webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tsnet: enable node registration via federated identity

Browse Source 
Updates: tailscale.com/corp#34148

Signed-off-by: Gesa Stupperich <gesa@tailscale.com>
This commit is contained in:
Gesa Stupperich
2025-11-25 08:45:11 +00:00
committed by Gesa Stupperich
parent 957a443b23
commit 536188c1b5
7 changed files with 522 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files
feature/oauthkey/oauthkey.go
+44 -37
View File
@@ -33,54 +33,22 @@ func init() {
// false. The "baseURL" defaults to https://api.tailscale.com.
// The passed in tags are required, and must be non-empty. These will be
// set on the authkey generated by the OAuth2 dance.
func resolveAuthKey(ctx context.Context, v string, tags []string) (string, error) {
if !strings.HasPrefix(v, "tskey-client-") {
return v, nil
func resolveAuthKey(ctx context.Context, clientSecret string, tags []string) (string, error) {
if !strings.HasPrefix(clientSecret, "tskey-client-") {
return clientSecret, nil
}
if len(tags) == 0 {
return "", errors.New("oauth authkeys require --advertise-tags")
}
clientSecret, named, _ := strings.Cut(v, "?")
attrs, err := url.ParseQuery(named)
strippedSecret, ephemeral, preauth, baseURL, err := parseOptionalAttributes(clientSecret)
if err != nil {
return "", err
}
for k := range attrs {
switch k {
case "ephemeral", "preauthorized", "baseURL":
default:
return "", fmt.Errorf("unknown attribute %q", k)
}
}
getBool := func(name string, def bool) (bool, error) {
v := attrs.Get(name)
if v == "" {
return def, nil
}
ret, err := strconv.ParseBool(v)
if err != nil {
return false, fmt.Errorf("invalid attribute boolean attribute %s value %q", name, v)
}
return ret, nil
}
ephemeral, err := getBool("ephemeral", true)
if err != nil {
return "", err
}
preauth, err := getBool("preauthorized", false)
if err != nil {
return "", err
}
baseURL := "https://api.tailscale.com"
if v := attrs.Get("baseURL"); v != "" {
baseURL = v
}
credentials := clientcredentials.Config{
ClientID: "some-client-id", // ignored
ClientSecret: clientSecret,
ClientSecret: strippedSecret,
TokenURL: baseURL + "/api/v2/oauth/token",
}
@@ -106,3 +74,42 @@ func resolveAuthKey(ctx context.Context, v string, tags []string) (string, error
}
return authkey, nil
}
func parseOptionalAttributes(clientSecret string) (strippedSecret string, ephemeral bool, preauth bool, baseURL string, err error) {
strippedSecret, named, _ := strings.Cut(clientSecret, "?")
attrs, err := url.ParseQuery(named)
if err != nil {
return "", false, false, "", err
}
for k := range attrs {
switch k {
case "ephemeral", "preauthorized", "baseURL":
default:
return "", false, false, "", fmt.Errorf("unknown attribute %q", k)
}
}
getBool := func(name string, def bool) (bool, error) {
v := attrs.Get(name)
if v == "" {
return def, nil
}
ret, err := strconv.ParseBool(v)
if err != nil {
return false, fmt.Errorf("invalid attribute boolean attribute %s value %q", name, v)
}
return ret, nil
}
ephemeral, err = getBool("ephemeral", true)
if err != nil {
return "", false, false, "", err
}
preauth, err = getBool("preauthorized", false)
if err != nil {
return "", false, false, "", err
}
baseURL = "https://api.tailscale.com"
if v := attrs.Get("baseURL"); v != "" {
baseURL = v
}
return strippedSecret, ephemeral, preauth, baseURL, nil
}
feature/oauthkey/oauthkey_test.go
+187
View File
@@ -0,0 +1,187 @@
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
package oauthkey
import (
"context"
"net/http"
"net/http/httptest"
"strings"
"testing"
)
func TestResolveAuthKey(t *testing.T) {
tests := []struct {
name string
clientID string
tags []string
wantAuthKey string
wantErr bool
}{
{
name: "keys without client secret prefix pass through unchanged",
clientID: "tskey-auth-regular",
tags: []string{"tag:test"},
wantAuthKey: "tskey-auth-regular",
wantErr: false,
},
{
name: "client secret without advertised tags",
clientID: "tskey-client-abc",
tags: nil,
wantAuthKey: "",
wantErr: true,
},
{
name: "client secret with default attributes",
clientID: "tskey-client-abc",
tags: []string{"tag:test"},
wantAuthKey: "tskey-auth-xyz",
wantErr: false,
},
{
name: "client secret with custom attributes",
clientID: "tskey-client-abc?ephemeral=false&preauthorized=true",
tags: []string{"tag:test"},
wantAuthKey: "tskey-auth-xyz",
wantErr: false,
},
{
name: "client secret with unknown attribute",
clientID: "tskey-client-abc?unknown=value",
tags: []string{"tag:test"},
wantAuthKey: "",
wantErr: true,
},
{
name: "oauth client secret with invalid attribute value",
clientID: "tskey-client-abc?ephemeral=invalid",
tags: []string{"tag:test"},
wantAuthKey: "",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
srv := mockControlServer(t)
defer srv.Close()
// resolveAuthKey reads custom control plane URLs off the baseURL attribute
// on the client secret string. Therefore, append the baseURL attribute with
// the mock control server URL to any client secret in order to hit the mock
// server instead of the default control API.
