ipn/ipn{auth,server}: update ipnauth.Actor to carry a context

The context carries additional information about the actor, such as the
request reason, and is canceled when the actor is done.

Additionally, we implement three new ipnauth.Actor types that wrap other actors
to modify their behavior:
 - WithRequestReason, which adds a request reason to the actor;
 - WithoutClose, which narrows the actor's interface to prevent it from being
   closed;
 - WithPolicyChecks, which adds policy checks to the actor's CheckProfileAccess
   method.

Updates #14823

Signed-off-by: Nick Khyl <nickk@tailscale.com>
Nick Khyl
2025-02-07 10:47:14 -06:00
committed by Nick Khyl
parent 5a082fccec
commit e9e2bc5bd7
5 changed files with 77 additions and 6 deletions


@@ -4,6 +4,8 @@
package ipnauth
import (
"context"
"tailscale.com/ipn"
)
@@ -17,18 +19,21 @@ var Self Actor = unrestricted{}
type unrestricted struct{}
// UserID implements [Actor].
func (u unrestricted) UserID() ipn.WindowsUserID { return "" }
func (unrestricted) UserID() ipn.WindowsUserID { return "" }
// Username implements [Actor].
func (u unrestricted) Username() (string, error) { return "", nil }
func (unrestricted) Username() (string, error) { return "", nil }
// Context implements [Actor].
func (unrestricted) Context() context.Context { return context.Background() }
// ClientID implements [Actor].
// It always returns (NoClientID, false) because the tailscaled itself
// is not a connected LocalAPI client.
func (u unrestricted) ClientID() (_ ClientID, ok bool) { return NoClientID, false }
func (unrestricted) ClientID() (_ ClientID, ok bool) { return NoClientID, false }
// CheckProfileAccess implements [Actor].
func (u unrestricted) CheckProfileAccess(_ ipn.LoginProfileView, _ ProfileAccess, _ AuditLogFunc) error {
func (unrestricted) CheckProfileAccess(_ ipn.LoginProfileView, _ ProfileAccess, _ AuditLogFunc) error {
// Unrestricted access to all profiles.
return nil
}
@@ -37,10 +42,10 @@ func (u unrestricted) CheckProfileAccess(_ ipn.LoginProfileView, _ ProfileAccess
//
// Deprecated: this method exists for compatibility with the current (as of 2025-01-28)
// permission model and will be removed as we progress on tailscale/corp#18342.
func (u unrestricted) IsLocalSystem() bool { return false }
func (unrestricted) IsLocalSystem() bool { return false }
// IsLocalAdmin implements [Actor].
//
// Deprecated: this method exists for compatibility with the current (as of 2025-01-28)
// permission model and will be removed as we progress on tailscale/corp#18342.
func (u unrestricted) IsLocalAdmin(operatorUID string) bool { return false }
func (unrestricted) IsLocalAdmin(operatorUID string) bool { return false }
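Review bot: The new `Context()` method on `unrestricted` (second hunk) returns `context.Background()`, so the contract stated in the commit message, that the actor's context "is canceled when the actor is done", does not hold for `Self`, and the one-line comment should say so rather than only "implements [Actor]". I would expand it to `// Context implements [Actor]. It returns context.Background(), which is never canceled and carries no request reason, because tailscaled itself has no lifetime or request scope to bind to.` Anything that derives audit or request-reason information from the actor's context will presumably see none for actions taken as `Self`; if that is intended, a sentence noting it here would save the next reader a trip through the wrappers.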