2022-11-21 20:51:54 +00:00
|
|
|
package integration
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/tls"
|
2024-10-18 12:59:27 +00:00
|
|
|
"encoding/json"
|
2022-11-21 20:51:54 +00:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"log"
|
|
|
|
|
"net"
|
|
|
|
|
"net/http"
|
2022-12-31 00:23:55 +00:00
|
|
|
"net/netip"
|
2024-10-18 12:59:27 +00:00
|
|
|
"sort"
|
2022-11-21 20:51:54 +00:00
|
|
|
"strconv"
|
|
|
|
|
"testing"
|
2022-12-31 00:23:55 +00:00
|
|
|
"time"
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
"github.com/google/go-cmp/cmp"
|
|
|
|
|
"github.com/google/go-cmp/cmp/cmpopts"
|
|
|
|
|
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
|
2023-06-06 08:23:39 +00:00
|
|
|
"github.com/juanfont/headscale/hscontrol/types"
|
2023-05-11 07:09:18 +00:00
|
|
|
"github.com/juanfont/headscale/hscontrol/util"
|
2022-11-21 20:51:54 +00:00
|
|
|
"github.com/juanfont/headscale/integration/dockertestutil"
|
|
|
|
|
"github.com/juanfont/headscale/integration/hsic"
|
2024-10-18 12:59:27 +00:00
|
|
|
"github.com/oauth2-proxy/mockoidc"
|
2022-11-21 20:51:54 +00:00
|
|
|
"github.com/ory/dockertest/v3"
|
|
|
|
|
"github.com/ory/dockertest/v3/docker"
|
2023-02-02 09:14:33 +00:00
|
|
|
"github.com/samber/lo"
|
2023-08-31 16:37:18 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2022-11-21 20:51:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
dockerContextPath = "../."
|
|
|
|
|
hsicOIDCMockHashLength = 6
|
2022-12-31 00:23:55 +00:00
|
|
|
defaultAccessTTL = 10 * time.Minute
|
2022-11-21 20:51:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var errStatusCodeNotOK = errors.New("status code not OK")
|
|
|
|
|
|
|
|
|
|
type AuthOIDCScenario struct {
|
|
|
|
|
*Scenario
|
|
|
|
|
|
|
|
|
|
mockOIDC *dockertest.Resource
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestOIDCAuthenticationPingAll(t *testing.T) {
|
|
|
|
|
IntegrationSkip(t)
|
2022-11-22 11:05:58 +00:00
|
|
|
t.Parallel()
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2024-04-21 16:28:17 +00:00
|
|
|
baseScenario, err := NewScenario(dockertestMaxWait())
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErr(t, err)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
scenario := AuthOIDCScenario{
|
|
|
|
|
Scenario: baseScenario,
|
|
|
|
|
}
|
2024-11-18 16:33:46 +00:00
|
|
|
// defer scenario.ShutdownAssertNoPanics(t)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
// Logins to MockOIDC is served by a queue with a strict order,
|
|
|
|
|
// if we use more than one node per user, the order of the logins
|
|
|
|
|
// will not be deterministic and the test will fail.
