2023-05-10 03:24:05 -04:00
|
|
|
package hscontrol
|
2021-02-27 18:58:09 -05:00
|
|
|
|
|
|
|
|
import (
|
2021-06-24 09:44:19 -04:00
|
|
|
"errors"
|
2022-02-22 06:45:50 -05:00
|
|
|
"fmt"
|
|
|
|
|
"regexp"
|
2021-11-04 18:15:17 -04:00
|
|
|
"strconv"
|
2022-02-22 06:45:50 -05:00
|
|
|
"strings"
|
2021-02-27 18:58:09 -05:00
|
|
|
"time"
|
|
|
|
|
|
2021-11-04 18:15:17 -04:00
|
|
|
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
|
2023-05-11 03:09:18 -04:00
|
|
|
"github.com/juanfont/headscale/hscontrol/util"
|
2021-08-05 13:23:02 -04:00
|
|
|
"github.com/rs/zerolog/log"
|
2021-11-04 18:15:17 -04:00
|
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
2021-06-24 09:44:19 -04:00
|
|
|
"gorm.io/gorm"
|
2021-02-27 18:58:09 -05:00
|
|
|
"tailscale.com/tailcfg"
|
|
|
|
|
)
|
|
|
|
|
|
2023-05-11 03:09:18 -04:00
|
|
|
var (
|
|
|
|
|
ErrUserExists = errors.New("user already exists")
|
|
|
|
|
ErrUserNotFound = errors.New("user not found")
|
|
|
|
|
ErrUserStillHasNodes = errors.New("user not empty: node(s) found")
|
|
|
|
|
ErrInvalidUserName = errors.New("invalid user name")
|
2021-11-04 18:15:17 -04:00
|
|
|
)
|
2021-05-09 11:12:05 -04:00
|
|
|
|
2022-02-22 15:05:39 -05:00
|
|
|
const (
|
|
|
|
|
// value related to RFC 1123 and 952.
|
|
|
|
|
labelHostnameLength = 63
|
|
|
|
|
)
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
var invalidCharsInUserRegex = regexp.MustCompile("[^a-z0-9-.]+")
|
2022-02-22 06:45:50 -05:00
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// User is the way Headscale implements the concept of users in Tailscale
|
2021-02-27 18:58:09 -05:00
|
|
|
//
|
2023-01-17 11:43:44 -05:00
|
|
|
// At the end of the day, users in Tailscale are some kind of 'bubbles' or users
|
2021-02-27 18:58:09 -05:00
|
|
|
// that contain our machines.
|
2023-01-17 11:43:44 -05:00
|
|
|
type User struct {
|
2021-02-27 18:58:09 -05:00
|
|
|
gorm.Model
|
|
|
|
|
Name string `gorm:"unique"`
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// CreateUser creates a new User. Returns error if could not be created
|
|
|
|
|
// or another user already exists.
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) CreateUser(name string) (*User, error) {
|
2022-03-07 16:55:54 -05:00
|
|
|
err := CheckForFQDNRules(name)
|
2022-02-22 06:45:50 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2023-01-17 11:43:44 -05:00
|
|
|
user := User{}
|
2023-05-11 03:09:18 -04:00
|
|
|
if err := hsdb.db.Where("name = ?", name).First(&user).Error; err == nil {
|
2023-01-17 11:43:44 -05:00
|
|
|
return nil, ErrUserExists
|
2021-02-27 18:58:09 -05:00
|
|
|
}
|
2023-01-17 11:43:44 -05:00
|
|
|
user.Name = name
|
2023-05-11 03:09:18 -04:00
|
|
|
if err := hsdb.db.Create(&user).Error; err != nil {
|
2021-08-05 13:23:02 -04:00
|
|
|
log.Error().
|
2023-01-17 11:43:44 -05:00
|
|
|
Str("func", "CreateUser").
|
2021-08-05 13:23:02 -04:00
|
|
|
Err(err).
|
|
|
|
|
Msg("Could not create row")
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-02-27 18:58:09 -05:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
return &user, nil
|
2021-02-27 18:58:09 -05:00
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// DestroyUser destroys a User. Returns error if the User does
|
2021-05-09 11:12:05 -04:00
|
|
|
// not exist or if there are machines associated with it.
