feat: add support for 'always' value in ssh check period

internal/domain/acl_ssh_policy.go

@@ -39,15 +39,9 @@ func (a ACLPolicy) BuildSSHPolicy(srcs []Machine, dst *Machine) *tailcfg.SSHPoli
 			AllowLocalPortForwarding: true,
 		}
 
-		if rule.Action == "check" && rule.CheckPeriod == "" {
+		if rule.Action == "check" {
 			action = &tailcfg.SSHAction{
-				HoldAndDelegate: "https://unused/machine/ssh/action/$SRC_NODE_ID/to/$DST_NODE_ID",
-			}
-		}
-
-		if rule.Action == "check" && rule.CheckPeriod != "" {
-			action = &tailcfg.SSHAction{
-				HoldAndDelegate: "https://unused/machine/ssh/action/$SRC_NODE_ID/to/$DST_NODE_ID/" + rule.CheckPeriod,
+				HoldAndDelegate: "https://unused/machine/ssh/action/$SRC_NODE_ID/to/$DST_NODE_ID/" + safeCheckPeriod(rule.CheckPeriod),
 			}
 		}
 
@@ -157,3 +151,10 @@ func buildSSHUsers(users []string) map[string]string {
 
 	return m
 }
+
+func safeCheckPeriod(period string) string {
+	if period == "" {
+		return "always"
+	}
+	return period
+}

internal/handlers/ssh_action.go

@@ -45,10 +45,11 @@ func (h *SSHActionHandlers) StartAuth(c echo.Context) error {
 		return logError(err)
 	}
 
-	if data.CheckPeriod != "" {
+	if data.CheckPeriod != "" && data.CheckPeriod != "always" {
 		checkPeriod, err := time.ParseDuration(data.CheckPeriod)
 		if err != nil {
-			return logError(err)
+			_ = logError(err)
+			goto check
 		}
 
 		machine, err := h.repository.GetMachine(ctx, data.SrcMachineID)
@@ -71,6 +72,7 @@ func (h *SSHActionHandlers) StartAuth(c echo.Context) error {
 		}
 	}
 
+check:
 	key := util.RandStringBytes(8)
 	request := &domain.SSHActionRequest{
 		Key:          key,