headscale/machine.go

1228 lines
31 KiB
Go
Raw Normal View History

2020-06-21 12:32:08 +02:00
package headscale
import (
2022-01-16 14:16:59 +01:00
"database/sql/driver"
"errors"
2020-06-21 12:32:08 +02:00
"fmt"
2022-09-02 00:04:31 +02:00
"net/netip"
"sort"
2021-02-22 23:27:33 +01:00
"strconv"
"strings"
2020-06-21 12:32:08 +02:00
"time"
2021-11-13 08:39:04 +00:00
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
2021-08-05 18:11:26 +01:00
"github.com/rs/zerolog/log"
"google.golang.org/protobuf/types/known/timestamppb"
"gorm.io/gorm"
2020-06-21 12:32:08 +02:00
"tailscale.com/tailcfg"
"tailscale.com/types/key"
2020-06-21 12:32:08 +02:00
)
2021-11-15 19:18:14 +00:00
const (
2022-07-29 17:35:21 +02:00
ErrMachineNotFound = Error("machine not found")
ErrMachineRouteIsNotAvailable = Error("route is not available on machine")
ErrMachineAddressesInvalid = Error("failed to parse machine addresses")
ErrMachineNotFoundRegistrationCache = Error(
"machine not found in registration cache",
)
2022-07-29 17:35:21 +02:00
ErrCouldNotConvertMachineInterface = Error("failed to convert machine interface")
ErrHostnameTooLong = Error("Hostname too long")
ErrDifferentRegisteredUser = Error(
"machine was previously registered with a different user",
)
MachineGivenNameHashLength = 8
MachineGivenNameTrimSize = 2
)
const (
maxHostnameLength = 255
2021-11-15 19:18:14 +00:00
)
2021-11-13 08:39:04 +00:00
// Machine is a Headscale client.
2020-06-21 12:32:08 +02:00
type Machine struct {
ID uint64 `gorm:"primary_key"`
MachineKey string `gorm:"type:varchar(64);unique_index"`
NodeKey string
DiscoKey string
2022-01-16 14:16:59 +01:00
IPAddresses MachineAddresses
// Hostname represents the name given by the Tailscale
// client during registration
Hostname string
// Givenname represents either:
// a DNS normalized version of Hostname
// a valid name set by the User
//
// GivenName is the name used in all DNS related
// parts of headscale.
GivenName string `gorm:"type:varchar(63);unique_index"`
UserID uint
User User `gorm:"foreignKey:UserID"`
2020-06-21 12:32:08 +02:00
RegisterMethod string
ForcedTags StringList
// TODO(kradalby): This seems like irrelevant information?
AuthKeyID uint
AuthKey *PreAuthKey
LastSeen *time.Time
LastSuccessfulUpdate *time.Time
Expiry *time.Time
2020-06-21 12:32:08 +02:00
HostInfo HostInfo
Endpoints StringList
2020-06-21 12:32:08 +02:00
CreatedAt time.Time
UpdatedAt time.Time
DeletedAt *time.Time
}
type (
Machines []Machine
MachinesP []*Machine
)
2022-09-02 00:04:31 +02:00
type MachineAddresses []netip.Addr
2022-01-16 14:16:59 +01:00
func (ma MachineAddresses) ToStringSlice() []string {
strSlice := make([]string, 0, len(ma))
for _, addr := range ma {
strSlice = append(strSlice, addr.String())
}
return strSlice
}
func (ma *MachineAddresses) Scan(destination interface{}) error {
switch value := destination.(type) {
case string:
addresses := strings.Split(value, ",")
*ma = (*ma)[:0]
for _, addr := range addresses {
if len(addr) < 1 {
continue
}
2022-09-02 00:04:31 +02:00
parsed, err := netip.ParseAddr(addr)
2022-01-16 14:16:59 +01:00
if err != nil {
return err
}
*ma = append(*ma, parsed)
}
return nil
default:
2022-07-29 17:35:21 +02:00
return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
2022-01-16 14:16:59 +01:00
}
}
// Value return json value, implement driver.Valuer interface.
func (ma MachineAddresses) Value() (driver.Value, error) {
addresses := strings.Join(ma.ToStringSlice(), ",")
return addresses, nil
}
2021-11-13 08:39:04 +00:00
// isExpired returns whether the machine registration has expired.
func (machine Machine) isExpired() bool {
// If Expiry is not set, the client has not indicated that
// it wants an expiry time, it is therefor considered
// to mean "not expired"
2022-03-02 07:15:20 +00:00
if machine.Expiry == nil || machine.Expiry.IsZero() {
return false
2021-10-10 17:22:42 +08:00
}
return time.Now().UTC().After(*machine.Expiry)
2021-10-10 17:22:42 +08:00
}
// isOnline returns if the machine is connected to Headscale.
// This is really a naive implementation, as we don't really see
// if there is a working connection between the client and the server.
func (machine *Machine) isOnline() bool {
if machine.LastSeen == nil {
return false
}
2022-12-18 11:57:45 +00:00
if machine.isExpired() {
return false
}
return machine.LastSeen.After(time.Now().Add(-keepAliveInterval))
}
2022-12-27 11:30:59 +00:00
// isEphemeral returns if the machine is registered as an Ephemeral node.
