tailscale/ipn/ipnlocal/profiles.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package ipnlocal

import (
	"cmp"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"runtime"
	"slices"
	"strings"

	"tailscale.com/clientupdate"
	"tailscale.com/envknob"
	"tailscale.com/health"
	"tailscale.com/ipn"
	"tailscale.com/tailcfg"
	"tailscale.com/types/logger"
	"tailscale.com/util/clientmetric"
)

var debug = envknob.RegisterBool("TS_DEBUG_PROFILES")

// profileManager is a wrapper around an [ipn.StateStore] that manages
// multiple profiles and the current profile.
//
// It is not safe for concurrent use.
type profileManager struct {
	goos   string // used for TestProfileManagementWindows
	store  ipn.StateStore
	logf   logger.Logf
	health *health.Tracker

	currentUserID  ipn.WindowsUserID
	knownProfiles  map[ipn.ProfileID]*ipn.LoginProfile // always non-nil
	currentProfile *ipn.LoginProfile                   // always non-nil
	prefs          ipn.PrefsView                       // always Valid.
}

func (pm *profileManager) dlogf(format string, args ...any) {
	if !debug() {
		return
	}
	pm.logf(format, args...)
}

func (pm *profileManager) WriteState(id ipn.StateKey, val []byte) error {
	return ipn.WriteState(pm.store, id, val)
}

// CurrentUserID returns the current user ID. It is only non-empty on
// Windows where we have a multi-user system.
func (pm *profileManager) CurrentUserID() ipn.WindowsUserID {
	return pm.currentUserID
}

// SetCurrentUserID sets the current user ID and switches to that user's default (last used) profile.
// If the specified user does not have a default profile, or the default profile could not be loaded,
// it creates a new one and switches to it. The uid is only non-empty on Windows where we have a multi-user system.
func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) {
	if pm.currentUserID == uid {
		return
	}
	pm.currentUserID = uid
	if err := pm.SwitchToDefaultProfile(); err != nil {
		// SetCurrentUserID should never fail and must always switch to the
		// user's default profile or create a new profile for the current user.
		// Until we implement multi-user support and the new permission model,
		// and remove the concept of the "current user" completely, we must ensure
		// that when SetCurrentUserID exits, the profile in pm.currentProfile
		// is either an existing profile owned by the user, or a new, empty profile.
		pm.logf("%q's default profile cannot be used; creating a new one: %v", uid, err)
		pm.NewProfileForUser(uid)
	}
}

// DefaultUserProfileID returns [ipn.ProfileID] of the default (last used) profile for the specified user,
// or an empty string if the specified user does not have a default profile.
func (pm *profileManager) DefaultUserProfileID(uid ipn.WindowsUserID) ipn.ProfileID {
	// Read the CurrentProfileKey from the store which stores
	// the selected profile for the specified user.
	b, err := pm.store.ReadState(ipn.CurrentProfileKey(string(uid)))
	pm.dlogf("DefaultUserProfileID: ReadState(%q) = %v, %v", string(uid), len(b), err)
	if err == ipn.ErrStateNotExist || len(b) == 0 {
		if runtime.GOOS == "windows" {
			pm.dlogf("DefaultUserProfileID: windows: migrating from legacy preferences")
			profile, err := pm.migrateFromLegacyPrefs(uid, false)
			if err == nil {
				return profile.ID
			}
			pm.logf("failed to migrate from legacy preferences: %v", err)
		}
		return ""
	}

	pk := ipn.StateKey(string(b))
	prof := pm.findProfileByKey(pk)
	if prof == nil {
		pm.dlogf("DefaultUserProfileID: no profile found for key: %q", pk)
		return ""
	}
	return prof.ID
}

// checkProfileAccess returns an [errProfileAccessDenied] if the current user
// does not have access to the specified profile.
func (pm *profileManager) checkProfileAccess(profile *ipn.LoginProfile) error {
	if pm.currentUserID != "" && profile.LocalUserID != pm.currentUserID {
		return errProfileAccessDenied
	}
	return nil
}

// allProfiles returns all profiles accessible to the current user.
// The returned profiles are sorted by Name.
func (pm *profileManager) allProfiles() (out []*ipn.LoginProfile) {
	for _, p := range pm.knownProfiles {
		if pm.checkProfileAccess(p) == nil {
			out = append(out, p)
		}
	}
	slices.SortFunc(out, func(a, b *ipn.LoginProfile) int {
		return cmp.Compare(a.Name, b.Name)
	})
	return out
}

// matchingProfiles is like [profileManager.allProfiles], but returns only profiles
// matching the given predicate.
func (pm *profileManager) matchingProfiles(f func(*ipn.LoginProfile) bool) (out []*ipn.LoginProfile) {
	all := pm.allProfiles()
	out = all[:0]
	for _, p := range all {
		if f(p) {
			out = append(out, p)
		}
	}
	return out
}

// findMatchingProfiles returns all profiles accessible to the current user
// that represent the same node/user as prefs.
// The returned profiles are sorted by Name.
func (pm *profileManager) findMatchingProfiles(prefs ipn.PrefsView) []*ipn.LoginProfile {
	return pm.matchingProfiles(func(p *ipn.LoginProfile) bool {
		return p.ControlURL == prefs.ControlURL() &&
			(p.UserProfile.ID == prefs.Persist().UserProfile().ID ||
				p.NodeID == prefs.Persist().NodeID())
	})
}

