From a942fcf50ace9ef0059f189fc399421159057b75 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Tue, 29 Oct 2024 08:40:15 -0400
Subject: [PATCH] fix autoapprove

Signed-off-by: Kristoffer Dalby
---
 hscontrol/app.go | 4 ++++
 hscontrol/db/routes.go | 2 +-
 hscontrol/policy/pm.go | 6 +++---
 hscontrol/poll.go | 3 +++
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/hscontrol/app.go b/hscontrol/app.go
index eea7315b..6859bf49 100644
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@@ -478,6 +478,8 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 return router
 }
 
+// TODO(kradalby): Do a variant of this, and polman which only updates the node that has changed.
+// Maybe we should attempt a new in memory state and not go via the DB?
 func usersChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *notifier.Notifier) error {
 users, err := db.ListUsers()
 if err != nil {
@@ -499,6 +501,8 @@ func usersChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *not
 return nil
 }
 
+// TODO(kradalby): Do a variant of this, and polman which only updates the node that has changed.
+// Maybe we should attempt a new in memory state and not go via the DB?
 func nodesChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *notifier.Notifier) error {
 nodes, err := db.ListNodes()
 if err != nil {
diff --git a/hscontrol/db/routes.go b/hscontrol/db/routes.go
index ebb08563..dcf238ab 100644
--- a/hscontrol/db/routes.go
+++ b/hscontrol/db/routes.go
@@ -644,7 +644,7 @@ func EnableAutoApprovedRoutes(
 approvedRoutes = append(approvedRoutes, advertisedRoute)
 } else {
 // TODO(kradalby): figure out how to get this to depend on less stuff
- approvedIps, err := polMan.IPsForUser(approvedAlias)
+ approvedIps, err := polMan.ExpandAlias(approvedAlias)
 if err != nil {
 return fmt.Errorf("expanding alias %q for autoApprovers: %w", approvedAlias, err)
 }
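Review bot: The changed line in the hscontrol/db/routes.go hunk keeps the local name `approvedIps`, which Go initialism style would spell `approvedIPs`; since the line is being rewritten anyway, `approvedIPs, err := polMan.ExpandAlias(approvedAlias)` with the matching rename at its use below the hunk would bring it in line with the rest of the codebase's naming. The rename from IPsForUser also widens what the alias may be (presumably any policy alias rather than only a user, though only the call site is visible here), and the fmt.Errorf return that follows means a single unexpandable autoApprovers entry aborts approval for every remaining route of that node; that is the fail-closed behaviour one wants, but it deserves a sentence in EnableAutoApprovedRoutes's doc comment so it is not "fixed" later. The enclosing function starts and ends outside the hunk.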
diff --git a/hscontrol/policy/pm.go b/hscontrol/policy/pm.go
index 0e175557..7dbaed33 100644
--- a/hscontrol/policy/pm.go
+++ b/hscontrol/policy/pm.go
@@ -18,7 +18,7 @@ type PolicyManager interface {
 SSHPolicy(*types.Node) (*tailcfg.SSHPolicy, error)
 Tags(*types.Node) []string
 ApproversForRoute(netip.Prefix) []string
- IPsForUser(string) (*netipx.IPSet, error)
+ ExpandAlias(string) (*netipx.IPSet, error)
 SetPolicy([]byte) (bool, error)
 SetUsers(users []types.User) (bool, error)
 SetNodes(nodes types.Nodes) (bool, error)
@@ -172,8 +172,8 @@ func (pm *PolicyManagerV1) ApproversForRoute(route netip.Prefix) []string {
 return approvers
 }
 
-func (pm *PolicyManagerV1) IPsForUser(user string) (*netipx.IPSet, error) {
- ips, err := pm.pol.ExpandAlias(pm.nodes, pm.users, user)
+func (pm *PolicyManagerV1) ExpandAlias(alias string) (*netipx.IPSet, error) {
+ ips, err := pm.pol.ExpandAlias(pm.nodes, pm.users, alias)
 if err != nil {
 return nil, err
 }
diff --git a/hscontrol/poll.go b/hscontrol/poll.go
index d41744cd..e6047d45 100644
--- a/hscontrol/poll.go
+++ b/hscontrol/poll.go
@@ -488,6 +488,9 @@ func (m *mapSession) handleEndpointUpdate() {
 return
 }
 
+ // TODO(kradalby): Only update the node that has actually changed
+ nodesChangedHook(m.h.db, m.h.polMan, m.h.nodeNotifier)
+
 if m.h.polMan != nil {
 // update routes with peer information
 err := m.h.db.EnableAutoApprovedRoutes(m.h.polMan, m.node)
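Review bot: The renamed exported method `ExpandAlias(string) (*netipx.IPSet, error)` on the PolicyManager interface in the first hscontrol/policy/pm.go hunk, and its PolicyManagerV1 implementation in the second, have no doc comment, and the rename changes the contract from "a user" to "any policy alias", so a reader of the interface can no longer tell what string is acceptable. Suggest adding above the interface method `// ExpandAlias resolves a policy alias (as used in the ACL's autoApprovers) to the set of IPs it currently covers, evaluated against the manager's current nodes and users.` and mirroring it on the V1 method. The V1 body reads pm.nodes and pm.users, which SetNodes and SetUsers mutate; whether that read happens under the manager's lock is not visible in this hunk and is worth confirming. Both enclosing definitions extend beyond their hunks: the interface's opening brace is only in the hunk header, and the method's tail after the error check is cut.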
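Review bot: The added call `nodesChangedHook(m.h.db, m.h.polMan, m.h.nodeNotifier)` in the hscontrol/poll.go hunk discards the error the hook returns (its signature in the hscontrol/app.go hunk ends in `error`), so a failed ListNodes or policy update is silently ignored inside handleEndpointUpdate; write `if err := nodesChangedHook(m.h.db, m.h.polMan, m.h.nodeNotifier); err != nil {` and handle it the way the error paths immediately above the hunk do. The call is also placed before the existing `if m.h.polMan != nil` guard while passing m.h.polMan through; the hook's body is not visible here, but its parameter suggests it calls into the policy manager, in which case a nil polMan would panic, so moving the call inside that guard (or nil-checking in the hook) looks safer. Finally, this performs a full ListNodes-driven policy and notifier refresh on every endpoint update from any node, which the TODO acknowledges; until the per-node variant exists it is a fleet-wide recomputation driven by client traffic and deserves a comment noting the cost, so the TODO is not dropped as cosmetic. handleEndpointUpdate starts and ends outside the hunk.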