cmd/tsidp: add some docs

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali 2023-11-14 11:40:47 -08:00
parent 017a2ed349
commit 491b5fa92d


@ -82,19 +82,30 @@ type idpServer struct {
lazySigningKey lazy.SyncValue[*signingKey] lazySigningKey lazy.SyncValue[*signingKey]
lazySigner lazy.SyncValue[jose.Signer] lazySigner lazy.SyncValue[jose.Signer]
mu sync.Mutex // guards the fields below mu sync.Mutex // guards the fields below
code map[string]*authRequest code map[string]*authRequest
accessToken map[string]*authRequest accessToken map[string]*authRequest
} }
type authRequest struct { type authRequest struct {
forNodeID string // string form nodeid:abcd // requesterNodeID is the node who requested the auth (say synology), not the node
nonce string // who is being authenticated.
// String form of tailcfg.NodeID
requesterNodeID string
// nonce presented in the request.
nonce string
// redirectURI is the redirect_uri presented in the request.
redirectURI string redirectURI string
// remoteUser is the user who is being authenticated.
remoteUser *apitype.WhoIsResponse remoteUser *apitype.WhoIsResponse
validTill time.Time
// validTill is the time until which the token is valid.
// As of 2023-11-14, it is 5 minutes.
// TODO: add routine to delete expired tokens.
validTill time.Time
} }
func (s *idpServer) Register(mux *http.ServeMux) { func (s *idpServer) Register(mux *http.ServeMux) {
@ -119,10 +130,10 @@ func (s *idpServer) authorize(w http.ResponseWriter, r *http.Request) {
uq := r.URL.Query() uq := r.URL.Query()
code := rands.HexString(32) code := rands.HexString(32)
ar := &authRequest{ ar := &authRequest{
forNodeID: nodeID, requesterNodeID: nodeID,
nonce: uq.Get("nonce"), nonce: uq.Get("nonce"),
remoteUser: who, remoteUser: who,
redirectURI: uq.Get("redirect_uri"), redirectURI: uq.Get("redirect_uri"),
} }
s.mu.Lock() s.mu.Lock()
@ -173,7 +184,7 @@ func (s *idpServer) serveUserInfo(w http.ResponseWriter, r *http.Request) {
http.Error(w, "tsidp: invalid token", http.StatusBadRequest) http.Error(w, "tsidp: invalid token", http.StatusBadRequest)
return return
} }
if ar.forNodeID != who.Node.ID.String() { if ar.requesterNodeID != who.Node.ID.String() {
http.Error(w, "tsidp: token for different node", http.StatusForbidden) http.Error(w, "tsidp: token for different node", http.StatusForbidden)
return return
} }
@ -240,7 +251,7 @@ func (s *idpServer) serveToken(w http.ResponseWriter, r *http.Request) {
http.Error(w, "tsidp: code not found", http.StatusBadRequest) http.Error(w, "tsidp: code not found", http.StatusBadRequest)
return return
} }
if ar.forNodeID != caller.Node.ID.String() { if ar.requesterNodeID != caller.Node.ID.String() {
http.Error(w, "tsidp: token for different node", http.StatusForbidden) http.Error(w, "tsidp: token for different node", http.StatusForbidden)
return return
} }
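Review bot: The new `validTill` comment in the first hunk leaves the cleanup as a TODO, but the rest of the diff shows the cost of that gap: every `authorize` call (second hunk) inserts a fresh `*authRequest` keyed by `rands.HexString(32)` into `s.code`, and nothing visible here removes it, so both `s.code` and `s.accessToken` grow with each request until the process restarts. The comment should state that consequence rather than just the TODO, e.g. `// TODO: add routine to delete expired tokens; until then s.code and s.accessToken grow without bound.`, and the sweep itself belongs under `s.mu` since that lock guards both maps. Note also that the `authRequest` literal in `authorize` does not set `validTill`, so pending codes presumably carry a zero time; whether a zero `validTill` is rejected before the code is exchanged is not visible in this diff and is worth confirming, since an authorization code that never expires is a larger window than the 5-minute token. Finally, `// As of 2023-11-14, it is 5 minutes.` is a date-stamped value that will drift from wherever the duration is actually set; name the place that sets it (presumably `serveToken`, whose body lies outside these hunks) instead of the number. `authorize`, `serveUserInfo` and `serveToken` all start and end outside the hunks shown.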