2023-05-10 09:24:05 +02:00
|
|
|
package hscontrol
|
2022-08-14 21:15:58 +02:00
|
|
|
|
|
|
|
|
import (
|
2025-10-22 13:50:39 +02:00
|
|
|
"cmp"
|
2024-02-08 17:28:19 +01:00
|
|
|
"context"
|
2022-08-19 14:20:24 +02:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
2022-08-14 21:15:58 +02:00
|
|
|
"net/http"
|
2025-01-26 22:20:11 +01:00
|
|
|
"net/url"
|
|
|
|
|
"strings"
|
2022-08-19 14:20:24 +02:00
|
|
|
"time"
|
2022-08-14 21:15:58 +02:00
|
|
|
|
2023-05-21 19:37:59 +03:00
|
|
|
"github.com/juanfont/headscale/hscontrol/types"
|
2025-07-28 11:15:53 +02:00
|
|
|
"github.com/juanfont/headscale/hscontrol/types/change"
|
2025-10-16 12:17:43 +02:00
|
|
|
"github.com/juanfont/headscale/hscontrol/util"
|
2025-08-14 20:29:11 +02:00
|
|
|
"github.com/rs/zerolog/log"
|
2022-08-19 14:20:24 +02:00
|
|
|
"gorm.io/gorm"
|
2022-08-14 21:15:58 +02:00
|
|
|
"tailscale.com/tailcfg"
|
2022-08-19 14:20:24 +02:00
|
|
|
"tailscale.com/types/key"
|
2024-07-18 10:01:59 +02:00
|
|
|
"tailscale.com/types/ptr"
|
2022-08-14 21:15:58 +02:00
|
|
|
)
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
type AuthProvider interface {
|
|
|
|
|
RegisterHandler(http.ResponseWriter, *http.Request)
|
2025-01-26 22:20:11 +01:00
|
|
|
AuthURL(types.RegistrationID) string
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 14:50:17 +02:00
|
|
|
}
|
|
|
|
|
|
2023-06-06 17:14:56 +02:00
|
|
|
func (h *Headscale) handleRegister(
|
2025-02-01 09:16:51 +00:00
|
|
|
ctx context.Context,
|
2025-10-16 12:17:43 +02:00
|
|
|
req tailcfg.RegisterRequest,
|
2022-08-19 14:20:24 +02:00
|
|
|
machineKey key.MachinePublic,
|
2025-02-01 09:16:51 +00:00
|
|
|
) (*tailcfg.RegisterResponse, error) {
|
2025-10-16 12:17:43 +02:00
|
|
|
// Check for logout/expiry FIRST, before checking auth key.
|
|
|
|
|
// Tailscale clients may send logout requests with BOTH a past expiry AND an auth key.
|
|
|
|
|
// A past expiry takes precedence - it's a logout regardless of other fields.
|
|
|
|
|
if !req.Expiry.IsZero() && req.Expiry.Before(time.Now()) {
|
|
|
|
|
log.Debug().
|
|
|
|
|
Str("node.key", req.NodeKey.ShortString()).
|
|
|
|
|
Time("expiry", req.Expiry).
|
|
|
|
|
Bool("has_auth", req.Auth != nil).
|
|
|
|
|
Msg("Detected logout attempt with past expiry")
|
|
|
|
|
|
|
|
|
|
// This is a logout attempt (expiry in the past)
|
|
|
|
|
if node, ok := h.state.GetNodeByNodeKey(req.NodeKey); ok {
|
|
|
|
|
log.Debug().
|
|
|
|
|
Uint64("node.id", node.ID().Uint64()).
|
|
|
|
|
Str("node.name", node.Hostname()).
|
|
|
|
|
Bool("is_ephemeral", node.IsEphemeral()).
|
|
|
|
|
Bool("has_authkey", node.AuthKey().Valid()).
|
|
|
|
|
Msg("Found existing node for logout, calling handleLogout")
|
|
|
|
|
|
|
|
|
|
resp, err := h.handleLogout(node, req, machineKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("handling logout: %w", err)
|
|
|
|
|
}
|
|
|
|
|
if resp != nil {
|
|
|
|
|
return resp, nil
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
log.Warn().
