server: add application capabilities for ui and DCR (#47)

Add new Application capabilities to limit access to the UI and dynamic client registration (DCR) endpoints.

This also unifies the structs used to UnmarshalCapJSON into a single struct with fields for all current uses.

Fixes: #44, #16, #17

Signed-off-by: Benson Wong <[email protected]>

Author: mostlygeek

README.md

@@ -12,6 +12,7 @@
 - A Tailscale network (tailnet) with magicDNS and HTTPS enabled
 - A Tailscale authentication key from your tailnet
 - (Recommended) Docker installed on your system
+- Ability to set an Application capability grant
 
 ## Running tsidp
 
@@ -71,6 +72,36 @@ _If you're running tsidp for the first time, you may not be able to access it in
 
 </details>
 
+## Setting an Application Capability Grant
+
+tsidp requires an [Application capability grant](https://tailscale.com/kb/1537/grants-app-capabilities) to allow access to the admin UI and dynamic client registration endpoints.
+
+This is a permissive grant that is suitable only for testing purposes:
+
+```json
+"grants": [
+  {
+    "src": ["*"],
+    "dst": ["*"],
+    "app": {
+      "tailscale.com/cap/tsidp": [
+        {
+          // STS controls
+          "users":     ["*"],
+          "resources": ["*"],
+
+          // allow access to UI
+          "allow_admin_ui": true,
+
+          // allow dynamic client registration
+          "allow_dcr": true,
+        },
+      ],
+    },
+  },
+],
+```
+
 ## Application Configuration Guides
 
 tsidp can be used as IdP server for any application that supports custom OIDC providers.

server/appcap.go

@@ -0,0 +1,118 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package server
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/netip"
+
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/tailcfg"
+)
+
+// shared key for context values
+var appCapCtxKey = &accessGrantedRules{}
+
+// Capability rule types
+type capRule struct {
+	IncludeInUserInfo bool           `json:"includeInUserInfo"`
+	ExtraClaims       map[string]any `json:"extraClaims,omitempty"` // list of features peer is allowed to edit
+
+	// for sts rules
+	Users     []string `json:"users"`     // list of users allowed to access resources (supports "*" wildcard)
+	Resources []string `json:"resources"` // list of audience/resource URIs the user can access
+
+	// allow lists
+	AllowAdminUI bool `json:"allow_admin_ui"`
+	AllowDCR     bool `json:"allow_dcr"` // dynamic client registration
+}
+
+// AccessGrantedRules holds the access rules from granted Application Capabilities.
+// tsidp uses a deny-all-by-default model, so only the granted capabilities are allowed
+type accessGrantedRules struct {
+	allowAdminUI bool
+	allowDCR     bool
+	rules        []capRule // list of rules
+}
+
+// addGrantAccessContext wraps an http.HandlerFunc and adds a AccessGrantedRules to the
+// *http.Request's context. Handlers that are protected by an Application capability grant
+// can conventiently extract and check the granted capabilities.
+func (s *IDPServer) addGrantAccessContext(handler http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// used only for testing to bypass app cap checks
+		if s.bypassAppCapCheck {
+			r = r.WithContext(context.WithValue(r.Context(), appCapCtxKey, &accessGrantedRules{
+				allowAdminUI: true,
+				allowDCR:     true,
+				rules:        []capRule{}, // empty rules for testing
+			}))
+			handler(w, r)
+			return
+		}
+
+		// when local.Client is not available send through a default-deny rules
+		if s.lc == nil {
+			r = r.WithContext(context.WithValue(r.Context(), appCapCtxKey, &accessGrantedRules{
+				rules: []capRule{}, // empty rules for testing
+			}))
+			handler(w, r)
+			return
+		}
+
+		// allow all access when requests are coming from localhost
+		if ap, err := netip.ParseAddrPort(r.RemoteAddr); err == nil {
+			if ap.Addr().IsLoopback() {
+				r = r.WithContext(context.WithValue(r.Context(), appCapCtxKey, &accessGrantedRules{
+					allowAdminUI: true,
+					allowDCR:     true,
+					rules:        []capRule{},
+				}))
+				handler(w, r)
+				return
+			}
+		}
+
+		// Build the access rules from granted application capabilities
+		accessRules := &accessGrantedRules{}
+
+		var remoteAddr string
+		if s.localTSMode {
+			remoteAddr = r.Header.Get("X-Forwarded-For")
+		} else {
+			remoteAddr = r.RemoteAddr
+		}
+
+		var who *apitype.WhoIsResponse
+		var err error
+
+		who, err = s.lc.WhoIs(r.Context(), remoteAddr)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("Error getting WhoIs: %v", err), http.StatusInternalServerError)
+			return
+		}
+
+		rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, "tailscale.com/cap/tsidp")
+		if err != nil {
+			http.Error(w, fmt.Sprintf("failed unmarshaling app cap rule %s", err.Error()), http.StatusInternalServerError)
+			return
+		}
+		accessRules.rules = rules
+
+		// grant rules are accumulated from all granted rules
+		for _, rule := range rules {
+			if rule.AllowAdminUI {
+				accessRules.allowAdminUI = true
+			}
+			if rule.AllowDCR {
+				accessRules.allowDCR = true
+			}
+		}
+
+		r = r.WithContext(context.WithValue(r.Context(), appCapCtxKey, accessRules))
+		handler(w, r)
+	}
+}

