Add support for OAuth tokens #7394 (#7393)

Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com>
pull/7389/head
Vladimir Pouzanov 2 years ago committed by GitHub
parent 49c206fe1e
commit e3211ff88b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -22,6 +22,7 @@ import (
"github.com/peterbourgon/ff/v3/ffcli" "github.com/peterbourgon/ff/v3/ffcli"
"github.com/tailscale/hujson" "github.com/tailscale/hujson"
"golang.org/x/oauth2/clientcredentials"
"tailscale.com/util/httpm" "tailscale.com/util/httpm"
) )
@ -42,9 +43,9 @@ func modifiedExternallyError() {
} }
} }
func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
return func(ctx context.Context, args []string) error { return func(ctx context.Context, args []string) error {
controlEtag, err := getACLETag(ctx, tailnet, apiKey) controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
if err != nil { if err != nil {
return err return err
} }
@ -73,7 +74,7 @@ func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string)
return nil return nil
} }
if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil { if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil {
return err return err
} }
@ -83,9 +84,9 @@ func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string)
} }
} }
func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
return func(ctx context.Context, args []string) error { return func(ctx context.Context, args []string) error {
controlEtag, err := getACLETag(ctx, tailnet, apiKey) controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
if err != nil { if err != nil {
return err return err
} }
@ -113,16 +114,16 @@ func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string)
return nil return nil
} }
if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil { if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil {
return err return err
} }
return nil return nil
} }
} }
func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error { func getChecksums(cache *Cache, client *http.Client, tailnet, apiKey string) func(context.Context, []string) error {
return func(ctx context.Context, args []string) error { return func(ctx context.Context, args []string) error {
controlEtag, err := getACLETag(ctx, tailnet, apiKey) controlEtag, err := getACLETag(ctx, client, tailnet, apiKey)
if err != nil { if err != nil {
return err return err
} }
@ -151,8 +152,24 @@ func main() {
log.Fatal("set envvar TS_TAILNET to your tailnet's name") log.Fatal("set envvar TS_TAILNET to your tailnet's name")
} }
apiKey, ok := os.LookupEnv("TS_API_KEY") apiKey, ok := os.LookupEnv("TS_API_KEY")
if !ok { oauthId, oiok := os.LookupEnv("TS_OAUTH_ID")
log.Fatal("set envvar TS_API_KEY to your Tailscale API key") oauthSecret, osok := os.LookupEnv("TS_OAUTH_SECRET")
if !ok && (!oiok || !osok) {
log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret")
}
if ok && (oiok || osok) {
log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
}
var client *http.Client
if oiok {
oauthConfig := &clientcredentials.Config{
ClientID: oauthId,
ClientSecret: oauthSecret,
TokenURL: fmt.Sprintf("https://%s/api/v2/oauth/token", *apiServer),
}
client = oauthConfig.Client(context.Background())
} else {
client = http.DefaultClient
} }
cache, err := LoadCache(*cacheFname) cache, err := LoadCache(*cacheFname)
if err != nil { if err != nil {
@ -169,7 +186,7 @@ func main() {
ShortUsage: "gitops-pusher [options] apply", ShortUsage: "gitops-pusher [options] apply",
ShortHelp: "Pushes changes to CONTROL", ShortHelp: "Pushes changes to CONTROL",
LongHelp: `Pushes changes to CONTROL`, LongHelp: `Pushes changes to CONTROL`,
Exec: apply(cache, tailnet, apiKey), Exec: apply(cache, client, tailnet, apiKey),
} }
testCmd := &ffcli.Command{ testCmd := &ffcli.Command{
@ -177,7 +194,7 @@ func main() {
ShortUsage: "gitops-pusher [options] test", ShortUsage: "gitops-pusher [options] test",
ShortHelp: "Tests ACL changes", ShortHelp: "Tests ACL changes",
LongHelp: "Tests ACL changes", LongHelp: "Tests ACL changes",
Exec: test(cache, tailnet, apiKey), Exec: test(cache, client, tailnet, apiKey),
} }
cksumCmd := &ffcli.Command{ cksumCmd := &ffcli.Command{
@ -185,7 +202,7 @@ func main() {
ShortUsage: "Shows checksums of ACL files", ShortUsage: "Shows checksums of ACL files",
ShortHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", ShortHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
LongHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison", LongHelp: "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
Exec: getChecksums(cache, tailnet, apiKey), Exec: getChecksums(cache, client, tailnet, apiKey),
} }
root := &ffcli.Command{ root := &ffcli.Command{
@ -228,7 +245,7 @@ func sumFile(fname string) (string, error) {
return fmt.Sprintf("%x", h.Sum(nil)), nil return fmt.Sprintf("%x", h.Sum(nil)), nil
} }
func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error { func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname, oldEtag string) error {
fin, err := os.Open(policyFname) fin, err := os.Open(policyFname)
if err != nil { if err != nil {
return err return err
@ -244,7 +261,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
req.Header.Set("Content-Type", "application/hujson") req.Header.Set("Content-Type", "application/hujson")
req.Header.Set("If-Match", `"`+oldEtag+`"`) req.Header.Set("If-Match", `"`+oldEtag+`"`)
resp, err := http.DefaultClient.Do(req) resp, err := client.Do(req)
if err != nil { if err != nil {
return err return err
} }
@ -265,7 +282,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
return nil return nil
} }
func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error { func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, policyFname string) error {
data, err := os.ReadFile(policyFname) data, err := os.ReadFile(policyFname)
if err != nil { if err != nil {
return err return err
@ -283,7 +300,7 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
req.SetBasicAuth(apiKey, "") req.SetBasicAuth(apiKey, "")
req.Header.Set("Content-Type", "application/hujson") req.Header.Set("Content-Type", "application/hujson")
resp, err := http.DefaultClient.Do(req) resp, err := client.Do(req)
if err != nil { if err != nil {
return err return err
} }
@ -346,7 +363,7 @@ type ACLTestErrorDetail struct {
Errors []string `json:"errors"` Errors []string `json:"errors"`
} }
func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) { func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) {
req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil) req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
if err != nil { if err != nil {
return "", err return "", err
@ -355,7 +372,7 @@ func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
req.SetBasicAuth(apiKey, "") req.SetBasicAuth(apiKey, "")
req.Header.Set("Accept", "application/hujson") req.Header.Set("Accept", "application/hujson")
resp, err := http.DefaultClient.Do(req) resp, err := client.Do(req)
if err != nil { if err != nil {
return "", err return "", err
} }

Loading…
Cancel
Save