// https://tailscale.com/kb/1111/ephemeral-nodes/
func (machine *Machine) isEphemeral() bool {
return machine.AuthKey != nil && machine.AuthKey.Ephemeral
}
func containsAddresses(inputs []string, addrs []string) bool {
for _, addr := range addrs {
if containsStr(inputs, addr) {
return true
}
}
return false
}
2022-02-21 10:02:59 +01:00
// matchSourceAndDestinationWithRule.
2022-02-21 16:06:20 +01:00
func matchSourceAndDestinationWithRule(
ruleSources []string,
ruleDestinations []string,
source []string,
destination []string,
) bool {
return containsAddresses(ruleSources, source) &&
containsAddresses(ruleDestinations, destination)
}
// getFilteredByACLPeerss should return the list of peers authorized to be accessed from machine.
2022-02-21 16:06:20 +01:00
func getFilteredByACLPeers(
machines []Machine,
rules []tailcfg.FilterRule,
machine *Machine,
) Machines {
log.Trace().
Caller().
Str("machine", machine.Hostname).
Msg("Finding peers filtered by ACLs")
peers := make(map[uint64]Machine)
// Aclfilter peers here. We are itering through machines in all users and search through the computed aclRules
// for match between rule SrcIPs and DstPorts. If the rule is a match we allow the machine to be viewable.
machineIPs := machine.IPAddresses.ToStringSlice()
for _, peer := range machines {
if peer.ID == machine.ID {
continue
}
for _, rule := range rules {
var dst []string
for _, d := range rule.DstPorts {
dst = append(dst, d.IP)
}
peerIPs := peer.IPAddresses.ToStringSlice()
2022-02-21 16:06:20 +01:00
if matchSourceAndDestinationWithRule(
rule.SrcIPs,
dst,
machineIPs,
peerIPs,
2022-02-21 16:06:20 +01:00
) || // match source and destination
matchSourceAndDestinationWithRule(
rule.SrcIPs,
dst,
peerIPs,
machineIPs,
) || // match return path
2022-02-21 21:45:15 +01:00
matchSourceAndDestinationWithRule(
rule.SrcIPs,
dst,
machineIPs,
2022-02-21 21:45:15 +01:00
[]string{"*"},
) || // match source and all destination
matchSourceAndDestinationWithRule(
rule.SrcIPs,
dst,
[]string{"*"},
[]string{"*"},
) || // match source and all destination
matchSourceAndDestinationWithRule(
rule.SrcIPs,
dst,
[]string{"*"},
peerIPs,
) || // match source and all destination
matchSourceAndDestinationWithRule(
rule.SrcIPs,
dst,
[]string{"*"},
machineIPs,
) { // match all sources and source
peers[peer.ID] = peer
}
}
}
authorizedPeers := make([]Machine, 0, len(peers))
for _, m := range peers {
authorizedPeers = append(authorizedPeers, m)
}
2022-02-14 15:54:51 +01:00
sort.Slice(
authorizedPeers,
func(i, j int) bool { return authorizedPeers[i].ID < authorizedPeers[j].ID },
2022-02-14 15:54:51 +01:00
)
log.Trace().
Caller().
Str("machine", machine.Hostname).
Msgf("Found some machines: %v", machines)
2022-02-21 10:02:59 +01:00
return authorizedPeers
}
2022-02-25 10:26:34 +01:00
func (h *Headscale) ListPeers(machine *Machine) (Machines, error) {
log.Trace().
Caller().
Str("machine", machine.Hostname).
Msg("Finding direct peers")
machines := Machines{}
if err := h.db.Preload("AuthKey").Preload("AuthKey.User").Preload("User").Where("node_key <> ?",
2022-08-16 17:51:43 +02:00
machine.NodeKey).Find(&machines).Error; err != nil {
log.Error().Err(err).Msg("Error accessing db")
2021-11-14 16:46:09 +01:00
return Machines{}, err
2020-06-21 12:32:08 +02:00
}
sort.Slice(machines, func(i, j int) bool { return machines[i].ID < machines[j].ID })
2020-06-21 12:32:08 +02:00
log.Trace().
Caller().
Str("machine", machine.Hostname).
2022-02-25 10:26:34 +01:00
Msgf("Found peers: %s", machines.String())
2021-11-14 16:46:09 +01:00
return machines, nil
2020-06-21 12:32:08 +02:00
}
func (h *Headscale) getPeers(machine *Machine) (Machines, error) {
var peers Machines
var err error
// If ACLs rules are defined, filter visible host list with the ACLs
// else use the classic user scope
if h.aclPolicy != nil {
var machines []Machine
2022-02-25 10:26:34 +01:00
machines, err = h.ListMachines()
if err != nil {
log.Error().Err(err).Msg("Error retrieving list of machines")
2021-11-14 16:46:09 +01:00
return Machines{}, err
}
2022-02-21 10:02:59 +01:00
peers = getFilteredByACLPeers(machines, h.aclRules, machine)
} else {
2022-02-25 10:26:34 +01:00
peers, err = h.ListPeers(machine)
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Cannot fetch peers")
return Machines{}, err
}
}
sort.Slice(peers, func(i, j int) bool { return peers[i].ID < peers[j].ID })
log.Trace().
