cmd/tailscale/cli: [up] change oauth authkey format

Updates #7982

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2023-04-26 13:20:58 -07:00 committed by Maisem Ali
parent 13de36303d
commit b2b5379348

View File

@ -1118,33 +1118,31 @@ func init() {
tailscale.I_Acknowledge_This_API_Is_Unstable = true
}
// resolveAuthKey either returns v unchanged (in the common case)
// or, if it starts with "oauth:" parses it as one of:
// resolveAuthKey either returns v unchanged (in the common case) or, if it
// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
//
// oauth2:CLIENT_ID:CLIENT_SECRET?ephemeral=false&tags=foo,bar&preauthorized=BOOL
// oauth2:CLIENT_ID:CLIENT_SECRET:BASE_URL?...
// tskey-client-xxxx[?ephemeral=false&tags=foo,bar&preauthorized=BOOL&baseURL=...]
//
// and does the OAuth2 dance to get and return an authkey. The "ephemeral" property
// defaults to true if unspecified. The "preauthorized" defaults to false.
//
// If the BASE_URL argument is not provided, it defaults to https://api.tailscale.com.
// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
// property defaults to true if unspecified. The "preauthorized" defaults to
// false. The "baseURL" defaults to
// https://api.tailscale.com.
func resolveAuthKey(ctx context.Context, v string) (string, error) {
suff, ok := strings.CutPrefix(v, "oauth:")
if !ok {
if !strings.HasPrefix(v, "tskey-client-") {
return v, nil
}
if !envknob.Bool("TS_EXPERIMENT_OAUTH_AUTHKEY") {
return "", errors.New("oauth authkeys are in experimental status")
}
pos, named, _ := strings.Cut(suff, "?")
clientSecret, named, _ := strings.Cut(v, "?")
attrs, err := url.ParseQuery(named)
if err != nil {
return "", err
}
for k := range attrs {
switch k {
case "ephemeral", "preauthorized", "tags":
case "ephemeral", "preauthorized", "tags", "baseURL":
default:
return "", fmt.Errorf("unknown attribute %q", k)
}
@ -1173,18 +1171,13 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
tags = strings.Split(v, ",")
}
f := strings.SplitN(pos, ":", 3)
if len(f) < 2 || len(f) > 3 {
return "", errors.New("invalid auth key format; want oauth2:CLIENT_ID:CLIENT_SECRET[:BASE_URL]")
}
clientID, clientSecret := f[0], f[1]
baseURL := "https://api.tailscale.com"
if len(f) == 3 {
baseURL = f[2]
if v := attrs.Get("baseURL"); v != "" {
baseURL = v
}
credentials := clientcredentials.Config{
ClientID: clientID,
ClientID: "some-client-id", // ignored
ClientSecret: clientSecret,
TokenURL: baseURL + "/api/v2/oauth/token",
Scopes: []string{"device"},