mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-08 00:50:20 +09:00
1ef18fb010
policy check previously ran the full policy engine in-process inside the CLI, building a sandbox PolicyManager from the file and the database. That duplicated the engine's runtime dependencies onto the CLI and forced --bypass-grpc-and-access-database-directly to pull in full server config validation. nblock hit it on PR #3229: passing --bypass with a real config produced a flood of 'Fatal config error:' lines from validateServerConfig because the cobra init early-return for 'policy check' skipped --config registration and OnInitialize. Make 'policy check' a thin frontend for the new CheckPolicy gRPC method. The server-side handler builds a fresh PolicyManager from the request bytes and the state's live users/nodes, runs SetPolicy on the sandbox so the tests block executes, and returns the result through gRPC status. No persistence, no policy_mode coupling. --bypass-grpc-and-access-database-directly keeps doing what its name says — opens the DB directly for cases where the server is not running — but is no longer the only way to evaluate a tests block. Drop the 'policy check' early-return in cmd/headscale/cli/root.go (added in PR #2580 when check was syntax-only). All paths now need either gRPC or direct DB access, both of which want the config and flags the rest of cobra init sets up. integration/cli_policy_test.go covers the matrix nblock asked about: policy_mode={file,database} x fixture={acl-only, acl+passing-tests, acl+failing-tests} x bypass={false,true} = 12 rows. acl-only and acl-plus-passing-tests must pass; acl-plus-failing-tests must surface 'test(s) failed'; the policy_mode axis proves check does not depend on where the server stores its current policy. Updates #1803