|
|
|
|
|
Str("node.key", req.NodeKey.ShortString()).
|
|
|
|
|
Msg("Logout attempt but node not found in NodeStore")
|
2023-03-20 17:14:34 +07:00
|
|
|
}
|
2025-10-16 12:17:43 +02:00
|
|
|
}
|
2023-03-20 17:14:34 +07:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// If the register request does not contain a Auth struct, it means we are logging
|
|
|
|
|
// out an existing node (legacy logout path for clients that send Auth=nil).
|
|
|
|
|
if req.Auth == nil {
|
|
|
|
|
// If the register request present a NodeKey that is currently in use, we will
|
|
|
|
|
// check if the node needs to be sent to re-auth, or if the node is logging out.
|
|
|
|
|
// We do not look up nodes by [key.MachinePublic] as it might belong to multiple
|
|
|
|
|
// nodes, separated by users and this path is handling expiring/logout paths.
|
|
|
|
|
if node, ok := h.state.GetNodeByNodeKey(req.NodeKey); ok {
|
2025-11-11 17:42:07 +01:00
|
|
|
// When tailscaled restarts, it sends RegisterRequest with Auth=nil and Expiry=zero.
|
|
|
|
|
// Return the current node state without modification.
|
|
|
|
|
// See: https://github.com/juanfont/headscale/issues/2862
|
|
|
|
|
if req.Expiry.IsZero() && node.Expiry().Valid() && !node.IsExpired() {
|
|
|
|
|
return nodeToRegisterResponse(node), nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
resp, err := h.handleLogout(node, req, machineKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("handling existing node: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If resp is not nil, we have a response to return to the node.
|
|
|
|
|
// If resp is nil, we should proceed and see if the node is trying to re-auth.
|
|
|
|
|
if resp != nil {
|
|
|
|
|
return resp, nil
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// If the register request is not attempting to register a node, and
|
|
|
|
|
// we cannot match it with an existing node, we consider that unexpected
|
|
|
|
|
// as only register nodes should attempt to log out.
|
|
|
|
|
log.Debug().
|
|
|
|
|
Str("node.key", req.NodeKey.ShortString()).
|
|
|
|
|
Str("machine.key", machineKey.ShortString()).
|
|
|
|
|
Bool("unexpected", true).
|
|
|
|
|
Msg("received register request with no auth, and no existing node")
|
|
|
|
|
}
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// If the [tailcfg.RegisterRequest] has a Followup URL, it means that the
|
|
|
|
|
// node has already started the registration process and we should wait for
|
|
|
|
|
// it to finish the original registration.
|
|
|
|
|
if req.Followup != "" {
|
|
|
|
|
return h.waitForFollowup(ctx, req, machineKey)
|
2025-02-01 09:16:51 +00:00
|
|
|
}
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// Pre authenticated keys are handled slightly different than interactive
|
|
|
|
|
// logins as they can be done fully sync and we can respond to the node with
|
|
|
|
|
// the result as it is waiting.
|
|
|
|
|
if isAuthKey(req) {
|
|
|
|
|
resp, err := h.handleRegisterWithAuthKey(req, machineKey)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
2025-07-28 11:15:53 +02:00
|
|
|
// Preserve HTTPError types so they can be handled properly by the HTTP layer
|
|
|
|
|
var httpErr HTTPError
|
|
|
|
|
if errors.As(err, &httpErr) {
|
|
|
|
|
return nil, httpErr
|
|
|
|
|
}
|
2025-07-05 23:30:47 +02:00
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
return nil, fmt.Errorf("handling register with auth key: %w", err)
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
return resp, nil
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
resp, err := h.handleRegisterInteractive(req, machineKey)
|
2025-02-01 09:16:51 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("handling register interactive: %w", err)
|
|
|
|
|
}
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
return resp, nil
|
|
|
|
|
}
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// handleLogout checks if the [tailcfg.RegisterRequest] is a
|
|
|
|
|
// logout attempt from a node. If the node is not attempting to
|
|
|
|
|
func (h *Headscale) handleLogout(
|
|
|
|
|
node types.NodeView,
|
|
|
|
|
req tailcfg.RegisterRequest,
|
2025-02-01 09:16:51 +00:00
|
|
|
machineKey key.MachinePublic,
|
|
|
|
|
) (*tailcfg.RegisterResponse, error) {
|
2025-10-16 12:17:43 +02:00
|
|
|
// Fail closed if it looks like this is an attempt to modify a node where
|
|
|
|
|
// the node key and the machine key the noise session was started with does
|
|
|
|
|
// not align.
