2023-05-10 09:24:05 +02:00
|
|
|
package hscontrol
|
2022-08-14 21:15:58 +02:00
|
|
|
|
|
|
|
import (
|
2024-02-08 17:28:19 +01:00
|
|
|
"context"
|
2023-11-23 08:31:33 +01:00
|
|
|
"encoding/json"
|
2022-08-19 14:20:24 +02:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2022-08-14 21:15:58 +02:00
|
|
|
"net/http"
|
2022-08-19 14:20:24 +02:00
|
|
|
"time"
|
2022-08-14 21:15:58 +02:00
|
|
|
|
2024-02-08 17:28:19 +01:00
|
|
|
"github.com/juanfont/headscale/hscontrol/db"
|
2023-05-21 18:37:59 +02:00
|
|
|
"github.com/juanfont/headscale/hscontrol/types"
|
2023-05-11 09:09:18 +02:00
|
|
|
"github.com/juanfont/headscale/hscontrol/util"
|
2022-08-14 21:15:58 +02:00
|
|
|
"github.com/rs/zerolog/log"
|
2022-08-19 14:20:24 +02:00
|
|
|
"gorm.io/gorm"
|
2022-08-14 21:15:58 +02:00
|
|
|
"tailscale.com/tailcfg"
|
2022-08-19 14:20:24 +02:00
|
|
|
"tailscale.com/types/key"
|
2024-07-18 10:01:59 +02:00
|
|
|
"tailscale.com/types/ptr"
|
2022-08-14 21:15:58 +02:00
|
|
|
)
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
type AuthProvider interface {
|
|
|
|
RegisterHandler(http.ResponseWriter, *http.Request)
|
|
|
|
AuthURL(key.MachinePublic) string
|
|
|
|
}
|
|
|
|
|
2023-12-09 18:09:24 +01:00
|
|
|
func logAuthFunc(
|
|
|
|
registerRequest tailcfg.RegisterRequest,
|
|
|
|
machineKey key.MachinePublic,
|
|
|
|
) (func(string), func(string), func(error, string)) {
|
|
|
|
return func(msg string) {
|
|
|
|
log.Info().
|
|
|
|
Caller().
|
|
|
|
Str("machine_key", machineKey.ShortString()).
|
|
|
|
Str("node_key", registerRequest.NodeKey.ShortString()).
|
|
|
|
Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
|
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
|
|
|
Str("followup", registerRequest.Followup).
|
|
|
|
Time("expiry", registerRequest.Expiry).
|
|
|
|
Msg(msg)
|
|
|
|
},
|
|
|
|
func(msg string) {
|
|
|
|
log.Trace().
|
|
|
|
Caller().
|
|
|
|
Str("machine_key", machineKey.ShortString()).
|
|
|
|
Str("node_key", registerRequest.NodeKey.ShortString()).
|
|
|
|
Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
|
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
|
|
|
Str("followup", registerRequest.Followup).
|
|
|
|
Time("expiry", registerRequest.Expiry).
|
|
|
|
Msg(msg)
|
|
|
|
},
|
|
|
|
func(err error, msg string) {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Str("machine_key", machineKey.ShortString()).
|
|
|
|
Str("node_key", registerRequest.NodeKey.ShortString()).
|
|
|
|
Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
|
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
|
|
|
Str("followup", registerRequest.Followup).
|
|
|
|
Time("expiry", registerRequest.Expiry).
|
|
|
|
Err(err).
|
|
|
|
Msg(msg)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
// handleRegister is the logic for registering a client.
