feat: implements apis for managing headscale policy (#1792)

juanfont · Jul 18, 2024 · 58bd38a · 58bd38a
1 parent 00ff288
commit 58bd38a
Show file tree

Hide file tree

Showing 39 changed files with 1,872 additions and 564 deletions.
diff --git a/.github/workflows/test-integration.yaml b/.github/workflows/test-integration.yaml
@@ -18,6 +18,7 @@ jobs:
           - TestACLNamedHostsCanReachBySubnet
           - TestACLNamedHostsCanReach
           - TestACLDevice1CanAccessDevice2
+          - TestPolicyUpdateWhileRunningWithCLIInDatabase
           - TestOIDCAuthenticationPingAll
           - TestOIDCExpireNodesBasedOnTokenExpiry
           - TestAuthWebFlowAuthenticationPingAll
@@ -35,6 +36,7 @@ jobs:
           - TestNodeExpireCommand
           - TestNodeRenameCommand
           - TestNodeMoveCommand
+          - TestPolicyCommand
           - TestDERPServerScenario
           - TestPingAllByIP
           - TestPingAllByIPPublicDERP

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -44,6 +44,8 @@ after improving the test harness as part of adopting [#1460](https://github.com/
   - This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see [#1369](https://github.com/juanfont/headscale/issues/1369) for more information.
   - `use_username_in_magic_dns` can be used to turn this behaviour on again, but note that this option _will be removed_ when tags are fixed.
   - This option brings Headscales behaviour in line with Tailscale.
+- YAML files are no longer supported for headscale policy.  [#1792](https://github.com/juanfont/headscale/pull/1792)
+  - HuJSON is now the only supported format for policy.
 
 ### Changes
 
@@ -64,6 +66,7 @@ after improving the test harness as part of adopting [#1460](https://github.com/
 - Restore foreign keys and add constraints [#1562](https://github.com/juanfont/headscale/pull/1562)
 - Make registration page easier to use on mobile devices
 - Make write-ahead-log default on and configurable for SQLite [#1985](https://github.com/juanfont/headscale/pull/1985)
+- Add APIs for managing headscale policy. [#1792](https://github.com/juanfont/headscale/pull/1792)
 
 ## 0.22.3 (2023-05-12)
 

diff --git a/cmd/headscale/cli/policy.go b/cmd/headscale/cli/policy.go
@@ -0,0 +1,91 @@
+package cli
+
+import (
+	"io"
+	"os"
+
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+)
+
+func init() {
+	rootCmd.AddCommand(policyCmd)
+	policyCmd.AddCommand(getPolicy)
+
+	setPolicy.Flags().StringP("file", "f", "", "Path to a policy file in HuJSON format")
+	if err := setPolicy.MarkFlagRequired("file"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	policyCmd.AddCommand(setPolicy)
+}
+
+var policyCmd = &cobra.Command{
+	Use:   "policy",
+	Short: "Manage the Headscale ACL Policy",
+}
+
+var getPolicy = &cobra.Command{
+	Use:     "get",
+	Short:   "Print the current ACL Policy",
+	Aliases: []string{"show", "view", "fetch"},
+	Run: func(cmd *cobra.Command, args []string) {
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.GetPolicyRequest{}
+
+		response, err := client.GetPolicy(ctx, request)
+		if err != nil {
+			log.Fatal().Err(err).Msg("Failed to get the policy")
+
+			return
+		}
+
+		// TODO(pallabpain): Maybe print this better?
+		SuccessOutput("", response.GetPolicy(), "hujson")
+	},
+}
+
+var setPolicy = &cobra.Command{
+	Use:   "set",
+	Short: "Updates the ACL Policy",
+	Long: `
+	Updates the existing ACL Policy with the provided policy. The policy must be a valid HuJSON object.
+	This command only works when the acl.policy_mode is set to "db", and the policy will be stored in the database.`,
+	Aliases: []string{"put", "update"},
+	Run: func(cmd *cobra.Command, args []string) {
+		policyPath, _ := cmd.Flags().GetString("file")
+
+		f, err := os.Open(policyPath)
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error opening the policy file")
+
+			return
+		}
+		defer f.Close()
+
+		policyBytes, err := io.ReadAll(f)
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error reading the policy file")
+
+			return
+		}
+
+		request := &v1.SetPolicyRequest{Policy: string(policyBytes)}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		if _, err := client.SetPolicy(ctx, request); err != nil {
+			log.Fatal().Err(err).Msg("Failed to set ACL Policy")
+
+			return
+		}
+
+		SuccessOutput(nil, "Policy updated.", "")
+	},
+}
diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
@@ -8,16 +8,16 @@ import (
 	"os"
 	"reflect"
 
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
-	"github.com/juanfont/headscale/hscontrol/policy"
-	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"gopkg.in/yaml.v3"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 )
 
 const (
@@ -39,21 +39,6 @@ func getHeadscaleApp() (*hscontrol.Headscale, error) {
 		return nil, err
 	}
 
-	// We are doing this here, as in the future could be cool to have it also hot-reload
-
-	if cfg.ACL.PolicyPath != "" {
-		aclPath := util.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
-		pol, err := policy.LoadACLPolicyFromPath(aclPath)
-		if err != nil {
-			log.Fatal().
-				Str("path", aclPath).
-				Err(err).
-				Msg("Could not load the ACL policy")
-		}
-
-		app.ACLPolicy = pol
-	}
-
 	return app, nil
 }
 
@@ -89,7 +74,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 
 		// Try to give the user better feedback if we cannot write to the headscale
 		// socket.
-		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) //nolint
+		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) // nolint
 		if err != nil {
 			if os.IsPermission(err) {
 				log.Fatal().
@@ -167,13 +152,13 @@ func SuccessOutput(result interface{}, override string, outputFormat string) {
 			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	default:
-		//nolint
+		// nolint
 		fmt.Println(override)
 
 		return
 	}
 
-	//nolint
+	// nolint
 	fmt.Println(string(jsonBytes))
 }
 

diff --git a/config-example.yaml b/config-example.yaml
@@ -203,10 +203,18 @@ log:
   format: text
   level: info
 
-# Path to a file containing ACL policies.
-# ACLs can be defined as YAML or HUJSON.
-# https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+## Policy
+# headscale supports Tailscale's ACL policies.
+# Please have a look to their KB to better
+# understand the concepts: https://tailscale.com/kb/1018/acls/
+policy:
+  # The mode can be "file" or "database" that defines
+  # where the ACL policies are stored and read from.
+  mode: file
+  # If the mode is set to "file", the
+  # path to a file containing ACL policies.
+  # The file can be in YAML or HuJSON format.
+  path: ""
 
 ## DNS
 #

diff --git a/gen/go/headscale/v1/apikey.pb.go b/gen/go/headscale/v1/apikey.pb.go
diff --git a/gen/go/headscale/v1/device.pb.go b/gen/go/headscale/v1/device.pb.go