Caller().
Str("machine", machine.Hostname).
Msgf("Found total peers: %s", peers.String())
return peers, nil
2020-06-21 12:32:08 +02:00
}
2021-03-14 11:38:42 +01:00
func (h *Headscale) getValidPeers(machine *Machine) (Machines, error) {
validPeers := make(Machines, 0)
peers, err := h.getPeers(machine)
if err != nil {
return Machines{}, err
}
for _, peer := range peers {
if !peer.isExpired() {
validPeers = append(validPeers, peer)
}
}
return validPeers, nil
}
func (h *Headscale) ListMachines() ([]Machine, error) {
machines := []Machine{}
if err := h.db.Preload("AuthKey").Preload("AuthKey.User").Preload("User").Find(&machines).Error; err != nil {
return nil, err
}
2021-11-14 16:46:09 +01:00
return machines, nil
}
func (h *Headscale) ListMachinesByGivenName(givenName string) ([]Machine, error) {
machines := []Machine{}
2023-01-19 09:25:48 +08:00
if err := h.db.Preload("AuthKey").Preload("AuthKey.User").Preload("User").Where("given_name = ?", givenName).Find(&machines).Error; err != nil {
return nil, err
}
return machines, nil
}
// GetMachine finds a Machine by name and user and returns the Machine struct.
func (h *Headscale) GetMachine(user string, name string) (*Machine, error) {
machines, err := h.ListMachinesByUser(user)
2021-03-14 11:38:42 +01:00
if err != nil {
return nil, err
}
for _, m := range machines {
if m.Hostname == name {
2021-03-14 11:38:42 +01:00
return &m, nil
}
}
2021-11-14 16:46:09 +01:00
2022-07-29 17:35:21 +02:00
return nil, ErrMachineNotFound
2021-03-14 11:38:42 +01:00
}
// GetMachineByGivenName finds a Machine by given name and user and returns the Machine struct.
func (h *Headscale) GetMachineByGivenName(user string, givenName string) (*Machine, error) {
machines, err := h.ListMachinesByUser(user)
if err != nil {
return nil, err
}
for _, m := range machines {
if m.GivenName == givenName {
return &m, nil
}
}
return nil, ErrMachineNotFound
}
2021-11-13 08:39:04 +00:00
// GetMachineByID finds a Machine by ID and returns the Machine struct.
2021-07-17 00:14:22 +02:00
func (h *Headscale) GetMachineByID(id uint64) (*Machine, error) {
m := Machine{}
if result := h.db.Preload("AuthKey").Preload("User").Find(&Machine{ID: id}).First(&m); result.Error != nil {
2021-07-17 00:14:22 +02:00
return nil, result.Error
}
2021-11-14 16:46:09 +01:00
2021-07-17 00:14:22 +02:00
return &m, nil
}
2022-08-10 13:15:31 +02:00
// GetMachineByMachineKey finds a Machine by its MachineKey and returns the Machine struct.
func (h *Headscale) GetMachineByMachineKey(
machineKey key.MachinePublic,
) (*Machine, error) {
m := Machine{}
if result := h.db.Preload("AuthKey").Preload("User").First(&m, "machine_key = ?", MachinePublicKeyStripPrefix(machineKey)); result.Error != nil {
return nil, result.Error
}
2021-11-14 16:46:09 +01:00
return &m, nil
}
2022-08-10 16:03:33 +02:00
// GetMachineByNodeKey finds a Machine by its current NodeKey.
2022-08-10 13:15:31 +02:00
func (h *Headscale) GetMachineByNodeKey(
nodeKey key.NodePublic,
) (*Machine, error) {
machine := Machine{}
if result := h.db.Preload("AuthKey").Preload("User").First(&machine, "node_key = ?",
2022-08-10 13:15:31 +02:00
NodePublicKeyStripPrefix(nodeKey)); result.Error != nil {
return nil, result.Error
}
return &machine, nil
}
// GetMachineByAnyNodeKey finds a Machine by its MachineKey, its current NodeKey or the old one, and returns the Machine struct.
func (h *Headscale) GetMachineByAnyKey(
machineKey key.MachinePublic, nodeKey key.NodePublic, oldNodeKey key.NodePublic,
) (*Machine, error) {
machine := Machine{}
if result := h.db.Preload("AuthKey").Preload("User").First(&machine, "machine_key = ? OR node_key = ? OR node_key = ?",
MachinePublicKeyStripPrefix(machineKey),
NodePublicKeyStripPrefix(nodeKey),
NodePublicKeyStripPrefix(oldNodeKey)); result.Error != nil {
return nil, result.Error
}
return &machine, nil
}
// UpdateMachineFromDatabase takes a Machine struct pointer (typically already loaded from database
2021-08-23 07:35:44 +01:00
// and updates it with the latest data from the database.
func (h *Headscale) UpdateMachineFromDatabase(machine *Machine) error {
if result := h.db.Find(machine).First(&machine); result.Error != nil {
return result.Error
}
2021-11-14 16:46:09 +01:00
return nil
}
// SetTags takes a Machine struct pointer and update the forced tags.