|
2023-06-06 17:14:56 +02:00
|
|
|
func (h *Headscale) handleRegister(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer http.ResponseWriter,
|
|
|
|
req *http.Request,
|
2024-05-17 14:58:33 +02:00
|
|
|
regReq tailcfg.RegisterRequest,
|
2022-08-19 14:20:24 +02:00
|
|
|
machineKey key.MachinePublic,
|
|
|
|
) {
|
2024-09-11 18:27:49 +02:00
|
|
|
logInfo, logTrace, _ := logAuthFunc(regReq, machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
now := time.Now().UTC()
|
2023-12-09 18:09:24 +01:00
|
|
|
logTrace("handleRegister called, looking up machine in DB")
|
2024-05-17 14:58:33 +02:00
|
|
|
node, err := h.db.GetNodeByAnyKey(machineKey, regReq.NodeKey, regReq.OldNodeKey)
|
2023-12-09 18:09:24 +01:00
|
|
|
logTrace("handleRegister database lookup has returned")
|
2022-08-19 14:20:24 +02:00
|
|
|
if errors.Is(err, gorm.ErrRecordNotFound) {
|
2023-09-24 13:42:05 +02:00
|
|
|
// If the node has AuthKey set, handle registration via PreAuthKeys
|
2024-05-17 14:58:33 +02:00
|
|
|
if regReq.Auth != nil && regReq.Auth.AuthKey != "" {
|
|
|
|
h.handleAuthKey(writer, regReq, machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the node is waiting for interactive login.
|
|
|
|
//
|
|
|
|
// TODO(juan): We could use this field to improve our protocol implementation,
|
|
|
|
// and hold the request until the client closes it, or the interactive
|
2023-09-24 13:42:05 +02:00
|
|
|
// login is completed (i.e., the user registers the node).
|
2022-08-19 14:20:24 +02:00
|
|
|
// This is not implemented yet, as it is no strictly required. The only side-effect
|
|
|
|
// is that the client will hammer headscale with requests until it gets a
|
|
|
|
// successful RegisterResponse.
|
2024-05-17 14:58:33 +02:00
|
|
|
if regReq.Followup != "" {
|
2023-12-09 18:09:24 +01:00
|
|
|
logTrace("register request is a followup")
|
2023-11-19 22:37:04 +01:00
|
|
|
if _, ok := h.registrationCache.Get(machineKey.String()); ok {
|
2023-12-09 18:09:24 +01:00
|
|
|
logTrace("Node is waiting for interactive login")
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
select {
|
|
|
|
case <-req.Context().Done():
|
|
|
|
return
|
2023-03-20 11:14:34 +01:00
|
|
|
case <-time.After(registrationHoldoff):
|
2024-05-17 14:58:33 +02:00
|
|
|
h.handleNewNode(writer, regReq, machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-12-09 18:09:24 +01:00
|
|
|
logInfo("Node not found in database, creating new")
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
// The node did not have a key to authenticate, which means
|
2022-08-19 14:20:24 +02:00
|
|
|
// that we rely on a method that calls back some how (OpenID or CLI)
|
2023-09-24 13:42:05 +02:00
|
|
|
// We create the node and then keep it around until a callback
|
2022-08-19 14:20:24 +02:00
|
|
|
// happens
|
2023-09-24 13:42:05 +02:00
|
|
|
newNode := types.Node{
|
2023-11-19 22:37:04 +01:00
|
|
|
MachineKey: machineKey,
|
2024-05-17 14:58:33 +02:00
|
|
|
Hostname: regReq.Hostinfo.Hostname,
|
|
|
|
NodeKey: regReq.NodeKey,
|
2022-08-19 14:20:24 +02:00
|
|
|
LastSeen: &now,
|
|
|
|
Expiry: &time.Time{},
|
|
|
|
}
|
|
|
|
|
2024-05-17 14:58:33 +02:00
|
|
|
if !regReq.Expiry.IsZero() {
|
2023-12-09 18:09:24 +01:00
|
|
|
logTrace("Non-zero expiry time requested")
|
2024-05-17 14:58:33 +02:00
|
|
|
newNode.Expiry = ®Req.Expiry
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
h.registrationCache.Set(
|
2023-11-19 22:37:04 +01:00
|
|
|
machineKey.String(),
|
2023-09-24 13:42:05 +02:00
|
|
|
newNode,
|
2022-08-19 14:20:24 +02:00
|
|
|
)
|
|
|
|
|
2024-05-17 14:58:33 +02:00
|
|
|
h.handleNewNode(writer, regReq, machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
// The node is already in the DB. This could mean one of the following:
|
|
|
|
// - The node is authenticated and ready to /map
|
2022-12-09 17:56:43 +01:00
|
|
|
// - We are doing a key refresh
|
2023-09-24 13:42:05 +02:00
|
|
|
// - The node is logged out (or expired) and pending to be authorized. TODO(juan): We need to keep alive the connection here
|
|
|
|
if node != nil {
|
2022-12-09 17:56:43 +01:00
|
|
|
// (juan): For a while we had a bug where we were not storing the MachineKey for the nodes using the TS2021,
|
|
|
|
// due to a misunderstanding of the protocol https://github.com/juanfont/headscale/issues/1054
|
2023-09-24 13:42:05 +02:00
|
|
|
// So if we have a not valid MachineKey (but we were able to fetch the node with the NodeKeys), we update it.
