Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify and improve register/reauth flow #227

Merged
merged 38 commits into from
Nov 24, 2021
Merged

Simplify and improve register/reauth flow #227

merged 38 commits into from
Nov 24, 2021

Conversation

kradalby
Copy link
Collaborator

@kradalby kradalby commented Nov 17, 2021
edited
Loading

This PR addresses a series of issues with OpenID Connect (oidc), the register workflow, the reauthentication workflow and the concept of expiry.

oidc introduced some broken expiry behaviour which broke both pre auth key machines and CLI registered machines. This was done by adding a maximum expiry, where we previously had none.

This PR removes that and in general fixes issues that was discovered hunting for the bugs:

  • Registration flow is now split up into function so its easier to follow
  • Add support for reauthentication of nodes (if expired)
  • Add support for client which sends "requested expiry"
  • Add expire command to allow users to force nodes to reauthenticate
  • Only send list of "valid" (registered and not expired) nodes to client on update
  • The oidc support seem to work pretty well (I use it on my prod setup)

@kradalby
Move registration workflow into functions
35c3fe9
@kradalby
Make "authKey" a constant
a8a8f01
@kradalby
Use valid handler for registered authkey machines
50dcb8b
@kradalby
Remove unused param
981f712
@kradalby
Remove unneeded returns
58d1255
@kradalby
Create constants for other reg methods
106b1e7
@kradalby
Remove expiry logic, this needs to be redone
9aac1fb
@kradalby
Remove expiry logic, this needs to be redone
6a9dd20
@kradalby
Add expired column to machine list command
1c7aff5
@kradalby
Remove println statement
f85a77e
@kradalby
Add ExpireMachine spec to rpc
f1c05f8
@kradalby
Implement ExpireMachine rpc
bd1d1b1
@kradalby
Add expire (logout) machine command
a2b9f3b
@kradalby
Remove special case for authkey
8ccc51a 
We no longer have weird expire behaviour, so we dont need this case
@kradalby
Simplify control flow in RegistrationHandler
c4ecc4d 
This commits tries to dismantle the complicated "if and or" in the
RegistrationHandler by factoring out the "is Registrated" into a root
if.

This, together with some new comments, should hopefully make it a bit
easier to follow what is happening in all the different cases that needs
to be handled when a Node contacts the registration endpoint.
@kradalby
Remove unused param
bda2d9c
@kradalby
Move handle expired machine to the end of registration
fd5f42c
@kradalby
Remove expiry update in expiry, we dont want to extend it just becaus…
c239368 
…e they _try_ to connect
@kradalby
Removed unused parameter
1687e3b
@kradalby
Use correct type for nodes command
b152e53
@kradalby
Add long description for expire
fac33e4
@kradalby
Clean up logging and error handling in oidc
fcd4d94 
We should never expose errors via web, it gives attackers a lot of info
(Insert OWASP guide).

Also handle error that didnt separate not found gorm issue and other
errors.
@kradalby
Remove anouther potential error leak
74044f6
@kradalby
Simplify register function if
5cbd451
@kradalby
Use uint64 straight instead of converting
e8faff4
@kradalby
Add missing return in oidc.go
200c10e
@kradalby
Make sure nodes can reauthenticate
e600ead 
This commit fixes an issue where nodes were not able to reauthenticate.
@kradalby
Add cache for requested expiry times
021c464 
This commit adds a sentral cache to keep track of clients whom has
requested an expiry time, but were we need to keep hold of it until the
second request comes in.
@kradalby
Fix typo
caf1b1c
@kradalby
Update neighbours if node is expired or refreshed
68dc2a7 
In addition, only pass the map of registered and not expired nodes to
clients.
@kradalby kradalby changed the title Move registration workflow into functions Simplify and improve register/reauth flow Nov 22, 2021
@kradalby kradalby requested review from juanfont and cure November 22, 2021 20:13
@kradalby kradalby marked this pull request as ready for review November 22, 2021 20:13
@kradalby
Copy link
Collaborator Author

This PR fixes #226.

I think this should make it so we can release 0.12.0 (preferably as beta/pre release).

@juanfont you did some work on setting up pre-releases right?

juanfont
juanfont previously approved these changes Nov 24, 2021
View reviewed changes
api.go
// https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
if !req.Expiry.IsZero() && req.Expiry.UTC().Before(now) {
h.handleMachineLogOut(ctx, machineKey, req, *machine)
if machine.Registered {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if is already registering and we are reauth with a new key?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if I understand

@kradalby kradalby requested a review from juanfont November 24, 2021 14:18
juanfont
juanfont approved these changes Nov 24, 2021
View reviewed changes
Copy link
Owner

@juanfont juanfont left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work!

@kradalby kradalby merged commit 5620858 into juanfont:main Nov 24, 2021
@kradalby kradalby deleted the expired-issue branch November 24, 2021 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanfont juanfont juanfont approved these changes

@cure cure Awaiting requested review from cure

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kradalby @juanfont