tailscale/ipn/localapi/cert.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

//go:build !ios && !android && !js

package localapi

import (
	"fmt"
	"net/http"
	"strings"

	"tailscale.com/ipn/ipnlocal"
)

func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
	if !h.PermitWrite && !h.PermitCert {
		http.Error(w, "cert access denied", http.StatusForbidden)
		return
	}
	domain, ok := strings.CutPrefix(r.URL.Path, "/localapi/v0/cert/")
	if !ok {
		http.Error(w, "internal handler config wired wrong", 500)
		return
	}
	pair, err := h.b.GetCertPEM(r.Context(), domain)
	if err != nil {
		// TODO(bradfitz): 500 is a little lazy here. The errors returned from
		// GetCertPEM (and everywhere) should carry info info to get whether
		// they're 400 vs 403 vs 500 at minimum. And then we should have helpers
		// (in tsweb probably) to return an error that looks at the error value
		// to determine the HTTP status code.
		http.Error(w, fmt.Sprint(err), 500)
		return
	}
	serveKeyPair(w, r, pair)
}

func serveKeyPair(w http.ResponseWriter, r *http.Request, p *ipnlocal.TLSCertKeyPair) {
	w.Header().Set("Content-Type", "text/plain")
	switch r.URL.Query().Get("type") {
	case "", "crt", "cert":
		w.Write(p.CertPEM)
	case "key":
		w.Write(p.KeyPEM)
	case "pair":
		w.Write(p.KeyPEM)
		w.Write(p.CertPEM)
	default:
		http.Error(w, `invalid type; want "cert" (default), "key", or "pair"`, 400)
	}
}
all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com> 2023-01-27 21:37:20 +00:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00
wasm: exclude code that's not used on iOS for Wasm too It has similar size constraints. Saves ~1.9MB from the Wasm build. Updates #3157 Signed-off-by: Mihai Parparita <mihai@tailscale.com> 2022-06-06 21:52:52 +01:00			`//go:build !ios && !android && !js`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00
			`package localapi`

			`import (`
			`"fmt"`
			`"net/http"`
all: update to Go 1.20, use strings.CutPrefix/Suffix instead of our fork Updates #7123 Updates #5309 Change-Id: I90bcd87a2fb85a91834a0dd4be6e03db08438672 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-02-01 21:43:06 +00:00			`"strings"`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00
ipn/localapi: refactor some cert code in prep for a move I want to move the guts (after the HTTP layer) of the certificate fetching into the ipnlocal package, out of localapi. As prep, refactor a bit: * add a method to do the fetch-from-cert-or-as-needed-with-refresh, rather than doing it in the HTTP hander * convert two methods to funcs, taking the one extra field (LocalBackend) then needed from their method receiver. One of the methods needed nothing from its receiver. This will make a future change easier to reason about. Change-Id: I2a7811e5d7246139927bb86e7db8009bf09b3be3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 04:49:46 +00:00			`"tailscale.com/ipn/ipnlocal"`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00			`)`

