From 385dd9cc34cabb0c7c1a2dcdf92c4bd055db1f52 Mon Sep 17 00:00:00 2001 From: Justin Angel Date: Sun, 20 Feb 2022 09:06:14 -0500 Subject: [PATCH] refactoring --- app.go | 49 +++++++++++++++----------------- cmd/headscale/cli/.utils.go.swp | Bin 24576 -> 0 bytes cmd/headscale/cli/utils.go | 17 ++++++++--- config-example.yaml | 2 +- docs/tls.md | 2 +- 5 files changed, 38 insertions(+), 32 deletions(-) delete mode 100644 cmd/headscale/cli/.utils.go.swp diff --git a/app.go b/app.go index 2e112483..2e4fb4bd 100644 --- a/app.go +++ b/app.go @@ -94,7 +94,7 @@ type Config struct { TLSCertPath string TLSKeyPath string - TLSClientAuthMode string + TLSClientAuthMode tls.ClientAuthType ACMEURL string ACMEEmail string @@ -153,6 +153,27 @@ type Headscale struct { requestedExpiryCache *cache.Cache } +// Look up the TLS constant relative to user-supplied TLS client +// authentication mode. If an unknown mode is supplied, the default +// value, tls.RequireAnyClientCert, is returned. The returned boolean +// indicates if the supplied mode was valid. +func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) { + switch mode { + case DisabledClientAuth: + // Client cert is _not_ required. + return tls.NoClientCert, true + case RelaxedClientAuth: + // Client cert required, but _not verified_. + return tls.RequireAnyClientCert, true + case EnforcedClientAuth: + // Client cert is _required and verified_. + return tls.RequireAndVerifyClientCert, true + default: + // Return the default when an unknown value is supplied. + return tls.RequireAnyClientCert, false + } +} + // NewHeadscale returns the Headscale app. func NewHeadscale(cfg Config) (*Headscale, error) { privKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath) @@ -655,17 +676,12 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) { log.Warn().Msg("Listening with TLS but ServerURL does not start with https://") } - clientAuthMode, err := h.GetClientAuthMode() - if err != nil { - return nil, err - } - log.Info().Msg(fmt.Sprintf( "Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.", h.cfg.TLSClientAuthMode)) tlsConfig := &tls.Config{ - ClientAuth: clientAuthMode, + ClientAuth: h.cfg.TLSClientAuthMode, NextProtos: []string{"http/1.1"}, Certificates: make([]tls.Certificate, 1), MinVersion: tls.VersionTLS12, @@ -677,25 +693,6 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) { } } -// Look up the TLS constant relative to user-supplied TLS client -// authentication mode. -func (h *Headscale) GetClientAuthMode() (tls.ClientAuthType, error) { - switch h.cfg.TLSClientAuthMode { - case DisabledClientAuth: - // Client cert is _not_ required. - return tls.NoClientCert, nil - case RelaxedClientAuth: - // Client cert required, but _not verified_. - return tls.RequireAnyClientCert, nil - case EnforcedClientAuth: - // Client cert is _required and verified_. - return tls.RequireAndVerifyClientCert, nil - default: - return tls.NoClientCert, Error("Invalid tls_client_auth_mode provided: " + - h.cfg.TLSClientAuthMode) - } -} - func (h *Headscale) setLastStateChangeToNow(namespace string) { now := time.Now().UTC() lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix())) diff --git a/cmd/headscale/cli/.utils.go.swp b/cmd/headscale/cli/.utils.go.swp deleted file mode 100644 index fbd933abe05eba73d62b6cfcf550855fe57a20f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24576 zcmeI3dyr&TS-=|tLZg@vL5N!A*$#<4o5}6jyqS>b?96O-WM_A>vr8bGO>?LFcF*1I zzPG*i_RP-a1%D6|vI&ailQI&51j;H(R3M59#Y@2wBnb(zBq6>DRgolGSXOELednC} z=;_{_7~>yS^;UkF?t9PkJLi1o`@VB}W$LX9i|R7xf)fAED3y*r^nJH+PE@-6he{>ErEX0I{&g)moB_u$CTtbyRuFF$e9P9clL3@u>{5v7)xL*fw2U}5*SNh zEP=5E#uE7dFM*`@veGSd{5v7)xL*fw2U}5*SNhEP=5E#u6AyU@U>L1jZ8hKahaiER|kIxv!A`0O$Xy z|NpP2mrBpVlkhlv6}|v}0)GG>g?r(Ba2wnN5gY*@cEcI)><^bpkHTl*ci`9H7I+6- z4~O9(ya_IaOW-x|%&SYKC*Xd#3u5r$ZSZDz6L6eadObYOU4<{hpTn(i6`TpLfhT^j zRQfjjA>0qY1n+~l!ZuLw{a2Mre+6HId%%V3;V}Fpl;Nx8QYnF#z<<56RQgZ&92|p7 z;iIo8mEI3e{y?epPw(gQMzw%9`a=9OM;zNGW z^o|`?SE%iLooO~BM4{i7%ZqWlTG{3L9j~d9Q1#p>_7tfmmER7+$Pe0%<5VU{UoOu_ zQPqp02}gfhPNHgsl$A+I&o}eD6Sf@^hEY|2_gjiAYTFem@H^@T(;{iYq<%hqg=BV? zq}r-2rc`c)k(U5O(|^DV2@%OahT%r6SepO0$gWJf1HEYi`G92s?4T(eb??sk{ATwcZVzo{Iau z9?zPNnrSq=Ucyk5y6?r)s_Dn>3S&R1BCq2flMh~i_#33I==x1*GZeNcWl1B_OcizR zxoX6FThz&3rxi$F%A2w?oSVj|S{c5Kk~$Z`IxLX3S5G#2o^m5k z?LKf|>HMi3$_<+8z@FvvXZ9@Z<-3u@aKBGoB5ju`QYa@A$O|mWHm@iYqqVMaqku&` zt=3n)K=orj4|R7njFZ6adS<)}tx|5RGFd2*#bmzB%|u!8SQIXaSRhDP^$@PQ=%Ncz zjgIH2jvpspPlYSVK(|n3^WF)}5jhrMX5YGU1X{KUVyw2hLUN zrYma2Yq)*X2V=^>G<2afBM!SBIp|;PCyD%}@KzKCi3(eVW+$s|LYtd@NGV zqGuYa>N#zPAy$4bkq*Tw>UTWRHr3)pwOVOtvKKn5XS?Z{p6cZnFs@e&O%W!%ESjy$ zN=MXAwBocFREeW?L83fXzBjxu(sD%?XpQ4VNxkPLt2Oy{)Z5TsCRGq7Y9&lo?eZAi z;6|D`Z{>|Qo}_bW(OJ?|fs8J?xR}#6XIVvWl-JzI=sww2PT%dO>M_(_)b-;Sfk@d?;iZ>OjV`{BNmAAj zcP;7%`R!LnO4J+FaE;A?{aJ5M7zQVC-x@uK=P(L_DFedq43F`spyl{S)8;DRH|1;M@hw6dh6@!HAg=# zG#iT}>@qqnZTM0sl4DeIbP^j`Kk7Kxc%){@;5y0%NYJ60P^m^Cl9B;_t;Gk+Ire#LDZ#ZzDb zOih(242!9%lT{MD1bx}tX@uRHY?*P5`79r>nKr*Baii6i7k=O+j@zp7M>b1&)DC+` z+m0X9Hr#Hxbsj!2g?}Smi){c4&{RWNQU(vP3z1EHkYr5l`-b8WjxEF;i zof`0RZHKCGM?KAXr0=qjg5sU^windeVL{4kJ2n+MoT`0RfV z55p(nLvR9agPS3SLvSrz4SQh`X5l=TfGRwOU;jn84?YCg$Fl5Gk9_N#MS&Wa3Qg%lZ=Q~JfOBcJG5CzO^A!nx>dzTG7@RMc# zxOd4#Qooc(1_}5XyC;j{Rq>$mz+KjGo@VAwEANmPJ$X-Q*rMCB-K%5wn9bW+BvLdR zc6&&n8v4z~qMKl~iWeh6mBN!eGHHsE;>-5qa8s#^KCr7-D^iBj#KiT3de`k?;OWp~ z2ZL?j!rZK`kmN)kd3%Tw$#vNLp$;8F@OVYDB!R>dOaxGOz;--#B;n>FB`qO`$nD|t z5CIDNL@TsRB?3&W%y0R`2Xrt&LI?)81+l9`ynV4^F84-p}<3JscoX z8;gmuEH0RzY|w|5FqG)8j+ko42Mf6(5lTYL$F&<;nO2pZ9`UG1Rn&PZadg3x*_<4b z!VRSfRULY&r(75rA39J3uZ_$osF55K-&Bk!XV(0kOgll(vu-f4q$imBi(;|j;Z{YA z`%RQrM@~hARNXT{^T?