Mirrors/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-23 02:24:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

Merge eb1af6b947 into 4e1834adaf

Browse source
This commit is contained in:
Matan Baruch 2026-01-21 15:40:06 +00:00 committed by GitHub
commit 91592a8059
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 1008 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -90,6 +90,7 @@ sequentially through each stable release, selecting the latest patch version ava
### Changes
- Add App Connector support for domain-based routing through designated connector nodes [#2987](https://github.com/juanfont/headscale/pull/2987)
- Smarter change notifications send partial map updates and node removals instead of full maps [#2961](https://github.com/juanfont/headscale/pull/2961)
- Send lightweight endpoint and DERP region updates instead of full maps [#2856](https://github.com/juanfont/headscale/pull/2856)
- Add NixOS module in repository for faster iteration [#2857](https://github.com/juanfont/headscale/pull/2857)

1
docs/about/features.md
View file

@ -33,6 +33,7 @@ provides on overview of Headscale's feature and compatibility with the Tailscale
- [x] Basic registration
- [x] Update user profile from identity provider
- [ ] OIDC groups cannot be used in ACLs
- [x] [App Connectors](https://tailscale.com/kb/1281/app-connectors) - Route traffic to specific domains through designated connector nodes
- [ ] [Funnel](https://tailscale.com/kb/1223/funnel) ([#1040](https://github.com/juanfont/headscale/issues/1040))
- [ ] [Serve](https://tailscale.com/kb/1312/serve) ([#1234](https://github.com/juanfont/headscale/issues/1921))
- [ ] [Network flow logs](https://tailscale.com/kb/1219/network-flow-logs) ([#1687](https://github.com/juanfont/headscale/issues/1687))

62
docs/ref/acls.md
View file

@ -285,3 +285,65 @@ Used in Tailscale SSH rules to allow access to any user except root. Can only be
"users": ["autogroup:nonroot"]
}
```
## App Connectors
Headscale supports [App Connectors](https://tailscale.com/kb/1281/app-connectors), which allow you to route traffic to specific domains through designated connector nodes. This is useful for accessing internal applications or services that are only reachable from certain nodes in your tailnet.
App connectors are configured in the `appConnectors` field of your ACL policy:
```json
{
"tagOwners": {
"tag:connector": ["admin@"]
},
"appConnectors": [
{
"name": "Internal Apps",
"connectors": ["tag:connector"],
"domains": ["internal.example.com", "*.corp.example.com"],
"routes": ["10.0.0.0/8"]
}
]
}
```
### Configuration Fields
| Field | Required | Description |
|-------|----------|-------------|
| `name` | No | A human-readable name for this app connector configuration |
| `connectors` | Yes | A list of tags (e.g., `tag:connector`) or `*` (all nodes) that identifies which nodes can serve as connectors |
| `domains` | Yes | A list of domain names to route through the connector. Supports wildcards like `*.example.com` |
| `routes` | No | Optional list of IP prefixes to pre-configure as routes (in addition to dynamically discovered routes from DNS) |
### How It Works
1. Configure tagged nodes as app connectors in your ACL policy
2. Nodes with the specified tags that advertise themselves as app connectors will receive the domain configuration
3. When clients query DNS for the configured domains, traffic is automatically routed through the connector nodes
4. The connector nodes resolve the DNS and forward traffic to the destination
### Example: Multiple Connectors
```json
{
"tagOwners": {
"tag:web-connector": ["admin@"],
"tag:db-connector": ["admin@"]
},
"appConnectors": [
{
"name": "Web Applications",
"connectors": ["tag:web-connector"],
"domains": ["*.internal.example.com", "dashboard.corp.example.com"]
},
{
"name": "Database Access",
"connectors": ["tag:db-connector"],
"domains": ["db.internal.example.com"],
"routes": ["10.20.30.0/24"]
}
]
}
```

49
hscontrol/mapper/builder.go
View file

@ -1,6 +1,7 @@
package mapper
import (
"encoding/json"
"errors"
"net/netip"
"sort"
@ -8,6 +9,7 @@ import (
"github.com/juanfont/headscale/hscontrol/policy"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/rs/zerolog/log"
"tailscale.com/tailcfg"
"tailscale.com/types/views"
"tailscale.com/util/multierr"
@ -86,11 +88,58 @@ func (b *MapResponseBuilder) WithSelfNode() *MapResponseBuilder {
return b
}
// Add app connector capabilities if this node is advertising as an app connector
b.addAppConnectorCapabilities(nv, tailnode)
b.resp.Node = tailnode
return b
}
// addAppConnectorCapabilities adds app connector capabilities to a node's CapMap
// if the node is advertising as an app connector and has matching policy configuration.
