2020-06-21 04:32:08 -06:00
|
|
|
// Codehere is mostly taken from github.com/tailscale/tailscale
|
|
|
|
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package headscale
|
|
|
|
|
|
|
|
import (
|
2021-10-30 08:29:03 -06:00
|
|
|
"context"
|
2020-06-21 04:32:08 -06:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2021-10-30 08:29:03 -06:00
|
|
|
"net"
|
2021-08-13 03:33:19 -06:00
|
|
|
"strings"
|
2020-06-21 04:32:08 -06:00
|
|
|
|
2021-11-26 16:30:42 -07:00
|
|
|
"github.com/rs/zerolog/log"
|
2021-08-02 13:06:26 -06:00
|
|
|
"inet.af/netaddr"
|
2021-08-13 03:33:19 -06:00
|
|
|
"tailscale.com/tailcfg"
|
2021-11-26 16:30:42 -07:00
|
|
|
"tailscale.com/types/key"
|
2020-06-21 04:32:08 -06:00
|
|
|
)
|
|
|
|
|
2021-11-15 12:18:14 -07:00
|
|
|
const (
|
|
|
|
errCannotDecryptReponse = Error("cannot decrypt response")
|
|
|
|
errResponseMissingNonce = Error("response missing nonce")
|
|
|
|
errCouldNotAllocateIP = Error("could not find any suitable IP")
|
2021-11-26 16:30:42 -07:00
|
|
|
|
|
|
|
// These constants are copied from the upstream tailscale.com/types/key
|
|
|
|
// library, because they are not exported.
|
|
|
|
// https://github.com/tailscale/tailscale/tree/main/types/key
|
|
|
|
|
|
|
|
// nodePrivateHexPrefix is the prefix used to identify a
|
|
|
|
// hex-encoded node private key.
|
|
|
|
//
|
|
|
|
// This prefix name is a little unfortunate, in that it comes from
|
|
|
|
// WireGuard's own key types, and we've used it for both key types
|
|
|
|
// we persist to disk (machine and node keys). But we're stuck
|
|
|
|
// with it for now, barring another round of tricky migration.
|
|
|
|
nodePrivateHexPrefix = "privkey:"
|
|
|
|
|
|
|
|
// nodePublicHexPrefix is the prefix used to identify a
|
|
|
|
// hex-encoded node public key.
|
|
|
|
//
|
|
|
|
// This prefix is used in the control protocol, so cannot be
|
|
|
|
// changed.
|
|
|
|
nodePublicHexPrefix = "nodekey:"
|
|
|
|
|
|
|
|
// machinePrivateHexPrefix is the prefix used to identify a
|
|
|
|
// hex-encoded machine private key.
|
|
|
|
//
|
|
|
|
// This prefix name is a little unfortunate, in that it comes from
|
|
|
|
// WireGuard's own key types. Unfortunately we're stuck with it for
|
|
|
|
// machine keys, because we serialize them to disk with this prefix.
|
|
|
|
machinePrivateHexPrefix = "privkey:"
|
|
|
|
|
|
|
|
// machinePublicHexPrefix is the prefix used to identify a
|
|
|
|
// hex-encoded machine public key.
|
|
|
|
//
|
|
|
|
// This prefix is used in the control protocol, so cannot be
|
|
|
|
// changed.
|
|
|
|
machinePublicHexPrefix = "mkey:"
|
|
|
|
|
|
|
|
// discoPublicHexPrefix is the prefix used to identify a
|
|
|
|
// hex-encoded disco public key.
|
|
|
|
//
|
|
|
|
// This prefix is used in the control protocol, so cannot be
|
|
|
|
// changed.
