cmd/containerboot: add OAuth and WIF auth support (#18311)

Fixes tailscale/corp#34430 Signed-off-by: Raj Singh <raj@tailscale.com>
2026-01-07 16:22:14 -05:00
parent 6c67deff38
commit e66531041b
4 changed files with 131 additions and 10 deletions
@@ -5,7 +5,10 @@

 package main

-import "testing"
+import (
+	"strings"
+	"testing"
+)

 func Test_parseAcceptDNS(t *testing.T) {
 	tests := []struct {
@@ -106,3 +109,87 @@ func Test_parseAcceptDNS(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateAuthMethods(t *testing.T) {
+	tests := []struct {
+		name         string
+		authKey      string
+		clientID     string
+		clientSecret string
+		idToken      string
+		errContains  string
+	}{
+		{
+			name: "no_auth_method",
+		},
+		{
+			name:    "authkey_only",
+			authKey: "tskey-auth-xxx",
+		},
+		{
+			name:         "client_secret_only",
+			clientSecret: "tskey-client-xxx",
+		},
+		{
+			name:     "client_id_alone",
+			clientID: "client-id",
+		},
+		{
+			name:         "oauth_client_id_and_secret",
+			clientID:     "client-id",
+			clientSecret: "tskey-client-xxx",
+		},
+		{
+			name:     "wif_client_id_and_id_token",
+			clientID: "client-id",
+			idToken:  "id-token",
+		},
+		{
+			name:        "id_token_without_client_id",
+			idToken:     "id-token",
+			errContains: "TS_ID_TOKEN is set but TS_CLIENT_ID is not set",
+		},
+		{
+			name:         "authkey_with_client_secret",
+			authKey:      "tskey-auth-xxx",
+			clientSecret: "tskey-client-xxx",
+			errContains:  "TS_AUTHKEY cannot be used with",
+		},
+		{
+			name:        "authkey_with_wif",
+			authKey:     "tskey-auth-xxx",
+			clientID:    "client-id",
+			idToken:     "id-token",
+			errContains: "TS_AUTHKEY cannot be used with",
+		},
+		{
+			name:         "id_token_with_client_secret",
+			clientID:     "client-id",
+			clientSecret: "tskey-client-xxx",
+			idToken:      "id-token",
+			errContains:  "TS_ID_TOKEN and TS_CLIENT_SECRET cannot both be set",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := &settings{
+				AuthKey:      tt.authKey,
+				ClientID:     tt.clientID,
+				ClientSecret: tt.clientSecret,
+				IDToken:      tt.idToken,
+			}
+			err := s.validate()
+			if tt.errContains != "" {
+				if err == nil {
+					t.Fatal("expected error, got nil")
+				}
+				if !strings.Contains(err.Error(), tt.errContains) {
+					t.Errorf("error %q does not contain %q", err.Error(), tt.errContains)
+				}
+			} else if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}