|
|
|
|
|
if node.MachineKey() != machineKey {
|
2025-02-01 15:25:18 +01:00
|
|
|
return nil, NewHTTPError(http.StatusUnauthorized, "node exist with different machine key", nil)
|
2025-02-01 09:16:51 +00:00
|
|
|
}
|
2024-05-16 02:40:14 +02:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// Note: We do NOT return early if req.Auth is set, because Tailscale clients
|
|
|
|
|
// may send logout requests with BOTH a past expiry AND an auth key.
|
|
|
|
|
// A past expiry indicates logout, regardless of whether Auth is present.
|
|
|
|
|
// The expiry check below will handle the logout logic.
|
2025-07-28 11:15:53 +02:00
|
|
|
|
2025-07-05 23:30:47 +02:00
|
|
|
// If the node is expired and this is not a re-authentication attempt,
|
2025-10-16 12:17:43 +02:00
|
|
|
// force the client to re-authenticate.
|
|
|
|
|
// TODO(kradalby): I wonder if this is a path we ever hit?
|
|
|
|
|
if node.IsExpired() {
|
|
|
|
|
log.Trace().Str("node.name", node.Hostname()).
|
|
|
|
|
Uint64("node.id", node.ID().Uint64()).
|
|
|
|
|
Interface("reg.req", req).
|
|
|
|
|
Bool("unexpected", true).
|
|
|
|
|
Msg("Node key expired, forcing re-authentication")
|
2025-07-05 23:30:47 +02:00
|
|
|
return &tailcfg.RegisterResponse{
|
|
|
|
|
NodeKeyExpired: true,
|
|
|
|
|
MachineAuthorized: false,
|
|
|
|
|
AuthURL: "", // Client will need to re-authenticate
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// If we get here, the node is not currently expired, and not trying to
|
|
|
|
|
// do an auth.
|
|
|
|
|
// The node is likely logging out, but before we run that logic, we will validate
|
|
|
|
|
// that the node is not attempting to tamper/extend their expiry.
|
|
|
|
|
// If it is not, we will expire the node or in the case of an ephemeral node, delete it.
|
2022-08-25 20:43:15 +10:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// The client is trying to extend their key, this is not allowed.
|
|
|
|
|
if req.Expiry.After(time.Now()) {
|
|
|
|
|
return nil, NewHTTPError(http.StatusBadRequest, "extending key is not allowed", nil)
|
|
|
|
|
}
|
2025-05-27 16:27:16 +02:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// If the request expiry is in the past, we consider it a logout.
|
2025-11-11 17:42:07 +01:00
|
|
|
// Zero expiry is handled in handleRegister() before calling this function.
|
2025-10-16 12:17:43 +02:00
|
|
|
if req.Expiry.Before(time.Now()) {
|
|
|
|
|
log.Debug().
|
|
|
|
|
Uint64("node.id", node.ID().Uint64()).
|
|
|
|
|
Str("node.name", node.Hostname()).
|
|
|
|
|
Bool("is_ephemeral", node.IsEphemeral()).
|
|
|
|
|
Bool("has_authkey", node.AuthKey().Valid()).
|
|
|
|
|
Time("req.expiry", req.Expiry).
|
|
|
|
|
Msg("Processing logout request with past expiry")
|
|
|
|
|
|
|
|
|
|
if node.IsEphemeral() {
|
|
|
|
|
log.Info().
|
|
|
|
|
Uint64("node.id", node.ID().Uint64()).
|
|
|
|
|
Str("node.name", node.Hostname()).