func (h *Headscale) SetTags(machine *Machine, tags []string) error {
newTags := []string{}
for _, tag := range tags {
if !contains(newTags, tag) {
newTags = append(newTags, tag)
}
}
machine.ForcedTags = newTags
if err := h.UpdateACLRules(); err != nil && !errors.Is(err, errEmptyPolicy) {
return err
}
2022-08-16 13:39:15 +02:00
h.setLastStateChangeToNow()
2022-05-30 15:31:06 +02:00
if err := h.db.Save(machine).Error; err != nil {
return fmt.Errorf("failed to update tags for machine in the database: %w", err)
}
return nil
}
2021-11-21 13:40:19 +00:00
// ExpireMachine takes a Machine struct and sets the expire field to now.
2022-05-30 15:31:06 +02:00
func (h *Headscale) ExpireMachine(machine *Machine) error {
2021-11-21 13:40:19 +00:00
now := time.Now()
machine.Expiry = &now
2022-08-16 13:39:15 +02:00
h.setLastStateChangeToNow()
2022-05-30 15:31:06 +02:00
if err := h.db.Save(machine).Error; err != nil {
return fmt.Errorf("failed to expire machine in the database: %w", err)
}
return nil
2021-11-21 13:40:19 +00:00
}
2022-04-24 21:10:50 +01:00
// RenameMachine takes a Machine struct and a new GivenName for the machines
// and renames it.
func (h *Headscale) RenameMachine(machine *Machine, newName string) error {
err := CheckForFQDNRules(
newName,
)
if err != nil {
log.Error().
Caller().
Str("func", "RenameMachine").
Str("machine", machine.Hostname).
Str("newName", newName).
Err(err)
return err
}
machine.GivenName = newName
2022-03-13 21:03:20 +00:00
2022-08-16 13:39:15 +02:00
h.setLastStateChangeToNow()
2022-03-13 21:03:20 +00:00
2022-05-31 11:03:08 +02:00
if err := h.db.Save(machine).Error; err != nil {
return fmt.Errorf("failed to rename machine in the database: %w", err)
}
return nil
2022-03-13 21:03:20 +00:00
}
// RefreshMachine takes a Machine struct and sets the expire field to now.
2022-05-31 11:03:08 +02:00
func (h *Headscale) RefreshMachine(machine *Machine, expiry time.Time) error {
now := time.Now()
machine.LastSuccessfulUpdate = &now
machine.Expiry = &expiry
2022-08-16 13:39:15 +02:00
h.setLastStateChangeToNow()
2022-05-30 15:31:06 +02:00
if err := h.db.Save(machine).Error; err != nil {
2022-05-31 11:03:08 +02:00
return fmt.Errorf(
"failed to refresh machine (update expiration) in the database: %w",
err,
)
2022-05-30 15:31:06 +02:00
}
return nil
}
2021-11-13 08:39:04 +00:00
// DeleteMachine softs deletes a Machine from the database.
func (h *Headscale) DeleteMachine(machine *Machine) error {
if err := h.db.Delete(&machine).Error; err != nil {
2021-07-17 00:14:22 +02:00
return err
}
2022-02-12 21:04:00 +00:00
return nil
2021-07-17 00:14:22 +02:00
}
func (h *Headscale) TouchMachine(machine *Machine) error {
return h.db.Updates(Machine{
ID: machine.ID,
LastSeen: machine.LastSeen,
LastSuccessfulUpdate: machine.LastSuccessfulUpdate,
}).Error
}
2021-11-13 08:39:04 +00:00
// HardDeleteMachine hard deletes a Machine from the database.
func (h *Headscale) HardDeleteMachine(machine *Machine) error {
if err := h.db.Unscoped().Delete(&machine).Error; err != nil {
2021-07-17 00:14:22 +02:00
return err
}
2022-02-12 21:04:00 +00:00
return nil
2021-07-17 00:14:22 +02:00
}
2021-11-13 08:39:04 +00:00
// GetHostInfo returns a Hostinfo struct for the machine.
func (machine *Machine) GetHostInfo() tailcfg.Hostinfo {
return tailcfg.Hostinfo(machine.HostInfo)
2021-03-14 11:38:42 +01:00
}
func (h *Headscale) isOutdated(machine *Machine) bool {
if err := h.UpdateMachineFromDatabase(machine); err != nil {
2021-10-07 15:45:45 +01:00
// It does not seem meaningful to propagate this error as the end result
// will have to be that the machine has to be considered outdated.
return true
}
// Get the last update from all headscale users to compare with our nodes
// last update.
// TODO(kradalby): Only request updates from users where we can talk to nodes
// This would mostly be for a bit of performance, and can be calculated based on
// ACLs.
lastChange := h.getLastStateChange()
lastUpdate := machine.CreatedAt
if machine.LastSuccessfulUpdate != nil {
lastUpdate = *machine.LastSuccessfulUpdate
}
log.Trace().
Caller().
Str("machine", machine.Hostname).
Time("last_successful_update", lastChange).
Time("last_state_change", lastUpdate).