|
2023-11-19 22:37:04 +01:00
|
|
|
if err != nil || node.MachineKey.IsZero() {
|
2023-09-24 13:42:05 +02:00
|
|
|
if err := h.db.NodeSetMachineKey(node, machineKey); err != nil {
|
2022-12-09 17:56:43 +01:00
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Str("func", "RegistrationHandler").
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-12-09 17:56:43 +01:00
|
|
|
Err(err).
|
|
|
|
Msg("Error saving machine key to database")
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-19 14:20:24 +02:00
|
|
|
// If the NodeKey stored in headscale is the same as the key presented in a registration
|
|
|
|
// request, then we have a node that is either:
|
|
|
|
// - Trying to log out (sending a expiry in the past)
|
2023-09-24 13:42:05 +02:00
|
|
|
// - A valid, registered node, looking for /map
|
|
|
|
// - Expired node wanting to reauthenticate
|
2024-05-17 14:58:33 +02:00
|
|
|
if node.NodeKey.String() == regReq.NodeKey.String() {
|
2022-08-19 14:20:24 +02:00
|
|
|
// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
|
|
|
|
// https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
|
2024-05-17 14:58:33 +02:00
|
|
|
if !regReq.Expiry.IsZero() &&
|
|
|
|
regReq.Expiry.UTC().Before(now) {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
h.handleNodeLogOut(writer, *node)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
// If node is not expired, and it is register, we have a already accepted this node,
|
2022-08-19 14:20:24 +02:00
|
|
|
// let it proceed with a valid registration
|
2023-09-24 13:42:05 +02:00
|
|
|
if !node.IsExpired() {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
h.handleNodeWithValidRegistration(writer, *node)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
|
2024-05-17 14:58:33 +02:00
|
|
|
if node.NodeKey.String() == regReq.OldNodeKey.String() &&
|
2023-09-24 13:42:05 +02:00
|
|
|
!node.IsExpired() {
|
|
|
|
h.handleNodeKeyRefresh(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer,
|
2024-05-17 14:58:33 +02:00
|
|
|
regReq,
|
2023-09-24 13:42:05 +02:00
|
|
|
*node,
|
2022-08-19 14:20:24 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-02-05 10:45:35 +01:00
|
|
|
// When logged out and reauthenticating with OIDC, the OldNodeKey is not passed, but the NodeKey has changed
|
2024-05-17 14:58:33 +02:00
|
|
|
if node.NodeKey.String() != regReq.NodeKey.String() &&
|
|
|
|
regReq.OldNodeKey.IsZero() && !node.IsExpired() {
|
2024-02-05 10:45:35 +01:00
|
|
|
h.handleNodeKeyRefresh(
|
|
|
|
writer,
|
2024-05-17 14:58:33 +02:00
|
|
|
regReq,
|
2024-02-05 10:45:35 +01:00
|
|
|
*node,
|
|
|
|
)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-05-17 14:58:33 +02:00
|
|
|
if regReq.Followup != "" {
|
2023-03-20 11:14:34 +01:00
|
|
|
select {
|
|
|
|
case <-req.Context().Done():
|
|
|
|
return
|
|
|
|
case <-time.After(registrationHoldoff):
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
// The node has expired or it is logged out
|
2024-05-17 14:58:33 +02:00
|
|
|
h.handleNodeExpiredOrLoggedOut(writer, regReq, *node, machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2022-12-09 17:56:43 +01:00
|
|
|
// TODO(juan): RegisterRequest includes an Expiry time, that we could optionally use
|
2023-09-24 13:42:05 +02:00
|
|
|
node.Expiry = &time.Time{}
|
2022-12-09 17:56:43 +01:00
|
|
|
|
|
|
|
// If we are here it means the client needs to be reauthorized,
|
|
|
|
// we need to make sure the NodeKey matches the one in the request
|
|
|
|
// TODO(juan): What happens when using fast user switching between two
|
|
|
|
// headscale-managed tailnets?
