can the policy be typed at parsetime?

Signed-off-by: Kristoffer Dalby <[email protected]>
juanfont · Feb 26, 2025 · 1a10a8a · 1a10a8a
1 parent 7891378
commit 1a10a8a
Show file tree

Hide file tree

Showing 37 changed files with 5,644 additions and 2,201 deletions.
diff --git a/.github/workflows/test-integration.yaml b/.github/workflows/test-integration.yaml
@@ -79,6 +79,7 @@ jobs:
           - TestSSHIsBlockedInACL
           - TestSSHUserOnlyIsolation
         database: [postgres, sqlite]
+        policy: ["v1", "v2"]
     env:
       # Github does not allow us to access secrets in pull requests,
       # so this env var is used to check if we have the secret or not.
@@ -126,6 +127,7 @@ jobs:
         if: steps.changed-files.outputs.files == 'true'
         env:
           USE_POSTGRES: ${{ matrix.database == 'postgres' && '1' || '0' }}
+          USE_POLICY_V2: ${{ matrix.policy == 'v2' && '1' || '0' }}
         with:
           attempt_limit: 5
           command: |
@@ -137,6 +139,7 @@ jobs:
               --volume /var/run/docker.sock:/var/run/docker.sock \
               --volume $PWD/control_logs:/tmp/control \
               --env HEADSCALE_INTEGRATION_POSTGRES=${{env.USE_POSTGRES}} \
+              --env HEADSCALE_EXPERIMENTAL_POLICY_V2=${{env.USE_POLICY_V2}} \
               golang:1 \
                 go run gotest.tools/gotestsum@latest -- ./... \
                   -failfast \
@@ -146,12 +149,12 @@ jobs:
       - uses: actions/upload-artifact@v4
         if: always() && steps.changed-files.outputs.files == 'true'
         with:
-          name: ${{ matrix.test }}-${{matrix.database}}-logs
+          name: ${{ matrix.test }}-${{matrix.database}}-${{matrix.policy}}-logs
           path: "control_logs/*.log"
       - uses: actions/upload-artifact@v4
         if: always() && steps.changed-files.outputs.files == 'true'
         with:
-          name: ${{ matrix.test }}-${{matrix.database}}-pprof
+          name: ${{ matrix.test }}-${{matrix.database}}-${{matrix.policy}}-pprof
           path: "control_logs/*.pprof.tar"
       - name: Setup a blocking tmux session
         if: ${{ env.HAS_TAILSCALE_SECRET }}

diff --git a/hscontrol/app.go b/hscontrol/app.go
@@ -194,10 +194,14 @@ func NewHeadscale(cfg *types.Config) (*Headscale, error) {
 
 		var magicDNSDomains []dnsname.FQDN
 		if cfg.PrefixV4 != nil {
-			magicDNSDomains = append(magicDNSDomains, util.GenerateIPv4DNSRootDomain(*cfg.PrefixV4)...)
+			magicDNSDomains = append(
+				magicDNSDomains,
+				util.GenerateIPv4DNSRootDomain(*cfg.PrefixV4)...)
 		}
 		if cfg.PrefixV6 != nil {
-			magicDNSDomains = append(magicDNSDomains, util.GenerateIPv6DNSRootDomain(*cfg.PrefixV6)...)
+			magicDNSDomains = append(
+				magicDNSDomains,
+				util.GenerateIPv6DNSRootDomain(*cfg.PrefixV6)...)
 		}
 
 		// we might have routes already from Split DNS
@@ -459,11 +463,13 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	router := mux.NewRouter()
 	router.Use(prometheusMiddleware)
 
-	router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost, http.MethodGet)
+	router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).
+		Methods(http.MethodPost, http.MethodGet)
 
 	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
 	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
-	router.HandleFunc("/register/{registration_id}", h.authProvider.RegisterHandler).Methods(http.MethodGet)
+	router.HandleFunc("/register/{registration_id}", h.authProvider.RegisterHandler).
+		Methods(http.MethodGet)
 
 	if provider, ok := h.authProvider.(*AuthProviderOIDC); ok {
 		router.HandleFunc("/oidc/callback", provider.OIDCCallbackHandler).Methods(http.MethodGet)
@@ -523,7 +529,11 @@ func usersChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *not
 // Maybe we should attempt a new in memory state and not go via the DB?
 // Maybe this should be implemented as an event bus?
 // A bool is returned indicating if a full update was sent to all nodes
-func nodesChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *notifier.Notifier) (bool, error) {
+func nodesChangedHook(
+	db *db.HSDatabase,
+	polMan policy.PolicyManager,
+	notif *notifier.Notifier,
+) (bool, error) {
 	nodes, err := db.ListNodes()
 	if err != nil {
 		return false, err
@@ -1140,9 +1150,10 @@ func (h *Headscale) loadPolicyManager() error {
 
 		h.polMan, err = policy.NewPolicyManager(pol, users, nodes)
 		if err != nil {
-			errOut = fmt.Errorf("creating policy manager: %w", err)
+			errOut = fmt.Errorf("creating policy manager v2: %w", err)
 			return
 		}
+		log.Info().Msgf("Using policy manager version: %d", h.polMan.Version())
 
 		if len(nodes) > 0 {
 			_, err = h.polMan.SSHPolicy(nodes[0])

diff --git a/hscontrol/db/db.go b/hscontrol/db/db.go
@@ -22,6 +22,7 @@ import (
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
 	"gorm.io/gorm/schema"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/util/set"
 	"zgo.at/zcache/v2"
 )
@@ -655,7 +656,7 @@ AND auth_key_id NOT IN (
 					}
 
 					for nodeID, routes := range nodeRoutes {
-						slices.SortFunc(routes, util.ComparePrefix)
+						tsaddr.SortPrefixes(routes)
 						slices.Compact(routes)
 
 						data, err := json.Marshal(routes)