mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-01 14:05:39 +00:00
ipn/localapi: add endpoint to request id token
Updates tailscale/corp#4347 Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
parent
035e8ab00e
commit
3603a18710
@ -6,6 +6,7 @@
|
||||
package localapi
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
@ -24,6 +25,7 @@
|
||||
|
||||
"inet.af/netaddr"
|
||||
"tailscale.com/client/tailscale/apitype"
|
||||
"tailscale.com/envknob"
|
||||
"tailscale.com/ipn"
|
||||
"tailscale.com/ipn/ipnlocal"
|
||||
"tailscale.com/ipn/ipnstate"
|
||||
@ -128,6 +130,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
h.serveSetExpirySooner(w, r)
|
||||
case "/localapi/v0/dial":
|
||||
h.serveDial(w, r)
|
||||
case "/localapi/v0/id-token":
|
||||
h.serveIDToken(w, r)
|
||||
case "/":
|
||||
io.WriteString(w, "tailscaled\n")
|
||||
default:
|
||||
@ -135,6 +139,54 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
// serveIDToken handles requests to get an OIDC ID token.
|
||||
func (h *Handler) serveIDToken(w http.ResponseWriter, r *http.Request) {
|
||||
if !h.PermitWrite {
|
||||
http.Error(w, "id-token access denied", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
if !envknob.UseWIPCode() {
|
||||
http.Error(w, "id-token access denied", http.StatusServiceUnavailable)
|
||||
return
|
||||
}
|
||||
nm := h.b.NetMap()
|
||||
if nm == nil {
|
||||
http.Error(w, "no netmap", http.StatusServiceUnavailable)
|
||||
return
|
||||
}
|
||||
aud := strings.TrimSpace(r.FormValue("aud"))
|
||||
if len(aud) == 0 {
|
||||
http.Error(w, "no audience requested", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
req := &tailcfg.TokenRequest{
|
||||
CapVersion: tailcfg.CurrentCapabilityVersion,
|
||||
Audience: aud,
|
||||
NodeKey: nm.NodeKey,
|
||||
}
|
||||
b, err := json.Marshal(req)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
httpReq, err := http.NewRequest("POST", "https://unused/machine/id-token", bytes.NewReader(b))
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
resp, err := h.b.DoNoiseRequest(httpReq)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
w.WriteHeader(resp.StatusCode)
|
||||
if _, err := io.Copy(w, resp.Body); err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
|
||||
if !h.PermitRead {
|
||||
http.Error(w, "bugreport access denied", http.StatusForbidden)
|
||||
|
@ -65,8 +65,9 @@
|
||||
// 26: 2022-01-12: (nothing, just bumping for 1.20.0)
|
||||
// 27: 2022-02-18: start of SSHPolicy being respected
|
||||
// 28: 2022-03-09: client can communicate over Noise.
|
||||
// 29: 2022-03-09: MapResponse.PopBrowserURL
|
||||
const CurrentCapabilityVersion CapabilityVersion = 29
|
||||
// 29: 2022-03-21: MapResponse.PopBrowserURL
|
||||
// 30: 2022-03-22: client can request id tokens.
|
||||
const CurrentCapabilityVersion CapabilityVersion = 30
|
||||
|
||||
type StableID string
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user