server/client_test.go

@@ -119,7 +119,24 @@ func TestServeDynamicClientRegistration(t *testing.T) {
 		isFunnel      bool
 		expectStatus  int
 		checkResponse func(t *testing.T, body []byte)
+
+		// Disable app cap override for this test to test for the deny-by-default behaviour
+		disableAppCapOverride bool
 	}{
+		{
+			name:   "Check access without app cap is denied",
+			method: "POST",
+			body: `{
+				"redirect_uris": ["https://example.com/callback"],
+				"client_name": "Test Client",
+				"grant_types": ["authorization_code"],
+				"response_types": ["code"]
+			}`,
+			expectStatus:          http.StatusForbidden,
+			disableAppCapOverride: true,
+			checkResponse:         nil,
+		},
+
 		{
 			name:   "POST request - verify JSON field names",
 			method: "POST",
@@ -347,6 +364,9 @@ func TestServeDynamicClientRegistration(t *testing.T) {
 				serverURL:     "https://idp.test.ts.net",
 				stateDir:      tempDir,
 				funnelClients: make(map[string]*FunnelClient),
+
+				// tt.disableAppCapOverride is true to test the deny-by-default behaviour
+				bypassAppCapCheck: !tt.disableAppCapOverride,
 			}
 
 			// Mock the storeFunnelClientsLocked function for testing
@@ -363,7 +383,7 @@ func TestServeDynamicClientRegistration(t *testing.T) {
 			}
 
 			rr := httptest.NewRecorder()
-			s.serveDynamicClientRegistration(rr, req)
+			s.ServeHTTP(rr, req)
 
 			if rr.Code != tt.expectStatus {
 				t.Errorf("expected status %d, got %d\nBody: %s", tt.expectStatus, rr.Code, rr.Body.String())

server/clients.go

@@ -292,6 +292,17 @@ func (s *IDPServer) serveDynamicClientRegistration(w http.ResponseWriter, r *htt
 		return
 	}
 
+	access, ok := r.Context().Value(appCapCtxKey).(*accessGrantedRules)
+	if !ok {
+		writeJSONError(w, http.StatusForbidden, "access_denied", "application capability not found")
+		return
+	}
+
+	if !access.allowDCR {
+		writeJSONError(w, http.StatusForbidden, "access_denied", "application capability not granted")
+		return
+	}
+
 	var registrationRequest struct {
 		RedirectURIs            []string `json:"redirect_uris"`
 		TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`

server/helpers_test.go

@@ -122,7 +122,7 @@ func normalizeMap(t *testing.T, m map[string]any) map[string]any {
 
