Merge branch 'main' into acls-doc

beclab · Mar 18, 2022 · 47bbb85 · 47bbb85
2 parents d68d7d5 + 304109a
commit 47bbb85
Show file tree

Hide file tree

Showing 15 changed files with 48 additions and 39 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -31,7 +31,7 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: actions/setup-go@v2
         with:
-          go-version: "1.17.7"
+          go-version: "1.18.0"
 
       - name: Install dependencies
         if: steps.changed-files.outputs.any_changed == 'true'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17.7
+          go-version: 1.18.0
 
       - name: Install dependencies
         run: |

diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml
@@ -25,7 +25,7 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: actions/setup-go@v2
         with:
-          go-version: "1.17.7"
+          go-version: "1.18.0"
 
       - name: Run Integration tests
         if: steps.changed-files.outputs.any_changed == 'true'

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -25,7 +25,7 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: actions/setup-go@v2
         with:
-          go-version: "1.17.7"
+          go-version: "1.18.0"
 
       - name: Install dependencies
         if: steps.changed-files.outputs.any_changed == 'true'

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,6 +29,7 @@
 - Fix a limitation in the ACLs that prevented users to write rules with `*` as source [#374](https://github.com/juanfont/headscale/issues/374)
 - Reduce the overhead of marshal/unmarshal for Hostinfo, routes and endpoints by using specific types in Machine [#371](https://github.com/juanfont/headscale/pull/371)
 - Apply normalization function to FQDN on hostnames when hosts registers and retrieve informations [#363](https://github.com/juanfont/headscale/issues/363)
+- Fix a bug that prevented the use of `tailscale logout` with OIDC [#508](https://github.com/juanfont/headscale/issues/508)
 
 ## 0.14.0 (2022-02-24)
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.17.8-bullseye AS build
+FROM docker.io/golang:1.18.0-bullseye AS build
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 

diff --git a/Dockerfile.alpine b/Dockerfile.alpine
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.17.8-alpine AS build
+FROM docker.io/golang:1.18.0-alpine AS build
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 

diff --git a/Dockerfile.debug b/Dockerfile.debug
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.17.8-bullseye AS build
+FROM docker.io/golang:1.18.0-bullseye AS build
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 

diff --git a/app.go b/app.go
@@ -47,6 +47,14 @@ import (
 	"tailscale.com/types/key"
 )
 
+const (
+	errSTUNAddressNotSet                   = Error("STUN address not set")
+	errUnsupportedDatabase                 = Error("unsupported DB")
+	errUnsupportedLetsEncryptChallengeType = Error(
+		"unknown value for Lets Encrypt challenge type",
+	)
+)
+
 const (
 	AuthPrefix         = "Bearer "
 	Postgres           = "postgres"
@@ -58,11 +66,6 @@ const (
 	registerCacheExpiration = time.Minute * 15
 	registerCacheCleanup    = time.Minute * 20
 
-	errUnsupportedDatabase                 = Error("unsupported DB")
-	errUnsupportedLetsEncryptChallengeType = Error(
-		"unknown value for Lets Encrypt challenge type",
-	)
-
 	DisabledClientAuth = "disabled"
 	RelaxedClientAuth  = "relaxed"
 	EnforcedClientAuth = "enforced"
@@ -124,7 +127,6 @@ type DERPConfig struct {
 	ServerRegionID   int
 	ServerRegionCode string
 	ServerRegionName string
-	STUNEnabled      bool
 	STUNAddr         string
 	URLs             []url.URL
 	Paths            []string
@@ -500,10 +502,13 @@ func (h *Headscale) Serve() error {
 	h.DERPMap = GetDERPMap(h.cfg.DERP)
 
 	if h.cfg.DERP.ServerEnabled {
-		h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
-		if h.cfg.DERP.STUNEnabled {
-			go h.ServeSTUN()
+		// When embedded DERP is enabled we always need a STUN server
+		if h.cfg.DERP.STUNAddr == "" {
+			return errSTUNAddressNotSet
 		}
+
+		h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
+		go h.ServeSTUN()
 	}
 
 	if h.cfg.DERP.AutoUpdate {

diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
@@ -55,6 +55,9 @@ func LoadConfig(path string) error {
 
 	viper.SetDefault("dns_config", nil)
 