func (b *MapResponseBuilder) addAppConnectorCapabilities(nv types.NodeView, tailnode *tailcfg.Node) {
configs := b.mapper.state.AppConnectorConfigForNode(nv)
if len(configs) == 0 {
return
}
// Initialize CapMap if nil
if tailnode.CapMap == nil {
tailnode.CapMap = make(tailcfg.NodeCapMap)
}
// Build the app connector attributes for the capability
attrs := make([]tailcfg.RawMessage, 0, len(configs))
for _, cfg := range configs {
// Convert the config to JSON for the capability
attrJSON, err := json.Marshal(cfg)
if err != nil {
log.Warn().
Err(err).
Uint64("node.id", uint64(nv.ID())).
Str("app_connector.name", cfg.Name).
Msg("Failed to marshal app connector config")
continue
}
attrs = append(attrs, tailcfg.RawMessage(attrJSON))
}
if len(attrs) > 0 {
// The capability key is "tailscale.com/app-connectors" as per Tailscale protocol
tailnode.CapMap[tailcfg.NodeCapability("tailscale.com/app-connectors")] = attrs
log.Debug().
Uint64("node.id", uint64(nv.ID())).
Str("node.name", nv.Hostname()).
Int("app_connectors.count", len(attrs)).
Msg("Added app connector capabilities to node")
}
}
func (b *MapResponseBuilder) WithDebugType(t debugType) *MapResponseBuilder {
if debugDumpMapResponsePath != "" {
b.debugType = t

8
hscontrol/policy/pm.go
View file

@ -32,10 +32,18 @@ type PolicyManager interface {
// NodeCanApproveRoute reports whether the given node can approve the given route.
NodeCanApproveRoute(types.NodeView, netip.Prefix) bool
// AppConnectorConfigForNode returns the app connector configuration for a node
// that is advertising itself as an app connector.
AppConnectorConfigForNode(node types.NodeView) []AppConnectorAttr
Version() int
DebugString() string
}
// AppConnectorAttr describes a set of domains serviced by app connectors.
// Re-exported from v2 package for convenience.
type AppConnectorAttr = policyv2.AppConnectorAttr
// NewPolicyManager returns a new policy manager.
func NewPolicyManager(pol []byte, users []types.User, nodes views.Slice[types.NodeView]) (PolicyManager, error) {
var polMan PolicyManager

355
hscontrol/policy/v2/appconnector_test.go Normal file
View file

@ -0,0 +1,355 @@
package v2
import (
"net/netip"
"testing"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gorm.io/gorm"
"tailscale.com/tailcfg"
"tailscale.com/types/opt"
)
func TestAppConnectorPolicyParsing(t *testing.T) {
tests := []struct {
name string
policyJSON string
wantConnector []AppConnector
wantErr bool
}{
{
name: "basic app connector",
policyJSON: `{
"tagOwners": {
"tag:connector": ["user@example.com"]
},
"appConnectors": [
{
"name": "Internal Apps",
"connectors": ["tag:connector"],
"domains": ["internal.example.com", "*.corp.example.com"]
}
]
}`,
wantConnector: []AppConnector{
{
Name: "Internal Apps",
Connectors: []string{"tag:connector"},
Domains: []string{"internal.example.com", "*.corp.example.com"},
},
},
wantErr: false,
},
{
name: "app connector with routes",
policyJSON: `{
"tagOwners": {
"tag:connector": ["user@example.com"]
},
"appConnectors": [
{
"name": "VPN Connector",
"connectors": ["tag:connector"],
"domains": ["vpn.example.com"],
"routes": ["10.0.0.0/8", "192.168.0.0/16"]
}
]
}`,
wantConnector: []AppConnector{
{
Name: "VPN Connector",
Connectors: []string{"tag:connector"},
Domains: []string{"vpn.example.com"},
Routes: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("192.168.0.0/16")},
},
},
wantErr: false,
},
{
name: "wildcard connector",
policyJSON: `{
"appConnectors": [
{
"name": "Any Connector",
"connectors": ["*"],
