tailscale/ipn/ipnauth/test_actor.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package ipnauth

import (
	"cmp"
	"context"
	"errors"

	"tailscale.com/ipn"
)

var _ Actor = (*TestActor)(nil)

// TestActor is an [Actor] used exclusively for testing purposes.
type TestActor struct {
	UID         ipn.WindowsUserID // OS-specific UID of the user, if the actor represents a local Windows user
	Name        string            // username associated with the actor, or ""
	NameErr     error             // error to be returned by [TestActor.Username]
	CID         ClientID          // non-zero if the actor represents a connected LocalAPI client
	Ctx         context.Context   // context associated with the actor
	LocalSystem bool              // whether the actor represents the special Local System account on Windows
	LocalAdmin  bool              // whether the actor has local admin access
}

// UserID implements [Actor].
func (a *TestActor) UserID() ipn.WindowsUserID { return a.UID }

// Username implements [Actor].
func (a *TestActor) Username() (string, error) { return a.Name, a.NameErr }

// ClientID implements [Actor].
func (a *TestActor) ClientID() (_ ClientID, ok bool) { return a.CID, a.CID != NoClientID }

// Context implements [Actor].
func (a *TestActor) Context() context.Context { return cmp.Or(a.Ctx, context.Background()) }

// CheckProfileAccess implements [Actor].
func (a *TestActor) CheckProfileAccess(profile ipn.LoginProfileView, _ ProfileAccess, _ AuditLogFunc) error {
	return errors.New("profile access denied")
}

// IsLocalSystem implements [Actor].
func (a *TestActor) IsLocalSystem() bool { return a.LocalSystem }

// IsLocalAdmin implements [Actor].
func (a *TestActor) IsLocalAdmin(operatorUID string) bool { return a.LocalAdmin }
ipn/{ipnauth,ipnlocal,ipnserver}: send the auth URL to the user who started interactive login We add the ClientID() method to the ipnauth.Actor interface and updated ipnserver.actor to implement it. This method returns a unique ID of the connected client if the actor represents one. It helps link a series of interactions initiated by the client, such as when a notification needs to be sent back to a specific session, rather than all active sessions, in response to a certain request. We also add LocalBackend.WatchNotificationsAs and LocalBackend.StartLoginInteractiveAs methods, which are like WatchNotifications and StartLoginInteractive but accept an additional parameter specifying an ipnauth.Actor who initiates the operation. We store these actor identities in watchSession.owner and LocalBackend.authActor, respectively,and implement LocalBackend.sendTo and related helper methods to enable sending notifications to watchSessions associated with actors (or, more broadly, identifiable recipients). We then use the above to change who receives the BrowseToURL notifications: - For user-initiated, interactive logins, the notification is delivered only to the user who initiated the process. If the initiating actor represents a specific connected client, the URL notification is sent back to the same LocalAPI client that called StartLoginInteractive. Otherwise, the notification is sent to all clients connected as that user. Currently, we only differentiate between users on Windows, as it is inherently a multi-user OS. - In all other cases (e.g., node key expiration), we send the notification to all connected users. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2024-10-13 11:36:46 -05:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`

			`package ipnauth`

			`import (`
ipn/ipn{auth,server}: update ipnauth.Actor to carry a context The context carries additional information about the actor, such as the request reason, and is canceled when the actor is done. Additionally, we implement three new ipn.Actor types that wrap other actors to modify their behavior: - WithRequestReason, which adds a request reason to the actor; - WithoutClose, which narrows the actor's interface to prevent it from being closed; - WithPolicyChecks, which adds policy checks to the actor's CheckProfileAccess method. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-07 10:47:14 -06:00			`"cmp"`
			`"context"`
ipn/{ipnauth, ipnserver}: extend the ipnauth.Actor interface with a CheckProfileAccess method The implementations define it to verify whether the actor has the requested access to a login profile. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-01-29 15:34:20 -06:00			`"errors"`

