From e3211ff88ba85435f70984cf67d9b353f3d650d8 Mon Sep 17 00:00:00 2001 From: Vladimir Pouzanov Date: Tue, 28 Feb 2023 02:05:24 +0000 Subject: [PATCH] Add support for OAuth tokens #7394 (#7393) Signed-off-by: Vladimir Pouzanov --- cmd/gitops-pusher/gitops-pusher.go | 55 +++++++++++++++++++----------- 1 file changed, 36 insertions(+), 19 deletions(-) diff --git a/cmd/gitops-pusher/gitops-pusher.go b/cmd/gitops-pusher/gitops-pusher.go index 9cfdea604..dd48a723a 100644 --- a/cmd/gitops-pusher/gitops-pusher.go +++ b/cmd/gitops-pusher/gitops-pusher.go @@ -22,6 +22,7 @@ "github.com/peterbourgon/ff/v3/ffcli" "github.com/tailscale/hujson" + "golang.org/x/oauth2/clientcredentials" "tailscale.com/util/httpm" ) @@ -42,9 +43,9 @@ func modifiedExternallyError() { } } -func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { +func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { return func(ctx context.Context, args []string) error { - controlEtag, err := getACLETag(ctx, tailnet, apiKey) + controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) if err != nil { return err } @@ -73,7 +74,7 @@ func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) return nil } - if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil { + if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil { return err } @@ -83,9 +84,9 @@ func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) } } -func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { +func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { return func(ctx context.Context, args []string) error { - controlEtag, err := getACLETag(ctx, tailnet, apiKey) + controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) if err != nil { return err } @@ -113,16 +114,16 @@ func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) return nil } - if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil { + if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil { return err } return nil } } -func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { +func getChecksums(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error { return func(ctx context.Context, args []string) error { - controlEtag, err := getACLETag(ctx, tailnet, apiKey) + controlEtag, err := getACLETag(ctx, client, tailnet, apiKey) if err != nil { return err } @@ -151,8 +152,24 @@ func main() { log.Fatal("set envvar TS_TAILNET to your tailnet's name") } apiKey, ok := os.LookupEnv("TS_API_KEY") - if !ok { - log.Fatal("set envvar TS_API_KEY to your Tailscale API key") + oauthId, oiok := os.LookupEnv("TS_OAUTH_ID") + oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET") + if !ok && (!oiok || !osok) { + log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret") + } + if ok && (oiok || osok) { + log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET") + } + var client *http.Client + if oiok { + oauthConfig := &clientcredentials.Config{ + ClientID: oauthId, + ClientSecret: oauthSecret, + TokenURL: fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer), + } + client = oauthConfig.Client(context.Background()) + } else { + client = http.DefaultClient } cache, err := LoadCache(*cacheFname) if err != nil { @@ -169,7 +186,7 @@ func main() { ShortUsage: "gitops-pusher [options] apply", ShortHelp: "Pushes changes to CONTROL", LongHelp: `Pushes changes to CONTROL`, - Exec: apply(cache, tailnet, apiKey), + Exec: apply(cache, client, tailnet, apiKey), } testCmd := &ffcli.Command{ @@ -177,7 +194,7 @@ func main() { ShortUsage: "gitops-pusher [options] test", ShortHelp: "Tests ACL changes", LongHelp: "Tests ACL changes", - Exec: test(cache, tailnet, apiKey), + Exec: test(cache, client, tailnet, apiKey), } cksumCmd := &ffcli.Command{ @@ -185,7 +202,7 @@ func main() { ShortUsage: "Shows checksums of ACL files", ShortHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", LongHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", - Exec: getChecksums(cache, tailnet, apiKey), + Exec: getChecksums(cache, client, tailnet, apiKey), } root := &ffcli.Command{ @@ -228,7 +245,7 @@ func sumFile(fname string) (string, error) { return fmt.Sprintf("%x", h.Sum(nil)), nil } -func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error { +func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname, oldEtag string) error { fin, err := os.Open(policyFname) if err != nil { return err @@ -244,7 +261,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri req.Header.Set("Content-Type", "application/hujson") req.Header.Set("If-Match", `"`+oldEtag+`"`) - resp, err := http.DefaultClient.Do(req) + resp, err := client.Do(req) if err != nil { return err } @@ -265,7 +282,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri return nil } -func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error { +func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname string) error { data, err := os.ReadFile(policyFname) if err != nil { return err @@ -283,7 +300,7 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error req.SetBasicAuth(apiKey, "") req.Header.Set("Content-Type", "application/hujson") - resp, err := http.DefaultClient.Do(req) + resp, err := client.Do(req) if err != nil { return err } @@ -346,7 +363,7 @@ type ACLTestErrorDetail struct { Errors []string `json:"errors"` } -func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) { +func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) { req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil) if err != nil { return "", err @@ -355,7 +372,7 @@ func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) { req.SetBasicAuth(apiKey, "") req.Header.Set("Accept", "application/hujson") - resp, err := http.DefaultClient.Do(req) + resp, err := client.Do(req) if err != nil { return "", err }