2020-06-21 06:32:08 -04:00
|
|
|
package headscale
|
|
|
|
|
|
|
|
import (
|
2021-10-26 16:42:56 -04:00
|
|
|
"context"
|
|
|
|
"crypto/tls"
|
2021-04-23 22:54:15 -04:00
|
|
|
"errors"
|
2020-06-21 06:32:08 -04:00
|
|
|
"fmt"
|
2021-10-29 12:45:06 -04:00
|
|
|
"io"
|
2021-10-26 16:42:56 -04:00
|
|
|
"net"
|
2021-04-23 22:54:15 -04:00
|
|
|
"net/http"
|
2021-10-22 12:55:14 -04:00
|
|
|
"net/url"
|
2021-02-21 17:54:15 -05:00
|
|
|
"os"
|
2021-11-02 17:46:15 -04:00
|
|
|
"os/signal"
|
2021-10-06 18:06:07 -04:00
|
|
|
"sort"
|
2021-04-23 16:54:35 -04:00
|
|
|
"strings"
|
2021-02-23 15:07:52 -05:00
|
|
|
"sync"
|
2021-11-02 17:46:15 -04:00
|
|
|
"syscall"
|
2021-05-22 20:15:29 -04:00
|
|
|
"time"
|
2020-06-21 06:32:08 -04:00
|
|
|
|
2021-10-18 15:27:52 -04:00
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
2020-06-21 06:32:08 -04:00
|
|
|
"github.com/gin-gonic/gin"
|
2021-11-13 03:39:04 -05:00
|
|
|
grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
|
2021-10-26 16:42:56 -04:00
|
|
|
"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
|
2021-11-04 18:18:55 -04:00
|
|
|
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
|
2021-11-13 03:39:04 -05:00
|
|
|
"github.com/patrickmn/go-cache"
|
|
|
|
zerolog "github.com/philip-bui/grpc-zerolog"
|
2021-11-08 17:06:25 -05:00
|
|
|
zl "github.com/rs/zerolog"
|
2021-10-26 16:42:56 -04:00
|
|
|
"github.com/rs/zerolog/log"
|
|
|
|
"github.com/soheilhy/cmux"
|
2021-10-09 06:22:13 -04:00
|
|
|
ginprometheus "github.com/zsais/go-gin-prometheus"
|
2021-10-03 14:26:38 -04:00
|
|
|
"golang.org/x/crypto/acme"
|
2021-04-23 22:54:15 -04:00
|
|
|
"golang.org/x/crypto/acme/autocert"
|
2021-11-13 03:39:04 -05:00
|
|
|
"golang.org/x/oauth2"
|
2021-10-26 16:42:56 -04:00
|
|
|
"golang.org/x/sync/errgroup"
|
|
|
|
"google.golang.org/grpc"
|
2021-10-29 12:45:06 -04:00
|
|
|
"google.golang.org/grpc/codes"
|
|
|
|
"google.golang.org/grpc/credentials"
|
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
"google.golang.org/grpc/peer"
|
|
|
|
"google.golang.org/grpc/reflection"
|
|
|
|
"google.golang.org/grpc/status"
|
2021-07-04 15:40:46 -04:00
|
|
|
"gorm.io/gorm"
|
2021-08-02 15:06:26 -04:00
|
|
|
"inet.af/netaddr"
|
2021-02-20 17:57:06 -05:00
|
|
|
"tailscale.com/tailcfg"
|
2021-10-02 06:13:05 -04:00
|
|
|
"tailscale.com/types/dnstype"
|
2021-06-25 12:57:08 -04:00
|
|
|
"tailscale.com/types/wgkey"
|
2020-06-21 06:32:08 -04:00
|
|
|
)
|
|
|
|
|
2021-10-29 12:45:06 -04:00
|
|
|
const (
|
2021-11-14 12:31:51 -05:00
|
|
|
AUTH_PREFIX = "Bearer "
|
|
|
|
POSTGRESQL = "postgresql"
|
|
|
|
SQLITE = "sqlite3"
|
|
|
|
UPDATE_RATE_MILLISECONDS = 5000
|
|
|
|
HTTP_READ_TIMEOUT = 30 * time.Second
|
2021-10-29 12:45:06 -04:00
|
|
|
)
|
|
|
|
|
2021-10-26 16:42:56 -04:00
|
|
|
// Config contains the initial Headscale configuration.
