webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ipn/{ipnauth, ipnserver}: extend the ipnauth.Actor interface with a CheckProfileAccess method

Browse Source 
The implementations define it to verify whether the actor has the requested access to a login profile.

Updates #14823

Signed-off-by: Nick Khyl <nickk@tailscale.com>
This commit is contained in:
Nick Khyl
2025-01-29 15:34:20 -06:00
committed by Nick Khyl
parent 4e7f4086b2
commit 081595de63
4 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ipn/ipnserver/actor.go
+8
View File
@@ -58,6 +58,14 @@ func newActor(logf logger.Logf, c net.Conn) (*actor, error) {
return &actor{logf: logf, ci: ci, clientID: clientID, isLocalSystem: connIsLocalSystem(ci)}, nil
}
// CheckProfileAccess implements [ipnauth.Actor].
func (a *actor) CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ipnauth.ProfileAccess) error {
if profile.LocalUserID() != a.UserID() {
return errors.New("the target profile does not belong to the user")
}
return errors.New("the requested operation is not allowed")
}
// IsLocalSystem implements [ipnauth.Actor].
func (a *actor) IsLocalSystem() bool {
return a.isLocalSystem