Files
claudetools/.claude/skills/tailscale/scripts/tailscale-api.sh
Howard Enos d5f7eadf82 sync: auto-sync from HOWARD-HOME at 2026-07-06 08:29:31
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-06 08:29:31
2026-07-06 08:30:01 -07:00

294 lines
13 KiB
Bash

#!/usr/bin/env bash
# tailscale-api.sh — CLI for the ACG Tailscale tailnet via the Tailscale REST API v2
# (base: https://api.tailscale.com/api/v2). Read-only by default; every device
# delete/authorize and every auth-key create/delete is GATED behind --confirm.
#
# AUTH (resolved from the SOPS vault, OAuth preferred, token fallback):
# vault path: tailscale/api-access.sops.yaml (override: --vault <path> or env TAILSCALE_VAULT)
# credentials.client_id + credentials.client_secret -> OAuth client (preferred, non-expiring)
# POST /oauth/token -> short-lived bearer
# credentials.api_key -> raw API access token (tskey-api-...) fallback
# tailnet (path segment): credentials.tailnet | top-level plaintext `tailnet:` | env
# TAILSCALE_TAILNET | default `-` (the authenticated principal's default tailnet).
#
# Secrets never touch argv/stdout: the bearer is written to a 0600 curl config file
# (-K) and the OAuth secret is fed to curl over stdin (--data @-).
#
# Subcommands:
# status auth check + tailnet + device count
# devices [--json] list devices (name/id/addr/os/user/lastSeen/tags/update/online)
# device <name|id|100.x> [--json] device detail
# delete-device <name|id|100.x> [--confirm] DELETE a device (GATED)
# authorize <name|id|100.x> [--confirm] POST authorized=true (GATED)
# keys [--json] list auth keys
# create-key [--tag tag:x]... [--reusable] [--preauth] [--ephemeral]
# [--expiry-days N] [--desc "..."] [--confirm] create an auth key (GATED)
# delete-key <keyId> [--confirm] DELETE/revoke an auth key (GATED)
#
# Device args accept a NAME, the stable numeric/node id, or a 100.x address; the name is
# resolved to an id against the live device list. On an AMBIGUOUS match (>1 device) the
# candidates are printed and the op STOPS — it never acts on a guess.
#
# Usage: bash .claude/skills/tailscale/scripts/tailscale-api.sh <subcommand> [args] [--confirm]
# Runs `--help` with no credentials.
set -uo pipefail
API="https://api.tailscale.com/api/v2"
OAUTH_URL="https://api.tailscale.com/api/v2/oauth/token"
REPO="$(git rev-parse --show-toplevel 2>/dev/null || echo "${CLAUDETOOLS_ROOT:-C:/claudetools}")"
VAULT_SH="$REPO/.claude/scripts/vault.sh"
ALERT_SH="$REPO/.claude/scripts/post-bot-alert.sh"
logerr() { bash "$REPO/.claude/scripts/log-skill-error.sh" "tailscale" "$1" ${2:+--context "$2"} >/dev/null 2>&1 || true; }
usage() {
sed -n '2,40p' "$0" | sed 's/^# \{0,1\}//'
exit "${1:-0}"
}
# ---- arg parse (global) -------------------------------------------------------
VAULT_PATH="${TAILSCALE_VAULT:-tailscale/api-access.sops.yaml}"
CONFIRM=0; JSON=0; TAGS=(); REUSABLE=false; PREAUTH=false; EPHEMERAL=false
EXPIRY_DAYS=90; DESC=""; POS=()
while [ $# -gt 0 ]; do
case "$1" in
-h|--help|help) usage 0;;
--vault) VAULT_PATH="${2:?--vault needs a path}"; shift 2;;
--confirm) CONFIRM=1; shift;;
--json) JSON=1; shift;;
--tag) TAGS+=("${2:?--tag needs a value e.g. tag:roberts}"); shift 2;;
--reusable) REUSABLE=true; shift;;
--preauth) PREAUTH=true; shift;;
--ephemeral) EPHEMERAL=true; shift;;
--expiry-days) EXPIRY_DAYS="${2:?--expiry-days needs N}"; shift 2;;
--desc) DESC="${2:-}"; shift 2;;
*) POS+=("$1"); shift;;
esac
done
SUB="${POS[0]:-}"; [ -n "$SUB" ] || usage 2
command -v jq >/dev/null 2>&1 || { echo "[ERROR] jq is required"; exit 2; }
command -v curl >/dev/null 2>&1 || { echo "[ERROR] curl is required"; exit 2; }
# ---- credentials + bearer -----------------------------------------------------
CURL_CFG="$(mktemp)"; chmod 600 "$CURL_CFG" 2>/dev/null || true
trap 'rm -f "$CURL_CFG"' EXIT
vget() { bash "$VAULT_SH" get-field "$VAULT_PATH" "$1" 2>/dev/null; }
TAILNET="${TAILSCALE_TAILNET:-}"
BEARER=""
resolve_auth() {
[ -n "$TAILNET" ] || TAILNET="$(vget credentials.tailnet)"
[ -n "$TAILNET" ] || TAILNET="$(vget tailnet)"
[ -n "$TAILNET" ] || TAILNET="-"
local cid csec key
cid="$(vget credentials.client_id)"; csec="$(vget credentials.client_secret)"
