tailscale/ipn/ipnauth/policy.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package ipnauth

import (
	"errors"
	"fmt"

	"tailscale.com/client/tailscale/apitype"
	"tailscale.com/ipn"
	"tailscale.com/util/syspolicy"
)

type actorWithPolicyChecks struct{ Actor }

// WithPolicyChecks returns an [Actor] that wraps the given actor and
// performs additional policy checks on top of the access checks
// implemented by the wrapped actor.
func WithPolicyChecks(actor Actor) Actor {
	// TODO(nickkhyl): We should probably exclude the Windows Local System
	// account from policy checks as well.
	switch actor.(type) {
	case unrestricted:
		return actor
	default:
		return &actorWithPolicyChecks{Actor: actor}
	}
}

// CheckProfileAccess implements [Actor].
func (a actorWithPolicyChecks) CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ProfileAccess, auditLogger AuditLogFunc) error {
	if err := a.Actor.CheckProfileAccess(profile, requestedAccess, auditLogger); err != nil {
		return err
	}
	requestReason := apitype.RequestReasonKey.Value(a.Context())
	return CheckDisconnectPolicy(a.Actor, profile, requestReason, auditLogger)
}

// CheckDisconnectPolicy checks if the policy allows the specified actor to disconnect
// Tailscale with the given optional reason. It returns nil if the operation is allowed,
// or an error if it is not. If auditLogger is non-nil, it is called to log the action
// when required by the policy.
//
// Note: this function only checks the policy and does not check whether the actor has
// the necessary access rights to the device or profile. It is intended to be used by
// [Actor] implementations on platforms where [syspolicy] is supported.
//
// TODO(nickkhyl): unexport it when we move [ipn.Actor] implementations from [ipnserver]
// and corp to this package.
func CheckDisconnectPolicy(actor Actor, profile ipn.LoginProfileView, reason string, auditLogger AuditLogFunc) error {
	if alwaysOn, _ := syspolicy.GetBoolean(syspolicy.AlwaysOn, false); !alwaysOn {
		return nil
	}
	if allowWithReason, _ := syspolicy.GetBoolean(syspolicy.AlwaysOnOverrideWithReason, false); !allowWithReason {
		return errors.New("disconnect not allowed: always-on mode is enabled")
	}
	if reason == "" {
		return errors.New("disconnect not allowed: reason required")
	}
	if auditLogger != nil {
		var details string
		if username, _ := actor.Username(); username != "" { // best-effort; we don't have it on all platforms
			details = fmt.Sprintf("%q is being disconnected by %q: %v", profile.Name(), username, reason)
		} else {
			details = fmt.Sprintf("%q is being disconnected: %v", profile.Name(), reason)
		}
		// TODO(nickkhyl,barnstar): use a const for DISCONNECT_NODE.
		auditLogger("DISCONNECT_NODE", details)
	}
	return nil
}
ipn/{ipnauth,ipnlocal,ipnserver}: move the AlwaysOn policy check from ipnserver to ipnauth In this PR, we move the code that checks the AlwaysOn policy from ipnserver.actor to ipnauth. It is intended to be used by ipnauth.Actor implementations, and we temporarily make it exported while these implementations reside in ipnserver and in corp. We'll unexport it later. We also update [ipnauth.Actor.CheckProfileAccess] to accept an auditLogger, which is called to write details about the action to the audit log when required by the policy, and update LocalBackend.EditPrefsAs to use an auditLogger that writes to the regular backend log. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-04 14:20:06 -06:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`

			`package ipnauth`

			`import (`
			`"errors"`
			`"fmt"`

ipn/ipn{auth,server}: update ipnauth.Actor to carry a context The context carries additional information about the actor, such as the request reason, and is canceled when the actor is done. Additionally, we implement three new ipn.Actor types that wrap other actors to modify their behavior: - WithRequestReason, which adds a request reason to the actor; - WithoutClose, which narrows the actor's interface to prevent it from being closed; - WithPolicyChecks, which adds policy checks to the actor's CheckProfileAccess method. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-07 10:47:14 -06:00			`"tailscale.com/client/tailscale/apitype"`
ipn/{ipnauth,ipnlocal,ipnserver}: move the AlwaysOn policy check from ipnserver to ipnauth In this PR, we move the code that checks the AlwaysOn policy from ipnserver.actor to ipnauth. It is intended to be used by ipnauth.Actor implementations, and we temporarily make it exported while these implementations reside in ipnserver and in corp. We'll unexport it later. We also update [ipnauth.Actor.CheckProfileAccess] to accept an auditLogger, which is called to write details about the action to the audit log when required by the policy, and update LocalBackend.EditPrefsAs to use an auditLogger that writes to the regular backend log. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-04 14:20:06 -06:00			`"tailscale.com/ipn"`
			`"tailscale.com/util/syspolicy"`
			`)`