|
2020-06-21 06:32:08 -04:00
|
|
|
type Config struct {
|
2021-05-22 20:15:29 -04:00
|
|
|
ServerURL string
|
|
|
|
Addr string
|
|
|
|
PrivateKeyPath string
|
|
|
|
EphemeralNodeInactivityTimeout time.Duration
|
2021-08-02 15:06:26 -04:00
|
|
|
IPPrefix netaddr.IPPrefix
|
2021-10-02 05:20:42 -04:00
|
|
|
BaseDomain string
|
2020-06-21 06:32:08 -04:00
|
|
|
|
2021-10-22 12:55:14 -04:00
|
|
|
DERP DERPConfig
|
|
|
|
|
2021-05-15 08:32:26 -04:00
|
|
|
DBtype string
|
|
|
|
DBpath string
|
2020-06-21 06:32:08 -04:00
|
|
|
DBhost string
|
|
|
|
DBport int
|
|
|
|
DBname string
|
|
|
|
DBuser string
|
|
|
|
DBpass string
|
2021-04-23 16:54:35 -04:00
|
|
|
|
2021-07-23 18:12:01 -04:00
|
|
|
TLSLetsEncryptListen string
|
2021-04-23 22:54:15 -04:00
|
|
|
TLSLetsEncryptHostname string
|
|
|
|
TLSLetsEncryptCacheDir string
|
|
|
|
TLSLetsEncryptChallengeType string
|
|
|
|
|
2021-04-23 16:54:35 -04:00
|
|
|
TLSCertPath string
|
|
|
|
TLSKeyPath string
|
2021-08-24 02:09:47 -04:00
|
|
|
|
2021-10-03 14:26:38 -04:00
|
|
|
ACMEURL string
|
|
|
|
ACMEEmail string
|
|
|
|
|
2021-08-24 02:09:47 -04:00
|
|
|
DNSConfig *tailcfg.DNSConfig
|
2021-10-30 10:08:16 -04:00
|
|
|
|
|
|
|
UnixSocket string
|
2021-10-31 05:40:43 -04:00
|
|
|
|
2021-10-18 15:27:52 -04:00
|
|
|
OIDC OIDCConfig
|
2021-10-08 05:43:52 -04:00
|
|
|
|
2021-11-07 04:41:14 -05:00
|
|
|
CLI CLIConfig
|
|
|
|
|
2021-10-10 05:22:42 -04:00
|
|
|
MaxMachineRegistrationDuration time.Duration
|
|
|
|
DefaultMachineRegistrationDuration time.Duration
|
2020-06-21 06:32:08 -04:00
|
|
|
}
|
|
|
|
|
2021-10-18 15:27:52 -04:00
|
|
|
type OIDCConfig struct {
|
|
|
|
Issuer string
|
|
|
|
ClientID string
|
|
|
|
ClientSecret string
|
|
|
|
MatchMap map[string]string
|
2020-06-21 06:32:08 -04:00
|
|
|
}
|
|
|
|
|
2021-10-22 12:55:14 -04:00
|
|
|
type DERPConfig struct {
|
|
|
|
URLs []url.URL
|
|
|
|
Paths []string
|
|
|
|
AutoUpdate bool
|
|
|
|
UpdateFrequency time.Duration
|
|
|
|
}
|
|
|
|
|
2021-11-07 04:41:14 -05:00
|
|
|
type CLIConfig struct {
|
|
|
|
Address string
|
|
|
|
APIKey string
|
|
|
|
Insecure bool
|
|
|
|
Timeout time.Duration
|
|
|
|
}
|
|
|
|
|
2021-10-26 16:42:56 -04:00
|
|
|
// Headscale represents the base app of the service.
|
2020-06-21 06:32:08 -04:00
|
|
|
type Headscale struct {
|
|
|
|
cfg Config
|
2021-07-04 15:40:46 -04:00
|
|
|
db *gorm.DB
|
2020-06-21 06:32:08 -04:00
|
|
|
dbString string
|
2021-05-02 14:47:36 -04:00
|
|
|
dbType string
|
|
|
|
dbDebug bool
|
2021-06-25 12:57:08 -04:00
|
|
|
publicKey *wgkey.Key
|
|
|
|
privateKey *wgkey.Private
|
2021-02-23 15:07:52 -05:00
|
|
|
|
2021-10-22 12:55:14 -04:00
|
|
|
DERPMap *tailcfg.DERPMap
|
|
|
|
|
2021-07-03 11:31:32 -04:00
|
|
|
aclPolicy *ACLPolicy
|
2021-11-04 18:18:55 -04:00
|
|
|
aclRules []tailcfg.FilterRule
|
2021-07-03 11:31:32 -04:00
|
|
|
|
2021-08-19 13:19:26 -04:00
|
|
|
lastStateChange sync.Map
|
2021-10-08 05:43:52 -04:00
|
|
|
|
|
|
|
oidcProvider *oidc.Provider
|
|
|
|
oauth2Config *oauth2.Config
|
|
|
|
oidcStateCache *cache.Cache
|
2020-06-21 06:32:08 -04:00
|
|
|
}
|
|
|
|
|
2021-10-26 16:42:56 -04:00
|
|
|
// NewHeadscale returns the Headscale app.
