// TestSSHCheckModeNegativeCLI verifies that rejecting a pending SSH check
// with `headscale auth reject` denies the SSH session.
//
// Using the policy from sshCheckPolicy(), every user1 client attempts an
// SSH session to every other client in the scenario. For each pair the test
// looks up the pending auth ID, rejects it through the CLI, and then requires
// that the SSH attempt returns an error with empty stdout before
// sshRejectTimeout elapses.
//
// NOTE(review): the negative assertion only checks that the session failed
// and produced no stdout; it does not distinguish a policy denial from an
// unrelated SSH/transport failure, so any SSH error would satisfy it.
func TestSSHCheckModeNegativeCLI(t *testing.T) {
	IntegrationSkip(t)

	// Upper bound on how long the rejected SSH attempt may take to return.
	const sshRejectTimeout = 30 * time.Second

	scenario := sshScenario(t, sshCheckPolicy(), "ssh-negcli", 1)
	defer scenario.ShutdownAssertNoPanics(t)

	allClients, err := scenario.ListTailscaleClients()
	requireNoErrListClients(t, err)

	user1Clients, err := scenario.ListTailscaleClients("user1")
	requireNoErrListClients(t, err)

	headscale, err := scenario.Headscale()
	require.NoError(t, err)

	err = scenario.WaitForTailscaleSync()
	requireNoErrSync(t, err)

	// The FQDN list itself is discarded; only the error is checked here.
	_, err = scenario.ListTailscaleClientsFQDNs()
	requireNoErrListFQDN(t, err)

	for _, src := range user1Clients {
		for _, dst := range allClients {
			if src.Hostname() == dst.Hostname() {
				// Skip the self pair.
				continue
			}

			resultCh := doSSHCheck(t, src, dst)
			pendingID := findSSHCheckAuthID(t, headscale)

			// Reject the pending check via the CLI.
			rejectCmd := []string{
				"headscale", "auth", "reject",
				"--auth-id", pendingID,
			}
			_, err = headscale.Execute(rejectCmd)
			require.NoError(t, err)

			timeout := time.After(sshRejectTimeout)
			select {
			case res := <-resultCh:
				require.Error(t, res.err, "SSH should be rejected")
				assert.Empty(t, res.stdout, "no command output expected on rejection")
			case <-timeout:
				t.Fatal("SSH did not complete after auth rejection")
			}
		}
	}
}
| 1400 | |
| 1401 | // TestSSHLocalpart tests that SSH with localpart:*@<domain> works correctly. |
| 1402 | // localpart maps the local-part of each user's OIDC email to an OS user, |