Constants

// Wildcard is the "*" alias. It is an Asterix, whose Resolve ignores the
// Policy and Users arguments and is computed from the node list alone.
const Wildcard = Asterix(0)

Variables

// Sentinel errors returned while validating SSH rules. Each one names a
// source/destination combination that the policy refuses to compile, so
// callers can distinguish them with errors.Is.
var (
	// A tag-based source may not target user-owned devices.
	ErrSSHTagSourceToUserDest             = errors.New("tags in SSH source cannot access user-owned devices")
	// A user destination is only reachable from a source made up solely of that same user.
	ErrSSHUserDestRequiresSameUser        = errors.New("user destination requires source to contain only that same user")
	// autogroup:self as destination needs a source of users or groups only.
	ErrSSHAutogroupSelfRequiresUserSource = errors.New("autogroup:self destination requires source to contain only users or groups, not tags or autogroup:tagged")
	// A tag-based source may not target autogroup:member (user-owned devices).
	ErrSSHTagSourceToAutogroupMember      = errors.New("tags in SSH source cannot access autogroup:member (user-owned devices)")
	// "*" is rejected as an SSH destination; SSH rules must name their targets explicitly.
	ErrSSHWildcardDestination             = errors.New("wildcard (*) is not supported as SSH destination")
)

SSH validation errors, returned when an SSH rule combines sources and destinations that the policy forbids.

// ErrAutogroupSelfRequiresPerNodeResolution is returned when autogroup:self is
// resolved in a context that has no single "self" node to resolve against.
var ErrAutogroupSelfRequiresPerNodeResolution = errors.New("autogroup:self requires per-node resolution and cannot be resolved in this context")
// ErrCircularReference is returned when policy entities refer to each other in
// a cycle (for example via groups), which would otherwise never terminate.
var ErrCircularReference = errors.New("circular reference detected")
// ErrInvalidAction is returned for an action value that is not one of the
// defined Action / SSHAction constants.
var ErrInvalidAction = errors.New("invalid action")
var ErrInvalidTagOwner = errors.New("tag owner is not an Alias")

ErrInvalidTagOwner is returned when a tag owner is not an Alias type.

// ErrUndefinedTagReference is returned when a rule refers to a tag that has
// no entry in the policy (see PolicyManager.TagExists).
var ErrUndefinedTagReference = errors.New("references undefined tag")

Functions

This section is empty.

Types

type ACL

// ACL is a single network access rule: traffic of Protocol from any of
// Sources to any of the Destinations (an alias plus port ranges) receives
// Action. Action currently has a single defined value, ActionAccept, so each
// rule is an allow entry.
type ACL struct {
	// Action is the verdict for matching traffic (JSON key "action").
	Action       Action           `json:"action"`
	// Protocol selects the IP protocol, or ProtocolWildcard (JSON key "proto").
	Protocol     Protocol         `json:"proto"`
	// Sources are the aliases the traffic may originate from (JSON key "src").
	Sources      Aliases          `json:"src"`
	// Destinations are the aliases, with port ranges, the traffic may reach (JSON key "dst").
	Destinations []AliasWithPorts `json:"dst"`
}

func (*ACL) UnmarshalJSON added in v0.27.0

func (a *ACL) UnmarshalJSON(b []byte) error

UnmarshalJSON implements custom unmarshalling for ACL that ignores fields whose names start with '#'. headscale-admin uses '#'-prefixed field names to attach metadata to rules, so those keys are dropped before decoding to ensure a policy edited by that tool doesn't fail to parse. https://github.com/GoodiesHQ/headscale-admin/blob/214a44a9c15c92d2b42383f131b51df10c84017c/src/lib/common/acl.svelte.ts#L38

type Action added in v0.27.0

type Action string

Action represents the action to take for an ACL rule.

// Defined ACL actions. Only "accept" exists; anything else is rejected by
// Action.UnmarshalJSON (see ErrInvalidAction).
const (
	ActionAccept Action = "accept"
)

func (Action) MarshalJSON added in v0.27.0

func (a Action) MarshalJSON() ([]byte, error)

MarshalJSON implements JSON marshaling for Action.

func (Action) String added in v0.27.0

func (a Action) String() string

String returns the string representation of the Action.

func (*Action) UnmarshalJSON added in v0.27.0

func (a *Action) UnmarshalJSON(b []byte) error

UnmarshalJSON implements JSON unmarshaling for Action.