if [ -n "$cid" ] && [ -n "$csec" ]; then
# OAuth: secret over stdin (not argv); scopes devices:core + auth_keys.
local out code body
out="$(printf 'grant_type=client_credentials&client_id=%s&client_secret=%s' "$cid" "$csec" \
| curl -sS --data @- -w $'\n%{http_code}' "$OAUTH_URL" 2>/dev/null)"
code="${out##*$'\n'}"; body="${out%$'\n'*}"
if [ "$code" = "200" ]; then
BEARER="$(printf '%s' "$body" | jq -r '.access_token // empty')"
fi
[ -n "$BEARER" ] || { echo "[ERROR] OAuth token exchange failed (HTTP $code) at vault:$VAULT_PATH"; logerr "OAuth token exchange failed" "http=$code vault=$VAULT_PATH"; exit 2; }
return 0
fi
key="$(vget credentials.api_key)"
if [ -n "$key" ]; then BEARER="$key"; return 0; fi
echo "[BLOCKED] no Tailscale credential at vault:$VAULT_PATH"
echo " need credentials.client_id + credentials.client_secret (OAuth) OR credentials.api_key (token)."
exit 2
}
resolve_auth
printf 'header = "Authorization: Bearer %s"\n' "$BEARER" > "$CURL_CFG"
# ---- API wrapper (HTTP_CODE / HTTP_BODY) --------------------------------------
HTTP_CODE=""; HTTP_BODY=""
api() { # METHOD PATH [JSON_BODY]
local method="$1" path="$2" data="${3:-}" out
local args=(-sS -X "$method" -H "Accept: application/json" -K "$CURL_CFG" -w $'\n%{http_code}')
if [ -n "$data" ]; then
out="$(printf '%s' "$data" | curl "${args[@]}" -H "Content-Type: application/json" --data-binary @- "$API/$path" 2>/dev/null)"
else
out="$(curl "${args[@]}" "$API/$path" 2>/dev/null)"
fi
HTTP_CODE="${out##*$'\n'}"; HTTP_BODY="${out%$'\n'*}"
}
api_ok() { case "$HTTP_CODE" in 2*) return 0;; *) return 1;; esac; }
api_fail() { # context
echo "[ERROR] Tailscale API $1 -> HTTP $HTTP_CODE"
printf '%s\n' "$HTTP_BODY" | jq -r '.message // .' 2>/dev/null || printf '%s\n' "$HTTP_BODY"
logerr "API $1 HTTP $HTTP_CODE" "tailnet=$TAILNET vault=$VAULT_PATH"
}
alert() { [ -f "$ALERT_SH" ] && bash "$ALERT_SH" "$1" >/dev/null 2>&1 || true; }
# ---- device list + name->id resolution ----------------------------------------
DEVLIST_JSON=""
load_devices() {
[ -n "$DEVLIST_JSON" ] && return 0
api GET "tailnet/$TAILNET/devices?fields=all"
api_ok || { api_fail "list devices"; exit 2; }
DEVLIST_JSON="$HTTP_BODY"
