|
|
|
|
@ -22,6 +22,7 @@ import ( |
|
|
|
|
|
|
|
|
|
"github.com/peterbourgon/ff/v3/ffcli" |
|
|
|
|
"github.com/tailscale/hujson" |
|
|
|
|
"golang.org/x/oauth2/clientcredentials" |
|
|
|
|
"tailscale.com/util/httpm" |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
@ -42,9 +43,9 @@ func modifiedExternallyError() { |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { |
|
|
|
|
func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { |
|
|
|
|
return func(ctx context.Context, args []string) error { |
|
|
|
|
controlEtag, err := getACLETag(ctx, tailnet, apiKey) |
|
|
|
|
controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
@ -73,7 +74,7 @@ func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) |
|
|
|
|
return nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil { |
|
|
|
|
if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -83,9 +84,9 @@ func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { |
|
|
|
|
func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { |
|
|
|
|
return func(ctx context.Context, args []string) error { |
|
|
|
|
controlEtag, err := getACLETag(ctx, tailnet, apiKey) |
|
|
|
|
controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
@ -113,16 +114,16 @@ func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) |
|
|
|
|
return nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil { |
|
|
|
|
if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
return nil |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { |
|
|
|
|
func getChecksums(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { |
|
|
|
|
return func(ctx context.Context, args []string) error { |
|
|
|
|
controlEtag, err := getACLETag(ctx, tailnet, apiKey) |
|
|
|
|
controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
@ -151,8 +152,24 @@ func main() { |
|
|
|
|
log.Fatal("set envvar TS_TAILNET to your tailnet's name") |
|
|
|
|
} |
|
|
|
|
apiKey, ok := os.LookupEnv("TS_API_KEY") |
|
|
|
|
if !ok { |
|
|
|
|
log.Fatal("set envvar TS_API_KEY to your Tailscale API key") |
|
|
|
|
oauthId, oiok := os.LookupEnv("TS_OAUTH_ID") |
|
|
|
|
oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET") |
|
|
|
|
if !ok && (!oiok || !osok) { |
|
|
|
|
log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret") |
|
|
|
|
} |
|
|
|
|
if ok && (oiok || osok) { |
|
|
|
|
log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET") |
|
|
|
|
} |
|
|
|
|
var client *http.Client |
|
|
|
|
if oiok { |
|
|
|
|
oauthConfig := &clientcredentials.Config{ |
|
|
|
|
ClientID: oauthId, |
|
|
|
|
ClientSecret: oauthSecret, |
|
|
|
|
TokenURL: fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer), |
|
|
|
|
} |
|
|
|
|
client = oauthConfig.Client(context.Background()) |
|
|
|
|
} else { |
|
|
|
|
client = http.DefaultClient |
|
|
|
|
} |
|
|
|
|
cache, err := LoadCache(*cacheFname) |
|
|
|
|
if err != nil { |
|
|
|
|
@ -169,7 +186,7 @@ func main() { |
|
|
|
|
ShortUsage: "gitops-pusher [options] apply", |
|
|
|
|
ShortHelp: "Pushes changes to CONTROL", |
|
|
|
|
LongHelp: `Pushes changes to CONTROL`, |
|
|
|
|
Exec: apply(cache, tailnet, apiKey), |
|
|
|
|
Exec: apply(cache, client, tailnet, apiKey), |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
testCmd := &ffcli.Command{ |
|
|
|
|
@ -177,7 +194,7 @@ func main() { |
|
|
|
|
ShortUsage: "gitops-pusher [options] test", |
|
|
|
|
ShortHelp: "Tests ACL changes", |
|
|
|
|
LongHelp: "Tests ACL changes", |
|
|
|
|
Exec: test(cache, tailnet, apiKey), |
|
|
|
|
Exec: test(cache, client, tailnet, apiKey), |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
cksumCmd := &ffcli.Command{ |
|
|
|
|
@ -185,7 +202,7 @@ func main() { |
|
|
|
|
ShortUsage: "Shows checksums of ACL files", |
|
|
|
|
ShortHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", |
|
|
|
|
LongHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", |
|
|
|
|
Exec: getChecksums(cache, tailnet, apiKey), |
|
|
|
|
Exec: getChecksums(cache, client, tailnet, apiKey), |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
root := &ffcli.Command{ |
|
|
|
|
@ -228,7 +245,7 @@ func sumFile(fname string) (string, error) { |
|
|
|
|
return fmt.Sprintf("%x", h.Sum(nil)), nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error { |
|
|
|
|
func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname, oldEtag string) error { |
|
|
|
|
fin, err := os.Open(policyFname) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
@ -244,7 +261,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri |
|
|
|
|
req.Header.Set("Content-Type", "application/hujson") |
|
|
|
|
req.Header.Set("If-Match", `"`+oldEtag+`"`) |
|
|
|
|
|
|
|
|
|
resp, err := http.DefaultClient.Do(req) |
|
|
|
|
resp, err := client.Do(req) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
@ -265,7 +282,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri |
|
|
|
|
return nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error { |
|
|
|
|
func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname string) error { |
|
|
|
|
data, err := os.ReadFile(policyFname) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
@ -283,7 +300,7 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error |
|
|
|
|
req.SetBasicAuth(apiKey, "") |
|
|
|
|
req.Header.Set("Content-Type", "application/hujson") |
|
|
|
|
|
|
|
|
|
resp, err := http.DefaultClient.Do(req) |
|
|
|
|
resp, err := client.Do(req) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
@ -346,7 +363,7 @@ type ACLTestErrorDetail struct { |
|
|
|
|
Errors []string `json:"errors"` |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) { |
|
|
|
|
func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) { |
|
|
|
|
req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil) |
|
|
|
|
if err != nil { |
|
|
|
|
return "", err |
|
|
|
|
@ -355,7 +372,7 @@ func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) { |
|
|
|
|
req.SetBasicAuth(apiKey, "") |
|
|
|
|
req.Header.Set("Accept", "application/hujson") |
|
|
|
|
|
|
|
|
|
resp, err := http.DefaultClient.Do(req) |
|
|
|
|
resp, err := client.Do(req) |
|
|
|
|
if err != nil { |
|
|
|
|
return "", err |
|
|
|
|
} |
|
|
|
|
|
Vladimir Pouzanov
3 years ago
committed by
GitHub