net/tshttpproxy: add macOS support for system proxy

Adds a setter for proxyFunc to allow macOS to pull defined
system proxies. Disallows overriding if proxyFunc is set via config.

Updates tailscale/corp#30668

Signed-off-by: Will Hannah <willh@tailscale.com>

net/tshttpproxy/tshttpproxy.go

@@ -31,13 +31,34 @@ func InvalidateCache() {
 	noProxyUntil = time.Time{}
 }
 
+// proxyQueryFn is a function type that accepts a request URL and returns one of:
+// a proxy server URL to be used for the request,
+// nil if no proxy is enabled for the request,
+// an error if proxy settings cannot be resolved.
+type proxyQueryFn func(*url.URL) (*url.URL, error)
+
 var (
 	mu           sync.Mutex
 	noProxyUntil time.Time         // if non-zero, time at which ProxyFromEnvironment should check again
 	config       *httpproxy.Config // used to create proxyFunc
-	proxyFunc    func(*url.URL) (*url.URL, error)
+	proxyFunc    proxyQueryFn
 )
 
+// SetProxyFunc can be used by clients to set a platform-specific function for proxy resolution.
+// If config is set when this function is called, an error will be returned.
+func SetProxyFunc(fn proxyQueryFn) error {
+	mu.Lock()
+	defer mu.Unlock()
+
+	// Allow override only if config is not set
+	if config == nil {
+		proxyFunc = fn
+		return nil
+	}
+
+	return fmt.Errorf("tshttpproxy: SetProxyFunc can only be called when config is not set")
+}
+
 func getProxyFunc() func(*url.URL) (*url.URL, error) {
 	// Create config/proxyFunc if it's not created
 	mu.Lock()