			`func (h Handler) serveCert(w http.ResponseWriter, r http.Request) {`
ipn/ipnserver: add TS_PERMIT_CERT_UID envknob to give webservers cert access So you can run Caddy etc as a non-root user and let it have access to get certs. Updates caddyserver/caddy#4541 Change-Id: Iecc5922274530e2b00ba107d4b536580f374109b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-01-25 18:33:11 +00:00			`if !h.PermitWrite && !h.PermitCert {`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00			`http.Error(w, "cert access denied", http.StatusForbidden)`
			`return`
			`}`
all: update to Go 1.20, use strings.CutPrefix/Suffix instead of our fork Updates #7123 Updates #5309 Change-Id: I90bcd87a2fb85a91834a0dd4be6e03db08438672 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2023-02-01 21:43:06 +00:00			`domain, ok := strings.CutPrefix(r.URL.Path, "/localapi/v0/cert/")`
ipn/{ipnlocal,localapi}: use strs.CutPrefix, add more domain validation The GitHub CodeQL scanner flagged the localapi's cert domain usage as a problem because user input in the URL made it to disk stat checks. The domain is validated against the ipnstate.Status later, and only authenticated root/configured users can hit this, but add some paranoia anyway. Change-Id: I373ef23832f1d8b3a27208bc811b6588ae5a1ddd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-09-16 06:08:45 +01:00			`if !ok {`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00			`http.Error(w, "internal handler config wired wrong", 500)`
			`return`
			`}`
ipn/ipnlocal: do unexpired cert renewals in the background We were eagerly doing a synchronous renewal of the cert while trying to serve traffic. Instead of that, just do the cert renewal in the background and continue serving traffic as long as the cert is still valid. This regressed in c1ecae13ab708cef90905085f87729974f6c339d when we introduced ARI support and were trying to make the experience of `tailscale cert` better. However, that ended up regressing the experience for tsnet as it would not always doing the renewal synchronously. Fixes #9783 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-10-12 23:52:41 +01:00			`pair, err := h.b.GetCertPEM(r.Context(), domain)`
ipn/localapi: refactor some cert code in prep for a move I want to move the guts (after the HTTP layer) of the certificate fetching into the ipnlocal package, out of localapi. As prep, refactor a bit: * add a method to do the fetch-from-cert-or-as-needed-with-refresh, rather than doing it in the HTTP hander * convert two methods to funcs, taking the one extra field (LocalBackend) then needed from their method receiver. One of the methods needed nothing from its receiver. This will make a future change easier to reason about. Change-Id: I2a7811e5d7246139927bb86e7db8009bf09b3be3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 04:49:46 +00:00			`if err != nil {`
ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 05:26:26 +00:00			`// TODO(bradfitz): 500 is a little lazy here. The errors returned from`
			`// GetCertPEM (and everywhere) should carry info info to get whether`
			`// they're 400 vs 403 vs 500 at minimum. And then we should have helpers`
			`// (in tsweb probably) to return an error that looks at the error value`
			`// to determine the HTTP status code.`
ipn/localapi: refactor some cert code in prep for a move I want to move the guts (after the HTTP layer) of the certificate fetching into the ipnlocal package, out of localapi. As prep, refactor a bit: * add a method to do the fetch-from-cert-or-as-needed-with-refresh, rather than doing it in the HTTP hander * convert two methods to funcs, taking the one extra field (LocalBackend) then needed from their method receiver. One of the methods needed nothing from its receiver. This will make a future change easier to reason about. Change-Id: I2a7811e5d7246139927bb86e7db8009bf09b3be3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 04:49:46 +00:00			`http.Error(w, fmt.Sprint(err), 500)`
			`return`
			`}`
			`serveKeyPair(w, r, pair)`
			`}`

ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 05:26:26 +00:00			`func serveKeyPair(w http.ResponseWriter, r http.Request, p ipnlocal.TLSCertKeyPair) {`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00			`w.Header().Set("Content-Type", "text/plain")`
			`switch r.URL.Query().Get("type") {`
			`case "", "crt", "cert":`
ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 05:26:26 +00:00			`w.Write(p.CertPEM)`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00			`case "key":`
ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 05:26:26 +00:00			`w.Write(p.KeyPEM)`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00			`case "pair":`
ipn/{ipnlocal,localapi}: move most of cert.go to ipnlocal Leave only the HTTP/auth bits in localapi. Change-Id: I8e23fb417367f1e0e31483e2982c343ca74086ab Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-08 05:26:26 +00:00			`w.Write(p.KeyPEM)`
			`w.Write(p.CertPEM)`
ipn/localapi: move cert fetching code to localapi, cache, add cert subcommand Updates #1235 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-08-17 23:03:28 +01:00			`default:`
			http.Error(w, `invalid type; want "cert" (default), "key", or "pair"`, 400)
			`}`
			`}`