syspolicy: add exit node related policies (#10172)

Adds policy keys ExitNodeID and ExitNodeIP.
Uses the policy keys to determine the exit node in preferences.
Fixes tailscale/corp#15683

Signed-off-by: Claire Wang <claire@tailscale.com>
Claire Wang
2023-11-29 16:48:25 -05:00
committed by GitHub
parent ecd1ccb917
commit 8af503b0c5
6 changed files with 311 additions and 15 deletions


@@ -6,6 +6,7 @@ package syspolicy
import (
"errors"
"sync/atomic"
"testing"
)
var (
@@ -56,3 +57,10 @@ func RegisterHandler(h Handler) {
panic("handler was already used before registration")
}
}
func SetHandlerForTest(tb testing.TB, h Handler) {
tb.Helper()
oldHandler := handler
handler = h
tb.Cleanup(func() { handler = oldHandler })
}
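Review bot: `SetHandlerForTest` is added to what appears to be the package's non-test handler file, so the new `"testing"` import becomes a dependency of every binary that links syspolicy, and the exported helper has no doc comment. It assigns the package-level `handler` directly, without the already-used guard that the `RegisterHandler` panic at the top of the hunk implies (that function starts outside the hunk), and the unsynchronised write would presumably race if a caller used `t.Parallel()`. Since this handler supplies the administrator-enforced policy values, the contract should be written on the function: `// SetHandlerForTest replaces the policy handler for the lifetime of tb and restores the previous one via tb.Cleanup. It is for tests only and is not safe for parallel tests.` Consider moving the helper to a file or package that production code does not import.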


@@ -10,6 +10,11 @@ const (
ControlURL Key = "LoginURL" // default ""; if blank, ipn uses ipn.DefaultControlURL.
LogTarget Key = "LogTarget" // default ""; if blank logging uses logtail.DefaultHost.
Tailnet Key = "Tailnet" // default ""; if blank, no tailnet name is sent to the server.
// ExitNodeID is the exit node's node id. default ""; if blank, no exit node is forced.
// Exit node ID takes precedence over exit node IP.
// To find the node ID, go to /api.md#device.
ExitNodeID Key = "ExitNodeID"
ExitNodeIP Key = "ExitNodeIP" // default ""; if blank, no exit node is forced. Value is exit node IP.
// Keys with a string value that specifies an option: "always", "never", "user-decides".
// The default is "user-decides" unless otherwise stated.
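Review bot: The `ExitNodeIP` comment does not say that the key is ignored when `ExitNodeID` is set; the precedence is stated only on `ExitNodeID`, and neither comment says what the client does when the configured ID or IP matches no usable exit node. For a key that forces where traffic egresses, an administrator needs to know whether that case blocks traffic or falls back to a direct connection; the code that reads these keys is not in this hunk, so the comment should state whichever applies. I would write `ExitNodeIP Key = "ExitNodeIP" // default ""; if blank, no exit node is forced. Value is the exit node's IP; ignored when ExitNodeID is set.` and replace `/api.md#device` with a complete reference, since the relative path has no meaning from this file. The const block continues outside the hunk.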


@@ -24,13 +24,6 @@ type testHandler struct {
var someOtherError = errors.New("error other than not found")
func setHandlerForTest(tb testing.TB, h Handler) {
tb.Helper()
oldHandler := handler
handler = h
tb.Cleanup(func() { handler = oldHandler })
}
func (th *testHandler) ReadString(key string) (string, error) {
if key != string(th.key) {
th.t.Errorf("ReadString(%q) want %q", key, th.key)
@@ -95,7 +88,7 @@ func TestGetString(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
setHandlerForTest(t, &testHandler{
SetHandlerForTest(t, &testHandler{
t: t,
key: tt.key,
s: tt.handlerValue,
@@ -152,7 +145,7 @@ func TestGetUint64(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
setHandlerForTest(t, &testHandler{
SetHandlerForTest(t, &testHandler{
t: t,
key: tt.key,
u64: tt.handlerValue,
@@ -204,7 +197,7 @@ func TestGetBoolean(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
setHandlerForTest(t, &testHandler{
SetHandlerForTest(t, &testHandler{
t: t,
key: tt.key,
b: tt.handlerValue,
@@ -265,7 +258,7 @@ func TestGetPreferenceOption(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
setHandlerForTest(t, &testHandler{
SetHandlerForTest(t, &testHandler{
t: t,
key: tt.key,
s: tt.handlerValue,
@@ -322,7 +315,7 @@ func TestGetVisibility(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
setHandlerForTest(t, &testHandler{
SetHandlerForTest(t, &testHandler{
t: t,
key: tt.key,
s: tt.handlerValue,
@@ -389,7 +382,7 @@ func TestGetDuration(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
setHandlerForTest(t, &testHandler{
SetHandlerForTest(t, &testHandler{
t: t,
key: tt.key,
s: tt.handlerValue,