|
2024-05-17 14:58:33 +02:00
|
|
|
node.NodeKey = regReq.NodeKey
|
2022-08-20 11:46:44 +02:00
|
|
|
h.registrationCache.Set(
|
2023-11-19 22:37:04 +01:00
|
|
|
machineKey.String(),
|
2023-09-24 13:42:05 +02:00
|
|
|
*node,
|
2022-08-20 11:46:44 +02:00
|
|
|
)
|
|
|
|
|
2022-08-19 14:20:24 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-06-06 17:14:56 +02:00
|
|
|
// handleAuthKey contains the logic to manage auth key client registration
|
2022-08-19 14:20:24 +02:00
|
|
|
// When using Noise, the machineKey is Zero.
|
2023-06-06 17:14:56 +02:00
|
|
|
func (h *Headscale) handleAuthKey(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer http.ResponseWriter,
|
|
|
|
registerRequest tailcfg.RegisterRequest,
|
|
|
|
machineKey key.MachinePublic,
|
|
|
|
) {
|
|
|
|
log.Debug().
|
2023-06-06 17:14:56 +02:00
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msgf("Processing auth key for %s", registerRequest.Hostinfo.Hostname)
|
|
|
|
resp := tailcfg.RegisterResponse{}
|
|
|
|
|
2023-05-21 18:37:59 +02:00
|
|
|
pak, err := h.db.ValidatePreAuthKey(registerRequest.Auth.AuthKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Err(err).
|
|
|
|
Msg("Failed authentication via AuthKey")
|
|
|
|
resp.MachineAuthorized = false
|
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
respBody, err := json.Marshal(resp)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Err(err).
|
|
|
|
Msg("Cannot encode message")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
writer.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
writer.WriteHeader(http.StatusUnauthorized)
|
|
|
|
_, err = writer.Write(respBody)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to write response")
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msg("Failed authentication via AuthKey")
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Debug().
|
2023-06-06 17:14:56 +02:00
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msg("Authentication key was valid, proceeding to acquire IP addresses")
|
|
|
|
|
2023-11-19 22:37:04 +01:00
|
|
|
nodeKey := registerRequest.NodeKey
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
// retrieve node information if it exist
|
2022-08-19 14:20:24 +02:00
|
|
|
// The error is not important, because if it does not
|
2023-09-24 13:42:05 +02:00
|
|
|
// exist, then this is a new node and we will move
|
2022-08-19 14:20:24 +02:00
|
|
|
// on to registration.
