119 Commits

Author	SHA1	Message	Date
Kristoffer Dalby	cfe9bbf829	oidc: try to get username from userinfo (#2545) ... * oidc: try to get username from userinfo Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 11:54:13 +02:00
Kristoffer Dalby	8f9fbf16f1	types/authkey: include user object in response (#2542) ... * types/authkey: include user object, not string Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * make preauthkeys use id Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: wire up user id for auth keys Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 11:45:08 +02:00
Kristoffer Dalby	f1206328dc	fix webauth + autoapprove routes (#2528) ... * types/node: add helper funcs for node tags Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * types/node: add DebugString method for node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add String func to AutoApprover interface Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: simplify, use slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: debug, use nodes.DebugString Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: fix potential nil pointer in NodeCanApproveRoute Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: fix diff in login commands Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: fix webauth running with wrong scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: move common oidc opts to func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: require node count, more verbose Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * auth: remove uneffective route approve Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: fmt Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: add id func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: remove call that might be nil Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: test autoapprovers against web/authkey x group/tag/user Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: unique network id per scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Revert "integration: move common oidc opts to func" This reverts commit 7e9d165d4a900c304f1083b665f1a24a26e06e55. * remove cmd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: clean docker images between runs in ci Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: run autoapprove test against differnt policy modes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: append, not overrwrite extra login args Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: remove polv2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 07:54:04 +02:00
Kristoffer Dalby	30539b2e26	config: disallow same server url and base_domain (#2544) ... * config: disallow same server url and base_domain Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-23 16:24:38 +02:00
Kristoffer Dalby	098ab0357c	add casbin user test (#2474) ... * add casbin user test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Delete double slash * types/users: use join url on iss that are ursl Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2025-04-23 13:21:51 +02:00
Kristoffer Dalby	8e7e52cf3a	some clarifications for tags (#2531) ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-18 09:33:02 +02:00
nblock	1e0516b99d	Restore support for "Override local DNS" (#2438) ... Tailscale allows to override the local DNS settings of a node via "Override local DNS" [1]. Restore this flag with the same config setting name `dns.override_local_dns` but disable it by default to align it with Tailscale's default behaviour. Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12. With `dns.override_local_dns: false`: ``` Link 12 (tailscale0) Current Scopes: DNS Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported DNS Servers: 100.100.100.100 DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip] ``` With `dns.override_local_dns: true`: ``` Link 12 (tailscale0) Current Scopes: DNS Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported DNS Servers: 100.100.100.100 DNS Domain: tn.example.com ~. ``` [1] https://tailscale.com/kb/1054/dns#override-local-dns Fixes: #2256	2025-04-17 17:16:59 +02:00
Nick	109989005d	ensure final dot on node name (#2503) ... * ensure final dot on node name This ensures that nodes which have a base domain set, will have a dot appended to their FQDN. Resolves: https://github.com/juanfont/headscale/issues/2501 * improve OIDC TTL expire test Waiting a bit more than the TTL of the OIDC token seems to remove some flakiness of this test. This furthermore makes use of a go func safe buffer which should avoid race conditions.	2025-04-11 12:39:08 +02:00
Kristoffer Dalby	cbc99010f0	populate serving from primary routes (#2489) ... * populate serving from primary routes Depends on #2464 Fixes #2480 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * also exit Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix route update outside of connection there was a bug where routes would not be updated if they changed while a node was connected and it was not part of an autoapprove. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update expected test output, cli only shows service node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-03-28 13:22:15 +01:00
Kristoffer Dalby	603f3ad490	Multi network integration tests (#2464)	2025-03-21 11:49:32 +01:00
Kristoffer Dalby	87326f5c4f	Experimental implementation of Policy v2 (#2214) ... * utility iterator for ipset Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * split policy -> policy and v1 This commit split out the common policy logic and policy implementation into separate packages. policy contains functions that are independent of the policy implementation, this typically means logic that works on tailcfg types and generic formats. In addition, it defines the PolicyManager interface which the v1 implements. v1 is a subpackage which implements the PolicyManager using the "original" policy implementation. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * use polivyv1 definitions in integration tests These can be marshalled back into JSON, which the new format might not be able to. Also, just dont change it all to JSON strings for now. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * formatter: breaks lines Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove compareprefix, use tsaddr version Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * remove getacl test, add back autoapprover Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * use policy manager tag handling Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * rename display helper for user Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * introduce policy v2 package policy v2 is built from the ground up to be stricter and follow the same pattern for all types of resolvers. TODO introduce aliass resolver Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * wire up policyv2 in integration testing Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * split policy v2 tests into seperate workflow to work around github limit Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add policy manager output to /debug Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-03-10 16:20:29 +01:00
Kristoffer Dalby	7891378f57	Redo route code (#2422) ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-02-26 16:22:55 +01:00
Kristoffer Dalby	16868190c8	fix double login URL with OIDC (#2445) ... * factor out login url parser Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * move to not trigger test gen checker Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * return regresp or err after waiting for registration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-02-25 18:16:07 +01:00
Kristoffer Dalby	1f0110fe06	use helper function for constructing state updates (#2410) ... This helps preventing messages being sent with the wrong update type and payload combination, and it is shorter/neater. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-02-07 13:49:59 +01:00
Kristoffer Dalby	b92bd3d27e	remove oidc migration (#2411) ... * remove oidc migration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-02-07 13:49:45 +01:00
Kristoffer Dalby	3bf7d5a9c9	add git hash to binary, print on startup (#2415) ... * add git hash to binary, print on startup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-02-07 13:49:34 +01:00
Nbelles	22277d1fc7	Spell check	2025-02-05 17:29:30 +01:00
Kristoffer Dalby	8b92c017ec	add 1.80 to capver and update deps (#2394)	2025-02-05 07:17:51 +01:00
Kristoffer Dalby	9bd143852f	do not allow preauth keys to be deleted if assigned to node (#2396) ... * do not allow preauth keys to be deleted if assigned to node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-02-01 10:31:13 +01:00
Kristoffer Dalby	d57a55c024	Rewrite authentication flow (#2374)	2025-02-01 09:16:51 +00:00
Kristoffer Dalby	7ba6ad3489	simplify findUserByToken in ACL, add missing testcases (#2388) ... * update users doc on unique constraints Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * simplify finduser func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add initial tests for findUserFromToken Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-01-30 11:35:49 +01:00
Kristoffer Dalby	4c8e847f47	use dedicated registration ID for auth flow (#2337)	2025-01-26 22:20:11 +01:00
Kristoffer Dalby	615ee5df75	make it harder to insert invalid routes (#2371) ... * make it harder to insert invalid routes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * dont panic if node is not available for route Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-01-23 13:40:23 +01:00
Kristoffer Dalby	c1f42cdf4b	relax user validation to allow emails, add tests from various oidc providers (#2364) ... * relax user validation to allow emails, add tests from various oidc providers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-01-22 18:10:15 +01:00
Kristoffer Dalby	5b986ed0a7	set oidc.map_legacy_users false (#2350)	2025-01-17 14:44:04 +00:00
Kristoffer Dalby	e4a3dcc3b8	use headscale server url as domain instead of base_domain (#2338)	2025-01-16 18:05:20 +01:00
Kristoffer Dalby	38aef77e54	allow @ and Log if OIDC username is not consider valid (#2340)	2025-01-16 18:04:54 +01:00
Stefan Majer	ede4f97a16	Fix typos	2025-01-09 10:38:25 +01:00
Rorical	b81420bef1	feat: Add PKCE Verifier for OIDC (#2314) ... * feat: add PKCE verifier for OIDC * Update CHANGELOG.md	2024-12-22 16:46:36 +00:00
Kristoffer Dalby	5345f19693	fix issue where some oidc claim bools are sent as string (#2297) ... Jumpcloud send invalid json, so we need to handle it. Fixes #2293 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-12-16 11:26:32 +01:00
Kristoffer Dalby	ec8729b772	fix sighup issue with empty acl (#2296) ... Fixes #2291 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-12-16 07:48:19 +01:00
Kristoffer Dalby	58d089ce0a	fix deletion of exit routes without nodes (#2286) ... Fixes #2259 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-12-13 20:15:24 +01:00
Kristoffer Dalby	380fcdba17	Add worker reading extra_records_path from file (#2271) ... * consolidate scheduled tasks into one goroutine Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * rename Tailcfg dns struct Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * add dns.extra_records_path option Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * prettier lint Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * go-fmt Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-12-13 07:52:40 +00:00
Florian Preinstorfer	89a648c7dd	Remove use_username_in_magic_dns option ... Upgrade the use of dns.use_username_in_magic_dns or dns_config.use_username_in_magic_dns to a fatal error and remove the option from the example configuration and integration tests. Fixes: #2219	2024-12-11 18:39:35 +01:00
Kristoffer Dalby	64fd1f9483	restructure command/api to use stable IDs (#2261)	2024-12-10 16:23:55 +01:00
Kristoffer Dalby	fffd23602b	Resolve user to stable unique ID in policy (#2205)	2024-11-24 00:13:27 +01:00
Kristoffer Dalby	7d9b430ec2	fix constraints ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	281025bb16	fix constraints ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	5e7c3153b9	nits ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	7ba0c3d515	use userID instead of username everywhere ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	4dd12a2f97	fix oidc test, add tests for migration ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	2fe65624c0	restore strip_email_domain for migration ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	35b669fe59	add iss to identifier, only set email if verified ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	dc07779143	add @ to end of username if not present ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	78214699ad	Harden OIDC migration and make optional ... This commit hardens the migration part of the OIDC from the old username based approach to the new sub based approach and makes it possible for the operator to opt out entirely. Fixes #1990 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-23 21:14:55 +01:00
Kristoffer Dalby	64bb56352f	make configurable wal auto checkpoint (#2242)	2024-11-23 21:03:48 +01:00
Kristoffer Dalby	a6b19e85db	more linter fixups (#2212) ... * linter fixes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * conf Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update nix hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-22 15:54:58 +00:00
ArcticLampyrid	edf9e25001	feat: support client verify for derp (add integration tests) (#2046) ... * feat: support client verify for derp * docs: fix doc for integration test * tests: add integration test for DERP verify endpoint * tests: use `tailcfg.DERPMap` instead of `[]byte` * refactor: introduce func `ContainsNodeKey` * tests(dsic): use string builder for cmd args * ci: fix tests order * tests: fix derper failure * chore: cleanup * tests(verify-client): perfer to use `CreateHeadscaleEnv` * refactor(verify-client): simplify error handling * tests: fix `TestDERPVerifyEndpoint` * refactor: make `doVerify` a seperated func --------- Co-authored-by: 117503445 <t117503445@gmail.com>	2024-11-22 13:23:05 +01:00
Motiejus Jakštys	c6336adb01	config: loosen up BaseDomain and ServerURL checks (#2248) ... * config: loosen up BaseDomain and ServerURL checks Requirements [here][1]: > OK: > server_url: headscale.com, base: clients.headscale.com > server_url: headscale.com, base: headscale.net > > Not OK: > server_url: server.headscale.com, base: headscale.com > > Essentially we have to prevent the possibility where the headscale > server has a URL which can also be assigned to a node. > > So for the Not OK scenario: > > if the server is: server.headscale.com, and a node joins with the name > server, it will be assigned server.headscale.com and that will break > the connection for nodes which will now try to connect to that node > instead of the headscale server. Fixes #2210 [1]: https://github.com/juanfont/headscale/issues/2210#issuecomment-2488165187 * server_url and base_domain: re-word error message, fix a one-off bug and add a test case for the bug. * lint * lint again	2024-11-22 13:21:44 +01:00
Kristoffer Dalby	028d9aab73	add new user fields to grpc and list command (#2202) ... Updates #2166 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-10-18 14:20:03 +00:00