policy/v2: make default (#2546)

* policy/v2: make default Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: do not run v1 tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: fix potential nil pointers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * mapper: fix test failures in v2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-29 17:27:41 +03:00 · 2025-04-29 17:27:41 +03:00 · 2b38f7bef7
commit 2b38f7bef7
parent 9a4d0e1a99
9 changed files with 35 additions and 202 deletions
--- a/hscontrol/mapper/mapper_test.go
+++ b/hscontrol/mapper/mapper_test.go
@ -346,7 +346,7 @@ func Test_fullMapResponse(t *testing.T) {
 						{
 							"action": "accept",
 							"src": ["100.64.0.2"],
-							"dst": ["user1:*"],
+							"dst": ["user1@:*"],
 						},
 					],
 				}
@ -382,7 +382,7 @@ func Test_fullMapResponse(t *testing.T) {
 						},
 					},
 				},
-				SSHPolicy: &tailcfg.SSHPolicy{},
+				SSHPolicy: nil,
 				UserProfiles: []tailcfg.UserProfile{
 					{ID: tailcfg.UserID(user1.ID), LoginName: "user1", DisplayName: "user1"},
 					{ID: tailcfg.UserID(user2.ID), LoginName: "user2", DisplayName: "user2"},
--- a/hscontrol/policy/pm.go
+++ b/hscontrol/policy/pm.go
@ -11,7 +11,7 @@ import (
 )

 var (
-	polv2 = envknob.Bool("HEADSCALE_EXPERIMENTAL_POLICY_V2")
+	polv1 = envknob.Bool("HEADSCALE_POLICY_V1")
 )

 type PolicyManager interface {
@ -35,13 +35,13 @@ type PolicyManager interface {
 func NewPolicyManager(pol []byte, users []types.User, nodes types.Nodes) (PolicyManager, error) {
 	var polMan PolicyManager
 	var err error
-	if polv2 {
-		polMan, err = policyv2.NewPolicyManager(pol, users, nodes)
+	if polv1 {
+		polMan, err = policyv1.NewPolicyManager(pol, users, nodes)
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		polMan, err = policyv1.NewPolicyManager(pol, users, nodes)
+		polMan, err = policyv2.NewPolicyManager(pol, users, nodes)
 		if err != nil {
 			return nil, err
 		}
--- a/hscontrol/policy/v2/filter.go
+++ b/hscontrol/policy/v2/filter.go
@ -38,7 +38,7 @@ func (pol *Policy) compileFilterRules(
 			log.Trace().Err(err).Msgf("resolving source ips")
 		}

-		if len(srcIPs.Prefixes()) == 0 {
+		if srcIPs == nil || len(srcIPs.Prefixes()) == 0 {
 			continue
 		}

@ -56,6 +56,10 @@ func (pol *Policy) compileFilterRules(
 				log.Trace().Err(err).Msgf("resolving destination ips")
 			}

+			if ips == nil {
+				continue
+			}
+
 			for _, pref := range ips.Prefixes() {
 				for _, port := range dest.Ports {
 					pr := tailcfg.NetPortRange{
@ -162,6 +166,10 @@ func (pol *Policy) compileSSHPolicy(
 func ipSetToPrefixStringList(ips *netipx.IPSet) []string {
 	var out []string

+	if ips == nil {
+		return out
+	}
+
 	for _, pref := range ips.Prefixes() {
 		out = append(out, pref.String())
 	}