|
2022-11-21 20:51:54 +00:00
|
|
|
spec := map[string]int{
|
2024-10-18 12:59:27 +00:00
|
|
|
"user1": 1,
|
|
|
|
|
"user2": 1,
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
mockusers := []mockoidc.MockUser{
|
|
|
|
|
oidcMockUser("user1", true),
|
|
|
|
|
oidcMockUser("user2", false),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
oidcConfig, err := scenario.runMockOIDC(defaultAccessTTL, mockusers)
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrf(t, "failed to run mock OIDC server: %s", err)
|
2024-10-18 12:59:27 +00:00
|
|
|
defer scenario.mockOIDC.Close()
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
oidcMap := map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_ISSUER": oidcConfig.Issuer,
|
|
|
|
|
"HEADSCALE_OIDC_CLIENT_ID": oidcConfig.ClientID,
|
2023-01-10 11:46:42 +00:00
|
|
|
"CREDENTIALS_DIRECTORY_TEST": "/tmp",
|
|
|
|
|
"HEADSCALE_OIDC_CLIENT_SECRET_PATH": "${CREDENTIALS_DIRECTORY_TEST}/hs_client_oidc_secret",
|
2024-10-18 12:59:27 +00:00
|
|
|
// TODO(kradalby): Remove when strip_email_domain is removed
|
|
|
|
|
// after #2170 is cleaned up
|
|
|
|
|
"HEADSCALE_OIDC_MAP_LEGACY_USERS": "0",
|
|
|
|
|
"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": "0",
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = scenario.CreateHeadscaleEnv(
|
|
|
|
|
spec,
|
|
|
|
|
hsic.WithTestName("oidcauthping"),
|
|
|
|
|
hsic.WithConfigEnv(oidcMap),
|
2024-10-15 12:38:43 +00:00
|
|
|
hsic.WithTLS(),
|
2022-11-21 20:51:54 +00:00
|
|
|
hsic.WithHostnameAsServerURL(),
|
2023-01-10 11:46:42 +00:00
|
|
|
hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(oidcConfig.ClientSecret)),
|
2022-11-21 20:51:54 +00:00
|
|
|
)
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrHeadscaleEnv(t, err)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
allClients, err := scenario.ListTailscaleClients()
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrListClients(t, err)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
allIps, err := scenario.ListTailscaleClientsIPs()
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrListClientIPs(t, err)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
err = scenario.WaitForTailscaleSync()
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrSync(t, err)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2024-02-23 09:59:24 +00:00
|
|
|
// assertClientsState(t, allClients)
|
2024-02-09 06:26:41 +00:00
|
|
|
|
2023-02-02 09:14:33 +00:00
|
|
|
allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
|
|
|
|
|
return x.String()
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
success := pingAllHelper(t, allClients, allAddrs)
|
2022-12-31 00:23:55 +00:00
|
|
|
t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
|
2024-10-18 12:59:27 +00:00
|
|
|
|
|
|
|
|
headscale, err := scenario.Headscale()
|
|
|
|
|
assertNoErr(t, err)
|
|
|
|
|
|
|
|
|
|
var listUsers []v1.User
|
|
|
|
|
err = executeAndUnmarshal(headscale,
|
|
|
|
|
[]string{
|
|
|
|
|
"headscale",
|
|
|
|
|
"users",
|
|
|
|
|
"list",
|
|
|
|
|
"--output",
|
|
|
|
|
"json",
|
|
|
|
|
},
|
|
|
|
|
&listUsers,
|
|
|
|
|
)
|
|
|
|
|
assertNoErr(t, err)
|
|
|
|
|
|
|
|
|
|
want := []v1.User{
|
|
|
|
|
{
|
|
|
|
|
Id: "1",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "2",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
Email: "user1@headscale.net",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: oidcConfig.Issuer + "/user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "3",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "4",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
Email: "", // Unverified
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: oidcConfig.Issuer + "/user2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sort.Slice(listUsers, func(i, j int) bool {
|
|
|
|
|
return listUsers[i].Id < listUsers[j].Id
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if diff := cmp.Diff(want, listUsers, cmpopts.IgnoreUnexported(v1.User{}), cmpopts.IgnoreFields(v1.User{}, "CreatedAt")); diff != "" {
|
|
|
|
|
t.Fatalf("unexpected users: %s", diff)
|
|
|
|
|
}
|
2022-12-31 00:23:55 +00:00
|
|
|
}
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2023-08-31 16:37:18 +00:00
|
|
|
// This test is really flaky.