"domains": ["app.example.com"]
}
]
}`,
wantConnector: []AppConnector{
{
Name: "Any Connector",
Connectors: []string{"*"},
Domains: []string{"app.example.com"},
},
},
wantErr: false,
},
{
name: "app connector with undefined tag",
policyJSON: `{
"appConnectors": [
{
"name": "Bad Connector",
"connectors": ["tag:undefined"],
"domains": ["app.example.com"]
}
]
}`,
wantErr: true,
},
{
name: "app connector without domains",
policyJSON: `{
"tagOwners": {
"tag:connector": ["user@example.com"]
},
"appConnectors": [
{
"name": "No Domains",
"connectors": ["tag:connector"],
"domains": []
}
]
}`,
wantErr: true,
},
{
name: "app connector without connectors",
policyJSON: `{
"appConnectors": [
{
"name": "No Connectors",
"connectors": [],
"domains": ["app.example.com"]
}
]
}`,
wantErr: true,
},
{
name: "app connector with invalid domain",
policyJSON: `{
"tagOwners": {
"tag:connector": ["user@example.com"]
},
"appConnectors": [
{
"name": "Invalid Domain",
"connectors": ["tag:connector"],
"domains": [""]
}
]
}`,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
policy, err := unmarshalPolicy([]byte(tt.policyJSON))
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
require.NotNil(t, policy)
assert.Equal(t, tt.wantConnector, policy.AppConnectors)
})
}
}
func TestAppConnectorConfigForNode(t *testing.T) {
policyJSON := `{
"tagOwners": {
"tag:connector": ["user@example.com"],
"tag:other": ["user@example.com"]
},
"appConnectors": [
{
"name": "Internal Apps",
"connectors": ["tag:connector"],
"domains": ["internal.example.com", "*.corp.example.com"]
},
{
"name": "VPN Apps",
"connectors": ["tag:connector"],
"domains": ["vpn.example.com"],
"routes": ["10.0.0.0/8"]
},
{
"name": "Other Apps",
"connectors": ["tag:other"],
"domains": ["other.example.com"]
}
]
}`
users := []types.User{
{Model: gorm.Model{ID: 1}, Email: "user@example.com"},
}
uid := uint(1)
ipv4 := netip.MustParseAddr("100.64.0.1")
// Node with tag:connector that IS advertising as app connector
connectorNode := &types.Node{
ID: 1,
UserID: &uid,
IPv4: &ipv4,
Tags: []string{"tag:connector"},
Hostinfo: &tailcfg.Hostinfo{
AppConnector: opt.NewBool(true),
},
}
// Node with tag:connector that is NOT advertising as app connector
notAdvertisingNode := &types.Node{
ID: 2,
UserID: &uid,
IPv4: &ipv4,
Tags: []string{"tag:connector"},
Hostinfo: &tailcfg.Hostinfo{
AppConnector: opt.NewBool(false),
},
}
// Node with different tag that IS advertising
otherTagNode := &types.Node{
ID: 3,
UserID: &uid,
IPv4: &ipv4,
Tags: []string{"tag:other"},
Hostinfo: &tailcfg.Hostinfo{
AppConnector: opt.NewBool(true),
},
}
// Node without any matching tag
noTagNode := &types.Node{
ID: 4,
UserID: &uid,
IPv4: &ipv4,
Tags: []string{"tag:unrelated"},
Hostinfo: &tailcfg.Hostinfo{
AppConnector: opt.NewBool(true),
},
}
nodes := types.Nodes{connectorNode, notAdvertisingNode, otherTagNode, noTagNode}
pm, err := NewPolicyManager([]byte(policyJSON), users, nodes.ViewSlice())
require.NoError(t, err)
tests := []struct {
name string
node *types.Node
wantLen int
wantName string
}{
{
name: "connector node gets matching configs",
node: connectorNode,
wantLen: 2, // Internal Apps and VPN Apps
wantName: "Internal Apps",
},
{
name: "non-advertising node gets no config",
node: notAdvertisingNode,
wantLen: 0,
},
{
name: "other tag node gets other config",
node: otherTagNode,
wantLen: 1, // Other Apps
wantName: "Other Apps",
},
{
name: "unrelated tag gets no config",
node: noTagNode,
wantLen: 0,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
