TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-07-31 16:23:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Export functions in authorization file

Browse Source
This commit is contained in:
Fran Bull 2025-02-27 13:23:26 -08:00
parent 24ce3279f4
commit c4110ec886
4 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
tsconsensus/authorization.go
View File

@ -70,7 +70,7 @@ func newAuthorization(ts *tsnet.Server, tag string) *authorization {
} }
} }
func (a *authorization) refresh(ctx context.Context) error { func (a *authorization) Refresh(ctx context.Context) error {
tStatus, err := a.sg.getStatus(ctx) tStatus, err := a.sg.getStatus(ctx)
if err != nil { if err != nil {
return err return err
@ -87,7 +87,7 @@ func (a *authorization) refresh(ctx context.Context) error {
return nil return nil
} }
func (a *authorization) allowsHost(addr netip.Addr) bool { func (a *authorization) AllowsHost(addr netip.Addr) bool {
if a.peers == nil { if a.peers == nil {
return false return false
} }
@ -96,7 +96,7 @@ func (a *authorization) allowsHost(addr netip.Addr) bool {
return a.peers.peerExists(addr, a.tag) return a.peers.peerExists(addr, a.tag)
} }
func (a *authorization) selfAllowed() bool { func (a *authorization) SelfAllowed() bool {
if a.peers == nil { if a.peers == nil {
return false return false
} }
@ -105,7 +105,7 @@ func (a *authorization) selfAllowed() bool {
return a.peers.status.Self.Tags != nil && slices.Contains(a.peers.status.Self.Tags.AsSlice(), a.tag) return a.peers.status.Self.Tags != nil && slices.Contains(a.peers.status.Self.Tags.AsSlice(), a.tag)
} }
func (a *authorization) allowedPeers() views.Slice[*ipnstate.PeerStatus] { func (a *authorization) AllowedPeers() views.Slice[*ipnstate.PeerStatus] {
if a.peers == nil { if a.peers == nil {
return views.SliceOf([]*ipnstate.PeerStatus{}) return views.SliceOf([]*ipnstate.PeerStatus{})
} }

26
tsconsensus/authorization_test.go
View File

@ -65,7 +65,7 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
ctx := context.Background() ctx := context.Background()
a := authForStatus(nil) a := authForStatus(nil)
err := a.refresh(ctx) err := a.Refresh(ctx)
if err == nil { if err == nil {
t.Fatalf("expected err to be non-nil") t.Fatalf("expected err to be non-nil")
} }
@ -77,7 +77,7 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
a = authForStatus(&ipnstate.Status{ a = authForStatus(&ipnstate.Status{
BackendState: "NeedsMachineAuth", BackendState: "NeedsMachineAuth",
}) })
err = a.refresh(ctx) err = a.Refresh(ctx)
if err == nil { if err == nil {
t.Fatalf("expected err to be non-nil") t.Fatalf("expected err to be non-nil")
} }
@ -89,14 +89,14 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
func TestAuthUnrefreshed(t *testing.T) { func TestAuthUnrefreshed(t *testing.T) {
a := authForStatus(nil) a := authForStatus(nil)
if a.allowsHost(netip.MustParseAddr("100.0.0.1")) { if a.AllowsHost(netip.MustParseAddr("100.0.0.1")) {
t.Fatalf("never refreshed authorization, allowsHost: expected false, got true") t.Fatalf("never refreshed authorization, allowsHost: expected false, got true")
} }
gotAllowedPeers := a.allowedPeers() gotAllowedPeers := a.AllowedPeers()
if gotAllowedPeers.Len() != 0 { if gotAllowedPeers.Len() != 0 {
t.Fatalf("never refreshed authorization, allowedPeers: expected [], got %v", gotAllowedPeers) t.Fatalf("never refreshed authorization, allowedPeers: expected [], got %v", gotAllowedPeers)
} }
if a.selfAllowed() != false { if a.SelfAllowed() != false {
t.Fatalf("never refreshed authorization, selfAllowed: expected false got true") t.Fatalf("never refreshed authorization, selfAllowed: expected false got true")
} }
} }
@ -116,14 +116,14 @@ func TestAuthAllowsHost(t *testing.T) {
true, true,
} }
a := authForTags(nil, peerTags) a := authForTags(nil, peerTags)
err := a.refresh(ctx) err := a.Refresh(ctx)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
for i, tags := range peerTags { for i, tags := range peerTags {
for _, addr := range addrsForIndex(i) { for _, addr := range addrsForIndex(i) {
got := a.allowsHost(addr) got := a.AllowsHost(addr)
if got != expected[i] { if got != expected[i] {
t.Fatalf("allowed %v, expected: %t, got %t", tags, expected[i], got) t.Fatalf("allowed %v, expected: %t, got %t", tags, expected[i], got)
} }
@ -139,11 +139,11 @@ func TestAuthAllowedPeers(t *testing.T) {
[]string{"woo", testTag}, []string{"woo", testTag},
[]string{testTag}, []string{testTag},
}) })
err := a.refresh(ctx) err := a.Refresh(ctx)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
ps := a.allowedPeers() ps := a.AllowedPeers()
if ps.Len() != 2 { if ps.Len() != 2 {
t.Fatalf("expected: 2, got: %d", ps.Len()) t.Fatalf("expected: 2, got: %d", ps.Len())
} }
@ -153,21 +153,21 @@ func TestAuthSelfAllowed(t *testing.T) {
ctx := context.Background() ctx := context.Background()
a := authForTags([]string{"woo"}, nil) a := authForTags([]string{"woo"}, nil)
err := a.refresh(ctx) err := a.Refresh(ctx)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
got := a.selfAllowed() got := a.SelfAllowed()
if got { if got {
t.Fatalf("expected: false, got: %t", got) t.Fatalf("expected: false, got: %t", got)
} }
a = authForTags([]string{"woo", testTag}, nil) a = authForTags([]string{"woo", testTag}, nil)
err = a.refresh(ctx) err = a.Refresh(ctx)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
got = a.selfAllowed() got = a.SelfAllowed()
if !got { if !got {
t.Fatalf("expected: true, got: %t", got) t.Fatalf("expected: true, got: %t", got)
} }

