tailscale/cmd/get-authkey/main.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

// get-authkey allocates an authkey using an OAuth API client
// https://tailscale.com/s/oauth-clients and prints it
// to stdout for scripts to capture and use.
package main

import (
	"context"
	"flag"
	"fmt"
	"log"
	"os"
	"strings"

	"golang.org/x/oauth2/clientcredentials"
	"tailscale.com/client/tailscale"
)

func main() {
	// Required to use our client API. We're fine with the instability since the
	// client lives in the same repo as this code.
	tailscale.I_Acknowledge_This_API_Is_Unstable = true

	reusable := flag.Bool("reusable", false, "allocate a reusable authkey")
	ephemeral := flag.Bool("ephemeral", false, "allocate an ephemeral authkey")
	preauth := flag.Bool("preauth", true, "set the authkey as pre-authorized")
	tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")
	flag.Parse()

	clientID := os.Getenv("TS_API_CLIENT_ID")
	clientSecret := os.Getenv("TS_API_CLIENT_SECRET")
	if clientID == "" || clientSecret == "" {
		log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")
	}

	if *tags == "" {
		log.Fatal("at least one tag must be specified")
	}

	baseURL := os.Getenv("TS_BASE_URL")
	if baseURL == "" {
		baseURL = "https://api.tailscale.com"
	}

	credentials := clientcredentials.Config{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		TokenURL:     baseURL + "/api/v2/oauth/token",
		Scopes:       []string{"device"},
	}

	ctx := context.Background()
	tsClient := tailscale.NewClient("-", nil)
	tsClient.HTTPClient = credentials.Client(ctx)
	tsClient.BaseURL = baseURL

	caps := tailscale.KeyCapabilities{
		Devices: tailscale.KeyDeviceCapabilities{
			Create: tailscale.KeyDeviceCreateCapabilities{
				Reusable:      *reusable,
				Ephemeral:     *ephemeral,
				Preauthorized: *preauth,
				Tags:          strings.Split(*tags, ","),
			},
		},
	}

	authkey, _, err := tsClient.CreateKey(ctx, caps, 0)
	if err != nil {
		log.Fatal(err.Error())
	}

	fmt.Println(authkey)
}
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`

			`// get-authkey allocates an authkey using an OAuth API client`
all: replace /kb/ links with /s/ equivalents Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-03-13 19:33:16 +00:00			`// https://tailscale.com/s/oauth-clients and prints it`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`// to stdout for scripts to capture and use.`
			`package main`

			`import (`
			`"context"`
			`"flag"`
			`"fmt"`
			`"log"`
			`"os"`
			`"strings"`

			`"golang.org/x/oauth2/clientcredentials"`
			`"tailscale.com/client/tailscale"`
			`)`

			`func main() {`
			`// Required to use our client API. We're fine with the instability since the`
			`// client lives in the same repo as this code.`
			`tailscale.I_Acknowledge_This_API_Is_Unstable = true`

			`reusable := flag.Bool("reusable", false, "allocate a reusable authkey")`
			`ephemeral := flag.Bool("ephemeral", false, "allocate an ephemeral authkey")`
			`preauth := flag.Bool("preauth", true, "set the authkey as pre-authorized")`
			`tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")`
			`flag.Parse()`

cmd/tailscale/cli: [up] add experimental oauth2 authkey support Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-04-26 19:34:28 +01:00			`clientID := os.Getenv("TS_API_CLIENT_ID")`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`clientSecret := os.Getenv("TS_API_CLIENT_SECRET")`
cmd/tailscale/cli: [up] add experimental oauth2 authkey support Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-04-26 19:34:28 +01:00			`if clientID == "" \|\| clientSecret == "" {`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")`
			`}`

get-authkey: require tags to be specified Tailnet-owned auth keys (which all OAuth-created keys are) must include tags, since there is no user to own the registered devices. Signed-off-by: Will Norris <will@tailscale.com> 2023-02-09 00:06:48 +00:00			`if *tags == "" {`
			`log.Fatal("at least one tag must be specified")`
			`}`

cmd/tailscale/cli: [up] add experimental oauth2 authkey support Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-04-26 19:34:28 +01:00			`baseURL := os.Getenv("TS_BASE_URL")`
			`if baseURL == "" {`
			`baseURL = "https://api.tailscale.com"`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`}`

			`credentials := clientcredentials.Config{`
cmd/tailscale/cli: [up] add experimental oauth2 authkey support Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-04-26 19:34:28 +01:00			`ClientID: clientID,`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`ClientSecret: clientSecret,`
cmd/tailscale/cli: [up] add experimental oauth2 authkey support Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-04-26 19:34:28 +01:00			`TokenURL: baseURL + "/api/v2/oauth/token",`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`Scopes: []string{"device"},`
			`}`

			`ctx := context.Background()`
			`tsClient := tailscale.NewClient("-", nil)`
			`tsClient.HTTPClient = credentials.Client(ctx)`
cmd/tailscale/cli: [up] add experimental oauth2 authkey support Updates #7982 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-04-26 19:34:28 +01:00			`tsClient.BaseURL = baseURL`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00
			`caps := tailscale.KeyCapabilities{`
			`Devices: tailscale.KeyDeviceCapabilities{`
			`Create: tailscale.KeyDeviceCreateCapabilities{`
			`Reusable: *reusable,`
			`Ephemeral: *ephemeral,`
			`Preauthorized: *preauth,`
			`Tags: strings.Split(*tags, ","),`
			`},`
			`},`
			`}`

client: allow the expiry time to be specified for new keys Adds a parameter for create key that allows a number of seconds (less than 90) to be specified for new keys. Fixes https://github.com/tailscale/tailscale/issues/7965 Signed-off-by: Matthew Brown <matthew@bargrove.com> 2023-05-12 06:05:18 +01:00			`authkey, _, err := tsClient.CreateKey(ctx, caps, 0)`
cmd/get-authkey: add an OAuth API client to produce an authkey Updates https://github.com/tailscale/tailscale/issues/3243 Signed-off-by: Denton Gentry <dgentry@tailscale.com> 2023-02-04 01:14:06 +00:00			`if err != nil {`
			`log.Fatal(err.Error())`
			`}`

			`fmt.Println(authkey)`
			`}`