authorBrad Fitzpatrick <bradfitz@tailscale.com>2025-01-21 12:34:15 -0800
committerBrad Fitzpatrick <bradfitz@tailscale.com>2025-01-21 14:34:19 -0800
commit3116dbefacba11586b99acd1dc0891adf40d76ca (patch)
treee04f0f450d3b8cd24e440016211f1b8174ce879a /control/controlclient
parentb50d32059f1b33311dbba96a57c82d33a28f0e1f (diff)
util/syspolicy/policyclient: add Client interface to the syspolicy universe (branch: bradfitz/syspolicy_key)
This removes the dependency on syspolicy/... from LocalBackend and tailscaled when ts_omit_syspolicy is true. Updates #12614 Change-Id: I309deb0f50f8e7d6bc11454e4210bb3b358abc77 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Diffstat (limited to 'control/controlclient')
-rw-r--r--control/controlclient/direct.go17
-rw-r--r--control/controlclient/sign_supported.go11
-rw-r--r--control/controlclient/sign_unsupported.go3
3 files changed, 19 insertions, 12 deletions
diff --git a/control/controlclient/direct.go b/control/controlclient/direct.go
index c436bc8b1..d3167d6e3 100644
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -6,6 +6,7 @@ package controlclient
import (
"bufio"
"bytes"
+ "cmp"
"context"
"encoding/binary"
"encoding/json"
@@ -53,7 +54,8 @@ import (
"tailscale.com/util/clientmetric"
"tailscale.com/util/multierr"
"tailscale.com/util/singleflight"
- "tailscale.com/util/syspolicy"
+ "tailscale.com/util/syspolicy/pkey"
+ "tailscale.com/util/syspolicy/policyclient"
"tailscale.com/util/systemd"
"tailscale.com/util/testenv"
"tailscale.com/util/zstdframe"
@@ -76,6 +78,7 @@ type Direct struct {
debugFlags []string
skipIPForwardingCheck bool
pinger Pinger
+ polc policyclient.Client // always non-nil
popBrowser func(url string) // or nil
c2nHandler http.Handler // or nil
onClientVersion func(*tailcfg.ClientVersion) // or nil
@@ -124,9 +127,10 @@ type Options struct {
Hostinfo *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
DiscoPublicKey key.DiscoPublic
Logf logger.Logf
- HTTPTestClient *http.Client // optional HTTP client to use (for tests only)
- NoiseTestClient *http.Client // optional HTTP client to use for noise RPCs (tests only)
- DebugFlags []string // debug settings to send to control
+ PolicyClient policyclient.Client // or nil for none
+ HTTPTestClient *http.Client // optional HTTP client to use (for tests only)
+ NoiseTestClient *http.Client // optional HTTP client to use for noise RPCs (tests only)
+ DebugFlags []string // debug settings to send to control
HealthTracker *health.Tracker
PopBrowserURL func(url string) // optional func to open browser
OnClientVersion func(*tailcfg.ClientVersion) // optional func to inform GUI of client version status
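Review bot: The comment on the new `PolicyClient` field, `// or nil for none`, leaves "none" ambiguous, while the `polc` field on Direct is documented as `// always non-nil`; NewDirect resolves the gap by substituting `policyclient.NoPolicyClient{}`, so the Options doc should say that rather than make the reader find it: `PolicyClient policyclient.Client // or nil to fall back to policyclient.NoPolicyClient (no policy values)`. Spelling out the fallback also tells ts_omit_syspolicy readers that machine-certificate signing and the Tailnet register field are simply absent in that configuration, not failing.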
@@ -296,6 +300,7 @@ func NewDirect(opts Options) (*Direct, error) {
health: opts.HealthTracker,
skipIPForwardingCheck: opts.SkipIPForwardingCheck,
pinger: opts.Pinger,
+ polc: cmp.Or(opts.PolicyClient, policyclient.Client(policyclient.NoPolicyClient{})),
popBrowser: opts.PopBrowserURL,
onClientVersion: opts.OnClientVersion,
onTailnetDefaultAutoUpdate: opts.OnTailnetDefaultAutoUpdate,
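Review bot: `cmp.Or` compares `opts.PolicyClient` with the zero interface, so a typed nil pointer that implements `policyclient.Client` would pass through unchanged and the `// always non-nil` promise on `polc` would hold for the interface header only, not for the value later called as `c.polc.GetString`. Callers are outside this diff, so this may be moot; if any Client implementation uses pointer receivers, either the Options doc should state that a typed nil is unsupported or NewDirect should reject it explicitly. The fallback side is fine as written, since `policyclient.NoPolicyClient{}` is a value. NewDirect's body continues outside the hunk.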
@@ -606,7 +611,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
return regen, opt.URL, nil, err
}
- tailnet, err := syspolicy.GetString(syspolicy.Tailnet, "")
+ tailnet, err := c.polc.GetString(pkey.Tailnet, "")
if err != nil {
c.logf("unable to provide Tailnet field in register request. err: %v", err)
}
@@ -636,7 +641,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
AuthKey: authKey,
}
}
- err = signRegisterRequest(&request, c.serverURL, c.serverLegacyKey, machinePrivKey.Public())
+ err = signRegisterRequest(c.polc, &request, c.serverURL, c.serverLegacyKey, machinePrivKey.Public())
if err != nil {
// If signing failed, clear all related fields
request.SignatureType = tailcfg.SignatureNone
diff --git a/control/controlclient/sign_supported.go b/control/controlclient/sign_supported.go
index a5d42ad7d..439e6d36b 100644
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -18,7 +18,8 @@ import (
"github.com/tailscale/certstore"
"tailscale.com/tailcfg"
"tailscale.com/types/key"
- "tailscale.com/util/syspolicy"
+ "tailscale.com/util/syspolicy/pkey"
+ "tailscale.com/util/syspolicy/policyclient"
)
// getMachineCertificateSubject returns the exact name of a Subject that needs
@@ -30,8 +31,8 @@ import (
// each RegisterRequest will be unsigned.
//
// Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
-func getMachineCertificateSubject() string {
- machineCertSubject, _ := syspolicy.GetString(syspolicy.MachineCertificateSubject, "")
+func getMachineCertificateSubject(polc policyclient.Client) string {
+ machineCertSubject, _ := polc.GetString(pkey.MachineCertificateSubject, "")
return machineCertSubject
}
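Review bot: `getMachineCertificateSubject` still discards the error from `polc.GetString` on L110, so a failed policy read is indistinguishable from an unset policy and the caller then returns errCertificateNotConfigured, sending the RegisterRequest unsigned; now that the policy source is injected rather than fixed, the function's doc comment (which starts above the hunk) should record that: `// polc is the policy source the subject is read from; a read error is treated like an unset value.` The same documentation gap applies to `signRegisterRequest` in the next hunk (L117-118), whose comment does not mention the new `polc` parameter and whose body continues outside the hunk.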
@@ -136,7 +137,7 @@ func findIdentity(subject string, st certstore.Store) (certstore.Identity, []*x5
// using that identity's public key. In addition to the signature, the full
// certificate chain is included so that the control server can validate the
// certificate from a copy of the root CA's certificate.
-func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey key.MachinePublic) (err error) {
+func signRegisterRequest(polc policyclient.Client, req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey key.MachinePublic) (err error) {
defer func() {
if err != nil {
err = fmt.Errorf("signRegisterRequest: %w", err)
@@ -147,7 +148,7 @@ func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverP
return errBadRequest
}
- machineCertificateSubject := getMachineCertificateSubject()
+ machineCertificateSubject := getMachineCertificateSubject(polc)
if machineCertificateSubject == "" {
return errCertificateNotConfigured
}
diff --git a/control/controlclient/sign_unsupported.go b/control/controlclient/sign_unsupported.go
index 5e161dcbc..f6c4ddc62 100644
--- a/control/controlclient/sign_unsupported.go
+++ b/control/controlclient/sign_unsupported.go
@@ -8,9 +8,10 @@ package controlclient
import (
"tailscale.com/tailcfg"
"tailscale.com/types/key"
+ "tailscale.com/util/syspolicy/policyclient"
)
// signRegisterRequest on non-supported platforms always returns errNoCertStore.
-func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey key.MachinePublic) error {
+func signRegisterRequest(polc policyclient.Client, req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey key.MachinePublic) error {
return errNoCertStore
}