cmd: add policy check command (#2553)

2025-05-06 07:36:41 +00:00 · 2025-05-02 13:58:30 +03:00 · 2025-05-02 13:58:30 +03:00 · 93afb03f67
commit 93afb03f67
parent e4d10ad964
2 changed files with 38 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -71,13 +71,11 @@ working in v1 and not tested might be broken in v2 (and vice versa).
 **We do need help testing this code**


-#### Other breaking
-
- Disallow `server_url` and `base_domain` to be equal
-  [#2544](https://github.com/juanfont/headscale/pull/2544)

 #### Other breaking changes

+- Disallow `server_url` and `base_domain` to be equal
+  [#2544](https://github.com/juanfont/headscale/pull/2544)
 - Return full user in API for pre auth keys instead of string
  [#2542](https://github.com/juanfont/headscale/pull/2542)
 - Pre auth key API/CLI now uses ID over username
@ -86,6 +84,8 @@ working in v1 and not tested might be broken in v2 (and vice versa).
 ### Changes

 - Use Go 1.24 [#2427](https://github.com/juanfont/headscale/pull/2427)
+- Add `headscale policy check` command to check policy
+  [#2553](https://github.com/juanfont/headscale/pull/2553)
 - `oidc.map_legacy_users` and `oidc.strip_email_domain` has been removed
  [#2411](https://github.com/juanfont/headscale/pull/2411)
 - Add more information to `/debug` endpoint
--- a/cmd/headscale/cli/policy.go
+++ b/cmd/headscale/cli/policy.go
@ -6,6 +6,7 @@ import (
 	"os"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/policy"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
@ -19,6 +20,12 @@ func init() {
 		log.Fatal().Err(err).Msg("")
 	}
 	policyCmd.AddCommand(setPolicy)
+
+	checkPolicy.Flags().StringP("file", "f", "", "Path to a policy file in HuJSON format")
+	if err := checkPolicy.MarkFlagRequired("file"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	policyCmd.AddCommand(checkPolicy)
 }

 var policyCmd = &cobra.Command{
@ -85,3 +92,30 @@ var setPolicy = &cobra.Command{
 		SuccessOutput(nil, "Policy updated.", "")
 	},
 }
+
+var checkPolicy = &cobra.Command{
+	Use:   "check",
+	Short: "Check the Policy file for errors",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		policyPath, _ := cmd.Flags().GetString("file")
+
+		f, err := os.Open(policyPath)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error opening the policy file: %s", err), output)
+		}
+		defer f.Close()
+
+		policyBytes, err := io.ReadAll(f)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
+		}
+
+		_, err = policy.NewPolicyManager(policyBytes, nil, nil)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
+		}
+
+		SuccessOutput(nil, "Policy is valid", "")
+	},
+}