configs := pm.AppConnectorConfigForNode(tt.node.View())
assert.Len(t, configs, tt.wantLen)
if tt.wantLen > 0 && tt.wantName != "" {
assert.Equal(t, tt.wantName, configs[0].Name)
}
})
}
}
func TestAppConnectorWildcardConnector(t *testing.T) {
policyJSON := `{
"appConnectors": [
{
"name": "All Connectors",
"connectors": ["*"],
"domains": ["*.example.com"]
}
]
}`
users := []types.User{
{Model: gorm.Model{ID: 1}, Email: "user@example.com"},
}
uid := uint(1)
ipv4 := netip.MustParseAddr("100.64.0.1")
// Any node advertising as connector should match wildcard
node := &types.Node{
ID: 1,
UserID: &uid,
IPv4: &ipv4,
Tags: []string{"tag:anyvalue"},
Hostinfo: &tailcfg.Hostinfo{
AppConnector: opt.NewBool(true),
},
}
nodes := types.Nodes{node}
pm, err := NewPolicyManager([]byte(policyJSON), users, nodes.ViewSlice())
require.NoError(t, err)
configs := pm.AppConnectorConfigForNode(node.View())
require.Len(t, configs, 1)
assert.Equal(t, "All Connectors", configs[0].Name)
assert.Equal(t, []string{"*.example.com"}, configs[0].Domains)
}
func TestValidateAppConnectorDomain(t *testing.T) {
tests := []struct {
domain string
wantErr bool
}{
{"example.com", false},
{"sub.example.com", false},
{"*.example.com", false},
{"a.b.c.example.com", false},
{"", true},
{".example.com", true},
{"example.com.", true},
{"example..com", true},
{"*.", true},
}
for _, tt := range tests {
t.Run(tt.domain, func(t *testing.T) {
err := validateAppConnectorDomain(tt.domain)
if tt.wantErr {
assert.Error(t, err)
} else {
assert.NoError(t, err)
}
})
}
}

74
hscontrol/policy/v2/policy.go
View file

@ -1074,3 +1074,77 @@ func resolveTagOwners(p *Policy, users types.Users, nodes views.Slice[types.Node
return ret, nil
}
// AppConnectorConfigForNode returns the app connector configuration for a node
// that is advertising itself as an app connector.
// Returns nil if the node is not configured as an app connector or doesn't advertise as one.
func (pm *PolicyManager) AppConnectorConfigForNode(node types.NodeView) []AppConnectorAttr {
if pm == nil || pm.pol == nil {
return nil
}
// Check if node advertises as an app connector
if !node.Hostinfo().Valid() {
return nil
}
appConnector, ok := node.Hostinfo().AppConnector().Get()
if !ok || !appConnector {
return nil
}
pm.mu.Lock()
defer pm.mu.Unlock()
return pm.appConnectorConfigForNodeLocked(node)
}
// appConnectorConfigForNodeLocked returns the app connector config for a node.
// pm.mu must be held.
func (pm *PolicyManager) appConnectorConfigForNodeLocked(node types.NodeView) []AppConnectorAttr {
if pm.pol == nil || len(pm.pol.AppConnectors) == 0 {
return nil
}
var configs []AppConnectorAttr
for _, ac := range pm.pol.AppConnectors {
if pm.nodeMatchesConnector(node, ac.Connectors) {
configs = append(configs, AppConnectorAttr(ac))
}
}
return configs
}
// nodeMatchesConnector checks if a node matches any of the connector specifications.
func (pm *PolicyManager) nodeMatchesConnector(node types.NodeView, connectors []string) bool {
for _, connector := range connectors {
// Wildcard matches any advertising connector
if connector == "*" {
return true
}
// Check if it's a tag reference
if strings.HasPrefix(connector, "tag:") {
if node.HasTag(connector) {
return true
}
}
}
return false
}
// AppConnectorAttr describes a set of domains serviced by specified app connectors.
// This is similar to the Tailscale appctype.AppConnectorAttr structure.
type AppConnectorAttr struct {
// Name is the name of this collection of domains.