type Alias

// Alias is something a policy rule can name as a source or destination
// (user, group, tag, host, prefix, autogroup or "*"). Every implementation
// can validate its own syntax, decode itself from JSON, and resolve to the
// concrete IP set it stands for.
type Alias interface {
	// Validate checks the alias's syntax (e.g. required prefix) without
	// consulting the policy.
	Validate() error
	// UnmarshalJSON decodes the alias from its JSON representation.
	UnmarshalJSON([]byte) error

	// Resolve resolves the Alias to an IPSet. The IPSet will contain all the IP
	// addresses that the Alias represents within Headscale. It is the product
	// of the Alias and the Policy, Users and Nodes.
	// This is an interface definition and the implementation is independent of
	// the Alias type.
	Resolve(*Policy, types.Users, views.Slice[types.NodeView]) (*netipx.IPSet, error)
}

type AliasEnc

type AliasEnc struct{ Alias }

AliasEnc is a wrapper used to deserialize an Alias from JSON, since the concrete Alias type is only known once the value has been inspected.

func (*AliasEnc) UnmarshalJSON

func (ve *AliasEnc) UnmarshalJSON(b []byte) error

type AliasWithPorts

// AliasWithPorts is an ACL destination: an Alias together with the port
// ranges that apply to it.
type AliasWithPorts struct {
	Alias
	// Ports are the destination port ranges this entry covers.
	Ports []tailcfg.PortRange
}

func (AliasWithPorts) MarshalJSON added in v0.27.0

func (a AliasWithPorts) MarshalJSON() ([]byte, error)

MarshalJSON marshals the AliasWithPorts to JSON.

func (*AliasWithPorts) UnmarshalJSON

func (ve *AliasWithPorts) UnmarshalJSON(b []byte) error

type Aliases

type Aliases []Alias

func (Aliases) MarshalJSON added in v0.27.0

func (a Aliases) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Aliases to JSON.

func (Aliases) Resolve

func (a Aliases) Resolve(p *Policy, users types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (*Aliases) UnmarshalJSON

func (a *Aliases) UnmarshalJSON(b []byte) error

type Asterix

type Asterix int

func (Asterix) MarshalJSON added in v0.27.0

func (a Asterix) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Asterix to JSON.

func (Asterix) Resolve

func (a Asterix) Resolve(_ *Policy, _ types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (Asterix) String

func (a Asterix) String() string

func (Asterix) UnmarshalJSON

func (a Asterix) UnmarshalJSON(b []byte) error

func (Asterix) Validate

func (a Asterix) Validate() error

type AutoApprover

// AutoApprover is an alias kind that may appear in AutoApproverPolicy
// (see the CanBeAutoApprover methods on Group, Tag and Username).
type AutoApprover interface {
	// CanBeAutoApprover reports whether this alias kind may auto-approve
	// routes or exit nodes.
	CanBeAutoApprover() bool
	// UnmarshalJSON decodes the approver from its JSON representation.
	UnmarshalJSON([]byte) error
	String() string
}

type AutoApproverEnc

type AutoApproverEnc struct{ AutoApprover }

AutoApproverEnc is a wrapper used to deserialize an AutoApprover from JSON.

func (*AutoApproverEnc) UnmarshalJSON

func (ve *AutoApproverEnc) UnmarshalJSON(b []byte) error

type AutoApproverPolicy

// AutoApproverPolicy declares who may have advertised routes and exit nodes
// approved automatically (see PolicyManager.NodeCanApproveRoute).
type AutoApproverPolicy struct {
	// Routes maps a route prefix to the approvers allowed for it (JSON key "routes").
	Routes   map[netip.Prefix]AutoApprovers `json:"routes,omitempty"`
	// ExitNode lists the approvers allowed to advertise an exit node (JSON key "exitNode").
	ExitNode AutoApprovers                  `json:"exitNode,omitempty"`
}

func (AutoApproverPolicy) MarshalJSON added in v0.27.0

func (ap AutoApproverPolicy) MarshalJSON() ([]byte, error)

MarshalJSON marshals the AutoApproverPolicy to JSON.

type AutoApprovers

type AutoApprovers []AutoApprover

func (AutoApprovers) MarshalJSON added in v0.27.0

func (aa AutoApprovers) MarshalJSON() ([]byte, error)

MarshalJSON marshals the AutoApprovers to JSON.

func (*AutoApprovers) UnmarshalJSON

func (aa *AutoApprovers) UnmarshalJSON(b []byte) error

type AutoGroup

type AutoGroup string

AutoGroup is a special string which is always prefixed with `autogroup:`.

