✨ feat: implements APIs for managing ACLs

Headscale currently lacks the APIs to manange the ACLs. The only way possible currently is to load the ACLs via file and changes to the policy requires reloading the headscale process. This also makes it difficult to integrate your headscale via APIs with no ACL management. This commit introduces two APIs that allow your to get and set the policy.
pallabpain · Mar 5, 2024 · 4331948 · 4331948
1 parent a244eab
commit 4331948
Show file tree

Hide file tree

Showing 32 changed files with 1,628 additions and 465 deletions.
diff --git a/.gitignore b/.gitignore
@@ -45,3 +45,6 @@ integration_test/etc/config.dump.yaml
 /site
 
 __debug_bin
+
+acl.json
+
diff --git a/Makefile b/Makefile
@@ -17,7 +17,7 @@ PROTO_SOURCES = $(call rwildcard,,*.proto)
 
 
 build:
-	nix build
+	nix build --extra-experimental-features nix-command
 
 dev: lint test build
 

diff --git a/cmd/headscale/cli/acl.go b/cmd/headscale/cli/acl.go
@@ -0,0 +1,94 @@
+package cli
+
+import (
+	"io"
+	"os"
+
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/types"
+)
+
+func init() {
+	rootCmd.AddCommand(aclCmd)
+	aclCmd.AddCommand(getACL)
+
+	setACL.Flags().StringP("policy", "p", "", "Path to a policy file in JSON format")
+	if err := setACL.MarkFlagRequired("policy"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	aclCmd.AddCommand(setACL)
+}
+
+var aclCmd = &cobra.Command{
+	Use:     "acl",
+	Short:   "Manage the Headscale ACL Policy",
+	Aliases: []string{"acl"},
+}
+
+var getACL = &cobra.Command{
+	Use:     "get",
+	Short:   "Print the current ACL Policy JSON",
+	Aliases: []string{"show", "view", "fetch"},
+	Run: func(cmd *cobra.Command, args []string) {
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.GetACLRequest{}
+
+		response, err := client.GetACL(ctx, request)
+		if err != nil {
+			log.Fatal().Err(err).Msg("Cannot get ACL Policy")
+
+			return
+		}
+
+		SuccessOutput(response.GetPolicy(), "", "json")
+	},
+}
+
+var setACL = &cobra.Command{
+	Use:   "set",
+	Short: "Updates the ACL Policy",
+	Long: `
+	Updates the existing ACL Policy with the provided policy. The policy must be a valid JSON object.
+	This command only works when the acl.policy_mode is set to "db", and the policy will be stored in the database.`,
+	Aliases: []string{"put", "update"},
+	Run: func(cmd *cobra.Command, args []string) {
+		policyPath, _ := cmd.Flags().GetString("policy")
+
+		f, err := os.Open(policyPath)
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error opening the policy file")
+
+			return
+		}
+		defer f.Close()
+
+		policyBytes, err := io.ReadAll(f)
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error reading the policy file")
+
+			return
+		}
+
+		acl := types.ACL{Policy: policyBytes}
+
+		request := &v1.SetACLRequest{Policy: acl.Proto().GetPolicy()}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		if _, err := client.SetACL(ctx, request); err != nil {
+			log.Fatal().Err(err).Msg("Failed to set ACL Policy")
+
+			return
+		}
+
+		SuccessOutput(nil, "ACL Policy updated.", "")
+	},
+}
diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
@@ -8,16 +8,16 @@ import (
 	"os"
 	"reflect"
 
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
-	"github.com/juanfont/headscale/hscontrol/policy"
-	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"gopkg.in/yaml.v3"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 )
 
 const (
@@ -39,21 +39,6 @@ func getHeadscaleApp() (*hscontrol.Headscale, error) {
 		return nil, err
 	}
 
-	// We are doing this here, as in the future could be cool to have it also hot-reload
-
-	if cfg.ACL.PolicyPath != "" {
-		aclPath := util.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
-		pol, err := policy.LoadACLPolicyFromPath(aclPath)
-		if err != nil {
-			log.Fatal().
-				Str("path", aclPath).
-				Err(err).
-				Msg("Could not load the ACL policy")
-		}
-
-		app.ACLPolicy = pol
-	}
-
 	return app, nil
 }
 
@@ -89,7 +74,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 
 		// Try to give the user better feedback if we cannot write to the headscale
 		// socket.
-		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) //nolint
+		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) // nolint
 		if err != nil {
 			if os.IsPermission(err) {
 				log.Fatal().
@@ -167,13 +152,13 @@ func SuccessOutput(result interface{}, override string, outputFormat string) {
 			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	default:
-		//nolint
+		// nolint
 		fmt.Println(override)
 
 		return
 	}
 
-	//nolint
+	// nolint
 	fmt.Println(string(jsonBytes))
 }
 

diff --git a/config-example.yaml b/config-example.yaml
@@ -203,7 +203,9 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+acl:
+  policy_path: ""
+  policy_mode: "db"
 
 ## DNS
 #
Original file line number	Diff line number	Diff line change
Expand Up		@@ -45,3 +45,6 @@ integration_test/etc/config.dump.yaml
		/site

		__debug_bin

		acl.json
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,7 +17,7 @@ PROTO_SOURCES = $(call rwildcard,,*.proto) @@
     build:
-    	nix build
+    	nix build --extra-experimental-features nix-command
     dev: lint test build
@@ Expand Down @@