Compare commits

..

3 commits

Author SHA1 Message Date
Kristoffer Dalby
2ea807835a
Merge 45f5b15a9f into e2d5ee0927 2024-10-23 15:47:43 +00:00
Kristoffer Dalby
45f5b15a9f
resolve user identifier to stable ID
currently, the policy approach node to user matching
with a quite naive approach looking at the username
provided in the policy and matched it with the username
on the nodes. This worked ok as long as usernames were
unique and did not change.

As usernames are no longer guarenteed to be unique in
an OIDC environment we cant rely on this.

This changes the mechanism that matches the user string
(now user token) with nodes:

- first find all potential users by looking up:
  - database ID
  - provider ID (OIDC)
  - username/email

If more than one user is matching, then the query is
rejected, and zero matching nodes are returned.

When a single user is found, the node is matched against
the User database ID, which are also present on the actual
node.

This means that from this commit, users can use the following
to identify users in the policy:
- provider identity (iss + sub)
- username
- email
- database id

There are more changes coming to this, so it is not recommended
to start using any of these new abilities, with the exception
of email, which will not change since it includes an @.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-23 10:47:35 -05:00
Kristoffer Dalby
e2d5ee0927
cleanup linter warnings (#2206)
Some checks failed
Build / build (push) Has been cancelled
Build documentation / build (push) Has been cancelled
Build documentation / deploy (push) Has been cancelled
Tests / test (push) Has been cancelled
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-23 10:45:59 -05:00
4 changed files with 8 additions and 32 deletions

View file

@ -111,9 +111,7 @@ func generateUserProfiles(
func generateDNSConfig(
cfg *types.Config,
baseDomain string,
node *types.Node,
peers types.Nodes,
) *tailcfg.DNSConfig {
if cfg.DNSConfig == nil {
return nil
@ -545,12 +543,7 @@ func appendPeerChanges(
profiles := generateUserProfiles(node, changed)
dnsConfig := generateDNSConfig(
cfg,
cfg.BaseDomain,
node,
peers,
)
dnsConfig := generateDNSConfig(cfg, node)
tailPeers, err := tailNodes(changed, capVer, pol, cfg)
if err != nil {

View file

@ -114,24 +114,12 @@ func TestDNSConfigMapResponse(t *testing.T) {
}
nodeInShared1 := mach("test_get_shared_nodes_1", "shared1", 1)
nodeInShared2 := mach("test_get_shared_nodes_2", "shared2", 2)
nodeInShared3 := mach("test_get_shared_nodes_3", "shared3", 3)
node2InShared1 := mach("test_get_shared_nodes_4", "shared1", 1)
peersOfNodeInShared1 := types.Nodes{
nodeInShared1,
nodeInShared2,
nodeInShared3,
node2InShared1,
}
got := generateDNSConfig(
&types.Config{
DNSConfig: &dnsConfigOrig,
},
baseDomain,
nodeInShared1,
peersOfNodeInShared1,
)
if diff := cmp.Diff(tt.want, got, cmpopts.EquateEmpty()); diff != "" {

View file

@ -10,7 +10,6 @@ import (
"github.com/juanfont/headscale/hscontrol/types"
"github.com/rs/zerolog/log"
"golang.org/x/net/http2"
"golang.org/x/net/http2/h2c"
"tailscale.com/control/controlbase"
"tailscale.com/control/controlhttp"
"tailscale.com/tailcfg"
@ -101,18 +100,12 @@ func (h *Headscale) NoiseUpgradeHandler(
Methods(http.MethodPost)
router.HandleFunc("/machine/map", noiseServer.NoisePollNetMapHandler)
server := http.Server{
ReadTimeout: types.HTTPTimeout,
}
noiseServer.httpBaseConfig = &http.Server{
Handler: router,
ReadHeaderTimeout: types.HTTPTimeout,
}
noiseServer.http2Server = &http2.Server{}
server.Handler = h2c.NewHandler(router, noiseServer.http2Server)
noiseServer.http2Server.ServeConn(
noiseConn,
&http2.ServeConnOpts{

View file

@ -22,6 +22,8 @@ import (
"tailscale.com/wgengine/filter"
)
var allPorts = filter.PortRange{First: 0, Last: 0xffff}
// This test is both testing the routes command and the propagation of
// routes.
func TestEnablingRoutes(t *testing.T) {
@ -1249,11 +1251,11 @@ func TestSubnetRouteACL(t *testing.T) {
Dsts: []filter.NetPortRange{
{
Net: netip.MustParsePrefix("100.64.0.2/32"),
Ports: filter.PortRange{0, 0xffff},
Ports: allPorts,
},
{
Net: netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
Ports: filter.PortRange{0, 0xffff},
Ports: allPorts,
},
},
Caps: []filter.CapMatch{},
@ -1281,11 +1283,11 @@ func TestSubnetRouteACL(t *testing.T) {
Dsts: []filter.NetPortRange{
{
Net: netip.MustParsePrefix("100.64.0.1/32"),
Ports: filter.PortRange{0, 0xffff},
Ports: allPorts,
},
{
Net: netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
Ports: filter.PortRange{0, 0xffff},
Ports: allPorts,
},
},
Caps: []filter.CapMatch{},
@ -1303,7 +1305,7 @@ func TestSubnetRouteACL(t *testing.T) {
Dsts: []filter.NetPortRange{
{
Net: netip.MustParsePrefix("10.33.0.0/16"),
Ports: filter.PortRange{0, 0xffff},
Ports: allPorts,
},
},
Caps: []filter.CapMatch{},