Name string `json:"name,omitempty"`
// Connectors enumerates the app connectors which service these domains.
Connectors []string `json:"connectors,omitempty"`
// Domains enumerates the domains serviced by the specified app connectors.
Domains []string `json:"domains,omitempty"`
// Routes enumerates the predetermined routes to be advertised.
Routes []netip.Prefix `json:"routes,omitempty"`
}

98
hscontrol/policy/v2/types.go
View file

@ -37,6 +37,15 @@ var ErrCircularReference = errors.New("circular reference detected")
var ErrUndefinedTagReference = errors.New("references undefined tag")
// App Connector validation errors.
var (
ErrAppConnectorMissingConnectors = errors.New("appConnector must have at least one connector")
ErrAppConnectorMissingDomains = errors.New("appConnector must have at least one domain")
ErrAppConnectorUndefinedTag = errors.New("appConnector references undefined tag")
ErrAppConnectorDomainEmpty = errors.New("domain cannot be empty")
ErrAppConnectorDomainInvalid = errors.New("invalid domain format")
)
type Asterix int
func (a Asterix) Validate() error {
@ -1510,6 +1519,29 @@ type Policy struct {
ACLs []ACL `json:"acls,omitempty"`
AutoApprovers AutoApproverPolicy `json:"autoApprovers"`
SSHs []SSH `json:"ssh,omitempty"`
AppConnectors []AppConnector `json:"appConnectors,omitempty"`
}
// AppConnector defines an app connector configuration that allows routing
// traffic to specific domains through designated connector nodes.
// See https://tailscale.com/kb/1281/app-connectors for more information.
type AppConnector struct {
// Name is a human-readable name for this app connector configuration.
Name string `json:"name,omitempty"`
// Connectors is a list of tags or "*" that identifies which nodes
// can serve as connectors for these domains.
// Examples: ["tag:connector"], ["*"]
Connectors []string `json:"connectors"`
// Domains is a list of domain names that should be routed through
// the connector. Supports wildcards like "*.example.com".
Domains []string `json:"domains"`
// Routes is an optional list of IP prefixes that should be
// pre-configured as routes for the connector (in addition to
// dynamically discovered routes from DNS resolution).
Routes []netip.Prefix `json:"routes,omitempty"`
}
// MarshalJSON is deliberately not implemented for Policy.
@ -1813,6 +1845,39 @@ func (p *Policy) validate() error {
}
}
// Validate app connectors
for _, ac := range p.AppConnectors {
if len(ac.Connectors) == 0 {
errs = append(errs, fmt.Errorf("%w: %q", ErrAppConnectorMissingConnectors, ac.Name))
}
if len(ac.Domains) == 0 {
errs = append(errs, fmt.Errorf("%w: %q", ErrAppConnectorMissingDomains, ac.Name))
}
// Validate connector references
for _, connector := range ac.Connectors {
if connector == "*" {
continue
}
if isTag(connector) {
tag := Tag(connector)
err := p.TagOwners.Contains(&tag)
if err != nil {
errs = append(errs, fmt.Errorf("%w: appConnector %q references %q", ErrAppConnectorUndefinedTag, ac.Name, connector))
}
}
}
// Validate domain format
for _, domain := range ac.Domains {
err := validateAppConnectorDomain(domain)
if err != nil {
errs = append(errs, fmt.Errorf("%w: appConnector %q has invalid domain %q", err, ac.Name, domain))
}
}
}
if len(errs) > 0 {
return multierr.New(errs...)
}
@ -2098,3 +2163,36 @@ func (p *Policy) usesAutogroupSelf() bool {
return false
}
// validateAppConnectorDomain validates an app connector domain.
