util/syspolicy: add read boolean setting (#9592)

cmd/tailscaled/depaware.txt

@@ -352,6 +352,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
         tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+   W    tailscale.com/util/syspolicy                                 from tailscale.com/cmd/tailscaled
         tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
         tailscale.com/util/testenv                                   from tailscale.com/ipn/ipnlocal+

cmd/tailscaled/tailscaled_windows.go

@@ -51,6 +51,7 @@
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/osdiag"
+	"tailscale.com/util/syspolicy"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/wf"
@@ -131,7 +132,7 @@ func runWindowsService(pol *logpolicy.Policy) error {
 		osdiag.LogSupportInfo(logger.WithPrefix(log.Printf, "Support Info: "), osdiag.LogSupportInfoReasonStartup)
 	}()
 
-	if logSCMInteractions, _ := winutil.GetPolicyInteger("LogSCMInteractions"); logSCMInteractions != 0 {
+	if logSCMInteractions, _ := syspolicy.GetBoolean(syspolicy.LogSCMInteractions, false); logSCMInteractions {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
 			syslogf = func(format string, args ...any) {
@@ -158,7 +159,7 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	syslogf("Service start pending")
 
 	svcAccepts := svc.AcceptStop
-	if flushDNSOnSessionUnlock, _ := winutil.GetPolicyInteger("FlushDNSOnSessionUnlock"); flushDNSOnSessionUnlock != 0 {
+	if flushDNSOnSessionUnlock, _ := syspolicy.GetBoolean(syspolicy.FlushDNSOnSessionUnlock, false); flushDNSOnSessionUnlock {
 		svcAccepts |= svc.AcceptSessionChange
 	}
 

tstest/integration/tailscaled_deps_test_windows.go

@@ -53,6 +53,7 @@
 	_ "tailscale.com/util/multierr"
 	_ "tailscale.com/util/osdiag"
 	_ "tailscale.com/util/osshare"
+	_ "tailscale.com/util/syspolicy"
 	_ "tailscale.com/util/winutil"
 	_ "tailscale.com/version"
 	_ "tailscale.com/version/distro"

util/syspolicy/handler.go

@@ -19,6 +19,8 @@ type Handler interface {
 	ReadString(key string) (string, error)
 	// ReadUInt64 reads the policy settings uint64 value given the key.
 	ReadUInt64(key string) (uint64, error)
+	// ReadBool reads the policy setting's boolean value, given the key.
+	ReadBoolean(key string) (bool, error)
 }
 
 // ErrNoSuchKey is returned when the specified key does not have a value set.
@@ -35,6 +37,10 @@ func (defaultHandler) ReadUInt64(_ string) (uint64, error) {
 	return 0, ErrNoSuchKey
 }
 
+func (defaultHandler) ReadBoolean(_ string) (bool, error) {
+	return false, ErrNoSuchKey
+}
+
 // markHandlerInUse is called before handler methods are called.
 func markHandlerInUse() {
 	handlerUsed.Store(true)

util/syspolicy/handler_windows.go

@@ -30,3 +30,11 @@ func (windowsHandler) ReadUInt64(key string) (uint64, error) {
 	}
 	return value, err
 }
+
+func (windowsHandler) ReadBoolean(key string) (bool, error) {
+	value, err := winutil.GetPolicyInteger(key)
+	if errors.Is(err, winutil.ErrNoValue) {
+		err = ErrNoSuchKey
+	}
+	return value != 0, err
+}

util/syspolicy/syspolicy.go

@@ -27,6 +27,15 @@ func GetUint64(key Key, defaultValue uint64) (uint64, error) {
 	return v, err
 }
 
+func GetBoolean(key Key, defaultValue bool) (bool, error) {
+	markHandlerInUse()
+	v, err := handler.ReadBoolean(string(key))
+	if errors.Is(err, ErrNoSuchKey) {
+		return defaultValue, nil
+	}
+	return v, err
+}
+
 // PreferenceOption is a policy that governs whether a boolean variable
 // is forcibly assigned an administrator-defined value, or allowed to receive
 // a user-defined value.

util/syspolicy/syspolicy_test.go

@@ -17,6 +17,7 @@ type testHandler struct {
 	key Key
 	s   string
 	u64 uint64
+	b   bool
 	err error
 }
 
@@ -43,6 +44,13 @@ func (th *testHandler) ReadUInt64(key string) (uint64, error) {
 	return th.u64, th.err
 }
 
+func (th *testHandler) ReadBoolean(key string) (bool, error) {
+	if key != string(th.key) {
+		th.t.Errorf("ReadBool(%q) want %q", key, th.key)
+	}
+	return th.b, th.err
+}
+
 func TestGetString(t *testing.T) {
 	tests := []struct {
 		name         string
@@ -157,6 +165,58 @@ func TestGetUint64(t *testing.T) {
 	}
 }
 
+func TestGetBoolean(t *testing.T) {
+	tests := []struct {
+		name         string
+		key          Key
+		handlerValue bool
+		handlerError error
+		defaultValue bool
+		wantValue    bool
+		wantError    error
+	}{
+		{
+			name:         "read existing value",
+			key:          FlushDNSOnSessionUnlock,
+			handlerValue: true,
+			wantValue:    true,
+		},
+		{
+			name:         "read non-existing value",
+			key:          LogSCMInteractions,
+			handlerValue: false,
+			handlerError: ErrNoSuchKey,
+			wantValue:    false,
+		},
+		{
+			name:         "reading value returns other error",
+			key:          FlushDNSOnSessionUnlock,
+			handlerError: someOtherError,
+			wantError:    someOtherError,
+			defaultValue: true,
+			wantValue:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			setHandlerForTest(t, &testHandler{
+				t:   t,
+				key: tt.key,
+				b:   tt.handlerValue,
+				err: tt.handlerError,
+			})
+			value, err := GetBoolean(tt.key, tt.defaultValue)
+			if err != tt.wantError {
+				t.Errorf("err=%q, want %q", err, tt.wantError)
+			}
+			if value != tt.wantValue {
+				t.Errorf("value=%v, want %v", value, tt.wantValue)
+			}
+		})
+	}
+}
+
 func TestGetPreferenceOption(t *testing.T) {
 	tests := []struct {
 		name         string