Experimental implementation of Policy v2 (#2214)

* utility iterator for ipset Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * split policy -> policy and v1 This commit split out the common policy logic and policy implementation into separate packages. policy contains functions that are independent of the policy implementation, this typically means logic that works on tailcfg types and generic formats. In addition, it defines the PolicyManager interface which the v1 implements. v1 is a subpackage which implements the PolicyManager using the "original" policy implementation. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * use polivyv1 definitions in integration tests These can be marshalled back into JSON, which the new format might not be able to. Also, just dont change it all to JSON strings for now. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * formatter: breaks lines Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove compareprefix, use tsaddr version Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove getacl test, add back autoapprover Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * use policy manager tag handling Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * rename display helper for user Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * introduce policy v2 package policy v2 is built from the ground up to be stricter and follow the same pattern for all types of resolvers. TODO introduce aliass resolver Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * wire up policyv2 in integration testing Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * split policy v2 tests into seperate workflow to work around github limit Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add policy manager output to /debug Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-03-10 16:20:29 +01:00 · 2025-03-10 16:20:29 +01:00 · 87326f5c4f
commit 87326f5c4f
parent b6fbd37539
41 changed files with 5883 additions and 2118 deletions
--- a/hscontrol/policy/pm.go
+++ b/hscontrol/policy/pm.go
@ -1,219 +1,81 @@
 package policy

 import (
-	"fmt"
-	"io"
 	"net/netip"
-	"os"
-	"sync"

+	policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
+	policyv2 "github.com/juanfont/headscale/hscontrol/policy/v2"
 	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/rs/zerolog/log"
-	"go4.org/netipx"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/deephash"
+)
+
+var (
+	polv2 = envknob.Bool("HEADSCALE_EXPERIMENTAL_POLICY_V2")
 )

 type PolicyManager interface {
 	Filter() []tailcfg.FilterRule
 	SSHPolicy(*types.Node) (*tailcfg.SSHPolicy, error)
-	Tags(*types.Node) []string
-	ApproversForRoute(netip.Prefix) []string
-	ExpandAlias(string) (*netipx.IPSet, error)
 	SetPolicy([]byte) (bool, error)
 	SetUsers(users []types.User) (bool, error)
 	SetNodes(nodes types.Nodes) (bool, error)
+	// NodeCanHaveTag reports whether the given node can have the given tag.
+	NodeCanHaveTag(*types.Node, string) bool

 	// NodeCanApproveRoute reports whether the given node can approve the given route.
 	NodeCanApproveRoute(*types.Node, netip.Prefix) bool
+
+	Version() int
+	DebugString() string
 }

-func NewPolicyManagerFromPath(path string, users []types.User, nodes types.Nodes) (PolicyManager, error) {
-	policyFile, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer policyFile.Close()
-
-	policyBytes, err := io.ReadAll(policyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	return NewPolicyManager(policyBytes, users, nodes)
-}
-
-func NewPolicyManager(polB []byte, users []types.User, nodes types.Nodes) (PolicyManager, error) {
-	var pol *ACLPolicy
+// NewPolicyManager returns a new policy manager, the version is determined by
+// the environment flag "HEADSCALE_EXPERIMENTAL_POLICY_V2".
+func NewPolicyManager(pol []byte, users []types.User, nodes types.Nodes) (PolicyManager, error) {
+	var polMan PolicyManager
 	var err error
-	if polB != nil && len(polB) > 0 {
-		pol, err = LoadACLPolicyFromBytes(polB)
+	if polv2 {
+		polMan, err = policyv2.NewPolicyManager(pol, users, nodes)
 		if err != nil {
-			return nil, fmt.Errorf("parsing policy: %w", err)
+			return nil, err
+		}
+	} else {
+		polMan, err = policyv1.NewPolicyManager(pol, users, nodes)
+		if err != nil {
+			return nil, err
 		}
 	}

-	pm := PolicyManagerV1{
-		pol:   pol,
-		users: users,
-		nodes: nodes,
-	}
-
-	_, err = pm.updateLocked()
-	if err != nil {
-		return nil, err
-	}
-
-	return &pm, nil
+	return polMan, err
 }

-func NewPolicyManagerForTest(pol *ACLPolicy, users []types.User, nodes types.Nodes) (PolicyManager, error) {
-	pm := PolicyManagerV1{
-		pol:   pol,
-		users: users,
-		nodes: nodes,
-	}
+// PolicyManagersForTest returns all available PostureManagers to be used
+// in tests to validate them in tests that try to determine that they
+// behave the same.
+func PolicyManagersForTest(pol []byte, users []types.User, nodes types.Nodes) ([]PolicyManager, error) {
+	var polMans []PolicyManager

