cli: only validate bypass-grpc set policy

When adding the mode to bypass gRPC, a naive policy validation was added to both the gRPC set, and the bypass mode. This caused the policy to invalidate in unexpected ways as the gRPC already handles this validation in the backend. This commit moves the validation logic into the bypass branch. Fixes #2825 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-11-10 01:20:58 +01:00 · 2025-11-01 11:04:36 +01:00 · 2025-11-01 11:04:36 +01:00 · c54e9171cd
commit c54e9171cd
parent f9bb88ad24
1 changed files with 11 additions and 6 deletions
--- a/cmd/headscale/cli/policy.go
+++ b/cmd/headscale/cli/policy.go
@ -127,12 +127,6 @@ var setPolicy = &cobra.Command{
 			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
 		}

-		_, err = policy.NewPolicyManager(policyBytes, nil, views.Slice[types.NodeView]{})
-		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
-			return
-		}
-
 		if bypass, _ := cmd.Flags().GetBool(bypassFlag); bypass {
 			confirm := false
 			force, _ := cmd.Flags().GetBool("force")
@ -159,6 +153,17 @@ var setPolicy = &cobra.Command{
 				ErrorOutput(err, fmt.Sprintf("Failed to open database: %s", err), output)
 			}

+			users, err := d.ListUsers()
+			if err != nil {
+				ErrorOutput(err, fmt.Sprintf("Failed to load users for policy validation: %s", err), output)
+			}
+
+			_, err = policy.NewPolicyManager(policyBytes, users, views.Slice[types.NodeView]{})
+			if err != nil {
+				ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
+				return
+			}
+
 			_, err = d.SetPolicy(string(policyBytes))
 			if err != nil {
 				ErrorOutput(err, fmt.Sprintf("Failed to set ACL Policy: %s", err), output)