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) DestroyUser(name string) error {
|
|
|
|
|
user, err := hsdb.GetUser(name)
|
2021-05-09 11:12:05 -04:00
|
|
|
if err != nil {
|
2023-01-17 11:43:44 -05:00
|
|
|
return ErrUserNotFound
|
2021-05-09 11:12:05 -04:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 03:09:18 -04:00
|
|
|
machines, err := hsdb.ListMachinesByUser(name)
|
2021-05-09 11:12:05 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2021-11-14 14:32:03 -05:00
|
|
|
if len(machines) > 0 {
|
2023-01-17 11:43:44 -05:00
|
|
|
return ErrUserStillHasNodes
|
2021-11-13 14:01:05 -05:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 03:09:18 -04:00
|
|
|
keys, err := hsdb.ListPreAuthKeys(name)
|
2021-11-13 14:01:05 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2021-11-14 14:32:03 -05:00
|
|
|
for _, key := range keys {
|
2023-05-11 03:09:18 -04:00
|
|
|
err = hsdb.DestroyPreAuthKey(key)
|
2021-11-13 15:24:32 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2021-05-09 11:12:05 -04:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 03:09:18 -04:00
|
|
|
if result := hsdb.db.Unscoped().Delete(&user); result.Error != nil {
|
2021-10-16 11:14:37 -04:00
|
|
|
return result.Error
|
2021-05-09 11:12:05 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// RenameUser renames a User. Returns error if the User does
|
|
|
|
|
// not exist or if another User exists with the new name.
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) RenameUser(oldName, newName string) error {
|
2022-02-22 06:45:50 -05:00
|
|
|
var err error
|
2023-05-11 03:09:18 -04:00
|
|
|
oldUser, err := hsdb.GetUser(oldName)
|
2021-10-16 11:20:06 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-03-07 16:55:54 -05:00
|
|
|
err = CheckForFQDNRules(newName)
|
2022-02-22 06:45:50 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2023-05-11 03:09:18 -04:00
|
|
|
_, err = hsdb.GetUser(newName)
|
2021-10-16 11:20:06 -04:00
|
|
|
if err == nil {
|
2023-01-17 11:43:44 -05:00
|
|
|
return ErrUserExists
|
2021-10-16 11:20:06 -04:00
|
|
|
}
|
2023-01-17 11:43:44 -05:00
|
|
|
if !errors.Is(err, ErrUserNotFound) {
|
2021-10-16 11:20:06 -04:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
oldUser.Name = newName
|
2021-10-16 11:20:06 -04:00
|
|
|
|
2023-05-11 03:09:18 -04:00
|
|
|
if result := hsdb.db.Save(&oldUser); result.Error != nil {
|
2021-10-16 11:20:06 -04:00
|
|
|
return result.Error
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-09 11:12:05 -04:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// GetUser fetches a user by name.
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) GetUser(name string) (*User, error) {
|
2023-01-17 11:43:44 -05:00
|
|
|
user := User{}
|
2023-05-11 03:09:18 -04:00
|
|
|
if result := hsdb.db.First(&user, "name = ?", name); errors.Is(
|
2021-11-13 03:36:45 -05:00
|
|
|
result.Error,
|
|
|
|
|
gorm.ErrRecordNotFound,
|
|
|
|
|
) {
|
2023-01-17 11:43:44 -05:00
|
|
|
return nil, ErrUserNotFound
|
2021-02-27 18:58:09 -05:00
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
return &user, nil
|
2021-02-27 18:58:09 -05:00
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// ListUsers gets all the existing users.
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) ListUsers() ([]User, error) {
|
2023-01-17 11:43:44 -05:00
|
|
|
users := []User{}
|
2023-05-11 03:09:18 -04:00
|
|
|
if err := hsdb.db.Find(&users).Error; err != nil {
|
2021-02-27 18:58:09 -05:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
return users, nil
|
2021-02-27 18:58:09 -05:00
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// ListMachinesByUser gets all the nodes in a given user.
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) ListMachinesByUser(name string) ([]Machine, error) {
|
2022-03-07 16:55:54 -05:00
|
|
|
err := CheckForFQDNRules(name)
|
2022-02-22 06:45:50 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2023-05-11 03:09:18 -04:00
|
|
|
user, err := hsdb.GetUser(name)
|
2021-02-27 18:58:09 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
machines := []Machine{}
|
2023-05-11 03:09:18 -04:00
|
|
|
if err := hsdb.db.Preload("AuthKey").Preload("AuthKey.User").Preload("User").Where(&Machine{UserID: user.ID}).Find(&machines).Error; err != nil {
|
2021-02-27 18:58:09 -05:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-11-04 18:15:17 -04:00
|
|
|
return machines, nil
|
2021-02-27 18:58:09 -05:00
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// SetMachineUser assigns a Machine to a user.