|
2023-09-24 13:42:05 +02:00
|
|
|
node, _ := h.db.GetNodeByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
|
|
|
|
if node != nil {
|
2022-08-19 14:20:24 +02:00
|
|
|
log.Trace().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
|
|
|
Msg("node was already registered before, refreshing with new auth key")
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
node.NodeKey = nodeKey
|
2024-07-18 10:01:59 +02:00
|
|
|
if pak.ID != 0 {
|
|
|
|
node.AuthKeyID = ptr.To(pak.ID)
|
2024-05-16 02:40:14 +02:00
|
|
|
}
|
|
|
|
|
2024-05-02 11:53:16 +02:00
|
|
|
node.Expiry = ®isterRequest.Expiry
|
|
|
|
node.User = pak.User
|
|
|
|
node.UserID = pak.UserID
|
|
|
|
err := h.db.DB.Save(node).Error
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Err(err).
|
2024-05-02 11:53:16 +02:00
|
|
|
Msg("failed to save node after logging in with auth key")
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
2022-08-25 12:43:15 +02:00
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
aclTags := pak.Proto().GetAclTags()
|
2022-08-25 12:43:15 +02:00
|
|
|
if len(aclTags) > 0 {
|
|
|
|
// This conditional preserves the existing behaviour, although SaaS would reset the tags on auth-key login
|
2024-02-08 17:28:19 +01:00
|
|
|
err = h.db.SetTags(node.ID, aclTags)
|
2022-09-23 09:58:06 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-09-23 09:58:06 +02:00
|
|
|
Strs("aclTags", aclTags).
|
|
|
|
Err(err).
|
2023-09-24 13:42:05 +02:00
|
|
|
Msg("Failed to set tags after refreshing node")
|
2022-08-25 12:43:15 +02:00
|
|
|
|
2022-09-23 09:58:06 +02:00
|
|
|
return
|
|
|
|
}
|
2022-08-25 12:43:15 +02:00
|
|
|
}
|
2024-02-12 09:11:17 +01:00
|
|
|
|
2024-02-23 10:59:24 +01:00
|
|
|
ctx := types.NotifyCtx(context.Background(), "handle-authkey", "na")
|
2024-05-02 11:53:16 +02:00
|
|
|
h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{Type: types.StatePeerChanged, ChangeNodes: []types.NodeID{node.ID}})
|
2022-08-19 14:20:24 +02:00
|
|
|
} else {
|
|
|
|
now := time.Now().UTC()
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
nodeToRegister := types.Node{
|
2022-08-19 14:20:24 +02:00
|
|
|
Hostname: registerRequest.Hostinfo.Hostname,
|
2023-01-17 20:36:46 +01:00
|
|
|
UserID: pak.User.ID,
|
2024-02-08 17:28:19 +01:00
|
|
|
User: pak.User,
|
2023-11-19 22:37:04 +01:00
|
|
|
MachineKey: machineKey,
|
2023-05-21 18:37:59 +02:00
|
|
|
RegisterMethod: util.RegisterMethodAuthKey,
|
2022-08-19 14:20:24 +02:00
|
|
|
Expiry: ®isterRequest.Expiry,
|
|
|
|
NodeKey: nodeKey,
|
|
|
|
LastSeen: &now,
|
2023-11-23 08:31:33 +01:00
|
|
|
ForcedTags: pak.Proto().GetAclTags(),
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
2024-04-17 07:03:06 +02:00
|
|
|
ipv4, ipv6, err := h.ipAlloc.Next()
|
2024-02-18 19:31:29 +01:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Str("func", "RegistrationHandler").
|
|
|
|
Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
|
|
|
|
Err(err).