Msgf("Checking if %s is missing updates", machine.Hostname)
2021-11-14 16:46:09 +01:00
return lastUpdate.Before(lastChange)
}
func (machine Machine) String() string {
return machine.Hostname
}
func (machines Machines) String() string {
temp := make([]string, len(machines))
for index, machine := range machines {
temp[index] = machine.Hostname
}
return fmt.Sprintf("[ %s ](%d)", strings.Join(temp, ", "), len(temp))
}
// TODO(kradalby): Remove when we have generics...
func (machines MachinesP) String() string {
temp := make([]string, len(machines))
for index, machine := range machines {
temp[index] = machine.Hostname
}
return fmt.Sprintf("[ %s ](%d)", strings.Join(temp, ", "), len(temp))
}
func (h *Headscale) toNodes(
machines Machines,
2021-10-30 15:33:01 +00:00
baseDomain string,
dnsConfig *tailcfg.DNSConfig,
) ([]*tailcfg.Node, error) {
nodes := make([]*tailcfg.Node, len(machines))
for index, machine := range machines {
node, err := h.toNode(machine, baseDomain, dnsConfig)
if err != nil {
return nil, err
}
nodes[index] = node
}
return nodes, nil
}
// toNode converts a Machine into a Tailscale Node. includeRoutes is false for shared nodes
2021-11-13 08:39:04 +00:00
// as per the expected behaviour in the official SaaS.
func (h *Headscale) toNode(
machine Machine,
2021-11-13 08:36:45 +00:00
baseDomain string,
dnsConfig *tailcfg.DNSConfig,
) (*tailcfg.Node, error) {
var nodeKey key.NodePublic
err := nodeKey.UnmarshalText([]byte(NodePublicKeyEnsurePrefix(machine.NodeKey)))
2020-06-21 12:32:08 +02:00
if err != nil {
log.Trace().
Caller().
Str("node_key", machine.NodeKey).
Msgf("Failed to parse node public key from hex")
return nil, fmt.Errorf("failed to parse node public key: %w", err)
2020-06-21 12:32:08 +02:00
}
var machineKey key.MachinePublic
// MachineKey is only used in the legacy protocol
2022-08-14 21:07:29 +02:00
if machine.MachineKey != "" {
err = machineKey.UnmarshalText(
[]byte(MachinePublicKeyEnsurePrefix(machine.MachineKey)),
)
if err != nil {
return nil, fmt.Errorf("failed to parse machine public key: %w", err)
}
2020-06-21 12:32:08 +02:00
}
var discoKey key.DiscoPublic
if machine.DiscoKey != "" {
err := discoKey.UnmarshalText(
[]byte(DiscoPublicKeyEnsurePrefix(machine.DiscoKey)),
)
if err != nil {
return nil, fmt.Errorf("failed to parse disco public key: %w", err)
}
} else {
discoKey = key.DiscoPublic{}
}
2022-09-02 00:04:31 +02:00
addrs := []netip.Prefix{}
2022-01-16 14:16:59 +01:00
for _, machineAddress := range machine.IPAddresses {
2022-09-02 00:04:31 +02:00
ip := netip.PrefixFrom(machineAddress, machineAddress.BitLen())
2022-01-16 14:16:59 +01:00
addrs = append(addrs, ip)
2020-06-21 12:32:08 +02:00
}
2021-03-14 11:38:42 +01:00
2022-02-12 21:04:00 +00:00
allowedIPs := append(
2022-09-02 00:04:31 +02:00
[]netip.Prefix{},
2022-02-12 21:04:00 +00:00
addrs...) // we append the node own IP, as it is required by the clients
2021-03-14 11:38:42 +01:00
primaryRoutes, err := h.getMachinePrimaryRoutes(&machine)
if err != nil {
return nil, err
2020-06-21 12:32:08 +02:00
}
primaryPrefixes := Routes(primaryRoutes).toPrefixes()
2020-06-21 12:32:08 +02:00
machineRoutes, err := h.GetMachineRoutes(&machine)
if err != nil {
return nil, err
}
for _, route := range machineRoutes {
if route.Enabled && (route.IsPrimary || route.isExitRoute()) {
allowedIPs = append(allowedIPs, netip.Prefix(route.Prefix))
}
}
2021-02-24 23:45:27 +01:00
var derp string
if machine.HostInfo.NetInfo != nil {
derp = fmt.Sprintf("127.3.3.40:%d", machine.HostInfo.NetInfo.PreferredDERP)
2021-02-24 23:45:27 +01:00
} else {
derp = "127.3.3.40:0" // Zero means disconnected or unknown.
