ipn/{ipnauth, ipnserver}: extend the ipnauth.Actor interface with a CheckProfileAccess method

The implementations define it to verify whether the actor has the requested access to a login profile. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-12-06 12:52:00 +00:00 · 2025-01-29 15:34:20 -06:00
parent 4e7f4086b2
commit 081595de63
4 changed files with 27 additions and 1 deletions
--- a/ipn/ipnauth/test_actor.go
+++ b/ipn/ipnauth/test_actor.go
@@ -4,6 +4,8 @@
 package ipnauth

 import (
+	"errors"
+
 	"tailscale.com/ipn"
 )

@@ -17,7 +19,6 @@ type TestActor struct {
 	CID         ClientID          // non-zero if the actor represents a connected LocalAPI client
 	LocalSystem bool              // whether the actor represents the special Local System account on Windows
 	LocalAdmin  bool              // whether the actor has local admin access
-
 }

 // UserID implements [Actor].
@@ -29,6 +30,11 @@ func (a *TestActor) Username() (string, error) { return a.Name, a.NameErr }
 // ClientID implements [Actor].
 func (a *TestActor) ClientID() (_ ClientID, ok bool) { return a.CID, a.CID != NoClientID }

+// CheckProfileAccess implements [Actor].
+func (a *TestActor) CheckProfileAccess(profile ipn.LoginProfileView, _ ProfileAccess) error {
+	return errors.New("profile access denied")
+}
+
 // IsLocalSystem implements [Actor].
 func (a *TestActor) IsLocalSystem() bool { return a.LocalSystem }