mirror of
https://github.com/tailscale/tailscale.git
synced 2025-07-31 00:03:47 +00:00
Export functions in authorization file
This commit is contained in:
Fran Bull
parent
24ce3279f4
commit
c4110ec886
@ -70,7 +70,7 @@ func newAuthorization(ts *tsnet.Server, tag string) *authorization {
|
||||
}
|
||||
}
|
||||
|
||||
func (a *authorization) refresh(ctx context.Context) error {
|
||||
func (a *authorization) Refresh(ctx context.Context) error {
|
||||
tStatus, err := a.sg.getStatus(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -87,7 +87,7 @@ func (a *authorization) refresh(ctx context.Context) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a *authorization) allowsHost(addr netip.Addr) bool {
|
||||
func (a *authorization) AllowsHost(addr netip.Addr) bool {
|
||||
if a.peers == nil {
|
||||
return false
|
||||
}
|
||||
@ -96,7 +96,7 @@ func (a *authorization) allowsHost(addr netip.Addr) bool {
|
||||
return a.peers.peerExists(addr, a.tag)
|
||||
}
|
||||
|
||||
func (a *authorization) selfAllowed() bool {
|
||||
func (a *authorization) SelfAllowed() bool {
|
||||
if a.peers == nil {
|
||||
return false
|
||||
}
|
||||
@ -105,7 +105,7 @@ func (a *authorization) selfAllowed() bool {
|
||||
return a.peers.status.Self.Tags != nil && slices.Contains(a.peers.status.Self.Tags.AsSlice(), a.tag)
|
||||
}
|
||||
|
||||
func (a *authorization) allowedPeers() views.Slice[*ipnstate.PeerStatus] {
|
||||
func (a *authorization) AllowedPeers() views.Slice[*ipnstate.PeerStatus] {
|
||||
if a.peers == nil {
|
||||
return views.SliceOf([]*ipnstate.PeerStatus{})
|
||||
}
|
||||
|
||||
@ -65,7 +65,7 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
a := authForStatus(nil)
|
||||
err := a.refresh(ctx)
|
||||
err := a.Refresh(ctx)
|
||||
if err == nil {
|
||||
t.Fatalf("expected err to be non-nil")
|
||||
}
|
||||
@ -77,7 +77,7 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
|
||||
a = authForStatus(&ipnstate.Status{
|
||||
BackendState: "NeedsMachineAuth",
|
||||
})
|
||||
err = a.refresh(ctx)
|
||||
err = a.Refresh(ctx)
|
||||
if err == nil {
|
||||
t.Fatalf("expected err to be non-nil")
|
||||
}
|
||||
@ -89,14 +89,14 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
|
||||
|
||||
func TestAuthUnrefreshed(t *testing.T) {
|
||||
a := authForStatus(nil)
|
||||
if a.allowsHost(netip.MustParseAddr("100.0.0.1")) {
|
||||
if a.AllowsHost(netip.MustParseAddr("100.0.0.1")) {
|
||||
t.Fatalf("never refreshed authorization, allowsHost: expected false, got true")
|
||||
}
|
||||
gotAllowedPeers := a.allowedPeers()
|
||||
gotAllowedPeers := a.AllowedPeers()
|
||||
if gotAllowedPeers.Len() != 0 {
|
||||
t.Fatalf("never refreshed authorization, allowedPeers: expected [], got %v", gotAllowedPeers)
|
||||
}
|
||||
if a.selfAllowed() != false {
|
||||
if a.SelfAllowed() != false {
|
||||
t.Fatalf("never refreshed authorization, selfAllowed: expected false got true")
|
||||
}
|
||||
}
|
||||
@ -116,14 +116,14 @@ func TestAuthAllowsHost(t *testing.T) {
|
||||
true,
|
||||
}
|
||||
a := authForTags(nil, peerTags)
|
||||
err := a.refresh(ctx)
|
||||
err := a.Refresh(ctx)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
for i, tags := range peerTags {
|
||||
for _, addr := range addrsForIndex(i) {
|
||||
got := a.allowsHost(addr)
|
||||
got := a.AllowsHost(addr)
|
||||
if got != expected[i] {
|
||||
t.Fatalf("allowed %v, expected: %t, got %t", tags, expected[i], got)
|
||||
}
|
||||
@ -139,11 +139,11 @@ func TestAuthAllowedPeers(t *testing.T) {
|
||||
[]string{"woo", testTag},
|
||||
[]string{testTag},
|
||||
})
|
||||
err := a.refresh(ctx)
|
||||
err := a.Refresh(ctx)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
