@ -668,7 +668,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
if err != nil {
return err
}
authKey , err = resolveAuthKey ( ctx , authKey )
authKey , err = resolveAuthKey ( ctx , authKey , upArgs . advertiseTags )
if err != nil {
return err
}
@ -1121,19 +1121,23 @@ func init() {
// resolveAuthKey either returns v unchanged (in the common case) or, if it
// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
//
// tskey-client-xxxx[?ephemeral=false& tags=foo, bar&preauthorized=BOOL&baseURL=...]
// tskey-client-xxxx[?ephemeral=false& bar&preauthorized=BOOL&baseURL=...]
//
// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
// property defaults to true if unspecified. The "preauthorized" defaults to
// false. The "baseURL" defaults to
// https://api.tailscale.com.
func resolveAuthKey ( ctx context . Context , v string ) ( string , error ) {
// false. The "baseURL" defaults to https://api.tailscale.com.
// The passed in tags are required, and must be non-empty. These will be
// set on the authkey generated by the OAuth2 dance.
func resolveAuthKey ( ctx context . Context , v , tags string ) ( string , error ) {
if ! strings . HasPrefix ( v , "tskey-client-" ) {
return v , nil
}
if ! envknob . Bool ( "TS_EXPERIMENT_OAUTH_AUTHKEY" ) {
return "" , errors . New ( "oauth authkeys are in experimental status" )
}
if tags == "" {
return "" , errors . New ( "oauth authkeys require --advertise-tags" )
}
clientSecret , named , _ := strings . Cut ( v , "?" )
attrs , err := url . ParseQuery ( named )
@ -1142,7 +1146,7 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
}
for k := range attrs {
switch k {
case "ephemeral" , "preauthorized" , " tags", " baseURL":
case "ephemeral" , "preauthorized" , " baseURL":
default :
return "" , fmt . Errorf ( "unknown attribute %q" , k )
}
@ -1166,10 +1170,6 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
if err != nil {
return "" , err
}
var tags [ ] string
if v := attrs . Get ( "tags" ) ; v != "" {
tags = strings . Split ( v , "," )
}
baseURL := "https://api.tailscale.com"
if v := attrs . Get ( "baseURL" ) ; v != "" {
@ -1193,7 +1193,7 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
Reusable : false ,
Ephemeral : ephemeral ,
Preauthorized : preauth ,
Tags : tags,
Tags : strings. Split ( tags, "," ) ,
} ,
} ,
}