
			wantValue:    true,
			policyError:  errors.New("test error"),
		},
		{
			name:         "error disabled",
			initialValue: false,
			wantValue:    false,
			policyError:  errors.New("test error"),
		},
	}

	syspolicy.RegisterWellKnownSettingsForTest(t)

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			for _, pp := range preferencePolicies {
				t.Run(string(pp.key), func(t *testing.T) {
					s := source.TestSetting[string]{
						Key:   pp.key,
						Error: tt.policyError,
						Value: tt.policyValue,
					}
					policyStore := source.NewTestStoreOf(t, s)
					syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, policyStore)

					prefs := defaultPrefs.AsStruct()
					pp.set(prefs, tt.initialValue)

					lb := newTestLocalBackend(t)
					gotAnyChange := lb.applySysPolicyLocked(prefs)

					if gotAnyChange != tt.wantChange {
						t.Errorf("anyChange=%v, want %v", gotAnyChange, tt.wantChange)
					}
					got := pp.get(prefs.View())
					if got != tt.wantValue {
						t.Errorf("pref=%v, want %v", got, tt.wantValue)
					}
				})
			}
		})
	}
}

func TestOnTailnetDefaultAutoUpdate(t *testing.T) {
	tests := []struct {
		before, after  opt.Bool
		container      opt.Bool
		tailnetDefault bool
	}{
		{
			before:         opt.Bool(""),
			tailnetDefault: true,
			after:          opt.NewBool(true),
		},
		{
			before:         opt.Bool(""),
			tailnetDefault: false,
			after:          opt.NewBool(false),
		},
		{
			before:         opt.Bool("unset"),
			tailnetDefault: true,
			after:          opt.NewBool(true),
		},
		{
			before:         opt.Bool("unset"),
			tailnetDefault: false,
			after:          opt.NewBool(false),
		},
		{
			before:         opt.NewBool(false),
			tailnetDefault: true,
			after:          opt.NewBool(false),
		},
		{
			before:         opt.NewBool(true),
			tailnetDefault: false,
			after:          opt.NewBool(true),
		},
		{
			before:         opt.Bool(""),
			container:      opt.NewBool(true),
			tailnetDefault: true,
			after:          opt.Bool(""),
		},
		{
			before:         opt.NewBool(false),
			container:      opt.NewBool(true),
			tailnetDefault: true,
			after:          opt.NewBool(false),
		},
		{
			before:         opt.NewBool(true),
			container:      opt.NewBool(true),
			tailnetDefault: false,
			after:          opt.NewBool(true),
		},
	}
	for _, tt := range tests {
		t.Run(fmt.Sprintf("before=%s,after=%s", tt.before, tt.after), func(t *testing.T) {
			b := newTestBackend(t)
			b.hostinfo = hostinfo.New()
			b.hostinfo.Container = tt.container
			p := ipn.NewPrefs()
			p.AutoUpdate.Apply = tt.before
			if err := b.pm.setPrefsNoPermCheck(p.View()); err != nil {
				t.Fatal(err)
			}
			b.onTailnetDefaultAutoUpdate(tt.tailnetDefault)
			want := tt.after
			// On platforms that don't support auto-update we can never
			// transition to auto-updates being enabled. The value should
			// remain unchanged after onTailnetDefaultAutoUpdate.
			if !clientupdate.CanAutoUpdate() {
				want = tt.before
			}
			if got := b.pm.CurrentPrefs().AutoUpdate().Apply; got != want {
				t.Errorf("got: %q, want %q", got, want)
			}
		})
	}
}

func TestTCPHandlerForDst(t *testing.T) {
	b := newTestBackend(t)
	tests := []struct {
		desc      string
		dst       string
		intercept bool
	}{
		{
			desc:      "intercept port 80 (Web UI) on quad100 IPv4",
			dst:       "100.100.100.100:80",
			intercept: true,
		},
		{
			desc:      "intercept port 80 (Web UI) on quad100 IPv6",
			dst:       "[fd7a:115c:a1e0::53]:80",
			intercept: true,
		},
		{
			desc:      "don't intercept port 80 on local ip",
			dst:       "100.100.103.100:80",
			intercept: false,
		},
		{
			desc:      "intercept port 8080 (Taildrive) on quad100 IPv4",
			dst:       "[fd7a:115c:a1e0::53]:8080",
			intercept: true,
		},
		{
			desc:      "don't intercept port 8080 on local ip",
			dst:       "100.100.103.100:8080",
			intercept: false,
		},
		{
			desc:      "don't intercept port 9080 on quad100 IPv4",
			dst:       "100.100.100.100:9080",
			intercept: false,
		},
		{
			desc:      "don't intercept port 9080 on quad100 IPv6",
			dst:       "[fd7a:115c:a1e0::53]:9080",
			intercept: false,
		},
		{
			desc:      "don't intercept port 9080 on local ip",
			dst:       "100.100.103.100:9080",
			intercept: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.dst, func(t *testing.T) {
			t.Log(tt.desc)
			src := netip.MustParseAddrPort("100.100.102.100:51234")
			h, _ := b.TCPHandlerForDst(src, netip.MustParseAddrPort(tt.dst))
			if !tt.intercept && h != nil {
				t.Error("intercepted traffic we shouldn't have")
			} else if tt.intercept && h == nil {
				t.Error("failed to intercept traffic we should have")
			}
		})
	}
}

func TestTCPHandlerForDstWithVIPService(t *testing.T) {
	b := newTestBackend(t)
	svcIPMap := tailcfg.ServiceIPMappings{
		"svc:foo": []netip.Addr{
			netip.MustParseAddr("100.101.101.101"),
			netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:6565:6565"),
		},
		"svc:bar": []netip.Addr{
			netip.MustParseAddr("100.99.99.99"),
			netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:626b:628b"),
		},
		"svc:baz": []netip.Addr{
			netip.MustParseAddr("100.133.133.133"),
			netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:cd96:8585:8585"),
		},
	}
	svcIPMapJSON, err := json.Marshal(svcIPMap)
	if err != nil {
		t.Fatal(err)
	}
	b.setNetMapLocked(
		&netmap.NetworkMap{
			SelfNode: (&tailcfg.Node{
				Name: "example.ts.net",
				CapMap: tailcfg.NodeCapMap{
					tailcfg.NodeAttrServiceHost: []tailcfg.RawMessage{tailcfg.RawMessage(svcIPMapJSON)},
				},
			}).View(),
			UserProfiles: map[tailcfg.UserID]tailcfg.UserProfileView{
				tailcfg.UserID(1): (&tailcfg.UserProfile{
					LoginName:     "someone@example.com",
					DisplayName:   "Some One",
					ProfilePicURL: "https://example.com/photo.jpg",
				}).View(),
			},
		},
	)

	err = b.setServeConfigLocked(
		&ipn.ServeConfig{
			Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
				"svc:foo": {
					TCP: map[uint16]*ipn.TCPPortHandler{
						882: {HTTP: true},
						883: {HTTPS: true},
					},
					Web: map[ipn.HostPort]*ipn.WebServerConfig{
						"foo.example.ts.net:882": {
							Handlers: map[string]*ipn.HTTPHandler{
								"/": {Proxy: "http://127.0.0.1:3000"},
							},
						},
						"foo.example.ts.net:883": {
							Handlers: map[string]*ipn.HTTPHandler{
								"/": {Text: "test"},
							},
						},
					},
				},
				"svc:bar": {
					TCP: map[uint16]*ipn.TCPPortHandler{
						990: {TCPForward: "127.0.0.1:8443"},
						991: {TCPForward: "127.0.0.1:5432", TerminateTLS: "bar.test.ts.net"},
					},
				},
				"svc:qux": {
					TCP: map[uint16]*ipn.TCPPortHandler{
						600: {HTTPS: true},
					},
					Web: map[ipn.HostPort]*ipn.WebServerConfig{
						"qux.example.ts.net:600": {
							Handlers: map[string]*ipn.HTTPHandler{
								"/": {Text: "qux"},
							},
						},
					},
				},
			},
		},
		"",
	)
	if err != nil {
		t.Fatal(err)
	}

	tests := []struct {
		desc      string
		dst       string
		intercept bool
	}{
		{
			desc:      "intercept port 80 (Web UI) on quad100 IPv4",
			dst:       "100.100.100.100:80",
			intercept: true,
		},
		{
			desc:      "intercept port 80 (Web UI) on quad100 IPv6",
			dst:       "[fd7a:115c:a1e0::53]:80",
			intercept: true,
		},
		{
			desc:      "don't intercept port 80 on local ip",
			dst:       "100.100.103.100:80",
			intercept: false,
		},
		{
			desc:      "intercept port 8080 (Taildrive) on quad100 IPv4",
			dst:       "100.100.100.100:8080",
			intercept: true,
		},
		{
			desc:      "intercept port 8080 (Taildrive) on quad100 IPv6",
			dst:       "[fd7a:115c:a1e0::53]:8080",
			intercept: true,
		},
		{
			desc:      "don't intercept port 8080 on local ip",
			dst:       "100.100.103.100:8080",
			intercept: false,
		},
		{
			desc:      "don't intercept port 9080 on quad100 IPv4",
			dst:       "100.100.100.100:9080",
			intercept: false,
		},
		{
			desc:      "don't intercept port 9080 on quad100 IPv6",
			dst:       "[fd7a:115c:a1e0::53]:9080",
			intercept: false,
		},
		{
			desc:      "don't intercept port 9080 on local ip",
			dst:       "100.100.103.100:9080",
			intercept: false,
		},
		// VIP service destinations
		{
			desc:      "intercept port 882 (HTTP) on service foo IPv4",
			dst:       "100.101.101.101:882",
			intercept: true,
		},
		{
			desc:      "intercept port 882 (HTTP) on service foo IPv6",
			dst:       "[fd7a:115c:a1e0:ab12:4843:cd96:6565:6565]:882",
			intercept: true,
		},
		{
			desc:      "intercept port 883 (HTTPS) on service foo IPv4",
			dst:       "100.101.101.101:883",
			intercept: true,
		},
		{
			desc:      "intercept port 883 (HTTPS) on service foo IPv6",
			dst:       "[fd7a:115c:a1e0:ab12:4843:cd96:6565:6565]:883",
			intercept: true,
		},
		{
			desc:      "intercept port 990 (TCPForward) on service bar IPv4",
			dst:       "100.99.99.99:990",
			intercept: true,
		},
		{
			desc:      "intercept port 990 (TCPForward) on service bar IPv6",
			dst:       "[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:990",
			intercept: true,
		},
		{
			desc:      "intercept port 991 (TCPForward with TerminateTLS) on service bar IPv4",
			dst:       "100.99.99.99:990",
			intercept: true,
		},
		{
			desc:      "intercept port 991 (TCPForward with TerminateTLS) on service bar IPv6",
			dst:       "[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:990",
			intercept: true,
		},
		{
			desc:      "don't intercept port 4444 on service foo IPv4",
			dst:       "100.101.101.101:4444",
			intercept: false,
		},
		{
			desc:      "don't intercept port 4444 on service foo IPv6",
			dst:       "[fd7a:115c:a1e0:ab12:4843:cd96:6565:6565]:4444",
			intercept: false,
		},
		{
			desc:      "don't intercept port 600 on unknown service IPv4",
			dst:       "100.22.22.22:883",
			intercept: false,
		},
		{
			desc:      "don't intercept port 600 on unknown service IPv6",
			dst:       "[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:883",
			intercept: false,
		},
		{
			desc:      "don't intercept port 600 (HTTPS) on service baz IPv4",
			dst:       "100.133.133.133:600",
			intercept: false,
		},
		{
			desc:      "don't intercept port 600 (HTTPS) on service baz IPv6",
			dst:       "[fd7a:115c:a1e0:ab12:4843:cd96:8585:8585]:600",
			intercept: false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.dst, func(t *testing.T) {
			t.Log(tt.desc)
			src := netip.MustParseAddrPort("100.100.102.100:51234")
			h, _ := b.TCPHandlerForDst(src, netip.MustParseAddrPort(tt.dst))
			if !tt.intercept && h != nil {
				t.Error("intercepted traffic we shouldn't have")
			} else if tt.intercept && h == nil {
				t.Error("failed to intercept traffic we should have")
			}
		})
	}
}