4
tsconsensus/http.go
View File

@ -91,7 +91,7 @@ type authedHandler struct {
} }
func (h authedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (h authedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
err := h.auth.refresh(r.Context()) err := h.auth.Refresh(r.Context())
if err != nil { if err != nil {
log.Printf("error authedHandler ServeHTTP refresh auth: %v", err) log.Printf("error authedHandler ServeHTTP refresh auth: %v", err)
http.Error(w, "", http.StatusInternalServerError) http.Error(w, "", http.StatusInternalServerError)
@ -103,7 +103,7 @@ func (h authedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
http.Error(w, "", http.StatusInternalServerError) http.Error(w, "", http.StatusInternalServerError)
return return
} }
allowed := h.auth.allowsHost(a) allowed := h.auth.AllowsHost(a)
if !allowed { if !allowed {
http.Error(w, "peer not allowed", http.StatusForbidden) http.Error(w, "peer not allowed", http.StatusForbidden)
return return

14
tsconsensus/tsconsensus.go
View File

@ -96,7 +96,7 @@ type StreamLayer struct {
func (sl StreamLayer) Dial(address raft.ServerAddress, timeout time.Duration) (net.Conn, error) { func (sl StreamLayer) Dial(address raft.ServerAddress, timeout time.Duration) (net.Conn, error) {
ctx, cancel := context.WithTimeout(context.Background(), timeout) ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel() defer cancel()
err := sl.auth.refresh(ctx) err := sl.auth.Refresh(ctx)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -106,7 +106,7 @@ func (sl StreamLayer) Dial(address raft.ServerAddress, timeout time.Duration) (n
return nil, err return nil, err
} }
if !sl.auth.allowsHost(addr) { if !sl.auth.AllowsHost(addr) {
return nil, errors.New("peer is not allowed") return nil, errors.New("peer is not allowed")
} }
return sl.s.Dial(ctx, "tcp", string(address)) return sl.s.Dial(ctx, "tcp", string(address))
@ -122,12 +122,12 @@ func (sl StreamLayer) connAuthorized(conn net.Conn) (bool, error) {
return false, nil return false, nil
} }
ctx := context.Background() // TODO ctx := context.Background() // TODO
err = sl.auth.refresh(ctx) err = sl.auth.Refresh(ctx)
if err != nil { if err != nil {
// might be authorized, we couldn't tell // might be authorized, we couldn't tell
return false, err return false, err
} }
return sl.auth.allowsHost(addr), nil return sl.auth.AllowsHost(addr), nil
} }
func (sl StreamLayer) Accept() (net.Conn, error) { func (sl StreamLayer) Accept() (net.Conn, error) {
@ -175,11 +175,11 @@ func Start(ctx context.Context, ts *tsnet.Server, fsm raft.FSM, clusterTag strin
} }
auth := newAuthorization(ts, clusterTag) auth := newAuthorization(ts, clusterTag)
err := auth.refresh(ctx) err := auth.Refresh(ctx)
if err != nil { if err != nil {
return nil, fmt.Errorf("auth refresh: %w", err) return nil, fmt.Errorf("auth refresh: %w", err)
} }
if !auth.selfAllowed() { if !auth.SelfAllowed() {
return nil, errors.New("this node is not tagged with the cluster tag") return nil, errors.New("this node is not tagged with the cluster tag")
} }
@ -198,7 +198,7 @@ func Start(ctx context.Context, ts *tsnet.Server, fsm raft.FSM, clusterTag strin
} }
c.cmdHttpServer = srv c.cmdHttpServer = srv
c.bootstrap(auth.allowedPeers()) c.bootstrap(auth.AllowedPeers())
if serveDebugMonitor { if serveDebugMonitor {
srv, err = serveMonitor(&c, ts, netip.AddrPortFrom(c.self.hostAddr, cfg.MonitorPort).String()) srv, err = serveMonitor(&c, ts, netip.AddrPortFrom(c.self.hostAddr, cfg.MonitorPort).String())