|
2023-01-31 11:40:38 +00:00
|
|
|
func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
|
2022-12-31 00:23:55 +00:00
|
|
|
IntegrationSkip(t)
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
|
|
shortAccessTTL := 5 * time.Minute
|
|
|
|
|
|
2024-04-21 16:28:17 +00:00
|
|
|
baseScenario, err := NewScenario(dockertestMaxWait())
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErr(t, err)
|
2022-12-31 00:23:55 +00:00
|
|
|
|
2023-08-31 16:37:18 +00:00
|
|
|
baseScenario.pool.MaxWait = 5 * time.Minute
|
|
|
|
|
|
2022-12-31 00:23:55 +00:00
|
|
|
scenario := AuthOIDCScenario{
|
|
|
|
|
Scenario: baseScenario,
|
|
|
|
|
}
|
2024-09-17 09:44:55 +00:00
|
|
|
defer scenario.ShutdownAssertNoPanics(t)
|
2022-12-31 00:23:55 +00:00
|
|
|
|
|
|
|
|
spec := map[string]int{
|
2024-10-18 12:59:27 +00:00
|
|
|
"user1": 1,
|
|
|
|
|
"user2": 1,
|
2022-12-31 00:23:55 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
oidcConfig, err := scenario.runMockOIDC(shortAccessTTL, []mockoidc.MockUser{
|
|
|
|
|
oidcMockUser("user1", true),
|
|
|
|
|
oidcMockUser("user2", false),
|
|
|
|
|
})
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrf(t, "failed to run mock OIDC server: %s", err)
|
2024-10-18 12:59:27 +00:00
|
|
|
defer scenario.mockOIDC.Close()
|
2022-12-31 00:23:55 +00:00
|
|
|
|
|
|
|
|
oidcMap := map[string]string{
|
2023-01-31 11:40:38 +00:00
|
|
|
"HEADSCALE_OIDC_ISSUER": oidcConfig.Issuer,
|
|
|
|
|
"HEADSCALE_OIDC_CLIENT_ID": oidcConfig.ClientID,
|
|
|
|
|
"HEADSCALE_OIDC_CLIENT_SECRET": oidcConfig.ClientSecret,
|
|
|
|
|
"HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN": "1",
|
2022-12-31 00:23:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = scenario.CreateHeadscaleEnv(
|
|
|
|
|
spec,
|
|
|
|
|
hsic.WithTestName("oidcexpirenodes"),
|
|
|
|
|
hsic.WithConfigEnv(oidcMap),
|
|
|
|
|
hsic.WithHostnameAsServerURL(),
|
|
|
|
|
)
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrHeadscaleEnv(t, err)
|
2022-12-31 00:23:55 +00:00
|
|
|
|
|
|
|
|
allClients, err := scenario.ListTailscaleClients()
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrListClients(t, err)
|
2022-12-31 00:23:55 +00:00
|
|
|
|
|
|
|
|
allIps, err := scenario.ListTailscaleClientsIPs()
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrListClientIPs(t, err)
|
2022-12-31 00:23:55 +00:00
|
|
|
|
|
|
|
|
err = scenario.WaitForTailscaleSync()
|
2023-08-29 06:33:33 +00:00
|
|
|
assertNoErrSync(t, err)
|
2022-12-31 00:23:55 +00:00
|
|
|
|
2024-02-23 09:59:24 +00:00
|
|
|
// assertClientsState(t, allClients)
|
2024-02-09 06:26:41 +00:00
|
|
|
|
2023-02-02 09:14:33 +00:00
|
|
|
allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
|
|
|
|
|
return x.String()
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
success := pingAllHelper(t, allClients, allAddrs)
|
2022-12-31 00:23:55 +00:00
|
|
|
t.Logf("%d successful pings out of %d (before expiry)", success, len(allClients)*len(allIps))
|
|
|
|
|
|
2023-08-31 16:37:18 +00:00
|
|
|
// This is not great, but this sadly is a time dependent test, so the
|
|
|
|
|
// safe thing to do is wait out the whole TTL time before checking if
|
|
|
|
|
// the clients have logged out. The Wait function cant do it itself
|
|
|
|
|
// as it has an upper bound of 1 min.
