make acl_policy_path fatal if policy.path is not set

The alias manager in Cobra has some sharp edges and it seem to not work as we expect, causing it to have some silent failures with both config files and ENV. This commits makes the new policy.path variable mandatory and fixes the issue where the config file would not load. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
juanfont · Aug 19, 2024 · b6a3012 · b6a3012
1 parent 0582659
commit b6a3012
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 5 deletions.
diff --git a/config-example.yaml b/config-example.yaml
@@ -224,8 +224,8 @@ policy:
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-# Please not that for the DNS configuration to have any effect,
-# clients must have the `--accept-ds=true` option enabled. This is the
+# Please note that for the DNS configuration to have any effect,
+# clients must have the `--accept-dns=true` option enabled. This is the
 # default for the Tailscale client. This option is enabled by default
 # in the Tailscale client.
 #

diff --git a/hscontrol/types/config.go b/hscontrol/types/config.go
@@ -292,7 +292,7 @@ func LoadConfig(path string, isFile bool) error {
 	// https://github.com/spf13/viper/issues/560
 
 	// Alias the old ACL Policy path with the new configuration option.
-	depr.warnWithAlias("policy.path", "acl_policy_path")
+	depr.fatalIfNewKeyIsNotUsed("policy.path", "acl_policy_path")
 
 	// Move dns_config -> dns
 	depr.warn("dns_config.override_local_dns")

diff --git a/hscontrol/types/config_test.go b/hscontrol/types/config_test.go
@@ -161,6 +161,25 @@ func TestReadConfig(t *testing.T) {
 			},
 			wantErr: "",
 		},
+		{
+			name:       "policy-path-is-loaded",
+			configPath: "testdata/policy-path-is-loaded.yaml",
+			setup: func(t *testing.T) (any, error) {
+				cfg, err := GetHeadscaleConfig()
+				if err != nil {
+					return nil, err
+				}
+
+				return map[string]string{
+					"policy.mode": string(cfg.Policy.Mode),
+					"policy.path": cfg.Policy.Path,
+				}, err
+			},
+			want: map[string]string{
+				"policy.mode": "file",
+				"policy.path": "/etc/policy.hujson",
+			},
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/hscontrol/types/testdata/policy-path-is-loaded.yaml b/hscontrol/types/testdata/policy-path-is-loaded.yaml
@@ -0,0 +1,18 @@
+noise:
+  private_key_path: "private_key.pem"
+
+prefixes:
+  v6: fd7a:115c:a1e0::/48
+  v4: 100.64.0.0/10
+
+database:
+  type: sqlite3
+
+server_url: "https://derp.no"
+
+acl_policy_path: "/etc/acl_policy.yaml"
+policy:
+  type: file
+  path: "/etc/policy.hujson"
+
+dns.magic_dns: false
diff --git a/integration/hsic/config.go b/integration/hsic/config.go
@@ -13,7 +13,7 @@ noise:
 func DefaultConfigEnv() map[string]string {
 	return map[string]string{
 		"HEADSCALE_LOG_LEVEL":                         "trace",
-		"HEADSCALE_ACL_POLICY_PATH":                   "",
+		"HEADSCALE_POLICY_PATH":                       "",
 		"HEADSCALE_DATABASE_TYPE":                     "sqlite",
 		"HEADSCALE_DATABASE_SQLITE_PATH":              "/tmp/integration_test_db.sqlite3",
 		"HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT": "30m",

diff --git a/integration/hsic/hsic.go b/integration/hsic/hsic.go
@@ -82,7 +82,7 @@ type Option = func(c *HeadscaleInContainer)
 func WithACLPolicy(acl *policy.ACLPolicy) Option {
 	return func(hsic *HeadscaleInContainer) {
 		// TODO(kradalby): Move somewhere appropriate
-		hsic.env["HEADSCALE_ACL_POLICY_PATH"] = aclPolicyPath
+		hsic.env["HEADSCALE_POLICY_PATH"] = aclPolicyPath
 
 		hsic.aclPolicy = acl
 	}