ipn/{ipnlocal,localapi}, cmd/tailscale: add logout command

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-07 21:06:31 -07:00
parent 11127666b2
commit 3167e55ddf
7 changed files with 176 additions and 38 deletions
@@ -100,11 +100,22 @@ func (s Status) String() string {
 }

 type LoginGoal struct {
-	_            structs.Incomparable
-	wantLoggedIn bool                 // true if we *want* to be logged in
-	token        *tailcfg.Oauth2Token // oauth token to use when logging in
-	flags        LoginFlags           // flags to use when logging in
-	url          string               // auth url that needs to be visited
+	_               structs.Incomparable
+	wantLoggedIn    bool                 // true if we *want* to be logged in
+	token           *tailcfg.Oauth2Token // oauth token to use when logging in
+	flags           LoginFlags           // flags to use when logging in
+	url             string               // auth url that needs to be visited
+	loggedOutResult chan<- error
+}
+
+func (g *LoginGoal) sendLogoutError(err error) {
+	if g.loggedOutResult == nil {
+		return
+	}
+	select {
+	case g.loggedOutResult <- err:
+	default:
+	}
 }

 // Client connects to a tailcontrol server for a node.
@@ -363,6 +374,7 @@ func (c *Client) authRoutine() {

 		if !goal.wantLoggedIn {
 			err := c.direct.TryLogout(ctx)
+			goal.sendLogoutError(err)
 			if err != nil {
 				report(err, "TryLogout")
 				bo.BackOff(ctx, err)
@@ -402,7 +414,8 @@ func (c *Client) authRoutine() {
 				report(err, f)
 				bo.BackOff(ctx, err)
 				continue
-			} else if url != "" {
+			}
+			if url != "" {
 				if goal.url != "" {
 					err = fmt.Errorf("[unexpected] server required a new URL?")
 					report(err, "WaitLoginURL")
@@ -682,18 +695,42 @@ func (c *Client) Login(t *tailcfg.Oauth2Token, flags LoginFlags) {
 	c.cancelAuth()
 }

-func (c *Client) Logout() {
-	c.logf("client.Logout()")
+func (c *Client) StartLogout() {
+	c.logf("client.StartLogout()")

 	c.mu.Lock()
 	c.loginGoal = &LoginGoal{
 		wantLoggedIn: false,
 	}
 	c.mu.Unlock()
-
 	c.cancelAuth()
 }

+func (c *Client) Logout(ctx context.Context) error {
+	c.logf("client.Logout()")
+
+	errc := make(chan error, 1)
+
+	c.mu.Lock()
+	c.loginGoal = &LoginGoal{
+		wantLoggedIn:    false,
+		loggedOutResult: errc,
+	}
+	c.mu.Unlock()
+	c.cancelAuth()
+
+	timer := time.NewTimer(10 * time.Second)
+	defer timer.Stop()
+	select {
+	case err := <-errc:
+		return err
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-timer.C:
+		return context.DeadlineExceeded
+	}
+}
+
 // UpdateEndpoints sets the client's discovered endpoints and sends
 // them to the control server if they've changed.
 //
@@ -261,15 +261,14 @@ const (
 func (c *Direct) TryLogout(ctx context.Context) error {
 	c.logf("direct.TryLogout()")

-	c.mu.Lock()
-	defer c.mu.Unlock()
+	mustRegen, newURL, err := c.doLogin(ctx, loginOpt{Logout: true})
+	c.logf("TryLogout control response: mustRegen=%v, newURL=%v, err=%v", mustRegen, newURL, err)