|
2020-06-21 06:32:08 -04:00
|
|
|
func NewHeadscale(cfg Config) (*Headscale, error) {
|
2021-02-21 17:54:15 -05:00
|
|
|
content, err := os.ReadFile(cfg.PrivateKeyPath)
|
2020-06-21 06:32:08 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-06-25 12:57:08 -04:00
|
|
|
privKey, err := wgkey.ParsePrivate(string(content))
|
2020-06-21 06:32:08 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
pubKey := privKey.Public()
|
2021-05-15 08:32:26 -04:00
|
|
|
|
|
|
|
var dbString string
|
|
|
|
switch cfg.DBtype {
|
2021-11-14 12:06:25 -05:00
|
|
|
case POSTGRESQL:
|
2021-11-13 03:36:45 -05:00
|
|
|
dbString = fmt.Sprintf(
|
|
|
|
"host=%s port=%d dbname=%s user=%s password=%s sslmode=disable",
|
|
|
|
cfg.DBhost,
|
|
|
|
cfg.DBport,
|
|
|
|
cfg.DBname,
|
|
|
|
cfg.DBuser,
|
|
|
|
cfg.DBpass,
|
|
|
|
)
|
2021-11-14 12:06:25 -05:00
|
|
|
case SQLITE:
|
2021-05-15 08:32:26 -04:00
|
|
|
dbString = cfg.DBpath
|
|
|
|
default:
|
2021-07-11 09:10:37 -04:00
|
|
|
return nil, errors.New("unsupported DB")
|
2021-05-15 08:32:26 -04:00
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
app := Headscale{
|
2021-05-15 08:32:26 -04:00
|
|
|
cfg: cfg,
|
|
|
|
dbType: cfg.DBtype,
|
|
|
|
dbString: dbString,
|
2020-06-21 06:32:08 -04:00
|
|
|
privateKey: privKey,
|
|
|
|
publicKey: &pubKey,
|
2021-11-04 18:18:55 -04:00
|
|
|
aclRules: tailcfg.FilterAllowAll, // default allowall
|
2020-06-21 06:32:08 -04:00
|
|
|
}
|
2021-07-04 07:24:05 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
err = app.initDB()
|
2020-06-21 06:32:08 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-07-04 15:40:46 -04:00
|
|
|
|
2021-10-18 15:27:52 -04:00
|
|
|
if cfg.OIDC.Issuer != "" {
|
2021-11-14 14:32:03 -05:00
|
|
|
err = app.initOIDC()
|
2021-10-08 05:43:52 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-10-18 15:27:52 -04:00
|
|
|
}
|
2021-10-16 10:31:37 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
if app.cfg.DNSConfig != nil && app.cfg.DNSConfig.Proxied { // if MagicDNS
|
2021-11-14 12:03:21 -05:00
|
|
|
magicDNSDomains := generateMagicDNSRootDomains(
|
2021-11-14 14:32:03 -05:00
|
|
|
app.cfg.IPPrefix,
|
2021-11-13 03:36:45 -05:00
|
|
|
)
|
2021-10-20 03:35:56 -04:00
|
|
|
// we might have routes already from Split DNS
|
2021-11-14 14:32:03 -05:00
|
|
|
if app.cfg.DNSConfig.Routes == nil {
|
|
|
|
app.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver)
|
2021-10-19 14:51:43 -04:00
|
|
|
}
|
2021-10-10 06:43:41 -04:00
|
|
|
for _, d := range magicDNSDomains {
|
2021-11-14 14:32:03 -05:00
|
|
|
app.cfg.DNSConfig.Routes[d.WithoutTrailingDot()] = nil
|
2021-10-02 06:13:05 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
return &app, nil
|
2020-06-21 06:32:08 -04:00
|
|
|
}
|
|
|
|
|
2021-10-26 16:42:56 -04:00
|
|
|
// Redirect to our TLS url.
|
2021-04-23 22:54:15 -04:00
|
|
|
func (h *Headscale) redirect(w http.ResponseWriter, req *http.Request) {
|
|
|
|
target := h.cfg.ServerURL + req.URL.RequestURI()
|
|
|
|
http.Redirect(w, req, target, http.StatusFound)
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:45:40 -04:00
|
|
|
// expireEphemeralNodes deletes ephemeral machine records that have not been
|
2021-10-26 16:42:56 -04:00
|
|
|
// seen for longer than h.cfg.EphemeralNodeInactivityTimeout.
|
2021-08-12 15:45:40 -04:00
|
|
|
func (h *Headscale) expireEphemeralNodes(milliSeconds int64) {
|
2021-05-22 20:15:29 -04:00
|
|
|
ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
|
|
|
|
for range ticker.C {
|
|
|
|
h.expireEphemeralNodesWorker()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *Headscale) expireEphemeralNodesWorker() {
|
|
|
|
namespaces, err := h.ListNamespaces()
|
|
|
|
if err != nil {
|
2021-08-05 13:11:26 -04:00
|
|
|
log.Error().Err(err).Msg("Error listing namespaces")
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-05-22 20:15:29 -04:00
|
|
|
return
|
|
|
|
}
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
for _, namespace := range namespaces {
|
|
|
|
machines, err := h.ListMachinesInNamespace(namespace.Name)
|
2021-05-22 20:15:29 -04:00
|
|
|
if err != nil {
|
2021-11-13 03:36:45 -05:00
|
|
|
log.Error().
|
|
|
|
Err(err).
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("namespace", namespace.Name).
|
2021-11-13 03:36:45 -05:00
|
|
|
Msg("Error listing machines in namespace")
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-05-22 20:15:29 -04:00
|
|
|
return
|
|
|
|
}
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
for _, machine := range machines {
|
|
|
|
if machine.AuthKey != nil && machine.LastSeen != nil &&
|
|
|
|
machine.AuthKey.Ephemeral &&
|
|
|
|
time.Now().
|
|
|
|
After(machine.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
|
2021-11-13 03:36:45 -05:00
|
|
|
log.Info().
