mirror of
https://github.com/tailscale/tailscale.git
synced 2026-07-15 10:03:09 -04:00
* ipn/localapi,ipnlocal,feature/acme,client/local: honour Retry-After on cert rate-limit serveCert now responds with 429 + Retry-After when the underlying ACME error is a rate limit, instead of a generic 500. client/local surfaces this as a typed RateLimitedError with the parsed hint so callers can back off intelligently. Updates tailscale/corp#42164 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> * tsweb,feature/acme,ipn/localapi,ipnlocal: generalise cert error → HTTP mapping via tsweb.HTTPStatuser Introduces a tsweb.HTTPStatuser interface, any error can implement to describe its intended HTTP response (code, message, headers). Moves CertRateLimitedError from ipnlocal to feature/acme where it's constructed, and it now uses HTTPStatuser to return 429 + Retry-After. serveCert now checks for tsweb.HTTPStatuser rather than the specific error type, so it no longer needs to know about the ACME rate-limit type. Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
74 lines
1.9 KiB
Go
74 lines
1.9 KiB
Go
// Copyright (c) Tailscale Inc & contributors
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build !ios && !android && !js && !ts_omit_acme
|
|
|
|
package localapi
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"maps"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"tailscale.com/ipn/ipnlocal"
|
|
"tailscale.com/tsweb"
|
|
)
|
|
|
|
func init() {
|
|
Register("cert/", (*Handler).serveCert)
|
|
}
|
|
|
|
func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitWrite && !h.PermitCert {
|
|
http.Error(w, "cert access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
domain, ok := strings.CutPrefix(r.URL.Path, "/localapi/v0/cert/")
|
|
if !ok {
|
|
http.Error(w, "internal handler config wired wrong", 500)
|
|
return
|
|
}
|
|
var minValidity time.Duration
|
|
if minValidityStr := r.URL.Query().Get("min_validity"); minValidityStr != "" {
|
|
var err error
|
|
minValidity, err = time.ParseDuration(minValidityStr)
|
|
if err != nil {
|
|
http.Error(w, fmt.Sprintf("invalid validity parameter: %v", err), http.StatusBadRequest)
|
|
return
|
|
}
|
|
}
|
|
pair, err := h.b.GetCertPEMWithValidity(r.Context(), domain, minValidity)
|
|
if err != nil {
|
|
if hs, ok := errors.AsType[tsweb.HTTPStatuser](err); ok {
|
|
resp := hs.HTTPStatus()
|
|
maps.Copy(w.Header(), resp.Header)
|
|
http.Error(w, resp.Msg, resp.Code)
|
|
return
|
|
}
|
|
// TODO(bradfitz): 500 is a little lazy. Other errors from GetCertPEM
|
|
// should also implement tsweb.HTTPStatuser (400 vs 403 vs 500 vs …)
|
|
// rather than falling through here.
|
|
http.Error(w, fmt.Sprint(err), 500)
|
|
return
|
|
}
|
|
serveKeyPair(w, r, pair)
|
|
}
|
|
|
|
func serveKeyPair(w http.ResponseWriter, r *http.Request, p *ipnlocal.TLSCertKeyPair) {
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
switch r.URL.Query().Get("type") {
|
|
case "", "crt", "cert":
|
|
w.Write(p.CertPEM)
|
|
case "key":
|
|
w.Write(p.KeyPEM)
|
|
case "pair":
|
|
w.Write(p.KeyPEM)
|
|
w.Write(p.CertPEM)
|
|
default:
|
|
http.Error(w, `invalid type; want "cert" (default), "key", or "pair"`, 400)
|
|
}
|
|
}
|