|
|
|
|
|
time.Sleep(shortAccessTTL)
|
|
|
|
|
|
|
|
|
|
assertTailscaleNodesLogout(t, allClients)
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
// TODO(kradalby):
|
|
|
|
|
// - Test that creates a new user when one exists when migration is turned off
|
|
|
|
|
// - Test that takes over a user when one exists when migration is turned on
|
|
|
|
|
// - But email is not verified
|
|
|
|
|
// - stripped email domain on/off
|
|
|
|
|
func TestOIDC024UserCreation(t *testing.T) {
|
|
|
|
|
IntegrationSkip(t)
|
|
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
config map[string]string
|
|
|
|
|
emailVerified bool
|
|
|
|
|
cliUsers []string
|
|
|
|
|
oidcUsers []string
|
|
|
|
|
want func(iss string) []v1.User
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "no-migration-verified-email",
|
|
|
|
|
config: map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_MAP_LEGACY_USERS": "0",
|
|
|
|
|
},
|
|
|
|
|
emailVerified: true,
|
|
|
|
|
cliUsers: []string{"user1", "user2"},
|
|
|
|
|
oidcUsers: []string{"user1", "user2"},
|
|
|
|
|
want: func(iss string) []v1.User {
|
|
|
|
|
return []v1.User{
|
|
|
|
|
{
|
|
|
|
|
Id: "1",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "2",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
Email: "user1@headscale.net",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "3",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "4",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
Email: "user2@headscale.net",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "no-migration-not-verified-email",
|
|
|
|
|
config: map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_MAP_LEGACY_USERS": "0",
|
|
|
|
|
},
|
|
|
|
|
emailVerified: false,
|
|
|
|
|
cliUsers: []string{"user1", "user2"},
|
|
|
|
|
oidcUsers: []string{"user1", "user2"},
|
|
|
|
|
want: func(iss string) []v1.User {
|
|
|
|
|
return []v1.User{
|
|
|
|
|
{
|
|
|
|
|
Id: "1",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "2",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "3",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "4",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "migration-strip-domains-verified-email",
|
|
|
|
|
config: map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_MAP_LEGACY_USERS": "1",
|
|
|
|
|
"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": "1",
|
|
|
|
|
},
|
|
|
|
|
emailVerified: true,
|
|
|
|
|
cliUsers: []string{"user1", "user2"},
|
|
|
|
|
oidcUsers: []string{"user1", "user2"},
|
|
|
|
|
want: func(iss string) []v1.User {
|
|
|
|
|
return []v1.User{
|
|
|
|
|
{
|
|
|
|
|
Id: "1",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
Email: "user1@headscale.net",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "2",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
Email: "user2@headscale.net",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "migration-strip-domains-not-verified-email",
|
|
|
|
|
config: map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_MAP_LEGACY_USERS": "1",
|
|
|
|
|
"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": "1",
|
|
|
|
|
},
|
|
|
|
|
emailVerified: false,
|
|
|
|
|
cliUsers: []string{"user1", "user2"},
|
|
|
|
|
oidcUsers: []string{"user1", "user2"},
|
|
|
|
|
want: func(iss string) []v1.User {
|
|
|
|
|
return []v1.User{
|
|
|
|
|
{
|
|
|
|
|
Id: "1",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "2",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "3",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "4",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "migration-no-strip-domains-verified-email",
|
|
|
|
|
config: map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_MAP_LEGACY_USERS": "1",
|
|
|
|
|
"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": "0",
|
|
|
|
|
},
|
|
|
|
|
emailVerified: true,
|
|
|
|
|
cliUsers: []string{"user1.headscale.net", "user2.headscale.net"},
|
|
|
|
|
oidcUsers: []string{"user1", "user2"},
|
|
|
|
|
want: func(iss string) []v1.User {
|
|
|
|
|
return []v1.User{
|
|
|
|
|
// Hmm I think we will have to overwrite the initial name here
|
|
|
|
|
// createuser with "user1.headscale.net", but oidc with "user1"
|
|
|
|
|
{
|
|
|
|
|
Id: "1",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
Email: "user1@headscale.net",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "2",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