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("machine", machine.Name).
|
2021-11-13 03:36:45 -05:00
|
|
|
Msg("Ephemeral client removed from database")
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
err = h.db.Unscoped().Delete(machine).Error
|
2021-05-22 20:15:29 -04:00
|
|
|
if err != nil {
|
2021-10-22 12:55:14 -04:00
|
|
|
log.Error().
|
|
|
|
Err(err).
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("machine", machine.Name).
|
2021-10-22 12:55:14 -04:00
|
|
|
Msg("🤮 Cannot delete ephemeral machine from the database")
|
2021-05-22 20:15:29 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
h.setLastStateChangeToNow(namespace.Name)
|
2021-05-22 20:15:29 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-07-25 11:59:48 -04:00
|
|
|
// WatchForKVUpdates checks the KV DB table for requests to perform tailnet upgrades
|
2021-10-26 16:42:56 -04:00
|
|
|
// This is a way to communitate the CLI with the headscale server.
|
2021-07-25 11:59:48 -04:00
|
|
|
func (h *Headscale) watchForKVUpdates(milliSeconds int64) {
|
|
|
|
ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
|
|
|
|
for range ticker.C {
|
|
|
|
h.watchForKVUpdatesWorker()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *Headscale) watchForKVUpdatesWorker() {
|
|
|
|
h.checkForNamespacesPendingUpdates()
|
|
|
|
// more functions will come here in the future
|
|
|
|
}
|
|
|
|
|
2021-10-29 12:45:06 -04:00
|
|
|
func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
|
|
|
|
req interface{},
|
|
|
|
info *grpc.UnaryServerInfo,
|
|
|
|
handler grpc.UnaryHandler) (interface{}, error) {
|
|
|
|
// Check if the request is coming from the on-server client.
|
|
|
|
// This is not secure, but it is to maintain maintainability
|
|
|
|
// with the "legacy" database-based client
|
|
|
|
// It is also neede for grpc-gateway to be able to connect to
|
|
|
|
// the server
|
2021-11-14 14:32:03 -05:00
|
|
|
client, _ := peer.FromContext(ctx)
|
2021-10-29 12:45:06 -04:00
|
|
|
|
2021-11-13 03:36:45 -05:00
|
|
|
log.Trace().
|
|
|
|
Caller().
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("client_address", client.Addr.String()).
|
2021-11-13 03:36:45 -05:00
|
|
|
Msg("Client is trying to authenticate")
|
2021-10-29 12:45:06 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
meta, ok := metadata.FromIncomingContext(ctx)
|
2021-10-29 12:45:06 -04:00
|
|
|
if !ok {
|
2021-11-13 03:36:45 -05:00
|
|
|
log.Error().
|
|
|
|
Caller().
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("client_address", client.Addr.String()).
|
2021-11-13 03:36:45 -05:00
|
|
|
Msg("Retrieving metadata is failed")
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-11-13 03:36:45 -05:00
|
|
|
return ctx, status.Errorf(
|
|
|
|
codes.InvalidArgument,
|
|
|
|
"Retrieving metadata is failed",
|
|
|
|
)
|
2021-10-29 12:45:06 -04:00
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
authHeader, ok := meta["authorization"]
|
2021-10-29 12:45:06 -04:00
|
|
|
if !ok {
|
2021-11-13 03:36:45 -05:00
|
|
|
log.Error().
|
|
|
|
Caller().
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("client_address", client.Addr.String()).
|
2021-11-13 03:36:45 -05:00
|
|
|
Msg("Authorization token is not supplied")
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-11-13 03:36:45 -05:00
|
|
|
return ctx, status.Errorf(
|
|
|
|
codes.Unauthenticated,
|
|
|
|
"Authorization token is not supplied",
|
|
|
|
)
|
2021-10-29 12:45:06 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
token := authHeader[0]
|
|
|
|
|
|
|
|
if !strings.HasPrefix(token, AUTH_PREFIX) {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("client_address", client.Addr.String()).
|
2021-10-29 12:45:06 -04:00
|
|
|
Msg(`missing "Bearer " prefix in "Authorization" header`)
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-11-13 03:36:45 -05:00
|
|
|
return ctx, status.Error(
|
|
|
|
codes.Unauthenticated,
|
|
|
|
`missing "Bearer " prefix in "Authorization" header`,
|
|
|
|
)
|
2021-10-29 12:45:06 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// TODO(kradalby): Implement API key backend:
|
|
|
|
// - Table in the DB
|
|
|
|
// - Key name
|
|
|
|
// - Encrypted
|
|
|
|
// - Expiry
|
|
|
|
//
|
|
|
|
// Currently all other than localhost traffic is unauthorized, this is intentional to allow
|
|
|
|
// us to make use of gRPC for our CLI, but not having to implement any of the remote capabilities
|
|
|
|
// and API key auth
|
2021-11-13 03:36:45 -05:00
|
|
|
return ctx, status.Error(
|
|
|
|
codes.Unauthenticated,
|
|
|
|
"Authentication is not implemented yet",
|
|
|
|
)
|
2021-10-29 12:45:06 -04:00
|
|
|
|
2021-11-14 12:44:37 -05:00
|
|
|
// if strings.TrimPrefix(token, AUTH_PREFIX) != a.Token {
|
|
|
|
// log.Error().Caller().Str("client_address", p.Addr.String()).Msg("invalid token")
|
|
|
|
// return ctx, status.Error(codes.Unauthenticated, "invalid token")
|
|
|
|
// }
|
2021-10-29 12:45:06 -04:00
|
|
|
|
|
|
|
// return handler(ctx, req)
|
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
func (h *Headscale) httpAuthenticationMiddleware(ctx *gin.Context) {
|
2021-10-29 12:45:06 -04:00
|
|
|
log.Trace().
|
|
|
|
Caller().