-	// TODO(crawshaw): Tell the server. This node key should be
-	// immediately invalidated.
-	//if !c.persist.PrivateNodeKey.IsZero() {
-	//}
+	c.mu.Lock()
 	c.persist = persist.Persist{}
-	return nil
+	c.mu.Unlock()
+
+	return err
 }

 func (c *Direct) TryLogin(ctx context.Context, t *tailcfg.Oauth2Token, flags LoginFlags) (url string, err error) {
@@ -298,10 +297,11 @@ func (c *Direct) doLoginOrRegen(ctx context.Context, opt loginOpt) (newURL strin
 }

 type loginOpt struct {
-	Token *tailcfg.Oauth2Token
-	Flags LoginFlags
-	Regen bool
-	URL   string
+	Token  *tailcfg.Oauth2Token
+	Flags  LoginFlags
+	Regen  bool
+	URL    string
+	Logout bool
 }

 func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
@@ -324,14 +324,18 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	}

 	regen := opt.Regen
-	if expired {
-		c.logf("Old key expired -> regen=true")
-		systemd.Status("key expired; run 'tailscale up' to authenticate")
-		regen = true
-	}
-	if (opt.Flags & LoginInteractive) != 0 {
-		c.logf("LoginInteractive -> regen=true")
-		regen = true
+	if opt.Logout {
+		c.logf("logging out...")
+	} else {
+		if expired {
+			c.logf("Old key expired -> regen=true")
+			systemd.Status("key expired; run 'tailscale up' to authenticate")
+			regen = true
+		}
+		if (opt.Flags & LoginInteractive) != 0 {
+			c.logf("LoginInteractive -> regen=true")
+			regen = true
+		}
 	}

 	c.logf("doLogin(regen=%v, hasUrl=%v)", regen, opt.URL != "")
@@ -348,8 +352,12 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	}

 	var oldNodeKey wgkey.Key
-	if opt.URL != "" {
-	} else if regen || persist.PrivateNodeKey.IsZero() {
+	switch {
+	case opt.Logout:
+		tryingNewKey = persist.PrivateNodeKey
+	case opt.URL != "":
+		// Nothing.
+	case regen || persist.PrivateNodeKey.IsZero():
 		c.logf("Generating a new nodekey.")
 		persist.OldPrivateNodeKey = persist.PrivateNodeKey
 		key, err := wgkey.NewPrivate()
@@ -358,7 +366,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			return regen, opt.URL, err
 		}
 		tryingNewKey = key
-	} else {
+	default:
 		// Try refreshing the current key first
 		tryingNewKey = persist.PrivateNodeKey
 	}
@@ -367,6 +375,9 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	}

 	if tryingNewKey.IsZero() {
+		if opt.Logout {
+			return false, "", errors.New("no nodekey to log out")
+		}
 		log.Fatalf("tryingNewKey is empty, give up")
 	}
 	if backendLogID == "" {
@@ -382,6 +393,9 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		Followup:   opt.URL,
 		Timestamp:  &now,
 	}
+	if opt.Logout {
+		request.Expiry = time.Unix(123, 0) // far in the past
+	}
 	c.logf("RegisterReq: onode=%v node=%v fup=%v",
 		request.OldNodeKey.ShortString(),
 		request.NodeKey.ShortString(), opt.URL != "")
@@ -403,6 +417,11 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			c.logf("RegisterReq sign error: %v", err)
 		}
 	}
+	if debugRegister {
+		j, _ := json.MarshalIndent(request, "", "\t")
+		c.logf("RegisterRequest: %s", j)
+	}
+
 	bodyData, err := encode(request, &serverKey, &machinePrivKey)
 	if err != nil {
 		return regen, opt.URL, err
@@ -431,6 +450,11 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
 		return regen, opt.URL, fmt.Errorf("register request: %v", err)
 	}
+	if debugRegister {
+		j, _ := json.MarshalIndent(resp, "", "\t")
+		c.logf("RegisterResponse: %s", j)
+	}
+
 	// Log without PII:
 	c.logf("RegisterReq: got response; nodeKeyExpired=%v, machineAuthorized=%v; authURL=%v",
 		resp.NodeKeyExpired, resp.MachineAuthorized, resp.AuthURL != "")
@@ -902,7 +926,10 @@ func decode(res *http.Response, v interface{}, serverKey *wgkey.Key, mkey *wgkey
 	return decodeMsg(msg, v, serverKey, mkey)
 }

-var debugMap, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
+var (
+	debugMap, _      = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
+	debugRegister, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_REGISTER"))
+)

 var jsonEscapedZero = []byte(`\u0000`)