TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-05-22 15:28:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

ipn/{ipnauth, ipnserver}: extend the ipnauth.Actor interface with a CheckProfileAccess method

Browse Source 
The implementations define it to verify whether the actor has the requested access to a login profile.

Updates #14823

Signed-off-by: Nick Khyl <nickk@tailscale.com>
This commit is contained in:
Nick Khyl 2025-01-29 15:34:20 -06:00 committed by Nick Khyl
parent 4e7f4086b2
commit 081595de63
4 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ipn/ipnauth/access.go Normal file
View File

@ -0,0 +1,8 @@
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
package ipnauth
// ProfileAccess is a bitmask representing the requested, required, or granted
// access rights to an [ipn.LoginProfile].
type ProfileAccess uint32

4
ipn/ipnauth/actor.go
View File

@ -27,6 +27,10 @@ type Actor interface {
// a connected LocalAPI client. Otherwise, it returns a zero value and false. // a connected LocalAPI client. Otherwise, it returns a zero value and false.
ClientID() (_ ClientID, ok bool) ClientID() (_ ClientID, ok bool)
// CheckProfileAccess checks whether the actor has the requested access rights
// to the specified Tailscale profile. It returns an error if the access is denied.
CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ProfileAccess) error
// IsLocalSystem reports whether the actor is the Windows' Local System account. // IsLocalSystem reports whether the actor is the Windows' Local System account.
// //
// Deprecated: this method exists for compatibility with the current (as of 2024-08-27) // Deprecated: this method exists for compatibility with the current (as of 2024-08-27)

8
ipn/ipnauth/test_actor.go
View File

@ -4,6 +4,8 @@
package ipnauth package ipnauth
import ( import (
"errors"
"tailscale.com/ipn" "tailscale.com/ipn"
) )
@ -17,7 +19,6 @@ type TestActor struct {
CID ClientID // non-zero if the actor represents a connected LocalAPI client CID ClientID // non-zero if the actor represents a connected LocalAPI client
LocalSystem bool // whether the actor represents the special Local System account on Windows LocalSystem bool // whether the actor represents the special Local System account on Windows
LocalAdmin bool // whether the actor has local admin access LocalAdmin bool // whether the actor has local admin access
} }
// UserID implements [Actor]. // UserID implements [Actor].
@ -29,6 +30,11 @@ func (a *TestActor) Username() (string, error) { return a.Name, a.NameErr }
// ClientID implements [Actor]. // ClientID implements [Actor].
func (a *TestActor) ClientID() (_ ClientID, ok bool) { return a.CID, a.CID != NoClientID } func (a *TestActor) ClientID() (_ ClientID, ok bool) { return a.CID, a.CID != NoClientID }
// CheckProfileAccess implements [Actor].
func (a *TestActor) CheckProfileAccess(profile ipn.LoginProfileView, _ ProfileAccess) error {
return errors.New("profile access denied")
}
// IsLocalSystem implements [Actor]. // IsLocalSystem implements [Actor].
func (a *TestActor) IsLocalSystem() bool { return a.LocalSystem } func (a *TestActor) IsLocalSystem() bool { return a.LocalSystem }

8
ipn/ipnserver/actor.go
View File

@ -58,6 +58,14 @@ func newActor(logf logger.Logf, c net.Conn) (*actor, error) {
return &actor{logf: logf, ci: ci, clientID: clientID, isLocalSystem: connIsLocalSystem(ci)}, nil return &actor{logf: logf, ci: ci, clientID: clientID, isLocalSystem: connIsLocalSystem(ci)}, nil
} }
// CheckProfileAccess implements [ipnauth.Actor].
func (a *actor) CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ipnauth.ProfileAccess) error {
if profile.LocalUserID() != a.UserID() {
return errors.New("the target profile does not belong to the user")
}
return errors.New("the requested operation is not allowed")
}
// IsLocalSystem implements [ipnauth.Actor]. // IsLocalSystem implements [ipnauth.Actor].
func (a *actor) IsLocalSystem() bool { func (a *actor) IsLocalSystem() bool {
return a.isLocalSystem return a.isLocalSystem