|
|
|
|
discoPublicHexPrefix = "discokey:"
|
2021-11-15 12:18:14 -07:00
|
|
|
)
|
|
|
|
|
2021-11-26 16:30:42 -07:00
|
|
|
func MachinePublicKeyStripPrefix(machineKey key.MachinePublic) string {
|
|
|
|
return strings.TrimPrefix(machineKey.String(), machinePublicHexPrefix)
|
|
|
|
}
|
|
|
|
|
|
|
|
func NodePublicKeyStripPrefix(nodeKey key.NodePublic) string {
|
|
|
|
return strings.TrimPrefix(nodeKey.String(), nodePublicHexPrefix)
|
|
|
|
}
|
|
|
|
|
|
|
|
func DiscoPublicKeyStripPrefix(discoKey key.DiscoPublic) string {
|
|
|
|
return strings.TrimPrefix(discoKey.String(), discoPublicHexPrefix)
|
|
|
|
}
|
|
|
|
|
2021-05-05 17:01:45 -06:00
|
|
|
// Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors
|
2021-05-05 15:00:04 -06:00
|
|
|
type Error string
|
|
|
|
|
|
|
|
func (e Error) Error() string { return string(e) }
|
|
|
|
|
2021-11-13 01:36:45 -07:00
|
|
|
func decode(
|
|
|
|
msg []byte,
|
2021-11-14 12:32:03 -07:00
|
|
|
output interface{},
|
2021-11-26 16:30:42 -07:00
|
|
|
pubKey *key.MachinePublic,
|
|
|
|
privKey *key.MachinePrivate,
|
2021-11-13 01:36:45 -07:00
|
|
|
) error {
|
2021-11-26 16:30:42 -07:00
|
|
|
log.Trace().Int("length", len(msg)).Msg("Trying to decrypt")
|
|
|
|
|
|
|
|
decrypted, ok := privKey.OpenFrom(*pubKey, msg)
|
|
|
|
if !ok {
|
|
|
|
return errCannotDecryptReponse
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
2021-11-26 16:30:42 -07:00
|
|
|
|
2021-11-14 12:32:03 -07:00
|
|
|
if err := json.Unmarshal(decrypted, output); err != nil {
|
2021-11-15 12:18:14 -07:00
|
|
|
return err
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
2021-11-14 08:46:09 -07:00
|
|
|
|
2020-06-21 04:32:08 -06:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-11-26 16:30:42 -07:00
|
|
|
func encode(
|
|
|
|
v interface{},
|
|
|
|
pubKey *key.MachinePublic,
|
|
|
|
privKey *key.MachinePrivate,
|
|
|
|
) ([]byte, error) {
|
2020-06-21 04:32:08 -06:00
|
|
|
b, err := json.Marshal(v)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-08-13 03:33:19 -06:00
|
|
|
|
2021-11-26 16:30:42 -07:00
|
|
|
return privKey.SealTo(*pubKey, b), nil
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
|
|
|
|
2021-08-02 14:57:45 -06:00
|
|
|
func (h *Headscale) getAvailableIP() (*netaddr.IP, error) {
|
|
|
|
ipPrefix := h.cfg.IPPrefix
|
|
|
|
|
|
|
|
usedIps, err := h.getUsedIPs()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the first IP in our prefix
|
|
|
|
ip := ipPrefix.IP()
|
|
|
|
|
2020-06-21 04:32:08 -06:00
|
|
|
for {
|
2021-08-02 14:57:45 -06:00
|
|
|
if !ipPrefix.Contains(ip) {
|
2021-11-15 12:18:14 -07:00
|
|
|
return nil, errCouldNotAllocateIP
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
2021-08-02 14:57:45 -06:00
|
|
|
|
2021-08-03 03:06:42 -06:00
|
|
|
// Some OS (including Linux) does not like when IPs ends with 0 or 255, which
|
|
|
|
// is typically called network or broadcast. Lets avoid them and continue
|
|
|
|
// to look when we get one of those traditionally reserved IPs.
