ipn/{ipnauth, ipnserver}: extend the ipnauth.Actor interface with a CheckProfileAccess method

The implementations define it to verify whether the actor has the requested access to a login profile. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-22 07:18:46 +00:00 · 2025-01-29 15:34:20 -06:00 · 2025-01-29 15:34:20 -06:00 · 081595de63
commit 081595de63
parent 4e7f4086b2
4 changed files with 27 additions and 1 deletions
--- a/ipn/ipnauth/access.go
+++ b/ipn/ipnauth/access.go
@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package ipnauth
+
+// ProfileAccess is a bitmask representing the requested, required, or granted
+// access rights to an [ipn.LoginProfile].
+type ProfileAccess uint32
--- a/ipn/ipnauth/actor.go
+++ b/ipn/ipnauth/actor.go
@ -27,6 +27,10 @@ type Actor interface {
 	// a connected LocalAPI client. Otherwise, it returns a zero value and false.
 	ClientID() (_ ClientID, ok bool)

+	// CheckProfileAccess checks whether the actor has the requested access rights
+	// to the specified Tailscale profile. It returns an error if the access is denied.
+	CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ProfileAccess) error
+
 	// IsLocalSystem reports whether the actor is the Windows' Local System account.
 	//
 	// Deprecated: this method exists for compatibility with the current (as of 2024-08-27)
--- a/ipn/ipnauth/test_actor.go
+++ b/ipn/ipnauth/test_actor.go
@ -4,6 +4,8 @@
 package ipnauth

 import (
+	"errors"
+
 	"tailscale.com/ipn"
 )

@ -17,7 +19,6 @@ type TestActor struct {
 	CID         ClientID          // non-zero if the actor represents a connected LocalAPI client
 	LocalSystem bool              // whether the actor represents the special Local System account on Windows
 	LocalAdmin  bool              // whether the actor has local admin access
-
 }

 // UserID implements [Actor].
@ -29,6 +30,11 @@ func (a *TestActor) Username() (string, error) { return a.Name, a.NameErr }
 // ClientID implements [Actor].
 func (a *TestActor) ClientID() (_ ClientID, ok bool) { return a.CID, a.CID != NoClientID }

+// CheckProfileAccess implements [Actor].
+func (a *TestActor) CheckProfileAccess(profile ipn.LoginProfileView, _ ProfileAccess) error {
+	return errors.New("profile access denied")
+}
+
 // IsLocalSystem implements [Actor].
 func (a *TestActor) IsLocalSystem() bool { return a.LocalSystem }

--- a/ipn/ipnserver/actor.go
+++ b/ipn/ipnserver/actor.go
@ -58,6 +58,14 @@ func newActor(logf logger.Logf, c net.Conn) (*actor, error) {
 	return &actor{logf: logf, ci: ci, clientID: clientID, isLocalSystem: connIsLocalSystem(ci)}, nil
 }

+// CheckProfileAccess implements [ipnauth.Actor].
+func (a *actor) CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ipnauth.ProfileAccess) error {
+	if profile.LocalUserID() != a.UserID() {
+		return errors.New("the target profile does not belong to the user")
+	}
+	return errors.New("the requested operation is not allowed")
+}
+
 // IsLocalSystem implements [ipnauth.Actor].
 func (a *actor) IsLocalSystem() bool {
 	return a.isLocalSystem