|
|
@ -261,15 +261,14 @@ const (
|
|
|
|
func (c *Direct) TryLogout(ctx context.Context) error {
|
|
|
|
func (c *Direct) TryLogout(ctx context.Context) error {
|
|
|
|
c.logf("direct.TryLogout()")
|
|
|
|
c.logf("direct.TryLogout()")
|
|
|
|
|
|
|
|
|
|
|
|
c.mu.Lock()
|
|
|
|
mustRegen, newURL, err := c.doLogin(ctx, loginOpt{Logout: true})
|
|
|
|
defer c.mu.Unlock()
|
|
|
|
c.logf("TryLogout control response: mustRegen=%v, newURL=%v, err=%v", mustRegen, newURL, err)
|
|
|
|
|
|
|
|
|
|
|
|
// TODO(crawshaw): Tell the server. This node key should be
|
|
|
|
c.mu.Lock()
|
|
|
|
// immediately invalidated.
|
|
|
|
|
|
|
|
//if !c.persist.PrivateNodeKey.IsZero() {
|
|
|
|
|
|
|
|
//}
|
|
|
|
|
|
|
|
c.persist = persist.Persist{}
|
|
|
|
c.persist = persist.Persist{}
|
|
|
|
return nil
|
|
|
|
c.mu.Unlock()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (c *Direct) TryLogin(ctx context.Context, t *tailcfg.Oauth2Token, flags LoginFlags) (url string, err error) {
|
|
|
|
func (c *Direct) TryLogin(ctx context.Context, t *tailcfg.Oauth2Token, flags LoginFlags) (url string, err error) {
|
|
|
@ -298,10 +297,11 @@ func (c *Direct) doLoginOrRegen(ctx context.Context, opt loginOpt) (newURL strin
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
type loginOpt struct {
|
|
|
|
type loginOpt struct {
|
|
|
|
Token *tailcfg.Oauth2Token
|
|
|
|
Token *tailcfg.Oauth2Token
|
|
|
|
Flags LoginFlags
|
|
|
|
Flags LoginFlags
|
|
|
|
Regen bool
|
|
|
|
Regen bool
|
|
|
|
URL string
|
|
|
|
URL string
|
|
|
|
|
|
|
|
Logout bool
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
|
|
|
|
func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
|
|
|
@ -324,14 +324,18 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
regen := opt.Regen
|
|
|
|
regen := opt.Regen
|
|
|
|
if expired {
|
|
|
|
if opt.Logout {
|
|
|
|
c.logf("Old key expired -> regen=true")
|
|
|
|
c.logf("logging out...")
|
|
|
|
systemd.Status("key expired; run 'tailscale up' to authenticate")
|
|
|
|
} else {
|
|
|
|
regen = true
|
|
|
|
if expired {
|
|
|
|
}
|
|
|
|
c.logf("Old key expired -> regen=true")
|
|
|
|
if (opt.Flags & LoginInteractive) != 0 {
|
|
|
|
systemd.Status("key expired; run 'tailscale up' to authenticate")
|
|
|
|
c.logf("LoginInteractive -> regen=true")
|
|
|
|
regen = true
|
|
|
|
regen = true
|
|
|
|
}
|
|
|
|
|
|
|
|
if (opt.Flags & LoginInteractive) != 0 {
|
|
|
|
|
|
|
|
c.logf("LoginInteractive -> regen=true")
|
|
|
|
|
|
|
|
regen = true
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.logf("doLogin(regen=%v, hasUrl=%v)", regen, opt.URL != "")
|
|
|
|
c.logf("doLogin(regen=%v, hasUrl=%v)", regen, opt.URL != "")
|
|
|
@ -348,8 +352,12 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var oldNodeKey wgkey.Key
|
|
|
|
var oldNodeKey wgkey.Key
|
|
|
|
if opt.URL != "" {
|
|
|
|
switch {
|
|
|
|
} else if regen || persist.PrivateNodeKey.IsZero() {
|
|
|
|
case opt.Logout:
|
|
|
|
|
|
|
|
tryingNewKey = persist.PrivateNodeKey
|
|
|
|
|
|
|
|
case opt.URL != "":
|
|
|
|
|
|
|
|
// Nothing.
|
|
|
|
|
|
|
|
case regen || persist.PrivateNodeKey.IsZero():
|
|
|
|
c.logf("Generating a new nodekey.")
|
|
|
|
c.logf("Generating a new nodekey.")