}
# echoes the resolved device id on success; on none/ambiguous prints to stderr, non-zero.
resolve_device() {
local q="$1"; load_devices
local filt='.devices[] | select(%s) | .id'
local exact
exact="$(printf '%s' "$DEVLIST_JSON" | jq -r --arg q "$q" \
'.devices[] | select((.id==$q) or (.nodeId==$q) or ((.addresses//[])|index($q))
or ((.hostname//""|ascii_downcase)==($q|ascii_downcase))
or ((.name//""|ascii_downcase|split(".")[0])==($q|ascii_downcase))) | .id')"
local n; n="$(printf '%s\n' "$exact" | grep -c . || true)"
if [ "$n" -eq 1 ]; then printf '%s' "$exact"; return 0; fi
if [ "$n" -eq 0 ]; then
# substring fallback on name/hostname
exact="$(printf '%s' "$DEVLIST_JSON" | jq -r --arg q "$q" \
'.devices[] | select(((.name//""|ascii_downcase)|contains($q|ascii_downcase))
or ((.hostname//""|ascii_downcase)|contains($q|ascii_downcase))) | .id')"
n="$(printf '%s\n' "$exact" | grep -c . || true)"
fi
if [ "$n" -eq 1 ]; then printf '%s' "$exact"; return 0; fi
if [ "$n" -eq 0 ]; then echo "[ERROR] no device matches '$q' in tailnet $TAILNET" >&2; return 3; fi
echo "[BLOCKED] '$q' is AMBIGUOUS ($n matches) — refusing to act. Candidates:" >&2
printf '%s' "$DEVLIST_JSON" | jq -r --arg q "$q" \
'.devices[] | select(((.name//""|ascii_downcase)|contains($q|ascii_downcase))
or ((.hostname//""|ascii_downcase)|contains($q|ascii_downcase)))
| " " + .id + " " + (.name//"?") + " " + ((.addresses//[])|join(","))' >&2
return 4
}
dev_label() { # id -> "name (addr)"
printf '%s' "$DEVLIST_JSON" | jq -r --arg id "$1" \
'.devices[] | select(.id==$id) | (.name//"?") + " (" + ((.addresses//[])|join(","))+")"'
}
# ---- subcommands --------------------------------------------------------------
case "$SUB" in
status)
load_devices
local_count="$(printf '%s' "$DEVLIST_JSON" | jq -r '.devices | length')"
echo "[OK] Tailscale API reachable"
echo " tailnet : $TAILNET"
echo " auth : $([ -n "$(vget credentials.client_id)" ] && echo OAuth-client || echo api-token)"
echo " devices : $local_count"
;;
devices)
load_devices
if [ "$JSON" = 1 ]; then printf '%s\n' "$DEVLIST_JSON" | jq '.'; exit 0; fi
printf '%s' "$DEVLIST_JSON" | jq -r '
.devices | sort_by(.name) | .[]
| [ (.name//"?"), .id, ((.addresses//[])|join(",")), (.os//"?"),
(.user//"?"), (.lastSeen//"?"), ((.tags//[])|join(",")),
(if .updateAvailable then "update" else "-" end) ] | @tsv' \
| { echo -e "NAME\tID\tADDRESSES\tOS\tUSER\tLASTSEEN\tTAGS\tUPDATE"; cat; } | column -t -s $'\t'
;;
device)
Q="${POS[1]:?usage: device <name|id|100.x>}"
ID="$(resolve_device "$Q")" || exit $?
api GET "device/$ID?fields=all"; api_ok || { api_fail "device detail"; exit 2; }
if [ "$JSON" = 1 ]; then printf '%s\n' "$HTTP_BODY" | jq '.'; else
printf '%s\n' "$HTTP_BODY" | jq -r '
"name : " + (.name//"?"),
"id : " + (.id//"?"),
"nodeId : " + (.nodeId//"?"),
"addresses : " + ((.addresses//[])|join(", ")),
"os : " + (.os//"?"),
"user : " + (.user//"?"),
"tags : " + ((.tags//[])|join(", ")),
"authorized : " + ((.authorized//false)|tostring),
"lastSeen : " + (.lastSeen//"?"),
"clientVer : " + (.clientVersion//"?"),
"update : " + ((.updateAvailable//false)|tostring)'
fi
;;
delete-device)
Q="${POS[1]:?usage: delete-device <name|id|100.x> [--confirm]}"
ID="$(resolve_device "$Q")" || exit $?