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) SetMachineUser(machine *Machine, username string) error {
|
2023-01-17 11:43:44 -05:00
|
|
|
err := CheckForFQDNRules(username)
|
2022-02-22 06:45:50 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2023-05-11 03:09:18 -04:00
|
|
|
user, err := hsdb.GetUser(username)
|
2021-02-27 18:58:09 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2023-01-17 11:43:44 -05:00
|
|
|
machine.User = *user
|
2023-05-11 03:09:18 -04:00
|
|
|
if result := hsdb.db.Save(&machine); result.Error != nil {
|
2022-05-02 05:47:21 -04:00
|
|
|
return result.Error
|
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-02-27 18:58:09 -05:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
func (n *User) toTailscaleUser() *tailcfg.User {
|
2021-11-14 14:32:03 -05:00
|
|
|
user := tailcfg.User{
|
2021-02-27 18:58:09 -05:00
|
|
|
ID: tailcfg.UserID(n.ID),
|
2021-07-11 10:39:19 -04:00
|
|
|
LoginName: n.Name,
|
2021-02-27 18:58:09 -05:00
|
|
|
DisplayName: n.Name,
|
|
|
|
|
ProfilePicURL: "",
|
2021-07-11 10:39:19 -04:00
|
|
|
Domain: "headscale.net",
|
2021-02-27 18:58:09 -05:00
|
|
|
Logins: []tailcfg.LoginID{},
|
|
|
|
|
Created: time.Time{},
|
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
return &user
|
2021-02-27 18:58:09 -05:00
|
|
|
}
|
2021-10-15 11:09:55 -04:00
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
func (n *User) toTailscaleLogin() *tailcfg.Login {
|
2021-11-14 14:32:03 -05:00
|
|
|
login := tailcfg.Login{
|
2021-10-15 11:09:55 -04:00
|
|
|
ID: tailcfg.LoginID(n.ID),
|
|
|
|
|
LoginName: n.Name,
|
|
|
|
|
DisplayName: n.Name,
|
|
|
|
|
ProfilePicURL: "",
|
|
|
|
|
Domain: "headscale.net",
|
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-11-14 14:32:03 -05:00
|
|
|
return &login
|
2021-10-15 11:09:55 -04:00
|
|
|
}
|
2021-10-19 10:26:18 -04:00
|
|
|
|
2023-05-11 03:09:18 -04:00
|
|
|
func (hsdb *HSDatabase) getMapResponseUserProfiles(
|
2022-11-22 11:36:19 -05:00
|
|
|
machine Machine,
|
|
|
|
|
peers Machines,
|
|
|
|
|
) []tailcfg.UserProfile {
|
2023-01-17 11:43:44 -05:00
|
|
|
userMap := make(map[string]User)
|
|
|
|
|
userMap[machine.User.Name] = machine.User
|
2021-11-14 14:32:03 -05:00
|
|
|
for _, peer := range peers {
|
2023-01-17 11:43:44 -05:00
|
|
|
userMap[peer.User.Name] = peer.User // not worth checking if already is there
|
2021-10-17 17:58:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
profiles := []tailcfg.UserProfile{}
|
2023-01-17 11:43:44 -05:00
|
|
|
for _, user := range userMap {
|
|
|
|
|
displayName := user.Name
|
2022-11-22 11:36:19 -05:00
|
|
|
|
2023-05-11 03:09:18 -04:00
|
|
|
if hsdb.baseDomain != "" {
|
|
|
|
|
displayName = fmt.Sprintf("%s@%s", user.Name, hsdb.baseDomain)
|
2022-11-22 11:36:19 -05:00
|
|
|
}
|
|
|
|
|
|
2021-10-17 17:58:09 -04:00
|
|
|
profiles = append(profiles,
|
|
|
|
|
tailcfg.UserProfile{
|
2023-01-17 11:43:44 -05:00
|
|
|
ID: tailcfg.UserID(user.ID),
|
|
|
|
|
LoginName: user.Name,
|
2022-11-22 11:36:19 -05:00
|
|
|
DisplayName: displayName,
|
2021-10-17 17:58:09 -04:00
|
|
|
})
|
|
|
|
|
}
|
2021-11-14 10:46:09 -05:00
|
|
|
|
2021-10-17 17:58:09 -04:00
|
|
|
return profiles
|
|
|
|
|
}
|
2021-11-04 18:15:17 -04:00
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
func (n *User) toProto() *v1.User {
|
|
|
|
|
return &v1.User{
|
2023-05-11 03:09:18 -04:00
|
|
|
Id: strconv.FormatUint(uint64(n.ID), util.Base10),
|
2021-11-04 18:15:17 -04:00
|
|
|
Name: n.Name,
|
|
|
|
|
CreatedAt: timestamppb.New(n.CreatedAt),
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-02-22 06:45:50 -05:00
|
|
|
|
2023-01-17 11:43:44 -05:00
|
|
|
// NormalizeToFQDNRules will replace forbidden chars in user
|
|
|
|
|
// it can also return an error if the user doesn't respect RFC 952 and 1123.