ipn/{ipnauth,ipnlocal,ipnserver}: send the auth URL to the user who started interactive login We add the ClientID() method to the ipnauth.Actor interface and updated ipnserver.actor to implement it. This method returns a unique ID of the connected client if the actor represents one. It helps link a series of interactions initiated by the client, such as when a notification needs to be sent back to a specific session, rather than all active sessions, in response to a certain request. We also add LocalBackend.WatchNotificationsAs and LocalBackend.StartLoginInteractiveAs methods, which are like WatchNotifications and StartLoginInteractive but accept an additional parameter specifying an ipnauth.Actor who initiates the operation. We store these actor identities in watchSession.owner and LocalBackend.authActor, respectively,and implement LocalBackend.sendTo and related helper methods to enable sending notifications to watchSessions associated with actors (or, more broadly, identifiable recipients). We then use the above to change who receives the BrowseToURL notifications: - For user-initiated, interactive logins, the notification is delivered only to the user who initiated the process. If the initiating actor represents a specific connected client, the URL notification is sent back to the same LocalAPI client that called StartLoginInteractive. Otherwise, the notification is sent to all clients connected as that user. Currently, we only differentiate between users on Windows, as it is inherently a multi-user OS. - In all other cases (e.g., node key expiration), we send the notification to all connected users. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2024-10-13 11:36:46 -05:00			`"tailscale.com/ipn"`
			`)`

			`var _ Actor = (*TestActor)(nil)`

			`// TestActor is an [Actor] used exclusively for testing purposes.`
			`type TestActor struct {`
			`UID ipn.WindowsUserID // OS-specific UID of the user, if the actor represents a local Windows user`
			`Name string // username associated with the actor, or ""`
			`NameErr error // error to be returned by [TestActor.Username]`
			`CID ClientID // non-zero if the actor represents a connected LocalAPI client`
ipn/ipn{auth,server}: update ipnauth.Actor to carry a context The context carries additional information about the actor, such as the request reason, and is canceled when the actor is done. Additionally, we implement three new ipn.Actor types that wrap other actors to modify their behavior: - WithRequestReason, which adds a request reason to the actor; - WithoutClose, which narrows the actor's interface to prevent it from being closed; - WithPolicyChecks, which adds policy checks to the actor's CheckProfileAccess method. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-07 10:47:14 -06:00			`Ctx context.Context // context associated with the actor`
ipn/{ipnauth,ipnlocal,ipnserver}: send the auth URL to the user who started interactive login We add the ClientID() method to the ipnauth.Actor interface and updated ipnserver.actor to implement it. This method returns a unique ID of the connected client if the actor represents one. It helps link a series of interactions initiated by the client, such as when a notification needs to be sent back to a specific session, rather than all active sessions, in response to a certain request. We also add LocalBackend.WatchNotificationsAs and LocalBackend.StartLoginInteractiveAs methods, which are like WatchNotifications and StartLoginInteractive but accept an additional parameter specifying an ipnauth.Actor who initiates the operation. We store these actor identities in watchSession.owner and LocalBackend.authActor, respectively,and implement LocalBackend.sendTo and related helper methods to enable sending notifications to watchSessions associated with actors (or, more broadly, identifiable recipients). We then use the above to change who receives the BrowseToURL notifications: - For user-initiated, interactive logins, the notification is delivered only to the user who initiated the process. If the initiating actor represents a specific connected client, the URL notification is sent back to the same LocalAPI client that called StartLoginInteractive. Otherwise, the notification is sent to all clients connected as that user. Currently, we only differentiate between users on Windows, as it is inherently a multi-user OS. - In all other cases (e.g., node key expiration), we send the notification to all connected users. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2024-10-13 11:36:46 -05:00			`LocalSystem bool // whether the actor represents the special Local System account on Windows`
			`LocalAdmin bool // whether the actor has local admin access`
			`}`

			`// UserID implements [Actor].`
			`func (a *TestActor) UserID() ipn.WindowsUserID { return a.UID }`