LBL="$(dev_label "$ID")"
if [ "$CONFIRM" != 1 ]; then
echo "[BLOCKED] would DELETE device $ID $LBL from tailnet $TAILNET"
echo " re-run with --confirm to delete."
exit 3
fi
api DELETE "device/$ID"; api_ok || { api_fail "delete device"; exit 2; }
echo "[OK] deleted device $ID $LBL"
alert "[TAILSCALE] deleted device $LBL ($ID) from tailnet $TAILNET"
;;
authorize)
Q="${POS[1]:?usage: authorize <name|id|100.x> [--confirm]}"
ID="$(resolve_device "$Q")" || exit $?
LBL="$(dev_label "$ID")"
if [ "$CONFIRM" != 1 ]; then
echo "[BLOCKED] would AUTHORIZE device $ID $LBL on tailnet $TAILNET"
echo " re-run with --confirm to authorize."
exit 3
fi
api POST "device/$ID/authorized" '{"authorized":true}'; api_ok || { api_fail "authorize device"; exit 2; }
echo "[OK] authorized device $ID $LBL"
alert "[TAILSCALE] authorized device $LBL ($ID) on tailnet $TAILNET"
;;
keys)
api GET "tailnet/$TAILNET/keys"; api_ok || { api_fail "list keys"; exit 2; }
if [ "$JSON" = 1 ]; then printf '%s\n' "$HTTP_BODY" | jq '.'; exit 0; fi
printf '%s' "$HTTP_BODY" | jq -r '
.keys // [] | .[]
| [ .id, (.description//"-"),
((.capabilities.devices.create.tags//[])|join(",") // "-"),
((.capabilities.devices.create.reusable//false)|tostring),
(.created//"?"), (.expires//"?") ] | @tsv' \
| { echo -e "KEYID\tDESC\tTAGS\tREUSABLE\tCREATED\tEXPIRES"; cat; } | column -t -s $'\t'
;;
create-key)
TAGS_JSON="$(printf '%s\n' "${TAGS[@]:-}" | jq -R . | jq -s 'map(select(length>0))')"
EXPIRY_SECONDS=$(( EXPIRY_DAYS * 86400 ))
BODY="$(jq -n \
--argjson reusable "$REUSABLE" --argjson ephemeral "$EPHEMERAL" --argjson preauth "$PREAUTH" \
--argjson expiry "$EXPIRY_SECONDS" --arg desc "$DESC" --argjson tags "$TAGS_JSON" \
'{capabilities:{devices:{create:{reusable:$reusable,ephemeral:$ephemeral,preauthorized:$preauth,tags:$tags}}},expirySeconds:$expiry,description:$desc}')"
if [ "$CONFIRM" != 1 ]; then
echo "[BLOCKED] would CREATE auth key on tailnet $TAILNET with:"
printf '%s\n' "$BODY" | jq '.'
echo " re-run with --confirm to create."
exit 3
fi
api POST "tailnet/$TAILNET/keys" "$BODY"; api_ok || { api_fail "create key"; exit 2; }
KID="$(printf '%s' "$HTTP_BODY" | jq -r '.id // "?"')"
echo "[OK] created auth key $KID (tags: $(printf '%s' "$TAGS_JSON" | jq -r 'join(",")'))"
echo "[WARNING] the key secret is shown ONCE below — store it in the vault, never in chat/commit:"
printf '%s' "$HTTP_BODY" | jq -r '.key // "(no key field returned)"'
alert "[TAILSCALE] created auth key $KID on tailnet $TAILNET (tags: $(printf '%s' "$TAGS_JSON" | jq -r 'join(",")'))"
;;
delete-key)
KID="${POS[1]:?usage: delete-key <keyId> [--confirm]}"
if [ "$CONFIRM" != 1 ]; then
echo "[BLOCKED] would DELETE/revoke auth key $KID on tailnet $TAILNET"
echo " re-run with --confirm to revoke."
exit 3
fi
api DELETE "tailnet/$TAILNET/keys/$KID"; api_ok || { api_fail "delete key"; exit 2; }
echo "[OK] revoked auth key $KID"
alert "[TAILSCALE] revoked auth key $KID on tailnet $TAILNET"
;;
*)
echo "[ERROR] unknown subcommand: $SUB"
usage 2
;;
esac