func TestDriveManageShares(t *testing.T) {
	tests := []struct {
		name     string
		disabled bool
		existing []*drive.Share
		add      *drive.Share
		remove   string
		rename   [2]string
		expect   any
	}{
		{
			name: "append",
			existing: []*drive.Share{
				{Name: "b"},
				{Name: "d"},
			},
			add: &drive.Share{Name: "  E  "},
			expect: []*drive.Share{
				{Name: "b"},
				{Name: "d"},
				{Name: "e"},
			},
		},
		{
			name: "prepend",
			existing: []*drive.Share{
				{Name: "b"},
				{Name: "d"},
			},
			add: &drive.Share{Name: "  A  "},
			expect: []*drive.Share{
				{Name: "a"},
				{Name: "b"},
				{Name: "d"},
			},
		},
		{
			name: "insert",
			existing: []*drive.Share{
				{Name: "b"},
				{Name: "d"},
			},
			add: &drive.Share{Name: "  C  "},
			expect: []*drive.Share{
				{Name: "b"},
				{Name: "c"},
				{Name: "d"},
			},
		},
		{
			name: "replace",
			existing: []*drive.Share{
				{Name: "b", Path: "i"},
				{Name: "d"},
			},
			add: &drive.Share{Name: "  B  ", Path: "ii"},
			expect: []*drive.Share{
				{Name: "b", Path: "ii"},
				{Name: "d"},
			},
		},
		{
			name:   "add_bad_name",
			add:    &drive.Share{Name: "$"},
			expect: drive.ErrInvalidShareName,
		},
		{
			name:     "add_disabled",
			disabled: true,
			add:      &drive.Share{Name: "a"},
			expect:   drive.ErrDriveNotEnabled,
		},
		{
			name: "remove",
			existing: []*drive.Share{
				{Name: "a"},
				{Name: "b"},
				{Name: "c"},
			},
			remove: "b",
			expect: []*drive.Share{
				{Name: "a"},
				{Name: "c"},
			},
		},
		{
			name: "remove_non_existing",
			existing: []*drive.Share{
				{Name: "a"},
				{Name: "b"},
				{Name: "c"},
			},
			remove: "D",
			expect: os.ErrNotExist,
		},
		{
			name:     "remove_disabled",
			disabled: true,
			remove:   "b",
			expect:   drive.ErrDriveNotEnabled,
		},
		{
			name: "rename",
			existing: []*drive.Share{
				{Name: "a"},
				{Name: "b"},
			},
			rename: [2]string{"a", "  C  "},
			expect: []*drive.Share{
				{Name: "b"},
				{Name: "c"},
			},
		},
		{
			name: "rename_not_exist",
			existing: []*drive.Share{
				{Name: "a"},
				{Name: "b"},
			},
			rename: [2]string{"d", "c"},
			expect: os.ErrNotExist,
		},
		{
			name: "rename_exists",
			existing: []*drive.Share{
				{Name: "a"},
				{Name: "b"},
			},
			rename: [2]string{"a", "b"},
			expect: os.ErrExist,
		},
		{
			name:   "rename_bad_name",
			rename: [2]string{"a", "$"},
			expect: drive.ErrInvalidShareName,
		},
		{
			name:     "rename_disabled",
			disabled: true,
			rename:   [2]string{"a", "c"},
			expect:   drive.ErrDriveNotEnabled,
		},
	}

	drive.DisallowShareAs = true
	t.Cleanup(func() {
		drive.DisallowShareAs = false
	})

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			b := newTestBackend(t)
			b.mu.Lock()
			if tt.existing != nil {
				b.driveSetSharesLocked(tt.existing)
			}
			if !tt.disabled {
				nm := ptr.To(*b.currentNode().NetMap())
				self := nm.SelfNode.AsStruct()
				self.CapMap = tailcfg.NodeCapMap{tailcfg.NodeAttrsTaildriveShare: nil}
				nm.SelfNode = self.View()
				b.currentNode().SetNetMap(nm)
				b.sys.Set(driveimpl.NewFileSystemForRemote(b.logf))
			}
			b.mu.Unlock()

			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
			t.Cleanup(cancel)

			result := make(chan views.SliceView[*drive.Share, drive.ShareView], 1)

			var wg sync.WaitGroup
			wg.Add(1)
			go b.WatchNotifications(
				ctx,
				0,
				func() { wg.Done() },
				func(n *ipn.Notify) bool {
					select {
					case result <- n.DriveShares:
					default:
						//
					}
					return false
				},
			)
			wg.Wait()

			var err error
			switch {
			case tt.add != nil:
				err = b.DriveSetShare(tt.add)
			case tt.remove != "":
				err = b.DriveRemoveShare(tt.remove)
			default:
				err = b.DriveRenameShare(tt.rename[0], tt.rename[1])
			}

			switch e := tt.expect.(type) {
			case error:
				if !errors.Is(err, e) {
					t.Errorf("expected error, want: %v got: %v", e, err)
				}
			case []*drive.Share:
				if err != nil {
					t.Errorf("unexpected error: %v", err)
				} else {
					r := <-result

					got, err := json.MarshalIndent(r, "", "  ")
					if err != nil {
						t.Fatalf("can't marshal got: %v", err)
					}
					want, err := json.MarshalIndent(e, "", "  ")
					if err != nil {
						t.Fatalf("can't marshal want: %v", err)
					}
					if diff := cmp.Diff(string(got), string(want)); diff != "" {
						t.Errorf("wrong shares; (-got+want):%v", diff)
					}
				}
			}
		})
	}
}

func TestValidPopBrowserURL(t *testing.T) {
	b := newTestBackend(t)
	tests := []struct {
		desc          string
		controlURL    string
		popBrowserURL string
		want          bool
	}{
		{"saas_login", "https://login.tailscale.com", "https://login.tailscale.com/a/foo", true},
		{"saas_controlplane", "https://controlplane.tailscale.com", "https://controlplane.tailscale.com/a/foo", true},
		{"saas_root", "https://login.tailscale.com", "https://tailscale.com/", true},
		{"saas_bad_hostname", "https://login.tailscale.com", "https://example.com/a/foo", false},
		{"localhost", "http://localhost", "http://localhost/a/foo", true},
		{"custom_control_url_https", "https://example.com", "https://example.com/a/foo", true},
		{"custom_control_url_https_diff_domain", "https://example.com", "https://other.com/a/foo", true},
		{"custom_control_url_http", "http://example.com", "http://example.com/a/foo", true},
		{"custom_control_url_http_diff_domain", "http://example.com", "http://other.com/a/foo", true},
		{"bad_scheme", "https://example.com", "http://example.com/a/foo", false},
	}
	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			if _, err := b.EditPrefs(&ipn.MaskedPrefs{
				ControlURLSet: true,
				Prefs: ipn.Prefs{
					ControlURL: tt.controlURL,
				},
			}); err != nil {
				t.Fatal(err)
			}

			got := b.validPopBrowserURL(tt.popBrowserURL)
			if got != tt.want {
				t.Errorf("got %v, want %v", got, tt.want)
			}
		})
	}
}

func TestRoundTraffic(t *testing.T) {
	tests := []struct {
		name  string
		bytes int64
		want  float64
	}{
		{name: "under 5 bytes", bytes: 4, want: 4},
		{name: "under 1000 bytes", bytes: 987, want: 990},
		{name: "under 10_000 bytes", bytes: 8875, want: 8900},
		{name: "under 100_000 bytes", bytes: 77777, want: 78000},
		{name: "under 1_000_000 bytes", bytes: 666523, want: 670000},
		{name: "under 10_000_000 bytes", bytes: 22556677, want: 23000000},
		{name: "under 1_000_000_000 bytes", bytes: 1234234234, want: 1200000000},
		{name: "under 1_000_000_000 bytes", bytes: 123423423499, want: 123400000000},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if result := roundTraffic(tt.bytes); result != tt.want {
				t.Errorf("unexpected rounding got %v want %v", result, tt.want)
			}
		})
	}
}

func (b *LocalBackend) SetPrefsForTest(newp *ipn.Prefs) {
	if newp == nil {
		panic("SetPrefsForTest got nil prefs")
	}
	unlock := b.lockAndGetUnlock()
	defer unlock()
	b.setPrefsLockedOnEntry(newp, unlock)
}

type peerOptFunc func(*tailcfg.Node)

func makePeer(id tailcfg.NodeID, opts ...peerOptFunc) tailcfg.NodeView {
	node := &tailcfg.Node{
		ID:                id,
		Key:               makeNodeKeyFromID(id),
		DiscoKey:          makeDiscoKeyFromID(id),
		StableID:          tailcfg.StableNodeID(fmt.Sprintf("stable%d", id)),
		Name:              fmt.Sprintf("peer%d", id),
		Online:            ptr.To(true),
		MachineAuthorized: true,
		HomeDERP:          int(id),
	}
	for _, opt := range opts {
		opt(node)
	}
	return node.View()
}

func withName(name string) peerOptFunc {
	return func(n *tailcfg.Node) {
		n.Name = name
	}
}

func withDERP(region int) peerOptFunc {
	return func(n *tailcfg.Node) {
		n.HomeDERP = region
	}
}

func withoutDERP() peerOptFunc {
	return func(n *tailcfg.Node) {
		n.HomeDERP = 0
	}
}

func withLocation(loc tailcfg.LocationView) peerOptFunc {
	return func(n *tailcfg.Node) {
		var hi *tailcfg.Hostinfo
		if n.Hostinfo.Valid() {
			hi = n.Hostinfo.AsStruct()
		} else {
			hi = new(tailcfg.Hostinfo)
		}
		hi.Location = loc.AsStruct()

		n.Hostinfo = hi.View()
	}
}

func withLocationPriority(pri int) peerOptFunc {
	return func(n *tailcfg.Node) {
		var hi *tailcfg.Hostinfo
		if n.Hostinfo.Valid() {
			hi = n.Hostinfo.AsStruct()
		} else {
			hi = new(tailcfg.Hostinfo)
		}
		if hi.Location == nil {
			hi.Location = new(tailcfg.Location)
		}
		hi.Location.Priority = pri

		n.Hostinfo = hi.View()
	}
}

func withExitRoutes() peerOptFunc {
	return func(n *tailcfg.Node) {
		n.AllowedIPs = append(n.AllowedIPs, tsaddr.ExitRoutes()...)
	}
}

func withSuggest() peerOptFunc {
	return func(n *tailcfg.Node) {
		mak.Set(&n.CapMap, tailcfg.NodeAttrSuggestExitNode, []tailcfg.RawMessage{})
	}
}

func withCap(version tailcfg.CapabilityVersion) peerOptFunc {
	return func(n *tailcfg.Node) {
		n.Cap = version
	}
}

func withOnline(isOnline bool) peerOptFunc {
	return func(n *tailcfg.Node) {
		n.Online = &isOnline
	}
}

func withNodeKey() peerOptFunc {
	return func(n *tailcfg.Node) {
		n.Key = key.NewNode().Public()
	}
}

func withAddresses(addresses ...netip.Prefix) peerOptFunc {
	return func(n *tailcfg.Node) {
		n.Addresses = append(n.Addresses, addresses...)
	}
}

func deterministicRegionForTest(t testing.TB, want views.Slice[int], use int) selectRegionFunc {
	t.Helper()

	if !views.SliceContains(want, use) {
		t.Errorf("invalid test: use %v is not in want %v", use, want)
	}

	return func(got views.Slice[int]) int {
		if !views.SliceEqualAnyOrder(got, want) {
			t.Errorf("candidate regions = %v, want %v", got, want)
		}
		return use
	}
}

func deterministicNodeForTest(t testing.TB, want views.Slice[tailcfg.StableNodeID], wantLast tailcfg.StableNodeID, use tailcfg.StableNodeID) selectNodeFunc {
	t.Helper()

	if !views.SliceContains(want, use) {
		t.Errorf("invalid test: use %v is not in want %v", use, want)
	}

	return func(got views.Slice[tailcfg.NodeView], last tailcfg.StableNodeID) tailcfg.NodeView {
		var ret tailcfg.NodeView