+	viper.SetDefault("derp.server.enabled", false)
+	viper.SetDefault("derp.server.stun.enabled", true)
+
 	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
 	viper.SetDefault("unix_socket_permission", "0o770")
 
@@ -121,8 +124,11 @@ func GetDERPConfig() headscale.DERPConfig {
 	serverRegionID := viper.GetInt("derp.server.region_id")
 	serverRegionCode := viper.GetString("derp.server.region_code")
 	serverRegionName := viper.GetString("derp.server.region_name")
-	stunEnabled := viper.GetBool("derp.server.stun.enabled")
-	stunAddr := viper.GetString("derp.server.stun.listen_addr")
+	stunAddr := viper.GetString("derp.server.stun_listen_addr")
+
+	if serverEnabled && stunAddr == "" {
+		log.Fatal().Msg("derp.server.stun_listen_addr must be set if derp.server.enabled is true")
+	}
 
 	urlStrs := viper.GetStringSlice("derp.urls")
 
@@ -149,7 +155,6 @@ func GetDERPConfig() headscale.DERPConfig {
 		ServerRegionID:   serverRegionID,
 		ServerRegionCode: serverRegionCode,
 		ServerRegionName: serverRegionName,
-		STUNEnabled:      stunEnabled,
 		STUNAddr:         stunAddr,
 		URLs:             urls,
 		Paths:            paths,

diff --git a/config-example.yaml b/config-example.yaml
@@ -69,11 +69,11 @@ derp:
     region_code: "headscale"
     region_name: "Headscale Embedded DERP"
 
-    # If enabled, also listens in UDP at the configured address for STUN connections to help on NAT traversal
+    # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
+    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+    #
     # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
-    stun:
-      enabled: false
-      listen_addr: "0.0.0.0:3478"
+    stun_listen_addr: "0.0.0.0:3478"
 
   # List of externally available DERP maps encoded in JSON
   urls:

diff --git a/derp_server.go b/derp_server.go
@@ -77,17 +77,15 @@ func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
 		},
 	}
 
-	if h.cfg.DERP.STUNEnabled {
-		_, portStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr)
-		if err != nil {
-			return tailcfg.DERPRegion{}, err
-		}
-		port, err := strconv.Atoi(portStr)
-		if err != nil {
-			return tailcfg.DERPRegion{}, err
-		}
-		localDERPregion.Nodes[0].STUNPort = port
+	_, portSTUNStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
+	}
+	portSTUN, err := strconv.Atoi(portSTUNStr)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
 	}
+	localDERPregion.Nodes[0].STUNPort = portSTUN
 
 	return localDERPregion, nil
 }

diff --git a/go.mod b/go.mod
@@ -1,9 +1,10 @@
 module github.com/juanfont/headscale
 
-go 1.17
+go 1.18
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.2
+	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/coreos/go-oidc/v3 v3.1.0
 	github.com/efekarakus/termcolor v1.0.1
 	github.com/fatih/set v0.2.1
@@ -49,7 +50,6 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/atomicgo/cursor v0.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/containerd/continuity v0.2.2 // indirect

diff --git a/integration_test/etc_embedded_derp/config.yaml b/integration_test/etc_embedded_derp/config.yaml
@@ -24,6 +24,5 @@ derp:
     region_id: 999
     region_code: "headscale"
     region_name: "Headscale Embedded DERP"
-    stun:
-      enabled: true
-      listen_addr: "0.0.0.0:3478"
+
+    stun_listen_addr: "0.0.0.0:3478"
diff --git a/oidc.go b/oidc.go
@@ -10,6 +10,7 @@ import (
 	"html/template"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gin-gonic/gin"
@@ -229,7 +230,7 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 			Str("machine", machine.Name).
 			Msg("machine already registered, reauthenticating")
 
-		h.RefreshMachine(machine, *machine.Expiry)
+		h.RefreshMachine(machine, time.Time{})
 
 		var content bytes.Buffer
 		if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{