1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
package ipnauth
import (
"context"
"errors"
"golang.org/x/sys/windows"
"tailscale.com/ipn"
"tailscale.com/types/lazy"
)
// WindowsActor implements [Actor].
var _ Actor = (*WindowsActor)(nil)
// WindowsActor represents a logged in Windows user.
type WindowsActor struct {
ctx context.Context
cancelCtx context.CancelFunc
token WindowsToken
uid ipn.WindowsUserID
username lazy.SyncValue[string]
}
// NewWindowsActorWithToken returns a new [WindowsActor] for the user
// represented by the given [windows.Token].
// It takes ownership of the token.
func NewWindowsActorWithToken(t windows.Token) (_ *WindowsActor, err error) {
tok := newToken(t)
uid, err := tok.UID()
if err != nil {
t.Close()
return nil, err
}
ctx, cancelCtx := context.WithCancel(context.Background())
return &WindowsActor{ctx: ctx, cancelCtx: cancelCtx, token: tok, uid: uid}, nil
}
// UserID implements [Actor].
func (a *WindowsActor) UserID() ipn.WindowsUserID {
return a.uid
}
// Username implements [Actor].
func (a *WindowsActor) Username() (string, error) {
return a.username.GetErr(a.token.Username)
}
// ClientID implements [Actor].
func (a *WindowsActor) ClientID() (_ ClientID, ok bool) {
// TODO(nickkhyl): assign and return a client ID when the actor
// represents a connected LocalAPI client.
return NoClientID, false
}
// Context implements [Actor].
func (a *WindowsActor) Context() context.Context {
return a.ctx
}
// CheckProfileAccess implements [Actor].
func (a *WindowsActor) CheckProfileAccess(profile ipn.LoginProfileView, _ ProfileAccess, _ AuditLogFunc) error {
if profile.LocalUserID() != a.UserID() {
// TODO(nickkhyl): return errors of more specific types and have them
// translated to the appropriate HTTP status codes in the API handler.
return errors.New("the target profile does not belong to the user")
}
return nil
}
// IsLocalSystem implements [Actor].
//
// Deprecated: this method exists for compatibility with the current (as of 2025-02-06)
// permission model and will be removed as we progress on tailscale/corp#18342.
func (a *WindowsActor) IsLocalSystem() bool {
// https://web.archive.org/web/2024/https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
const systemUID = ipn.WindowsUserID("S-1-5-18")
return a.uid == systemUID
}
// IsLocalAdmin implements [Actor].
//
// Deprecated: this method exists for compatibility with the current (as of 2025-02-06)
// permission model and will be removed as we progress on tailscale/corp#18342.
func (a *WindowsActor) IsLocalAdmin(operatorUID string) bool {
return a.token.IsElevated()
}
// Close releases resources associated with the actor
// and cancels its context.
func (a *WindowsActor) Close() error {
if a.token != nil {
if err := a.token.Close(); err != nil {
return err
}
a.token = nil
}
a.cancelCtx()
return nil
}
|
