fix webauth + autoapprove routes (#2528)
* types/node: add helper funcs for node tags Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * types/node: add DebugString method for node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add String func to AutoApprover interface Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: simplify, use slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: debug, use nodes.DebugString Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: fix potential nil pointer in NodeCanApproveRoute Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: fix diff in login commands Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: fix webauth running with wrong scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: move common oidc opts to func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: require node count, more verbose Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * auth: remove uneffective route approve Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: fmt Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: add id func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: remove call that might be nil Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: test autoapprovers against web/authkey x group/tag/user Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: unique network id per scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Revert "integration: move common oidc opts to func" This reverts commit 7e9d165d4a900c304f1083b665f1a24a26e06e55. * remove cmd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: clean docker images between runs in ci Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: run autoapprove test against differnt policy modes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: append, not overrwrite extra login args Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: remove polv2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby
GitHub
parent
57861507ab
commit
f1206328dc
17 changed files with 732 additions and 401 deletions
|
|
@ -18,6 +18,7 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/juanfont/headscale/hscontrol/types"
|
||||
"github.com/juanfont/headscale/hscontrol/util"
|
||||
"github.com/juanfont/headscale/integration/dockertestutil"
|
||||
"github.com/juanfont/headscale/integration/integrationutil"
|
||||
|
|
@ -194,7 +195,7 @@ func WithBuildTag(tag string) Option {
|
|||
// as part of the Login function.
|
||||
func WithExtraLoginArgs(args []string) Option {
|
||||
return func(tsic *TailscaleInContainer) {
|
||||
tsic.extraLoginArgs = args
|
||||
tsic.extraLoginArgs = append(tsic.extraLoginArgs, args...)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -383,7 +384,7 @@ func (t *TailscaleInContainer) Version() string {
|
|||
|
||||
// ID returns the Docker container ID of the TailscaleInContainer
|
||||
// instance.
|
||||
func (t *TailscaleInContainer) ID() string {
|
||||
func (t *TailscaleInContainer) ContainerID() string {
|
||||
return t.container.Container.ID
|
||||
}
|
||||
|
||||
|
|
@ -426,20 +427,21 @@ func (t *TailscaleInContainer) Logs(stdout, stderr io.Writer) error {
|
|||
)
|
||||
}
|
||||
|
||||
// Up runs the login routine on the given Tailscale instance.
|
||||
// This login mechanism uses the authorised key for authentication.
|
||||
func (t *TailscaleInContainer) Login(
|
||||
func (t *TailscaleInContainer) buildLoginCommand(
|
||||
loginServer, authKey string,
|
||||
) error {
|
||||
) []string {
|
||||
command := []string{
|
||||
"tailscale",
|
||||
"up",
|
||||
"--login-server=" + loginServer,
|
||||
"--authkey=" + authKey,
|
||||
"--hostname=" + t.hostname,
|
||||
fmt.Sprintf("--accept-routes=%t", t.withAcceptRoutes),
|
||||
}
|
||||
|
||||
if authKey != "" {
|
||||
command = append(command, "--authkey="+authKey)
|
||||
}
|
||||
|
||||
if t.extraLoginArgs != nil {
|
||||
command = append(command, t.extraLoginArgs...)
|
||||
}
|
||||
|
|
@ -458,6 +460,16 @@ func (t *TailscaleInContainer) Login(
|
|||
)
|
||||
}
|
||||
|
||||
return command
|
||||
}
|
||||
|
||||
// Login runs the login routine on the given Tailscale instance.
|
||||
// This login mechanism uses the authorised key for authentication.
|
||||
func (t *TailscaleInContainer) Login(
|
||||
loginServer, authKey string,
|
||||
) error {
|
||||
command := t.buildLoginCommand(loginServer, authKey)
|
||||
|
||||
if _, _, err := t.Execute(command, dockertestutil.ExecuteCommandTimeout(dockerExecuteTimeout)); err != nil {
|
||||
return fmt.Errorf(
|
||||
"%s failed to join tailscale client (%s): %w",
|
||||
|
|
@ -475,17 +487,7 @@ func (t *TailscaleInContainer) Login(
|
|||
func (t *TailscaleInContainer) LoginWithURL(
|
||||
loginServer string,
|
||||
) (loginURL *url.URL, err error) {
|
||||
command := []string{
|
||||
"tailscale",
|
||||
"up",
|
||||
"--login-server=" + loginServer,
|
||||
"--hostname=" + t.hostname,
|
||||
"--accept-routes=false",
|
||||
}
|
||||
|
||||
if t.extraLoginArgs != nil {
|
||||
command = append(command, t.extraLoginArgs...)
|
||||
}
|
||||
command := t.buildLoginCommand(loginServer, "")
|
||||
|
||||
stdout, stderr, err := t.Execute(command)
|
||||
if errors.Is(err, errTailscaleNotLoggedIn) {
|
||||
|
|
@ -646,7 +648,7 @@ func (t *TailscaleInContainer) Status(save ...bool) (*ipnstate.Status, error) {
|
|||
return &status, err
|
||||
}
|
||||
|
||||
// Status returns the ipnstate.Status of the Tailscale instance.
|
||||
// MustStatus returns the ipnstate.Status of the Tailscale instance.
|
||||
func (t *TailscaleInContainer) MustStatus() *ipnstate.Status {
|
||||
status, err := t.Status()
|
||||
if err != nil {
|
||||
|
|
@ -656,6 +658,21 @@ func (t *TailscaleInContainer) MustStatus() *ipnstate.Status {
|
|||
return status
|
||||
}
|
||||
|
||||
// MustID returns the ID of the Tailscale instance.
|
||||
func (t *TailscaleInContainer) MustID() types.NodeID {
|
||||
status, err := t.Status()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
id, err := strconv.ParseUint(string(status.Self.ID), 10, 64)
|
||||
if err != nil {
|
||||
panic(fmt.Sprintf("failed to parse ID: %s", err))
|
||||
}
|
||||
|
||||
return types.NodeID(id)
|
||||
}
|
||||
|
||||
// Netmap returns the current Netmap (netmap.NetworkMap) of the Tailscale instance.
|
||||
// Only works with Tailscale 1.56 and newer.
|
||||
// Panics if version is lower then minimum.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue