cmd/tailscale/web: add support for QNAP

Signed-off-by: Maisem Ali <maisem@tailscale.com>
4 years ago · f944614c5c
parent 8b11937eaf
commit f944614c5c
10 changed files with 329 additions and 152 deletions
--- a/cmd/tailscale/cli/auth-redirect.html
+++ b/cmd/tailscale/cli/auth-redirect.html
@ -0,0 +1,57 @@
 <html>
 <head>
 	<title>Redirecting...</title>
 	<style>
 		html,
 		body {
 			height: 100%;
 		}
 		html {
 			background-color: rgb(249, 247, 246);
 			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
 			line-height: 1.5;
 			-webkit-text-size-adjust: 100%;
 			-webkit-font-smoothing: antialiased;
 			-moz-osx-font-smoothing: grayscale;
 		}
 		body {
 			display: flex;
 			flex-direction: column;
 			align-items: center;
 			justify-content: center;
 		}
 		.spinner {
 			margin-bottom: 2rem;
 			border: 4px rgba(112, 110, 109, 0.5) solid;
 			border-left-color: transparent;
 			border-radius: 9999px;
 			width: 4rem;
 			height: 4rem;
 			-webkit-animation: spin 700ms linear infinite;
      animation: spin 800ms linear infinite;
 		}
 		.label {
 			color: rgb(112, 110, 109);
 			padding-left: 0.4rem;
 		}
 		@-webkit-keyframes spin {
 			to {
 				transform: rotate(360deg);
 			}
 		}
 		@keyframes spin {
 			to {
 				transform: rotate(360deg);
 			}
 		}
 	</style>
 </head> <body>
 	<div class="spinner"></div>
 	<div class="label">Redirecting...</div>
 </body>
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@ -5,28 +5,29 @@
 package cli
 import (
 	"bufio"
 	"bytes"
 	"context"
 	_ "embed"
 	"encoding/json"
 	"encoding/xml"
 	"flag"
 	"fmt"
 	"html/template"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/cgi"
-	"os"
+	"net/url"
 	"os/exec"
 	"runtime"
 	"strings"
 	"github.com/peterbourgon/ff/v2/ffcli"
 	"go4.org/mem"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
 	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )
@ -36,6 +37,9 @@ var webHTML string
 //go:embed web.css
 var webCSS string
 //go:embed auth-redirect.html
 var authenticationRedirectHTML string
 var tmpl *template.Template
 func init() {
@ -85,57 +89,98 @@ func runWeb(ctx context.Context, args []string) error {
 	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 }
-// authorize checks whether the provided user has access to the web UI.
+// authorize returns the name of the user accessing the web UI after verifying
-func authorize(name string) error {
+// whether the user has access to the web UI. The function will write the
-	if distro.Get() == distro.Synology {
+// error to the provided http.ResponseWriter.
-		return authorizeSynology(name)
+// Note: This is different from a tailscale user, and is typically the local
 // user on the node.
 func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
 	switch distro.Get() {
 	case distro.Synology:
 		user, err := synoAuthn()
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusUnauthorized)
 			return "", err
 		}
-	return nil
+		if err := authorizeSynology(user); err != nil {
 			http.Error(w, err.Error(), http.StatusForbidden)
 			return "", err
 		}
 		return user, nil
 	case distro.QNAP:
 		user, resp, err := qnapAuthn(r)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusUnauthorized)
 			return "", err
 		}
 		if resp.IsAdmin == 0 {
 			http.Error(w, err.Error(), http.StatusForbidden)
 			return "", err
 		}
 		return user, nil
 	}
 	return "", nil
 }
 // authorizeSynology checks whether the provided user has access to the web UI
 // by consulting the membership of the "administrators" group.
 func authorizeSynology(name string) error {
-	f, err := os.Open("/etc/group")
+	yes, err := groupmember.IsMemberOfGroup("administrators", name)
 	if err != nil {
 		return err
 	}
-	defer f.Close()
+	if !yes {
-	s := bufio.NewScanner(f)
+		return fmt.Errorf("not a member of administrators group")
 	var agLine string
 	for s.Scan() {
 		if !mem.HasPrefix(mem.B(s.Bytes()), mem.S("administrators:")) {
 			continue
 	}
-		agLine = s.Text()
+	return nil
-		break
+}
 type qnapAuthResponse struct {
 	AuthPassed int    `xml:"authPassed"`
 	IsAdmin    int    `xml:"isAdmin"`
 	AuthSID    string `xml:"authSid"`
 	ErrorValue int    `xml:"errorValue"`
 }
 func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
 	user, err := r.Cookie("NAS_USER")
 	if err != nil {
 		return "", nil, err
 	}
-	if err := s.Err(); err != nil {
+	token, err := r.Cookie("qtoken")
-		return err
+	if err != nil {
 		return "", nil, err
 	}
-	if agLine == "" {
+	query := url.Values{
-		return fmt.Errorf("admin group not defined")
+		"qtoken": []string{token.Value},
 		"user":   []string{user.Value},
 	}
-	agEntry := strings.Split(agLine, ":")
+	u := url.URL{
-	if len(agEntry) < 4 {
+		Scheme:   r.URL.Scheme,
-		return fmt.Errorf("malformed admin group entry")
+		Host:     r.URL.Host,
 		Path:     "/cgi-bin/authLogin.cgi",
 		RawQuery: query.Encode(),
 	}
-	agMembers := agEntry[3]
+	resp, err := http.Get(u.String())
-	for _, m := range strings.Split(agMembers, ",") {
+	if err != nil {
-		if m == name {
+		return "", nil, err
-			return nil
+	}
 	defer resp.Body.Close()
 	out, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", nil, err
 	}
 	authResp := &qnapAuthResponse{}
 	if err := xml.Unmarshal(out, authResp); err != nil {
 		return "", nil, err
 	}
-	return fmt.Errorf("not a member of administrators group")
+	if authResp.AuthPassed == 0 {
 		return "", nil, fmt.Errorf("not authenticated")
 	}
 	return user.Value, authResp, nil
 }
-// authenticate returns the name of the user accessing the web UI.
+func synoAuthn() (string, error) {
 // Note: This is different from a tailscale user, and is typically the local
 // user on the node.
 func authenticate() (string, error) {
 	if distro.Get() != distro.Synology {
 		return "", nil
 	}
 	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
@ -144,10 +189,14 @@ func authenticate() (string, error) {
 	return strings.TrimSpace(string(out)), nil
 }
-func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
+func authRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if distro.Get() != distro.Synology {
+	if distro.Get() == distro.Synology {
-		return false
+		return synoTokenRedirect(w, r)
 	}
 	return false
 }
 func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
 	if r.Header.Get("X-Syno-Token") != "" {
 		return false
 	}
@ -181,80 +230,13 @@ req.send(null);
 </body></html>
 `
 const authenticationRedirectHTML = `
 <html>
 <head>
 	<title>Redirecting...</title>
 	<style>
 		html,
 		body {
 			height: 100%;
 		}
 		html {
 			background-color: rgb(249, 247, 246);
 			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
 			line-height: 1.5;
 			-webkit-text-size-adjust: 100%;
 			-webkit-font-smoothing: antialiased;
 			-moz-osx-font-smoothing: grayscale;
 		}
 		body {
 			display: flex;
 			flex-direction: column;
 			align-items: center;
 			justify-content: center;
 		}
 		.spinner {
 			margin-bottom: 2rem;
 			border: 4px rgba(112, 110, 109, 0.5) solid;
 			border-left-color: transparent;
 			border-radius: 9999px;
 			width: 4rem;
 			height: 4rem;
 			-webkit-animation: spin 700ms linear infinite;
      animation: spin 800ms linear infinite;
 		}
 		.label {
 			color: rgb(112, 110, 109);
 			padding-left: 0.4rem;
 		}
 		@-webkit-keyframes spin {
 			to {
 				transform: rotate(360deg);
 			}
 		}
 		@keyframes spin {
 			to {
 				transform: rotate(360deg);
 			}
 		}
 	</style>
 </head>
 <body>
 	<div class="spinner"></div>
 	<div class="label">Redirecting...</div>
 </body>
 `
 func webHandler(w http.ResponseWriter, r *http.Request) {
-	if synoTokenRedirect(w, r) {
+	if authRedirect(w, r) {
 		return
 	}
-	user, err := authenticate()
+	user, err := authorize(w, r)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 	if err := authorize(user); err != nil {
 		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
@ -268,7 +250,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			w.WriteHeader(500)
+			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
@ -278,7 +260,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 	st, err := tailscale.Status(r.Context())
 	if err != nil {
-		http.Error(w, err.Error(), 500)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
@ -296,7 +278,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 	buf := new(bytes.Buffer)
 	if err := tmpl.Execute(buf, data); err != nil {
-		http.Error(w, err.Error(), 500)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	w.Write(buf.Bytes())
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@ -53,6 +53,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/wgkey                                    from tailscale.com/types/netmap+
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
   L    tailscale.com/util/lineread                                  from tailscale.com/net/interfaces
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
@ -118,13 +119,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        debug/macho                                                  from rsc.io/goversion/version
        debug/pe                                                     from rsc.io/goversion/version
        embed                                                        from tailscale.com/cmd/tailscale/cli
-        encoding                                                     from encoding/json
+        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
        encoding/xml                                                 from tailscale.com/cmd/tailscale/cli
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
        flag                                                         from github.com/peterbourgon/ff/v2+
@ -156,6 +158,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        os                                                           from crypto/rand+
        os/exec                                                      from github.com/toqueteos/webbrowser+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
        os/user                                                      from tailscale.com/util/groupmember
        path                                                         from debug/dwarf+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@ -135,6 +135,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
        tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
   L    tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@ -24,7 +24,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"syscall"
 	"time"
@ -41,9 +40,11 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/groupmember"
 	"tailscale.com/util/pidowner"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 )
@ -347,51 +348,32 @@ func isReadonlyConn(ci connIdentity, operatorUID string, logf logger.Logf) bool
 		logf("connection from userid %v; is configured operator", uid)
 		return rw
 	}
-	var adminGroupID string
+	if yes, err := isLocalAdmin(uid); err != nil {
-	switch runtime.GOOS {
+		logf("connection from userid %v; read-only; %v", uid, err)
 	case "darwin":
 		adminGroupID = darwinAdminGroupID()
 	default:
 		logf("connection from userid %v; read-only", uid)
 		return ro
 	}
 	if adminGroupID == "" {
 		logf("connection from userid %v; no system admin group found, read-only", uid)
 		return ro
 	}
 	u, err := user.LookupId(uid)
 	if err != nil {
 		logf("connection from userid %v; failed to look up user; read-only", uid)
 		return ro
 	}
 	gids, err := u.GroupIds()
 	if err != nil {
 		logf("connection from userid %v; failed to look up groups; read-only", uid)
 		return ro
-	}
+	} else if yes {
 	for _, gid := range gids {
 		if gid == adminGroupID {
 		logf("connection from userid %v; is local admin, has access", uid)
 		return rw
 	}
 	}
 	logf("connection from userid %v; read-only", uid)
 	return ro
 }
-var darwinAdminGroupIDCache atomic.Value // of string
+func isLocalAdmin(uid string) (bool, error) {
-
+	u, err := user.LookupId(uid)
 func darwinAdminGroupID() string {
 	s, _ := darwinAdminGroupIDCache.Load().(string)
 	if s != "" {
 		return s
 	}
 	g, err := user.LookupGroup("admin")
 	if err != nil {
-		return ""
+		return false, err
 	}
 	var adminGroup string
 	switch {
 	case runtime.GOOS == "darwin":
 		adminGroup = "admin"
 	case distro.Get() == distro.QNAP:
 		adminGroup = "administrators"
 	default:
 		return false, fmt.Errorf("no system admin group found")
 	}
-	darwinAdminGroupIDCache.Store(g.Gid)
+	return groupmember.IsMemberOfGroup(adminGroup, u.Username)
 	return g.Gid
 }
 // inUseOtherUserError is the error type for when the server is in use
--- a/util/groupmember/groupmember.go
+++ b/util/groupmember/groupmember.go
@ -0,0 +1,21 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package groupmemeber verifies group membership of the provided user on the
 // local system.
 package groupmember
 import (
 	"errors"
 	"runtime"
 )
 var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)
 // IsMemberOfGroup verifies if the provided user is member of the provided
 // system group.
 // If verfication fails, an error is returned.
 func IsMemberOfGroup(group, userName string) (bool, error) {
 	return isMemberOfGroup(group, userName)
 }
--- a/util/groupmember/groupmember_cgo.go
+++ b/util/groupmember/groupmember_cgo.go
@ -0,0 +1,48 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // +build cgo
 package groupmember
 import (
 	"os/user"
 	"sync"
 )
 func isMemberOfGroup(group, name string) (bool, error) {
 	u, err := user.Lookup(name)
 	if err != nil {
 		return false, err
 	}
 	ugids, err := u.GroupIds()
 	if err != nil {
 		return false, err
 	}
 	gid, err := getGroupID(group)
 	if err != nil {
 		return false, err
 	}
 	for _, ugid := range ugids {
 		if gid == ugid {
 			return true, nil
 		}
 	}
 	return false, nil
 }
 var groupIDCache sync.Map // of string
 func getGroupID(groupName string) (string, error) {
 	s, ok := groupIDCache.Load(groupName)
 	if ok {
 		return s.(string), nil
 	}
 	g, err := user.LookupGroup(groupName)
 	if err != nil {
 		return "", err
 	}
 	groupIDCache.Store(groupName, g.Gid)
 	return g.Gid, nil
 }
--- a/util/groupmember/groupmember_noimpl.go
+++ b/util/groupmember/groupmember_noimpl.go
@ -0,0 +1,9 @@
 // Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // +build !cgo,!linux,!darwin
 package groupmember
 func isMemberOfGroup(group, name string) (bool, error) { return false, ErrNotImplemented }
--- a/util/groupmember/groupmember_notcgo.go
+++ b/util/groupmember/groupmember_notcgo.go
@ -0,0 +1,71 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // +build !cgo
 // +build linux darwin
 package groupmember
 import (
 	"bufio"
 	"fmt"
 	"os"
 	"os/exec"
 	"strings"
 	"go4.org/mem"
 	"tailscale.com/version/distro"
 )
 func isMemberOfGroup(group, name string) (bool, error) {
 	if distro.Get() == distro.Synology {
 		return isMemberOfGroupEtcGroup(group, name)
 	}
 	cmd := exec.Command("/usr/bin/env", "groups", name)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return false, err
 	}
 	groups := strings.Split(strings.TrimSpace(string(out)), " ")
 	for _, g := range groups {
 		if g == group {
 			return true, nil
 		}
 	}
 	return false, nil
 }
 func isMemberOfGroupEtcGroup(group, name string) (bool, error) {
 	f, err := os.Open("/etc/group")
 	if err != nil {
 		return false, err
 	}
 	defer f.Close()
 	s := bufio.NewScanner(f)
 	var agLine string
 	for s.Scan() {
 		if !mem.HasPrefix(mem.B(s.Bytes()), mem.S(fmt.Sprintf("%s:", group))) {
 			continue
 		}
 		agLine = s.Text()
 		break
 	}
 	if err := s.Err(); err != nil {
 		return false, err
 	}
 	if agLine == "" {
 		return false, fmt.Errorf("admin group not defined")
 	}
 	agEntry := strings.Split(agLine, ":")
 	if len(agEntry) < 4 {
 		return false, fmt.Errorf("malformed admin group entry")
 	}
 	agMembers := agEntry[3]
 	for _, m := range strings.Split(agMembers, ",") {
 		if m == name {
 			return true, nil
 		}
 	}
 	return false, nil
 }
--- a/version/distro/distro.go
+++ b/version/distro/distro.go
@ -18,6 +18,7 @@ const (
 	Synology = Distro("synology")
 	OpenWrt  = Distro("openwrt")
 	NixOS    = Distro("nixos")
 	QNAP     = Distro("qnap")
 )
 // Get returns the current distro, or the empty string if unknown.
@ -50,6 +51,8 @@ func linuxDistro() Distro {
 		return OpenWrt
 	case have("/run/current-system/sw/bin/nixos-version"):
 		return NixOS
 	case have("/etc/config/uLinux.conf"):
 		return QNAP
 	}
 	return ""
 }