}
2021-09-02 16:59:03 +02:00
var keyExpiry time.Time
if machine.Expiry != nil {
keyExpiry = *machine.Expiry
2021-09-02 16:59:03 +02:00
} else {
keyExpiry = time.Time{}
}
2021-10-04 23:49:16 +02:00
var hostname string
if dnsConfig != nil && dnsConfig.Proxied { // MagicDNS
hostname = fmt.Sprintf(
"%s.%s.%s",
machine.GivenName,
machine.User.Name,
baseDomain,
)
if len(hostname) > maxHostnameLength {
return nil, fmt.Errorf(
"hostname %q is too long it cannot except 255 ASCII chars: %w",
hostname,
2022-07-29 17:35:21 +02:00
ErrHostnameTooLong,
)
}
2021-10-04 23:49:16 +02:00
} else {
hostname = machine.GivenName
2021-10-04 23:49:16 +02:00
}
hostInfo := machine.GetHostInfo()
online := machine.isOnline()
2021-11-15 16:15:50 +00:00
node := tailcfg.Node{
ID: tailcfg.NodeID(machine.ID), // this is the actual ID
2021-10-30 15:33:01 +00:00
StableID: tailcfg.StableNodeID(
strconv.FormatUint(machine.ID, Base10),
2021-10-30 15:33:01 +00:00
), // in headscale, unlike tailcontrol server, IDs are permanent
Name: hostname,
User: tailcfg.UserID(machine.UserID),
Key: nodeKey,
KeyExpiry: keyExpiry,
Machine: machineKey,
DiscoKey: discoKey,
Addresses: addrs,
AllowedIPs: allowedIPs,
PrimaryRoutes: primaryPrefixes,
Endpoints: machine.Endpoints,
DERP: derp,
2020-06-21 12:32:08 +02:00
Online: &online,
Hostinfo: hostInfo.View(),
Created: machine.CreatedAt,
LastSeen: machine.LastSeen,
2020-06-21 12:32:08 +02:00
KeepAlive: true,
MachineAuthorized: !machine.isExpired(),
Capabilities: []string{
tailcfg.CapabilityFileSharing,
tailcfg.CapabilityAdmin,
tailcfg.CapabilitySSH,
},
2020-06-21 12:32:08 +02:00
}
2021-11-14 16:46:09 +01:00
2021-11-15 16:15:50 +00:00
return &node, nil
2020-06-21 12:32:08 +02:00
}
func (machine *Machine) toProto() *v1.Machine {
machineProto := &v1.Machine{
Id: machine.ID,
MachineKey: machine.MachineKey,
2022-01-16 14:16:59 +01:00
NodeKey: machine.NodeKey,
DiscoKey: machine.DiscoKey,
IpAddresses: machine.IPAddresses.ToStringSlice(),
Name: machine.Hostname,
GivenName: machine.GivenName,
User: machine.User.toProto(),
2022-04-15 18:27:57 +02:00
ForcedTags: machine.ForcedTags,
Online: machine.isOnline(),
// TODO(kradalby): Implement register method enum converter
// RegisterMethod: ,
CreatedAt: timestamppb.New(machine.CreatedAt),
}
if machine.AuthKey != nil {
machineProto.PreAuthKey = machine.AuthKey.toProto()
}
if machine.LastSeen != nil {
machineProto.LastSeen = timestamppb.New(*machine.LastSeen)
}
if machine.LastSuccessfulUpdate != nil {
machineProto.LastSuccessfulUpdate = timestamppb.New(
*machine.LastSuccessfulUpdate,
)
}
if machine.Expiry != nil {
machineProto.Expiry = timestamppb.New(*machine.Expiry)
}
return machineProto
}
2022-04-21 23:49:21 +02:00
// getTags will return the tags of the current machine.
// Invalid tags are tags added by a user on a node, and that user doesn't have authority to add this tag.
// Valid tags are tags added by a user that is allowed in the ACL policy to add this tag.
2022-04-16 13:15:04 +02:00
func getTags(
aclPolicy *ACLPolicy,
2022-04-16 13:15:04 +02:00
machine Machine,
stripEmailDomain bool,
2022-05-16 14:59:46 +02:00
) ([]string, []string) {
validTags := make([]string, 0)
invalidTags := make([]string, 0)
if aclPolicy == nil {
2022-05-16 14:59:46 +02:00
return validTags, invalidTags
}
validTagMap := make(map[string]bool)
invalidTagMap := make(map[string]bool)
for _, tag := range machine.HostInfo.RequestTags {
owners, err := expandTagOwners(*aclPolicy, tag, stripEmailDomain)
if errors.Is(err, errInvalidTag) {
2022-04-16 13:15:04 +02:00
invalidTagMap[tag] = true
2022-04-25 22:27:44 +02:00
2022-04-25 22:07:44 +02:00
continue
}
var found bool
for _, owner := range owners {
if machine.User.Name == owner {
found = true
}
}
if found {
validTagMap[tag] = true
} else {
invalidTagMap[tag] = true
}
}
for tag := range invalidTagMap {
invalidTags = append(invalidTags, tag)
}
for tag := range validTagMap {
validTags = append(validTags, tag)
}
2022-04-21 23:49:21 +02:00
return validTags, invalidTags
}
func (h *Headscale) RegisterMachineFromAuthCallback(
2022-08-10 13:15:31 +02:00
nodeKeyStr string,
userName string,
machineExpiry *time.Time,
registrationMethod string,
) (*Machine, error) {
2022-11-05 16:07:22 +08:00
nodeKey := key.NodePublic{}
err := nodeKey.UnmarshalText([]byte(nodeKeyStr))
if err != nil {
return nil, err
}
log.Debug().
Str("nodeKey", nodeKey.ShortString()).
Str("userName", userName).
Str("registrationMethod", registrationMethod).
