From b3cc719add220f08cfb7664be9a24024ad7020db Mon Sep 17 00:00:00 2001
From: Will Norris
Date: Thu, 11 Aug 2022 11:45:00 -0700
Subject: [PATCH] cmd/nginx-auth: allow use of shared nodes

When sharing nodes, the name of the sharee node is not exposed (instead it is hardcoded to "device-of-shared-to-user"), which means that we can't determine the tailnet of that node. Don't immediately fail when that happens, since it only matters if "Expected-Tailnet" is used.

Signed-off-by: Will Norris
---
 cmd/nginx-auth/nginx-auth.go | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/cmd/nginx-auth/nginx-auth.go b/cmd/nginx-auth/nginx-auth.go
index 439dd3e6d..ee55ca74f 100644
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -63,17 +63,24 @@ func main() {
 return
 }
 
- _, tailnet, ok := strings.Cut(info.Node.Name, info.Node.ComputedName+".")
- if !ok {
- w.WriteHeader(http.StatusUnauthorized)
- log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
- return
- }
- tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
- if !ok {
- w.WriteHeader(http.StatusUnauthorized)
- log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
- return
+ // tailnet of connected node. When accessing shared nodes, this
+ // will be empty because the tailnet of the sharee is not exposed.
+ var tailnet string
+
+ if !info.Node.Hostinfo.ShareeNode() {
+ var ok bool
+ _, tailnet, ok = strings.Cut(info.Node.Name, info.Node.ComputedName+".")
+ if !ok {
+ w.WriteHeader(http.StatusUnauthorized)
+ log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+ return
+ }
+ tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
+ if !ok {
+ w.WriteHeader(http.StatusUnauthorized)
+ log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+ return
+ }
 }
 
 if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
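Review bot: The comment on `var tailnet string` explains why the value is empty for shared nodes but not what that means for the access decision, and that is the part an operator needs. With the `if !info.Node.Hostinfo.ShareeNode()` guard, a shared-in node reaches the `Expected-Tailnet` comparison with `tailnet == ""`, so it is rejected only when nginx actually sends that header. Going by the commit message, such requests were previously answered with 401 by the failed `strings.Cut`, so deployments that never set `Expected-Tailnet` move from deny to allow for users of other tailnets. I would extend the comment with `// Shared nodes are therefore only rejected when Expected-Tailnet is set.` and mention the same in the README. Any code after the hunk that forwards `tailnet` to the backend (not visible here; the handler starts and ends outside the hunk) would presumably carry an empty value for these requests, which consumers should treat as unknown, not as a match.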