ipn/ipnlocal/serve: remove grant header truncation logic
Given that we filter based on the usercaps argument now, truncation should not be necessary anymore. Updates tailscale/corp/#28372 Signed-off-by: Gesa Stupperich <gesa@tailscale.com>
This commit is contained in:
committed by
Gesa Stupperich
parent
576aacd459
commit
d6fa899eba
+6
-31
@@ -65,7 +65,6 @@ func init() {
|
||||
const (
|
||||
contentTypeHeader = "Content-Type"
|
||||
grpcBaseContentType = "application/grpc"
|
||||
grantHeaderMaxSize = 15360 // 15 KiB
|
||||
)
|
||||
|
||||
// ErrETagMismatch signals that the given
|
||||
@@ -932,7 +931,7 @@ func encTailscaleHeaderValue(v string) string {
|
||||
}
|
||||
|
||||
func (b *LocalBackend) addTailscaleGrantHeader(r *httputil.ProxyRequest) {
|
||||
r.Out.Header.Del("Tailscale-User-Capabilities")
|
||||
r.Out.Header.Del("Tailscale-App-Capabilities")
|
||||
|
||||
c, ok := serveHTTPContextKey.ValueOk(r.Out.Context())
|
||||
if !ok || c.Funnel != nil {
|
||||
@@ -954,37 +953,13 @@ func (b *LocalBackend) addTailscaleGrantHeader(r *httputil.ProxyRequest) {
|
||||
}
|
||||
}
|
||||
|
||||
serialized, truncated, err := serializeUpToNBytes(peerCapsFiltered, grantHeaderMaxSize)
|
||||
peerCapsSerialized, err := json.Marshal(peerCapsFiltered)
|
||||
if err != nil {
|
||||
b.logf("serve: failed to serialize PeerCapMap: %v", err)
|
||||
b.logf("serve: failed to serialize filtered PeerCapMap: %v", err)
|
||||
return
|
||||
}
|
||||
if truncated {
|
||||
b.logf("serve: serialized PeerCapMap exceeds %d bytes, forwarding truncated PeerCapMap", grantHeaderMaxSize)
|
||||
}
|
||||
|
||||
r.Out.Header.Set("Tailscale-User-Capabilities", encTailscaleHeaderValue(serialized))
|
||||
}
|
||||
|
||||
// serializeUpToNBytes serializes capMap. It arbitrarily truncates entries from the capMap
|
||||
// if the size of the serialized capMap would exceed N bytes.
|
||||
func serializeUpToNBytes(capMap tailcfg.PeerCapMap, N int) (string, bool, error) {
|
||||
numBytes := 0
|
||||
capped := false
|
||||
result := tailcfg.PeerCapMap{}
|
||||
for k, v := range capMap {
|
||||
numBytes += len(k) + len(v)
|
||||
if numBytes > N {
|
||||
capped = true
|
||||
break
|
||||
}
|
||||
result[k] = v
|
||||
}
|
||||
marshalled, err := json.Marshal(result)
|
||||
if err != nil {
|
||||
return "", false, err
|
||||
}
|
||||
return string(marshalled), capped, nil
|
||||
r.Out.Header.Set("Tailscale-App-Capabilities", encTailscaleHeaderValue(string(peerCapsSerialized)))
|
||||
}
|
||||
|
||||
// serveWebHandler is an http.HandlerFunc that maps incoming requests to the
|
||||
@@ -1010,12 +985,12 @@ func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, "unknown proxy destination", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
// Inject user capabilities to forward into the request context
|
||||
// Inject app capabilities to forward into the request context
|
||||
c, ok := serveHTTPContextKey.ValueOk(r.Context())
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
c.PeerCapsFilter = h.UserCaps()
|
||||
c.PeerCapsFilter = h.AcceptAppCaps()
|
||||
h := p.(http.Handler)
|
||||
// Trim the mount point from the URL path before proxying. (#6571)
|
||||
if r.URL.Path != "/" {
|
||||
|
||||
Reference in New Issue
Block a user