ps := a.allowedPeers()
|
||||
ps := a.AllowedPeers()
|
||||
if ps.Len() != 2 {
|
||||
t.Fatalf("expected: 2, got: %d", ps.Len())
|
||||
}
|
||||
@ -153,21 +153,21 @@ func TestAuthSelfAllowed(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
a := authForTags([]string{"woo"}, nil)
|
||||
err := a.refresh(ctx)
|
||||
err := a.Refresh(ctx)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
got := a.selfAllowed()
|
||||
got := a.SelfAllowed()
|
||||
if got {
|
||||
t.Fatalf("expected: false, got: %t", got)
|
||||
}
|
||||
|
||||
a = authForTags([]string{"woo", testTag}, nil)
|
||||
err = a.refresh(ctx)
|
||||
err = a.Refresh(ctx)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
got = a.selfAllowed()
|
||||
got = a.SelfAllowed()
|
||||
if !got {
|
||||
t.Fatalf("expected: true, got: %t", got)
|
||||
}
|
||||
|
||||
@ -91,7 +91,7 @@ type authedHandler struct {
|
||||
}
|
||||
|
||||
func (h authedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
err := h.auth.refresh(r.Context())
|
||||
err := h.auth.Refresh(r.Context())
|
||||
if err != nil {
|
||||
log.Printf("error authedHandler ServeHTTP refresh auth: %v", err)
|
||||
http.Error(w, "", http.StatusInternalServerError)
|
||||
@ -103,7 +103,7 @@ func (h authedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, "", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
allowed := h.auth.allowsHost(a)
|
||||
allowed := h.auth.AllowsHost(a)
|
||||
if !allowed {
|
||||
http.Error(w, "peer not allowed", http.StatusForbidden)
|
||||
return
|
||||
|
||||
@ -96,7 +96,7 @@ type StreamLayer struct {
|
||||
func (sl StreamLayer) Dial(address raft.ServerAddress, timeout time.Duration) (net.Conn, error) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), timeout)
|
||||
defer cancel()
|
||||
err := sl.auth.refresh(ctx)
|
||||
err := sl.auth.Refresh(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -106,7 +106,7 @@ func (sl StreamLayer) Dial(address raft.ServerAddress, timeout time.Duration) (n
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if !sl.auth.allowsHost(addr) {
|
||||
if !sl.auth.AllowsHost(addr) {
|
||||
return nil, errors.New("peer is not allowed")
|
||||
}
|
||||
return sl.s.Dial(ctx, "tcp", string(address))
|
||||
@ -122,12 +122,12 @@ func (sl StreamLayer) connAuthorized(conn net.Conn) (bool, error) {
|
||||
return false, nil
|
||||
}
|
||||
ctx := context.Background() // TODO
|
||||
err = sl.auth.refresh(ctx)
|
||||
err = sl.auth.Refresh(ctx)
|
||||
if err != nil {
|
||||
// might be authorized, we couldn't tell
|
||||
return false, err
|
||||
}
|
||||
return sl.auth.allowsHost(addr), nil
|
||||
return sl.auth.AllowsHost(addr), nil
|
||||
}
|
||||
|
||||
func (sl StreamLayer) Accept() (net.Conn, error) {
|
||||
@ -175,11 +175,11 @@ func Start(ctx context.Context, ts *tsnet.Server, fsm raft.FSM, clusterTag strin
|
||||
}
|
||||
|
||||
auth := newAuthorization(ts, clusterTag)
|
||||
err := auth.refresh(ctx)
|
||||
err := auth.Refresh(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("auth refresh: %w", err)
|
||||
}
|
||||
if !auth.selfAllowed() {
|
||||
if !auth.SelfAllowed() {
|
||||
return nil, errors.New("this node is not tagged with the cluster tag")
|
||||
}
|
||||
|
||||
@ -198,7 +198,7 @@ func Start(ctx context.Context, ts *tsnet.Server, fsm raft.FSM, clusterTag strin
|
||||
}
|
||||
c.cmdHttpServer = srv
|
||||
|
||||
c.bootstrap(auth.allowedPeers())
|
||||
c.bootstrap(auth.AllowedPeers())
|
||||
|
||||
if serveDebugMonitor {
|
||||
srv, err = serveMonitor(&c, ts, netip.AddrPortFrom(c.self.hostAddr, cfg.MonitorPort).String())
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user