|
2022-03-07 16:55:54 -05:00
|
|
|
func NormalizeToFQDNRules(name string, stripEmailDomain bool) (string, error) {
|
2022-02-22 06:45:50 -05:00
|
|
|
name = strings.ToLower(name)
|
|
|
|
|
name = strings.ReplaceAll(name, "'", "")
|
2022-02-23 08:28:20 -05:00
|
|
|
atIdx := strings.Index(name, "@")
|
|
|
|
|
if stripEmailDomain && atIdx > 0 {
|
|
|
|
|
name = name[:atIdx]
|
2022-02-23 08:03:07 -05:00
|
|
|
} else {
|
|
|
|
|
name = strings.ReplaceAll(name, "@", ".")
|
|
|
|
|
}
|
2023-01-17 11:43:44 -05:00
|
|
|
name = invalidCharsInUserRegex.ReplaceAllString(name, "-")
|
2022-02-22 06:45:50 -05:00
|
|
|
|
|
|
|
|
for _, elt := range strings.Split(name, ".") {
|
2022-02-22 15:05:39 -05:00
|
|
|
if len(elt) > labelHostnameLength {
|
2022-02-22 06:45:50 -05:00
|
|
|
return "", fmt.Errorf(
|
|
|
|
|
"label %v is more than 63 chars: %w",
|
|
|
|
|
elt,
|
2023-01-17 11:43:44 -05:00
|
|
|
ErrInvalidUserName,
|
2022-02-22 06:45:50 -05:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return name, nil
|
|
|
|
|
}
|
2022-02-23 05:07:24 -05:00
|
|
|
|
2022-03-07 16:55:54 -05:00
|
|
|
func CheckForFQDNRules(name string) error {
|
2022-02-23 05:07:24 -05:00
|
|
|
if len(name) > labelHostnameLength {
|
|
|
|
|
return fmt.Errorf(
|
2022-05-16 14:31:32 -04:00
|
|
|
"DNS segment must not be over 63 chars. %v doesn't comply with this rule: %w",
|
2022-02-23 05:07:24 -05:00
|
|
|
name,
|
2023-01-17 11:43:44 -05:00
|
|
|
ErrInvalidUserName,
|
2022-02-23 05:07:24 -05:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
if strings.ToLower(name) != name {
|
|
|
|
|
return fmt.Errorf(
|
2022-05-16 14:31:32 -04:00
|
|
|
"DNS segment should be lowercase. %v doesn't comply with this rule: %w",
|
2022-02-23 05:07:24 -05:00
|
|
|
name,
|
2023-01-17 11:43:44 -05:00
|
|
|
ErrInvalidUserName,
|
2022-02-23 05:07:24 -05:00
|
|
|
)
|
|
|
|
|
}
|
2023-01-17 11:43:44 -05:00
|
|
|
if invalidCharsInUserRegex.MatchString(name) {
|
2022-02-23 05:07:24 -05:00
|
|
|
return fmt.Errorf(
|
2022-05-16 14:31:32 -04:00
|
|
|
"DNS segment should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with theses rules: %w",
|
2022-02-23 05:07:24 -05:00
|
|
|
name,
|
2023-01-17 11:43:44 -05:00
|
|
|
ErrInvalidUserName,
|
2022-02-23 05:07:24 -05:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