|
|
|
|
Msg("failed to allocate IP ")
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-05-16 02:40:14 +02:00
|
|
|
pakID := uint(pak.ID)
|
|
|
|
if pakID != 0 {
|
2024-07-18 10:01:59 +02:00
|
|
|
nodeToRegister.AuthKeyID = ptr.To(pak.ID)
|
2024-05-16 02:40:14 +02:00
|
|
|
}
|
2023-09-24 13:42:05 +02:00
|
|
|
node, err = h.db.RegisterNode(
|
|
|
|
nodeToRegister,
|
2024-04-17 07:03:06 +02:00
|
|
|
ipv4, ipv6,
|
2022-08-19 14:20:24 +02:00
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
2023-09-24 13:42:05 +02:00
|
|
|
Msg("could not register node")
|
2022-08-19 14:20:24 +02:00
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
err = h.db.Write(func(tx *gorm.DB) error {
|
2024-02-08 17:28:19 +01:00
|
|
|
return db.UsePreAuthKey(tx, pak)
|
|
|
|
})
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to use pre-auth key")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
resp.MachineAuthorized = true
|
2023-05-21 18:37:59 +02:00
|
|
|
resp.User = *pak.User.TailscaleUser()
|
2022-10-18 11:56:00 +02:00
|
|
|
// Provide LoginName when registering with pre-auth key
|
|
|
|
// Otherwise it will need to exec `tailscale up` twice to fetch the *LoginName*
|
2023-05-21 18:37:59 +02:00
|
|
|
resp.Login = *pak.User.TailscaleLogin()
|
2022-10-18 11:56:00 +02:00
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
respBody, err := json.Marshal(resp)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Err(err).
|
|
|
|
Msg("Cannot encode message")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
writer.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
writer.WriteHeader(http.StatusOK)
|
|
|
|
_, err = writer.Write(respBody)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to write response")
|
2024-02-08 17:28:19 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-08-19 14:20:24 +02:00
|
|
|
log.Info().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", registerRequest.Hostinfo.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msg("Successfully authenticated via AuthKey")
|
|
|
|
}
|
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
// handleNewNode returns the authorisation URL to the client based on what type
|
|
|
|
// of registration headscale is configured with.
|
|
|
|
// This url is then showed to the user by the local Tailscale client.
|
2023-09-24 13:42:05 +02:00
|
|
|
func (h *Headscale) handleNewNode(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer http.ResponseWriter,
|
|
|
|
registerRequest tailcfg.RegisterRequest,
|
|
|
|
machineKey key.MachinePublic,
|
|
|
|
) {
|
2023-12-09 18:09:24 +01:00
|
|
|
logInfo, logTrace, logErr := logAuthFunc(registerRequest, machineKey)
|
|
|
|
|
2022-08-19 14:20:24 +02:00
|
|
|
resp := tailcfg.RegisterResponse{}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
// The node registration is new, redirect the client to the registration URL
|
2023-12-09 18:09:24 +01:00
|
|
|
logTrace("The node seems to be new, sending auth url")
|
2022-11-15 15:08:49 +01:00
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
resp.AuthURL = h.authProvider.AuthURL(machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
respBody, err := json.Marshal(resp)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
2023-12-09 18:09:24 +01:00
|
|
|
logErr(err, "Cannot encode message")
|
2022-08-19 14:20:24 +02:00
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
writer.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
writer.WriteHeader(http.StatusOK)
|
|
|
|
_, err = writer.Write(respBody)
|
|
|
|
if err != nil {
|
2023-12-09 18:09:24 +01:00
|
|
|
logErr(err, "Failed to write response")
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
2023-12-09 18:09:24 +01:00
|
|
|
logInfo(fmt.Sprintf("Successfully sent auth url: %s", resp.AuthURL))
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
func (h *Headscale) handleNodeLogOut(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer http.ResponseWriter,
|
2023-09-24 13:42:05 +02:00
|
|
|
node types.Node,
|
2022-08-19 14:20:24 +02:00
|
|
|
) {
|
|
|
|
resp := tailcfg.RegisterResponse{}
|
|
|
|
|
|
|
|
log.Info().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msg("Client requested logout")
|
|
|
