mirror of
https://github.com/tailscale/tailscale.git
synced 2025-09-21 13:41:46 +02:00
21f21bd2a2
Fixes #16998 Updates #12614 Change-Id: Idf2b1657898111df4be31f356091b2376d0d7f0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
69 lines
1.5 KiB
Go
69 lines
1.5 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build !ts_omit_syspolicy
|
|
|
|
package localapi
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"tailscale.com/util/httpm"
|
|
"tailscale.com/util/syspolicy/rsop"
|
|
"tailscale.com/util/syspolicy/setting"
|
|
)
|
|
|
|
func init() {
|
|
handler["policy/"] = (*Handler).servePolicy
|
|
}
|
|
|
|
func (h *Handler) servePolicy(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitRead {
|
|
http.Error(w, "policy access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
suffix, ok := strings.CutPrefix(r.URL.EscapedPath(), "/localapi/v0/policy/")
|
|
if !ok {
|
|
http.Error(w, "misconfigured", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
var scope setting.PolicyScope
|
|
if suffix == "" {
|
|
scope = setting.DefaultScope()
|
|
} else if err := scope.UnmarshalText([]byte(suffix)); err != nil {
|
|
http.Error(w, fmt.Sprintf("%q is not a valid scope", suffix), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
policy, err := rsop.PolicyFor(scope)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
var effectivePolicy *setting.Snapshot
|
|
switch r.Method {
|
|
case httpm.GET:
|
|
effectivePolicy = policy.Get()
|
|
case httpm.POST:
|
|
effectivePolicy, err = policy.Reload()
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
default:
|
|
http.Error(w, "unsupported method", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
e := json.NewEncoder(w)
|
|
e.SetIndent("", "\t")
|
|
e.Encode(effectivePolicy)
|
|
}
|