|
|
|
|
ipRaw := ip.As4()
|
|
|
|
if ipRaw[3] == 0 || ipRaw[3] == 255 {
|
|
|
|
ip = ip.Next()
|
2021-11-14 08:46:09 -07:00
|
|
|
|
2021-08-03 03:06:42 -06:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2021-08-02 14:57:45 -06:00
|
|
|
if ip.IsZero() &&
|
|
|
|
ip.IsLoopback() {
|
2021-08-03 03:06:42 -06:00
|
|
|
ip = ip.Next()
|
2021-11-14 08:46:09 -07:00
|
|
|
|
2021-08-02 14:57:45 -06:00
|
|
|
continue
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
2021-08-02 14:57:45 -06:00
|
|
|
|
|
|
|
if !containsIPs(usedIps, ip) {
|
|
|
|
return &ip, nil
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
2021-08-02 14:57:45 -06:00
|
|
|
|
|
|
|
ip = ip.Next()
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-02 14:57:45 -06:00
|
|
|
func (h *Headscale) getUsedIPs() ([]netaddr.IP, error) {
|
|
|
|
var addresses []string
|
|
|
|
h.db.Model(&Machine{}).Pluck("ip_address", &addresses)
|
|
|
|
|
|
|
|
ips := make([]netaddr.IP, len(addresses))
|
|
|
|
for index, addr := range addresses {
|
2021-08-03 00:42:11 -06:00
|
|
|
if addr != "" {
|
|
|
|
ip, err := netaddr.ParseIP(addr)
|
|
|
|
if err != nil {
|
2021-11-15 12:18:14 -07:00
|
|
|
return nil, fmt.Errorf("failed to parse ip from database: %w", err)
|
2021-08-03 00:42:11 -06:00
|
|
|
}
|
2021-08-02 14:57:45 -06:00
|
|
|
|
2021-08-03 00:42:11 -06:00
|
|
|
ips[index] = ip
|
|
|
|
}
|
2021-08-02 14:57:45 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
return ips, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func containsIPs(ips []netaddr.IP, ip netaddr.IP) bool {
|
|
|
|
for _, v := range ips {
|
|
|
|
if v == ip {
|
|
|
|
return true
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
|
|
|
}
|
2021-02-21 14:11:27 -07:00
|
|
|
|
2021-08-02 14:57:45 -06:00
|
|
|
return false
|
2020-06-21 04:32:08 -06:00
|
|
|
}
|
2021-08-13 03:33:19 -06:00
|
|
|
|
|
|
|
func tailNodesToString(nodes []*tailcfg.Node) string {
|
|
|
|
temp := make([]string, len(nodes))
|
|
|
|
|
|
|
|
for index, node := range nodes {
|
|
|
|
temp[index] = node.Name
|
|
|
|
}
|
|
|
|
|
|
|
|
return fmt.Sprintf("[ %s ](%d)", strings.Join(temp, ", "), len(temp))
|
|
|
|
}
|
|
|
|
|
|
|
|
func tailMapResponseToString(resp tailcfg.MapResponse) string {
|
2021-11-13 01:36:45 -07:00
|
|
|
return fmt.Sprintf(
|
|
|
|
"{ Node: %s, Peers: %s }",
|
|
|
|
resp.Node.Name,
|
|
|
|
tailNodesToString(resp.Peers),
|
|
|
|
)
|
2021-08-13 03:33:19 -06:00
|
|
|
}
|
2021-10-30 08:29:03 -06:00
|
|
|
|
|
|
|
func GrpcSocketDialer(ctx context.Context, addr string) (net.Conn, error) {
|
|
|
|
var d net.Dialer
|
2021-11-14 08:46:09 -07:00
|
|
|
|
2021-10-30 08:29:03 -06:00
|
|
|
return d.DialContext(ctx, "unix", addr)
|
|
|
|
}
|
2021-11-04 16:17:44 -06:00
|
|
|
|
|
|
|
func ipPrefixToString(prefixes []netaddr.IPPrefix) []string {
|
|
|
|
result := make([]string, len(prefixes))
|
|
|
|
|
|
|
|
for index, prefix := range prefixes {
|
|
|
|
result[index] = prefix.String()
|
|
|
|
}
|
|
|
|
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
2021-11-15 10:24:24 -07:00
|
|
|
func stringToIPPrefix(prefixes []string) ([]netaddr.IPPrefix, error) {
|
2021-11-04 16:17:44 -06:00
|
|
|
result := make([]netaddr.IPPrefix, len(prefixes))
|
|
|
|
|
|
|
|
for index, prefixStr := range prefixes {
|
|
|
|
prefix, err := netaddr.ParseIPPrefix(prefixStr)
|
|
|
|
if err != nil {
|
|
|
|
return []netaddr.IPPrefix{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
result[index] = prefix
|
|
|
|
}
|
|
|
|
|
|
|
|
return result, nil
|
|
|
|
}
|
|
|
|
|
2021-11-15 10:24:24 -07:00
|
|
|
func containsIPPrefix(prefixes []netaddr.IPPrefix, prefix netaddr.IPPrefix) bool {
|
2021-11-04 16:17:44 -06:00
|
|
|
for _, p := range prefixes {
|
|
|
|
if prefix == p {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|