From c994eba763035af1c4b45eae4663ee8b4253a1b7 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Thu, 21 Apr 2022 14:58:41 -0700
Subject: [PATCH] ssh/tailssh: simplify matchRule with Reject rules

Updates #3802

Change-Id: I59fe111eef5ac8abbcbcec922e293712a65a4830
Signed-off-by: Brad Fitzpatrick
---
 ssh/tailssh/tailssh.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index a153f86de..5456e0151 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -976,7 +976,10 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg
 if c.ruleExpired(r) {
 return nil, "", errRuleExpired
 }
- if !r.Action.Reject || r.SSHUsers != nil {
+ if !r.Action.Reject {
+ // For all but Reject rules, SSHUsers is required.
+ // If SSHUsers is nil or empty, mapLocalUser will return an
+ // empty string anyway.
 localUser = mapLocalUser(r.SSHUsers, c.info.sshUser)
 if localUser == "" {
 return nil, "", errUserMatch
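Review bot: With `|| r.SSHUsers != nil` dropped from the condition, a Reject rule that carries a non-nil SSHUsers map no longer goes through mapLocalUser, so it appears to apply to every requested SSH user rather than only the listed ones; the new comment documents only the non-Reject branch. That errs toward denying access, but a Reject rule written to block a single user could now shadow a later accept rule, if rules are evaluated in order (the caller is not visible here). I would state the intent next to the condition, for example `// Reject rules deliberately ignore SSHUsers; they apply to any requested SSH user.`, and pin it with a test case for a Reject rule whose SSHUsers is set. matchRule starts above the hunk and continues below it, so the rest of the matching logic could not be checked.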