From e91c378bd42a4339a36df045ac2ef9aca61a217a Mon Sep 17 00:00:00 2001 From: Juan Font Alonso Date: Wed, 10 Aug 2022 15:35:26 +0200 Subject: [PATCH] Replace machine key with node key in preparation for Noise in auth related stuff --- api.go | 8 +++--- cmd/headscale/cli/nodes.go | 2 +- grpcv1.go | 4 +-- oidc.go | 52 +++++++++++++++++++------------------- 4 files changed, 33 insertions(+), 33 deletions(-) diff --git a/api.go b/api.go index ff0de0c4..9760da0d 100644 --- a/api.go +++ b/api.go @@ -112,8 +112,8 @@ func (h *Headscale) RegisterWebAPI( writer http.ResponseWriter, req *http.Request, ) { - machineKeyStr := req.URL.Query().Get("key") - if machineKeyStr == "" { + nodeKeyStr := req.URL.Query().Get("key") + if nodeKeyStr == "" { writer.Header().Set("Content-Type", "text/plain; charset=utf-8") writer.WriteHeader(http.StatusBadRequest) _, err := writer.Write([]byte("Wrong params")) @@ -129,7 +129,7 @@ func (h *Headscale) RegisterWebAPI( var content bytes.Buffer if err := registerWebAPITemplate.Execute(&content, registerWebAPITemplateConfig{ - Key: machineKeyStr, + Key: nodeKeyStr, }); err != nil { log.Error(). Str("func", "RegisterWebAPI"). @@ -251,7 +251,7 @@ func (h *Headscale) RegistrationHandler( } h.registrationCache.Set( - machineKeyStr, + newMachine.NodeKey, newMachine, registerCacheExpiration, ) diff --git a/cmd/headscale/cli/nodes.go b/cmd/headscale/cli/nodes.go index c2b1e950..a4f2a693 100644 --- a/cmd/headscale/cli/nodes.go +++ b/cmd/headscale/cli/nodes.go @@ -108,7 +108,7 @@ var registerNodeCmd = &cobra.Command{ if err != nil { ErrorOutput( err, - fmt.Sprintf("Error getting machine key from flag: %s", err), + fmt.Sprintf("Error getting node key from flag: %s", err), output, ) diff --git a/grpcv1.go b/grpcv1.go index b1e5c1ee..e3db5dd4 100644 --- a/grpcv1.go +++ b/grpcv1.go @@ -159,7 +159,7 @@ func (api headscaleV1APIServer) RegisterMachine( ) (*v1.RegisterMachineResponse, error) { log.Trace(). Str("namespace", request.GetNamespace()). - Str("machine_key", request.GetKey()). + Str("node_key", request.GetKey()). Msg("Registering machine") machine, err := api.h.RegisterMachineFromAuthCallback( @@ -199,7 +199,7 @@ func (api headscaleV1APIServer) SetTags( err := validateTag(tag) if err != nil { return &v1.SetTagsResponse{ - Machine: nil, + Machine: nil, }, status.Error(codes.InvalidArgument, err.Error()) } } diff --git a/oidc.go b/oidc.go index d995c976..a9309191 100644 --- a/oidc.go +++ b/oidc.go @@ -27,7 +27,7 @@ const ( errOIDCAllowedDomains = Error("authenticated principal does not match any allowed domain") errOIDCAllowedUsers = Error("authenticated principal does not match any allowed user") errOIDCInvalidMachineState = Error("requested machine state key expired before authorisation completed") - errOIDCMachineKeyMissing = Error("could not get machine key from cache") + errOIDCNodeKeyMissing = Error("could not get node key from cache") ) type IDTokenClaims struct { @@ -68,26 +68,26 @@ func (h *Headscale) initOIDC() error { } // RegisterOIDC redirects to the OIDC provider for authentication -// Puts machine key in cache so the callback can retrieve it using the oidc state param +// Puts node key in cache so the callback can retrieve it using the oidc state param // Listens in /oidc/register/:mKey. func (h *Headscale) RegisterOIDC( writer http.ResponseWriter, req *http.Request, ) { vars := mux.Vars(req) - machineKeyStr, ok := vars["mkey"] - if !ok || machineKeyStr == "" { + nodeKeyStr, ok := vars["nkey"] + if !ok || nodeKeyStr == "" { log.Error(). Caller(). - Msg("Missing machine key in URL") - http.Error(writer, "Missing machine key in URL", http.StatusBadRequest) + Msg("Missing node key in URL") + http.Error(writer, "Missing node key in URL", http.StatusBadRequest) return } log.Trace(). Caller(). - Str("machine_key", machineKeyStr). + Str("node_key", nodeKeyStr). Msg("Received oidc register call") randomBlob := make([]byte, randomByteSize) @@ -102,8 +102,8 @@ func (h *Headscale) RegisterOIDC( stateStr := hex.EncodeToString(randomBlob)[:32] - // place the machine key into the state cache, so it can be retrieved later - h.registrationCache.Set(stateStr, machineKeyStr, registerCacheExpiration) + // place the node key into the state cache, so it can be retrieved later + h.registrationCache.Set(stateStr, nodeKeyStr, registerCacheExpiration) // Add any extra parameter provided in the configuration to the Authorize Endpoint request extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams)) @@ -178,7 +178,7 @@ func (h *Headscale) OIDCCallback( return } - machineKey, machineExists, err := h.validateMachineForOIDCCallback(writer, state, claims) + nodeKey, machineExists, err := h.validateMachineForOIDCCallback(writer, state, claims) if err != nil || machineExists { return } @@ -196,7 +196,7 @@ func (h *Headscale) OIDCCallback( return } - if err := h.registerMachineForOIDCCallback(writer, namespace, machineKey); err != nil { + if err := h.registerMachineForOIDCCallback(writer, namespace, nodeKey); err != nil { return } @@ -401,7 +401,7 @@ func (h *Headscale) validateMachineForOIDCCallback( writer http.ResponseWriter, state string, claims *IDTokenClaims, -) (*key.MachinePublic, bool, error) { +) (*key.NodePublic, bool, error) { // retrieve machinekey from state cache machineKeyIf, machineKeyFound := h.registrationCache.Get(state) if !machineKeyFound { @@ -420,14 +420,14 @@ func (h *Headscale) validateMachineForOIDCCallback( return nil, false, errOIDCInvalidMachineState } - var machineKey key.MachinePublic - machineKeyFromCache, machineKeyOK := machineKeyIf.(string) - err := machineKey.UnmarshalText( - []byte(MachinePublicKeyEnsurePrefix(machineKeyFromCache)), + var nodeKey key.NodePublic + nodeKeyFromCache, nodeKeyOK := machineKeyIf.(string) + err := nodeKey.UnmarshalText( + []byte(NodePublicKeyEnsurePrefix(nodeKeyFromCache)), ) if err != nil { log.Error(). - Msg("could not parse machine public key") + Msg("could not parse node public key") writer.Header().Set("Content-Type", "text/plain; charset=utf-8") writer.WriteHeader(http.StatusBadRequest) _, werr := writer.Write([]byte("could not parse public key")) @@ -441,11 +441,11 @@ func (h *Headscale) validateMachineForOIDCCallback( return nil, false, err } - if !machineKeyOK { - log.Error().Msg("could not get machine key from cache") + if !nodeKeyOK { + log.Error().Msg("could not get node key from cache") writer.Header().Set("Content-Type", "text/plain; charset=utf-8") writer.WriteHeader(http.StatusInternalServerError) - _, err := writer.Write([]byte("could not get machine key from cache")) + _, err := writer.Write([]byte("could not get node key from cache")) if err != nil { log.Error(). Caller(). @@ -453,14 +453,14 @@ func (h *Headscale) validateMachineForOIDCCallback( Msg("Failed to write response") } - return nil, false, errOIDCMachineKeyMissing + return nil, false, errOIDCNodeKeyMissing } // retrieve machine information if it exist // The error is not important, because if it does not // exist, then this is a new machine and we will move // on to registration. - machine, _ := h.GetMachineByMachineKey(machineKey) + machine, _ := h.GetMachineByNodeKey(nodeKey) if machine != nil { log.Trace(). @@ -516,7 +516,7 @@ func (h *Headscale) validateMachineForOIDCCallback( return nil, true, nil } - return &machineKey, false, nil + return &nodeKey, false, nil } func getNamespaceName( @@ -596,12 +596,12 @@ func (h *Headscale) findOrCreateNewNamespaceForOIDCCallback( func (h *Headscale) registerMachineForOIDCCallback( writer http.ResponseWriter, namespace *Namespace, - machineKey *key.MachinePublic, + nodeKey *key.NodePublic, ) error { - machineKeyStr := MachinePublicKeyStripPrefix(*machineKey) + nodeKeyStr := NodePublicKeyStripPrefix(*nodeKey) if _, err := h.RegisterMachineFromAuthCallback( - machineKeyStr, + nodeKeyStr, namespace.Name, RegisterMethodOIDC, ); err != nil {