ipn/localapi: add endpoint to request id token

Updates tailscale/corp#4347

Signed-off-by: Maisem Ali <maisem@tailscale.com>
pull/4362/head
Maisem Ali 3 years ago committed by Maisem Ali
parent 035e8ab00e
commit 3603a18710

@ -6,6 +6,7 @@
package localapi package localapi
import ( import (
"bytes"
"crypto/rand" "crypto/rand"
"encoding/hex" "encoding/hex"
"encoding/json" "encoding/json"
@ -24,6 +25,7 @@ import (
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/client/tailscale/apitype" "tailscale.com/client/tailscale/apitype"
"tailscale.com/envknob"
"tailscale.com/ipn" "tailscale.com/ipn"
"tailscale.com/ipn/ipnlocal" "tailscale.com/ipn/ipnlocal"
"tailscale.com/ipn/ipnstate" "tailscale.com/ipn/ipnstate"
@ -128,6 +130,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
h.serveSetExpirySooner(w, r) h.serveSetExpirySooner(w, r)
case "/localapi/v0/dial": case "/localapi/v0/dial":
h.serveDial(w, r) h.serveDial(w, r)
case "/localapi/v0/id-token":
h.serveIDToken(w, r)
case "/": case "/":
io.WriteString(w, "tailscaled\n") io.WriteString(w, "tailscaled\n")
default: default:
@ -135,6 +139,54 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
} }
// serveIDToken handles requests to get an OIDC ID token.
func (h *Handler) serveIDToken(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite {
http.Error(w, "id-token access denied", http.StatusForbidden)
return
}
if !envknob.UseWIPCode() {
http.Error(w, "id-token access denied", http.StatusServiceUnavailable)
return
}
nm := h.b.NetMap()
if nm == nil {
http.Error(w, "no netmap", http.StatusServiceUnavailable)
return
}
aud := strings.TrimSpace(r.FormValue("aud"))
if len(aud) == 0 {
http.Error(w, "no audience requested", http.StatusBadRequest)
return
}
req := &tailcfg.TokenRequest{
CapVersion: tailcfg.CurrentCapabilityVersion,
Audience: aud,
NodeKey: nm.NodeKey,
}
b, err := json.Marshal(req)
if err != nil {
http.Error(w, err.Error(), 500)
return
}
httpReq, err := http.NewRequest("POST", "https://unused/machine/id-token", bytes.NewReader(b))
if err != nil {
http.Error(w, err.Error(), 500)
return
}
resp, err := h.b.DoNoiseRequest(httpReq)
if err != nil {
http.Error(w, err.Error(), 500)
return
}
defer resp.Body.Close()
w.WriteHeader(resp.StatusCode)
if _, err := io.Copy(w, resp.Body); err != nil {
http.Error(w, err.Error(), 500)
return
}
}
func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) { func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
if !h.PermitRead { if !h.PermitRead {
http.Error(w, "bugreport access denied", http.StatusForbidden) http.Error(w, "bugreport access denied", http.StatusForbidden)

@ -65,8 +65,9 @@ type CapabilityVersion int
// 26: 2022-01-12: (nothing, just bumping for 1.20.0) // 26: 2022-01-12: (nothing, just bumping for 1.20.0)
// 27: 2022-02-18: start of SSHPolicy being respected // 27: 2022-02-18: start of SSHPolicy being respected
// 28: 2022-03-09: client can communicate over Noise. // 28: 2022-03-09: client can communicate over Noise.
// 29: 2022-03-09: MapResponse.PopBrowserURL // 29: 2022-03-21: MapResponse.PopBrowserURL
const CurrentCapabilityVersion CapabilityVersion = 29 // 30: 2022-03-22: client can request id tokens.
const CurrentCapabilityVersion CapabilityVersion = 30
type StableID string type StableID string

Loading…
Cancel
Save