Email: "user2@headscale.net",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "migration-no-strip-domains-not-verified-email",
|
|
|
|
|
config: map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_MAP_LEGACY_USERS": "1",
|
|
|
|
|
"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": "0",
|
|
|
|
|
},
|
|
|
|
|
emailVerified: false,
|
|
|
|
|
cliUsers: []string{"user1.headscale.net", "user2.headscale.net"},
|
|
|
|
|
oidcUsers: []string{"user1", "user2"},
|
|
|
|
|
want: func(iss string) []v1.User {
|
|
|
|
|
return []v1.User{
|
|
|
|
|
{
|
|
|
|
|
Id: "1",
|
|
|
|
|
Name: "user1.headscale.net",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "2",
|
|
|
|
|
Name: "user1",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "3",
|
|
|
|
|
Name: "user2.headscale.net",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Id: "4",
|
|
|
|
|
Name: "user2",
|
|
|
|
|
Provider: "oidc",
|
|
|
|
|
ProviderId: iss + "/user2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
baseScenario, err := NewScenario(dockertestMaxWait())
|
|
|
|
|
assertNoErr(t, err)
|
|
|
|
|
|
|
|
|
|
scenario := AuthOIDCScenario{
|
|
|
|
|
Scenario: baseScenario,
|
|
|
|
|
}
|
|
|
|
|
defer scenario.ShutdownAssertNoPanics(t)
|
|
|
|
|
|
|
|
|
|
spec := map[string]int{}
|
|
|
|
|
for _, user := range tt.cliUsers {
|
|
|
|
|
spec[user] = 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var mockusers []mockoidc.MockUser
|
|
|
|
|
for _, user := range tt.oidcUsers {
|
|
|
|
|
mockusers = append(mockusers, oidcMockUser(user, tt.emailVerified))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
oidcConfig, err := scenario.runMockOIDC(defaultAccessTTL, mockusers)
|
|
|
|
|
assertNoErrf(t, "failed to run mock OIDC server: %s", err)
|
|
|
|
|
defer scenario.mockOIDC.Close()
|
|
|
|
|
|
|
|
|
|
oidcMap := map[string]string{
|
|
|
|
|
"HEADSCALE_OIDC_ISSUER": oidcConfig.Issuer,
|
|
|
|
|
"HEADSCALE_OIDC_CLIENT_ID": oidcConfig.ClientID,
|
|
|
|
|
"CREDENTIALS_DIRECTORY_TEST": "/tmp",
|
|
|
|
|
"HEADSCALE_OIDC_CLIENT_SECRET_PATH": "${CREDENTIALS_DIRECTORY_TEST}/hs_client_oidc_secret",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for k, v := range tt.config {
|
|
|
|
|
oidcMap[k] = v
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = scenario.CreateHeadscaleEnv(
|
|
|
|
|
spec,
|
|
|
|
|
hsic.WithTestName("oidcmigration"),
|
|
|
|
|
hsic.WithConfigEnv(oidcMap),
|
|
|
|
|
hsic.WithTLS(),
|
|
|
|
|
hsic.WithHostnameAsServerURL(),
|
|
|
|
|
hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(oidcConfig.ClientSecret)),
|
|
|
|
|
)
|
|
|
|
|
assertNoErrHeadscaleEnv(t, err)
|
|
|
|
|
|
|
|
|
|
// Ensure that the nodes have logged in, this is what
|
|
|
|
|
// triggers user creation via OIDC.
|
|
|
|
|
err = scenario.WaitForTailscaleSync()
|
|
|
|
|
assertNoErrSync(t, err)
|
|
|
|
|
|
|
|
|
|
headscale, err := scenario.Headscale()
|
|
|
|
|
assertNoErr(t, err)
|
|
|
|
|
|
|
|
|
|
want := tt.want(oidcConfig.Issuer)
|
|
|
|
|
|
|
|
|
|
var listUsers []v1.User
|
|
|
|
|
err = executeAndUnmarshal(headscale,
|
|
|
|
|
[]string{
|
|
|
|
|
"headscale",
|
|
|
|
|
"users",
|
|
|
|
|
"list",
|
|
|
|
|
"--output",
|
|
|
|
|
"json",
|
|
|
|
|
},
|
|
|
|
|
&listUsers,
|
|
|
|
|
)
|
|
|
|
|
assertNoErr(t, err)
|
|
|
|
|
|
|
|
|
|
sort.Slice(listUsers, func(i, j int) bool {
|
|
|
|
|
return listUsers[i].Id < listUsers[j].Id
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if diff := cmp.Diff(want, listUsers, cmpopts.IgnoreUnexported(v1.User{}), cmpopts.IgnoreFields(v1.User{}, "CreatedAt")); diff != "" {
|
|
|
|
|
t.Errorf("unexpected users: %s", diff)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-21 20:51:54 +00:00
|
|
|
func (s *AuthOIDCScenario) CreateHeadscaleEnv(
|
2023-01-17 16:43:44 +00:00
|
|
|
users map[string]int,
|
2022-11-21 20:51:54 +00:00
|
|
|
opts ...hsic.Option,
|
|
|
|
|
) error {
|
|
|
|
|
headscale, err := s.Headscale(opts...)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-29 06:33:33 +00:00
|
|
|
err = headscale.WaitForRunning()
|
2022-11-21 20:51:54 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 16:43:44 +00:00
|
|
|
for userName, clientCount := range users {
|
2024-10-18 12:59:27 +00:00
|
|
|
if clientCount != 1 {
|
|
|
|
|
// OIDC scenario only supports one client per user.
