TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-02-28 19:27:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
tailscale/ipn/ipnauth/self.go
Nick Khyl e9e2bc5bd7 ipn/ipn{auth,server}: update ipnauth.Actor to carry a context 
The context carries additional information about the actor, such as the
request reason, and is canceled when the actor is done.

Additionally, we implement three new ipn.Actor types that wrap other actors
to modify their behavior:
 - WithRequestReason, which adds a request reason to the actor;
 - WithoutClose, which narrows the actor's interface to prevent it from being
   closed;
 - WithPolicyChecks, which adds policy checks to the actor's CheckProfileAccess
   method.

Updates #14823

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-02-11 15:31:42 -06:00

52 lines
1.8 KiB
Go
Raw Blame History

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
package ipnauth
import (
"context"
"tailscale.com/ipn"
)
// Self is a caller identity that represents the tailscaled itself and therefore
// has unlimited access.
var Self Actor = unrestricted{}
// unrestricted is an [Actor] that has unlimited access to the currently running
// tailscaled instance. It's typically used for operations performed by tailscaled
// on its own, or upon a request from the control plane, rather on behalf of a user.
type unrestricted struct{}
// UserID implements [Actor].
func (unrestricted) UserID() ipn.WindowsUserID { return "" }
// Username implements [Actor].
func (unrestricted) Username() (string, error) { return "", nil }
// Context implements [Actor].
func (unrestricted) Context() context.Context { return context.Background() }
// ClientID implements [Actor].
// It always returns (NoClientID, false) because the tailscaled itself
// is not a connected LocalAPI client.
func (unrestricted) ClientID() (_ ClientID, ok bool) { return NoClientID, false }
// CheckProfileAccess implements [Actor].
func (unrestricted) CheckProfileAccess(_ ipn.LoginProfileView, _ ProfileAccess, _ AuditLogFunc) error {
// Unrestricted access to all profiles.
return nil
}
// IsLocalSystem implements [Actor].
//
// Deprecated: this method exists for compatibility with the current (as of 2025-01-28)
// permission model and will be removed as we progress on tailscale/corp#18342.
func (unrestricted) IsLocalSystem() bool { return false }
// IsLocalAdmin implements [Actor].
//
// Deprecated: this method exists for compatibility with the current (as of 2025-01-28)
// permission model and will be removed as we progress on tailscale/corp#18342.
func (unrestricted) IsLocalAdmin(operatorUID string) bool { return false }
Reference in New Issue View Git Blame Copy Permalink