		gotIDs := make([]tailcfg.StableNodeID, got.Len())
		for i, nv := range got.All() {
			if !nv.Valid() {
				t.Fatalf("invalid node at index %v", i)
			}
			gotIDs[i] = nv.StableID()
			if nv.StableID() == use {
				ret = nv
			}
		}
		if !views.SliceEqualAnyOrder(views.SliceOf(gotIDs), want) {
			t.Errorf("candidate nodes = %v, want %v", gotIDs, want)
		}
		if last != wantLast {
			t.Errorf("last node = %v, want %v", last, wantLast)
		}
		if !ret.Valid() {
			t.Fatalf("did not find matching node in %v, want %v", gotIDs, use)
		}

		return ret
	}
}

func TestSuggestExitNode(t *testing.T) {
	t.Parallel()

	defaultDERPMap := &tailcfg.DERPMap{
		Regions: map[int]*tailcfg.DERPRegion{
			1: {
				Latitude:  32,
				Longitude: -97,
			},
			2: {},
			3: {},
		},
	}

	preferred1Report := &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 10 * time.Millisecond,
			2: 20 * time.Millisecond,
			3: 30 * time.Millisecond,
		},
		PreferredDERP: 1,
	}
	noLatency1Report := &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 0,
			2: 0,
			3: 0,
		},
		PreferredDERP: 1,
	}
	preferredNoneReport := &netcheck.Report{
		RegionLatency: map[int]time.Duration{
			1: 10 * time.Millisecond,
			2: 20 * time.Millisecond,
			3: 30 * time.Millisecond,
		},
		PreferredDERP: 0,
	}

	dallas := tailcfg.Location{
		Latitude:  32.779167,
		Longitude: -96.808889,
		Priority:  100,
	}
	sanJose := tailcfg.Location{
		Latitude:  37.3382082,
		Longitude: -121.8863286,
		Priority:  20,
	}
	fortWorth := tailcfg.Location{
		Latitude:  32.756389,
		Longitude: -97.3325,
		Priority:  150,
	}
	fortWorthLowPriority := tailcfg.Location{
		Latitude:  32.756389,
		Longitude: -97.3325,
		Priority:  100,
	}

	peer1 := makePeer(1,
		withExitRoutes(),
		withSuggest())
	peer2DERP1 := makePeer(2,
		withDERP(1),
		withExitRoutes(),
		withSuggest())
	peer3 := makePeer(3,
		withExitRoutes(),
		withSuggest())
	peer4DERP3 := makePeer(4,
		withDERP(3),
		withExitRoutes(),
		withSuggest())
	dallasPeer5 := makePeer(5,
		withName("Dallas"),
		withoutDERP(),
		withExitRoutes(),
		withSuggest(),
		withLocation(dallas.View()))
	sanJosePeer6 := makePeer(6,
		withName("San Jose"),
		withoutDERP(),
		withExitRoutes(),
		withSuggest(),
		withLocation(sanJose.View()))
	fortWorthPeer7 := makePeer(7,
		withName("Fort Worth"),
		withoutDERP(),
		withExitRoutes(),
		withSuggest(),
		withLocation(fortWorth.View()))
	fortWorthPeer8LowPriority := makePeer(8,
		withName("Fort Worth Low"),
		withoutDERP(),
		withExitRoutes(),
		withSuggest(),
		withLocation(fortWorthLowPriority.View()))

	selfNode := tailcfg.Node{
		Addresses: []netip.Prefix{
			netip.MustParsePrefix("100.64.1.1/32"),
			netip.MustParsePrefix("fe70::1/128"),
		},
	}

	defaultNetmap := &netmap.NetworkMap{
		SelfNode: selfNode.View(),
		DERPMap:  defaultDERPMap,
		Peers: []tailcfg.NodeView{
			peer2DERP1,
			peer3,
		},
	}
	locationNetmap := &netmap.NetworkMap{
		SelfNode: selfNode.View(),
		DERPMap:  defaultDERPMap,
		Peers: []tailcfg.NodeView{
			dallasPeer5,
			sanJosePeer6,
		},
	}
	largeNetmap := &netmap.NetworkMap{
		SelfNode: selfNode.View(),
		DERPMap:  defaultDERPMap,
		Peers: []tailcfg.NodeView{
			peer1,
			peer2DERP1,
			peer3,
			peer4DERP3,
			dallasPeer5,
			sanJosePeer6,
			fortWorthPeer7,
		},
	}

	tests := []struct {
		name string

		lastReport     *netcheck.Report
		netMap         *netmap.NetworkMap
		lastSuggestion tailcfg.StableNodeID

		allowPolicy []tailcfg.StableNodeID

		wantRegions []int
		useRegion   int

		wantNodes []tailcfg.StableNodeID

		wantID       tailcfg.StableNodeID
		wantName     string
		wantLocation tailcfg.LocationView

		wantError error
	}{
		{
			name:       "2 exit nodes in same region",
			lastReport: preferred1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					peer1,
					peer2DERP1,
				},
			},
			wantNodes: []tailcfg.StableNodeID{
				"stable1",
				"stable2",
			},
			wantName: "peer1",
			wantID:   "stable1",
		},
		{
			name:        "2 exit nodes different regions unknown latency",
			lastReport:  noLatency1Report,
			netMap:      defaultNetmap,
			wantRegions: []int{1, 3}, // the only regions with peers
			useRegion:   1,
			wantName:    "peer2",
			wantID:      "stable2",
		},
		{
			name: "2 derp based exit nodes, different regions, equal latency",
			lastReport: &netcheck.Report{
				RegionLatency: map[int]time.Duration{
					1: 10,
					2: 20,
					3: 10,
				},
				PreferredDERP: 1,
			},
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					peer1,
					peer3,
				},
			},
			wantRegions: []int{1, 2},
			useRegion:   1,
			wantName:    "peer1",
			wantID:      "stable1",
		},
		{
			name:         "mullvad nodes, no derp based exit nodes",
			lastReport:   noLatency1Report,
			netMap:       locationNetmap,
			wantID:       "stable5",
			wantLocation: dallas.View(),
			wantName:     "Dallas",
		},
		{
			name:       "nearby mullvad nodes with different priorities",
			lastReport: noLatency1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					dallasPeer5,
					sanJosePeer6,
					fortWorthPeer7,
				},
			},
			wantID:       "stable7",
			wantLocation: fortWorth.View(),
			wantName:     "Fort Worth",
		},
		{
			name:       "nearby mullvad nodes with same priorities",
			lastReport: noLatency1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					dallasPeer5,
					sanJosePeer6,
					fortWorthPeer8LowPriority,
				},
			},
			wantNodes:    []tailcfg.StableNodeID{"stable5", "stable8"},
			wantID:       "stable5",
			wantLocation: dallas.View(),
			wantName:     "Dallas",
		},
		{
			name:       "mullvad nodes, remaining node is not in preferred derp",
			lastReport: noLatency1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					dallasPeer5,
					sanJosePeer6,
					peer4DERP3,
				},
			},
			useRegion: 3,
			wantID:    "stable4",
			wantName:  "peer4",
		},
		{
			name:       "no peers",
			lastReport: noLatency1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
			},
		},
		{
			name:       "nil report",
			lastReport: nil,
			netMap:     largeNetmap,
			wantError:  ErrNoPreferredDERP,
		},
		{
			name:       "no preferred derp region",
			lastReport: preferredNoneReport,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
			},
			wantError: ErrNoPreferredDERP,
		},
		{
			name:       "nil netmap",
			lastReport: noLatency1Report,
			netMap:     nil,
			wantError:  ErrNoPreferredDERP,
		},
		{
			name:       "nil derpmap",
			lastReport: noLatency1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  nil,
				Peers: []tailcfg.NodeView{
					dallasPeer5,
				},
			},
			wantError: ErrNoPreferredDERP,
		},
		{
			name:       "missing suggestion capability",
			lastReport: noLatency1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					makePeer(1, withExitRoutes()),
					makePeer(2, withLocation(dallas.View()), withExitRoutes()),
				},
			},
		},
		{
			name:       "prefer last node",
			lastReport: preferred1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					peer1,
					peer2DERP1,
				},
			},
			lastSuggestion: "stable2",
			wantNodes: []tailcfg.StableNodeID{
				"stable1",
				"stable2",
			},
			wantName: "peer2",
			wantID:   "stable2",
		},
		{
			name:           "found better derp node",
			lastSuggestion: "stable3",
			lastReport:     preferred1Report,
			netMap:         defaultNetmap,
			wantID:         "stable2",
			wantName:       "peer2",
		},
		{
			name:           "prefer last mullvad node",
			lastSuggestion: "stable2",
			lastReport:     preferred1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					dallasPeer5,
					sanJosePeer6,
					fortWorthPeer8LowPriority,
				},
			},
			wantNodes:    []tailcfg.StableNodeID{"stable5", "stable8"},
			wantID:       "stable5",
			wantName:     "Dallas",
			wantLocation: dallas.View(),
		},
		{
			name:           "prefer better mullvad node",
			lastSuggestion: "stable2",
			lastReport:     preferred1Report,
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				DERPMap:  defaultDERPMap,
				Peers: []tailcfg.NodeView{
					dallasPeer5,
					sanJosePeer6,
					fortWorthPeer7,
				},
			},
			wantNodes:    []tailcfg.StableNodeID{"stable7"},
			wantID:       "stable7",
			wantName:     "Fort Worth",
			wantLocation: fortWorth.View(),
		},
		{
			name:       "large netmap",
			lastReport: preferred1Report,
			netMap:     largeNetmap,
			wantNodes:  []tailcfg.StableNodeID{"stable1", "stable2"},
			wantID:     "stable2",
			wantName:   "peer2",
		},
		{
			name:        "no allowed suggestions",
			lastReport:  preferred1Report,
			netMap:      largeNetmap,
			allowPolicy: []tailcfg.StableNodeID{},
		},
		{
			name:        "only derp suggestions",
			lastReport:  preferred1Report,
			netMap:      largeNetmap,
			allowPolicy: []tailcfg.StableNodeID{"stable1", "stable2", "stable3"},
			wantNodes:   []tailcfg.StableNodeID{"stable1", "stable2"},
			wantID:      "stable2",
			wantName:    "peer2",
		},
		{
			name:         "only mullvad suggestions",
			lastReport:   preferred1Report,
			netMap:       largeNetmap,
			allowPolicy:  []tailcfg.StableNodeID{"stable5", "stable6", "stable7"},
			wantID:       "stable7",
			wantName:     "Fort Worth",
			wantLocation: fortWorth.View(),
		},
		{
			name:        "only worst derp",
			lastReport:  preferred1Report,
			netMap:      largeNetmap,
			allowPolicy: []tailcfg.StableNodeID{"stable3"},
			wantID:      "stable3",
			wantName:    "peer3",
		},
		{
			name:         "only worst mullvad",
			lastReport:   preferred1Report,
			netMap:       largeNetmap,
			allowPolicy:  []tailcfg.StableNodeID{"stable6"},
			wantID:       "stable6",
			wantName:     "San Jose",
			wantLocation: sanJose.View(),
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			wantRegions := tt.wantRegions
			if wantRegions == nil {
				wantRegions = []int{tt.useRegion}
			}
			selectRegion := deterministicRegionForTest(t, views.SliceOf(wantRegions), tt.useRegion)

			wantNodes := tt.wantNodes
			if wantNodes == nil {
				wantNodes = []tailcfg.StableNodeID{tt.wantID}
			}
			selectNode := deterministicNodeForTest(t, views.SliceOf(wantNodes), tt.lastSuggestion, tt.wantID)

			var allowList set.Set[tailcfg.StableNodeID]
			if tt.allowPolicy != nil {
				allowList = set.SetOf(tt.allowPolicy)
			}

			nb := newNodeBackend(t.Context(), eventbus.New())
			defer nb.shutdown(errShutdown)
			nb.SetNetMap(tt.netMap)

