| 995 | } |
| 996 | |
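// resolveAuthKey determines the auth key the node uses to authenticate with
// control.
//
// It starts from the configured auth key (s.getAuthKey()). When the OAuth hook
// is registered, that value — or s.getClientSecret() when it is empty — is
// passed to the hook as the client secret and the hook's result replaces the
// auth key. When the workload identity federation (WIF) hook is registered and
// no auth key has been determined by then, the configured client ID, ID token
// and audience are validated (see validateWIFInputs) and passed to the WIF
// hook, whose result becomes the auth key.
//
// It returns an error if either hook fails or if the WIF settings are
// inconsistent. The returned key is empty only when no source produced one.
func (s *Server) resolveAuthKey() (string, error) {
	authKey := s.getAuthKey()

	// Try to use an OAuth secret to generate an auth key if that functionality
	// is available.
	if resolveViaOAuth, ok := tailscale.HookResolveAuthKey.GetOk(); ok {
		// A configured auth key is handed to the hook as the client secret;
		// the dedicated client secret setting is only consulted when no auth
		// key is set at all.
		clientSecret := authKey
		if clientSecret == "" {
			clientSecret = s.getClientSecret()
		}
		resolved, err := resolveViaOAuth(s.shutdownCtx, clientSecret, s.AdvertiseTags)
		if err != nil {
			return "", err
		}
		authKey = resolved
	}

	// Try to resolve the auth key via workload identity federation if that
	// functionality is available and no auth key is yet determined.
	if resolveViaWIF, ok := tailscale.HookResolveAuthKeyViaWIF.GetOk(); ok && authKey == "" {
		clientID := s.getClientID()
		idToken := s.getIDToken()
		audience := s.getAudience()
		if err := validateWIFInputs(clientID, idToken, audience); err != nil {
			return "", err
		}
		// NOTE: when none of the three settings is configured the hook is still
		// invoked with empty values; how it treats that case is not visible here.
		resolved, err := resolveViaWIF(s.shutdownCtx, s.getControlURL(), clientID, idToken, audience, s.AdvertiseTags)
		if err != nil {
			return "", err
		}
		authKey = resolved
	}
	return authKey, nil
}

// validateWIFInputs checks that the workload identity federation settings are
// consistent: a client ID requires exactly one of an ID token or an audience,
// and neither an ID token nor an audience may be set without a client ID.
// All-empty inputs are accepted. The messages name only which settings are
// present or missing and never include their values, so they are safe to log.
func validateWIFInputs(clientID, idToken, audience string) error {
	if clientID != "" && idToken == "" && audience == "" {
		return fmt.Errorf("client ID for workload identity federation found, but ID token and audience are empty")
	}
	if idToken != "" && audience != "" {
		return fmt.Errorf("only one of ID token and audience should be set for workload identity federation")
	}
	if clientID == "" {
		if idToken != "" {
			return fmt.Errorf("ID token for workload identity federation found, but client ID is empty")
		}
		if audience != "" {
			return fmt.Errorf("audience for workload identity federation found, but client ID is empty")
		}
	}
	return nil
}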
| 1041 | |
| 1042 | func (s *Server) startLogger(closePool *closeOnErrorPool, health *health.Tracker, tsLogf logger.Logf) error { |
| 1043 | if testenv.InTest() { |