feat: support client verify for derp (add integration tests)

.github/workflows/test-integration.yaml

@@ -37,6 +37,7 @@ jobs:
  - TestNodeRenameCommand
  - TestNodeMoveCommand
  - TestPolicyCommand
+ - TestDERPVerifyEndpoint
  - TestDERPServerScenario
  - TestPingAllByIP
  - TestPingAllByIPPublicDERP

Dockerfile.derper

@@ -0,0 +1,19 @@
+# For testing purposes only
+
+FROM golang:1.22-alpine AS build-env
+
+WORKDIR /go/src
+
+RUN apk add --no-cache git
+ARG VERSION_BRANCH=main
+RUN git clone https://github.com/tailscale/tailscale.git --branch=$VERSION_BRANCH --depth=1
+WORKDIR /go/src/tailscale
+
+ARG TARGETARCH
+RUN GOARCH=$TARGETARCH go install -v ./cmd/derper
+
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+
+COPY --from=build-env /go/bin/* /usr/local/bin/
+ENTRYPOINT [ "/usr/local/bin/derper" ]

hscontrol/app.go

@@ -445,6 +445,8 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
  router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
  Methods(http.MethodGet)
 
+ router.HandleFunc("/verify", h.VerifyHandler).Methods(http.MethodPost)
+
  if h.cfg.DERP.ServerEnabled {
  router.HandleFunc("/derp", h.DERPServer.DERPHandler)
  router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler)

hscontrol/handlers.go

@@ -6,6 +6,7 @@ import (
  "errors"
  "fmt"
  "html/template"
+ "io"
  "net/http"
  "strconv"
  "time"
@@ -53,6 +54,76 @@ func parseCabailityVersion(req *http.Request) (tailcfg.CapabilityVersion, error)
  return tailcfg.CapabilityVersion(clientCapabilityVersion), nil
 }
 
+// see https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159, Derp use verifyClientsURL to verify whether a client is allowed to connect to the DERP server.
+func (h *Headscale) VerifyHandler(
+ writer http.ResponseWriter,
+ req *http.Request,
+) {
+ if req.Method != http.MethodPost {
+ http.Error(writer, "Wrong method", http.StatusMethodNotAllowed)
+ return
+ }
+ log.Debug().
+ Str("handler", "/verify").
+ Msg("verify client")
+
+ body, err := io.ReadAll(req.Body)
+ if err != nil {
+ log.Error().
+ Str("handler", "/verify").
+ Err(err).
+ Msg("Cannot read request body")
+ http.Error(writer, "Internal error", http.StatusInternalServerError)
+ return
+ }
+
+ var derpAdmitClientRequest tailcfg.DERPAdmitClientRequest
+ if err := json.Unmarshal(body, &derpAdmitClientRequest); err != nil {
+ log.Error().
+ Caller().
+ Err(err).
+ Msg("Cannot parse derpAdmitClientRequest")
+ http.Error(writer, "Internal error", http.StatusInternalServerError)
+ return
+ }
+
+ nodes, err := h.db.ListNodes()
+ if err != nil {
+ log.Error().
+ Caller().
+ Err(err).
+ Msg("Cannot list nodes")
+ http.Error(writer, "Internal error", http.StatusInternalServerError)
+ }
+
+ for _, node := range nodes {
+ log.Debug().Str("node", node.NodeKey.String()).Msg("Node")
+ }
+
+ allow := false
+ // Check if the node is in the list of nodes
+ for _, node := range nodes {
+ if node.NodeKey == derpAdmitClientRequest.NodePublic {
+ allow = true
+ break
+ }
+ }
+
+ resp := tailcfg.DERPAdmitClientResponse{
+ Allow: allow,
+ }
+
+ writer.Header().Set("Content-Type", "application/json")
+ writer.WriteHeader(http.StatusOK)
+ err = json.NewEncoder(writer).Encode(resp)
+ if err != nil {
+ log.Error().
+ Caller().
+ Err(err).
+ Msg("Failed to write response")
+ }
+}
+
 // KeyHandler provides the Headscale pub key
 // Listens in /key.
 func (h *Headscale) KeyHandler(

integration/README.md

@@ -11,10 +11,10 @@ Tests are located in files ending with `_test.go` and the framework are located
 
 ## Running integration tests locally
 
-The easiest way to run tests locally is to use `[act](INSERT LINK)`, a local GitHub Actions runner:
+The easiest way to run tests locally is to use [act](https://github.com/nektos/act), a local GitHub Actions runner:
 
 ```
-act pull_request -W .github/workflows/test-integration-v2-TestPingAllByIP.yaml
+act pull_request -W .github/workflows/test-integration.yaml
 ```
 