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("client_address", ctx.ClientIP()).
|
2021-10-29 12:45:06 -04:00
|
|
|
Msg("HTTP authentication invoked")
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
authHeader := ctx.GetHeader("authorization")
|
2021-10-29 12:45:06 -04:00
|
|
|
|
|
|
|
if !strings.HasPrefix(authHeader, AUTH_PREFIX) {
|
|
|
|
log.Error().
|
|
|
|
Caller().
|
2021-11-14 14:32:03 -05:00
|
|
|
Str("client_address", ctx.ClientIP()).
|
2021-10-29 12:45:06 -04:00
|
|
|
Msg(`missing "Bearer " prefix in "Authorization" header`)
|
2021-11-14 14:32:03 -05:00
|
|
|
ctx.AbortWithStatus(http.StatusUnauthorized)
|
2021-10-29 12:45:06 -04:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
ctx.AbortWithStatus(http.StatusUnauthorized)
|
2021-10-29 12:45:06 -04:00
|
|
|
|
|
|
|
// TODO(kradalby): Implement API key backend
|
|
|
|
// Currently all traffic is unauthorized, this is intentional to allow
|
|
|
|
// us to make use of gRPC for our CLI, but not having to implement any of the remote capabilities
|
|
|
|
// and API key auth
|
|
|
|
//
|
|
|
|
// if strings.TrimPrefix(authHeader, AUTH_PREFIX) != a.Token {
|
|
|
|
// log.Error().Caller().Str("client_address", c.ClientIP()).Msg("invalid token")
|
|
|
|
// c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error", "unauthorized"})
|
|
|
|
|
|
|
|
// return
|
|
|
|
// }
|
|
|
|
|
|
|
|
// c.Next()
|
|
|
|
}
|
|
|
|
|
2021-11-07 04:55:32 -05:00
|
|
|
// ensureUnixSocketIsAbsent will check if the given path for headscales unix socket is clear
|
|
|
|
// and will remove it if it is not.
|
|
|
|
func (h *Headscale) ensureUnixSocketIsAbsent() error {
|
|
|
|
// File does not exist, all fine
|
|
|
|
if _, err := os.Stat(h.cfg.UnixSocket); errors.Is(err, os.ErrNotExist) {
|
|
|
|
return nil
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-11-07 04:55:32 -05:00
|
|
|
return os.Remove(h.cfg.UnixSocket)
|
|
|
|
}
|
|
|
|
|
2021-10-26 16:42:56 -04:00
|
|
|
// Serve launches a GIN server with the Headscale API.
|
2020-06-21 06:32:08 -04:00
|
|
|
func (h *Headscale) Serve() error {
|
2021-10-26 16:42:56 -04:00
|
|
|
var err error
|
|
|
|
|
|
|
|
ctx := context.Background()
|
|
|
|
ctx, cancel := context.WithCancel(ctx)
|
|
|
|
|
|
|
|
defer cancel()
|
|
|
|
|
2021-11-07 04:55:32 -05:00
|
|
|
err = h.ensureUnixSocketIsAbsent()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2021-10-30 10:08:16 -04:00
|
|
|
socketListener, err := net.Listen("unix", h.cfg.UnixSocket)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2021-11-02 17:46:15 -04:00
|
|
|
// Handle common process-killing signals so we can gracefully shut down:
|
|
|
|
sigc := make(chan os.Signal, 1)
|
2021-11-02 17:49:19 -04:00
|
|
|
signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)
|
2021-11-02 17:46:15 -04:00
|
|
|
go func(c chan os.Signal) {
|
|
|
|
// Wait for a SIGINT or SIGKILL:
|
|
|
|
sig := <-c
|
|
|
|
log.Printf("Caught signal %s: shutting down.", sig)
|
|
|
|
// Stop listening (and unlink the socket if unix type):
|
|
|
|
socketListener.Close()
|
|
|
|
// And we're done:
|
|
|
|
os.Exit(0)
|
|
|
|
}(sigc)
|
|
|
|
|
2021-10-30 10:08:16 -04:00
|
|
|
networkListener, err := net.Listen("tcp", h.cfg.Addr)
|
2021-10-26 16:42:56 -04:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create the cmux object that will multiplex 2 protocols on the same port.
|
|
|
|
// The two following listeners will be served on the same port below gracefully.
|
2021-11-14 14:32:03 -05:00
|
|
|
networkMutex := cmux.New(networkListener)
|
2021-10-26 16:42:56 -04:00
|
|
|
// Match gRPC requests here
|
2021-11-14 14:32:03 -05:00
|
|
|
grpcListener := networkMutex.MatchWithWriters(
|
2021-10-29 12:45:06 -04:00
|
|
|
cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc"),
|
2021-11-13 03:36:45 -05:00
|
|
|
cmux.HTTP2MatchHeaderFieldSendSettings(
|
|
|
|
"content-type",
|
|
|
|
"application/grpc+proto",
|
|
|
|
),
|
2021-10-29 12:45:06 -04:00
|
|
|
)
|
2021-10-26 16:42:56 -04:00
|
|
|
// Otherwise match regular http requests.
