tailscale/cli: add interactive flow for enabling Funnel

Updates tailscale/corp#10577

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Sonia Appasamy
2023-08-09 10:06:58 -04:00
committed by Sonia Appasamy
parent 90081a25ca
commit 7815fbe17a
9 changed files with 275 additions and 42 deletions


@@ -204,31 +204,27 @@ func (sc *ServeConfig) IsFunnelOn() bool {
// CheckFunnelAccess checks whether Funnel access is allowed for the given node
// and port.
// It checks:
// 1. Funnel is enabled on the Tailnet
// 2. HTTPS is enabled on the Tailnet
// 3. the node has the "funnel" nodeAttr
// 4. the port is allowed for Funnel
// 1. HTTPS is enabled on the Tailnet
// 2. the node has the "funnel" nodeAttr
// 3. the port is allowed for Funnel
//
// The nodeAttrs arg should be the node's Self.Capabilities which should contain
// the attribute we're checking for and possibly warning-capabilities for
// Funnel.
func CheckFunnelAccess(port uint16, nodeAttrs []string) error {
if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoInvite) {
return errors.New("Funnel not enabled; See https://tailscale.com/s/no-funnel.")
}
if slices.Contains(nodeAttrs, tailcfg.CapabilityWarnFunnelNoHTTPS) {
if !slices.Contains(nodeAttrs, tailcfg.CapabilityHTTPS) {
return errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https.")
}
if !slices.Contains(nodeAttrs, tailcfg.NodeAttrFunnel) {
return errors.New("Funnel not available; \"funnel\" node attribute not set. See https://tailscale.com/s/no-funnel.")
}
return checkFunnelPort(port, nodeAttrs)
return CheckFunnelPort(port, nodeAttrs)
}
// checkFunnelPort checks whether the given port is allowed for Funnel.
// CheckFunnelPort checks whether the given port is allowed for Funnel.
// It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed
// ports.
func checkFunnelPort(wantedPort uint16, nodeAttrs []string) error {
func CheckFunnelPort(wantedPort uint16, nodeAttrs []string) error {
deny := func(allowedPorts string) error {
if allowedPorts == "" {
return fmt.Errorf("port %d is not allowed for funnel", wantedPort)
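Review bot: The unchanged paragraph above CheckFunnelAccess still says nodeAttrs may contain "warning-capabilities for Funnel", but the new body no longer reads any warning capability: the CapabilityWarnFunnelNoInvite and CapabilityWarnFunnelNoHTTPS branches are removed and the function now consults only CapabilityHTTPS, NodeAttrFunnel and, via CheckFunnelPort, the Funnel ports attribute. I would rewrite those three context lines as `// The nodeAttrs arg should be the node's Self.Capabilities, which should contain` / `// the HTTPS and "funnel" capabilities and the Funnel ports attribute that` / `// this function checks for.` With the no-invite branch gone, the old list's "Funnel is enabled on the Tailnet" condition is no longer checked here at all; if that is now meant to be implied by the control plane granting the "funnel" nodeAttr only when Funnel is enabled, a sentence saying so in the doc comment would make that authorization dependency explicit for the next reader. CheckFunnelPort's body continues past the end of the hunk.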


@@ -16,14 +16,13 @@ func TestCheckFunnelAccess(t *testing.T) {
wantErr bool
}{
{443, []string{portAttr}, true}, // No "funnel" attribute
{443, []string{portAttr, tailcfg.CapabilityWarnFunnelNoInvite}, true},
{443, []string{portAttr, tailcfg.CapabilityWarnFunnelNoHTTPS}, true},
{443, []string{portAttr, tailcfg.NodeAttrFunnel}, false},
{8443, []string{portAttr, tailcfg.NodeAttrFunnel}, false},
{8321, []string{portAttr, tailcfg.NodeAttrFunnel}, true},
{8083, []string{portAttr, tailcfg.NodeAttrFunnel}, false},
{8091, []string{portAttr, tailcfg.NodeAttrFunnel}, true},
{3000, []string{portAttr, tailcfg.NodeAttrFunnel}, true},
{443, []string{portAttr, tailcfg.NodeAttrFunnel}, true},
{443, []string{portAttr, tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel}, false},
{8443, []string{portAttr, tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel}, false},
{8321, []string{portAttr, tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel}, true},
{8083, []string{portAttr, tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel}, false},
{8091, []string{portAttr, tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel}, true},
{3000, []string{portAttr, tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel}, true},
}
for _, tt := range tests {
err := CheckFunnelAccess(tt.port, tt.caps)
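Review bot: After the check reordering in CheckFunnelAccess (HTTPS is now tested before the "funnel" nodeAttr), no row in the new table reaches the missing-nodeAttr denial: the existing `{443, []string{portAttr}, true}` row now fails on the HTTPS check first, and every other row carries NodeAttrFunnel. Adding `{443, []string{portAttr, tailcfg.CapabilityHTTPS}, true}, // HTTPS but no "funnel" attribute` keeps that branch covered. Since wantErr is a bool, the table cannot tell which denial fired; if the distinction matters, comparing the returned error text would be stronger, though that is beyond this change. TestCheckFunnelAccess starts before the hunk and its loop body continues past it.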