			`// Username implements [Actor].`
			`func (a *TestActor) Username() (string, error) { return a.Name, a.NameErr }`

			`// ClientID implements [Actor].`
			`func (a *TestActor) ClientID() (_ ClientID, ok bool) { return a.CID, a.CID != NoClientID }`

ipn/ipn{auth,server}: update ipnauth.Actor to carry a context The context carries additional information about the actor, such as the request reason, and is canceled when the actor is done. Additionally, we implement three new ipn.Actor types that wrap other actors to modify their behavior: - WithRequestReason, which adds a request reason to the actor; - WithoutClose, which narrows the actor's interface to prevent it from being closed; - WithPolicyChecks, which adds policy checks to the actor's CheckProfileAccess method. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-07 10:47:14 -06:00			`// Context implements [Actor].`
			`func (a *TestActor) Context() context.Context { return cmp.Or(a.Ctx, context.Background()) }`

ipn/{ipnauth, ipnserver}: extend the ipnauth.Actor interface with a CheckProfileAccess method The implementations define it to verify whether the actor has the requested access to a login profile. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-01-29 15:34:20 -06:00			`// CheckProfileAccess implements [Actor].`
ipn/{ipnauth,ipnlocal,ipnserver}: move the AlwaysOn policy check from ipnserver to ipnauth In this PR, we move the code that checks the AlwaysOn policy from ipnserver.actor to ipnauth. It is intended to be used by ipnauth.Actor implementations, and we temporarily make it exported while these implementations reside in ipnserver and in corp. We'll unexport it later. We also update [ipnauth.Actor.CheckProfileAccess] to accept an auditLogger, which is called to write details about the action to the audit log when required by the policy, and update LocalBackend.EditPrefsAs to use an auditLogger that writes to the regular backend log. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-02-04 14:20:06 -06:00			`func (a *TestActor) CheckProfileAccess(profile ipn.LoginProfileView, _ ProfileAccess, _ AuditLogFunc) error {`
ipn/{ipnauth, ipnserver}: extend the ipnauth.Actor interface with a CheckProfileAccess method The implementations define it to verify whether the actor has the requested access to a login profile. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2025-01-29 15:34:20 -06:00			`return errors.New("profile access denied")`
			`}`

ipn/{ipnauth,ipnlocal,ipnserver}: send the auth URL to the user who started interactive login We add the ClientID() method to the ipnauth.Actor interface and updated ipnserver.actor to implement it. This method returns a unique ID of the connected client if the actor represents one. It helps link a series of interactions initiated by the client, such as when a notification needs to be sent back to a specific session, rather than all active sessions, in response to a certain request. We also add LocalBackend.WatchNotificationsAs and LocalBackend.StartLoginInteractiveAs methods, which are like WatchNotifications and StartLoginInteractive but accept an additional parameter specifying an ipnauth.Actor who initiates the operation. We store these actor identities in watchSession.owner and LocalBackend.authActor, respectively,and implement LocalBackend.sendTo and related helper methods to enable sending notifications to watchSessions associated with actors (or, more broadly, identifiable recipients). We then use the above to change who receives the BrowseToURL notifications: - For user-initiated, interactive logins, the notification is delivered only to the user who initiated the process. If the initiating actor represents a specific connected client, the URL notification is sent back to the same LocalAPI client that called StartLoginInteractive. Otherwise, the notification is sent to all clients connected as that user. Currently, we only differentiate between users on Windows, as it is inherently a multi-user OS. - In all other cases (e.g., node key expiration), we send the notification to all connected users. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com> 2024-10-13 11:36:46 -05:00			`// IsLocalSystem implements [Actor].`
			`func (a *TestActor) IsLocalSystem() bool { return a.LocalSystem }`

			`// IsLocalAdmin implements [Actor].`
			`func (a *TestActor) IsLocalAdmin(operatorUID string) bool { return a.LocalAdmin }`