Str("expiresAt", fmt.Sprintf("%v", machineExpiry)).
Msg("Registering machine from API/CLI or auth callback")
2022-11-05 16:07:22 +08:00
if machineInterface, ok := h.registrationCache.Get(NodePublicKeyStripPrefix(nodeKey)); ok {
if registrationMachine, ok := machineInterface.(Machine); ok {
user, err := h.GetUser(userName)
if err != nil {
return nil, fmt.Errorf(
"failed to find user in register machine from auth callback, %w",
err,
)
}
// Registration of expired machine with different user
if registrationMachine.ID != 0 &&
registrationMachine.UserID != user.ID {
return nil, ErrDifferentRegisteredUser
}
registrationMachine.UserID = user.ID
registrationMachine.RegisterMethod = registrationMethod
if machineExpiry != nil {
registrationMachine.Expiry = machineExpiry
}
machine, err := h.RegisterMachine(
registrationMachine,
)
if err == nil {
h.registrationCache.Delete(nodeKeyStr)
}
return machine, err
} else {
2022-07-29 17:35:21 +02:00
return nil, ErrCouldNotConvertMachineInterface
}
}
2022-07-29 17:35:21 +02:00
return nil, ErrMachineNotFoundRegistrationCache
}
2021-11-13 08:39:04 +00:00
// RegisterMachine is executed from the CLI to register a new Machine using its MachineKey.
func (h *Headscale) RegisterMachine(machine Machine,
) (*Machine, error) {
log.Debug().
Str("machine", machine.Hostname).
Str("machine_key", machine.MachineKey).
Str("node_key", machine.NodeKey).
Str("user", machine.User.Name).
Msg("Registering machine")
// If the machine exists and we had already IPs for it, we just save it
// so we store the machine.Expire and machine.Nodekey that has been set when
// adding it to the registrationCache
if len(machine.IPAddresses) > 0 {
if err := h.db.Save(&machine).Error; err != nil {
return nil, fmt.Errorf("failed register existing machine in the database: %w", err)
}
log.Trace().
Caller().
Str("machine", machine.Hostname).
Str("machine_key", machine.MachineKey).
Str("node_key", machine.NodeKey).
Str("user", machine.User.Name).
Msg("Machine authorized again")
return &machine, nil
}
h.ipAllocationMutex.Lock()
defer h.ipAllocationMutex.Unlock()
2022-01-16 14:16:59 +01:00
ips, err := h.getAvailableIPs()
if err != nil {
log.Error().
Caller().
Err(err).
Str("machine", machine.Hostname).
Msg("Could not find IP for the new machine")
2021-11-14 16:46:09 +01:00
return nil, err
}
2022-01-16 14:16:59 +01:00
machine.IPAddresses = ips
2022-05-31 10:05:00 +02:00
if err := h.db.Save(&machine).Error; err != nil {
2022-05-30 15:31:06 +02:00
return nil, fmt.Errorf("failed register(save) machine in the database: %w", err)
}
log.Trace().
Caller().
Str("machine", machine.Hostname).
2022-01-16 14:16:59 +01:00
Str("ip", strings.Join(ips.ToStringSlice(), ",")).
Msg("Machine registered with the database")
return &machine, nil
}
// GetAdvertisedRoutes returns the routes that are be advertised by the given machine.
func (h *Headscale) GetAdvertisedRoutes(machine *Machine) ([]netip.Prefix, error) {
routes := []Route{}
err := h.db.
Preload("Machine").
Where("machine_id = ? AND advertised = ?", machine.ID, true).Find(&routes).Error
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
log.Error().
Caller().
Err(err).
Str("machine", machine.Hostname).
Msg("Could not get advertised routes for machine")
return nil, err
}
prefixes := []netip.Prefix{}
for _, route := range routes {
prefixes = append(prefixes, netip.Prefix(route.Prefix))
}
return prefixes, nil
}
// GetEnabledRoutes returns the routes that are enabled for the machine.
func (h *Headscale) GetEnabledRoutes(machine *Machine) ([]netip.Prefix, error) {
routes := []Route{}
err := h.db.
Preload("Machine").
Where("machine_id = ? AND advertised = ? AND enabled = ?", machine.ID, true, true).
Find(&routes).Error
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
log.Error().
Caller().
Err(err).
Str("machine", machine.Hostname).
Msg("Could not get enabled routes for machine")
return nil, err
}
prefixes := []netip.Prefix{}
for _, route := range routes {
prefixes = append(prefixes, netip.Prefix(route.Prefix))
}
return prefixes, nil
}
func (h *Headscale) IsRoutesEnabled(machine *Machine, routeStr string) bool {
2022-09-02 00:04:31 +02:00
route, err := netip.ParsePrefix(routeStr)
if err != nil {
return false
}
enabledRoutes, err := h.GetEnabledRoutes(machine)
if err != nil {
log.Error().Err(err).Msg("Could not get enabled routes")
return false
}
for _, enabledRoute := range enabledRoutes {
if route == enabledRoute {
return true
}
}
2021-11-14 16:46:09 +01:00
return false
}
// EnableRoutes enables new routes based on a list of new routes.