// Valid domains can be:
// - A fully qualified domain name (e.g., "example.com")
// - A wildcard subdomain (e.g., "*.example.com").
func validateAppConnectorDomain(domain string) error {
if domain == "" {
return ErrAppConnectorDomainEmpty
}
// Check for wildcard domains
if strings.HasPrefix(domain, "*.") {
// Remove the "*." prefix and validate the rest
rest := domain[2:]
if rest == "" {
return fmt.Errorf("%w: wildcard domain must have a base domain", ErrAppConnectorDomainInvalid)
}
domain = rest
}
// Basic validation - domain should not start or end with dots
if strings.HasPrefix(domain, ".") || strings.HasSuffix(domain, ".") {
return fmt.Errorf("%w: domain cannot start or end with a dot", ErrAppConnectorDomainInvalid)
}
// Check for empty labels
if strings.Contains(domain, "..") {
return fmt.Errorf("%w: domain cannot have empty labels", ErrAppConnectorDomainInvalid)
}
return nil
}

5
hscontrol/state/state.go
View file

@ -862,6 +862,11 @@ func (s *State) NodeCanHaveTag(node types.NodeView, tag string) bool {
return s.polMan.NodeCanHaveTag(node, tag)
}
// AppConnectorConfigForNode returns the app connector configuration for a node.
func (s *State) AppConnectorConfigForNode(node types.NodeView) []policy.AppConnectorAttr {
return s.polMan.AppConnectorConfigForNode(node)
}
// SetPolicy updates the policy configuration.
func (s *State) SetPolicy(pol []byte) (bool, error) {
return s.polMan.SetPolicy(pol)

355
integration/appconnector_test.go Normal file
View file

@ -0,0 +1,355 @@
package integration
import (
"encoding/json"
"testing"
"time"
policyv2 "github.com/juanfont/headscale/hscontrol/policy/v2"
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/integrationutil"
"github.com/juanfont/headscale/integration/tsic"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"tailscale.com/tailcfg"
)
// TestAppConnectorBasic tests that app connector configuration is properly
// propagated to nodes that advertise as app connectors and match the policy.
func TestAppConnectorBasic(t *testing.T) {
IntegrationSkip(t)
// Policy with app connector configuration
policy := &policyv2.Policy{
TagOwners: policyv2.TagOwners{
"tag:connector": policyv2.Owners{usernameOwner("user1@")},
},
ACLs: []policyv2.ACL{
{
Action: "accept",
Sources: []policyv2.Alias{wildcard()},
Destinations: []policyv2.AliasWithPorts{
aliasWithPorts(wildcard(), tailcfg.PortRangeAny),
},
},
},
AppConnectors: []policyv2.AppConnector{
{
Name: "Internal Apps",
Connectors: []string{"tag:connector"},
Domains: []string{"internal.example.com", "*.corp.example.com"},
},
{
Name: "VPN Apps",
Connectors: []string{"tag:connector"},
Domains: []string{"vpn.example.com"},
Routes: []string{"10.0.0.0/8"},
},
},
}
spec := ScenarioSpec{
NodesPerUser: 0, // We'll create nodes manually with specific tags
Users: []string{"user1"},
}
scenario, err := NewScenario(spec)
require.NoError(t, err)
defer scenario.ShutdownAssertNoPanics(t)
err = scenario.CreateHeadscaleEnv(
[]tsic.Option{},
hsic.WithACLPolicy(policy),
hsic.WithTestName("appconnector"),
hsic.WithEmbeddedDERPServerOnly(),
hsic.WithTLS(),
)
require.NoError(t, err)
headscale, err := scenario.Headscale()
require.NoError(t, err)
userMap, err := headscale.MapUsers()
require.NoError(t, err)
// Create a tagged node with tag:connector using PreAuthKey (tags-as-identity)
taggedKey, err := scenario.CreatePreAuthKeyWithTags(
userMap["user1"].GetId(), false, false, []string{"tag:connector"},
)
require.NoError(t, err)
connectorNode, err := scenario.CreateTailscaleNode(
"head",
tsic.WithNetwork(scenario.networks[scenario.testDefaultNetwork]),
tsic.WithNetfilter("off"),
)
require.NoError(t, err)
err = connectorNode.Login(headscale.GetEndpoint(), taggedKey.GetKey())
require.NoError(t, err)
err = connectorNode.WaitForRunning(integrationutil.PeerSyncTimeout())
require.NoError(t, err)
// Verify the node has the tag:connector tag
