|
|
|
|
@ -1118,33 +1118,31 @@ func init() {
|
|
|
|
|
tailscale.I_Acknowledge_This_API_Is_Unstable = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// resolveAuthKey either returns v unchanged (in the common case)
|
|
|
|
|
// or, if it starts with "oauth:" parses it as one of:
|
|
|
|
|
// resolveAuthKey either returns v unchanged (in the common case) or, if it
|
|
|
|
|
// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
|
|
|
|
|
//
|
|
|
|
|
// oauth2:CLIENT_ID:CLIENT_SECRET?ephemeral=false&tags=foo,bar&preauthorized=BOOL
|
|
|
|
|
// oauth2:CLIENT_ID:CLIENT_SECRET:BASE_URL?...
|
|
|
|
|
// tskey-client-xxxx[?ephemeral=false&tags=foo,bar&preauthorized=BOOL&baseURL=...]
|
|
|
|
|
//
|
|
|
|
|
// and does the OAuth2 dance to get and return an authkey. The "ephemeral" property
|
|
|
|
|
// defaults to true if unspecified. The "preauthorized" defaults to false.
|
|
|
|
|
//
|
|
|
|
|
// If the BASE_URL argument is not provided, it defaults to https://api.tailscale.com.
|
|
|
|
|
// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
|
|
|
|
|
// property defaults to true if unspecified. The "preauthorized" defaults to
|
|
|
|
|
// false. The "baseURL" defaults to
|
|
|
|
|
// https://api.tailscale.com.
|
|
|
|
|
func resolveAuthKey(ctx context.Context, v string) (string, error) {
|
|
|
|
|
suff, ok := strings.CutPrefix(v, "oauth:")
|
|
|
|
|
if !ok {
|
|
|
|
|
if !strings.HasPrefix(v, "tskey-client-") {
|
|
|
|
|
return v, nil
|
|
|
|
|
}
|
|
|
|
|
if !envknob.Bool("TS_EXPERIMENT_OAUTH_AUTHKEY") {
|
|
|
|
|
return "", errors.New("oauth authkeys are in experimental status")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pos, named, _ := strings.Cut(suff, "?")
|
|
|
|
|
clientSecret, named, _ := strings.Cut(v, "?")
|
|
|
|
|
attrs, err := url.ParseQuery(named)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
for k := range attrs {
|
|
|
|
|
switch k {
|
|
|
|
|
case "ephemeral", "preauthorized", "tags":
|
|
|
|
|
case "ephemeral", "preauthorized", "tags", "baseURL":
|
|
|
|
|
default:
|
|
|
|
|
return "", fmt.Errorf("unknown attribute %q", k)
|
|
|
|
|
}
|
|
|
|
|
@ -1173,18 +1171,13 @@ func resolveAuthKey(ctx context.Context, v string) (string, error) {
|
|
|
|
|
tags = strings.Split(v, ",")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f := strings.SplitN(pos, ":", 3)
|
|
|
|
|
if len(f) < 2 || len(f) > 3 {
|
|
|
|
|
return "", errors.New("invalid auth key format; want oauth2:CLIENT_ID:CLIENT_SECRET[:BASE_URL]")
|
|
|
|
|
}
|
|
|
|
|
clientID, clientSecret := f[0], f[1]
|
|
|
|
|
baseURL := "https://api.tailscale.com"
|
|
|
|
|
if len(f) == 3 {
|
|
|
|
|
baseURL = f[2]
|
|
|
|
|
if v := attrs.Get("baseURL"); v != "" {
|
|
|
|
|
baseURL = v
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
credentials := clientcredentials.Config{
|
|
|
|
|
ClientID: clientID,
|
|
|
|
|
ClientID: "some-client-id", // ignored
|
|
|
|
|
ClientSecret: clientSecret,
|
|
|
|
|
TokenURL: baseURL + "/api/v2/oauth/token",
|
|
|
|
|
Scopes: []string{"device"},
|
|
|
|
|
|
Brad Fitzpatrick
2 years ago
committed by