|
|
|
|
|
Msg("Deleting ephemeral node during logout")
|
|
|
|
|
|
|
|
|
|
c, err := h.state.DeleteNode(node)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("deleting ephemeral node: %w", err)
|
2022-09-23 17:58:06 +10:00
|
|
|
}
|
2024-02-18 19:31:29 +01:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
h.Change(c)
|
|
|
|
|
|
|
|
|
|
return &tailcfg.RegisterResponse{
|
|
|
|
|
NodeKeyExpired: true,
|
|
|
|
|
MachineAuthorized: false,
|
|
|
|
|
}, nil
|
2024-11-26 15:16:06 +01:00
|
|
|
}
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
log.Debug().
|
|
|
|
|
Uint64("node.id", node.ID().Uint64()).
|
|
|
|
|
Str("node.name", node.Hostname()).
|
|
|
|
|
Msg("Node is not ephemeral, setting expiry instead of deleting")
|
|
|
|
|
}
|
2025-05-27 16:27:16 +02:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// Update the internal state with the nodes new expiry, meaning it is
|
|
|
|
|
// logged out.
|
|
|
|
|
updatedNode, c, err := h.state.SetNodeExpiry(node.ID(), req.Expiry)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("setting node expiry: %w", err)
|
2025-07-05 23:30:47 +02:00
|
|
|
}
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
h.Change(c)
|
|
|
|
|
|
|
|
|
|
return nodeToRegisterResponse(updatedNode), nil
|
2025-02-25 09:16:07 -08:00
|
|
|
}
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
// isAuthKey reports if the register request is a registration request
|
|
|
|
|
// using an pre auth key.
|
|
|
|
|
func isAuthKey(req tailcfg.RegisterRequest) bool {
|
|
|
|
|
return req.Auth != nil && req.Auth.AuthKey != ""
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func nodeToRegisterResponse(node types.NodeView) *tailcfg.RegisterResponse {
|
2025-02-01 09:16:51 +00:00
|
|
|
return &tailcfg.RegisterResponse{
|
|
|
|
|
// TODO(kradalby): Only send for user-owned nodes
|
|
|
|
|
// and not tagged nodes when tags is working.
|
2025-10-16 12:17:43 +02:00
|
|
|
User: node.UserView().TailscaleUser(),
|
|
|
|
|
Login: node.UserView().TailscaleLogin(),
|
2025-02-25 09:16:07 -08:00
|
|
|
NodeKeyExpired: node.IsExpired(),
|
2025-02-01 09:16:51 +00:00
|
|
|
|
|
|
|
|
// Headscale does not implement the concept of machine authorization
|
|
|
|
|
// so we always return true here.
|
|
|
|
|
// Revisit this if #2176 gets implemented.
|
|
|
|
|
MachineAuthorized: true,
|
2025-02-25 09:16:07 -08:00
|
|
|
}
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
func (h *Headscale) waitForFollowup(
|
|
|
|
|
ctx context.Context,
|
2025-10-16 12:17:43 +02:00
|
|
|
req tailcfg.RegisterRequest,
|
2025-08-29 15:55:42 +02:00
|
|
|
machineKey key.MachinePublic,
|
2025-02-25 09:16:07 -08:00
|
|
|
) (*tailcfg.RegisterResponse, error) {
|
2025-10-16 12:17:43 +02:00
|
|
|
fu, err := url.Parse(req.Followup)
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
2025-02-25 09:16:07 -08:00
|
|
|
return nil, NewHTTPError(http.StatusUnauthorized, "invalid followup URL", err)
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
followupReg, err := types.RegistrationIDFromString(strings.ReplaceAll(fu.Path, "/register/", ""))
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
2025-02-25 09:16:07 -08:00
|
|
|
return nil, NewHTTPError(http.StatusUnauthorized, "invalid registration ID", err)
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-05-27 16:27:16 +02:00
|
|
|
if reg, ok := h.state.GetRegistrationCacheEntry(followupReg); ok {
|
2025-02-01 09:16:51 +00:00
|
|
|
select {
|
|
|
|
|
case <-ctx.Done():
|
2025-02-25 09:16:07 -08:00
|
|
|
return nil, NewHTTPError(http.StatusUnauthorized, "registration timed out", err)
|
|
|
|
|
case node := <-reg.Registered:
|
|
|
|
|
if node == nil {
|
2025-08-29 15:55:42 +02:00
|
|
|
// registration is expired in the cache, instruct the client to try a new registration
|
2025-10-16 12:17:43 +02:00
|
|
|
return h.reqToNewRegisterResponse(req, machineKey)
|
2025-02-25 09:16:07 -08:00
|
|
|
}
|
2025-10-16 12:17:43 +02:00
|
|
|
return nodeToRegisterResponse(node.View()), nil
|
2025-02-01 09:16:51 +00:00
|
|
|
}
|
|
|
|
|
}
|
2025-02-25 09:16:07 -08:00
|
|
|
|
2025-08-29 15:55:42 +02:00
|
|
|
// if the follow-up registration isn't found anymore, instruct the client to try a new registration
|
2025-10-16 12:17:43 +02:00
|
|
|
return h.reqToNewRegisterResponse(req, machineKey)
|
2025-08-29 15:55:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// reqToNewRegisterResponse refreshes the registration flow by creating a new
|
|
|
|
|
// registration ID and returning the corresponding AuthURL so the client can
|
|
|
|
|
// restart the authentication process.