|
|
2023-07-17 13:35:05 +02:00
|
|
|
now := time.Now()
|
2024-02-08 17:28:19 +01:00
|
|
|
err := h.db.NodeSetExpiry(node.ID, now)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
2023-09-24 13:42:05 +02:00
|
|
|
Msg("Failed to expire node")
|
2022-08-19 14:20:24 +02:00
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-02-23 10:59:24 +01:00
|
|
|
ctx := types.NotifyCtx(context.Background(), "logout-expiry", "na")
|
|
|
|
h.nodeNotifier.NotifyWithIgnore(ctx, types.StateUpdateExpire(node.ID, now), node.ID)
|
2023-12-09 18:09:24 +01:00
|
|
|
|
2022-08-19 14:20:24 +02:00
|
|
|
resp.AuthURL = ""
|
|
|
|
resp.MachineAuthorized = false
|
2022-12-09 17:56:43 +01:00
|
|
|
resp.NodeKeyExpired = true
|
2023-09-24 13:42:05 +02:00
|
|
|
resp.User = *node.User.TailscaleUser()
|
2023-11-23 08:31:33 +01:00
|
|
|
respBody, err := json.Marshal(resp)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Cannot encode message")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
writer.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
writer.WriteHeader(http.StatusOK)
|
|
|
|
_, err = writer.Write(respBody)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to write response")
|
2022-12-27 12:33:51 +01:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
if node.IsEphemeral() {
|
2024-04-21 18:28:17 +02:00
|
|
|
changedNodes, err := h.db.DeleteNode(&node, h.nodeNotifier.LikelyConnectedMap())
|
2022-12-27 12:33:51 +01:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Err(err).
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
|
|
|
Msg("Cannot delete ephemeral node from the database")
|
2022-12-27 12:33:51 +01:00
|
|
|
}
|
|
|
|
|
2024-02-23 10:59:24 +01:00
|
|
|
ctx := types.NotifyCtx(context.Background(), "logout-ephemeral", "na")
|
|
|
|
h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
|
2024-02-08 17:28:19 +01:00
|
|
|
Type: types.StatePeerRemoved,
|
2024-02-23 10:59:24 +01:00
|
|
|
Removed: []types.NodeID{node.ID},
|
|
|
|
})
|
|
|
|
if changedNodes != nil {
|
|
|
|
h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
|
|
|
|
Type: types.StatePeerChanged,
|
|
|
|
ChangeNodes: changedNodes,
|
|
|
|
})
|
2024-02-08 17:28:19 +01:00
|
|
|
}
|
|
|
|
|
2022-12-27 12:33:51 +01:00
|
|
|
return
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
log.Info().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msg("Successfully logged out")
|
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
func (h *Headscale) handleNodeWithValidRegistration(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer http.ResponseWriter,
|
2023-09-24 13:42:05 +02:00
|
|
|
node types.Node,
|
2022-08-19 14:20:24 +02:00
|
|
|
) {
|
|
|
|
resp := tailcfg.RegisterResponse{}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
// The node registration is valid, respond with redirect to /map
|
2022-08-19 14:20:24 +02:00
|
|
|
log.Debug().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msg("Client is registered and we have the current NodeKey. All clear to /map")
|
|
|
|
|
|
|
|
resp.AuthURL = ""
|
|
|
|
resp.MachineAuthorized = true
|
2023-09-24 13:42:05 +02:00
|
|
|
resp.User = *node.User.TailscaleUser()
|
|
|
|
resp.Login = *node.User.TailscaleLogin()
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
respBody, err := json.Marshal(resp)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Cannot encode message")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
writer.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
writer.WriteHeader(http.StatusOK)
|
|
|
|
_, err = writer.Write(respBody)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to write response")
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Info().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
|
|
|
Msg("Node successfully authorized")
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
func (h *Headscale) handleNodeKeyRefresh(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer http.ResponseWriter,
|
|
|
|
registerRequest tailcfg.RegisterRequest,
|
2023-09-24 13:42:05 +02:00
|
|
|
node types.Node,
|
2022-08-19 14:20:24 +02:00
|
|
|
) {
|
|
|
|
resp := tailcfg.RegisterResponse{}
|
|
|
|
|
2022-12-09 17:56:43 +01:00
|
|
|
log.Info().