// Recognised autogroups. Their membership is computed, not declared in the
// policy file.
const (
	// NOTE(review): presumably resolves to exit-node/internet destinations — confirm in AutoGroup.Resolve.
	AutoGroupInternet AutoGroup = "autogroup:internet"
	// User-owned devices (see ErrSSHTagSourceToAutogroupMember).
	AutoGroupMember   AutoGroup = "autogroup:member"
	// NOTE(review): presumably the non-root SSH login users — confirm against SSHUsers.ContainsNonRoot.
	AutoGroupNonRoot  AutoGroup = "autogroup:nonroot"
	// Tagged nodes, as opposed to user-owned ones.
	AutoGroupTagged   AutoGroup = "autogroup:tagged"
	// The node being evaluated; requires per-node resolution
	// (see ErrAutogroupSelfRequiresPerNodeResolution).
	AutoGroupSelf     AutoGroup = "autogroup:self"
)

func (*AutoGroup) Is

func (ag *AutoGroup) Is(c AutoGroup) bool

func (AutoGroup) MarshalJSON added in v0.27.0

func (ag AutoGroup) MarshalJSON() ([]byte, error)

MarshalJSON marshals the AutoGroup to JSON.

func (AutoGroup) Resolve

func (ag AutoGroup) Resolve(p *Policy, users types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (AutoGroup) String added in v0.27.0

func (ag AutoGroup) String() string

func (*AutoGroup) UnmarshalJSON

func (ag *AutoGroup) UnmarshalJSON(b []byte) error

func (AutoGroup) Validate

func (ag AutoGroup) Validate() error

type Group

type Group string

Group is a special string which is always prefixed with `group:`.

func (Group) CanBeAutoApprover

func (g Group) CanBeAutoApprover() bool

func (Group) CanBeTagOwner

func (g Group) CanBeTagOwner() bool

func (Group) MarshalJSON added in v0.27.0

func (g Group) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Group to JSON.

func (Group) Resolve

func (g Group) Resolve(p *Policy, users types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (Group) String

func (g Group) String() string

String returns the string representation of the Group.

func (*Group) UnmarshalJSON

func (g *Group) UnmarshalJSON(b []byte) error

func (Group) Validate

func (g Group) Validate() error

type Groups

type Groups map[Group]Usernames

Groups are a map of Group to a list of Username.

func (Groups) Contains

func (g Groups) Contains(group *Group) error

func (Groups) MarshalJSON added in v0.27.0

func (g Groups) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Groups to JSON.

func (*Groups) UnmarshalJSON

func (g *Groups) UnmarshalJSON(b []byte) error

UnmarshalJSON overrides the default JSON unmarshalling for Groups to ensure that each group name is validated using the isGroup function. This ensures that all group names conform to the expected format, which is always prefixed with "group:". If any group name is invalid, an error is returned.

type Host

type Host string

Host is a string that represents a hostname.

func (Host) MarshalJSON added in v0.27.0

func (h Host) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Host to JSON.

func (Host) Resolve

func (h Host) Resolve(p *Policy, _ types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (Host) String added in v0.27.0

func (h Host) String() string

func (*Host) UnmarshalJSON

func (h *Host) UnmarshalJSON(b []byte) error

func (Host) Validate

func (h Host) Validate() error

type Hosts

type Hosts map[Host]Prefix

Hosts maps a Host alias to the IP address or subnet (a Prefix) it stands for.

func (Hosts) MarshalJSON added in v0.27.0

func (h Hosts) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Hosts to JSON.

func (*Hosts) UnmarshalJSON

func (h *Hosts) UnmarshalJSON(b []byte) error

type Owner

// Owner is an alias kind that may own a tag in TagOwners (see the
// CanBeTagOwner methods on Group, Tag and Username).
type Owner interface {
	// CanBeTagOwner reports whether this alias kind may be listed as a tag owner.
	CanBeTagOwner() bool
	// UnmarshalJSON decodes the owner from its JSON representation.
	UnmarshalJSON([]byte) error
	String() string
}

type OwnerEnc

type OwnerEnc struct{ Owner }

OwnerEnc is a wrapper used to deserialize an Owner from JSON.

func (*OwnerEnc) UnmarshalJSON

func (ve *OwnerEnc) UnmarshalJSON(b []byte) error

type Owners

type Owners []Owner

func (Owners) MarshalJSON added in v0.27.0

func (o Owners) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Owners to JSON.