 // marshalCapRules is a helper to convert stsCapRule slice to JSON for testing
 // Migrated from legacy/tsidp_test.go:2653-2661
-func marshalCapRules(rules []stsCapRule) []tailcfg.RawMessage {
+func marshalCapRules(rules []capRule) []tailcfg.RawMessage {
 	// UnmarshalCapJSON expects each rule to be a separate RawMessage
 	var msgs []tailcfg.RawMessage
 	for _, rule := range rules {

server/server.go

@@ -46,7 +46,7 @@ type IDPServer struct {
 	serverURL   string // "https://foo.bar.ts.net"
 	stateDir    string // directory for persisted state (keys, etc)
 	funnel      bool
-	localTSMode bool
+	localTSMode bool // use local tailscaled instead of tsnet
 	enableSTS   bool
 
 	lazyMux        lazy.SyncValue[*http.ServeMux]
@@ -58,6 +58,10 @@ type IDPServer struct {
 	accessToken   map[string]*AuthRequest  // keyed by random hex
 	refreshToken  map[string]*AuthRequest  // keyed by random hex
 	funnelClients map[string]*FunnelClient // keyed by client ID
+
+	// for bypassing application capability checks for testing
+	// see issue #44
+	bypassAppCapCheck bool
 }
 
 // AuthRequest represents an authorization request
@@ -240,12 +244,11 @@ func (s *IDPServer) newMux() *http.ServeMux {
 	mux.HandleFunc("/userinfo", s.serveUserInfo)
 
 	// Register /register endpoint for Dynamic Client Registration
-	// Migrated from legacy/tsidp.go:683
-	mux.HandleFunc("/register", s.serveDynamicClientRegistration)
+	mux.HandleFunc("/register", s.addGrantAccessContext(s.serveDynamicClientRegistration))
 
 	// Register UI handler - must be last as it handles "/"
 	// Migrated from legacy/tsidp.go:685
-	mux.HandleFunc("/", s.handleUI)
+	mux.HandleFunc("/", s.addGrantAccessContext(s.handleUI))
 	return mux
 }
 
@@ -430,5 +433,3 @@ func ServeOnLocalTailscaled(ctx context.Context, lc *local.Client, st *ipnstate.
 
 	return func() { watcher.Close() }, watcherChan, nil
 }
-
-// getFunnelClientsPath returns the full path to the funnel clients file

server/token.go

@@ -129,19 +129,6 @@ func (tc tailscaleClaims) toMap() map[string]any {
 	return m
 }
 
-// Capability rule types
-// Migrated from legacy/tsidp.go:779-790
-
-type capRule struct {
-	IncludeInUserInfo bool           `json:"includeInUserInfo"`
-	ExtraClaims       map[string]any `json:"extraClaims,omitempty"` // list of features peer is allowed to edit
-}
-
-type stsCapRule struct {
-	Users     []string `json:"users"`     // list of users allowed to access resources (supports "*" wildcard)
-	Resources []string `json:"resources"` // list of audience/resource URIs the user can access
-}
-
 // serveToken is the main /token endpoint handler
 // Migrated from legacy/tsidp.go:921-942
 func (s *IDPServer) serveToken(w http.ResponseWriter, r *http.Request) {
@@ -379,7 +366,7 @@ func (s *IDPServer) serveTokenExchange(w http.ResponseWriter, r *http.Request) {
 