|
|
|
|
|
func (h *Headscale) reqToNewRegisterResponse(
|
2025-10-16 12:17:43 +02:00
|
|
|
req tailcfg.RegisterRequest,
|
2025-08-29 15:55:42 +02:00
|
|
|
machineKey key.MachinePublic,
|
|
|
|
|
) (*tailcfg.RegisterResponse, error) {
|
|
|
|
|
newRegID, err := types.NewRegistrationID()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, NewHTTPError(http.StatusInternalServerError, "failed to generate registration ID", err)
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-22 13:50:39 +02:00
|
|
|
// Ensure we have a valid hostname
|
|
|
|
|
hostname := util.EnsureHostname(
|
2025-10-16 12:17:43 +02:00
|
|
|
req.Hostinfo,
|
|
|
|
|
machineKey.String(),
|
|
|
|
|
req.NodeKey.String(),
|
|
|
|
|
)
|
|
|
|
|
|
2025-10-22 13:50:39 +02:00
|
|
|
// Ensure we have valid hostinfo
|
|
|
|
|
hostinfo := cmp.Or(req.Hostinfo, &tailcfg.Hostinfo{})
|
|
|
|
|
hostinfo.Hostname = hostname
|
|
|
|
|
|
2025-08-29 15:55:42 +02:00
|
|
|
nodeToRegister := types.NewRegisterNode(
|
|
|
|
|
types.Node{
|
2025-10-16 12:17:43 +02:00
|
|
|
Hostname: hostname,
|
2025-08-29 15:55:42 +02:00
|
|
|
MachineKey: machineKey,
|
2025-10-16 12:17:43 +02:00
|
|
|
NodeKey: req.NodeKey,
|
2025-10-22 13:50:39 +02:00
|
|
|
Hostinfo: hostinfo,
|
2025-08-29 15:55:42 +02:00
|
|
|
LastSeen: ptr.To(time.Now()),
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
if !req.Expiry.IsZero() {
|
|
|
|
|
nodeToRegister.Node.Expiry = &req.Expiry
|
2025-08-29 15:55:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Info().Msgf("New followup node registration using key: %s", newRegID)
|
|
|
|
|
h.state.SetRegistrationCacheEntry(newRegID, nodeToRegister)
|
|
|
|
|
|
|
|
|
|
return &tailcfg.RegisterResponse{
|
|
|
|
|
AuthURL: h.authProvider.AuthURL(newRegID),
|
|
|
|
|
}, nil
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
func (h *Headscale) handleRegisterWithAuthKey(
|
2025-10-16 12:17:43 +02:00
|
|
|
req tailcfg.RegisterRequest,
|
2025-02-01 09:16:51 +00:00
|
|
|
machineKey key.MachinePublic,
|
|
|
|
|
) (*tailcfg.RegisterResponse, error) {
|
2025-07-05 23:30:47 +02:00
|
|
|
node, changed, err := h.state.HandleNodeFromPreAuthKey(
|
2025-10-16 12:17:43 +02:00
|
|
|
req,
|
2025-05-27 16:27:16 +02:00
|
|
|
machineKey,
|
|
|
|
|
)
|
2025-02-01 15:25:18 +01:00
|
|
|
if err != nil {
|
|
|
|
|
if errors.Is(err, gorm.ErrRecordNotFound) {
|
|
|
|
|
return nil, NewHTTPError(http.StatusUnauthorized, "invalid pre auth key", nil)
|
|
|
|
|
}
|
2025-07-10 23:38:55 +02:00
|
|
|
var perr types.PAKError
|
|
|
|
|
if errors.As(err, &perr) {
|
2025-05-27 16:27:16 +02:00
|
|
|
return nil, NewHTTPError(http.StatusUnauthorized, perr.Error(), nil)
|
2022-12-27 11:33:51 +00:00
|
|
|
}
|
2025-07-10 23:38:55 +02:00
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
return nil, err
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-07-05 23:30:47 +02:00
|
|
|
// If node is not valid, it means an ephemeral node was deleted during logout
|
|
|
|
|
if !node.Valid() {
|
2025-07-28 11:15:53 +02:00
|
|
|
h.Change(changed)
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-01 08:05:42 +03:00
|
|
|
// This is a bit of a back and forth, but we have a bit of a chicken and egg
|
|
|
|
|
// dependency here.