|
|
|
|
|
// This is because the MockOIDC server can only serve login
|
|
|
|
|
// requests based on a queue it has been given on startup.
|
|
|
|
|
// We currently only populates it with one login request per user.
|
|
|
|
|
return fmt.Errorf("client count must be 1 for OIDC scenario.")
|
|
|
|
|
}
|
2023-01-17 16:43:44 +00:00
|
|
|
log.Printf("creating user %s with %d clients", userName, clientCount)
|
|
|
|
|
err = s.CreateUser(userName)
|
2022-11-21 20:51:54 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 16:43:44 +00:00
|
|
|
err = s.CreateTailscaleNodesInUser(userName, "all", clientCount)
|
2022-11-21 20:51:54 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 16:43:44 +00:00
|
|
|
err = s.runTailscaleUp(userName, headscale.GetEndpoint())
|
2022-11-21 20:51:54 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
func (s *AuthOIDCScenario) runMockOIDC(accessTTL time.Duration, users []mockoidc.MockUser) (*types.OIDCConfig, error) {
|
2022-12-31 00:23:55 +00:00
|
|
|
port, err := dockertestutil.RandomFreeHostPort()
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Fatalf("could not find an open port: %s", err)
|
|
|
|
|
}
|
|
|
|
|
portNotation := fmt.Sprintf("%d/tcp", port)
|
|
|
|
|
|
2023-05-11 07:09:18 +00:00
|
|
|
hash, _ := util.GenerateRandomStringDNSSafe(hsicOIDCMockHashLength)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
hostname := fmt.Sprintf("hs-oidcmock-%s", hash)
|
|
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
usersJSON, err := json.Marshal(users)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-21 20:51:54 +00:00
|
|
|
mockOidcOptions := &dockertest.RunOptions{
|
|
|
|
|
Name: hostname,
|
|
|
|
|
Cmd: []string{"headscale", "mockoidc"},
|
2022-12-31 00:23:55 +00:00
|
|
|
ExposedPorts: []string{portNotation},
|
2022-11-21 20:51:54 +00:00
|
|
|
PortBindings: map[docker.Port][]docker.PortBinding{
|
2022-12-31 00:23:55 +00:00
|
|
|
docker.Port(portNotation): {{HostPort: strconv.Itoa(port)}},
|
2022-11-21 20:51:54 +00:00
|
|
|
},
|
|
|
|
|
Networks: []*dockertest.Network{s.Scenario.network},
|
|
|
|
|
Env: []string{
|
|
|
|
|
fmt.Sprintf("MOCKOIDC_ADDR=%s", hostname),
|
2022-12-31 00:23:55 +00:00
|
|
|
fmt.Sprintf("MOCKOIDC_PORT=%d", port),
|
2022-11-21 20:51:54 +00:00
|
|
|
"MOCKOIDC_CLIENT_ID=superclient",
|
|
|
|
|
"MOCKOIDC_CLIENT_SECRET=supersecret",
|
2022-12-31 00:23:55 +00:00
|
|
|
fmt.Sprintf("MOCKOIDC_ACCESS_TTL=%s", accessTTL.String()),
|
2024-10-18 12:59:27 +00:00
|
|
|
fmt.Sprintf("MOCKOIDC_USERS=%s", string(usersJSON)),
|
2022-11-21 20:51:54 +00:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
headscaleBuildOptions := &dockertest.BuildOptions{
|
2024-11-23 21:14:36 +00:00
|
|
|
Dockerfile: hsic.IntegrationTestDockerFileName,
|
2022-11-21 20:51:54 +00:00
|
|
|
ContextDir: dockerContextPath,
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-31 00:23:55 +00:00
|
|
|
err = s.pool.RemoveContainerByName(hostname)
|
2022-11-21 20:51:54 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if pmockoidc, err := s.pool.BuildAndRunWithBuildOptions(
|
|
|
|
|
headscaleBuildOptions,
|
|
|
|
|
mockOidcOptions,
|
|
|
|
|
