Merge pull request #829 from kradalby/oidc-dependency

This commit is contained in:
Kristoffer Dalby 2022-09-26 11:49:53 +02:00 committed by GitHub
commit 5f975cbb50
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 23 additions and 11 deletions


@ -17,6 +17,7 @@
- Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653) - Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
- Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767) - Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
- Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763) - Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
- Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
## 0.16.4 (2022-08-21) ## 0.16.4 (2022-08-21)

4
app.go

@ -192,8 +192,10 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
if cfg.OIDC.Issuer != "" { if cfg.OIDC.Issuer != "" {
err = app.initOIDC() err = app.initOIDC()
if err != nil { if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable {
return nil, err return nil, err
} else {
log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
} }
} }
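Review bot: The `else` branch on the new line `if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable` also runs when initOIDC succeeded, so every clean start with an issuer configured logs "failed to set up OIDC provider, falling back to CLI based authentication" with a nil error, which trains operators to ignore the one line that signals the real degraded state. Nest the flag check inside the error check and drop the else after the return. When the fallback does fire, h.oauth2Config presumably stays nil and the registration handlers keyed on it hand out the CLI registration URL for the rest of the process lifetime; as far as this diff shows there is no retry, so this warning is the only trace an operator gets. NewHeadscale's body starts and ends outside the hunk.
```go
	if cfg.OIDC.Issuer != "" {
		err = app.initOIDC()
		if err != nil {
			if cfg.OIDC.OnlyStartIfOIDCIsAvailable {
				return nil, err
			}
			log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
		}
	}
```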


@ -230,6 +230,7 @@ unix_socket_permission: "0770"
# help us test it. # help us test it.
# OpenID Connect # OpenID Connect
# oidc: # oidc:
# only_start_if_oidc_is_available: true
# issuer: "https://your-oidc.issuer.com/path" # issuer: "https://your-oidc.issuer.com/path"
# client_id: "your-oidc-client-id" # client_id: "your-oidc-client-id"
# client_secret: "your-oidc-client-secret" # client_secret: "your-oidc-client-secret"


@ -90,14 +90,15 @@ type LetsEncryptConfig struct {
} }
type OIDCConfig struct { type OIDCConfig struct {
Issuer string OnlyStartIfOIDCIsAvailable bool
ClientID string Issuer string
ClientSecret string ClientID string
Scope []string ClientSecret string
ExtraParams map[string]string Scope []string
AllowedDomains []string ExtraParams map[string]string
AllowedUsers []string AllowedDomains []string
StripEmaildomain bool AllowedUsers []string
StripEmaildomain bool
} }
type DERPConfig struct { type DERPConfig struct {
@ -174,6 +175,7 @@ func LoadConfig(path string, isFile bool) error {
viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"}) viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
viper.SetDefault("oidc.strip_email_domain", true) viper.SetDefault("oidc.strip_email_domain", true)
viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
viper.SetDefault("logtail.enabled", false) viper.SetDefault("logtail.enabled", false)
viper.SetDefault("randomize_client_port", false) viper.SetDefault("randomize_client_port", false)
@ -559,6 +561,9 @@ func GetHeadscaleConfig() (*Config, error) {
UnixSocketPermission: GetFileMode("unix_socket_permission"), UnixSocketPermission: GetFileMode("unix_socket_permission"),
OIDC: OIDCConfig{ OIDC: OIDCConfig{
OnlyStartIfOIDCIsAvailable: viper.GetBool(
"oidc.only_start_if_oidc_is_available",
),
Issuer: viper.GetString("oidc.issuer"), Issuer: viper.GetString("oidc.issuer"),
ClientID: viper.GetString("oidc.client_id"), ClientID: viper.GetString("oidc.client_id"),
ClientSecret: viper.GetString("oidc.client_secret"), ClientSecret: viper.GetString("oidc.client_secret"),
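Review bot: `OnlyStartIfOIDCIsAvailable` is added to OIDCConfig without a doc comment, and nothing in the diff tells an operator what a false value trades away. Add `// OnlyStartIfOIDCIsAvailable makes startup fail when the OIDC provider cannot be initialised; when false the server starts with OIDC disabled and node registration falls back to the CLI flow.` above the field, and the same one-line explanation above the commented `only_start_if_oidc_is_available` key in config-example.yaml. The default of true set in LoadConfig keeps the previous fail-fast behaviour, which is the right default for an identity-provider dependency and is worth stating in the CHANGELOG entry. The struct and both functions extend beyond the hunks shown.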


@ -35,6 +35,7 @@ logtail:
enabled: false enabled: false
metrics_listen_addr: 127.0.0.1:19090 metrics_listen_addr: 127.0.0.1:19090
oidc: oidc:
only_start_if_oidc_is_available: true
scope: scope:
- openid - openid
- profile - profile


@ -34,6 +34,7 @@ logtail:
enabled: false enabled: false
metrics_listen_addr: 127.0.0.1:19090 metrics_listen_addr: 127.0.0.1:19090
oidc: oidc:
only_start_if_oidc_is_available: true
scope: scope:
- openid - openid
- profile - profile


@ -35,6 +35,7 @@ logtail:
enabled: false enabled: false
metrics_listen_addr: 127.0.0.1:9090 metrics_listen_addr: 127.0.0.1:9090
oidc: oidc:
only_start_if_oidc_is_available: true
scope: scope:
- openid - openid
- profile - profile


@ -483,7 +483,7 @@ func (h *Headscale) handleNewMachineCommon(
Bool("noise", machineKey.IsZero()). Bool("noise", machineKey.IsZero()).
Str("machine", registerRequest.Hostinfo.Hostname). Str("machine", registerRequest.Hostinfo.Hostname).
Msg("The node seems to be new, sending auth url") Msg("The node seems to be new, sending auth url")
if h.cfg.OIDC.Issuer != "" { if h.oauth2Config != nil {
resp.AuthURL = fmt.Sprintf( resp.AuthURL = fmt.Sprintf(
"%s/oidc/register/%s", "%s/oidc/register/%s",
strings.TrimSuffix(h.cfg.ServerURL, "/"), strings.TrimSuffix(h.cfg.ServerURL, "/"),
@ -716,7 +716,7 @@ func (h *Headscale) handleMachineExpiredCommon(
return return
} }
if h.cfg.OIDC.Issuer != "" { if h.oauth2Config != nil {
resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s", resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
strings.TrimSuffix(h.cfg.ServerURL, "/"), strings.TrimSuffix(h.cfg.ServerURL, "/"),
NodePublicKeyStripPrefix(registerRequest.NodeKey)) NodePublicKeyStripPrefix(registerRequest.NodeKey))
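Review bot: Gating on `h.oauth2Config != nil` instead of `h.cfg.OIDC.Issuer != ""` is the right check now that startup can succeed without a provider, but in handleNewMachineCommon (and the identical switch in handleMachineExpiredCommon) the fallback path becomes indistinguishable from an installation that never configured OIDC. Consider logging when the issuer is set but the provider is absent, e.g. `if h.cfg.OIDC.Issuer != "" && h.oauth2Config == nil { log.Warn().Str("machine", registerRequest.Hostinfo.Hostname).Msg("OIDC issuer configured but provider unavailable, sending CLI registration URL") }`, so a provider outage that outlives the single startup warning remains visible in the logs. Both function bodies continue outside the hunks; whether oauth2Config is written only during NewHeadscale cannot be confirmed from this diff, and if it can be set later the nil check would need synchronisation.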