func (*Owners) UnmarshalJSON

func (o *Owners) UnmarshalJSON(b []byte) error

type Policy

// Policy is the parsed policy file. Groups, Hosts and TagOwners define the
// aliases that ACLs and SSHs refer to; AutoApprovers is the route/exit-node
// auto-approval policy. Note that AutoApprovers has no omitempty and is
// therefore always emitted on marshal, unlike the other fields.
type Policy struct {
	// Groups maps "group:" names to member usernames (JSON key "groups").
	Groups        Groups             `json:"groups,omitempty"`
	// Hosts maps host aliases to IP prefixes (JSON key "hosts").
	Hosts         Hosts              `json:"hosts,omitempty"`
	// TagOwners lists, per tag, the owners that may assign it in
	// client-initiated flows (see PolicyManager.NodeCanHaveTag) (JSON key "tagOwners").
	TagOwners     TagOwners          `json:"tagOwners,omitempty"`
	// ACLs are the network access rules (JSON key "acls").
	ACLs          []ACL              `json:"acls,omitempty"`
	// AutoApprovers is the auto-approval policy (JSON key "autoApprovers").
	AutoApprovers AutoApproverPolicy `json:"autoApprovers"`
	// SSHs are the SSH access rules (JSON key "ssh").
	SSHs          []SSH              `json:"ssh,omitempty"`
	// contains filtered or unexported fields
}

Policy represents a Tailscale Network Policy. TODO(kradalby): add a validation method that checks that all referenced users exist; that all groups and users are valid; that TagOwners refer only to valid tags and owners; and that everything referred to in ACLs exists in the other entities.

type PolicyManager

type PolicyManager struct {
	// contains filtered or unexported fields
}

func NewPolicyManager

func NewPolicyManager(b []byte, users []types.User, nodes views.Slice[types.NodeView]) (*PolicyManager, error)

NewPolicyManager creates a new PolicyManager from a policy file and a list of users and nodes. It returns an error if the policy file is invalid. The policy manager will update the filter rules based on the users and nodes.

func (*PolicyManager) BuildPeerMap added in v0.27.0

func (pm *PolicyManager) BuildPeerMap(nodes views.Slice[types.NodeView]) map[types.NodeID][]types.NodeView

BuildPeerMap constructs peer relationship maps for the given nodes. For global filters, it uses the global filter matchers for all nodes. For autogroup:self policies (empty global filter), it builds per-node peer maps using each node's specific filter rules.

func (*PolicyManager) DebugString

func (pm *PolicyManager) DebugString() string

func (*PolicyManager) Filter

func (pm *PolicyManager) Filter() ([]tailcfg.FilterRule, []matcher.Match)

Filter returns the current filter rules for the entire tailnet and the associated matchers.

func (*PolicyManager) FilterForNode added in v0.27.0

func (pm *PolicyManager) FilterForNode(node types.NodeView) ([]tailcfg.FilterRule, error)

FilterForNode returns the filter rules for a specific node, already reduced to only include rules relevant to that node. If the policy uses autogroup:self, this returns node-specific compiled rules. Otherwise, it returns the global filter reduced for this node.

func (*PolicyManager) MatchersForNode added in v0.27.0

func (pm *PolicyManager) MatchersForNode(node types.NodeView) ([]matcher.Match, error)

MatchersForNode returns the matchers for peer relationship determination for a specific node. These are UNREDUCED matchers - they include all rules where the node could be either source or destination. This is different from FilterForNode which returns REDUCED rules for packet filtering.

For global policies it returns the global matchers (the same for all nodes). For autogroup:self policies it returns node-specific matchers built from the unreduced compiled rules.

func (*PolicyManager) NodeCanApproveRoute

func (pm *PolicyManager) NodeCanApproveRoute(node types.NodeView, route netip.Prefix) bool

func (*PolicyManager) NodeCanHaveTag

func (pm *PolicyManager) NodeCanHaveTag(node types.NodeView, tag string) bool

NodeCanHaveTag checks if a node can have the specified tag during client-initiated registration or reauth flows (e.g., tailscale up --advertise-tags).

