From 3603a187103cffa41d504dfb36ca7872f5b73a54 Mon Sep 17 00:00:00 2001 From: Maisem Ali Date: Tue, 29 Mar 2022 12:43:26 -0700 Subject: [PATCH] ipn/localapi: add endpoint to request id token Updates tailscale/corp#4347 Signed-off-by: Maisem Ali --- ipn/localapi/localapi.go | 52 ++++++++++++++++++++++++++++++++++++++++ tailcfg/tailcfg.go | 5 ++-- 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go index f47c02c08..9fdcaedcb 100644 --- a/ipn/localapi/localapi.go +++ b/ipn/localapi/localapi.go @@ -6,6 +6,7 @@ package localapi import ( + "bytes" "crypto/rand" "encoding/hex" "encoding/json" @@ -24,6 +25,7 @@ import ( "inet.af/netaddr" "tailscale.com/client/tailscale/apitype" + "tailscale.com/envknob" "tailscale.com/ipn" "tailscale.com/ipn/ipnlocal" "tailscale.com/ipn/ipnstate" @@ -128,6 +130,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { h.serveSetExpirySooner(w, r) case "/localapi/v0/dial": h.serveDial(w, r) + case "/localapi/v0/id-token": + h.serveIDToken(w, r) case "/": io.WriteString(w, "tailscaled\n") default: @@ -135,6 +139,54 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { } } +// serveIDToken handles requests to get an OIDC ID token. +func (h *Handler) serveIDToken(w http.ResponseWriter, r *http.Request) { + if !h.PermitWrite { + http.Error(w, "id-token access denied", http.StatusForbidden) + return + } + if !envknob.UseWIPCode() { + http.Error(w, "id-token access denied", http.StatusServiceUnavailable) + return + } + nm := h.b.NetMap() + if nm == nil { + http.Error(w, "no netmap", http.StatusServiceUnavailable) + return + } + aud := strings.TrimSpace(r.FormValue("aud")) + if len(aud) == 0 { + http.Error(w, "no audience requested", http.StatusBadRequest) + return + } + req := &tailcfg.TokenRequest{ + CapVersion: tailcfg.CurrentCapabilityVersion, + Audience: aud, + NodeKey: nm.NodeKey, + } + b, err := json.Marshal(req) + if err != nil { + http.Error(w, err.Error(), 500) + return + } + httpReq, err := http.NewRequest("POST", "https://unused/machine/id-token", bytes.NewReader(b)) + if err != nil { + http.Error(w, err.Error(), 500) + return + } + resp, err := h.b.DoNoiseRequest(httpReq) + if err != nil { + http.Error(w, err.Error(), 500) + return + } + defer resp.Body.Close() + w.WriteHeader(resp.StatusCode) + if _, err := io.Copy(w, resp.Body); err != nil { + http.Error(w, err.Error(), 500) + return + } +} + func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) { if !h.PermitRead { http.Error(w, "bugreport access denied", http.StatusForbidden) diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go index e853a1394..c8d98ba66 100644 --- a/tailcfg/tailcfg.go +++ b/tailcfg/tailcfg.go @@ -65,8 +65,9 @@ type CapabilityVersion int // 26: 2022-01-12: (nothing, just bumping for 1.20.0) // 27: 2022-02-18: start of SSHPolicy being respected // 28: 2022-03-09: client can communicate over Noise. -// 29: 2022-03-09: MapResponse.PopBrowserURL -const CurrentCapabilityVersion CapabilityVersion = 29 +// 29: 2022-03-21: MapResponse.PopBrowserURL +// 30: 2022-03-22: client can request id tokens. +const CurrentCapabilityVersion CapabilityVersion = 30 type StableID string