Documentation
Overview
Package ipnauth controls access to the LocalAPI.
Index
- Variables
- func LookupUserFromID(logf logger.Logf, uid string) (*user.User, error)
- type Actor
- type ActorCloser
- type ConnIdentity
- func (ci *ConnIdentity) Creds() *peercred.Creds
- func (ci *ConnIdentity) IsReadonlyConn(operatorUID string, logf logger.Logf) bool
- func (ci *ConnIdentity) IsUnixSock() bool
- func (ci *ConnIdentity) Pid() int
- func (ci *ConnIdentity) WindowsToken() (WindowsToken, error)
- func (ci *ConnIdentity) WindowsUserID() ipn.WindowsUserID
- type WindowsToken
Constants
This section is empty.
Variables
var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)
ErrNotImplemented is returned by ConnIdentity.WindowsToken when it is not implemented for the current GOOS.
Functions
Types
type Actor added in v1.74.0
type Actor interface {
	// UserID returns an OS-specific UID of the user represented by the receiver,
	// or "" if the actor does not represent a specific user on a multi-user system.
	// As of 2024-08-27, it is only used on Windows.
	UserID() ipn.WindowsUserID

	// Username returns the user name associated with the receiver,
	// or "" if the actor does not represent a specific user.
	Username() (string, error)

	// IsLocalSystem reports whether the actor is the Windows' Local System account.
	//
	// Deprecated: this method exists for compatibility with the current (as of 2024-08-27)
	// permission model and will be removed as we progress on tailscale/corp#18342.
	IsLocalSystem() bool

	// IsLocalAdmin reports whether the actor has administrative access to the
	// local machine, for whatever that means with respect to the current OS.
	//
	// The operatorUID is only used on Unix-like platforms and specifies the ID
	// of a local user (in the os/user.User.Uid string form) who is allowed to
	// operate tailscaled without being root or using sudo.
	//
	// Deprecated: this method exists for compatibility with the current (as of 2024-08-27)
	// permission model and will be removed as we progress on tailscale/corp#18342.
	IsLocalAdmin(operatorUID string) bool
}
Actor is any actor using the [ipnlocal.LocalBackend].
It typically represents a specific OS user, indicating that an operation is performed on behalf of this user, should be evaluated against their access rights, and performed in their security context when applicable.
type ActorCloser added in v1.74.0
type ActorCloser interface {
	// Close releases resources associated with the receiver.
	Close() error
}
ActorCloser is an optional interface that an Actor may implement when it holds resources (such as an OS token handle) that must be released once the caller is done with it.
type ConnIdentity
type ConnIdentity struct {
// contains filtered or unexported fields
}
ConnIdentity represents the owner of a localhost TCP or unix socket connection connecting to the LocalAPI.
func GetConnIdentity
GetConnIdentity extracts the identity information from the connection based on the user who owns the other end of the connection. On platforms other than Windows, the returned ConnIdentity has its NotWindows field set to true.
func (*ConnIdentity) Creds
func (ci *ConnIdentity) Creds() *peercred.Creds
func (*ConnIdentity) IsReadonlyConn
func (ci *ConnIdentity) IsReadonlyConn(operatorUID string, logf logger.Logf) bool
IsReadonlyConn reports whether the connection should be considered read-only, meaning it's not allowed to change the state of the node.
Read-only also means it's not allowed to access sensitive information, which admittedly doesn't follow from the name. Consider this "IsUnprivileged". Also, Windows doesn't use this. For Windows it always returns false.
TODO(bradfitz): rename it? Also make Windows use this.
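The following is an added example, not code from the ipnauth package, that models the documented contract of IsReadonlyConn and shows how a LocalAPI handler would gate on it. The peerInfo type and the request.sensitive flag are stand-ins invented for the example; the real method takes a logger.Logf that is omitted here. The fail-closed defaults (a TCP peer or a peer without credentials is read-only, unrecognised HTTP methods count as mutating) are assumptions chosen to match the "IsUnprivileged" reading above, not a description of the package's internals.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// peerInfo is a constructed stand-in for the facts ConnIdentity learns about
// the other end of a LocalAPI connection on a Unix-like host: whether it came
// in over a Unix socket and, when the OS returned peer credentials, the
// peer's numeric UID in os/user.User.Uid string form.
type peerInfo struct {
	unixSock bool
	uid      string // "" when no peer credentials were available
}

// isReadonlyConn models the documented contract of IsReadonlyConn: on
// Windows it is not used and always reports false; elsewhere root and the
// configured operator are read-write, and everything else, including TCP
// peers and peers whose credentials could not be read, is read-only.
// Illustration of the documented behaviour (assumed fail-closed defaults),
// not the package's implementation.
func isReadonlyConn(goos string, p peerInfo, operatorUID string) bool {
	if goos == "windows" {
		return false
	}
	if !p.unixSock {
		// The peer UID is only knowable for Unix sockets; treat TCP as unprivileged.
		return true
	}
	if p.uid == "" {
		// No credentials means no identity to trust.
		return true
	}
	if p.uid == "0" {
		return false
	}
	if operatorUID != "" && p.uid == operatorUID {
		return false
	}
	return true
}

// request is the subset of a LocalAPI call the gate needs: the HTTP method
// and whether the handler marks the endpoint as returning sensitive data
// (assumed flag; "read-only" also means no access to secrets).
type request struct {
	method    string
	sensitive bool
}

var errReadonly = errors.New("localapi: connection is read-only")

// authorize denies state-changing requests and sensitive reads on read-only
// connections. Anything that is not a plain GET/HEAD is treated as mutating,
// so an unrecognised method fails closed.
func authorize(r request, goos string, p peerInfo, operatorUID string) error {
	readonly := isReadonlyConn(goos, p, operatorUID)
	switch r.method {
	case http.MethodGet, http.MethodHead:
		if readonly && r.sensitive {
			return errReadonly
		}
		return nil
	default:
		if readonly {
			return errReadonly
		}
		return nil
	}
}

func main() {
	// Constructed peers: root, the operator (uid 1000), an unrelated user, and
	// a localhost TCP client whose UID cannot be determined.
	peers := map[string]peerInfo{
		"root":     {unixSock: true, uid: "0"},
		"operator": {unixSock: true, uid: "1000"},
		"other":    {unixSock: true, uid: "1001"},
		"tcp":      {unixSock: false},
	}
	for name, p := range peers {
		err := authorize(request{method: http.MethodPost}, "linux", p, "1000")
		fmt.Printf("%-8s POST: %v\n", name, err)
	}
}
```

The point to carry over into real handlers is that the operator check is a UID equality on peer credentials of a Unix socket, so a localhost TCP listener never gets read-write access on Unix, and that a sensitive GET must be gated on the same predicate as a POST.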
func (*ConnIdentity) IsUnixSock
func (ci *ConnIdentity) IsUnixSock() bool
func (*ConnIdentity) Pid
func (ci *ConnIdentity) Pid() int
func (*ConnIdentity) WindowsToken added in v1.44.3
func (ci *ConnIdentity) WindowsToken() (WindowsToken, error)
WindowsToken is unsupported when GOOS != windows and always returns ErrNotImplemented.
func (*ConnIdentity) WindowsUserID
func (ci *ConnIdentity) WindowsUserID() ipn.WindowsUserID
WindowsUserID returns the local machine's user ID of the connection's peer when running on Windows. Otherwise it returns the empty string.
It's suitable for passing to LookupUserFromID (os/user.LookupId) on any operating system.
type WindowsToken added in v1.44.3
type WindowsToken interface {
	io.Closer

	// EqualUIDs reports whether other refers to the same user ID as the receiver.
	EqualUIDs(other WindowsToken) bool

	// IsAdministrator reports whether the receiver is a member of the built-in
	// Administrators group, or else an error. Use IsElevated to determine whether
	// the receiver is actually utilizing administrative rights.
	IsAdministrator() (bool, error)

	// IsUID reports whether the receiver's user ID matches uid.
	IsUID(uid ipn.WindowsUserID) bool

	// UID returns the ipn.WindowsUserID associated with the receiver, or else
	// an error.
	UID() (ipn.WindowsUserID, error)

	// IsElevated reports whether the receiver is currently executing as an
	// elevated administrative user.
	IsElevated() bool

	// IsLocalSystem reports whether the receiver is the built-in SYSTEM user.
	IsLocalSystem() bool

	// UserDir returns the special directory identified by folderID as associated
	// with the receiver. folderID must be one of the KNOWNFOLDERID values from
	// the x/sys/windows package, serialized as a stringified GUID.
	UserDir(folderID string) (string, error)

	// Username returns the user name associated with the receiver.
	Username() (string, error)
}
WindowsToken represents the current security context of a Windows user.
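The following is an added example, not code from the ipnauth package or tailscaled's actual Windows permission model. It shows the distinction the interface comments draw between IsAdministrator (group membership) and IsElevated (actually running with the full token) by writing a small authorization decision against a copy of the WindowsToken interface. WindowsUserID is a local stand-in for ipn.WindowsUserID, fakeToken is a constructed in-memory implementation, the SIDs other than the well-known SYSTEM SID S-1-5-18 are made up, and the policy itself (SYSTEM, the profile owner, or an elevated administrator may mutate) is an assumption for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// WindowsUserID is a local stand-in for ipn.WindowsUserID (a SID string).
type WindowsUserID string

// WindowsToken mirrors the interface documented above so the policy below
// compiles without importing the package.
type WindowsToken interface {
	io.Closer
	EqualUIDs(other WindowsToken) bool
	IsAdministrator() (bool, error)
	IsUID(uid WindowsUserID) bool
	UID() (WindowsUserID, error)
	IsElevated() bool
	IsLocalSystem() bool
	UserDir(folderID string) (string, error)
	Username() (string, error)
}

// fakeToken is a constructed, in-memory token used to exercise the policy;
// a real implementation would wrap a Windows access token handle.
type fakeToken struct {
	uid      WindowsUserID
	name     string
	admin    bool // member of BUILTIN\Administrators
	elevated bool // running with the full, not UAC-filtered, token
	system   bool // the SYSTEM account
	closed   bool
}

func (t *fakeToken) Close() error                     { t.closed = true; return nil }
func (t *fakeToken) EqualUIDs(o WindowsToken) bool    { return o != nil && o.IsUID(t.uid) }
func (t *fakeToken) IsAdministrator() (bool, error)   { return t.admin, nil }
func (t *fakeToken) IsUID(uid WindowsUserID) bool     { return t.uid == uid }
func (t *fakeToken) UID() (WindowsUserID, error)      { return t.uid, nil }
func (t *fakeToken) IsElevated() bool                 { return t.elevated }
func (t *fakeToken) IsLocalSystem() bool              { return t.system }
func (t *fakeToken) UserDir(string) (string, error)   { return "", errors.New("not modelled") }
func (t *fakeToken) Username() (string, error)        { return t.name, nil }

var (
	errNotElevated = errors.New("caller is in Administrators but not elevated; re-run elevated")
	errNotAllowed  = errors.New("caller may not change node state")
)

// mayMutate decides whether the caller behind tok may change node state
// (assumed policy): SYSTEM and the user who owns the current profile always
// may; an administrator may only when elevated. Under UAC a member of
// Administrators normally runs with a filtered token, so checking
// IsAdministrator alone would grant rights the user never asserted.
func mayMutate(tok WindowsToken, owner WindowsUserID) error {
	if tok.IsLocalSystem() {
		return nil
	}
	if tok.IsUID(owner) {
		return nil
	}
	admin, err := tok.IsAdministrator()
	if err != nil {
		return err // fail closed on lookup errors
	}
	if admin && !tok.IsElevated() {
		return errNotElevated
	}
	if admin {
		return nil
	}
	return errNotAllowed
}

func main() {
	owner := WindowsUserID("S-1-5-21-1-2-3-1001") // constructed SID of the profile owner
	tok := &fakeToken{uid: "S-1-5-21-1-2-3-1002", name: "bob", admin: true}
	defer tok.Close() // real tokens wrap an OS handle; always release them
	if err := mayMutate(tok, owner); err != nil {
		fmt.Println("denied:", err)
		return
	}
	fmt.Println("allowed")
}
```

Note the error path: if IsAdministrator cannot be determined, the decision is denied rather than defaulting to the non-admin branch, and the token is closed on every path because the interface embeds io.Closer for a reason.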