From 84cb5d0aed3fe13329a3e28fc9eb1efc587a3b86 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 19 Aug 2024 13:03:01 +0200
Subject: [PATCH] make acl_policy_path fatal if policy.path is not set (#2041)
---
 config-example.yaml | 4 ++--
 hscontrol/types/config.go | 2 +-
 hscontrol/types/config_test.go | 19 +++++++++++++++++++
 .../types/testdata/policy-path-is-loaded.yaml | 18 ++++++++++++++++++
 integration/hsic/config.go | 2 +-
 integration/hsic/hsic.go | 2 +-
 6 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 hscontrol/types/testdata/policy-path-is-loaded.yaml
diff --git a/config-example.yaml b/config-example.yaml
index 44e36b82..2735eaf7 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -241,8 +241,8 @@ policy:
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-# Please not that for the DNS configuration to have any effect,
-# clients must have the `--accept-ds=true` option enabled. This is the
+# Please note that for the DNS configuration to have any effect,
+# clients must have the `--accept-dns=true` option enabled. This is the
 # default for the Tailscale client. This option is enabled by default
 # in the Tailscale client.
 #
diff --git a/hscontrol/types/config.go b/hscontrol/types/config.go
index bff80998..30fa1c6b 100644
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@@ -303,7 +303,7 @@ func LoadConfig(path string, isFile bool) error {
 // https://github.com/spf13/viper/issues/560
 // Alias the old ACL Policy path with the new configuration option.
- depr.warnWithAlias("policy.path", "acl_policy_path")
+ depr.fatalIfNewKeyIsNotUsed("policy.path", "acl_policy_path")
 // Move dns_config -> dns
 depr.warn("dns_config.override_local_dns")
diff --git a/hscontrol/types/config_test.go b/hscontrol/types/config_test.go
index 7cf562b1..2b36e45c 100644
--- a/hscontrol/types/config_test.go
+++ b/hscontrol/types/config_test.go
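Review bot: In hscontrol/types/config.go, the context comment `// Alias the old ACL Policy path with the new configuration option.` is stale once the call below it becomes `depr.fatalIfNewKeyIsNotUsed("policy.path", "acl_policy_path")`, because the old key is no longer aliased. I would replace it with `// acl_policy_path is no longer aliased to policy.path; refuse to start when only the old key is set.` Judging by the helper's name, the intent is to fail closed rather than start without the policy file the operator configured, and saying so in the comment explains why this key is fatal while the `dns_config.*` keys below only warn. The helper's body and the rest of LoadConfig are outside the hunk, so the exact failure mode (returned error or process exit) is not confirmed here.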
@@ -161,6 +161,25 @@ func TestReadConfig(t *testing.T) {
 },
 wantErr: "",
 },
+ {
+ name: "policy-path-is-loaded",
+ configPath: "testdata/policy-path-is-loaded.yaml",
+ setup: func(t *testing.T) (any, error) {
+ cfg, err := GetHeadscaleConfig()
+ if err != nil {
+ return nil, err
+ }
+
+ return map[string]string{
+ "policy.mode": string(cfg.Policy.Mode),
+ "policy.path": cfg.Policy.Path,
+ }, err
+ },
+ want: map[string]string{
+ "policy.mode": "file",
+ "policy.path": "/etc/policy.hujson",
+ },
+ },
 }
 for _, tt := range tests {
diff --git a/hscontrol/types/testdata/policy-path-is-loaded.yaml b/hscontrol/types/testdata/policy-path-is-loaded.yaml
new file mode 100644
index 00000000..da0d29cd
--- /dev/null
+++ b/hscontrol/types/testdata/policy-path-is-loaded.yaml
@@ -0,0 +1,18 @@
+noise:
+ private_key_path: "private_key.pem"
+
+prefixes:
+ v6: fd7a:115c:a1e0::/48
+ v4: 100.64.0.0/10
+
+database:
+ type: sqlite3
+
+server_url: "https://derp.no"
+
+acl_policy_path: "/etc/acl_policy.yaml"
+policy:
+ type: file
+ path: "/etc/policy.hujson"
+
+dns.magic_dns: false
diff --git a/integration/hsic/config.go b/integration/hsic/config.go
index c4d8b283..244470f2 100644
--- a/integration/hsic/config.go
+++ b/integration/hsic/config.go
@@ -13,7 +13,7 @@ noise:
 func DefaultConfigEnv() map[string]string {
 return map[string]string{
 "HEADSCALE_LOG_LEVEL": "trace",
- "HEADSCALE_ACL_POLICY_PATH": "",
+ "HEADSCALE_POLICY_PATH": "",
 "HEADSCALE_DATABASE_TYPE": "sqlite",
 "HEADSCALE_DATABASE_SQLITE_PATH": "/tmp/integration_test_db.sqlite3",
 "HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT": "30m",
diff --git a/integration/hsic/hsic.go b/integration/hsic/hsic.go
index 3794e085..0b5a6be3 100644
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
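Review bot: The new `policy-path-is-loaded` case in TestReadConfig only covers a config where both keys are present; nothing in this hunk exercises the path the commit is named for, `acl_policy_path` set while `policy.path` is empty. Since that is the fail-closed behaviour operators will rely on, a second case with a fixture containing only `acl_policy_path` and a non-empty `wantErr` would pin it, provided the failure surfaces as an error rather than a process exit (the helper is not visible here). Separately, the closing `}, err` in `setup` always returns nil at that point; `}, nil` reads more clearly. The table and the test loop continue outside the hunk.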
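Review bot: In hscontrol/types/testdata/policy-path-is-loaded.yaml the policy block sets `type: file`, but the test reads `cfg.Policy.Mode` under the key `policy.mode`. If `type` is not a recognised key, the `"file"` assertion presumably passes from the default, so the fixture does not show that the mode is loaded from the file; `mode: file` would match what the test checks. A short header comment such as `# acl_policy_path is set on purpose: policy.path must take precedence over the deprecated key.` would also explain why both keys appear.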
@@ -82,7 +82,7 @@ type Option = func(c *HeadscaleInContainer)
 func WithACLPolicy(acl *policy.ACLPolicy) Option {
 return func(hsic *HeadscaleInContainer) {
 // TODO(kradalby): Move somewhere appropriate
- hsic.env["HEADSCALE_ACL_POLICY_PATH"] = aclPolicyPath
+ hsic.env["HEADSCALE_POLICY_PATH"] = aclPolicyPath
 hsic.aclPolicy = acl
 }