			got, err := suggestExitNode(tt.lastReport, nb, tt.lastSuggestion, selectRegion, selectNode, allowList)
			if got.Name != tt.wantName {
				t.Errorf("name=%v, want %v", got.Name, tt.wantName)
			}
			if got.ID != tt.wantID {
				t.Errorf("ID=%v, want %v", got.ID, tt.wantID)
			}
			if tt.wantError == nil && err != nil {
				t.Errorf("err=%v, want no error", err)
			}
			if tt.wantError != nil && !errors.Is(err, tt.wantError) {
				t.Errorf("err=%v, want %v", err, tt.wantError)
			}
			if !reflect.DeepEqual(got.Location, tt.wantLocation) {
				t.Errorf("location=%v, want %v", got.Location, tt.wantLocation)
			}
		})
	}
}

func TestSuggestExitNodePickWeighted(t *testing.T) {
	location10 := tailcfg.Location{
		Priority: 10,
	}
	location20 := tailcfg.Location{
		Priority: 20,
	}

	tests := []struct {
		name       string
		candidates []tailcfg.NodeView
		wantIDs    []tailcfg.StableNodeID
	}{
		{
			name: "different priorities",
			candidates: []tailcfg.NodeView{
				makePeer(2, withExitRoutes(), withLocation(location20.View())),
				makePeer(3, withExitRoutes(), withLocation(location10.View())),
			},
			wantIDs: []tailcfg.StableNodeID{"stable2"},
		},
		{
			name: "same priorities",
			candidates: []tailcfg.NodeView{
				makePeer(2, withExitRoutes(), withLocation(location10.View())),
				makePeer(3, withExitRoutes(), withLocation(location10.View())),
			},
			wantIDs: []tailcfg.StableNodeID{"stable2", "stable3"},
		},
		{
			name:       "<1 candidates",
			candidates: []tailcfg.NodeView{},
		},
		{
			name: "1 candidate",
			candidates: []tailcfg.NodeView{
				makePeer(2, withExitRoutes(), withLocation(location20.View())),
			},
			wantIDs: []tailcfg.StableNodeID{"stable2"},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := pickWeighted(tt.candidates)
			gotIDs := make([]tailcfg.StableNodeID, 0, len(got))
			for _, n := range got {
				if !n.Valid() {
					gotIDs = append(gotIDs, "<invalid>")
					continue
				}
				gotIDs = append(gotIDs, n.StableID())
			}
			if !views.SliceEqualAnyOrder(views.SliceOf(gotIDs), views.SliceOf(tt.wantIDs)) {
				t.Errorf("node IDs = %v, want %v", gotIDs, tt.wantIDs)
			}
		})
	}
}

func TestSuggestExitNodeLongLatDistance(t *testing.T) {
	tests := []struct {
		name     string
		fromLat  float64
		fromLong float64
		toLat    float64
		toLong   float64
		want     float64
	}{
		{
			name:     "zero values",
			fromLat:  0,
			fromLong: 0,
			toLat:    0,
			toLong:   0,
			want:     0,
		},
		{
			name:     "valid values",
			fromLat:  40.73061,
			fromLong: -73.935242,
			toLat:    37.3382082,
			toLong:   -121.8863286,
			want:     4117266.873301274,
		},
		{
			name:     "valid values, locations in north and south of equator",
			fromLat:  40.73061,
			fromLong: -73.935242,
			toLat:    -33.861481,
			toLong:   151.205475,
			want:     15994089.144368416,
		},
	}
	// The wanted values are computed using a more precise algorithm using the WGS84 model but
	// longLatDistance uses a spherical approximation for simplicity. To account for this, we allow for
	// 10km of error.
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := longLatDistance(tt.fromLat, tt.fromLong, tt.toLat, tt.toLong)
			const maxError = 10000 // 10km
			if math.Abs(got-tt.want) > maxError {
				t.Errorf("distance=%vm, want within %vm of %vm", got, maxError, tt.want)
			}
		})
	}
}

func TestSuggestExitNodeTrafficSteering(t *testing.T) {
	city := &tailcfg.Location{
		Country:     "Canada",
		CountryCode: "CA",
		City:        "Montreal",
		CityCode:    "MTR",
		Latitude:    45.5053,
		Longitude:   -73.5525,
	}
	noLatLng := &tailcfg.Location{
		Country:     "Canada",
		CountryCode: "CA",
		City:        "Montreal",
		CityCode:    "MTR",
	}

	selfNode := tailcfg.Node{
		ID: 0, // randomness is seeded off NetMap.SelfNode.ID
		Addresses: []netip.Prefix{
			netip.MustParsePrefix("100.64.1.1/32"),
			netip.MustParsePrefix("fe70::1/128"),
		},
		CapMap: tailcfg.NodeCapMap{
			tailcfg.NodeAttrTrafficSteering: []tailcfg.RawMessage{},
		},
	}

	for _, tt := range []struct {
		name string

		netMap      *netmap.NetworkMap
		lastExit    tailcfg.StableNodeID
		allowPolicy []tailcfg.StableNodeID

		wantID   tailcfg.StableNodeID
		wantName string
		wantLoc  *tailcfg.Location
		wantPri  int

		wantErr error
	}{
		{
			name:    "no-netmap",
			netMap:  nil,
			wantErr: ErrNoNetMap,
		},
		{
			name: "no-nodes",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers:    []tailcfg.NodeView{},
			},
			wantID: "",
		},
		{
			name: "no-exit-nodes",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1),
				},
			},
			wantID: "",
		},
		{
			name: "exit-node-without-suggestion",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes()),
				},
			},
			wantID: "",
		},
		{
			name: "suggested-exit-node-without-routes",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withSuggest()),
				},
			},
			wantID: "",
		},
		{
			name: "suggested-exit-node",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest()),
				},
			},
			wantID:   "stable1",
			wantName: "peer1",
		},
		{
			name: "suggest-exit-node-stable-pick",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest()),
					makePeer(2,
						withExitRoutes(),
						withSuggest()),
					makePeer(3,
						withExitRoutes(),
						withSuggest()),
					makePeer(4,
						withExitRoutes(),
						withSuggest()),
				},
			},
			// Change this, if the hashing function changes.
			wantID:   "stable3",
			wantName: "peer3",
		},
		{
			name: "exit-nodes-with-and-without-priority",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(1)),
					makePeer(2,
						withExitRoutes(),
						withSuggest()),
				},
			},
			wantID:   "stable1",
			wantName: "peer1",
			wantPri:  1,
		},
		{
			name: "exit-nodes-without-and-with-priority",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest()),
					makePeer(2,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(1)),
				},
			},
			wantID:   "stable2",
			wantName: "peer2",
			wantPri:  1,
		},
		{
			name: "exit-nodes-with-negative-priority",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(-1)),
					makePeer(2,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(-2)),
					makePeer(3,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(-3)),
					makePeer(4,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(-4)),
				},
			},
			wantID:   "stable1",
			wantName: "peer1",
			wantPri:  -1,
		},
		{
			name: "exit-nodes-no-priority-beats-negative-priority",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(-1)),
					makePeer(2,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(-2)),
					makePeer(3,
						withExitRoutes(),
						withSuggest()),
				},
			},
			wantID:   "stable3",
			wantName: "peer3",
		},
		{
			name: "exit-nodes-same-priority",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(1)),
					makePeer(2,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(2)), // top
					makePeer(3,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(1)),
					makePeer(4,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(2)), // top
					makePeer(5,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(2)), // top
					makePeer(6,
						withExitRoutes(),
						withSuggest()),
					makePeer(7,
						withExitRoutes(),
						withSuggest(),
						withLocationPriority(2)), // top
				},
			},
			wantID:   "stable5",
			wantName: "peer5",
			wantPri:  2,
		},
		{
			name: "suggested-exit-node-with-city",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocation(city.View())),
				},
			},
			wantID:   "stable1",
			wantName: "peer1",
			wantLoc:  city,
		},
		{
			name: "suggested-exit-node-with-city-and-priority",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocation(city.View()),
						withLocationPriority(1)),
				},
			},
			wantID:   "stable1",
			wantName: "peer1",
			wantLoc:  city,
			wantPri:  1,
		},
		{
			name: "suggested-exit-node-without-latlng",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocation(noLatLng.View())),
				},
			},
			wantID:   "stable1",
			wantName: "peer1",
			wantLoc:  noLatLng,
		},
		{
			name: "suggested-exit-node-without-latlng-with-priority",
			netMap: &netmap.NetworkMap{
				SelfNode: selfNode.View(),
				Peers: []tailcfg.NodeView{
					makePeer(1,
						withExitRoutes(),
						withSuggest(),
						withLocation(noLatLng.View()),
						withLocationPriority(1)),
				},
			},
			wantID:   "stable1",
			wantName: "peer1",
			wantLoc:  noLatLng,
			wantPri:  1,
		},
	} {
		t.Run(tt.name, func(t *testing.T) {
			var allowList set.Set[tailcfg.StableNodeID]
			if tt.allowPolicy != nil {
				allowList = set.SetOf(tt.allowPolicy)
			}

			// HACK: NetMap.AllCaps is populated by Control:
			if tt.netMap != nil {
				caps := maps.Keys(tt.netMap.SelfNode.CapMap().AsMap())
				tt.netMap.AllCaps = set.SetOf(slices.Collect(caps))
			}

			nb := newNodeBackend(t.Context(), eventbus.New())
			defer nb.shutdown(errShutdown)
			nb.SetNetMap(tt.netMap)

			got, err := suggestExitNodeUsingTrafficSteering(nb, allowList)
			if tt.wantErr == nil && err != nil {
				t.Fatalf("err=%v, want nil", err)
			}
			if tt.wantErr != nil && !errors.Is(err, tt.wantErr) {
				t.Fatalf("err=%v, want %v", err, tt.wantErr)
			}

			if got.Name != tt.wantName {
				t.Errorf("name=%q, want %q", got.Name, tt.wantName)
			}

			if got.ID != tt.wantID {
				t.Errorf("ID=%q, want %q", got.ID, tt.wantID)
			}

			wantLoc := tt.wantLoc
			if tt.wantPri != 0 {
				if wantLoc == nil {
					wantLoc = new(tailcfg.Location)
				}
				wantLoc.Priority = tt.wantPri
			}
			if diff := cmp.Diff(got.Location.AsStruct(), wantLoc); diff != "" {
				t.Errorf("location mismatch (+want -got)\n%s", diff)
			}
		})
	}
}

func TestMinLatencyDERPregion(t *testing.T) {
	tests := []struct {
		name       string
		regions    []int
		report     *netcheck.Report
		wantRegion int
	}{
		{
			name:       "regions, no latency values",
			regions:    []int{1, 2, 3},
			wantRegion: 0,
			report:     &netcheck.Report{},
		},
		{
			name:       "regions, different latency values",
			regions:    []int{1, 2, 3},
			wantRegion: 2,
			report: &netcheck.Report{
				RegionLatency: map[int]time.Duration{
					1: 10 * time.Millisecond,
					2: 5 * time.Millisecond,
					3: 30 * time.Millisecond,
				},
			},
		},
		{
			name:       "regions, same values",
			regions:    []int{1, 2, 3},
			wantRegion: 1,
			report: &netcheck.Report{
				RegionLatency: map[int]time.Duration{
					1: 10 * time.Millisecond,
					2: 10 * time.Millisecond,
					3: 10 * time.Millisecond,
				},
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := minLatencyDERPRegion(tt.regions, tt.report)
			if got != tt.wantRegion {
				t.Errorf("got region %v want region %v", got, tt.wantRegion)
			}
		})
	}
}

func TestEnableAutoUpdates(t *testing.T) {
	lb := newTestLocalBackend(t)

	_, err := lb.EditPrefs(&ipn.MaskedPrefs{
		AutoUpdateSet: ipn.AutoUpdatePrefsMask{
			ApplySet: true,
		},
		Prefs: ipn.Prefs{
			AutoUpdate: ipn.AutoUpdatePrefs{
				Apply: opt.NewBool(true),
			},
		},
	})
	// Enabling may fail, depending on which environment we are running this
	// test in.
	wantErr := !clientupdate.CanAutoUpdate()
	gotErr := err != nil
	if gotErr != wantErr {
		t.Fatalf("enabling auto-updates: got error: %v (%v); want error: %v", gotErr, err, wantErr)
	}

