Load ACL policy on headscale startup

2024-11-23 18:15:26 +00:00 · 2021-07-04 13:24:05 +02:00 · 2021-07-04 13:24:05 +02:00 · 202d6b506f
commit 202d6b506f
parent 401e6aec32
4 changed files with 18 additions and 3 deletions
--- a/acls.go
+++ b/acls.go
@ -22,7 +22,7 @@ const errorInvalidTag = Error("invalid tag")
 const errorInvalidNamespace = Error("invalid namespace")
 const errorInvalidPortFormat = Error("invalid port format")

-func (h *Headscale) LoadPolicy(path string) error {
+func (h *Headscale) LoadAclPolicy(path string) error {
 	policyFile, err := os.Open(path)
 	if err != nil {
 		return err
@ -40,7 +40,12 @@ func (h *Headscale) LoadPolicy(path string) error {
 	}

 	h.aclPolicy = &policy
-	return err
+	rules, err := h.generateACLRules()
+	if err != nil {
+		return err
+	}
+	h.aclRules = rules
+	return nil
 }

 func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
--- a/api.go
+++ b/api.go
@ -373,7 +373,7 @@ func (h *Headscale) getMapResponse(mKey wgkey.Key, req tailcfg.MapRequest, m Mac
 		DNS:          []netaddr.IP{},
 		SearchPaths:  []string{},
 		Domain:       "foobar@example.com",
-		PacketFilter: tailcfg.FilterAllowAll,
+		PacketFilter: *h.aclRules,
 		DERPMap:      h.cfg.DerpMap,
 		UserProfiles: []tailcfg.UserProfile{},
 	}
--- a/app.go
+++ b/app.go
@ -50,6 +50,7 @@ type Headscale struct {
 	privateKey *wgkey.Private

 	aclPolicy *ACLPolicy
+	aclRules  *[]tailcfg.FilterRule

 	pollMu         sync.Mutex
 	clientsPolling map[uint64]chan []byte // this is by all means a hackity hack
@ -84,7 +85,9 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
 		dbString:   dbString,
 		privateKey: privKey,
 		publicKey:  &pubKey,
+		aclRules:   &tailcfg.FilterAllowAll, // default allowall
 	}
+
 	err = h.initDB()
 	if err != nil {
 		return nil, err
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@ -119,6 +119,13 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	// We are doing this here, as in the future could be cool to have it also hot-reload
+	err = h.LoadAclPolicy(absPath(viper.GetString("acl_policy_path")))
+	if err != nil {
+		log.Printf("Could not load the ACL policy: %s", err)
+	}
+
 	return h, nil
 }