|
|
|
|
|
// Because the way the policy manager works, we need to have the node
|
|
|
|
|
// in the database, then add it to the policy manager and then we can
|
|
|
|
|
// approve the route. This means we get this dance where the node is
|
|
|
|
|
// first added to the database, then we add it to the policy manager via
|
|
|
|
|
// nodesChangedHook and then we can auto approve the routes.
|
|
|
|
|
// As that only approves the struct object, we need to save it again and
|
|
|
|
|
// ensure we send an update.
|
|
|
|
|
// This works, but might be another good candidate for doing some sort of
|
|
|
|
|
// eventbus.
|
2025-07-28 11:15:53 +02:00
|
|
|
// TODO(kradalby): This needs to be ran as part of the batcher maybe?
|
|
|
|
|
// now since we dont update the node/pol here anymore
|
|
|
|
|
routeChange := h.state.AutoApproveRoutes(node)
|
2025-07-05 23:30:47 +02:00
|
|
|
|
2025-05-27 16:27:16 +02:00
|
|
|
if _, _, err := h.state.SaveNode(node); err != nil {
|
2025-05-01 08:05:42 +03:00
|
|
|
return nil, fmt.Errorf("saving auto approved routes to node: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-28 11:15:53 +02:00
|
|
|
if routeChange && changed.Empty() {
|
2025-07-05 23:30:47 +02:00
|
|
|
changed = change.NodeAdded(node.ID())
|
2025-07-28 11:15:53 +02:00
|
|
|
}
|
|
|
|
|
h.Change(changed)
|
|
|
|
|
|
2025-07-05 23:30:47 +02:00
|
|
|
// TODO(kradalby): I think this is covered above, but we need to validate that.
|
|
|
|
|
// // If policy changed due to node registration, send a separate policy change
|
|
|
|
|
// if policyChanged {
|
|
|
|
|
// policyChange := change.PolicyChange()
|
|
|
|
|
// h.Change(policyChange)
|
|
|
|
|
// }
|
|
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
resp := &tailcfg.RegisterResponse{
|
2025-02-01 09:16:51 +00:00
|
|
|
MachineAuthorized: true,
|
|
|
|
|
NodeKeyExpired: node.IsExpired(),
|
2025-10-16 12:17:43 +02:00
|
|
|
User: node.UserView().TailscaleUser(),
|
|
|
|
|
Login: node.UserView().TailscaleLogin(),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Trace().
|
|
|
|
|
Caller().
|
|
|
|
|
Interface("reg.resp", resp).
|
|
|
|
|
Interface("reg.req", req).
|
|
|
|
|
Str("node.name", node.Hostname()).
|
|
|
|
|
Uint64("node.id", node.ID().Uint64()).