dockertestutil.DockerRestartPolicy); err == nil {
|
|
|
|
|
s.mockOIDC = pmockoidc
|
|
|
|
|
} else {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Println("Waiting for headscale mock oidc to be ready for tests")
|
2022-12-31 00:23:55 +00:00
|
|
|
hostEndpoint := fmt.Sprintf("%s:%d", s.mockOIDC.GetIPInNetwork(s.network), port)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
if err := s.pool.Retry(func() error {
|
|
|
|
|
oidcConfigURL := fmt.Sprintf("http://%s/oidc/.well-known/openid-configuration", hostEndpoint)
|
|
|
|
|
httpClient := &http.Client{}
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
req, _ := http.NewRequestWithContext(ctx, http.MethodGet, oidcConfigURL, nil)
|
|
|
|
|
resp, err := httpClient.Do(req)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Printf("headscale mock OIDC tests is not ready: %s\n", err)
|
|
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
|
|
|
return errStatusCodeNotOK
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Printf("headscale mock oidc is ready for tests at %s", hostEndpoint)
|
|
|
|
|
|
2023-06-06 08:23:39 +00:00
|
|
|
return &types.OIDCConfig{
|
2023-01-31 11:40:38 +00:00
|
|
|
Issuer: fmt.Sprintf(
|
|
|
|
|
"http://%s/oidc",
|
|
|
|
|
net.JoinHostPort(s.mockOIDC.GetIPInNetwork(s.network), strconv.Itoa(port)),
|
|
|
|
|
),
|
2022-12-31 00:23:55 +00:00
|
|
|
ClientID: "superclient",
|
|
|
|
|
ClientSecret: "supersecret",
|
|
|
|
|
OnlyStartIfOIDCIsAvailable: true,
|
2022-11-21 20:51:54 +00:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *AuthOIDCScenario) runTailscaleUp(
|
2023-01-17 16:43:44 +00:00
|
|
|
userStr, loginServer string,
|
2022-11-21 20:51:54 +00:00
|
|
|
) error {
|
|
|
|
|
headscale, err := s.Headscale()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 16:43:44 +00:00
|
|
|
log.Printf("running tailscale up for user %s", userStr)
|
|
|
|
|
if user, ok := s.users[userStr]; ok {
|
|
|
|
|
for _, client := range user.Clients {
|
2023-08-29 06:33:33 +00:00
|
|
|
c := client
|
|
|
|
|
user.joinWaitGroup.Go(func() error {
|
|
|
|
|
loginURL, err := c.LoginWithURL(loginServer)
|
2022-11-21 20:51:54 +00:00
|
|
|
if err != nil {
|
2023-08-29 06:33:33 +00:00
|
|
|
log.Printf("%s failed to run tailscale up: %s", c.Hostname(), err)
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
|
|
|
|
|
loginURL.Scheme = "http"
|
|
|
|
|
|
2024-10-15 12:38:43 +00:00
|
|
|
if len(headscale.GetCert()) > 0 {
|
|
|
|
|
loginURL.Scheme = "https"
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-21 20:51:54 +00:00
|
|
|
insecureTransport := &http.Transport{
|
|
|
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // nolint
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Printf("%s login url: %s\n", c.Hostname(), loginURL.String())
|
|
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
log.Printf("%s logging in with url", c.Hostname())
|
|
|
|
|
httpClient := &http.Client{Transport: insecureTransport}
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
|
|
|
|
|
resp, err := httpClient.Do(req)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Printf(
|
|
|
|
|
"%s failed to login using url %s: %s",
|
|
|
|
|