This function is NOT used by the admin API's SetNodeTags: an admin can set any tag that exists in the policy on any node by calling State.SetNodeTags directly, which bypasses this tag-ownership check. The TagOwners restriction is therefore only enforced for client-initiated tag requests.

func (*PolicyManager) SSHPolicy

func (pm *PolicyManager) SSHPolicy(node types.NodeView) (*tailcfg.SSHPolicy, error)

func (*PolicyManager) SetNodes

func (pm *PolicyManager) SetNodes(nodes views.Slice[types.NodeView]) (bool, error)

SetNodes updates the nodes in the policy manager and updates the filter rules.

func (*PolicyManager) SetPolicy

func (pm *PolicyManager) SetPolicy(polB []byte) (bool, error)

func (*PolicyManager) SetUsers

func (pm *PolicyManager) SetUsers(users []types.User) (bool, error)

SetUsers updates the users in the policy manager and updates the filter rules.

func (*PolicyManager) TagExists added in v0.28.0

func (pm *PolicyManager) TagExists(tag string) bool

TagExists reports whether the given tag is defined in the policy.

func (*PolicyManager) Version

func (pm *PolicyManager) Version() int

type Prefix

type Prefix netip.Prefix

func (Prefix) MarshalJSON added in v0.27.0

func (p Prefix) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Prefix to JSON.

func (Prefix) Resolve

func (p Prefix) Resolve(_ *Policy, _ types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

Resolve resolves the Prefix to an IPSet. The IPSet will contain all the IP addresses that the Prefix represents within Headscale. It is the product of the Prefix and the Policy, Users, and Nodes.

See Policy, types.Users, and types.Nodes for more details.

func (Prefix) String

func (p Prefix) String() string

func (*Prefix) UnmarshalJSON

func (p *Prefix) UnmarshalJSON(b []byte) error

func (Prefix) Validate

func (p Prefix) Validate() error

type Protocol added in v0.27.0

type Protocol string

Protocol represents a network protocol with its IANA number and descriptions.

// Protocol names accepted in an ACL's "proto" field. ProtocolWildcard ("*")
// is the wildcard value; the rest are IANA protocol names.
const (
	ProtocolICMP     Protocol = "icmp"
	ProtocolIGMP     Protocol = "igmp"
	ProtocolIPv4     Protocol = "ipv4"
	ProtocolIPInIP   Protocol = "ip-in-ip"
	ProtocolTCP      Protocol = "tcp"
	ProtocolEGP      Protocol = "egp"
	ProtocolIGP      Protocol = "igp"
	ProtocolUDP      Protocol = "udp"
	ProtocolGRE      Protocol = "gre"
	ProtocolESP      Protocol = "esp"
	ProtocolAH       Protocol = "ah"
	ProtocolIPv6ICMP Protocol = "ipv6-icmp"
	ProtocolSCTP     Protocol = "sctp"
	ProtocolFC       Protocol = "fc"
	// Wildcard: no protocol restriction.
	ProtocolWildcard Protocol = "*"
)

func (Protocol) Description added in v0.27.0

func (p Protocol) Description() string

Description returns the human-readable description of the Protocol.

func (Protocol) MarshalJSON added in v0.27.0

func (p Protocol) MarshalJSON() ([]byte, error)

MarshalJSON implements JSON marshaling for Protocol.

func (Protocol) String added in v0.27.0

func (p Protocol) String() string

String returns the string representation of the Protocol.

func (*Protocol) UnmarshalJSON added in v0.27.0

func (p *Protocol) UnmarshalJSON(b []byte) error

UnmarshalJSON implements JSON unmarshaling for Protocol.

type SSH

// SSH is a single Tailscale SSH rule: Sources may log in to Destinations as
// any of Users, with Action deciding between a plain accept and a "check".
// The ErrSSH* sentinel errors describe the source/destination combinations
// that are rejected at validation time.
type SSH struct {
	// Action is "accept" or "check" (JSON key "action"; see SSHAction).
	Action       SSHAction      `json:"action"`
	// Sources are the users, groups, tags or autogroups allowed to connect (JSON key "src").
	Sources      SSHSrcAliases  `json:"src"`
	// Destinations are the users, tags or autogroups that may be reached;
	// "*" is not permitted here (JSON key "dst"; see ErrSSHWildcardDestination).
	Destinations SSHDstAliases  `json:"dst"`
	// Users are the SSH login usernames permitted on the destination (JSON key "users").
	Users        SSHUsers       `json:"users"`
	// CheckPeriod is dropped from JSON when zero. NOTE(review): presumably only
	// meaningful with SSHActionCheck — confirm in the SSH policy compiler.
	CheckPeriod  model.Duration `json:"checkPeriod,omitempty"`
}

SSH controls who can ssh into which machines.

type SSHAction added in v0.27.0

type SSHAction string

SSHAction represents the action to take for an SSH rule.