	// Disabling should always succeed.
	if _, err := lb.EditPrefs(&ipn.MaskedPrefs{
		AutoUpdateSet: ipn.AutoUpdatePrefsMask{
			ApplySet: true,
		},
		Prefs: ipn.Prefs{
			AutoUpdate: ipn.AutoUpdatePrefs{
				Apply: opt.NewBool(false),
			},
		},
	}); err != nil {
		t.Fatalf("disabling auto-updates: got error: %v", err)
	}
}

func TestReadWriteRouteInfo(t *testing.T) {
	// set up a backend with more than one profile
	b := newTestBackend(t)
	prof1 := ipn.LoginProfile{ID: "id1", Key: "key1"}
	prof2 := ipn.LoginProfile{ID: "id2", Key: "key2"}
	b.pm.knownProfiles["id1"] = prof1.View()
	b.pm.knownProfiles["id2"] = prof2.View()
	b.pm.currentProfile = prof1.View()

	// set up routeInfo
	ri1 := &appc.RouteInfo{}
	ri1.Wildcards = []string{"1"}

	ri2 := &appc.RouteInfo{}
	ri2.Wildcards = []string{"2"}

	// read before write
	readRi, err := b.readRouteInfoLocked()
	if readRi != nil {
		t.Fatalf("read before writing: want nil, got %v", readRi)
	}
	if err != ipn.ErrStateNotExist {
		t.Fatalf("read before writing: want %v, got %v", ipn.ErrStateNotExist, err)
	}

	// write the first routeInfo
	if err := b.storeRouteInfo(ri1); err != nil {
		t.Fatal(err)
	}

	// write the other routeInfo as the other profile
	if _, _, err := b.pm.SwitchToProfileByID("id2"); err != nil {
		t.Fatal(err)
	}
	if err := b.storeRouteInfo(ri2); err != nil {
		t.Fatal(err)
	}

	// read the routeInfo of the first profile
	if _, _, err := b.pm.SwitchToProfileByID("id1"); err != nil {
		t.Fatal(err)
	}
	readRi, err = b.readRouteInfoLocked()
	if err != nil {
		t.Fatal(err)
	}
	if !slices.Equal(readRi.Wildcards, ri1.Wildcards) {
		t.Fatalf("read prof1 routeInfo wildcards:  want %v, got %v", ri1.Wildcards, readRi.Wildcards)
	}

	// read the routeInfo of the second profile
	if _, _, err := b.pm.SwitchToProfileByID("id2"); err != nil {
		t.Fatal(err)
	}
	readRi, err = b.readRouteInfoLocked()
	if err != nil {
		t.Fatal(err)
	}
	if !slices.Equal(readRi.Wildcards, ri2.Wildcards) {
		t.Fatalf("read prof2 routeInfo wildcards:  want %v, got %v", ri2.Wildcards, readRi.Wildcards)
	}
}

func TestFillAllowedSuggestions(t *testing.T) {
	tests := []struct {
		name        string
		allowPolicy []string
		want        []tailcfg.StableNodeID
	}{
		{
			name: "unset",
		},
		{
			name:        "zero",
			allowPolicy: []string{},
			want:        []tailcfg.StableNodeID{},
		},
		{
			name:        "one",
			allowPolicy: []string{"one"},
			want:        []tailcfg.StableNodeID{"one"},
		},
		{
			name:        "many",
			allowPolicy: []string{"one", "two", "three", "four"},
			want:        []tailcfg.StableNodeID{"one", "three", "four", "two"}, // order should not matter
		},
		{
			name:        "preserve case",
			allowPolicy: []string{"ABC", "def", "gHiJ"},
			want:        []tailcfg.StableNodeID{"ABC", "def", "gHiJ"},
		},
	}
	syspolicy.RegisterWellKnownSettingsForTest(t)
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			policyStore := source.NewTestStoreOf(t, source.TestSettingOf(
				syspolicy.AllowedSuggestedExitNodes, tt.allowPolicy,
			))
			syspolicy.MustRegisterStoreForTest(t, "TestStore", setting.DeviceScope, policyStore)

			got := fillAllowedSuggestions()
			if got == nil {
				if tt.want == nil {
					return
				}
				t.Errorf("got nil, want %v", tt.want)
			}
			if tt.want == nil {
				t.Errorf("got %v, want nil", got)
			}

			if !got.Equal(set.SetOf(tt.want)) {
				t.Errorf("got %v, want %v", got, tt.want)
			}
		})
	}
}

func TestNotificationTargetMatch(t *testing.T) {
	tests := []struct {
		name      string
		target    notificationTarget
		actor     ipnauth.Actor
		wantMatch bool
	}{
		{
			name:      "AllClients/Nil",
			target:    allClients,
			actor:     nil,
			wantMatch: true,
		},
		{
			name:      "AllClients/NoUID/NoCID",
			target:    allClients,
			actor:     &ipnauth.TestActor{},
			wantMatch: true,
		},
		{
			name:      "AllClients/WithUID/NoCID",
			target:    allClients,
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4", CID: ipnauth.NoClientID},
			wantMatch: true,
		},
		{
			name:      "AllClients/NoUID/WithCID",
			target:    allClients,
			actor:     &ipnauth.TestActor{CID: ipnauth.ClientIDFrom("A")},
			wantMatch: true,
		},
		{
			name:      "AllClients/WithUID/WithCID",
			target:    allClients,
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4", CID: ipnauth.ClientIDFrom("A")},
			wantMatch: true,
		},
		{
			name:      "FilterByUID/Nil",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     nil,
			wantMatch: false,
		},
		{
			name:      "FilterByUID/NoUID/NoCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     &ipnauth.TestActor{},
			wantMatch: false,
		},
		{
			name:      "FilterByUID/NoUID/WithCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     &ipnauth.TestActor{CID: ipnauth.ClientIDFrom("A")},
			wantMatch: false,
		},
		{
			name:      "FilterByUID/SameUID/NoCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4"},
			wantMatch: true,
		},
		{
			name:      "FilterByUID/DifferentUID/NoCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-5-6-7-8"},
			wantMatch: false,
		},
		{
			name:      "FilterByUID/SameUID/WithCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4", CID: ipnauth.ClientIDFrom("A")},
			wantMatch: true,
		},
		{
			name:      "FilterByUID/DifferentUID/WithCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-5-6-7-8", CID: ipnauth.ClientIDFrom("A")},
			wantMatch: false,
		},
		{
			name:      "FilterByCID/Nil",
			target:    notificationTarget{clientID: ipnauth.ClientIDFrom("A")},
			actor:     nil,
			wantMatch: false,
		},
		{
			name:      "FilterByCID/NoUID/NoCID",
			target:    notificationTarget{clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{},
			wantMatch: false,
		},
		{
			name:      "FilterByCID/NoUID/SameCID",
			target:    notificationTarget{clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{CID: ipnauth.ClientIDFrom("A")},
			wantMatch: true,
		},
		{
			name:      "FilterByCID/NoUID/DifferentCID",
			target:    notificationTarget{clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{CID: ipnauth.ClientIDFrom("B")},
			wantMatch: false,
		},
		{
			name:      "FilterByCID/WithUID/NoCID",
			target:    notificationTarget{clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4"},
			wantMatch: false,
		},
		{
			name:      "FilterByCID/WithUID/SameCID",
			target:    notificationTarget{clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4", CID: ipnauth.ClientIDFrom("A")},
			wantMatch: true,
		},
		{
			name:      "FilterByCID/WithUID/DifferentCID",
			target:    notificationTarget{clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4", CID: ipnauth.ClientIDFrom("B")},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/Nil",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4"},
			actor:     nil,
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/NoUID/NoCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/NoUID/SameCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{CID: ipnauth.ClientIDFrom("A")},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/NoUID/DifferentCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{CID: ipnauth.ClientIDFrom("B")},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/SameUID/NoCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4"},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/SameUID/SameCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4", CID: ipnauth.ClientIDFrom("A")},
			wantMatch: true,
		},
		{
			name:      "FilterByUID+CID/SameUID/DifferentCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-1-2-3-4", CID: ipnauth.ClientIDFrom("B")},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/DifferentUID/NoCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-5-6-7-8"},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/DifferentUID/SameCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-5-6-7-8", CID: ipnauth.ClientIDFrom("A")},
			wantMatch: false,
		},
		{
			name:      "FilterByUID+CID/DifferentUID/DifferentCID",
			target:    notificationTarget{userID: "S-1-5-21-1-2-3-4", clientID: ipnauth.ClientIDFrom("A")},
			actor:     &ipnauth.TestActor{UID: "S-1-5-21-5-6-7-8", CID: ipnauth.ClientIDFrom("B")},
			wantMatch: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			gotMatch := tt.target.match(tt.actor)
			if gotMatch != tt.wantMatch {
				t.Errorf("match: got %v; want %v", gotMatch, tt.wantMatch)
			}
		})
	}
}

type newTestControlFn func(tb testing.TB, opts controlclient.Options) controlclient.Client

func newLocalBackendWithTestControl(t *testing.T, enableLogging bool, newControl newTestControlFn) *LocalBackend {
	return newLocalBackendWithSysAndTestControl(t, enableLogging, tsd.NewSystem(), newControl)
}

func newLocalBackendWithSysAndTestControl(t *testing.T, enableLogging bool, sys *tsd.System, newControl newTestControlFn) *LocalBackend {
	logf := logger.Discard
	if enableLogging {
		logf = tstest.WhileTestRunningLogger(t)
	}

	if _, hasStore := sys.StateStore.GetOK(); !hasStore {
		store := new(mem.Store)
		sys.Set(store)
	}
	if _, hasEngine := sys.Engine.GetOK(); !hasEngine {
		e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set, sys.HealthTracker(), sys.UserMetricsRegistry(), sys.Bus.Get())
		if err != nil {
			t.Fatalf("NewFakeUserspaceEngine: %v", err)
		}
		t.Cleanup(e.Close)
		sys.Set(e)
	}

	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
	if err != nil {
		t.Fatalf("NewLocalBackend: %v", err)
	}
	t.Cleanup(b.Shutdown)
	b.DisablePortMapperForTest()

	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
		return newControl(t, opts), nil
	})
	return b
}

// notificationHandler is any function that can process (e.g., check) a notification.
// It returns whether the notification has been handled or should be passed to the next handler.
// The handler may be called from any goroutine, so it must avoid calling functions
// that are restricted to the goroutine running the test or benchmark function,
// such as [testing.common.FailNow] and [testing.common.Fatalf].
type notificationHandler func(testing.TB, ipnauth.Actor, *ipn.Notify) bool

// wantedNotification names a [notificationHandler] that processes a notification
// the test expects and wants to receive. The name is used to report notifications
// that haven't been received within the expected timeout.
type wantedNotification struct {
	name string
	cond notificationHandler
}

// notificationWatcher observes [LocalBackend] notifications as the specified actor,
// reporting missing but expected notifications using [testing.common.Error],
// and delegating the handling of unexpected notifications to the [notificationHandler]s.
type notificationWatcher struct {
	tb    testing.TB
	lb    *LocalBackend
	actor ipnauth.Actor

	mu          sync.Mutex
	mask        ipn.NotifyWatchOpt
	want        []wantedNotification  // notifications we want to receive
	unexpected  []notificationHandler // funcs that are called to check any other notifications
	ctxCancel   context.CancelFunc    // cancels the outstanding [LocalBackend.WatchNotificationsAs] call
	got         []*ipn.Notify         // all notifications, both wanted and unexpected, we've received so far
	gotWanted   []*ipn.Notify         // only the expected notifications; holds nil for any notification that hasn't been received
	gotWantedCh chan struct{}         // closed when we have received the last wanted notification
	doneCh      chan struct{}         // closed when [LocalBackend.WatchNotificationsAs] returns
}

func newNotificationWatcher(tb testing.TB, lb *LocalBackend, actor ipnauth.Actor) *notificationWatcher {
	return &notificationWatcher{tb: tb, lb: lb, actor: actor}
}

func (w *notificationWatcher) watch(mask ipn.NotifyWatchOpt, wanted []wantedNotification, unexpected ...notificationHandler) {
	w.tb.Helper()