#uQ`sZbtGlTSOucU%Ys;#Tr+xhJftje?R67yHBT3hy7Ij&i zXE$nV+g}@mig-ft!TAJ?y-M+^nAX}&kQrN_)Tx<~CX61&&P>#nFuI;~ggF;+%P3-B zKk4<8T^(2A-i1+H?h`tWWAj>~*5=aXN(5tx1(kFH z>pxbHNaQ^Wyqnmv(T0r4K!&t;q|Y;yne{N{{8?>sx?9A|g>tLJ5o7C1qg)e)7dq$^AM)4tV zX$I<;L#_#DRs#QWDz_{LcQz08+D{YGJZYV76PpcNf~(q`f-!PtJ?M!oO|W&aU5XA2 zn$^NX(+cMrJnsb?gsbXPEqX>kz?t2%;G{2PIhM<^F3LAeprQGvmE<(#`UH9OBi&~y z4zq*S%o5*bdLe^2-+Sb^tg~amoXqKMRf6{vA=|M&*^%8-1kupjr}qDG`%7oYc`zT+`~45%?>_*) z4%fol;c}?JE8#o%_g{q1!Dm6v_fJ3vcEeThWAHHk{WswKa2T$GbK!gV@qYtff&1WB z;cc)Vu7>mBWgve3WAG?^6Fv@i!F%9#5dVHV{0n~ir{Ndj4%h?R;S6}H%$YoV1bT2S z>;m!6PlwOrcYhjgg(h4F2VoohIGhg8;cMRr>kvZ(3-Ag!4PFY5;AejjZh&h+eD4e3 z%bfRr0X_?#f&1V%{0v+Sj}d?QYj_m?2tEaJC*Z^IA-EUb2^YhU!e4Uc{~K^Sv|t75 za6McN`(Q6@gMVjSABAtipTeDR2xPoR-2o_<7nV%Cb6S~yHvXn8rE}uHuQrk z;p|B+Pndu)>VWUrd40L8-`1r~S*~SH!>G2V<|PwIxNEfUO*+a=gPqd-0gg z2C}8XNxR8aG3l20zD%$&auZBoZ3A0Jp<#~1rFsqK7+hqMPZXwgMbVFDh|?n4lyj&KXRw%@m;~l18KM-Uy=$V%nNjhVjETn_m3M$H|PQK2bc?aAwI0^=&m|*k)AP;9^F- zI7lyK{6-gb>cKPvXd9W!Wmanb614X%VRWcuP(Q0<(+4Z-@ z>Z4_*f~{6up^`jl{!mw(t@+VQGEcq5I^4Vpw_bxoD{$2M%j^FitiG++US4cWLye}F z1!LrzEtBE7W$vC1X4k%NK~EH~tfs1BVd*3}W$*`!8?iKoH?u;Pt+vpCq^7IctdzRW zl~aH5U^6v&1M~3YD+62A#uUX+PgN_i#On5;l2X$(4a>;{KiDJS>h01Y)u6F4t@?ux zL|e$!5R=Y27r4UqfxH$Al&h`zKQWVId4oGL@Ir1A%L{9N<~C)1%~#BdO-&dWg1J7% zHUXFP7O`$^y_L3K#GkirAg48ZJ#Z(SfNP)z+hGDugNN|(KL&Sz+yVG$I1AnYU&qgvvwyj_FL(7X zgeUOnzYQM%Ip04UD)1^O!?*C|e;F|J4L>7IZVUr z;WQ}0bNKdu2Y(AE;28KIzYBPlv3v#|frml-{*S@0fcz#v{C^qmC3w;QrOtrZXL{4j z0&$p2a)=^vNCJxas=12L;Ih6=XI>dAB+HgY{j8l>h}X&5EPQ2~v~fk*glv40hoXiK za%IodA@8iIxG8=&H@AO&d3hjyXZ=3yFyRYJ*wsecE1wWIasWS(Fm4pyp7 zMA@6>yp=u{FJ>jWFl%CZGt0Qu;wGoBiVcv+UmW+jm8{R$Y#@-En3BObO-inIN(*!8 z(%-Z&^s+QdLa8$*_RCAro|&w75<)zx1znUY`3@b{X=H#*6jv0S34ZHvw`dy#qz}m? z=z751x0K+vezuba&5vr9bS>4i6e_bHMT%)`W|J$-Q9z?pH|^6`ob|2AY=dVPH+#;AbXkN; z$C0iv@$4qyFv8e!zg^-&^hpknwIEu3ekW77*4~gqVFKQ(E`cZFON8|K5+>&pjiN(# zP8TCa^mxQo13eld40@Tbm*PQ9m6;@yQ>L7pu5%W~(Gxxe^4okoPN?wIGp~3!D0g_Z z?I|-~k8alw76KRbvc}1`o!X+`?1j*RJiQ**ti8zX)C2A|)cq`1JzXP4fmXImsH*40 z6E+}(KtuYpKAHW9p&KG}G)4o5#k?bp!XI*M4f-|c+;v|u6hRL@uXH52?b{F&cO`B(d{nN{iBu3}qHa}@h23hpQ z_RIG|2Xd<-zuPn|M-38`*Vmvbg=_!C-wJ3+=GjdjjO#JfszMRcDu!TYc5&XGkqo7F z8(mL+wPrdXDd)K?)EOaJozjz+w%E+?;s<_d;8xei51@>+aiR3@`9_pB@;3syo8;yI zQ#Poqnd3fRL>+2+kp*=EyUvK=6rc#?h$ z{O%x4uYdVwq^jFBteJ;?@sRywA?--99rAL{XELU}8EWbt{Zla!+R!L(uF4#wnbsk& zLOr|fPuZSFSM%Qm=~18C*~8u(k*~SJjvo{Bmf@M($uH07#ZVJTC2!JH5-}K^O5UWY z