chore: initial import

Author: jsiebens

.github/workflows/build.yaml

@@ -0,0 +1,24 @@
+name: build
+
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - name: Build
+        run: |
+          go test ./...
+          go build cmd/tskeyservice/main.go

.github/workflows/nightly.yaml

@@ -0,0 +1,42 @@
+name: nightly
+
+on: workflow_dispatch
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Docker Login
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2.8.1
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          args: release --nightly --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

.github/workflows/release.yaml

@@ -0,0 +1,45 @@
+name: release
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Docker Login
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2.8.1
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

.gitignore

@@ -0,0 +1,2 @@
+.idea
+dist

.goreleaser.yaml

@@ -0,0 +1,100 @@
+project_name: tskeyservice
+
+nightly:
+  name_template: '{{ incminor .Version }}-dev'
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - main: ./cmd/tskeyservice
+    env: [ CGO_ENABLED=0 ]
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w
+
+checksum:
+  name_template: "checksums.txt"
+
+dockers:
+  - image_templates: [ "ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-amd64" ]
+    dockerfile: Dockerfile
+    use: buildx
+    build_flag_templates:
+      - --platform=linux/amd64
+  - image_templates: [ "ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-arm64" ]
+    goarch: arm64
+    dockerfile: Dockerfile
+    use: buildx
+    build_flag_templates:
+      - --platform=linux/arm64
+
+docker_manifests:
+  - name_template: ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}
+    image_templates:
+      - ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-amd64
+      - ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-arm64
+  - name_template: ghcr.io/jsiebens/{{ .ProjectName }}:{{ if .IsNightly }}dev{{ else }}latest{{ end }}
+    image_templates:
+      - ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-amd64
+      - ghcr.io/jsiebens/{{ .ProjectName }}:{{ .Version }}-arm64
+
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+
+docker_signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    artifacts: all
+    output: true
+    args:
+      - sign
+      - '${artifact}'
+
+archives:
+  - format: binary
+    name_template: '{{ .Binary }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}'
+
+release:
+  prerelease: auto
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^test:'
+      - '^chore'
+      - '^docs'
+      - Merge pull request
+      - Merge remote-tracking branch
+      - Merge branch
+      - go mod tidy
+  groups:
+    - title: 'New Features'
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 0
+    - title: 'Bug fixes'
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 10
+    - title: Other work
+      order: 999

Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=${BUILDPLATFORM:-linux/amd64} alpine:3.16.2
+
+COPY tskeyservice /usr/local/bin/tskeyservice
+
+RUN mkdir -p /data/tskeyservice
+WORKDIR /data/tskeyservice
+
+ENTRYPOINT ["/usr/local/bin/tskeyservice"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Johan Siebens
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,95 @@
+package main
+
+import (
+	"context"
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/hashicorp/go-bexpr"
+	"github.com/labstack/echo/v4"
+	"github.com/tailscale/tailscale-client-go/tailscale"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+)
+
+const BEARER_SCHEMA = "Bearer "
+
+type KeyResponse struct {
+	Key string `json:"key"`
+}
+
+func start() error {
+	ctx := context.Background()
+
+	apiKey := os.Getenv("TS_API_KEY")
+	tailnet := os.Getenv("TS_TAILNET")
+	issuer := os.Getenv("TS_KEYS_ISSUER")
+	tags := os.Getenv("TS_KEYS_TAGS")
+	filter := os.Getenv("TS_KEYS_BEXPR")
+
+	client, err := tailscale.NewClient(apiKey, tailnet)
+	if err != nil {
+		return err
+	}
+
+	provider, err := oidc.NewProvider(ctx, issuer)
+	if err != nil {
+		return err
+	}
+
+	verifier := provider.Verifier(&oidc.Config{SkipClientIDCheck: true})
+
+	evaluator, err := bexpr.CreateEvaluator(filter)
+	if err != nil {
+		return err
+	}
+
+	expirySeconds := uint64(300)
+	capabilities := tailscale.KeyCapabilities{}
+	capabilities.Devices.Create.Reusable = false
+	capabilities.Devices.Create.Ephemeral = true
+	if len(tags) != 0 {
+		capabilities.Devices.Create.Tags = strings.Split(tags, ",")
+	}
+
+	e := echo.New()
+	e.HideBanner = true
+	e.GET("/key", func(c echo.Context) error {
+		ctx := c.Request().Context()
+
+		authHeader := c.Request().Header.Get("Authorization")
+
+		if len(authHeader) == 0 || !strings.HasPrefix(authHeader, BEARER_SCHEMA) {
+			return echo.ErrUnauthorized
+		}
+
+		idToken, err := verifier.Verify(ctx, authHeader[len(BEARER_SCHEMA):])
+		if err != nil {
+			return echo.ErrBadRequest
+		}
+
+		var claims = make(map[string]interface{})
+		if err := idToken.Claims(&claims); err != nil {
+			return echo.ErrBadRequest
+		}
+
+		if ok, _ := evaluator.Evaluate(claims); ok {
+			key, err := client.CreateKey(ctx, capabilities, tailscale.WithKeyExpirySeconds(expirySeconds))
+			if err != nil {
+				return echo.ErrInternalServerError
+			}
+
+			return c.JSON(http.StatusOK, &KeyResponse{Key: key.Key})
+		}
+
+		return echo.ErrForbidden
+	})
+
+	return e.Start(":8080")
+}
+
+func main() {
+	if err := start(); err != nil {
+		log.Fatal(err)
+	}
+}

cmd/tskeyservice/main.go

@@ -0,0 +1,32 @@
+module github.com/jsiebens/tskeyservice
+
+go 1.19
+
+replace github.com/tailscale/tailscale-client-go v1.7.0 => github.com/jsiebens/tailscale-client-go v0.0.0-20221108073316-a64d102ba541
+
+require (
+	github.com/coreos/go-oidc/v3 v3.4.0
+	github.com/hashicorp/go-bexpr v0.1.11
+	github.com/labstack/echo/v4 v4.9.1
+	github.com/tailscale/tailscale-client-go v1.7.0
+)
+
+require (
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/labstack/gommon v0.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.11 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/mitchellh/pointerstructure v1.2.1 // indirect
+	github.com/tailscale/hujson v0.0.0-20220506213045-af5ed07155e5 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasttemplate v1.2.1 // indirect
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b // indirect
+	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
+	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+)