|
|
|
|
|
Msg("RegisterResponse")
|
|
|
|
|
|
|
|
|
|
return resp, nil
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
func (h *Headscale) handleRegisterInteractive(
|
2025-10-16 12:17:43 +02:00
|
|
|
req tailcfg.RegisterRequest,
|
2022-08-19 14:20:24 +02:00
|
|
|
machineKey key.MachinePublic,
|
2025-02-01 09:16:51 +00:00
|
|
|
) (*tailcfg.RegisterResponse, error) {
|
|
|
|
|
registrationId, err := types.NewRegistrationID()
|
2022-08-19 14:20:24 +02:00
|
|
|
if err != nil {
|
2025-02-01 09:16:51 +00:00
|
|
|
return nil, fmt.Errorf("generating registration ID: %w", err)
|
|
|
|
|
}
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2025-10-22 13:50:39 +02:00
|
|
|
// Ensure we have a valid hostname
|
|
|
|
|
hostname := util.EnsureHostname(
|
2025-10-16 12:17:43 +02:00
|
|
|
req.Hostinfo,
|
|
|
|
|
machineKey.String(),
|
|
|
|
|
req.NodeKey.String(),
|
|
|
|
|
)
|
|
|
|
|
|
2025-10-22 13:50:39 +02:00
|
|
|
// Ensure we have valid hostinfo
|
|
|
|
|
hostinfo := cmp.Or(req.Hostinfo, &tailcfg.Hostinfo{})
|
2025-10-16 12:17:43 +02:00
|
|
|
if req.Hostinfo == nil {
|
|
|
|
|
log.Warn().
|
|
|
|
|
Str("machine.key", machineKey.ShortString()).
|
|
|
|
|
Str("node.key", req.NodeKey.ShortString()).
|
|
|
|
|
Str("generated.hostname", hostname).
|
|
|
|
|
Msg("Received registration request with nil hostinfo, generated default hostname")
|
|
|
|
|
} else if req.Hostinfo.Hostname == "" {
|
|
|
|
|
log.Warn().
|
|
|
|
|
Str("machine.key", machineKey.ShortString()).
|
|
|
|
|
Str("node.key", req.NodeKey.ShortString()).
|
|
|
|
|
Str("generated.hostname", hostname).
|
|
|
|
|
Msg("Received registration request with empty hostname, generated default")
|
|
|
|
|
}
|
2025-10-22 13:50:39 +02:00
|
|
|
hostinfo.Hostname = hostname
|
2025-10-16 12:17:43 +02:00
|
|
|
|
2025-08-29 15:55:42 +02:00
|
|
|
nodeToRegister := types.NewRegisterNode(
|
|
|
|
|
types.Node{
|
2025-10-16 12:17:43 +02:00
|
|
|
Hostname: hostname,
|
2025-02-01 09:16:51 +00:00
|
|
|
MachineKey: machineKey,
|
2025-10-16 12:17:43 +02:00
|
|
|
NodeKey: req.NodeKey,
|
2025-10-22 13:50:39 +02:00
|
|
|
Hostinfo: hostinfo,
|
2025-02-01 09:16:51 +00:00
|
|
|
LastSeen: ptr.To(time.Now()),
|
|
|
|
|
},
|
2025-08-29 15:55:42 +02:00
|
|
|
)
|
2022-08-19 14:20:24 +02:00
|
|
|
|
2025-10-16 12:17:43 +02:00
|
|
|
if !req.Expiry.IsZero() {
|
|
|
|
|
nodeToRegister.Node.Expiry = &req.Expiry
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|
|
|
|
|
|
2025-05-27 16:27:16 +02:00
|
|
|
h.state.SetRegistrationCacheEntry(
|
2025-02-01 09:16:51 +00:00
|
|
|
registrationId,
|
2025-03-31 15:55:07 +02:00
|
|
|
nodeToRegister,
|
2025-02-01 09:16:51 +00:00
|
|
|
)
|
|
|
|
|
|
2025-08-14 20:29:11 +02:00
|
|
|
log.Info().Msgf("Starting node registration using key: %s", registrationId)
|
2025-07-05 23:30:47 +02:00
|
|
|
|
2025-02-01 09:16:51 +00:00
|
|
|
return &tailcfg.RegisterResponse{
|
|
|
|
|
AuthURL: h.authProvider.AuthURL(registrationId),
|
|
|
|
|
}, nil
|
2022-08-19 14:20:24 +02:00
|
|
|
}
|