headscale/hscontrol/db
Kristoffer Dalby 50165ce9e1
resolve user identifier to stable ID
currently, the policy approach node to user matching
with a quite naive approach looking at the username
provided in the policy and matched it with the username
on the nodes. This worked ok as long as usernames were
unique and did not change.

As usernames are no longer guarenteed to be unique in
an OIDC environment we cant rely on this.

This changes the mechanism that matches the user string
(now user token) with nodes:

- first find all potential users by looking up:
  - database ID
  - provider ID (OIDC)
  - username/email

If more than one user is matching, then the query is
rejected, and zero matching nodes are returned.

When a single user is found, the node is matched against
the User database ID, which are also present on the actual
node.

This means that from this commit, users can use the following
to identify users in the policy:
- provider identity (iss + sub)
- username
- email
- database id

There are more changes coming to this, so it is not recommended
to start using any of these new abilities, with the exception
of email, which will not change since it includes an @.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-23 22:31:37 -05:00
..
testdata use gorm serialiser instead of custom hooks (#2156) 2024-10-02 11:41:58 +02:00
api_key.go Replace database locks with transactions (#1701) 2024-02-08 17:28:19 +01:00
api_key_test.go Replace the timestamp based state system 2023-09-19 10:20:21 -05:00
db.go Redo OIDC configuration (#2020) 2024-10-02 14:50:17 +02:00
db_test.go Redo OIDC configuration (#2020) 2024-10-02 14:50:17 +02:00
ip.go use tsaddr library and cleanups (#2150) 2024-10-02 09:06:09 +02:00
ip_test.go use gorm serialiser instead of custom hooks (#2156) 2024-10-02 11:41:58 +02:00
node.go #2177 Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules applied (#2198) 2024-10-15 18:33:03 +02:00
node_test.go resolve user identifier to stable ID 2024-10-23 22:31:37 -05:00
policy.go reformat code (#2019) 2024-07-22 08:56:00 +02:00
preauth_keys.go Redo OIDC configuration (#2020) 2024-10-02 14:50:17 +02:00
preauth_keys_test.go make reauth test compat with tailscale head (#2167) 2024-10-03 12:01:48 +02:00
routes.go resolve user identifier to stable ID 2024-10-23 22:31:37 -05:00
routes_test.go Redo OIDC configuration (#2020) 2024-10-02 14:50:17 +02:00
suite_test.go Redo OIDC configuration (#2020) 2024-10-02 14:50:17 +02:00
text_serialiser.go use gorm serialiser instead of custom hooks (#2156) 2024-10-02 11:41:58 +02:00
users.go Redo OIDC configuration (#2020) 2024-10-02 14:50:17 +02:00
users_test.go Redo OIDC configuration (#2020) 2024-10-02 14:50:17 +02:00