mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-10 18:13:41 +00:00
06a82f416f
OAuth clients that were used to generate an auth_key previously specified the scope 'device'. 'device' is not an actual scope, the real scope is 'devices'. The resulting OAuth token ended up including all scopes from the specified OAuth client, so the code was able to successfully create auth_keys. It's better not to hardcode a scope here anyway, so that we have the flexibility of changing which scope(s) are used in the future without having to update old clients. Since the qualifier never actually did anything, this commit simply removes it. Updates tailscale/corp#24934 Signed-off-by: Percy Wegmann <percy@tailscale.com>
75 lines
2.0 KiB
Go
75 lines
2.0 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
// get-authkey allocates an authkey using an OAuth API client
|
|
// https://tailscale.com/s/oauth-clients and prints it
|
|
// to stdout for scripts to capture and use.
|
|
package main
|
|
|
|
import (
|
|
"cmp"
|
|
"context"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"os"
|
|
"strings"
|
|
|
|
"golang.org/x/oauth2/clientcredentials"
|
|
"tailscale.com/client/tailscale"
|
|
)
|
|
|
|
func main() {
|
|
// Required to use our client API. We're fine with the instability since the
|
|
// client lives in the same repo as this code.
|
|
tailscale.I_Acknowledge_This_API_Is_Unstable = true
|
|
|
|
reusable := flag.Bool("reusable", false, "allocate a reusable authkey")
|
|
ephemeral := flag.Bool("ephemeral", false, "allocate an ephemeral authkey")
|
|
preauth := flag.Bool("preauth", true, "set the authkey as pre-authorized")
|
|
tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")
|
|
flag.Parse()
|
|
|
|
clientID := os.Getenv("TS_API_CLIENT_ID")
|
|
clientSecret := os.Getenv("TS_API_CLIENT_SECRET")
|
|
if clientID == "" || clientSecret == "" {
|
|
log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")
|
|
}
|
|
|
|
if *tags == "" {
|
|
log.Fatal("at least one tag must be specified")
|
|
}
|
|
|
|
baseURL := cmp.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")
|
|
|
|
credentials := clientcredentials.Config{
|
|
ClientID: clientID,
|
|
ClientSecret: clientSecret,
|
|
TokenURL: baseURL + "/api/v2/oauth/token",
|
|
}
|
|
|
|
ctx := context.Background()
|
|
tsClient := tailscale.NewClient("-", nil)
|
|
tsClient.UserAgent = "tailscale-get-authkey"
|
|
tsClient.HTTPClient = credentials.Client(ctx)
|
|
tsClient.BaseURL = baseURL
|
|
|
|
caps := tailscale.KeyCapabilities{
|
|
Devices: tailscale.KeyDeviceCapabilities{
|
|
Create: tailscale.KeyDeviceCreateCapabilities{
|
|
Reusable: *reusable,
|
|
Ephemeral: *ephemeral,
|
|
Preauthorized: *preauth,
|
|
Tags: strings.Split(*tags, ","),
|
|
},
|
|
},
|
|
}
|
|
|
|
authkey, _, err := tsClient.CreateKey(ctx, caps)
|
|
if err != nil {
|
|
log.Fatal(err.Error())
|
|
}
|
|
|
|
fmt.Println(authkey)
|
|
}
|