c.Hostname(),
|
|
|
|
|
loginURL,
|
|
|
|
|
err,
|
|
|
|
|
)
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
return err
|
|
|
|
|
}
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
|
|
|
log.Printf("%s response code of oidc login request was %s", c.Hostname(), resp.Status)
|
|
|
|
|
body, _ := io.ReadAll(resp.Body)
|
|
|
|
|
log.Printf("body: %s", body)
|
2023-08-31 16:37:18 +00:00
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
return errStatusCodeNotOK
|
|
|
|
|
}
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
defer resp.Body.Close()
|
2023-08-31 16:37:18 +00:00
|
|
|
|
2024-10-18 12:59:27 +00:00
|
|
|
_, err = io.ReadAll(resp.Body)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Printf("%s failed to read response body: %s", c.Hostname(), err)
|
2023-08-31 16:37:18 +00:00
|
|
|
|
2023-08-29 06:33:33 +00:00
|
|
|
return err
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Printf("Finished request for %s to join tailnet", c.Hostname())
|
2023-08-29 06:33:33 +00:00
|
|
|
return nil
|
|
|
|
|
})
|
2022-11-21 20:51:54 +00:00
|
|
|
|
|
|
|
|
log.Printf("client %s is ready", client.Hostname())
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-29 06:33:33 +00:00
|
|
|
if err := user.joinWaitGroup.Wait(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-11-21 20:51:54 +00:00
|
|
|
|
2023-04-12 07:25:51 +00:00
|
|
|
for _, client := range user.Clients {
|
2023-08-29 06:33:33 +00:00
|
|
|
err := client.WaitForRunning()
|
2023-04-12 07:25:51 +00:00
|
|
|
if err != nil {
|
2023-08-29 06:33:33 +00:00
|
|
|
return fmt.Errorf(
|
|
|
|
|
"%s tailscale node has not reached running: %w",
|
|
|
|
|
client.Hostname(),
|
|
|
|
|
err,
|
|
|
|
|
)
|
2023-04-12 07:25:51 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-21 20:51:54 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 16:43:44 +00:00
|
|
|
return fmt.Errorf("failed to up tailscale node: %w", errNoUserAvailable)
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
|
|
|
|
|
2023-08-29 06:33:33 +00:00
|
|
|
func (s *AuthOIDCScenario) Shutdown() {
|
2022-11-21 20:51:54 +00:00
|
|
|
err := s.pool.Purge(s.mockOIDC)
|
|
|
|
|
if err != nil {
|
2023-08-29 06:33:33 +00:00
|
|
|
log.Printf("failed to remove mock oidc container")
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
|
|
|
|
|
2023-08-29 06:33:33 +00:00
|
|
|
s.Scenario.Shutdown()
|
2022-11-21 20:51:54 +00:00
|
|
|
}
|
2023-08-31 16:37:18 +00:00
|
|
|
|
|
|
|
|
func assertTailscaleNodesLogout(t *testing.T, clients []TailscaleClient) {
|
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
|
|
for _, client := range clients {
|
|
|
|
|
status, err := client.Status()
|
|
|
|
|
assertNoErr(t, err)
|
|
|
|
|
|
|
|
|
|
assert.Equal(t, "NeedsLogin", status.BackendState)
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-10-18 12:59:27 +00:00
|
|
|
|
|
|
|
|
func oidcMockUser(username string, emailVerified bool) mockoidc.MockUser {
|
|
|
|
|
return mockoidc.MockUser{
|
|
|
|
|
Subject: username,
|
|
|
|
|
PreferredUsername: username,
|
|
|
|
|
Email: fmt.Sprintf("%s@headscale.net", username),
|
|
|
|
|
EmailVerified: emailVerified,
|
|
|
|
|
}
|
|
|
|
|
}
|