-	_, err := pm.updateLocked()
-	if err != nil {
-		return nil, err
-	}
-
-	return &pm, nil
-}
-
-type PolicyManagerV1 struct {
-	mu  sync.Mutex
-	pol *ACLPolicy
-
-	users []types.User
-	nodes types.Nodes
-
-	filterHash deephash.Sum
-	filter     []tailcfg.FilterRule
-}
-
-// updateLocked updates the filter rules based on the current policy and nodes.
-// It must be called with the lock held.
-func (pm *PolicyManagerV1) updateLocked() (bool, error) {
-	filter, err := pm.pol.CompileFilterRules(pm.users, pm.nodes)
-	if err != nil {
-		return false, fmt.Errorf("compiling filter rules: %w", err)
-	}
-
-	filterHash := deephash.Hash(&filter)
-	if filterHash == pm.filterHash {
-		return false, nil
-	}
-
-	pm.filter = filter
-	pm.filterHash = filterHash
-
-	return true, nil
-}
-
-func (pm *PolicyManagerV1) Filter() []tailcfg.FilterRule {
-	pm.mu.Lock()
-	defer pm.mu.Unlock()
-	return pm.filter
-}
-
-func (pm *PolicyManagerV1) SSHPolicy(node *types.Node) (*tailcfg.SSHPolicy, error) {
-	pm.mu.Lock()
-	defer pm.mu.Unlock()
-
-	return pm.pol.CompileSSHPolicy(node, pm.users, pm.nodes)
-}
-
-func (pm *PolicyManagerV1) SetPolicy(polB []byte) (bool, error) {
-	if len(polB) == 0 {
-		return false, nil
-	}
-
-	pol, err := LoadACLPolicyFromBytes(polB)
-	if err != nil {
-		return false, fmt.Errorf("parsing policy: %w", err)
-	}
-
-	pm.mu.Lock()
-	defer pm.mu.Unlock()
-
-	pm.pol = pol
-
-	return pm.updateLocked()
-}
-
-// SetUsers updates the users in the policy manager and updates the filter rules.
-func (pm *PolicyManagerV1) SetUsers(users []types.User) (bool, error) {
-	pm.mu.Lock()
-	defer pm.mu.Unlock()
-
-	pm.users = users
-	return pm.updateLocked()
-}
-
-// SetNodes updates the nodes in the policy manager and updates the filter rules.
-func (pm *PolicyManagerV1) SetNodes(nodes types.Nodes) (bool, error) {
-	pm.mu.Lock()
-	defer pm.mu.Unlock()
-	pm.nodes = nodes
-	return pm.updateLocked()
-}
-
-func (pm *PolicyManagerV1) Tags(node *types.Node) []string {
-	if pm == nil {
-		return nil
-	}
-
-	tags, invalid := pm.pol.TagsOfNode(pm.users, node)
-	log.Debug().Strs("authorised_tags", tags).Strs("unauthorised_tags", invalid).Uint64("node.id", node.ID.Uint64()).Msg("tags provided by policy")
-	return tags
-}
-
-func (pm *PolicyManagerV1) ApproversForRoute(route netip.Prefix) []string {
-	// TODO(kradalby): This can be a parse error of the address in the policy,
-	// in the new policy this will be typed and not a problem, in this policy
-	// we will just return empty list
-	if pm.pol == nil {
-		return nil
-	}
-	approvers, _ := pm.pol.AutoApprovers.GetRouteApprovers(route)
-	return approvers
-}
-
-func (pm *PolicyManagerV1) ExpandAlias(alias string) (*netipx.IPSet, error) {
-	ips, err := pm.pol.ExpandAlias(pm.nodes, pm.users, alias)
-	if err != nil {
-		return nil, err
-	}
-	return ips, nil
-}
-
-func (pm *PolicyManagerV1) NodeCanApproveRoute(node *types.Node, route netip.Prefix) bool {
-	if pm.pol == nil {
-		return false
-	}
-
-	pm.mu.Lock()
-	defer pm.mu.Unlock()
-
-	approvers, _ := pm.pol.AutoApprovers.GetRouteApprovers(route)
-
-	for _, approvedAlias := range approvers {
-		if approvedAlias == node.User.Username() {
-			return true
-		} else {
-			ips, err := pm.pol.ExpandAlias(pm.nodes, pm.users, approvedAlias)
-			if err != nil {
-				return false
-			}
-
-			// approvedIPs should contain all of node's IPs if it matches the rule, so check for first
-			if ips.Contains(*node.IPv4) {
-				return true
-			}
+	for _, pmf := range PolicyManagerFuncsForTest(pol) {
+		pm, err := pmf(users, nodes)
+		if err != nil {
+			return nil, err
 		}
+		polMans = append(polMans, pm)
 	}

-	return false
+	return polMans, nil
+}
+
+func PolicyManagerFuncsForTest(pol []byte) []func([]types.User, types.Nodes) (PolicyManager, error) {
+	var polmanFuncs []func([]types.User, types.Nodes) (PolicyManager, error)
+
+	polmanFuncs = append(polmanFuncs, func(u []types.User, n types.Nodes) (PolicyManager, error) {
+		return policyv1.NewPolicyManager(pol, u, n)
+	})
+	polmanFuncs = append(polmanFuncs, func(u []types.User, n types.Nodes) (PolicyManager, error) {
+		return policyv2.NewPolicyManager(pol, u, n)
+	})
+
+	return polmanFuncs
 }