headscale/app.go

package headscale
import (
"errors"
"fmt"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/patrickmn/go-cache"
"golang.org/x/oauth2"
"net/http"
"os"
"strings"
"sync"
"time"
"github.com/rs/zerolog/log"
"github.com/gin-gonic/gin"
"golang.org/x/crypto/acme/autocert"
"gorm.io/gorm"
"inet.af/netaddr"
"tailscale.com/tailcfg"
"tailscale.com/types/wgkey"
)
// Config contains the initial Headscale configuration
type Config struct {
	// ServerURL is the public base URL handed to clients. redirect() prefixes
	// it to the request URI, and Serve() warns when its scheme does not match
	// the listener (http:// vs https://).
	ServerURL string
	// Addr is the listen address of the main HTTP(S) server.
	Addr string
	// PrivateKeyPath is the file the WireGuard private key is read from in
	// NewHeadscale; that key is the server's long-term identity.
	PrivateKeyPath string
	// DerpMap is not referenced in this file.
	DerpMap *tailcfg.DERPMap
	// EphemeralNodeInactivityTimeout: a machine registered with an ephemeral
	// auth key whose LastSeen is older than this is hard-deleted by
	// expireEphemeralNodesWorker.
	EphemeralNodeInactivityTimeout time.Duration
	// IPPrefix is not referenced in this file.
	IPPrefix netaddr.IPPrefix

	// DBtype selects the backend: "postgres" or "sqlite3"; any other value
	// makes NewHeadscale fail.
	DBtype string
	// DBpath is the sqlite3 database file (used as the connection string as-is).
	DBpath string

	// Postgres connection parameters. NOTE(review): NewHeadscale joins them
	// into a plain key=value DSN with sslmode=disable hard-coded, so DBpass is
	// embedded unescaped and the database connection is not TLS-protected.
	DBhost string
	DBport int
	DBname string
	DBuser string
	DBpass string

	// Let's Encrypt (autocert) settings, active when TLSLetsEncryptHostname is
	// non-empty. TLSLetsEncryptListen is the plain-HTTP address used only by
	// the HTTP-01 challenge; TLSLetsEncryptChallengeType is "TLS-ALPN-01" or
	// "HTTP-01"; TLSLetsEncryptCacheDir stores the obtained certificates.
	TLSLetsEncryptListen string
	TLSLetsEncryptHostname string
	TLSLetsEncryptCacheDir string
	TLSLetsEncryptChallengeType string
	// Static certificate/key files, used when no Let's Encrypt hostname is
	// set; an empty TLSCertPath means plain HTTP.
	TLSCertPath string
	TLSKeyPath string

	// DNSConfig is not referenced in this file.
	DNSConfig *tailcfg.DNSConfig

	// OIDC settings. OIDC is initialised only when OIDCIssuer is non-empty;
	// OIDCClientSecret is a credential and should be treated as such.
	OIDCIssuer string
	OIDCClientID string
	OIDCClientSecret string

	// Machine expiry bounds; not referenced in this file.
	MaxMachineExpiry time.Duration
	DefaultMachineExpiry time.Duration
}
// Headscale represents the base app of the service
type Headscale struct {
	// cfg is the configuration passed to NewHeadscale.
	cfg Config
	// db is the gorm handle; expected to be set by initDB (defined elsewhere).
	db *gorm.DB
	// dbString is the driver connection string built in NewHeadscale and
	// dbType mirrors cfg.DBtype. dbDebug is not referenced in this file.
	dbString string
	dbType string
	dbDebug bool
	// WireGuard key pair loaded from cfg.PrivateKeyPath; publicKey is derived
	// from privateKey in NewHeadscale.
	publicKey *wgkey.Key
	privateKey *wgkey.Private
	// aclPolicy is not referenced in this file. aclRules is initialised to
	// tailcfg.FilterAllowAll in NewHeadscale (the "allow all" default).
	aclPolicy *ACLPolicy
	aclRules *[]tailcfg.FilterRule
	// Per-client update channels and their guard; not referenced in this file.
	clientsUpdateChannels sync.Map
	clientsUpdateChannelMutex sync.Mutex
	// lastStateChange maps namespace name -> time.Time of the last recorded
	// state change (see setLastStateChangeToNow / getLastStateChange).
	lastStateChange sync.Map
	// OIDC state, populated by initOIDC (defined elsewhere) when
	// cfg.OIDCIssuer is set. NOTE(review): oidcStateCache presumably holds
	// in-flight login state values — confirm in initOIDC.
	oidcProvider *oidc.Provider
	oauth2Config *oauth2.Config
	oidcStateCache *cache.Cache
}
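// NewHeadscale returns the Headscale app
//
// It reads the WireGuard private key from cfg.PrivateKeyPath and derives the
// public key, builds the database connection string for cfg.DBtype, opens the
// database via initDB and, when cfg.OIDCIssuer is set, initialises OIDC via
// initOIDC. Every error is wrapped with the step that failed so the caller can
// tell a missing key file from a database problem.
func NewHeadscale(cfg Config) (*Headscale, error) {
	content, err := os.ReadFile(cfg.PrivateKeyPath)
	if err != nil {
		return nil, fmt.Errorf("reading private key %q: %w", cfg.PrivateKeyPath, err)
	}
	privKey, err := wgkey.ParsePrivate(string(content))
	if err != nil {
		return nil, fmt.Errorf("parsing private key %q: %w", cfg.PrivateKeyPath, err)
	}
	pubKey := privKey.Public()

	dbString, err := dbConnectionString(cfg)
	if err != nil {
		return nil, err
	}

	h := Headscale{
		cfg:        cfg,
		dbType:     cfg.DBtype,
		dbString:   dbString,
		privateKey: privKey,
		publicKey:  &pubKey,
		aclRules:   &tailcfg.FilterAllowAll, // default allowall
	}

	if err := h.initDB(); err != nil {
		return nil, fmt.Errorf("initialising database: %w", err)
	}

	if cfg.OIDCIssuer != "" {
		if err := h.initOIDC(); err != nil {
			return nil, fmt.Errorf("initialising OIDC: %w", err)
		}
	}

	return &h, nil
}

// dbConnectionString builds the driver connection string for cfg.DBtype.
//
// "postgres" yields a libpq-style key=value DSN. NOTE(review): the values are
// not quoted or escaped and sslmode=disable is hard-coded, so a DBpass with
// spaces or quotes is not safe here and the connection is unencrypted.
// "sqlite3" uses cfg.DBpath verbatim. Any other type is an error.
func dbConnectionString(cfg Config) (string, error) {
	switch cfg.DBtype {
	case "postgres":
		return fmt.Sprintf("host=%s port=%d dbname=%s user=%s password=%s sslmode=disable",
			cfg.DBhost, cfg.DBport, cfg.DBname, cfg.DBuser, cfg.DBpass), nil
	case "sqlite3":
		return cfg.DBpath, nil
	default:
		return "", errors.New("unsupported DB")
	}
}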
// redirect answers the request with a 302 to the same path and query on
// h.cfg.ServerURL (our TLS URL). The target host comes from configuration,
// not from the request, so the redirect cannot be steered elsewhere.
func (h *Headscale) redirect(w http.ResponseWriter, req *http.Request) {
	location := h.cfg.ServerURL + req.URL.RequestURI()
	http.Redirect(w, req, location, http.StatusFound)
}
// expireEphemeralNodes runs expireEphemeralNodesWorker every milliSeconds
// milliseconds, deleting ephemeral machine records that have not been seen
// for longer than h.cfg.EphemeralNodeInactivityTimeout.
//
// It never returns and the ticker is never stopped, so it is meant to be
// started once as a goroutine (see Serve). time.NewTicker panics if the
// interval is not positive.
func (h *Headscale) expireEphemeralNodes(milliSeconds int64) {
	period := time.Duration(milliSeconds) * time.Millisecond
	tick := time.NewTicker(period)
	for {
		<-tick.C
		h.expireEphemeralNodesWorker()
	}
}
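// expireEphemeralNodesWorker runs one expiry pass: every machine registered
// with an ephemeral auth key whose LastSeen is older than
// cfg.EphemeralNodeInactivityTimeout is hard-deleted (Unscoped, so no
// soft-delete row is left behind) and its peers are notified.
//
// Errors are logged rather than returned because the caller is a ticker loop.
// A failure listing one namespace skips that namespace only; previously it
// aborted the whole pass, so one broken namespace stopped expiry everywhere.
func (h *Headscale) expireEphemeralNodesWorker() {
	namespaces, err := h.ListNamespaces()
	if err != nil {
		log.Error().Err(err).Msg("Error listing namespaces")
		return
	}

	// One timestamp for the whole pass so every machine is judged against the
	// same instant.
	now := time.Now()

	for _, ns := range *namespaces {
		machines, err := h.ListMachinesInNamespace(ns.Name)
		if err != nil {
			log.Error().Err(err).Str("namespace", ns.Name).Msg("Error listing machines in namespace")
			continue
		}
		for i := range *machines {
			m := &(*machines)[i]
			expired := m.AuthKey != nil && m.LastSeen != nil && m.AuthKey.Ephemeral &&
				now.After(m.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout))
			if !expired {
				continue
			}
			log.Info().Str("machine", m.Name).Msg("Ephemeral client removed from database")
			if err := h.db.Unscoped().Delete(m).Error; err != nil {
				log.Error().Err(err).Str("machine", m.Name).Msg("🤮 Cannot delete ephemeral machine from the database")
			}
			// Peers are notified even when the delete failed, as before; the
			// next pass will retry the delete.
			h.notifyChangesToPeers(m)
		}
	}
}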
// watchForKVUpdates polls the KV DB table every milliSeconds milliseconds for
// requests to perform tailnet upgrades; this is how the CLI communicates with
// the headscale server.
//
// It never returns and the ticker is never stopped, so it is meant to be
// started once as a goroutine (see Serve). time.NewTicker panics if the
// interval is not positive.
func (h *Headscale) watchForKVUpdates(milliSeconds int64) {
	period := time.Duration(milliSeconds) * time.Millisecond
	tick := time.NewTicker(period)
	for {
		<-tick.C
		h.watchForKVUpdatesWorker()
	}
}
// watchForKVUpdatesWorker runs one pass of the KV polling loop. At the moment
// that is only checkForNamespacesPendingUpdates (defined elsewhere).
func (h *Headscale) watchForKVUpdatesWorker() {
	h.checkForNamespacesPendingUpdates()
	// more functions will come here in the future
}
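// Serve launches a GIN server with the Headscale API
//
// The listening mode is chosen from the configuration, in this order:
//  1. TLSLetsEncryptHostname set: certificates come from Let's Encrypt via
//     autocert, using the TLS-ALPN-01 or HTTP-01 challenge.
//  2. TLSCertPath empty: plain HTTP.
//  3. Otherwise: TLS with TLSCertPath / TLSKeyPath.
//
// Serve also starts the background KV-update and ephemeral-node-expiry loops
// before listening; they run for the lifetime of the process and keep running
// even if Serve returns an error. Serve blocks until the listener fails and
// returns that error.
func (h *Headscale) Serve() error {
	r := h.buildAPIRouter()

	go h.watchForKVUpdates(5000)
	go h.expireEphemeralNodes(5000)

	timeout := 30 * time.Second
	s := &http.Server{
		Addr:         h.cfg.Addr,
		Handler:      r,
		ReadTimeout:  timeout,
		WriteTimeout: timeout,
	}

	switch {
	case h.cfg.TLSLetsEncryptHostname != "":
		h.warnOnServerURLScheme(true)
		return h.serveWithLetsEncrypt(s)
	case h.cfg.TLSCertPath == "":
		h.warnOnServerURLScheme(false)
		return s.ListenAndServe()
	default:
		h.warnOnServerURLScheme(true)
		return s.ListenAndServeTLS(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
	}
}

// buildAPIRouter returns the gin engine with every route of the API mounted.
// gin.Default attaches gin's request-logging and panic-recovery middleware.
func (h *Headscale) buildAPIRouter() *gin.Engine {
	r := gin.Default()
	r.GET("/health", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"healthy": "ok"}) })
	r.GET("/key", h.KeyHandler)
	r.GET("/register", h.RegisterWebAPI)
	r.POST("/machine/:id/map", h.PollNetMapHandler)
	r.POST("/machine/:id", h.RegistrationHandler)
	r.GET("/oidc/register/:mkey", h.RegisterOIDC)
	r.GET("/oidc/callback", h.OIDCCallback)
	r.GET("/apple", h.AppleMobileConfig)
	r.GET("/apple/:platform", h.ApplePlatformConfig)
	return r
}

// warnOnServerURLScheme logs when cfg.ServerURL does not use the scheme the
// server is about to listen with. Clients are handed ServerURL, so a mismatch
// sends them to the wrong scheme.
func (h *Headscale) warnOnServerURLScheme(tls bool) {
	if tls {
		if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
			log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
		}
		return
	}
	if !strings.HasPrefix(h.cfg.ServerURL, "http://") {
		log.Warn().Msg("Listening without TLS but ServerURL does not start with http://")
	}
}

// serveWithLetsEncrypt serves s with certificates obtained through autocert
// for cfg.TLSLetsEncryptHostname (only that host is accepted), cached in
// cfg.TLSLetsEncryptCacheDir, using the challenge in
// cfg.TLSLetsEncryptChallengeType. Returns an error for any other challenge.
func (h *Headscale) serveWithLetsEncrypt(s *http.Server) error {
	m := autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		HostPolicy: autocert.HostWhitelist(h.cfg.TLSLetsEncryptHostname),
		Cache:      autocert.DirCache(h.cfg.TLSLetsEncryptCacheDir),
	}
	s.TLSConfig = m.TLSConfig()

	switch h.cfg.TLSLetsEncryptChallengeType {
	case "TLS-ALPN-01":
		// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
		// The RFC requires that the validation is done on port 443; in other words, headscale
		// must be reachable on port 443.
		return s.ListenAndServeTLS("", "")
	case "HTTP-01":
		// Configuration via autocert with HTTP-01. This requires listening on
		// port 80 for the certificate validation in addition to the headscale
		// service, which can be configured to run on any other port. Requests
		// that are not challenges are redirected to ServerURL. The challenge
		// listener gets the same read/write timeouts as the main server so it
		// is not an untimed plain-HTTP endpoint; its failure is fatal because
		// issuance cannot complete without it.
		challenge := &http.Server{
			Addr:         h.cfg.TLSLetsEncryptListen,
			Handler:      m.HTTPHandler(http.HandlerFunc(h.redirect)),
			ReadTimeout:  s.ReadTimeout,
			WriteTimeout: s.WriteTimeout,
		}
		go func() {
			log.Fatal().
				Err(challenge.ListenAndServe()).
				Msg("failed to set up a HTTP server")
		}()
		return s.ListenAndServeTLS("", "")
	default:
		return errors.New("unknown value for TLSLetsEncryptChallengeType")
	}
}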
// setLastStateChangeToNow records the current UTC time as the last state
// change of namespace, replacing any earlier value.
func (h *Headscale) setLastStateChangeToNow(namespace string) {
	h.lastStateChange.Store(namespace, time.Now().UTC())
}
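// getLastStateChange returns the time of the last recorded state change for
// namespace. If nothing has been recorded yet, the current UTC time is stored
// and returned, so callers always get a usable timestamp.
//
// LoadOrStore makes the "insert if absent" step atomic; with a separate Load
// and Store, two concurrent first callers could each store a different "now"
// and observe different values for the same namespace.
func (h *Headscale) getLastStateChange(namespace string) time.Time {
	now := time.Now().UTC()
	wrapped, _ := h.lastStateChange.LoadOrStore(namespace, now)
	// Only time.Time values are stored here (see setLastStateChangeToNow); the
	// lenient assertion yields the zero time instead of panicking if that
	// invariant is ever broken.
	lastChange, _ := wrapped.(time.Time)
	return lastChange
}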