|
2021-11-14 14:32:03 -05:00
|
|
|
httpListener := networkMutex.Match(cmux.Any())
|
2021-10-26 16:42:56 -04:00
|
|
|
|
|
|
|
grpcGatewayMux := runtime.NewServeMux()
|
|
|
|
|
2021-10-30 10:08:16 -04:00
|
|
|
// Make the grpc-gateway connect to grpc over socket
|
|
|
|
grpcGatewayConn, err := grpc.Dial(
|
|
|
|
h.cfg.UnixSocket,
|
|
|
|
[]grpc.DialOption{
|
|
|
|
grpc.WithInsecure(),
|
2021-10-30 10:29:03 -04:00
|
|
|
grpc.WithContextDialer(GrpcSocketDialer),
|
2021-10-30 10:08:16 -04:00
|
|
|
}...,
|
|
|
|
)
|
2021-10-29 12:45:06 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-10-29 12:45:06 -04:00
|
|
|
// Connect to the gRPC server over localhost to skip
|
|
|
|
// the authentication.
|
2021-11-04 18:18:55 -04:00
|
|
|
err = v1.RegisterHeadscaleServiceHandler(ctx, grpcGatewayMux, grpcGatewayConn)
|
2021-10-26 16:42:56 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
router := gin.Default()
|
2021-10-04 12:28:07 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
prometheus := ginprometheus.NewPrometheus("gin")
|
|
|
|
prometheus.Use(router)
|
2021-10-04 12:28:07 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
router.GET(
|
2021-11-13 03:36:45 -05:00
|
|
|
"/health",
|
|
|
|
func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"healthy": "ok"}) },
|
|
|
|
)
|
2021-11-14 14:32:03 -05:00
|
|
|
router.GET("/key", h.KeyHandler)
|
|
|
|
router.GET("/register", h.RegisterWebAPI)
|
|
|
|
router.POST("/machine/:id/map", h.PollNetMapHandler)
|
|
|
|
router.POST("/machine/:id", h.RegistrationHandler)
|
|
|
|
router.GET("/oidc/register/:mkey", h.RegisterOIDC)
|
|
|
|
router.GET("/oidc/callback", h.OIDCCallback)
|
|
|
|
router.GET("/apple", h.AppleMobileConfig)
|
|
|
|
router.GET("/apple/:platform", h.ApplePlatformConfig)
|
|
|
|
router.GET("/swagger", SwaggerUI)
|
|
|
|
router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
|
|
|
|
|
|
|
|
api := router.Group("/api")
|
2021-10-29 12:45:06 -04:00
|
|
|
api.Use(h.httpAuthenticationMiddleware)
|
|
|
|
{
|
|
|
|
api.Any("/v1/*any", gin.WrapF(grpcGatewayMux.ServeHTTP))
|
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
router.NoRoute(stdoutHandler)
|
2021-07-25 11:59:48 -04:00
|
|
|
|
2021-10-22 12:55:14 -04:00
|
|
|
// Fetch an initial DERP Map before we start serving
|
|
|
|
h.DERPMap = GetDERPMap(h.cfg.DERP)
|
|
|
|
|
|
|
|
if h.cfg.DERP.AutoUpdate {
|
|
|
|
derpMapCancelChannel := make(chan struct{})
|
|
|
|
defer func() { derpMapCancelChannel <- struct{}{} }()
|
|
|
|
go h.scheduledDERPMapUpdateWorker(derpMapCancelChannel)
|
|
|
|
}
|
|
|
|
|
2021-10-26 16:42:56 -04:00
|
|
|
// I HATE THIS
|
2021-11-14 12:31:51 -05:00
|
|
|
go h.watchForKVUpdates(UPDATE_RATE_MILLISECONDS)
|
|
|
|
go h.expireEphemeralNodes(UPDATE_RATE_MILLISECONDS)
|
2021-10-26 16:42:56 -04:00
|
|
|
|
|
|
|
httpServer := &http.Server{
|
2021-10-02 10:29:27 -04:00
|
|
|
Addr: h.cfg.Addr,
|
2021-11-14 14:32:03 -05:00
|
|
|
Handler: router,
|
2021-11-14 12:31:51 -05:00
|
|
|
ReadTimeout: HTTP_READ_TIMEOUT,
|
2021-10-02 10:29:27 -04:00
|
|
|
// Go does not handle timeouts in HTTP very well, and there is
|
|
|
|
// no good way to handle streaming timeouts, therefore we need to
|
|
|
|
// keep this at unlimited and be careful to clean up connections
|
|
|
|
// https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/#aboutstreaming
|
|
|
|
WriteTimeout: 0,
|
2021-08-18 18:21:11 -04:00
|
|
|
}
|
|
|
|
|
2021-11-08 17:06:25 -05:00
|
|
|
if zl.GlobalLevel() == zl.TraceLevel {
|
|
|
|
zerolog.RespLog = true
|
|
|
|
} else {
|
|
|
|
zerolog.RespLog = false
|
|
|
|
}
|
|
|
|
|
2021-10-29 12:45:06 -04:00
|
|
|
grpcOptions := []grpc.ServerOption{
|
|
|
|
grpc.UnaryInterceptor(
|
2021-11-04 18:18:55 -04:00
|
|
|
grpc_middleware.ChainUnaryServer(
|
|
|
|
h.grpcAuthenticationInterceptor,
|
|
|
|
zerolog.NewUnaryServerInterceptor(),
|
|
|
|
),
|
2021-10-29 12:45:06 -04:00
|
|
|
),
|
|
|
|
}
|
|
|
|
|
2021-10-26 16:42:56 -04:00
|
|
|
tlsConfig, err := h.getTLSSettings()
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Err(err).Msg("Failed to set up TLS configuration")
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if tlsConfig != nil {
|
|
|
|
httpServer.TLSConfig = tlsConfig
|
2021-10-29 12:45:06 -04:00
|
|
|
|
|
|
|
grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(tlsConfig)))
|
2021-10-26 16:42:56 -04:00
|
|
|
}
|
|
|
|
|
2021-10-29 12:45:06 -04:00
|
|
|
grpcServer := grpc.NewServer(grpcOptions...)
