From 8dcc82ceb38123ac417c79da734e9fd7654d4695 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 26 Sep 2022 09:51:23 +0200
Subject: [PATCH 1/6] Use oidc if it initialised, not if it is configured

OIDC might be configured, but unable to be initialised, this only runs the oidc cycle if it is actually successfully set up/initialised. Prep for next commit

Signed-off-by: Kristoffer Dalby
---
 protocol_common.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/protocol_common.go b/protocol_common.go
index b4c6223c..465279aa 100644
--- a/protocol_common.go
+++ b/protocol_common.go
@@ -483,7 +483,7 @@ func (h *Headscale) handleNewMachineCommon(
 Bool("noise", machineKey.IsZero()).
 Str("machine", registerRequest.Hostinfo.Hostname).
 Msg("The node seems to be new, sending auth url")
-if h.cfg.OIDC.Issuer != "" {
+if h.oauth2Config != nil {
 resp.AuthURL = fmt.Sprintf(
 "%s/oidc/register/%s",
 strings.TrimSuffix(h.cfg.ServerURL, "/"),
@@ -716,7 +716,7 @@ func (h *Headscale) handleMachineExpiredCommon(
 return
 }
 
-if h.cfg.OIDC.Issuer != "" {
+if h.oauth2Config != nil {
 resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
 strings.TrimSuffix(h.cfg.ServerURL, "/"),
 NodePublicKeyStripPrefix(registerRequest.NodeKey))
From dbe58e53e4af65a23c5f54b3f9de37957f4ba5ee Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 26 Sep 2022 09:52:32 +0200
Subject: [PATCH 2/6] Allow headscale to start if oidc setup fails.

This commit makes headscale fall back to CLI authentication if oidc fails to initialised and posts a warning to users.

Signed-off-by: Kristoffer Dalby
---
 app.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app.go b/app.go
index 59101be3..3a4e9a25 100644
--- a/app.go
+++ b/app.go
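Review bot: Both hunks now use `h.oauth2Config != nil` as the signal that OIDC is usable, so the new behaviour depends on initOIDC assigning that field only after the provider was successfully created; initOIDC is not part of this patch, so that is worth confirming, because a field assigned before a failing provider lookup would still send new nodes to an `/oidc/register/` URL that cannot complete. The intent is not visible at either call site; a comment such as `// oauth2Config is only set once initOIDC succeeded; without it new nodes are left to CLI registration` on the first `if` would make it explicit. The same condition is changed in handleMachineExpiredCommon in the second hunk, and both enclosing functions continue outside their hunks.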
@@ -193,7 +193,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 if cfg.OIDC.Issuer != "" {
 err = app.initOIDC()
 if err != nil {
-return nil, err
+log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
 }
 }
 
From fb25a06a662c1f11235f9a7f669a4a237b1873be Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 26 Sep 2022 09:57:28 +0200
Subject: [PATCH 3/6] Preserve current behaviour with a config flag

Add a configuration flag (default true to preserve current behaviour) to allow headscale to start without OIDC being able to initialise.

Signed-off-by: Kristoffer Dalby
---
 app.go | 4 +++-
 config.go | 21 +++++++++++++--------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/app.go b/app.go
index 3a4e9a25..a40d8894 100644
--- a/app.go
+++ b/app.go
@@ -192,7 +192,9 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 
 if cfg.OIDC.Issuer != "" {
 err = app.initOIDC()
-if err != nil {
+if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable {
+return nil, err
+} else {
 log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
 }
 }
diff --git a/config.go b/config.go
index b000c566..494356d8 100644
--- a/config.go
+++ b/config.go
@@ -90,14 +90,15 @@ type LetsEncryptConfig struct {
 }
 
 type OIDCConfig struct {
-Issuer string
-ClientID string
-ClientSecret string
-Scope []string
-ExtraParams map[string]string
-AllowedDomains []string
-AllowedUsers []string
-StripEmaildomain bool
+OnlyStartIfOIDCIsAvailable bool
+Issuer string
+ClientID string
+ClientSecret string
+Scope []string
+ExtraParams map[string]string
+AllowedDomains []string
+AllowedUsers []string
+StripEmaildomain bool
 }
 
 type DERPConfig struct {
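Review bot: In the app.go hunk of PATCH 3/6, `if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable { return nil, err } else { ... }` takes the else branch whenever `err == nil`, so every successful start with an OIDC issuer configured logs "failed to set up OIDC provider, falling back to CLI based authentication" with no error attached, and an operator reading the logs would wrongly conclude OIDC is not active. Nesting the flag check inside the `err != nil` branch keeps the warning for the real fallback only and also removes the `else` after `return`. NewHeadscale continues outside the hunk.
```go
		err = app.initOIDC()
		if err != nil {
			// The flag decides whether an unreachable or misconfigured
			// provider is fatal or only degrades to CLI registration.
			if cfg.OIDC.OnlyStartIfOIDCIsAvailable {
				return nil, err
			}
			log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
		}
```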
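Review bot: `OnlyStartIfOIDCIsAvailable` is added to OIDCConfig in the config.go hunk of PATCH 3/6 without a comment, and the name alone does not say what happens when it is false; since the app.go hunk of the same patch uses it to decide whether NewHeadscale returns the initOIDC error or logs a warning and continues with CLI authentication, a comment such as `// OnlyStartIfOIDCIsAvailable makes startup fail when the OIDC provider cannot be initialised; when false headscale logs a warning and falls back to CLI authentication.` above the field would document that. The default of true is set with viper.SetDefault in the LoadConfig hunk of this patch, which is worth mentioning in the same comment so readers know the fail-closed behaviour is the default.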
@@ -174,6 +175,7 @@ func LoadConfig(path string, isFile bool) error {
 
 viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
 viper.SetDefault("oidc.strip_email_domain", true)
+viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
 
 viper.SetDefault("logtail.enabled", false)
 viper.SetDefault("randomize_client_port", false)
@@ -559,6 +561,9 @@ func GetHeadscaleConfig() (*Config, error) {
 UnixSocketPermission: GetFileMode("unix_socket_permission"),
 
 OIDC: OIDCConfig{
+OnlyStartIfOIDCIsAvailable: viper.GetBool(
+"oidc.only_start_if_oidc_is_available",
+),
 Issuer: viper.GetString("oidc.issuer"),
 ClientID: viper.GetString("oidc.client_id"),
 ClientSecret: viper.GetString("oidc.client_secret"),
From 6b4d53315bc54b1225feb4d8c15e9df6ae6a1dae Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 26 Sep 2022 10:01:01 +0200
Subject: [PATCH 4/6] Update changelog

Signed-off-by: Kristoffer Dalby
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78c5c133..d5080aaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@
 - Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
 - Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
 - Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
+- Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
 
 ## 0.16.4 (2022-08-21)
 
From 256b6cb54dab6509b44eb7ebd237fe89d6276689 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 26 Sep 2022 10:01:15 +0200
Subject: [PATCH 5/6] Add new option to config-example

Signed-off-by: Kristoffer Dalby
---
 config-example.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config-example.yaml b/config-example.yaml
index 69672b24..72397c78 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -230,6 +230,7 @@ unix_socket_permission: "0770"
 # help us test it.
 # OpenID Connect
 # oidc:
+# only_start_if_oidc_is_available: true
 # issuer: "https://your-oidc.issuer.com/path"
 # client_id: "your-oidc-client-id"
 # client_secret: "your-oidc-client-secret"
From 24629895c787d98bc0601130eb21b736d0d2be3e Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 26 Sep 2022 10:14:46 +0200
Subject: [PATCH 6/6] Add new config option to cli integration tests

Signed-off-by: Kristoffer Dalby
---
 integration_test/etc/alt-config.dump.gold.yaml | 1 +
 integration_test/etc/alt-env-config.dump.gold.yaml | 1 +
 integration_test/etc/config.dump.gold.yaml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/integration_test/etc/alt-config.dump.gold.yaml b/integration_test/etc/alt-config.dump.gold.yaml
index c9bd39b0..9df870fa 100644
--- a/integration_test/etc/alt-config.dump.gold.yaml
+++ b/integration_test/etc/alt-config.dump.gold.yaml
@@ -35,6 +35,7 @@ logtail:
 enabled: false
 metrics_listen_addr: 127.0.0.1:19090
 oidc:
+only_start_if_oidc_is_available: true
 scope:
 - openid
 - profile
diff --git a/integration_test/etc/alt-env-config.dump.gold.yaml b/integration_test/etc/alt-env-config.dump.gold.yaml
index 4df4bf44..2fa8ef44 100644
--- a/integration_test/etc/alt-env-config.dump.gold.yaml
+++ b/integration_test/etc/alt-env-config.dump.gold.yaml
@@ -34,6 +34,7 @@ logtail:
 enabled: false
 metrics_listen_addr: 127.0.0.1:19090
 oidc:
+only_start_if_oidc_is_available: true
 scope:
 - openid
 - profile
diff --git a/integration_test/etc/config.dump.gold.yaml b/integration_test/etc/config.dump.gold.yaml
index 158a1954..7bdd2c3e 100644
--- a/integration_test/etc/config.dump.gold.yaml
+++ b/integration_test/etc/config.dump.gold.yaml
@@ -35,6 +35,7 @@ logtail:
 enabled: false
 metrics_listen_addr: 127.0.0.1:9090
 oidc:
+only_start_if_oidc_is_available: true
 scope:
 - openid
 - profile
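Review bot: In the config-example.yaml hunk of PATCH 5/6, `only_start_if_oidc_is_available: true` is added to the commented-out oidc block with no explanation of what it controls, while the context shows the block is preceded by explanatory comment text; an operator copying the block cannot tell whether true or false is the conservative choice. A comment line directly above it such as `# If true, headscale refuses to start when the OIDC provider cannot be initialised; if false it logs a warning and falls back to CLI based authentication` would document the default that PATCH 3/6 sets in LoadConfig.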