assert.EventuallyWithT(t, func(c *assert.CollectT) {
status, err := connectorNode.Status()
assert.NoError(c, err)
assert.NotNil(c, status.Self.Tags, "Node should have tags")
if status.Self.Tags != nil {
assert.Contains(c, status.Self.Tags.AsSlice(), "tag:connector", "Node should have tag:connector")
}
}, 30*time.Second, 500*time.Millisecond, "Waiting for node to have correct tags")
// Advertise as an app connector using tailscale set --advertise-connector
t.Log("Advertising node as app connector")
_, _, err = connectorNode.Execute([]string{
"tailscale", "set", "--advertise-connector",
})
require.NoError(t, err)
// Wait for the app connector capability to be propagated
t.Log("Waiting for app connector capability to be propagated")
assert.EventuallyWithT(t, func(c *assert.CollectT) {
netmap, err := connectorNode.Netmap()
assert.NoError(c, err)
if netmap == nil || netmap.SelfNode == nil {
assert.Fail(c, "Netmap or SelfNode is nil")
return
}
// Check for the app-connectors capability in CapMap
capMap := netmap.SelfNode.CapMap
if capMap == nil {
assert.Fail(c, "CapMap is nil")
return
}
appConnectorCap := tailcfg.NodeCapability("tailscale.com/app-connectors")
attrs, hasCapability := capMap[appConnectorCap]
assert.True(c, hasCapability, "Node should have app-connectors capability")
if hasCapability {
// Verify we have the expected number of app connector configs
assert.Len(c, attrs, 2, "Should have 2 app connector configs")
// Verify the content of the configs
var configs []policyv2.AppConnectorAttr
for _, attr := range attrs {
var cfg policyv2.AppConnectorAttr
err := json.Unmarshal([]byte(attr), &cfg)
assert.NoError(c, err)
configs = append(configs, cfg)
}
// Check that we have the expected domains
var allDomains []string
for _, cfg := range configs {
allDomains = append(allDomains, cfg.Domains...)
}
assert.Contains(c, allDomains, "internal.example.com")
assert.Contains(c, allDomains, "*.corp.example.com")
assert.Contains(c, allDomains, "vpn.example.com")
}
}, 60*time.Second, 1*time.Second, "App connector capability should be propagated")
t.Log("TestAppConnectorBasic PASSED: App connector configuration propagated correctly")
}
// TestAppConnectorNonMatchingTag tests that nodes without matching tags
// do not receive app connector configuration.
func TestAppConnectorNonMatchingTag(t *testing.T) {
IntegrationSkip(t)
// Policy with app connector configuration for tag:connector only
policy := &policyv2.Policy{
TagOwners: policyv2.TagOwners{
"tag:connector": policyv2.Owners{usernameOwner("user1@")},
"tag:other": policyv2.Owners{usernameOwner("user1@")},
},
ACLs: []policyv2.ACL{
{
Action: "accept",
Sources: []policyv2.Alias{wildcard()},
Destinations: []policyv2.AliasWithPorts{
aliasWithPorts(wildcard(), tailcfg.PortRangeAny),
},
},
},
AppConnectors: []policyv2.AppConnector{
{
Name: "Internal Apps",
Connectors: []string{"tag:connector"},
Domains: []string{"internal.example.com"},
},
},
}
spec := ScenarioSpec{
NodesPerUser: 0,
Users: []string{"user1"},
}
scenario, err := NewScenario(spec)
require.NoError(t, err)
defer scenario.ShutdownAssertNoPanics(t)
err = scenario.CreateHeadscaleEnv(
[]tsic.Option{},
hsic.WithACLPolicy(policy),
hsic.WithTestName("appconnector-nonmatch"),
hsic.WithEmbeddedDERPServerOnly(),
hsic.WithTLS(),
)
require.NoError(t, err)
headscale, err := scenario.Headscale()
require.NoError(t, err)
userMap, err := headscale.MapUsers()
require.NoError(t, err)
// Create a node with tag:other (not tag:connector)
taggedKey, err := scenario.CreatePreAuthKeyWithTags(
userMap["user1"].GetId(), false, false, []string{"tag:other"},
)
require.NoError(t, err)
otherNode, err := scenario.CreateTailscaleNode(
"head",
tsic.WithNetwork(scenario.networks[scenario.testDefaultNetwork]),
tsic.WithNetfilter("off"),
)
require.NoError(t, err)
err = otherNode.Login(headscale.GetEndpoint(), taggedKey.GetKey())
