Fix up leftovers from kradalby PR

Kristoffer Dalby 2021-10-19 18:25:59 +01:00 committed by GitHub
parent e7424222db
commit dbe193ad17
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 10 deletions


@ -30,7 +30,7 @@ Headscale implements this coordination server.
- [x] Support for alternative IP ranges in the tailnets (default Tailscale's 100.64.0.0/10) - [x] Support for alternative IP ranges in the tailnets (default Tailscale's 100.64.0.0/10)
- [x] DNS (passing DNS servers to nodes) - [x] DNS (passing DNS servers to nodes)
- [x] Share nodes between ~~users~~ namespaces - [x] Share nodes between ~~users~~ namespaces
- [x] SSO (via OIDC) - [x] Single-Sign-On (via Open ID Connect)
- [x] MagicDNS (see `docs/`) - [x] MagicDNS (see `docs/`)
## Client OS support ## Client OS support
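Review bot: the renamed feature entry spells the protocol "Open ID Connect", but the standard name is "OpenID Connect" (one word), which is also how the "OpenID Connect settings:" heading later in this same README spells it; suggest `- [x] Single-Sign-On (via OpenID Connect)` so the two agree.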
@ -109,13 +109,14 @@ Suggestions/PRs welcomed!
```json ```json
{ {
"oidc_issuer": "https://your-oidc.issuer.com/path", "oidc": {
"oidc_client_id": "your-oidc-client-id", "issuer": "https://your-oidc.issuer.com/path",
"oidc_client_secret": "your-oidc-client-secret" "client_id": "your-oidc-client-id",
"client_secret": "your-oidc-client-secret",
"domain_map": {
".*": "default-namespace"
}
} }
```
If `oidc_issuer` is set, headscale will attempt to send your users to the OIDC server for authentication, otherwise it will give instructions on how to authorise clients via the CLI.
6. Run the server 6. Run the server
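Review bot: the sentence after the example still says "If `oidc_issuer` is set", but the sample now nests the key as `oidc.issuer`, so the prose and the sample disagree; update it to refer to `oidc.issuer`. The new `domain_map` entry also deserves a line of explanation here: per the Go change in this commit its keys are regular expressions matched against the user's email claim, and the `".*"` pattern shown places every authenticated user into `default-namespace`, which readers should understand before copying it. Since `client_secret` is stored inline in this file, a reminder to keep the config file's permissions restrictive would be appropriate next to the sample.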
@ -237,9 +238,12 @@ The fields starting with `db_` are used for the PostgreSQL connection informatio
OpenID Connect settings: OpenID Connect settings:
``` ```
"oidc_issuer": "https://your-oidc.issuer.com/path", oidc:
"oidc_client_id": "your-oidc-client-id", issuer: "https://your-oidc.issuer.com/path"
"oidc_client_secret": "your-oidc-client-secret" client_id: "your-oidc-client-id"
client_secret: "your-oidc-client-secret"
domain_map:
".*": default-namespace
``` ```
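Review bot: the key is documented as `domain_map` here and in the README, while the Go code in this same commit reads `h.cfg.OIDC.MatchMap`; if the loader binds `domain_map` to that struct field this is fine, but the mismatch should be confirmed, and the doc should name the expected key once so users do not guess. Minor: the README sample quotes `"default-namespace"` but this YAML leaves it bare; quoting consistently avoids surprises for namespace names containing characters YAML interprets.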


@ -212,6 +212,10 @@ func (h *Headscale) OIDCCallback(c *gin.Context) {
c.String(http.StatusBadRequest, "email from claim could not be mapped to a namespace") c.String(http.StatusBadRequest, "email from claim could not be mapped to a namespace")
} }
// getNamespaceFromEmail passes the users email through a list of "matchers"
// and iterates through them until it matches and returns a namespace.
// If no match is found, an empty string will be returned.
// TODO(kradalby): golang Maps key order is not stable, so this list is _not_ deterministic. Find a way to make the list of keys stable, preferably in the order presented in a users configuration.
func (h *Headscale) getNamespaceFromEmail(email string) (string, bool) { func (h *Headscale) getNamespaceFromEmail(email string) (string, bool) {
for match, namespace := range h.cfg.OIDC.MatchMap { for match, namespace := range h.cfg.OIDC.MatchMap {
regex := regexp.MustCompile(match) regex := regexp.MustCompile(match)
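Review bot: the new doc comment says an empty string is returned when nothing matches, but the signature returns `(string, bool)`; document what the bool means so the comment matches the code. The TODO is the more serious issue: Go map iteration order is randomized, so a config that lists a specific pattern alongside the `".*"` catch-all from the docs can assign the same user to different namespaces on different logins, and namespace assignment is an authorization decision that must be deterministic. Replace the map with an ordered list of pattern/namespace pairs (or sort the keys and document that order) and return on the first match. Two further points in the loop: `regexp.MustCompile(match)` panics on a malformed pattern at callback time, so compile the patterns once at config load and reject bad ones there; and the patterns are not anchored, so a key like `example.com` matches any email containing that substring, not only that domain, which the docs should call out or the code should anchor with `^` and `$`.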