tsnet: remove AuthenticatedAPITransport (API-over-noise) support
It never launched and I've lost hope of it launching and it's in my way now, so I guess it's time to say goodbye. Updates tailscale/corp#4383 Updates #17305 Change-Id: I2eb551d49f2fb062979cc307f284df4b3dfa5956 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
committed by
Brad Fitzpatrick
parent
c2f37c891c
commit
05a4c8e839
@@ -9,7 +9,6 @@ import (
|
||||
"cmp"
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/binary"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
@@ -6540,62 +6539,6 @@ func (b *LocalBackend) MagicConn() *magicsock.Conn {
|
||||
return b.sys.MagicSock.Get()
|
||||
}
|
||||
|
||||
type keyProvingNoiseRoundTripper struct {
|
||||
b *LocalBackend
|
||||
}
|
||||
|
||||
func (n keyProvingNoiseRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
b := n.b
|
||||
|
||||
var priv key.NodePrivate
|
||||
|
||||
b.mu.Lock()
|
||||
cc := b.ccAuto
|
||||
if nm := b.NetMap(); nm != nil {
|
||||
priv = nm.PrivateKey
|
||||
}
|
||||
b.mu.Unlock()
|
||||
if cc == nil {
|
||||
return nil, errors.New("no client")
|
||||
}
|
||||
if priv.IsZero() {
|
||||
return nil, errors.New("no netmap or private key")
|
||||
}
|
||||
rt, ep, err := cc.GetSingleUseNoiseRoundTripper(req.Context())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if ep == nil || ep.NodeKeyChallenge.IsZero() {
|
||||
go rt.RoundTrip(new(http.Request)) // return our reservation with a bogus request
|
||||
return nil, errors.New("this coordination server does not support API calls over the Noise channel")
|
||||
}
|
||||
|
||||
// QueryEscape the node key since it has a colon in it.
|
||||
nk := url.QueryEscape(priv.Public().String())
|
||||
req.SetBasicAuth(nk, "")
|
||||
|
||||
// genNodeProofHeaderValue returns the Tailscale-Node-Proof header's value to prove
|
||||
// to chalPub that we control claimedPrivate.
|
||||
genNodeProofHeaderValue := func(claimedPrivate key.NodePrivate, chalPub key.ChallengePublic) string {
|
||||
// TODO(bradfitz): cache this somewhere?
|
||||
box := claimedPrivate.SealToChallenge(chalPub, []byte(chalPub.String()))
|
||||
return claimedPrivate.Public().String() + " " + base64.StdEncoding.EncodeToString(box)
|
||||
}
|
||||
|
||||
// And prove we have the private key corresponding to the public key sent
|
||||
// tin the basic auth username.
|
||||
req.Header.Set("Tailscale-Node-Proof", genNodeProofHeaderValue(priv, ep.NodeKeyChallenge))
|
||||
|
||||
return rt.RoundTrip(req)
|
||||
}
|
||||
|
||||
// KeyProvingNoiseRoundTripper returns an http.RoundTripper that uses the LocalBackend's
|
||||
// DoNoiseRequest method and mutates the request to add an authorization header
|
||||
// to prove the client's nodekey.
|
||||
func (b *LocalBackend) KeyProvingNoiseRoundTripper() http.RoundTripper {
|
||||
return keyProvingNoiseRoundTripper{b}
|
||||
}
|
||||
|
||||
// DoNoiseRequest sends a request to URL over the control plane
|
||||
// Noise connection.
|
||||
func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
|
||||
|
||||