 Alternatively, the `docker run` command in each GitHub workflow file can be used.

integration/derp_verify_endpoint_test.go

@@ -0,0 +1,111 @@
+package integration
+
+import (
+ "encoding/json"
+ "fmt"
+ "net"
+ "strconv"
+ "strings"
+ "testing"
+
+ "github.com/juanfont/headscale/hscontrol/util"
+ "github.com/juanfont/headscale/integration/dsic"
+ "github.com/juanfont/headscale/integration/hsic"
+ "github.com/juanfont/headscale/integration/integrationutil"
+ "github.com/juanfont/headscale/integration/tsic"
+)
+
+func TestDERPVerifyEndpoint(t *testing.T) {
+ IntegrationSkip(t)
+
+ // Generate random hostname for the headscale instance
+ hash, err := util.GenerateRandomStringDNSSafe(6)
+ assertNoErr(t, err)
+ testName := "derpverify"
+ hostname := fmt.Sprintf("hs-%s-%s", testName, hash)
+
+ headscalePort := 8080
+
+ // Create cert for headscale
+ certHeadscale, keyHeadscale, err := integrationutil.CreateCertificate(hostname)
+ assertNoErr(t, err)
+
+ scenario, err := NewScenario(dockertestMaxWait())
+ assertNoErr(t, err)
+ defer scenario.Shutdown()
+
+ spec := map[string]int{
+ "user1": 10,
+ }
+
+ derper, err := scenario.CreateDERPServer("head",
+ dsic.WithCACert(certHeadscale),
+ dsic.WithVerifyClientURL(fmt.Sprintf("https://%s/verify", net.JoinHostPort(hostname, strconv.Itoa(headscalePort)))),
+ )
+ assertNoErr(t, err)
+
+ derpConfig := "regions:\n"
+ derpConfig += " 900:\n"
+ derpConfig += " regionid: 900\n"
+ derpConfig += " regioncode: test-derpverify\n"
+ derpConfig += " regionname: TestDerpVerify\n"
+ derpConfig += " nodes:\n"
+ derpConfig += " - name: TestDerpVerify\n"
+ derpConfig += " regionid: 900\n"
+ derpConfig += " hostname: " + derper.GetHostname() + "\n"
+ derpConfig += " stunport: " + derper.GetSTUNPort() + "\n"
+ derpConfig += " stunonly: false\n"
+ derpConfig += " derpport: " + derper.GetDERPPort() + "\n"
+
+ headscale, err := scenario.Headscale(
+ hsic.WithHostname(hostname),
+ hsic.WithPort(headscalePort),
+ hsic.WithCustomTLS(certHeadscale, keyHeadscale),
+ hsic.WithHostnameAsServerURL(),
+ hsic.WithCustomDERPServerOnly([]byte(derpConfig)),
+ )
+ assertNoErrHeadscaleEnv(t, err)
+
+ for userName, clientCount := range spec {
+ err = scenario.CreateUser(userName)
+ if err != nil {
+ t.Fatalf("failed to create user %s: %s", userName, err)
+ }
+
+ err = scenario.CreateTailscaleNodesInUser(userName, "all", clientCount, tsic.WithCACert(derper.GetCert()))
+ if err != nil {
+ t.Fatalf("failed to create tailscale nodes in user %s: %s", userName, err)
+ }
+
+ key, err := scenario.CreatePreAuthKey(userName, true, true)
+ if err != nil {
+ t.Fatalf("failed to create pre-auth key for user %s: %s", userName, err)
+ }
+
+ err = scenario.RunTailscaleUp(userName, headscale.GetEndpoint(), key.GetKey())
+ if err != nil {
+ t.Fatalf("failed to run tailscale up for user %s: %s", userName, err)
+ }
+ }
+
+ allClients, err := scenario.ListTailscaleClients()
+ assertNoErrListClients(t, err)
+
+ for _, client := range allClients {
+ report, err := client.DebugDERPRegion("test-derpverify")
+ assertNoErr(t, err)
+ successful := false
+ for _, line := range report.Info {
+ if strings.Contains(line, "Successfully established a DERP connection with node") {
+ successful = true
+
+ break
+ }
+ }
+ if !successful {
+ stJSON, err := json.Marshal(report)
+ assertNoErr(t, err)
+ t.Errorf("Client %s could not establish a DERP connection: %s", client.Hostname(), string(stJSON))
+ }
+ }
+}