	// Cancel any outstanding [LocalBackend.WatchNotificationsAs] calls.
	w.mu.Lock()
	ctxCancel := w.ctxCancel
	doneCh := w.doneCh
	w.mu.Unlock()
	if doneCh != nil {
		ctxCancel()
		<-doneCh
	}

	doneCh = make(chan struct{})
	gotWantedCh := make(chan struct{})
	ctx, ctxCancel := context.WithCancel(context.Background())
	w.tb.Cleanup(func() {
		ctxCancel()
		<-doneCh
	})

	w.mu.Lock()
	w.mask = mask
	w.want = wanted
	w.unexpected = unexpected
	w.ctxCancel = ctxCancel
	w.got = nil
	w.gotWanted = make([]*ipn.Notify, len(wanted))
	w.gotWantedCh = gotWantedCh
	w.doneCh = doneCh
	w.mu.Unlock()

	watchAddedCh := make(chan struct{})
	go func() {
		defer close(doneCh)
		if len(wanted) == 0 {
			close(gotWantedCh)
			if len(unexpected) == 0 {
				close(watchAddedCh)
				return
			}
		}

		var nextWantIdx int
		w.lb.WatchNotificationsAs(ctx, w.actor, w.mask, func() { close(watchAddedCh) }, func(notify *ipn.Notify) (keepGoing bool) {
			w.tb.Helper()

			w.mu.Lock()
			defer w.mu.Unlock()
			w.got = append(w.got, notify)

			wanted := false
			for i := nextWantIdx; i < len(w.want); i++ {
				if wanted = w.want[i].cond(w.tb, w.actor, notify); wanted {
					w.gotWanted[i] = notify
					nextWantIdx = i + 1
					break
				}
			}

			if wanted && nextWantIdx == len(w.want) {
				close(w.gotWantedCh)
				if len(w.unexpected) == 0 {
					// If we have received the last wanted notification,
					// and we don't have any handlers for the unexpected notifications,
					// we can stop the watcher right away.
					return false
				}

			}

			if !wanted {
				// If we've received a notification we didn't expect,
				// it could either be an unwanted notification caused by a bug
				// or just a miscellaneous one that's irrelevant for the current test.
				// Call unexpected notification handlers, if any, to
				// check and fail the test if necessary.
				for _, h := range w.unexpected {
					if h(w.tb, w.actor, notify) {
						break
					}
				}
			}

			return true
		})

	}()
	<-watchAddedCh
}

func (w *notificationWatcher) check() []*ipn.Notify {
	w.tb.Helper()

	w.mu.Lock()
	cancel := w.ctxCancel
	gotWantedCh := w.gotWantedCh
	checkUnexpected := len(w.unexpected) != 0
	doneCh := w.doneCh
	w.mu.Unlock()

	// Wait for up to 10 seconds to receive expected notifications.
	timeout := 10 * time.Second
	for {
		select {
		case <-gotWantedCh:
			if checkUnexpected {
				gotWantedCh = nil
				// But do not wait longer than 500ms for unexpected notifications after
				// the expected notifications have been received.
				timeout = 500 * time.Millisecond
				continue
			}
		case <-doneCh:
			// [LocalBackend.WatchNotificationsAs] has already returned, so no further
			// notifications will be received. There's no reason to wait any longer.
		case <-time.After(timeout):
		}
		cancel()
		<-doneCh
		break
	}

	// Report missing notifications, if any, and log all received notifications,
	// including both expected and unexpected ones.
	w.mu.Lock()
	defer w.mu.Unlock()
	if hasMissing := slices.Contains(w.gotWanted, nil); hasMissing {
		want := make([]string, len(w.want))
		got := make([]string, 0, len(w.want))
		for i, wn := range w.want {
			want[i] = wn.name
			if w.gotWanted[i] != nil {
				got = append(got, wn.name)
			}
		}
		w.tb.Errorf("Notifications(%s): got %q; want %q", actorDescriptionForTest(w.actor), strings.Join(got, ", "), strings.Join(want, ", "))
		for i, n := range w.got {
			w.tb.Logf("%d. %v", i, n)
		}
		return nil
	}

	return w.gotWanted
}

func actorDescriptionForTest(actor ipnauth.Actor) string {
	var parts []string
	if actor != nil {
		if name, _ := actor.Username(); name != "" {
			parts = append(parts, name)
		}
		if uid := actor.UserID(); uid != "" {
			parts = append(parts, string(uid))
		}
		if clientID, _ := actor.ClientID(); clientID != ipnauth.NoClientID {
			parts = append(parts, clientID.String())
		}
	}
	return fmt.Sprintf("Actor{%s}", strings.Join(parts, ", "))
}

func TestLoginNotifications(t *testing.T) {
	const (
		enableLogging = true
		controlURL    = "https://localhost:1/"
		loginURL      = "https://localhost:1/1"
	)

	wantBrowseToURL := wantedNotification{
		name: "BrowseToURL",
		cond: func(t testing.TB, actor ipnauth.Actor, n *ipn.Notify) bool {
			if n.BrowseToURL != nil && *n.BrowseToURL != loginURL {
				t.Errorf("BrowseToURL (%s): got %q; want %q", actorDescriptionForTest(actor), *n.BrowseToURL, loginURL)
				return false
			}
			return n.BrowseToURL != nil
		},
	}
	unexpectedBrowseToURL := func(t testing.TB, actor ipnauth.Actor, n *ipn.Notify) bool {
		if n.BrowseToURL != nil {
			t.Errorf("Unexpected BrowseToURL(%s): %v", actorDescriptionForTest(actor), n)
			return true
		}
		return false
	}

	tests := []struct {
		name            string
		logInAs         ipnauth.Actor
		urlExpectedBy   []ipnauth.Actor
		urlUnexpectedBy []ipnauth.Actor
	}{
		{
			name:          "NoObservers",
			logInAs:       &ipnauth.TestActor{UID: "A"},
			urlExpectedBy: []ipnauth.Actor{}, // ensure that it does not panic if no one is watching
		},
		{
			name:          "SingleUser",
			logInAs:       &ipnauth.TestActor{UID: "A"},
			urlExpectedBy: []ipnauth.Actor{&ipnauth.TestActor{UID: "A"}},
		},
		{
			name:          "SameUser/TwoSessions/NoCID",
			logInAs:       &ipnauth.TestActor{UID: "A"},
			urlExpectedBy: []ipnauth.Actor{&ipnauth.TestActor{UID: "A"}, &ipnauth.TestActor{UID: "A"}},
		},
		{
			name:            "SameUser/TwoSessions/OneWithCID",
			logInAs:         &ipnauth.TestActor{UID: "A", CID: ipnauth.ClientIDFrom("123")},
			urlExpectedBy:   []ipnauth.Actor{&ipnauth.TestActor{UID: "A", CID: ipnauth.ClientIDFrom("123")}},
			urlUnexpectedBy: []ipnauth.Actor{&ipnauth.TestActor{UID: "A"}},
		},
		{
			name:            "SameUser/TwoSessions/BothWithCID",
			logInAs:         &ipnauth.TestActor{UID: "A", CID: ipnauth.ClientIDFrom("123")},
			urlExpectedBy:   []ipnauth.Actor{&ipnauth.TestActor{UID: "A", CID: ipnauth.ClientIDFrom("123")}},
			urlUnexpectedBy: []ipnauth.Actor{&ipnauth.TestActor{UID: "A", CID: ipnauth.ClientIDFrom("456")}},
		},
		{
			name:            "DifferentUsers/NoCID",
			logInAs:         &ipnauth.TestActor{UID: "A"},
			urlExpectedBy:   []ipnauth.Actor{&ipnauth.TestActor{UID: "A"}},
			urlUnexpectedBy: []ipnauth.Actor{&ipnauth.TestActor{UID: "B"}},
		},
		{
			name:            "DifferentUsers/SameCID",
			logInAs:         &ipnauth.TestActor{UID: "A"},
			urlExpectedBy:   []ipnauth.Actor{&ipnauth.TestActor{UID: "A", CID: ipnauth.ClientIDFrom("123")}},
			urlUnexpectedBy: []ipnauth.Actor{&ipnauth.TestActor{UID: "B", CID: ipnauth.ClientIDFrom("123")}},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			lb := newLocalBackendWithTestControl(t, enableLogging, func(tb testing.TB, opts controlclient.Options) controlclient.Client {
				return newClient(tb, opts)
			})
			if _, err := lb.EditPrefs(&ipn.MaskedPrefs{ControlURLSet: true, Prefs: ipn.Prefs{ControlURL: controlURL}}); err != nil {
				t.Fatalf("(*EditPrefs).Start(): %v", err)
			}
			if err := lb.Start(ipn.Options{}); err != nil {
				t.Fatalf("(*LocalBackend).Start(): %v", err)
			}

			sessions := make([]*notificationWatcher, 0, len(tt.urlExpectedBy)+len(tt.urlUnexpectedBy))
			for _, actor := range tt.urlExpectedBy {
				session := newNotificationWatcher(t, lb, actor)
				session.watch(0, []wantedNotification{wantBrowseToURL})
				sessions = append(sessions, session)
			}
			for _, actor := range tt.urlUnexpectedBy {
				session := newNotificationWatcher(t, lb, actor)
				session.watch(0, nil, unexpectedBrowseToURL)
				sessions = append(sessions, session)
			}

			if err := lb.StartLoginInteractiveAs(context.Background(), tt.logInAs); err != nil {
				t.Fatal(err)
			}

			lb.cc.(*mockControl).send(nil, loginURL, false, nil)

			var wg sync.WaitGroup
			wg.Add(len(sessions))
			for _, sess := range sessions {
				go func() { // check all sessions in parallel
					sess.check()
					wg.Done()
				}()
			}
			wg.Wait()
		})
	}
}

// TestConfigFileReload tests that the LocalBackend reloads its configuration
// when the configuration file changes.
func TestConfigFileReload(t *testing.T) {
	type testCase struct {
		name    string
		initial *conffile.Config
		updated *conffile.Config
		checkFn func(*testing.T, *LocalBackend)
	}

	tests := []testCase{
		{
			name: "hostname_change",
			initial: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version:  "alpha0",
					Hostname: ptr.To("initial-host"),
				},
			},
			updated: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version:  "alpha0",
					Hostname: ptr.To("updated-host"),
				},
			},
			checkFn: func(t *testing.T, b *LocalBackend) {
				if got := b.Prefs().Hostname(); got != "updated-host" {
					t.Errorf("hostname = %q; want updated-host", got)
				}
			},
		},
		{
			name: "start_advertising_services",
			initial: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version: "alpha0",
				},
			},
			updated: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version:           "alpha0",
					AdvertiseServices: []string{"svc:abc", "svc:def"},
				},
			},
			checkFn: func(t *testing.T, b *LocalBackend) {
				if got := b.Prefs().AdvertiseServices().AsSlice(); !reflect.DeepEqual(got, []string{"svc:abc", "svc:def"}) {
					t.Errorf("AdvertiseServices = %v; want [svc:abc, svc:def]", got)
				}
			},
		},
		{
			name: "change_advertised_services",
			initial: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version:           "alpha0",
					AdvertiseServices: []string{"svc:abc", "svc:def"},
				},
			},
			updated: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version:           "alpha0",
					AdvertiseServices: []string{"svc:abc", "svc:ghi"},
				},
			},
			checkFn: func(t *testing.T, b *LocalBackend) {
				if got := b.Prefs().AdvertiseServices().AsSlice(); !reflect.DeepEqual(got, []string{"svc:abc", "svc:ghi"}) {
					t.Errorf("AdvertiseServices = %v; want [svc:abc, svc:ghi]", got)
				}
			},
		},
		{
			name: "unset_advertised_services",
			initial: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version:           "alpha0",
					AdvertiseServices: []string{"svc:abc"},
				},
			},
			updated: &conffile.Config{
				Parsed: ipn.ConfigVAlpha{
					Version: "alpha0",
				},
			},
			checkFn: func(t *testing.T, b *LocalBackend) {
				if b.Prefs().AdvertiseServices().Len() != 0 {
					t.Errorf("got %d AdvertiseServices wants none", b.Prefs().AdvertiseServices().Len())
				}
			},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			dir := t.TempDir()
			path := filepath.Join(dir, "tailscale.conf")

			// Write initial config
			initialJSON, err := json.Marshal(tc.initial.Parsed)
			if err != nil {
				t.Fatal(err)
			}
			if err := os.WriteFile(path, initialJSON, 0644); err != nil {
				t.Fatal(err)
			}

