headscale/hscontrol
Kristoffer Dalby 1ef18fb010 cli/policy: route check through gRPC; bypass goes direct to DB
policy check previously ran the full policy engine in-process inside
the CLI, building a sandbox PolicyManager from the file and the
database. That duplicated the engine's runtime dependencies onto the
CLI and forced --bypass-grpc-and-access-database-directly to pull in
full server config validation. nblock hit it on PR #3229: passing
--bypass with a real config produced a flood of 'Fatal config error:'
lines from validateServerConfig because the cobra init early-return
for 'policy check' skipped --config registration and OnInitialize.

Make 'policy check' a thin frontend for the new CheckPolicy gRPC
method. The server-side handler builds a fresh PolicyManager from the
request bytes and the state's live users/nodes, runs SetPolicy on the
sandbox so the tests block executes, and returns the result through
gRPC status. No persistence, no policy_mode coupling.

--bypass-grpc-and-access-database-directly keeps doing what its name
says — opens the DB directly for cases where the server is not
running — but is no longer the only way to evaluate a tests block.

Drop the 'policy check' early-return in cmd/headscale/cli/root.go
(added in PR #2580 when check was syntax-only). All paths now need
either gRPC or direct DB access, both of which want the config and
flags the rest of cobra init sets up.

integration/cli_policy_test.go covers the matrix nblock asked about:
policy_mode={file,database} x fixture={acl-only, acl+passing-tests,
acl+failing-tests} x bypass={false,true} = 12 rows. acl-only and
acl-plus-passing-tests must pass; acl-plus-failing-tests must surface
'test(s) failed'; the policy_mode axis proves check does not depend
on where the server stores its current policy.

Updates #1803
2026-05-11 14:09:59 +00:00
..
assets assets: fix logo alignment and error icon centering 2026-04-13 17:23:47 +01:00
capver capver: regenerate for tailscale v1.96 2026-04-08 13:00:22 +01:00
db all: rephrase prose to fit codebase voice 2026-04-29 16:22:19 +01:00
derp all: fix golangci-lint issues (#3064) 2026-02-06 21:45:32 +01:00
dns Fix typo in comment about fsnotify behavior 2026-02-27 15:23:06 +01:00
mapper state: switch consumers to NodeStore primary routes 2026-04-29 18:08:39 +01:00
policy policy/v2: match default proto set for tests with no proto 2026-05-09 14:10:33 +00:00
servertest servertest: cover via-grant exit-node visibility end-to-end 2026-04-30 19:22:45 +01:00
state state: avoid nil deref in registration handlers when old user is missing 2026-05-06 07:23:02 +01:00
templates all: rephrase prose to fit codebase voice 2026-04-29 16:22:19 +01:00
types oidc: handle groups claim as string or array (FlexibleStringSlice) 2026-05-04 15:26:53 +02:00
util hscontrol: route hostname handling through dnsname and NodeStore 2026-04-18 15:12:21 +01:00
app.go app: add security headers middleware 2026-04-17 16:31:49 +01:00
app_test.go app: add security headers middleware 2026-04-17 16:31:49 +01:00
auth.go hscontrol: route hostname handling through dnsname and NodeStore 2026-04-18 15:12:21 +01:00
auth_tags_test.go state: note tagged-path coverage and self-healing behaviour for #3199 2026-04-29 13:06:38 +01:00
auth_test.go state: avoid nil deref in registration handlers when old user is missing 2026-05-06 07:23:02 +01:00
debug.go debug: explain URLIsNoise choice in ping callback 2026-04-17 16:31:49 +01:00
grpcv1.go cli/policy: route check through gRPC; bypass goes direct to DB 2026-05-11 14:09:59 +00:00
grpcv1_test.go all: rephrase prose to fit codebase voice 2026-04-29 16:22:19 +01:00
handlers.go oidc: render HTML error pages for browser-facing failures 2026-04-13 17:23:47 +01:00
handlers_test.go oidc: render HTML error pages for browser-facing failures 2026-04-13 17:23:47 +01:00
metrics.go all: fix golangci-lint issues (#3064) 2026-02-06 21:45:32 +01:00
noise.go noise: reject non-HEAD on PingResponseHandler 2026-04-17 16:31:49 +01:00
noise_test.go policy/v2: align SSH check action with SaaS wire format 2026-04-17 16:31:49 +01:00
oidc.go oidc: render HTML error pages for browser-facing failures 2026-04-13 17:23:47 +01:00
oidc_confirm_test.go oidc: add confirmation page for node registration 2026-04-10 14:09:57 +01:00
oidc_template_test.go oidc: render HTML error pages for browser-facing failures 2026-04-13 17:23:47 +01:00
oidc_test.go oidc: make email verification configurable 2025-12-18 11:42:32 +00:00
platform_config.go all: fix golangci-lint issues (#3064) 2026-02-06 21:45:32 +01:00
poll.go types: add node.expiry config, deprecate oidc.expiry 2026-04-08 13:00:22 +01:00
poll_test.go poll: fix poll test linter violations 2026-03-12 01:27:34 -07:00
tailsql.go all: fix golangci-lint issues (#3064) 2026-02-06 21:45:32 +01:00
templates_consistency_test.go Update links to Tailscale documentation 2026-04-18 09:33:41 +02:00