func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
2022-09-02 00:04:31 +02:00
newRoutes := make([]netip.Prefix, len(routeStrs))
for index, routeStr := range routeStrs {
2022-09-02 00:04:31 +02:00
route, err := netip.ParsePrefix(routeStr)
if err != nil {
return err
}
newRoutes[index] = route
}
advertisedRoutes, err := h.GetAdvertisedRoutes(machine)
if err != nil {
return err
}
for _, newRoute := range newRoutes {
if !contains(advertisedRoutes, newRoute) {
2021-11-13 08:36:45 +00:00
return fmt.Errorf(
2021-11-15 19:18:14 +00:00
"route (%s) is not available on node %s: %w",
machine.Hostname,
2022-07-29 17:35:21 +02:00
newRoute, ErrMachineRouteIsNotAvailable,
2021-11-13 08:36:45 +00:00
)
}
}
// Separate loop so we don't leave things in a half-updated state
for _, prefix := range newRoutes {
route := Route{}
err := h.db.Preload("Machine").
Where("machine_id = ? AND prefix = ?", machine.ID, IPPrefix(prefix)).
First(&route).Error
if err == nil {
route.Enabled = true
2022-05-30 15:31:06 +02:00
// Mark already as primary if there is only this node offering this subnet
// (and is not an exit route)
if !route.isExitRoute() {
route.IsPrimary = h.isUniquePrefix(route)
}
err = h.db.Save(&route).Error
if err != nil {
return fmt.Errorf("failed to enable route: %w", err)
}
} else {
return fmt.Errorf("failed to find route: %w", err)
}
2022-05-30 15:31:06 +02:00
}
h.setLastStateChangeToNow()
2022-12-20 21:03:15 +00:00
return nil
}
// EnableAutoApprovedRoutes enables any routes advertised by a machine that match the ACL autoApprovers policy.
func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
if len(machine.IPAddresses) == 0 {
return nil // This machine has no IPAddresses, so can't possibly match any autoApprovers ACLs
}
routes := []Route{}
err := h.db.
Preload("Machine").
Where("machine_id = ? AND advertised = true AND enabled = false", machine.ID).Find(&routes).Error
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
log.Error().
Caller().
Err(err).
Str("machine", machine.Hostname).
Msg("Could not get advertised routes for machine")
return err
}
approvedRoutes := []Route{}
for _, advertisedRoute := range routes {
routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(netip.Prefix(advertisedRoute.Prefix))
if err != nil {
log.Err(err).
Str("advertisedRoute", advertisedRoute.String()).
Uint64("machineId", machine.ID).
Msg("Failed to resolve autoApprovers for advertised route")
2022-09-07 21:39:56 +10:00
return err
}
for _, approvedAlias := range routeApprovers {
if approvedAlias == machine.User.Name {
2022-08-24 22:09:06 +10:00
approvedRoutes = append(approvedRoutes, advertisedRoute)
} else {
approvedIps, err := expandAlias([]Machine{*machine}, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
2022-08-24 22:09:06 +10:00
if err != nil {
log.Err(err).
Str("alias", approvedAlias).
Msg("Failed to expand alias when processing autoApprovers policy")
2022-09-07 21:39:56 +10:00
return err
2022-08-24 22:09:06 +10:00
}
// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
if contains(approvedIps, machine.IPAddresses[0].String()) {
approvedRoutes = append(approvedRoutes, advertisedRoute)
}
}
}
}
for i, approvedRoute := range approvedRoutes {
approvedRoutes[i].Enabled = true
err = h.db.Save(&approvedRoutes[i]).Error
if err != nil {
log.Err(err).
Str("approvedRoute", approvedRoute.String()).
Uint64("machineId", machine.ID).
Msg("Failed to enable approved route")
return err
}
}
return nil
}
func (h *Headscale) generateGivenName(suppliedName string, randomSuffix bool) (string, error) {
normalizedHostname, err := NormalizeToFQDNRules(
suppliedName,
h.cfg.OIDC.StripEmaildomain,
)
if err != nil {
return "", err
}
if randomSuffix {
// Trim if a hostname will be longer than 63 chars after adding the hash.
trimmedHostnameLength := labelHostnameLength - MachineGivenNameHashLength - MachineGivenNameTrimSize
if len(normalizedHostname) > trimmedHostnameLength {
normalizedHostname = normalizedHostname[:trimmedHostnameLength]
}
suffix, err := GenerateRandomStringDNSSafe(MachineGivenNameHashLength)
if err != nil {
return "", err
}
normalizedHostname += "-" + suffix
}
return normalizedHostname, nil
}
func (h *Headscale) GenerateGivenName(machineKey string, suppliedName string) (string, error) {
givenName, err := h.generateGivenName(suppliedName, false)
if err != nil {
return "", err
}
// Tailscale rules (may differ) https://tailscale.com/kb/1098/machine-names/
machines, err := h.ListMachinesByGivenName(givenName)
if err != nil {
return "", err
}
for _, machine := range machines {
if machine.MachineKey != machineKey && machine.GivenName == givenName {
postfixedName, err := h.generateGivenName(suppliedName, true)
if err != nil {
return "", err
}
givenName = postfixedName
}
}
return givenName, nil
}