validate policy against nodes, error if not valid #2089

Merged: 5 commits merged into juanfont:main on Aug 30, 2024

Collaborator

@kradalby kradalby commented Aug 30, 2024

This commit aims to improve the feedback of "runtime" policy errors which would only manifest when the rules are compiled to filter rules with nodes.

This change will, in:

  • file-based mode: load the nodes from the db and try to compile the rules on start up, and return an error if they would not work as intended.
  • database-based mode: prevent a new ACL being written to the database if it does not compile with the current set of nodes.

Fixes #2073
Fixes #2044

Summary by CodeRabbit

  • New Features

    • Enhanced validation for Access Control List (ACL) policies to prevent runtime errors from invalid configurations.
    • Improved error reporting with additional context when setting policies, aiding in better issue traceability.
  • Bug Fixes

    • Resolved potential issues related to policy application by ensuring policies are validated against the current database state.
    • Added tests to validate error handling for invalid policy configurations, ensuring system integrity.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
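
The validate-before-persist behaviour described in the pull request, as an added Go sketch that is not headscale's code. The types, `Compile` and `SetPolicy` are simplified, hypothetical stand-ins, and the only compile-time error modelled is the invalid action that the PR's test exercises.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified, hypothetical types for illustration; not headscale's own.
type Rule struct{ Action, Src, Dst string } // Src/Dst: a user name or "*"
type Policy struct{ ACLs []Rule }
type Node struct{ User, IP string }
type FilterRule struct{ SrcIPs, DstIPs []string }
type Store struct{ Active *Policy } // stand-in for the database

var ErrInvalidAction = errors.New("invalid action")

// expand resolves an alias to the IPs of the matching current nodes.
func expand(alias string, nodes []Node) (ips []string) {
	for _, n := range nodes {
		if alias == "*" || alias == n.User {
			ips = append(ips, n.IP)
		}
	}
	return ips
}

// Compile turns a policy into filter rules for the given nodes; a bad rule
// that parses cleanly is only detected here.
func Compile(p *Policy, nodes []Node) ([]FilterRule, error) {
	var out []FilterRule
	for i, r := range p.ACLs {
		if r.Action != "accept" {
			return nil, fmt.Errorf("acl %d: %w: %q", i, ErrInvalidAction, r.Action)
		}
		out = append(out, FilterRule{expand(r.Src, nodes), expand(r.Dst, nodes)})
	}
	return out, nil
}

// SetPolicy persists the candidate only if it compiles against the nodes.
func (s *Store) SetPolicy(p *Policy, nodes []Node) error {
	if _, err := Compile(p, nodes); err != nil {
		return fmt.Errorf("validating policy against nodes: %w", err)
	}
	s.Active = p
	return nil
}

func main() {
	fmt.Println((&Store{}).SetPolicy(&Policy{ACLs: []Rule{{"invalid", "*", "*"}}}, nil))
}
```
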
Contributor

coderabbitai bot commented Aug 30, 2024

Walkthrough

The changes enhance the loadACLPolicy function and the SetPolicy method, introducing validation for Access Control List (ACL) policies. The validation ensures that only correct configurations are accepted, preventing errors related to invalid policies. Error handling is improved by wrapping error messages with context, making it easier to trace issues. These modifications aim to bolster the robustness and reliability of policy management in the system.

Changes

| Files | Change Summary |
|---|---|
| hscontrol/app.go | Enhanced loadACLPolicy function with validation logic for ACL policies, including error handling for node loading and policy compilation. |
| hscontrol/grpcv1.go | Updated SetPolicy method to replace variable handling and improve error reporting, adding validation against database nodes before policy application. |
| .github/workflows/test-integration.yaml | Added TestPolicyBrokenConfigCommand to improve testing coverage for invalid policy configurations. |
| integration/cli_test.go | Introduced TestPolicyBrokenConfigCommand to validate handling of invalid actions in policy configuration. |
| integration/dockertestutil/execute.go | Changed HEADSCALE_LOG_LEVEL environment variable from "disabled" to "info" for improved logging. |
| integration/hsic/hsic.go | Enhanced error handling in Execute method to provide more informative error messages during command execution. |

Assessment against linked issues

| Objective | Addressed | Explanation |
|---|---|---|
| Validate ACL before applying policies to prevent errors (#2044) | | |
| Address "invalid action" error during node registration (#2073) | | Changes do not directly address node registration errors. |

🐇 In fields of green, I hop with glee,
Policies now checked, as safe as can be!
No more errors to make me frown,
With valid rules, we’ll wear the crown!
Hooray for changes, let’s dance and play,
In our tailnet, we’ll frolic all day! 🌼

@kradalby
Collaborator Author

@pallabpain What do you think about this?

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between fffd9d7 and 4bd6936.

Files selected for processing (2)
  • hscontrol/app.go (1 hunks)
  • hscontrol/grpcv1.go (2 hunks)

hscontrol/grpcv1.go (resolved)
hscontrol/app.go (resolved)
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
@kradalby kradalby marked this pull request as ready for review August 30, 2024 11:11
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 4bd6936 and be6acdd.

Files selected for processing (4)
  • .github/workflows/test-integration.yaml (1 hunks)
  • integration/cli_test.go (1 hunks)
  • integration/dockertestutil/execute.go (1 hunks)
  • integration/hsic/hsic.go (1 hunks)
Additional comments not posted (4)
integration/dockertestutil/execute.go (1)

65-65: Approve the change in logging level but verify impact.

The change to set HEADSCALE_LOG_LEVEL to "info" is approved as it can aid in debugging. However, it's important to verify that this does not lead to excessive logging, especially in production environments, which could affect performance and log storage costs.

Run the following script to monitor log file sizes and performance during peak times:

Verification successful

Logging level change is consistent but verify appropriateness for use case.

The change to set HEADSCALE_LOG_LEVEL to "info" in integration/dockertestutil/execute.go aligns with the existing logging practices in the codebase. Ensure that this level is suitable for the intended environment, as it may increase log verbosity. Consider the impact on performance and log storage, especially in production settings.

  • Check if "info" level logging is appropriate for the specific use case in integration/dockertestutil/execute.go.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Monitor log file sizes and system performance.

# Monitor log file growth over a 24-hour period.
find /var/log -type f -name '*.log' -exec ls -lh {} \; | awk '{ print $5, $9 }'

# Check system performance.
top -b -n1 | head -n 5

Length of output: 224


Script:

#!/bin/bash
# Search for logging configurations or usages in the codebase that might be affected by the change.
rg 'HEADSCALE_LOG_LEVEL' -A 5

# Check for any documentation or test files related to logging.
fd -e md -e go | xargs rg 'logging|HEADSCALE_LOG_LEVEL'

Length of output: 2499

integration/cli_test.go (1)

1680-1752: Review of the new test function TestPolicyBrokenConfigCommand.

The test function TestPolicyBrokenConfigCommand is well-structured and addresses the PR objectives effectively by testing the policy command with an invalid action. Here are some specific observations and suggestions:

  1. Error Handling and Assertions:

    • The use of assert.ErrorContains to check for specific error messages is appropriate and ensures that the system reacts correctly to configuration errors.
    • It's good to see that the test checks both the failure of setting an invalid policy and the absence of any policy after the attempt, which confirms that no invalid data persists in the system.
  2. Test Isolation and Cleanup:

    • The commented out defer scenario.Shutdown() on line 1686 should typically be enabled to ensure that resources are cleaned up after the test. If there's a specific reason for it being commented out (e.g., for debugging), it would be helpful to include a comment explaining this.
  3. Policy Definition Clarity:

    • The policy is defined inline within the test. While this is acceptable for small examples, if policies become more complex or need to be reused across tests, consider defining them in a separate helper function or a test data file.
  4. File Handling:

    • Writing to a hardcoded file path (/etc/headscale/policy.json) might lead to conflicts or require elevated permissions depending on the environment. If possible, use a temporary file or a mock file system for testing.
  5. Documentation and Comments:

    • The comments within the test are clear and provide good documentation of what each step is intended to achieve. This is particularly useful in understanding the purpose of the test and the expected outcomes.

Overall, the test function is a valuable addition to the test suite, enhancing the robustness of the policy management feature by ensuring that only valid configurations are applied.

The implementation of the test function is correct and aligns with the objectives of the PR. Minor improvements could be made regarding resource cleanup and file handling to enhance the test's robustness and maintainability.

.github/workflows/test-integration.yaml (1)

40-40: Approval of the new test case addition.

The addition of TestPolicyBrokenConfigCommand is a positive step towards enhancing the robustness of policy command functionalities. It is crucial to ensure that this test covers all scenarios where policy configurations might fail, providing comprehensive feedback and preventing runtime errors.

The code changes are approved.

integration/hsic/hsic.go (1)

554-554: Enhanced error reporting in the Execute method.

The modification to include both stdout and stderr in the error message when command execution fails is a significant improvement. This change will aid in debugging and provide clearer context on what went wrong during command execution.

The code changes are approved.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between be6acdd and d5a3253.

Files selected for processing (1)
  • integration/cli_test.go (1 hunks)
Files skipped from review as they are similar to previous changes (1)
  • integration/cli_test.go

@kradalby kradalby merged commit 2b5e52b into juanfont:main Aug 30, 2024
112 of 113 checks passed
@kradalby kradalby deleted the kradalby/acl-invalid-action branch August 30, 2024 14:58
@pallabpain
Contributor

> @pallabpain What do you think about this?

Sorry, I did not get a chance to look at this. I was thinking more along the lines of validating the incoming policy bytes at the time of unmarshaling it into the ACL type. But this looks good. 👍🏼

Successfully merging this pull request may close these issues.

  • [Bug] "Could not get the create map update"
  • [Feature] Headscale policy set validate ACL before applying?