|
|
|
|
|
2021-10-31 15:52:34 -04:00
|
|
|
// Start the local gRPC server without TLS and without authentication
|
2021-11-04 18:18:55 -04:00
|
|
|
grpcSocket := grpc.NewServer(zerolog.UnaryInterceptor())
|
2021-10-31 15:52:34 -04:00
|
|
|
|
2021-11-04 18:18:55 -04:00
|
|
|
v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
|
|
|
|
v1.RegisterHeadscaleServiceServer(grpcSocket, newHeadscaleV1APIServer(h))
|
2021-10-29 12:45:06 -04:00
|
|
|
reflection.Register(grpcServer)
|
2021-10-31 15:52:34 -04:00
|
|
|
reflection.Register(grpcSocket)
|
2021-10-29 12:45:06 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
errorGroup := new(errgroup.Group)
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
errorGroup.Go(func() error { return grpcSocket.Serve(socketListener) })
|
2021-10-31 12:34:20 -04:00
|
|
|
|
|
|
|
// TODO(kradalby): Verify if we need the same TLS setup for gRPC as HTTP
|
2021-11-14 14:32:03 -05:00
|
|
|
errorGroup.Go(func() error { return grpcServer.Serve(grpcListener) })
|
2021-10-31 12:19:38 -04:00
|
|
|
|
|
|
|
if tlsConfig != nil {
|
2021-11-14 14:32:03 -05:00
|
|
|
errorGroup.Go(func() error {
|
2021-10-31 12:19:38 -04:00
|
|
|
tlsl := tls.NewListener(httpListener, tlsConfig)
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-10-31 12:19:38 -04:00
|
|
|
return httpServer.Serve(tlsl)
|
|
|
|
})
|
|
|
|
} else {
|
2021-11-14 14:32:03 -05:00
|
|
|
errorGroup.Go(func() error { return httpServer.Serve(httpListener) })
|
2021-10-31 12:19:38 -04:00
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
errorGroup.Go(func() error { return networkMutex.Serve() })
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-13 03:36:45 -05:00
|
|
|
log.Info().
|
|
|
|
Msgf("listening and serving (multiplexed HTTP and gRPC) on: %s", h.cfg.Addr)
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
return errorGroup.Wait()
|
2021-10-26 16:42:56 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
func (h *Headscale) getTLSSettings() (*tls.Config, error) {
|
2021-11-14 11:51:34 -05:00
|
|
|
var err error
|
2021-04-23 22:54:15 -04:00
|
|
|
if h.cfg.TLSLetsEncryptHostname != "" {
|
|
|
|
if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
|
2021-11-13 03:36:45 -05:00
|
|
|
log.Warn().
|
|
|
|
Msg("Listening with TLS but ServerURL does not start with https://")
|
2021-04-23 22:54:15 -04:00
|
|
|
}
|
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
certManager := autocert.Manager{
|
2021-04-23 22:54:15 -04:00
|
|
|
Prompt: autocert.AcceptTOS,
|
|
|
|
HostPolicy: autocert.HostWhitelist(h.cfg.TLSLetsEncryptHostname),
|
|
|
|
Cache: autocert.DirCache(h.cfg.TLSLetsEncryptCacheDir),
|
2021-10-03 14:26:38 -04:00
|
|
|
Client: &acme.Client{
|
|
|
|
DirectoryURL: h.cfg.ACMEURL,
|
|
|
|
},
|
|
|
|
Email: h.cfg.ACMEEmail,
|
2021-04-23 22:54:15 -04:00
|
|
|
}
|
2021-10-02 10:29:27 -04:00
|
|
|
|
2021-11-14 12:44:37 -05:00
|
|
|
switch h.cfg.TLSLetsEncryptChallengeType {
|
|
|
|
case "TLS-ALPN-01":
|
2021-04-23 22:54:15 -04:00
|
|
|
// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
|
|
|
|
// The RFC requires that the validation is done on port 443; in other words, headscale
|
2021-07-24 09:01:20 -04:00
|
|
|
// must be reachable on port 443.