			// Create backend with initial config
			tc.initial.Path = path
			tc.initial.Raw = initialJSON
			sys := tsd.NewSystem()
			sys.InitialConfig = tc.initial
			b := newTestLocalBackendWithSys(t, sys)

			// Update config file
			updatedJSON, err := json.Marshal(tc.updated.Parsed)
			if err != nil {
				t.Fatal(err)
			}
			if err := os.WriteFile(path, updatedJSON, 0644); err != nil {
				t.Fatal(err)
			}

			// Trigger reload
			if ok, err := b.ReloadConfig(); !ok || err != nil {
				t.Fatalf("ReloadConfig() = %v, %v; want true, nil", ok, err)
			}

			// Check outcome
			tc.checkFn(t, b)
		})
	}
}

func TestGetVIPServices(t *testing.T) {
	tests := []struct {
		name        string
		advertised  []string
		serveConfig *ipn.ServeConfig
		want        []*tailcfg.VIPService
	}{
		{
			"advertised-only",
			[]string{"svc:abc", "svc:def"},
			&ipn.ServeConfig{},
			[]*tailcfg.VIPService{
				{
					Name:   "svc:abc",
					Active: true,
				},
				{
					Name:   "svc:def",
					Active: true,
				},
			},
		},
		{
			"served-only",
			[]string{},
			&ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {Tun: true},
				},
			},
			[]*tailcfg.VIPService{
				{
					Name:  "svc:abc",
					Ports: []tailcfg.ProtoPortRange{{Ports: tailcfg.PortRangeAny}},
				},
			},
		},
		{
			"served-and-advertised",
			[]string{"svc:abc"},
			&ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {Tun: true},
				},
			},
			[]*tailcfg.VIPService{
				{
					Name:   "svc:abc",
					Active: true,
					Ports:  []tailcfg.ProtoPortRange{{Ports: tailcfg.PortRangeAny}},
				},
			},
		},
		{
			"served-and-advertised-different-service",
			[]string{"svc:def"},
			&ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {Tun: true},
				},
			},
			[]*tailcfg.VIPService{
				{
					Name:  "svc:abc",
					Ports: []tailcfg.ProtoPortRange{{Ports: tailcfg.PortRangeAny}},
				},
				{
					Name:   "svc:def",
					Active: true,
				},
			},
		},
		{
			"served-with-port-ranges-one-range-single",
			[]string{},
			&ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {TCP: map[uint16]*ipn.TCPPortHandler{
						80: {HTTPS: true},
					}},
				},
			},
			[]*tailcfg.VIPService{
				{
					Name:  "svc:abc",
					Ports: []tailcfg.ProtoPortRange{{Proto: 6, Ports: tailcfg.PortRange{First: 80, Last: 80}}},
				},
			},
		},
		{
			"served-with-port-ranges-one-range-multiple",
			[]string{},
			&ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {TCP: map[uint16]*ipn.TCPPortHandler{
						80: {HTTPS: true},
						81: {HTTPS: true},
						82: {HTTPS: true},
					}},
				},
			},
			[]*tailcfg.VIPService{
				{
					Name:  "svc:abc",
					Ports: []tailcfg.ProtoPortRange{{Proto: 6, Ports: tailcfg.PortRange{First: 80, Last: 82}}},
				},
			},
		},
		{
			"served-with-port-ranges-multiple-ranges",
			[]string{},
			&ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {TCP: map[uint16]*ipn.TCPPortHandler{
						80:   {HTTPS: true},
						81:   {HTTPS: true},
						82:   {HTTPS: true},
						1212: {HTTPS: true},
						1213: {HTTPS: true},
						1214: {HTTPS: true},
					}},
				},
			},
			[]*tailcfg.VIPService{
				{
					Name: "svc:abc",
					Ports: []tailcfg.ProtoPortRange{
						{Proto: 6, Ports: tailcfg.PortRange{First: 80, Last: 82}},
						{Proto: 6, Ports: tailcfg.PortRange{First: 1212, Last: 1214}},
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			lb := newLocalBackendWithTestControl(t, false, func(tb testing.TB, opts controlclient.Options) controlclient.Client {
				return newClient(tb, opts)
			})
			lb.serveConfig = tt.serveConfig.View()
			prefs := &ipn.Prefs{
				AdvertiseServices: tt.advertised,
			}
			got := lb.vipServicesFromPrefsLocked(prefs.View())
			slices.SortFunc(got, func(a, b *tailcfg.VIPService) int {
				return strings.Compare(a.Name.String(), b.Name.String())
			})
			if !reflect.DeepEqual(tt.want, got) {
				t.Logf("want:")
				for _, s := range tt.want {
					t.Logf("%+v", s)
				}
				t.Logf("got:")
				for _, s := range got {
					t.Logf("%+v", s)
				}
				t.Fail()
				return
			}
		})
	}
}

func TestUpdatePrefsOnSysPolicyChange(t *testing.T) {
	const enableLogging = false

	type fieldChange struct {
		name string
		want any
	}

	wantPrefsChanges := func(want ...fieldChange) *wantedNotification {
		return &wantedNotification{
			name: "Prefs",
			cond: func(t testing.TB, actor ipnauth.Actor, n *ipn.Notify) bool {
				if n.Prefs != nil {
					prefs := reflect.Indirect(reflect.ValueOf(n.Prefs.AsStruct()))
					for _, f := range want {
						got := prefs.FieldByName(f.name).Interface()
						if !reflect.DeepEqual(got, f.want) {
							t.Errorf("%v: got %v; want %v", f.name, got, f.want)
						}
					}
				}
				return n.Prefs != nil
			},
		}
	}

	unexpectedPrefsChange := func(t testing.TB, _ ipnauth.Actor, n *ipn.Notify) bool {
		if n.Prefs != nil {
			t.Errorf("Unexpected Prefs: %v", n.Prefs.Pretty())
			return true
		}
		return false
	}

	tests := []struct {
		name           string
		initialPrefs   *ipn.Prefs
		stringSettings []source.TestSetting[string]
		want           *wantedNotification
	}{
		{
			name:           "ShieldsUp/True",
			stringSettings: []source.TestSetting[string]{source.TestSettingOf(syspolicy.EnableIncomingConnections, "never")},
			want:           wantPrefsChanges(fieldChange{"ShieldsUp", true}),
		},
		{
			name:           "ShieldsUp/False",
			initialPrefs:   &ipn.Prefs{ShieldsUp: true},
			stringSettings: []source.TestSetting[string]{source.TestSettingOf(syspolicy.EnableIncomingConnections, "always")},
			want:           wantPrefsChanges(fieldChange{"ShieldsUp", false}),
		},
		{
			name:           "ExitNodeID",
			stringSettings: []source.TestSetting[string]{source.TestSettingOf(syspolicy.ExitNodeID, "foo")},
			want:           wantPrefsChanges(fieldChange{"ExitNodeID", tailcfg.StableNodeID("foo")}),
		},
		{
			name:           "EnableRunExitNode",
			stringSettings: []source.TestSetting[string]{source.TestSettingOf(syspolicy.EnableRunExitNode, "always")},
			want:           wantPrefsChanges(fieldChange{"AdvertiseRoutes", []netip.Prefix{tsaddr.AllIPv4(), tsaddr.AllIPv6()}}),
		},
		{
			name: "Multiple",
			initialPrefs: &ipn.Prefs{
				ExitNodeAllowLANAccess: true,
			},
			stringSettings: []source.TestSetting[string]{
				source.TestSettingOf(syspolicy.EnableServerMode, "always"),
				source.TestSettingOf(syspolicy.ExitNodeAllowLANAccess, "never"),
				source.TestSettingOf(syspolicy.ExitNodeIP, "127.0.0.1"),
			},
			want: wantPrefsChanges(
				fieldChange{"ForceDaemon", true},
				fieldChange{"ExitNodeAllowLANAccess", false},
				fieldChange{"ExitNodeIP", netip.MustParseAddr("127.0.0.1")},
			),
		},
		{
			name: "NoChange",
			initialPrefs: &ipn.Prefs{
				CorpDNS:         true,
				ExitNodeID:      "foo",
				AdvertiseRoutes: []netip.Prefix{tsaddr.AllIPv4(), tsaddr.AllIPv6()},
			},
			stringSettings: []source.TestSetting[string]{
				source.TestSettingOf(syspolicy.EnableTailscaleDNS, "always"),
				source.TestSettingOf(syspolicy.ExitNodeID, "foo"),
				source.TestSettingOf(syspolicy.EnableRunExitNode, "always"),
			},
			want: nil, // syspolicy settings match the preferences; no change notification is expected.
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			syspolicy.RegisterWellKnownSettingsForTest(t)
			store := source.NewTestStoreOf[string](t)
			syspolicy.MustRegisterStoreForTest(t, "TestSource", setting.DeviceScope, store)

			lb := newLocalBackendWithTestControl(t, enableLogging, func(tb testing.TB, opts controlclient.Options) controlclient.Client {
				return newClient(tb, opts)
			})
			if tt.initialPrefs != nil {
				lb.SetPrefsForTest(tt.initialPrefs)
			}
			if err := lb.Start(ipn.Options{}); err != nil {
				t.Fatalf("(*LocalBackend).Start(): %v", err)
			}

			nw := newNotificationWatcher(t, lb, &ipnauth.TestActor{})
			if tt.want != nil {
				nw.watch(0, []wantedNotification{*tt.want})
			} else {
				nw.watch(0, nil, unexpectedPrefsChange)
			}

			store.SetStrings(tt.stringSettings...)

			nw.check()
		})
	}
}

func TestUpdateIngressAndServiceHashLocked(t *testing.T) {
	prefs := ipn.NewPrefs().View()
	previousSC := &ipn.ServeConfig{
		Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
			"svc:abc": {Tun: true},
		},
	}
	tests := []struct {
		name              string
		hi                *tailcfg.Hostinfo
		hasPreviousSC     bool // whether to overwrite the ServeConfig hash in the Hostinfo using previousSC
		sc                *ipn.ServeConfig
		wantIngress       bool
		wantWireIngress   bool
		wantControlUpdate bool
	}{
		{
			name: "no_hostinfo_no_serve_config",
			hi:   nil,
		},
		{
			name: "empty_hostinfo_no_serve_config",
			hi:   &tailcfg.Hostinfo{},
		},
		{
			name: "empty_hostinfo_funnel_enabled",
			hi:   &tailcfg.Hostinfo{},
			sc: &ipn.ServeConfig{
				AllowFunnel: map[ipn.HostPort]bool{
					"tailnet.xyz:443": true,
				},
			},
			wantIngress:       true,
			wantWireIngress:   false, // implied by wantIngress
			wantControlUpdate: true,
		},
		{
			name: "empty_hostinfo_service_configured",
			hi:   &tailcfg.Hostinfo{},
			sc: &ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {Tun: true},
				},
			},
			wantControlUpdate: true,
		},
		{
			name: "empty_hostinfo_funnel_disabled",
			hi:   &tailcfg.Hostinfo{},
			sc: &ipn.ServeConfig{
				AllowFunnel: map[ipn.HostPort]bool{
					"tailnet.xyz:443": false,
				},
			},
			wantWireIngress:   true, // true if there is any AllowFunnel block
			wantControlUpdate: true,
		},
		{
			name: "empty_hostinfo_no_funnel_no_service",
			hi:   &tailcfg.Hostinfo{},
			sc: &ipn.ServeConfig{
				TCP: map[uint16]*ipn.TCPPortHandler{
					80: {HTTPS: true},
				},
			},
		},
		{
			name: "funnel_enabled_no_change",
			hi: &tailcfg.Hostinfo{
				IngressEnabled: true,
			},
			sc: &ipn.ServeConfig{
				AllowFunnel: map[ipn.HostPort]bool{
					"tailnet.xyz:443": true,
				},
			},
			wantIngress:     true,
			wantWireIngress: false, // implied by wantIngress
		},
		{
			name:          "service_hash_no_change",
			hi:            &tailcfg.Hostinfo{},
			hasPreviousSC: true,
			sc: &ipn.ServeConfig{
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {Tun: true},
				},
			},
		},
		{
			name: "funnel_disabled_no_change",
			hi: &tailcfg.Hostinfo{
				WireIngress: true,
			},
			sc: &ipn.ServeConfig{
				AllowFunnel: map[ipn.HostPort]bool{
					"tailnet.xyz:443": false,
				},
			},
			wantWireIngress: true, // true if there is any AllowFunnel block
		},
		{
			name:              "service_got_removed",
			hi:                &tailcfg.Hostinfo{},
			hasPreviousSC:     true,
			sc:                &ipn.ServeConfig{},
			wantControlUpdate: true,
		},
		{
			name: "funnel_changes_to_disabled",
			hi: &tailcfg.Hostinfo{
				IngressEnabled: true,
			},
			sc: &ipn.ServeConfig{
				AllowFunnel: map[ipn.HostPort]bool{
					"tailnet.xyz:443": false,
				},
			},
			wantWireIngress:   true, // true if there is any AllowFunnel block
			wantControlUpdate: true,
		},
		{
			name: "funnel_changes_to_enabled",
			hi: &tailcfg.Hostinfo{
				WireIngress: true,
			},
			sc: &ipn.ServeConfig{
				AllowFunnel: map[ipn.HostPort]bool{
					"tailnet.xyz:443": true,
				},
			},
			wantIngress:       true,
			wantWireIngress:   false, // implied by wantIngress
			wantControlUpdate: true,
		},
		{
			name: "both_funnel_and_service_changes",
			hi: &tailcfg.Hostinfo{
				IngressEnabled: true,
			},
			sc: &ipn.ServeConfig{
				AllowFunnel: map[ipn.HostPort]bool{
					"tailnet.xyz:443": false,
				},
				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
					"svc:abc": {Tun: true},
				},
			},
			wantWireIngress:   true, // true if there is any AllowFunnel block
			wantControlUpdate: true,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			b := newTestLocalBackend(t)
			b.hostinfo = tt.hi
			if tt.hasPreviousSC {
				b.mu.Lock()
				b.serveConfig = previousSC.View()
				b.hostinfo.ServicesHash = b.vipServiceHash(b.vipServicesFromPrefsLocked(prefs))
				b.mu.Unlock()
			}
			b.serveConfig = tt.sc.View()
			allDone := make(chan bool, 1)
			defer b.goTracker.AddDoneCallback(func() {
				b.mu.Lock()
				defer b.mu.Unlock()
				if b.goTracker.RunningGoroutines() > 0 {
					return
				}
				select {
				case allDone <- true:
				default:
				}
			})()

