ssh/tailssh: handle not-authenticated-yet connections in matchRule

Also make more fields in conn.info thread safe, there was previously a data race here. Fixes #5110 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2025-10-09 16:11:23 +00:00 · 2022-07-21 08:46:55 -07:00
parent 41e60dae80
commit 480fd6c797
3 changed files with 75 additions and 14 deletions
--- a/ssh/tailssh/tailssh_test.go
+++ b/ssh/tailssh/tailssh_test.go
@@ -47,13 +47,26 @@ func TestMatchRule(t *testing.T) {
 		wantErr  error
 		wantUser string
 	}{
+		{
+			name: "invalid-conn",
+			rule: &tailcfg.SSHRule{
+				Action:     someAction,
+				Principals: []*tailcfg.SSHPrincipal{{Any: true}},
+				SSHUsers: map[string]string{
+					"*": "ubuntu",
+				},
+			},
+			wantErr: errInvalidConn,
+		},
 		{
 			name:    "nil-rule",
+			ci:      &sshConnInfo{},
 			rule:    nil,
 			wantErr: errNilRule,
 		},
 		{
 			name:    "nil-action",
+			ci:      &sshConnInfo{},
 			rule:    &tailcfg.SSHRule{},
 			wantErr: errNilAction,
 		},
@@ -180,6 +193,7 @@ func TestMatchRule(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &conn{
 				info: tt.ci,
+				srv:  &server{logf: t.Logf},
 			}
 			got, gotUser, err := c.matchRule(tt.rule, nil)
 			if err != tt.wantErr {