|
|
|
|
persist.OldPrivateNodeKey = persist.PrivateNodeKey
|
|
|
|
persist.OldPrivateNodeKey = persist.PrivateNodeKey
|
|
|
|
key, err := wgkey.NewPrivate()
|
|
|
|
key, err := wgkey.NewPrivate()
|
|
|
@ -358,7 +366,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
|
|
|
|
return regen, opt.URL, err
|
|
|
|
return regen, opt.URL, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
tryingNewKey = key
|
|
|
|
tryingNewKey = key
|
|
|
|
} else {
|
|
|
|
default:
|
|
|
|
// Try refreshing the current key first
|
|
|
|
// Try refreshing the current key first
|
|
|
|
tryingNewKey = persist.PrivateNodeKey
|
|
|
|
tryingNewKey = persist.PrivateNodeKey
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -367,6 +375,9 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if tryingNewKey.IsZero() {
|
|
|
|
if tryingNewKey.IsZero() {
|
|
|
|
|
|
|
|
if opt.Logout {
|
|
|
|
|
|
|
|
return false, "", errors.New("no nodekey to log out")
|
|
|
|
|
|
|
|
}
|
|
|
|
log.Fatalf("tryingNewKey is empty, give up")
|
|
|
|
log.Fatalf("tryingNewKey is empty, give up")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if backendLogID == "" {
|
|
|
|
if backendLogID == "" {
|
|
|
@ -382,6 +393,9 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
|
|
|
|
Followup: opt.URL,
|
|
|
|
Followup: opt.URL,
|
|
|
|
Timestamp: &now,
|
|
|
|
Timestamp: &now,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if opt.Logout {
|
|
|
|
|
|
|
|
request.Expiry = time.Unix(123, 0) // far in the past
|
|
|
|
|
|
|
|
}
|
|
|
|
c.logf("RegisterReq: onode=%v node=%v fup=%v",
|
|
|
|
c.logf("RegisterReq: onode=%v node=%v fup=%v",
|
|
|
|
request.OldNodeKey.ShortString(),
|
|
|
|
request.OldNodeKey.ShortString(),
|
|
|
|
request.NodeKey.ShortString(), opt.URL != "")
|
|
|
|
request.NodeKey.ShortString(), opt.URL != "")
|
|
|
@ -403,6 +417,11 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
|
|
|
|
c.logf("RegisterReq sign error: %v", err)
|
|
|
|
c.logf("RegisterReq sign error: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if debugRegister {
|
|
|
|
|
|
|
|
j, _ := json.MarshalIndent(request, "", "\t")
|
|
|
|
|
|
|
|
c.logf("RegisterRequest: %s", j)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bodyData, err := encode(request, &serverKey, &machinePrivKey)
|
|
|
|
bodyData, err := encode(request, &serverKey, &machinePrivKey)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return regen, opt.URL, err
|
|
|
|
return regen, opt.URL, err
|
|
|
@ -431,6 +450,11 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
|
|
|
|
c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
|
|
|
|
c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
|
|
|
|
return regen, opt.URL, fmt.Errorf("register request: %v", err)
|
|
|
|
return regen, opt.URL, fmt.Errorf("register request: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if debugRegister {
|
|
|
|
|
|
|
|
j, _ := json.MarshalIndent(resp, "", "\t")
|
|
|
|
|
|
|
|
c.logf("RegisterResponse: %s", j)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Log without PII:
|
|
|
|
// Log without PII:
|
|
|
|
c.logf("RegisterReq: got response; nodeKeyExpired=%v, machineAuthorized=%v; authURL=%v",
|
|
|
|
c.logf("RegisterReq: got response; nodeKeyExpired=%v, machineAuthorized=%v; authURL=%v",
|
|
|
|
resp.NodeKeyExpired, resp.MachineAuthorized, resp.AuthURL != "")
|
|
|
|
resp.NodeKeyExpired, resp.MachineAuthorized, resp.AuthURL != "")
|
|
|
@ -902,7 +926,10 @@ func decode(res *http.Response, v interface{}, serverKey *wgkey.Key, mkey *wgkey
|
|
|
|
return decodeMsg(msg, v, serverKey, mkey)
|
|
|
|
return decodeMsg(msg, v, serverKey, mkey)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var debugMap, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
|
|
|
|
var (
|
|
|
|
|
|
|
|
debugMap, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
|
|
|
|
|
|
|
|
debugRegister, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_REGISTER"))
|
|
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
var jsonEscapedZero = []byte(`\u0000`)
|
|
|
|
var jsonEscapedZero = []byte(`\u0000`)
|
|
|
|
|
|
|
|
|
|
|
|