			was := b.goTracker.StartedGoroutines()
			b.updateIngressAndServiceHashLocked(prefs)

			if tt.hi != nil {
				if tt.hi.IngressEnabled != tt.wantIngress {
					t.Errorf("IngressEnabled = %v, want %v", tt.hi.IngressEnabled, tt.wantIngress)
				}
				if tt.hi.WireIngress != tt.wantWireIngress {
					t.Errorf("WireIngress = %v, want %v", tt.hi.WireIngress, tt.wantWireIngress)
				}
				b.mu.Lock()
				svcHash := b.vipServiceHash(b.vipServicesFromPrefsLocked(prefs))
				b.mu.Unlock()
				if tt.hi.ServicesHash != svcHash {
					t.Errorf("ServicesHash = %v, want %v", tt.hi.ServicesHash, svcHash)
				}
			}

			startedGoroutine := b.goTracker.StartedGoroutines() != was
			if startedGoroutine != tt.wantControlUpdate {
				t.Errorf("control update triggered = %v, want %v", startedGoroutine, tt.wantControlUpdate)
			}

			if startedGoroutine {
				select {
				case <-time.After(5 * time.Second):
					t.Fatal("timed out waiting for goroutine to finish")
				case <-allDone:
				}
			}
		})
	}
}

// TestSrcCapPacketFilter tests that LocalBackend handles packet filters with
// SrcCaps instead of Srcs (IPs)
func TestSrcCapPacketFilter(t *testing.T) {
	lb := newLocalBackendWithTestControl(t, false, func(tb testing.TB, opts controlclient.Options) controlclient.Client {
		return newClient(tb, opts)
	})
	if err := lb.Start(ipn.Options{}); err != nil {
		t.Fatalf("(*LocalBackend).Start(): %v", err)
	}

	var k key.NodePublic
	must.Do(k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")))

	controlClient := lb.cc.(*mockControl)
	controlClient.send(nil, "", false, &netmap.NetworkMap{
		SelfNode: (&tailcfg.Node{
			Addresses: []netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")},
		}).View(),
		Peers: []tailcfg.NodeView{
			(&tailcfg.Node{
				Addresses: []netip.Prefix{netip.MustParsePrefix("2.2.2.2/32")},
				ID:        2,
				Key:       k,
				CapMap:    tailcfg.NodeCapMap{"cap-X": nil}, // node 2 has cap
			}).View(),
			(&tailcfg.Node{
				Addresses: []netip.Prefix{netip.MustParsePrefix("3.3.3.3/32")},
				ID:        3,
				Key:       k,
				CapMap:    tailcfg.NodeCapMap{}, // node 3 does not have the cap
			}).View(),
		},
		PacketFilter: []filtertype.Match{{
			IPProto: views.SliceOf([]ipproto.Proto{ipproto.TCP}),
			SrcCaps: []tailcfg.NodeCapability{"cap-X"}, // cap in packet filter rule
			Dsts: []filtertype.NetPortRange{{
				Net: netip.MustParsePrefix("1.1.1.1/32"),
				Ports: filtertype.PortRange{
					First: 22,
					Last:  22,
				},
			}},
		}},
	})

	f := lb.GetFilterForTest()
	res := f.Check(netip.MustParseAddr("2.2.2.2"), netip.MustParseAddr("1.1.1.1"), 22, ipproto.TCP)
	if res != filter.Accept {
		t.Errorf("Check(2.2.2.2, ...) = %s, want %s", res, filter.Accept)
	}

	res = f.Check(netip.MustParseAddr("3.3.3.3"), netip.MustParseAddr("1.1.1.1"), 22, ipproto.TCP)
	if !res.IsDrop() {
		t.Error("IsDrop() for node without cap = false, want true")
	}
}

func TestDisplayMessages(t *testing.T) {
	b := newTestLocalBackend(t)

	// Pretend we're in a map poll so health updates get processed
	ht := b.HealthTracker()
	ht.SetIPNState("NeedsLogin", true)
	ht.GotStreamedMapResponse()

	b.mu.Lock()
	defer b.mu.Unlock()
	b.setNetMapLocked(&netmap.NetworkMap{
		DisplayMessages: map[tailcfg.DisplayMessageID]tailcfg.DisplayMessage{
			"test-message": {
				Title: "Testing",
			},
		},
	})

	state := ht.CurrentState()
	wantID := health.WarnableCode("control-health.test-message")
	_, ok := state.Warnings[wantID]

	if !ok {
		t.Errorf("no warning found with id %q", wantID)
	}
}

// TestDisplayMessagesURLFilter tests that we filter out any URLs that are not
// valid as a pop browser URL (see [LocalBackend.validPopBrowserURL]).
func TestDisplayMessagesURLFilter(t *testing.T) {
	b := newTestLocalBackend(t)

	// Pretend we're in a map poll so health updates get processed
	ht := b.HealthTracker()
	ht.SetIPNState("NeedsLogin", true)
	ht.GotStreamedMapResponse()

	b.mu.Lock()
	defer b.mu.Unlock()
	b.setNetMapLocked(&netmap.NetworkMap{
		DisplayMessages: map[tailcfg.DisplayMessageID]tailcfg.DisplayMessage{
			"test-message": {
				Title:    "Testing",
				Severity: tailcfg.SeverityHigh,
				PrimaryAction: &tailcfg.DisplayMessageAction{
					URL:   "https://www.evil.com",
					Label: "Phishing Link",
				},
			},
		},
	})

	state := ht.CurrentState()
	wantID := health.WarnableCode("control-health.test-message")
	got, ok := state.Warnings[wantID]

	if !ok {
		t.Fatalf("no warning found with id %q", wantID)
	}

	want := health.UnhealthyState{
		WarnableCode: wantID,
		Title:        "Testing",
		Severity:     health.SeverityHigh,
	}

	if diff := cmp.Diff(want, got); diff != "" {
		t.Errorf("Unexpected message content (-want/+got):\n%s", diff)
	}
}

// TestDisplayMessageIPNBus checks that we send health messages appropriately
// based on whether the watcher has sent the [ipn.NotifyHealthActions] watch
// option or not.
func TestDisplayMessageIPNBus(t *testing.T) {
	type test struct {
		name        string
		mask        ipn.NotifyWatchOpt
		wantWarning health.UnhealthyState
	}

	msgs := map[tailcfg.DisplayMessageID]tailcfg.DisplayMessage{
		"test-message": {
			Title:    "Message title",
			Text:     "Message text.",
			Severity: tailcfg.SeverityMedium,
			PrimaryAction: &tailcfg.DisplayMessageAction{
				URL:   "https://example.com",
				Label: "Learn more",
			},
		},
	}

	wantID := health.WarnableCode("control-health.test-message")

	for _, tt := range []test{
		{
			name: "older-client-no-actions",
			mask: 0,
			wantWarning: health.UnhealthyState{
				WarnableCode:  wantID,
				Severity:      health.SeverityMedium,
				Title:         "Message title",
				Text:          "Message text. Learn more: https://example.com", // PrimaryAction appended to text
				PrimaryAction: nil,                                             // PrimaryAction not included
			},
		},
		{
			name: "new-client-with-actions",
			mask: ipn.NotifyHealthActions,
			wantWarning: health.UnhealthyState{
				WarnableCode: wantID,
				Severity:     health.SeverityMedium,
				Title:        "Message title",
				Text:         "Message text.",
				PrimaryAction: &health.UnhealthyStateAction{
					URL:   "https://example.com",
					Label: "Learn more",
				},
			},
		},
	} {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			lb := newLocalBackendWithTestControl(t, false, func(tb testing.TB, opts controlclient.Options) controlclient.Client {
				return newClient(tb, opts)
			})

			ipnWatcher := newNotificationWatcher(t, lb, nil)
			ipnWatcher.watch(tt.mask, []wantedNotification{{
				name: fmt.Sprintf("warning with ID %q", wantID),
				cond: func(_ testing.TB, _ ipnauth.Actor, n *ipn.Notify) bool {
					if n.Health == nil {
						return false
					}
					got, ok := n.Health.Warnings[wantID]
					if ok {
						if diff := cmp.Diff(tt.wantWarning, got); diff != "" {
							t.Errorf("unexpected warning details (-want/+got):\n%s", diff)
							return true // we failed the test so tell the watcher we've seen what we need to to stop it waiting
						}
					} else {
						got := slices.Collect(maps.Keys(n.Health.Warnings))
						t.Logf("saw warnings: %v", got)
					}
					return ok
				},
			}})

			lb.SetPrefsForTest(&ipn.Prefs{
				ControlURL:  "https://localhost:1/",
				WantRunning: true,
				LoggedOut:   false,
			})
			if err := lb.Start(ipn.Options{}); err != nil {
				t.Fatalf("(*LocalBackend).Start(): %v", err)
			}

			cc := lb.cc.(*mockControl)

			// Assert that we are logged in and authorized, and also send our DisplayMessages
			cc.send(nil, "", true, &netmap.NetworkMap{
				SelfNode:        (&tailcfg.Node{MachineAuthorized: true}).View(),
				DisplayMessages: msgs,
			})

			// Tell the health tracker that we are in a map poll because
			// mockControl doesn't tell it
			lb.HealthTracker().GotStreamedMapResponse()

			// Assert that we got the expected notification
			ipnWatcher.check()
		})
	}
}

func checkError(tb testing.TB, got, want error, fatal bool) {
	tb.Helper()
	f := tb.Errorf
	if fatal {
		f = tb.Fatalf
	}
	if (want == nil) != (got == nil) ||
		(want != nil && got != nil && want.Error() != got.Error() && !errors.Is(got, want)) {
		f("gotErr: %v; wantErr: %v", got, want)
	}
}

func toStrings[T ~string](in []T) []string {
	out := make([]string, len(in))
	for i, v := range in {
		out[i] = string(v)
	}
	return out
}