feat: machine authorization

internal/service/auth_keys.go

@@ -161,7 +161,7 @@ func (s *Service) CreateAuthKey(ctx context.Context, req *connect.Request[api.Cr
 
 	tags := domain.SanitizeTags(req.Msg.Tags)
 
-	v, authKey := domain.CreateAuthKey(tailnet, user, req.Msg.Ephemeral, tags, expiresAt)
+	v, authKey := domain.CreateAuthKey(tailnet, user, req.Msg.Ephemeral, req.Msg.PreAuthorized, tags, expiresAt)
 
 	if err := s.repository.SaveAuthKey(ctx, authKey); err != nil {
 		return nil, err

internal/service/machine.go

@@ -57,6 +57,7 @@ func (s *Service) machineToApi(m *domain.Machine) *api.Machine {
 		EnabledRoutes:      m.AllowedPrefixes(),
 		AdvertisedExitNode: m.IsAdvertisedExitNode(),
 		EnabledExitNode:    m.IsAllowedExitNode(),
+		Authorized:         m.Authorized,
 	}
 }
 
@@ -160,6 +161,34 @@ func (s *Service) ExpireMachine(ctx context.Context, req *connect.Request[api.Ex
 	return connect.NewResponse(&api.ExpireMachineResponse{}), nil
 }
 
+func (s *Service) AuthorizeMachine(ctx context.Context, req *connect.Request[api.AuthorizeMachineRequest]) (*connect.Response[api.AuthorizeMachineResponse], error) {
+	principal := CurrentPrincipal(ctx)
+
+	m, err := s.repository.GetMachine(ctx, req.Msg.MachineId)
+	if err != nil {
+		return nil, err
+	}
+
+	if m == nil {
+		return nil, connect.NewError(connect.CodeNotFound, errors.New("machine not found"))
+	}
+
+	if !principal.IsSystemAdmin() && !principal.IsTailnetAdmin(m.TailnetID) {
+		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
+	}
+
+	if !m.Authorized {
+		m.Authorized = true
+		if err := s.repository.SaveMachine(ctx, m); err != nil {
+			return nil, err
+		}
+	}
+
+	s.pubsub.Publish(m.TailnetID, &broker.Signal{PeerUpdated: &m.ID})
+
+	return connect.NewResponse(&api.AuthorizeMachineResponse{}), nil
+}
+
 func (s *Service) GetMachineRoutes(ctx context.Context, req *connect.Request[api.GetMachineRoutesRequest]) (*connect.Response[api.GetMachineRoutesResponse], error) {
 	principal := CurrentPrincipal(ctx)
 

internal/service/tailnet.go

@@ -391,3 +391,51 @@ func (s *Service) DisableSSH(ctx context.Context, req *connect.Request[api.Disab
 
 	return connect.NewResponse(&api.DisableSSHResponse{}), nil
 }
+
+func (s *Service) EnableMachineAuthorization(ctx context.Context, req *connect.Request[api.EnableMachineAuthorizationRequest]) (*connect.Response[api.EnableMachineAuthorizationResponse], error) {
+	principal := CurrentPrincipal(ctx)
+	if !principal.IsSystemAdmin() && !principal.IsTailnetAdmin(req.Msg.TailnetId) {
+		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
+	}
+
+	tailnet, err := s.repository.GetTailnet(ctx, req.Msg.TailnetId)
+	if err != nil {
+		return nil, err
+	}
+	if tailnet == nil {
+		return nil, connect.NewError(connect.CodeNotFound, errors.New("tailnet not found"))
+	}
+
+	if !tailnet.MachineAuthorizationEnabled {
+		tailnet.MachineAuthorizationEnabled = true
+		if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
+			return nil, err
+		}
+	}
+
+	return connect.NewResponse(&api.EnableMachineAuthorizationResponse{}), nil
+}
+
+func (s *Service) DisableMachineAuthorization(ctx context.Context, req *connect.Request[api.DisableMachineAuthorizationRequest]) (*connect.Response[api.DisableMachineAuthorizationResponse], error) {
+	principal := CurrentPrincipal(ctx)
+	if !principal.IsSystemAdmin() && !principal.IsTailnetAdmin(req.Msg.TailnetId) {
+		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
+	}
+
+	tailnet, err := s.repository.GetTailnet(ctx, req.Msg.TailnetId)
+	if err != nil {
+		return nil, err
+	}
+	if tailnet == nil {
+		return nil, connect.NewError(connect.CodeNotFound, errors.New("tailnet not found"))
+	}
+
+	if tailnet.MachineAuthorizationEnabled {
+		tailnet.MachineAuthorizationEnabled = false
+		if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
+			return nil, err
+		}
+	}
+
+	return connect.NewResponse(&api.DisableMachineAuthorizationResponse{}), nil
+}