cmd/tailscale/cli: [up] reuse --advertise-tags for OAuth key generation

We need to always specify tags when creating an AuthKey from an OAuth key. Check for that, and reuse the `--advertise-tags` param. Updates #7982 Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago · a8f10c23b2
parent b2b5379348
commit a8f10c23b2
1 changed files with 11 additions and 11 deletions
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@ -668,7 +668,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 		if err != nil {
 			return err
 		}
-		authKey, err = resolveAuthKey(ctx, authKey)
+		authKey, err = resolveAuthKey(ctx, authKey, upArgs.advertiseTags)
 		if err != nil {
 			return err
 		}
@ -1121,19 +1121,23 @@ func init() {
 // resolveAuthKey either returns v unchanged (in the common case) or, if it
 // starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
 //
-//	tskey-client-xxxx[?ephemeral=false&tags=foo,bar&preauthorized=BOOL&baseURL=...]
+//	tskey-client-xxxx[?ephemeral=false&bar&preauthorized=BOOL&baseURL=...]
 //
 // and does the OAuth2 dance to get and return an authkey. The "ephemeral"
 // property defaults to true if unspecified. The "preauthorized" defaults to
-// false. The "baseURL" defaults to
-// https://api.tailscale.com.
-func resolveAuthKey(ctx context.Context, v string) (string, error) {
+// false. The "baseURL" defaults to https://api.tailscale.com.
+// The passed in tags are required, and must be non-empty. These will be
+// set on the authkey generated by the OAuth2 dance.
+func resolveAuthKey(ctx context.Context, v, tags string) (string, error) {
 	if !strings.HasPrefix(v, "tskey-client-") {
 		return v, nil
 	}
 	if !envknob.Bool("TS_EXPERIMENT_OAUTH_AUTHKEY") {
 		return "", errors.New("oauth authkeys are in experimental status")
 	}
+	if tags == "" {
+		return "", errors.New("oauth authkeys require --advertise-tags")
+	}

 	clientSecret, named, _ := strings.Cut(v, "?")
 	attrs, err := url.ParseQuery(named)
@ -1142,7 +1146,7 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
 	}
 	for k := range attrs {
 		switch k {
-		case "ephemeral", "preauthorized", "tags", "baseURL":
+		case "ephemeral", "preauthorized", "baseURL":
 		default:
 			return "", fmt.Errorf("unknown attribute %q", k)
 		}
@ -1166,10 +1170,6 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	var tags []string
-	if v := attrs.Get("tags"); v != "" {
-		tags = strings.Split(v, ",")
-	}

 	baseURL := "https://api.tailscale.com"
 	if v := attrs.Get("baseURL"); v != "" {
@ -1193,7 +1193,7 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
 				Reusable:      false,
 				Ephemeral:     ephemeral,
 				Preauthorized: preauth,
-				Tags:          tags,
+				Tags:          strings.Split(tags, ","),
 			},
 		},
 	}