feat: support client verify for derp

This commit is contained in:
117503445 2024-08-07 23:40:41 +08:00 committed by ArcticLampyrid
parent e7245856c5
commit 13454a3f2d
No known key found for this signature in database
GPG key ID: DC72A2519E77D6CF
2 changed files with 73 additions and 0 deletions


@ -457,6 +457,8 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1). router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
Methods(http.MethodGet) Methods(http.MethodGet)
router.HandleFunc("/verify", h.VerifyHandler).Methods(http.MethodPost)
if h.cfg.DERP.ServerEnabled { if h.cfg.DERP.ServerEnabled {
router.HandleFunc("/derp", h.DERPServer.DERPHandler) router.HandleFunc("/derp", h.DERPServer.DERPHandler)
router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler) router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler)


@ -4,6 +4,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"io"
"net/http" "net/http"
"strconv" "strconv"
"strings" "strings"
@ -56,6 +57,76 @@ func parseCabailityVersion(req *http.Request) (tailcfg.CapabilityVersion, error)
return tailcfg.CapabilityVersion(clientCapabilityVersion), nil return tailcfg.CapabilityVersion(clientCapabilityVersion), nil
} }
// see https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159, Derp use verifyClientsURL to verify whether a client is allowed to connect to the DERP server.
func (h *Headscale) VerifyHandler(
writer http.ResponseWriter,
req *http.Request,
) {
if req.Method != http.MethodPost {
http.Error(writer, "Wrong method", http.StatusMethodNotAllowed)
return
}
log.Debug().
Str("handler", "/verify").
Msg("verify client")
body, err := io.ReadAll(req.Body)
if err != nil {
log.Error().
Str("handler", "/verify").
Err(err).
Msg("Cannot read request body")
http.Error(writer, "Internal error", http.StatusInternalServerError)
return
}
var derpAdmitClientRequest tailcfg.DERPAdmitClientRequest
if err := json.Unmarshal(body, &derpAdmitClientRequest); err != nil {
log.Error().
Caller().
Err(err).
Msg("Cannot parse derpAdmitClientRequest")
http.Error(writer, "Internal error", http.StatusInternalServerError)
return
}
nodes, err := h.db.ListNodes()
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Cannot list nodes")
http.Error(writer, "Internal error", http.StatusInternalServerError)
}
for _, node := range nodes {
log.Debug().Str("node", node.NodeKey.String()).Msg("Node")
}
allow := false
// Check if the node is in the list of nodes
for _, node := range nodes {
if node.NodeKey == derpAdmitClientRequest.NodePublic {
allow = true
break
}
}
resp := tailcfg.DERPAdmitClientResponse{
Allow: allow,
}
writer.Header().Set("Content-Type", "application/json")
writer.WriteHeader(http.StatusOK)
err = json.NewEncoder(writer).Encode(resp)
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
}
// KeyHandler provides the Headscale pub key // KeyHandler provides the Headscale pub key
// Listens in /key. // Listens in /key.
func (h *Headscale) KeyHandler( func (h *Headscale) KeyHandler(
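Review bot: The `h.db.ListNodes()` error branch in VerifyHandler logs and writes a 500 but never returns, so the handler carries on with a nil `nodes` slice, then sets a header, calls `WriteHeader(http.StatusOK)` and encodes `{"Allow":false}` on top of the already-written error response (a superfluous WriteHeader in the server log and JSON appended to the "Internal error" body); add `return` after that `http.Error` call, as the two error branches above it do. The request body is read with an unbounded `io.ReadAll` on a route the router hunk registers without authentication (`/verify`), so bound it first, e.g. `req.Body = http.MaxBytesReader(writer, req.Body, VERIFY_BODY_LIMIT_PLACEHOLDER)` with a small limit suited to a DERPAdmitClientRequest, or decode straight from `req.Body` with `json.NewDecoder`. The debug loop that logs every node's NodeKey runs on each verify request and duplicates the membership loop that follows; drop it or log only the key being looked up. Since the endpoint answers for any caller, consider a comment stating that it intentionally discloses nothing beyond whether a public key is known, and whether expired nodes should be admitted is not decided here and is worth a note. VerifyHandler lies entirely within the hunk.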