 	// Check ACL grant for STS token exchange
 	who := ar.RemoteUser
-	rules, err := tailcfg.UnmarshalCapJSON[stsCapRule](who.CapMap, "tailscale.com/cap/tsidp")
+	rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, "tailscale.com/cap/tsidp")
 	if err != nil {
 		//log.Printf("tsidp: failed to unmarshal STS capability: %v", err)
 		writeTokenEndpointError(w, http.StatusForbidden, "access_denied", fmt.Sprintf("failed to unmarshal STS capability: %s", err.Error()))
@@ -695,7 +682,7 @@ func (s *IDPServer) identifyClient(r *http.Request) string {
 // Migrated from legacy/tsidp.go:426-472
 func (s *IDPServer) validateResourcesForUser(who *apitype.WhoIsResponse, requestedResources []string) ([]string, error) {
 	// Check ACL grant using the same capability as we would use for STS token exchange
-	rules, err := tailcfg.UnmarshalCapJSON[stsCapRule](who.CapMap, "tailscale.com/cap/tsidp")
+	rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, "tailscale.com/cap/tsidp")
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal capability: %w", err)
 	}

server/token_test.go

@@ -27,7 +27,7 @@ func TestResourceIndicators(t *testing.T) {
 		name               string
 		authorizationQuery string
 		tokenFormData      url.Values
-		capMapRules        []stsCapRule
+		capMapRules        []capRule
 		expectStatus       int
 		checkResponse      func(t *testing.T, body []byte)
 	}{
@@ -38,7 +38,7 @@ func TestResourceIndicators(t *testing.T) {
 				"grant_type":   {"authorization_code"},
 				"redirect_uri": {"https://example.com/callback"},
 			},
-			capMapRules: []stsCapRule{
+			capMapRules: []capRule{
 				{
 					Users:     []string{"*"},
 					Resources: []string{"https://api.example.com"},
@@ -75,7 +75,7 @@ func TestResourceIndicators(t *testing.T) {
 				"grant_type":   {"authorization_code"},
 				"redirect_uri": {"https://example.com/callback"},
 			},
-			capMapRules: []stsCapRule{
+			capMapRules: []capRule{
 				{
 					Users:     []string{"*"},
 					Resources: []string{"*"}, // Allow all resources
@@ -113,7 +113,7 @@ func TestResourceIndicators(t *testing.T) {
 				"redirect_uri": {"https://example.com/callback"},
 				"resource":     {"https://api.example.com"},
 			},
-			capMapRules: []stsCapRule{
+			capMapRules: []capRule{
 				{
 					Users:     []string{"[email protected]"},
 					Resources: []string{"https://api.example.com"},
@@ -138,7 +138,7 @@ func TestResourceIndicators(t *testing.T) {
 				"redirect_uri": {"https://example.com/callback"},
 				"resource":     {"https://unauthorized.example.com"},
 			},
-			capMapRules: []stsCapRule{
+			capMapRules: []capRule{
 				{
 					Users:     []string{"[email protected]"},
 					Resources: []string{"https://api.example.com"},
@@ -806,15 +806,15 @@ func TestRefreshTokenWithResources(t *testing.T) {
 		name              string
 		originalResources []string
 		refreshResources  []string
-		capMapRules       []stsCapRule
+		capMapRules       []capRule
 		expectStatus      int
 		expectError       string
 	}{
 		{
 			name:              "refresh with resource downscoping",
 			originalResources: []string{"https://api1.example.com", "https://api2.example.com"},
 			refreshResources:  []string{"https://api1.example.com"},
-			capMapRules: []stsCapRule{
+			capMapRules: []capRule{
 				{
 					Users:     []string{"*"},
 					Resources: []string{"*"},
@@ -826,7 +826,7 @@ func TestRefreshTokenWithResources(t *testing.T) {
 			name:              "refresh with resource not in original grant",
 			originalResources: []string{"https://api1.example.com"},
 			refreshResources:  []string{"https://api2.example.com"},
-			capMapRules: []stsCapRule{
+			capMapRules: []capRule{
 				{
 					Users:     []string{"*"},
 					Resources: []string{"*"},
@@ -839,7 +839,7 @@ func TestRefreshTokenWithResources(t *testing.T) {
 			name:              "refresh without resource parameter",
 			originalResources: []string{"https://api1.example.com"},
 			refreshResources:  nil,
-			capMapRules: []stsCapRule{
+			capMapRules: []capRule{
 				{
 					Users:     []string{"*"},
 					Resources: []string{"*"},