// Defined SSH actions. "accept" grants the session outright; "check" is the
// variant that pairs with SSH.CheckPeriod.
const (
	SSHActionAccept SSHAction = "accept"
	SSHActionCheck  SSHAction = "check"
)

func (SSHAction) MarshalJSON added in v0.27.0

func (a SSHAction) MarshalJSON() ([]byte, error)

MarshalJSON implements JSON marshaling for SSHAction.

func (SSHAction) String added in v0.27.0

func (a SSHAction) String() string

String returns the string representation of the SSHAction.

func (*SSHAction) UnmarshalJSON added in v0.27.0

func (a *SSHAction) UnmarshalJSON(b []byte) error

UnmarshalJSON implements JSON unmarshaling for SSHAction.

type SSHDstAliases

type SSHDstAliases []Alias

SSHDstAliases is a list of aliases that can be used as destinations in an SSH rule. It can be a list of usernames, tags or autogroups.

func (SSHDstAliases) MarshalJSON added in v0.27.0

func (a SSHDstAliases) MarshalJSON() ([]byte, error)

MarshalJSON marshals the SSHDstAliases to JSON.

func (*SSHDstAliases) UnmarshalJSON

func (a *SSHDstAliases) UnmarshalJSON(b []byte) error

type SSHSrcAliases

type SSHSrcAliases []Alias

SSHSrcAliases is a list of aliases that can be used as sources in an SSH rule. It can be a list of usernames, groups, tags or autogroups.

func (SSHSrcAliases) MarshalJSON added in v0.27.0

func (a SSHSrcAliases) MarshalJSON() ([]byte, error)

MarshalJSON marshals the SSHSrcAliases to JSON.

func (SSHSrcAliases) Resolve

func (a SSHSrcAliases) Resolve(p *Policy, users types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (*SSHSrcAliases) UnmarshalJSON

func (a *SSHSrcAliases) UnmarshalJSON(b []byte) error

type SSHUser

type SSHUser string

func (SSHUser) MarshalJSON added in v0.27.0

func (u SSHUser) MarshalJSON() ([]byte, error)

MarshalJSON marshals the SSHUser to JSON.

func (SSHUser) String

func (u SSHUser) String() string

type SSHUsers added in v0.27.0

type SSHUsers []SSHUser

func (SSHUsers) ContainsNonRoot added in v0.27.0

func (u SSHUsers) ContainsNonRoot() bool

func (SSHUsers) ContainsRoot added in v0.27.0

func (u SSHUsers) ContainsRoot() bool

func (SSHUsers) NormalUsers added in v0.27.0

func (u SSHUsers) NormalUsers() []SSHUser

type Tag

type Tag string

Tag is a special string which is always prefixed with `tag:`.

func (Tag) CanBeAutoApprover

func (t Tag) CanBeAutoApprover() bool

func (Tag) CanBeTagOwner added in v0.28.0

func (t Tag) CanBeTagOwner() bool

func (Tag) MarshalJSON added in v0.27.0

func (t Tag) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Tag to JSON.

func (Tag) Resolve

func (t Tag) Resolve(p *Policy, users types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (Tag) String

func (t Tag) String() string

func (*Tag) UnmarshalJSON

func (t *Tag) UnmarshalJSON(b []byte) error

func (Tag) Validate

func (t Tag) Validate() error

type TagOwners

type TagOwners map[Tag]Owners

TagOwners maps a Tag to the list of Owners permitted to own it (see Owner and the CanBeTagOwner methods on Username, Group and Tag).

func (TagOwners) Contains

func (to TagOwners) Contains(tagOwner *Tag) error

func (TagOwners) MarshalJSON added in v0.27.0

func (to TagOwners) MarshalJSON() ([]byte, error)

MarshalJSON marshals the TagOwners to JSON.

type Username

type Username string

Username is a string that represents a username; it must contain an "@".

func (Username) CanBeAutoApprover

func (u Username) CanBeAutoApprover() bool

func (Username) CanBeTagOwner

func (u Username) CanBeTagOwner() bool

func (Username) MarshalJSON added in v0.27.0

func (u Username) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Username to JSON.

func (Username) Resolve

func (u Username) Resolve(_ *Policy, users types.Users, nodes views.Slice[types.NodeView]) (*netipx.IPSet, error)

func (*Username) String

func (u *Username) String() string

func (*Username) UnmarshalJSON

func (u *Username) UnmarshalJSON(b []byte) error

func (Username) Validate

func (u Username) Validate() error

type Usernames

type Usernames []Username