|
2021-11-14 14:32:03 -05:00
|
|
|
return certManager.TLSConfig(), nil
|
2021-11-14 12:44:37 -05:00
|
|
|
|
|
|
|
case "HTTP-01":
|
2021-04-23 22:54:15 -04:00
|
|
|
// Configuration via autocert with HTTP-01. This requires listening on
|
|
|
|
// port 80 for the certificate validation in addition to the headscale
|
|
|
|
// service, which can be configured to run on any other port.
|
|
|
|
go func() {
|
2021-08-05 13:11:26 -04:00
|
|
|
log.Fatal().
|
2021-11-14 14:32:03 -05:00
|
|
|
Err(http.ListenAndServe(h.cfg.TLSLetsEncryptListen, certManager.HTTPHandler(http.HandlerFunc(h.redirect)))).
|
2021-08-05 13:11:26 -04:00
|
|
|
Msg("failed to set up a HTTP server")
|
2021-04-23 22:54:15 -04:00
|
|
|
}()
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
return certManager.TLSConfig(), nil
|
2021-11-14 12:44:37 -05:00
|
|
|
|
|
|
|
default:
|
2021-10-26 16:42:56 -04:00
|
|
|
return nil, errors.New("unknown value for TLSLetsEncryptChallengeType")
|
2021-04-23 22:54:15 -04:00
|
|
|
}
|
|
|
|
} else if h.cfg.TLSCertPath == "" {
|
2021-04-23 16:54:35 -04:00
|
|
|
if !strings.HasPrefix(h.cfg.ServerURL, "http://") {
|
2021-08-05 13:11:26 -04:00
|
|
|
log.Warn().Msg("Listening without TLS but ServerURL does not start with http://")
|
2021-04-23 16:54:35 -04:00
|
|
|
}
|
2021-10-26 16:42:56 -04:00
|
|
|
|
2021-11-14 11:51:34 -05:00
|
|
|
return nil, err
|
2021-04-23 16:54:35 -04:00
|
|
|
} else {
|
|
|
|
if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
|
2021-08-05 13:11:26 -04:00
|
|
|
log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
|
2021-04-23 16:54:35 -04:00
|
|
|
}
|
2021-10-26 16:42:56 -04:00
|
|
|
tlsConfig := &tls.Config{}
|
|
|
|
tlsConfig.ClientAuth = tls.RequireAnyClientCert
|
|
|
|
tlsConfig.NextProtos = []string{"http/1.1"}
|
|
|
|
tlsConfig.Certificates = make([]tls.Certificate, 1)
|
|
|
|
tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
|
|
|
|
|
|
|
|
return tlsConfig, err
|
2021-04-23 16:54:35 -04:00
|
|
|
}
|
2020-06-21 06:32:08 -04:00
|
|
|
}
|
2021-08-18 18:21:11 -04:00
|
|
|
|
2021-08-19 13:19:26 -04:00
|
|
|
func (h *Headscale) setLastStateChangeToNow(namespace string) {
|
2021-08-18 18:21:11 -04:00
|
|
|
now := time.Now().UTC()
|
2021-10-04 12:28:07 -04:00
|
|
|
lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix()))
|
2021-08-19 13:19:26 -04:00
|
|
|
h.lastStateChange.Store(namespace, now)
|
2021-08-18 18:21:11 -04:00
|
|
|
}
|
|
|
|
|
2021-10-06 18:06:07 -04:00
|
|
|
func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
|
|
|
|
times := []time.Time{}
|
|
|
|
|
|
|
|
for _, namespace := range namespaces {
|
|
|
|
if wrapped, ok := h.lastStateChange.Load(namespace); ok {
|
|
|
|
lastChange, _ := wrapped.(time.Time)
|
|
|
|
|
|
|
|
times = append(times, lastChange)
|
|
|
|
}
|
2021-08-19 13:19:26 -04:00
|
|
|
}
|
|
|
|
|
2021-10-06 18:06:07 -04:00
|
|
|
sort.Slice(times, func(i, j int) bool {
|
|
|
|
return times[i].After(times[j])
|
|
|
|
})
|
|
|
|
|
|
|
|
log.Trace().Msgf("Latest times %#v", times)
|
|
|
|
|
|
|
|
if len(times) == 0 {
|
|
|
|
return time.Now().UTC()
|
|
|
|
} else {
|
|
|
|
return times[0]
|
|
|
|
}
|
2021-08-18 18:21:11 -04:00
|
|
|
}
|
2021-10-29 12:45:06 -04:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
func stdoutHandler(ctx *gin.Context) {
|
|
|
|
body, _ := io.ReadAll(ctx.Request.Body)
|
2021-10-29 12:45:06 -04:00
|
|
|
|
|
|
|
log.Trace().
|
2021-11-14 14:32:03 -05:00
|
|
|
Interface("header", ctx.Request.Header).
|
|
|
|
Interface("proto", ctx.Request.Proto).
|
|
|
|
Interface("url", ctx.Request.URL).
|
|
|
|
Bytes("body", body).
|
2021-10-29 12:45:06 -04:00
|
|
|
Msg("Request did not match")
|
|
|
|
}
|