|
2022-08-19 14:20:24 +02:00
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-08-19 14:20:24 +02:00
|
|
|
Msg("We have the OldNodeKey in the database. This is a key refresh")
|
|
|
|
|
2024-04-21 18:28:17 +02:00
|
|
|
err := h.db.Write(func(tx *gorm.DB) error {
|
2024-02-08 17:28:19 +01:00
|
|
|
return db.NodeSetNodeKey(tx, &node, registerRequest.NodeKey)
|
|
|
|
})
|
2023-05-21 18:37:59 +02:00
|
|
|
if err != nil {
|
2022-08-19 14:20:24 +02:00
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to update machine key in the database")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
resp.AuthURL = ""
|
2023-09-24 13:42:05 +02:00
|
|
|
resp.User = *node.User.TailscaleUser()
|
2023-11-23 08:31:33 +01:00
|
|
|
respBody, err := json.Marshal(resp)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Cannot encode message")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
writer.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
writer.WriteHeader(http.StatusOK)
|
|
|
|
_, err = writer.Write(respBody)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to write response")
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Info().
|
|
|
|
Caller().
|
|
|
|
Str("node_key", registerRequest.NodeKey.ShortString()).
|
|
|
|
Str("old_node_key", registerRequest.OldNodeKey.ShortString()).
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-12-09 17:56:43 +01:00
|
|
|
Msg("Node key successfully refreshed")
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
2023-09-24 13:42:05 +02:00
|
|
|
func (h *Headscale) handleNodeExpiredOrLoggedOut(
|
2022-08-19 14:20:24 +02:00
|
|
|
writer http.ResponseWriter,
|
2024-05-17 14:58:33 +02:00
|
|
|
regReq tailcfg.RegisterRequest,
|
2023-09-24 13:42:05 +02:00
|
|
|
node types.Node,
|
2022-08-19 14:20:24 +02:00
|
|
|
machineKey key.MachinePublic,
|
|
|
|
) {
|
|
|
|
resp := tailcfg.RegisterResponse{}
|
|
|
|
|
2024-05-17 14:58:33 +02:00
|
|
|
if regReq.Auth != nil && regReq.Auth.AuthKey != "" {
|
|
|
|
h.handleAuthKey(writer, regReq, machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-12-09 17:56:43 +01:00
|
|
|
// The client has registered before, but has expired or logged out
|
|
|
|
log.Trace().
|
|
|
|
Caller().
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
2022-12-09 17:56:43 +01:00
|
|
|
Str("machine_key", machineKey.ShortString()).
|
2024-05-17 14:58:33 +02:00
|
|
|
Str("node_key", regReq.NodeKey.ShortString()).
|
|
|
|
Str("node_key_old", regReq.OldNodeKey.ShortString()).
|
2023-09-24 13:42:05 +02:00
|
|
|
Msg("Node registration has expired or logged out. Sending a auth url to register")
|
2022-12-09 17:56:43 +01:00
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
resp.AuthURL = h.authProvider.AuthURL(machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2023-11-23 08:31:33 +01:00
|
|
|
respBody, err := json.Marshal(resp)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Cannot encode message")
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
writer.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
writer.WriteHeader(http.StatusOK)
|
|
|
|
_, err = writer.Write(respBody)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
|
|
|
Err(err).
|
|
|
|
Msg("Failed to write response")
|
|
|
|
}
|
|
|
|
|
2022-12-09 17:56:43 +01:00
|
|
|
log.Trace().
|
2022-08-19 14:20:24 +02:00
|
|
|
Caller().
|
2022-12-09 17:56:43 +01:00
|
|
|
Str("machine_key", machineKey.ShortString()).
|
2024-05-17 14:58:33 +02:00
|
|
|
Str("node_key", regReq.NodeKey.ShortString()).
|
|
|
|
Str("node_key_old", regReq.OldNodeKey.ShortString()).
|
2023-09-24 13:42:05 +02:00
|
|
|
Str("node", node.Hostname).
|
|
|
|
Msg("Node logged out. Sent AuthURL for reauthentication")
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|