require.NoError(t, err)
err = otherNode.WaitForRunning(integrationutil.PeerSyncTimeout())
require.NoError(t, err)
// Verify the node has the tag:other tag
assert.EventuallyWithT(t, func(c *assert.CollectT) {
status, err := otherNode.Status()
assert.NoError(c, err)
assert.NotNil(c, status.Self.Tags, "Node should have tags")
if status.Self.Tags != nil {
assert.Contains(c, status.Self.Tags.AsSlice(), "tag:other", "Node should have tag:other")
}
}, 30*time.Second, 500*time.Millisecond, "Waiting for node to have correct tags")
// Advertise as an app connector
t.Log("Advertising node as app connector (should NOT receive config)")
_, _, err = otherNode.Execute([]string{
"tailscale", "set", "--advertise-connector",
})
require.NoError(t, err)
// Wait a bit and verify the node does NOT have app connector capability
// Use a shorter timeout since we're checking for absence
time.Sleep(5 * time.Second)
netmap, err := otherNode.Netmap()
require.NoError(t, err)
if netmap != nil && netmap.SelfNode != nil && netmap.SelfNode.CapMap != nil {
appConnectorCap := tailcfg.NodeCapability("tailscale.com/app-connectors")
_, hasCapability := netmap.SelfNode.CapMap[appConnectorCap]
assert.False(t, hasCapability, "Node with non-matching tag should NOT have app-connectors capability")
}
t.Log("TestAppConnectorNonMatchingTag PASSED: Non-matching tag correctly excluded")
}
// TestAppConnectorWildcardConnector tests that a wildcard (*) connector
// matches all nodes that advertise as app connectors.
func TestAppConnectorWildcardConnector(t *testing.T) {
IntegrationSkip(t)
// Policy with wildcard connector
policy := &policyv2.Policy{
ACLs: []policyv2.ACL{
{
Action: "accept",
Sources: []policyv2.Alias{wildcard()},
Destinations: []policyv2.AliasWithPorts{
aliasWithPorts(wildcard(), tailcfg.PortRangeAny),
},
},
},
AppConnectors: []policyv2.AppConnector{
{
Name: "All Connectors",
Connectors: []string{"*"},
Domains: []string{"*.internal.example.com"},
},
},
}
spec := ScenarioSpec{
NodesPerUser: 1, // Create a regular user node
Users: []string{"user1"},
}
scenario, err := NewScenario(spec)
require.NoError(t, err)
defer scenario.ShutdownAssertNoPanics(t)
err = scenario.CreateHeadscaleEnv(
[]tsic.Option{
tsic.WithNetfilter("off"),
},
hsic.WithACLPolicy(policy),
hsic.WithTestName("appconnector-wildcard"),
hsic.WithEmbeddedDERPServerOnly(),
hsic.WithTLS(),
)
require.NoError(t, err)
user1Clients, err := scenario.ListTailscaleClients("user1")
require.NoError(t, err)
require.Len(t, user1Clients, 1)
regularNode := user1Clients[0]
// Advertise as an app connector - with wildcard, any node should work
t.Log("Advertising regular node as app connector with wildcard policy")
_, _, err = regularNode.Execute([]string{
"tailscale", "set", "--advertise-connector",
})
require.NoError(t, err)
// Wait for the app connector capability to be propagated
assert.EventuallyWithT(t, func(c *assert.CollectT) {
netmap, err := regularNode.Netmap()
assert.NoError(c, err)
if netmap == nil || netmap.SelfNode == nil {
assert.Fail(c, "Netmap or SelfNode is nil")
return
}
capMap := netmap.SelfNode.CapMap
if capMap == nil {
assert.Fail(c, "CapMap is nil")
return
}
appConnectorCap := tailcfg.NodeCapability("tailscale.com/app-connectors")
attrs, hasCapability := capMap[appConnectorCap]
assert.True(c, hasCapability, "Node should have app-connectors capability with wildcard connector")
if hasCapability {
assert.Len(c, attrs, 1, "Should have 1 app connector config")
// Verify the domain
var cfg policyv2.AppConnectorAttr
err := json.Unmarshal([]byte(attrs[0]), &cfg)
assert.NoError(c, err)
assert.Contains(c, cfg.Domains, "*.internal.example.com")
}
}, 60*time.Second, 1*time.Second, "App connector capability should be propagated with wildcard")
t.Log("TestAppConnectorWildcardConnector PASSED: Wildcard connector works correctly")
}