if strings.HasPrefix(tt.clientID, "tskey-client") {
if !strings.Contains(tt.clientID, "?") {
tt.clientID += "?baseURL=" + srv.URL
} else {
tt.clientID += "&baseURL=" + srv.URL
}
}
got, err := resolveAuthKey(context.Background(), tt.clientID, tt.tags)
if tt.wantErr {
if err == nil {
t.Error("want error but got none")
return
}
return
}
if err != nil {
t.Errorf("want no error, got %q", err)
return
}
if got != tt.wantAuthKey {
t.Errorf("want authKey = %q, got %q", tt.wantAuthKey, got)
}
})
}
}
func TestResolveAuthKeyAttributes(t *testing.T) {
tests := []struct {
name string
clientSecret string
wantEphemeral bool
wantPreauth bool
wantBaseURL string
}{
{
name: "default values",
clientSecret: "tskey-client-abc",
wantEphemeral: true,
wantPreauth: false,
wantBaseURL: "https://api.tailscale.com",
},
{
name: "ephemeral=false",
clientSecret: "tskey-client-abc?ephemeral=false",
wantEphemeral: false,
wantPreauth: false,
wantBaseURL: "https://api.tailscale.com",
},
{
name: "preauthorized=true",
clientSecret: "tskey-client-abc?preauthorized=true",
wantEphemeral: true,
wantPreauth: true,
wantBaseURL: "https://api.tailscale.com",
},
{
name: "baseURL=https://api.example.com",
clientSecret: "tskey-client-abc?baseURL=https://api.example.com",
wantEphemeral: true,
wantPreauth: false,
wantBaseURL: "https://api.example.com",
},
{
name: "all custom values",
clientSecret: "tskey-client-abc?ephemeral=false&preauthorized=true&baseURL=https://api.example.com",
wantEphemeral: false,
wantPreauth: true,
wantBaseURL: "https://api.example.com",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
strippedSecret, ephemeral, preauth, baseURL, err := parseOptionalAttributes(tt.clientSecret)
if err != nil {
t.Fatalf("want no error, got %q", err)
}
if strippedSecret != "tskey-client-abc" {
t.Errorf("want tskey-client-abc, got %q", strippedSecret)
}
if ephemeral != tt.wantEphemeral {
t.Errorf("want ephemeral = %v, got %v", tt.wantEphemeral, ephemeral)
}
if preauth != tt.wantPreauth {
t.Errorf("want preauth = %v, got %v", tt.wantPreauth, preauth)
}
if baseURL != tt.wantBaseURL {
t.Errorf("want baseURL = %v, got %v", tt.wantBaseURL, baseURL)
}
})
}
}
func mockControlServer(t *testing.T) *httptest.Server {
t.Helper()
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch {
case strings.Contains(r.URL.Path, "/api/v2/oauth/token"):
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"access_token":"access-123","token_type":"Bearer","expires_in":3600}`))
case strings.Contains(r.URL.Path, "/api/v2/tailnet") && strings.Contains(r.URL.Path, "/keys"):
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"key":"tskey-auth-xyz"}`))
default:
w.WriteHeader(http.StatusNotFound)
}
}))
}