
Commit afa9acc

committed
Remove Tailscale policies after client disconnects
1 parent c9b487f commit afa9acc

2 files changed

Lines changed: 15 additions & 7 deletions


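--- a/pkg/sshgate/policy.go
+++ b/pkg/sshgate/policy.go
@@ -5,8 +5,8 @@ import "sync"
 type principalType string
 
 const (
-principalTypeFingerprint = "fingerprint"
-principalTypeTailscale = "tailscale"
+principalTypeFingerprint = "fingerprint"
+principalTypeTailscaleNode = "tailscale_node"
 )
 
 func newPolicyEngine() *policyEngine {
@@ -29,7 +29,7 @@ func (p *policyEngine) AddPolicy(principalType principalType, principal string,
 switch principalType {
 case principalTypeFingerprint:
 p.fingerprints[principal] = append(p.fingerprints[principal], rules...)
-case principalTypeTailscale:
+case principalTypeTailscaleNode:
 p.tailscaleNodes[principal] = append(p.tailscaleNodes[principal], rules...)
 }
 }
@@ -41,7 +41,7 @@ func (p *policyEngine) RemovePolicy(principalType principalType, principal strin
 switch principalType {
 case principalTypeFingerprint:
 delete(p.fingerprints, principal)
-case principalTypeTailscale:
+case principalTypeTailscaleNode:
 delete(p.tailscaleNodes, principal)
 }
 }
@@ -56,7 +56,7 @@ func (p *policyEngine) Principal(principalType principalType, principal string)
 switch principalType {
 case principalTypeFingerprint:
 rules, ok = p.fingerprints[principal]
-case principalTypeTailscale:
+case principalTypeTailscaleNode:
 rules, ok = p.tailscaleNodes[principal]
 }
 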
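--- a/pkg/sshgate/sshgate.go
+++ b/pkg/sshgate/sshgate.go
@@ -30,7 +30,7 @@ const tsnetCapability = "github.com/cedws/sshgate"
 
 const (
 fingerprintKey = "fingerprint"
-tailscaleNodeIDKey = "tailscale_user"
+tailscaleNodeIDKey = "tailscale_node_id"
 )
 
 type rejectionError struct {
@@ -410,7 +410,7 @@ func (s *Server) addCapMapPolicy(logger *slog.Logger, id string, whois *apitype.
 rules = append(rules, capData)
 }
 
-s.policyEngine.AddPolicy(principalTypeTailscale, id, rules)
+s.policyEngine.AddPolicy(principalTypeTailscaleNode, id, rules)
 
 return nil
 }
@@ -435,6 +435,14 @@ func (s *Server) handleConnection(ctx context.Context, c net.Conn, config *ssh.S
 s.conns.Add(1)
 defer s.conns.Add(-1)
 
+defer func() {
+// Clean up policies from Tailscale capabilities associated with this client
+nodeID, ok := sshConn.Permissions.Extensions[tailscaleNodeIDKey]
+if ok {
+s.policyEngine.RemovePolicy(principalTypeTailscaleNode, nodeID)
+}
+}()
+
 go func() {
 for req := range requests {
 req.Reply(false, nil)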
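Review bot: The deferred cleanup in handleConnection calls RemovePolicy keyed only by node ID, and RemovePolicy deletes the whole map entry (policy.go hunk at line 45), so if a second connection from the same Tailscale node is still open when this one ends, that live session loses its capability-derived rules too — AddPolicy appends per connection under the same key, so rules from sibling sessions are pooled and then dropped together. The outcome is fail-closed rather than a privilege grant, but it makes a surviving session's authorization depend on the lifetime of an unrelated connection; a per-node reference count inside policyEngine, or a connection-scoped principal, would keep the sessions independent. Separately, the defer dereferences `sshConn.Permissions` unconditionally; if sshConn can still be nil or have nil Permissions on an early return (the handshake is outside this hunk), guard with `if sshConn == nil || sshConn.Permissions == nil { return }` before the map lookup. handleConnection begins and ends outside the hunk, so whether sshConn is assigned before this defer is registered cannot be confirmed here.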
