From 93afb03f6756983d85fe3f39666d21430a886dae Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Fri, 2 May 2025 13:58:30 +0300 Subject: [PATCH] cmd: add policy check command (#2553) --- CHANGELOG.md | 8 ++++---- cmd/headscale/cli/policy.go | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18878d8f..c1d6fcc8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -71,13 +71,11 @@ working in v1 and not tested might be broken in v2 (and vice versa). **We do need help testing this code** -#### Other breaking - -- Disallow `server_url` and `base_domain` to be equal - [#2544](https://github.com/juanfont/headscale/pull/2544) #### Other breaking changes +- Disallow `server_url` and `base_domain` to be equal + [#2544](https://github.com/juanfont/headscale/pull/2544) - Return full user in API for pre auth keys instead of string [#2542](https://github.com/juanfont/headscale/pull/2542) - Pre auth key API/CLI now uses ID over username @@ -86,6 +84,8 @@ working in v1 and not tested might be broken in v2 (and vice versa). ### Changes - Use Go 1.24 [#2427](https://github.com/juanfont/headscale/pull/2427) +- Add `headscale policy check` command to check policy + [#2553](https://github.com/juanfont/headscale/pull/2553) - `oidc.map_legacy_users` and `oidc.strip_email_domain` has been removed [#2411](https://github.com/juanfont/headscale/pull/2411) - Add more information to `/debug` endpoint diff --git a/cmd/headscale/cli/policy.go b/cmd/headscale/cli/policy.go index d1349b5a..63f4a6bf 100644 --- a/cmd/headscale/cli/policy.go +++ b/cmd/headscale/cli/policy.go @@ -6,6 +6,7 @@ import ( "os" v1 "github.com/juanfont/headscale/gen/go/headscale/v1" + "github.com/juanfont/headscale/hscontrol/policy" "github.com/rs/zerolog/log" "github.com/spf13/cobra" ) 
@@ -19,6 +20,12 @@ func init() {
 log.Fatal().Err(err).Msg("")
 }
 policyCmd.AddCommand(setPolicy)
+
+ checkPolicy.Flags().StringP("file", "f", "", "Path to a policy file in HuJSON format")
+ if err := checkPolicy.MarkFlagRequired("file"); err != nil {
+ log.Fatal().Err(err).Msg("")
+ }
+ policyCmd.AddCommand(checkPolicy)
 }
 var policyCmd = &cobra.Command{
@@ -85,3 +92,30 @@ var setPolicy = &cobra.Command{
 SuccessOutput(nil, "Policy updated.", "")
 },
 }
+
+var checkPolicy = &cobra.Command{
+ Use: "check",
+ Short: "Check the Policy file for errors",
+ Run: func(cmd *cobra.Command, args []string) {
+ output, _ := cmd.Flags().GetString("output")
+ policyPath, _ := cmd.Flags().GetString("file")
+
+ f, err := os.Open(policyPath)
+ if err != nil {
+ ErrorOutput(err, fmt.Sprintf("Error opening the policy file: %s", err), output)
+ }
+ defer f.Close()
+
+ policyBytes, err := io.ReadAll(f)
+ if err != nil {
+ ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
+ }
+
+ _, err = policy.NewPolicyManager(policyBytes, nil, nil)
+ if err != nil {
+ ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
+ }
+
+ SuccessOutput(nil, "Policy is valid", "")
+ },
+}
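Review bot: `policy.NewPolicyManager(policyBytes, nil, nil)` in `checkPolicy` passes nil for its second and third arguments (presumably the user and node lists, to be confirmed against its signature), so "Policy is valid" can only cover what is checkable from the file alone. An operator using this as a gate before `policy set` may take it as a stronger guarantee for an ACL than it is; a `Long:` description stating that the file is checked locally, without users or nodes from the server, would make the limit explicit. The success path also passes `""` where the three error paths pass `output`, so `--output` is honoured only on failure; `SuccessOutput(nil, "Policy is valid", output)` would make them agree. The statements after each `ErrorOutput` call rely on that helper, defined outside this hunk, ending the process; if it returns, `io.ReadAll(f)` runs on a failed open.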