mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-01 14:05:39 +00:00
874db2173b
We add the ClientID() method to the ipnauth.Actor interface and updated ipnserver.actor to implement it. This method returns a unique ID of the connected client if the actor represents one. It helps link a series of interactions initiated by the client, such as when a notification needs to be sent back to a specific session, rather than all active sessions, in response to a certain request. We also add LocalBackend.WatchNotificationsAs and LocalBackend.StartLoginInteractiveAs methods, which are like WatchNotifications and StartLoginInteractive but accept an additional parameter specifying an ipnauth.Actor who initiates the operation. We store these actor identities in watchSession.owner and LocalBackend.authActor, respectively,and implement LocalBackend.sendTo and related helper methods to enable sending notifications to watchSessions associated with actors (or, more broadly, identifiable recipients). We then use the above to change who receives the BrowseToURL notifications: - For user-initiated, interactive logins, the notification is delivered only to the user who initiated the process. If the initiating actor represents a specific connected client, the URL notification is sent back to the same LocalAPI client that called StartLoginInteractive. Otherwise, the notification is sent to all clients connected as that user. Currently, we only differentiate between users on Windows, as it is inherently a multi-user OS. - In all other cases (e.g., node key expiration), we send the notification to all connected users. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>
32 lines
869 B
Go
32 lines
869 B
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build !windows
|
|
|
|
package ipnauth
|
|
|
|
import (
|
|
"net"
|
|
|
|
"github.com/tailscale/peercred"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
// GetConnIdentity extracts the identity information from the connection
|
|
// based on the user who owns the other end of the connection.
|
|
// and couldn't. The returned connIdentity has NotWindows set to true.
|
|
func GetConnIdentity(_ logger.Logf, c net.Conn) (ci *ConnIdentity, err error) {
|
|
ci = &ConnIdentity{conn: c, notWindows: true}
|
|
_, ci.isUnixSock = c.(*net.UnixConn)
|
|
if ci.creds, _ = peercred.Get(c); ci.creds != nil {
|
|
ci.pid, _ = ci.creds.PID()
|
|
}
|
|
return ci, nil
|
|
}
|
|
|
|
// WindowsToken is unsupported when GOOS != windows and always returns
|
|
// ErrNotImplemented.
|
|
func (ci *ConnIdentity) WindowsToken() (WindowsToken, error) {
|
|
return nil, ErrNotImplemented
|
|
}
|