ipn/ipn{auth,server}: update ipnauth.Actor to carry a context The context carries additional information about the actor, such as the request reason, and is canceled when the actor is done. Additionally, we implement three new ipn.Actor types that wrap other actors to modify their behavior: - WithRequestReason, which adds a request reason to the actor; - WithoutClose, which narrows the actor's interface to prevent it from being closed; - WithPolicyChecks, which adds policy checks to the actor's CheckProfileAccess method. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-07 10:47:14 -06:00			`type actorWithPolicyChecks struct{ Actor }`

			`// WithPolicyChecks returns an [Actor] that wraps the given actor and`
			`// performs additional policy checks on top of the access checks`
			`// implemented by the wrapped actor.`
			`func WithPolicyChecks(actor Actor) Actor {`
			`// TODO(nickkhyl): We should probably exclude the Windows Local System`
			`// account from policy checks as well.`
			`switch actor.(type) {`
			`case unrestricted:`
			`return actor`
			`default:`
			`return &actorWithPolicyChecks{Actor: actor}`
			`}`
			`}`

			`// CheckProfileAccess implements [Actor].`
			`func (a actorWithPolicyChecks) CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ProfileAccess, auditLogger AuditLogFunc) error {`
			`if err := a.Actor.CheckProfileAccess(profile, requestedAccess, auditLogger); err != nil {`
			`return err`
			`}`
			`requestReason := apitype.RequestReasonKey.Value(a.Context())`
			`return CheckDisconnectPolicy(a.Actor, profile, requestReason, auditLogger)`
			`}`

ipn/{ipnauth,ipnlocal,ipnserver}: move the AlwaysOn policy check from ipnserver to ipnauth In this PR, we move the code that checks the AlwaysOn policy from ipnserver.actor to ipnauth. It is intended to be used by ipnauth.Actor implementations, and we temporarily make it exported while these implementations reside in ipnserver and in corp. We'll unexport it later. We also update [ipnauth.Actor.CheckProfileAccess] to accept an auditLogger, which is called to write details about the action to the audit log when required by the policy, and update LocalBackend.EditPrefsAs to use an auditLogger that writes to the regular backend log. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-04 14:20:06 -06:00			`// CheckDisconnectPolicy checks if the policy allows the specified actor to disconnect`
			`// Tailscale with the given optional reason. It returns nil if the operation is allowed,`
			`// or an error if it is not. If auditLogger is non-nil, it is called to log the action`
			`// when required by the policy.`
			`//`
			`// Note: this function only checks the policy and does not check whether the actor has`
			`// the necessary access rights to the device or profile. It is intended to be used by`
			`// [Actor] implementations on platforms where [syspolicy] is supported.`
			`//`
			`// TODO(nickkhyl): unexport it when we move [ipn.Actor] implementations from [ipnserver]`
			`// and corp to this package.`
			`func CheckDisconnectPolicy(actor Actor, profile ipn.LoginProfileView, reason string, auditLogger AuditLogFunc) error {`
			`if alwaysOn, _ := syspolicy.GetBoolean(syspolicy.AlwaysOn, false); !alwaysOn {`
			`return nil`
			`}`
			`if allowWithReason, _ := syspolicy.GetBoolean(syspolicy.AlwaysOnOverrideWithReason, false); !allowWithReason {`
			`return errors.New("disconnect not allowed: always-on mode is enabled")`
			`}`
			`if reason == "" {`
			`return errors.New("disconnect not allowed: reason required")`
			`}`
			`if auditLogger != nil {`
			`var details string`
			`if username, _ := actor.Username(); username != "" { // best-effort; we don't have it on all platforms`
			`details = fmt.Sprintf("%q is being disconnected by %q: %v", profile.Name(), username, reason)`
			`} else {`
			`details = fmt.Sprintf("%q is being disconnected: %v", profile.Name(), reason)`
			`}`
			`// TODO(nickkhyl,barnstar): use a const for DISCONNECT_NODE.`
			`auditLogger("DISCONNECT_NODE", details)`
			`}`
			`return nil`
			`}`