From 57de94c7aa98bf0fa0540c495ad5f4ef5000f906 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Wed, 4 Mar 2020 13:49:18 -0800
Subject: [PATCH] tsweb: add /debug/ access via &debugkey + TS_DEBUG_KEY_PATH
---
 tsweb/tsweb.go | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/tsweb/tsweb.go b/tsweb/tsweb.go
index 27ec6f1b3..305fabcf1 100644
--- a/tsweb/tsweb.go
+++ b/tsweb/tsweb.go
@@ -6,9 +6,11 @@
 package tsweb
 
 import (
+ "bytes"
 "expvar"
 _ "expvar"
 "fmt"
+ "io/ioutil"
 "net"
 "net/http"
 _ "net/http/pprof"
@@ -65,7 +67,20 @@ func AllowDebugAccess(r *http.Request) bool {
 return false
 }
 ip := net.ParseIP(ipStr)
- return interfaces.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == os.Getenv("ALLOW_DEBUG_IP")
+ if interfaces.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == os.Getenv("TS_ALLOW_DEBUG_IP") {
+ return true
+ }
+ if r.Method == "GET" {
+ urlKey := r.FormValue("debugkey")
+ keyPath := os.Getenv("TS_DEBUG_KEY_PATH")
+ if urlKey != "" && keyPath != "" {
+ slurp, err := ioutil.ReadFile(keyPath)
+ if err == nil && string(bytes.TrimSpace(slurp)) == urlKey {
+ return true
+ }
+ }
+ }
+ return false
 }
 
 // Protected wraps a provided debug handler, h, returning a Handler
@@ -77,7 +92,7 @@ func Protected(h http.Handler) http.Handler {
 msg := "debug access denied"
 if DevMode {
 ipStr, _, _ := net.SplitHostPort(r.RemoteAddr)
- msg += fmt.Sprintf("; to permit access, set ALLOW_DEBUG_IP=%v", ipStr)
+ msg += fmt.Sprintf("; to permit access, set TS_ALLOW_DEBUG_IP=%v", ipStr)
 }
 http.Error(w, msg, http.StatusForbidden)
 return
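Review bot: The key check in the new `r.Method == "GET"` branch of AllowDebugAccess compares the secret with `==`, which is not constant-time; `subtle.ConstantTimeCompare(bytes.TrimSpace(slurp), []byte(urlKey)) == 1`, with `crypto/subtle` added to the import block, avoids leaking how much of the key matched. Because the key travels in the query string, it will also end up in access logs, proxy logs, browser history and Referer headers, so the function's doc comment should state that `debugkey` must be treated as logged and rotated accordingly, or the key should be accepted from a request header instead. A read error on the `TS_DEBUG_KEY_PATH` file is silently treated as a denial, which fails closed but gives the operator no hint that the path is wrong; logging that error would help. The start of the function body lies outside this hunk, so how `ipStr` is derived is not visible here.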