split out reading policy and applying

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
fix loading policy manager
2024-11-26 08:53:05 +00:00 · 2024-10-26 18:29:27 -04:00 · 2024-10-26 18:19:14 -04:00
2 changed files with 71 additions and 54 deletions
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@ -88,7 +88,8 @@ type Headscale struct {
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *derpServer.DERPServer

-	polMan policy.PolicyManager
+	polManOnce sync.Once
+	polMan     policy.PolicyManager

 	mapper       *mapper.Mapper
 	nodeNotifier *notifier.Notifier
@ -531,8 +532,7 @@ func (h *Headscale) Serve() error {
 	}

 	var err error
-
-	if err = h.loadACLPolicy(); err != nil {
+	if err = h.loadPolicyManager(); err != nil {
 		return fmt.Errorf("failed to load ACL policy: %w", err)
 	}

@ -812,13 +812,21 @@ func (h *Headscale) Serve() error {
 					Str("signal", sig.String()).
 					Msg("Received SIGHUP, reloading ACL and Config")

-				// TODO(kradalby): Reload config on SIGHUP
-				// TODO(kradalby): Only update if we set a new policy
-				if err := h.loadACLPolicy(); err != nil {
-					log.Error().Err(err).Msg("failed to reload ACL policy")
+				if err := h.loadPolicyManager(); err != nil {
+					log.Error().Err(err).Msg("failed to reload Policy")
 				}

-				if h.polMan != nil {
+				pol, err := h.policyBytes()
+				if err != nil {
+					log.Error().Err(err).Msg("failed to get policy blob")
+				}
+
+				changed, err := h.polMan.SetPolicy(pol)
+				if err != nil {
+					log.Error().Err(err).Msg("failed to set new policy")
+				}
+
+				if changed {
 					log.Info().
 						Msg("ACL policy successfully reloaded, notifying nodes of change")

@ -1037,22 +1045,46 @@ func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
 	return &machineKey, nil
 }

-func (h *Headscale) loadACLPolicy() error {
-	var (
-		pm policy.PolicyManager
-	)
-
+// policyBytes returns the appropriate policy for the
+// current configuration as a []byte array.
+func (h *Headscale) policyBytes() ([]byte, error) {
 	switch h.cfg.Policy.Mode {
 	case types.PolicyModeFile:
 		path := h.cfg.Policy.Path

 		// It is fine to start headscale without a policy file.
 		if len(path) == 0 {
-			return nil
+			return nil, nil
 		}

 		absPath := util.AbsolutePathFromConfigPath(path)
+		policyFile, err := os.Open(absPath)
+		if err != nil {
+			return nil, err
+		}
+		defer policyFile.Close()

+		return io.ReadAll(policyFile)
+
+	case types.PolicyModeDB:
+		p, err := h.db.GetPolicy()
+		if err != nil {
+			if errors.Is(err, types.ErrPolicyNotFound) {
+				return nil, nil
+			}
+
+			return nil, err
+		}
+
+		return []byte(p.Data), err
+	}
+
+	return nil, fmt.Errorf("unsupported policy mode: %s", h.cfg.Policy.Mode)
+}
+
+func (h *Headscale) loadPolicyManager() error {
+	var errOut error
+	h.polManOnce.Do(func() {
 		// Validate and reject configuration that would error when applied
 		// when creating a map response. This requires nodes, so there is still
 		// a scenario where they might be allowed if the server has no nodes
@ -1063,54 +1095,35 @@ func (h *Headscale) loadACLPolicy() error {
 		// allowed to be written to the database.
 		nodes, err := h.db.ListNodes()
 		if err != nil {
-			return fmt.Errorf("loading nodes from database to validate policy: %w", err)
+			errOut = fmt.Errorf("loading nodes from database to validate policy: %w", err)
+			return
 		}
 		users, err := h.db.ListUsers()
 		if err != nil {
-			return fmt.Errorf("loading users from database to validate policy: %w", err)
+			errOut = fmt.Errorf("loading users from database to validate policy: %w", err)
+			return
 		}

-		pm, err = policy.NewPolicyManagerFromPath(absPath, users, nodes)
+		pol, err := h.policyBytes()
 		if err != nil {
-			return fmt.Errorf("loading policy from file: %w", err)
+			errOut = fmt.Errorf("loading policy bytes: %w", err)
+			return
+		}
+
+		h.polMan, err = policy.NewPolicyManager(pol, users, nodes)
+		if err != nil {
+			errOut = fmt.Errorf("creating policy manager: %w", err)
+			return
 		}

 		if len(nodes) > 0 {
-			_, err = pm.SSHPolicy(nodes[0])
+			_, err = h.polMan.SSHPolicy(nodes[0])
 			if err != nil {
-				return fmt.Errorf("verifying SSH rules: %w", err)
+				errOut = fmt.Errorf("verifying SSH rules: %w", err)
+				return
 			}
 		}
+	})

-	case types.PolicyModeDB:
-		p, err := h.db.GetPolicy()
-		if err != nil {
-			if errors.Is(err, types.ErrPolicyNotFound) {
-				return nil
-			}
-
-			return fmt.Errorf("failed to get policy from database: %w", err)
-		}
-
-		nodes, err := h.db.ListNodes()
-		if err != nil {
-			return fmt.Errorf("loading nodes from database to validate policy: %w", err)
-		}
-		users, err := h.db.ListUsers()
-		if err != nil {
-			return fmt.Errorf("loading users from database to validate policy: %w", err)
-		}
-		pm, err = policy.NewPolicyManager([]byte(p.Data), users, nodes)
-		if err != nil {
-			return fmt.Errorf("loading policy from database: %w", err)
-		}
-	default:
-		log.Fatal().
-			Str("mode", string(h.cfg.Policy.Mode)).
-			Msg("Unknown ACL policy mode")
-	}
-
-	h.polMan = pm
-
-	return nil
+	return errOut
 }
--- a/hscontrol/policy/pm.go
+++ b/hscontrol/policy/pm.go
@ -40,9 +40,13 @@ func NewPolicyManagerFromPath(path string, users []types.User, nodes types.Nodes
 }

 func NewPolicyManager(polB []byte, users []types.User, nodes types.Nodes) (PolicyManager, error) {
-	pol, err := LoadACLPolicyFromBytes(polB)
-	if err != nil {
-		return nil, fmt.Errorf("parsing policy: %w", err)
+	var pol *ACLPolicy
+	var err error
+	if polB != nil && len(polB) > 0 {
+		pol, err = LoadACLPolicyFromBytes(polB)
+		if err != nil {
+			return nil, fmt.Errorf("parsing policy: %w", err)
+		}
 	}

 	pm := PolicyManagerV1{
Author	SHA1	Message	Date
Kristoffer Dalby	f2ab5e05c9	split out reading policy and applying Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-10-26 18:29:27 -04:00
Kristoffer Dalby	50b62ddfb3	fix loading policy manager Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-10-26 18:19:14 -04:00