Merge branch 'main' into patch-1

.github/workflows/test-integration-cli.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on: [pull_request]
+
+jobs:
+  integration-test-cli:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/[email protected]
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run CLI integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: nick-fields/retry@v2
+        with:
+          timeout_minutes: 240
+          max_attempts: 5
+          retry_on: error
+          command: nix develop --command -- make test_integration_cli

.github/workflows/test-integration.yml → .github/workflows/test-integration-derp.yml

@@ -3,7 +3,7 @@ name: CI
 on: [pull_request]
 
 jobs:
-  integration-test:
+  integration-test-derp:
     runs-on: ubuntu-latest
 
     steps:
@@ -30,15 +30,6 @@ jobs:
       - uses: cachix/install-nix-action@v16
         if: steps.changed-files.outputs.any_changed == 'true'
 
-      - name: Run CLI integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_cli
-
       - name: Run Embedded DERP server integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: nick-fields/retry@v2
@@ -47,21 +38,3 @@ jobs:
           max_attempts: 5
           retry_on: error
           command: nix develop --command -- make test_integration_derp
-
-      - name: Run OIDC integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_oidc
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_general

.github/workflows/test-integration-general.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on: [pull_request]
+
+jobs:
+  integration-test-general:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/[email protected]
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: nick-fields/retry@v2
+        with:
+          timeout_minutes: 240
+          max_attempts: 5
+          retry_on: error
+          command: nix develop --command -- make test_integration_general

.github/workflows/test-integration-oidc.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on: [pull_request]
+
+jobs:
+  integration-test-oidc:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/[email protected]
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run OIDC integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: nick-fields/retry@v2
+        with:
+          timeout_minutes: 240
+          max_attempts: 5
+          retry_on: error
+          command: nix develop --command -- make test_integration_oidc

.github/workflows/test-integration-v2-general.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on: [pull_request]
+
+jobs:
+  integration-test-v2-general:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/[email protected]
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: nick-fields/retry@v2
+        with:
+          timeout_minutes: 240
+          max_attempts: 5
+          retry_on: error
+          command: nix develop --command -- make test_integration_v2_general

CHANGELOG.md

@@ -15,6 +15,7 @@
 - Give a warning when running Headscale with reverse proxy improperly configured for WebSockets [#788](https://github.com/juanfont/headscale/pull/788)
 - Fix subnet routers with Primary Routes [#811](https://github.com/juanfont/headscale/pull/811)
 - Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
+- Sanitise the node key passed to registration url [#823](https://github.com/juanfont/headscale/pull/823)
 - Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
 - Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
 - Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)

Makefile

@@ -22,21 +22,59 @@ build:
 dev: lint test build
 
 test:
-	@go test -coverprofile=coverage.out ./...
+	@go test -short -coverprofile=coverage.out ./...
 
 test_integration: test_integration_cli test_integration_derp test_integration_oidc test_integration_general
 
 test_integration_cli:
-	go test -failfast -tags integration_cli,integration -timeout 30m -count=1 ./...
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
 
 test_integration_derp:
-	go test -failfast -tags integration_derp,integration -timeout 30m -count=1 ./...
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
 
 test_integration_general:
-	go test -failfast -tags integration_general,integration -timeout 30m -count=1 ./...
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test -failfast -timeout 30m -count=1 -run IntegrationGeneral ./...
 
 test_integration_oidc:
-	go test -failfast -tags integration_oidc,integration -timeout 30m -count=1 ./...
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test -failfast -timeout 30m -count=1 -run IntegrationOIDC ./...
+
+test_integration_v2_general:
+	docker run \
+		-t --rm \
+		-v ~/.cache/hs-integration-go:/go \
+		--name headscale-test-suite \
+		-v $$PWD:$$PWD -w $$PWD/integration \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		golang:1 \
+		go test ./... -timeout 15m -v
 
 coverprofile_func:
 	go tool cover -func=coverage.out

api.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
+	"tailscale.com/types/key"
 )
 
 const (
@@ -93,7 +94,34 @@ func (h *Headscale) RegisterWebAPI(
 ) {
 	vars := mux.Vars(req)
 	nodeKeyStr, ok := vars["nkey"]
-	if !ok || nodeKeyStr == "" {
+
+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	// We need to make sure we dont open for XSS style injections, if the parameter that
+	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
+	// the template and log an error.
+	var nodeKey key.NodePublic
+	err := nodeKey.UnmarshalText(
+		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+	)
+
+	if !ok || nodeKeyStr == "" || err != nil {
+		log.Warn().Err(err).Msg("Failed to parse incoming nodekey")
+
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("Wrong params"))
@@ -130,7 +158,7 @@ func (h *Headscale) RegisterWebAPI(
 
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write(content.Bytes())
+	_, err = writer.Write(content.Bytes())
 	if err != nil {
 		log.Error().
 			Caller().

cmd/headscale/cli/mockoidc.go

@@ -46,6 +46,10 @@ func mockOIDC() error {
 	if clientSecret == "" {
 		return errMockOidcClientSecretNotDefined
 	}
+	addrStr := os.Getenv("MOCKOIDC_ADDR")
+	if addrStr == "" {
+		return errMockOidcPortNotDefined
+	}
 	portStr := os.Getenv("MOCKOIDC_PORT")
 	if portStr == "" {
 		return errMockOidcPortNotDefined
@@ -61,7 +65,7 @@ func mockOIDC() error {
 		return err
 	}
 
-	listener, err := net.Listen("tcp", fmt.Sprintf("mockoidc:%d", port))
+	listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", addrStr, port))
 	if err != nil {
 		return err
 	}

cmd/headscale/cli/root.go

@@ -15,7 +15,7 @@ import (
 var cfgFile string = ""
 
 func init() {
-	if len(os.Args) > 1 && os.Args[1] == "version" || os.Args[1] == "mockoidc" {
+	if len(os.Args) > 1 && (os.Args[1] == "version" || os.Args[1] == "mockoidc") {
 		return
 	}