// ProfileIDForName returns the profile ID for the profile with the
// given name. It returns "" if no such profile exists among profiles
// accessible to the current user.
func (pm *profileManager) ProfileIDForName(name string) ipn.ProfileID {
	p := pm.findProfileByName(name)
	if p == nil {
		return ""
	}
	return p.ID
}

func (pm *profileManager) findProfileByName(name string) *ipn.LoginProfile {
	out := pm.matchingProfiles(func(p *ipn.LoginProfile) bool {
		return p.Name == name
	})
	if len(out) == 0 {
		return nil
	}
	if len(out) > 1 {
		pm.logf("[unexpected] multiple profiles with the same name")
	}
	return out[0]
}

func (pm *profileManager) findProfileByKey(key ipn.StateKey) *ipn.LoginProfile {
	out := pm.matchingProfiles(func(p *ipn.LoginProfile) bool {
		return p.Key == key
	})
	if len(out) == 0 {
		return nil
	}
	if len(out) > 1 {
		pm.logf("[unexpected] multiple profiles with the same key")
	}
	return out[0]
}

func (pm *profileManager) setUnattendedModeAsConfigured() error {
	if pm.goos != "windows" {
		return nil
	}

	if pm.currentProfile.Key != "" && pm.prefs.ForceDaemon() {
		return pm.WriteState(ipn.ServerModeStartKey, []byte(pm.currentProfile.Key))
	} else {
		return pm.WriteState(ipn.ServerModeStartKey, nil)
	}
}

// Reset unloads the current profile, if any.
func (pm *profileManager) Reset() {
	pm.currentUserID = ""
	pm.NewProfile()
}

// SetPrefs sets the current profile's prefs to the provided value.
// It also saves the prefs to the [ipn.StateStore]. It stores a copy of the
// provided prefs, which may be accessed via [profileManager.CurrentPrefs].
//
// The [ipn.NetworkProfile] stores additional information about the tailnet the user
// is logged into so that we can keep track of things like their domain name
// across user switches to disambiguate the same account but a different tailnet.
func (pm *profileManager) SetPrefs(prefsIn ipn.PrefsView, np ipn.NetworkProfile) error {
	cp := pm.currentProfile
	if persist := prefsIn.Persist(); !persist.Valid() || persist.NodeID() == "" || persist.UserProfile().LoginName == "" {
		// We don't know anything about this profile, so ignore it for now.
		return pm.setProfilePrefsNoPermCheck(pm.currentProfile, prefsIn.AsStruct().View())
	}

	// Check if we already have an existing profile that matches the user/node.
	if existing := pm.findMatchingProfiles(prefsIn); len(existing) > 0 {
		// We already have a profile for this user/node we should reuse it. Also
		// cleanup any other duplicate profiles.
		cp = existing[0]
		existing = existing[1:]
		for _, p := range existing {
			// Clear the state.
			if err := pm.store.WriteState(p.Key, nil); err != nil {
				// We couldn't delete the state, so keep the profile around.
				continue
			}
			// Remove the profile, knownProfiles will be persisted
			// in [profileManager.setProfilePrefs] below.
			delete(pm.knownProfiles, p.ID)
		}
	}
	pm.currentProfile = cp
	if err := pm.SetProfilePrefs(cp, prefsIn, np); err != nil {
		return err
	}
	return pm.setProfileAsUserDefault(cp)

}

// SetProfilePrefs is like [profileManager.SetPrefs], but sets prefs for the specified [ipn.LoginProfile]
// which is not necessarily the [profileManager.CurrentProfile]. It returns an [errProfileAccessDenied]
// if the specified profile is not accessible by the current user.
func (pm *profileManager) SetProfilePrefs(lp *ipn.LoginProfile, prefsIn ipn.PrefsView, np ipn.NetworkProfile) error {
	if err := pm.checkProfileAccess(lp); err != nil {
		return err
	}

	// An empty profile.ID indicates that the profile is new, the node info wasn't available,
	// and it hasn't been persisted yet. We'll generate both an ID and [ipn.StateKey]
	// once the information is available and needs to be persisted.
	if lp.ID == "" {
		if persist := prefsIn.Persist(); persist.Valid() && persist.NodeID() != "" && persist.UserProfile().LoginName != "" {
			// Generate an ID and [ipn.StateKey] now that we have the node info.
			lp.ID, lp.Key = newUnusedID(pm.knownProfiles)
		}

		// Set the current user as the profile owner, unless the current user ID does
		// not represent a specific user, or the profile is already owned by a different user.
		// It is only relevant on Windows where we have a multi-user system.
		if lp.LocalUserID == "" && pm.currentUserID != "" {
			lp.LocalUserID = pm.currentUserID
		}
	}

	var up tailcfg.UserProfile
	if persist := prefsIn.Persist(); persist.Valid() {
		up = persist.UserProfile()
		if up.DisplayName == "" {
			up.DisplayName = up.LoginName
		}
		lp.NodeID = persist.NodeID()
	} else {
		lp.NodeID = ""
	}

	if prefsIn.ProfileName() != "" {
		lp.Name = prefsIn.ProfileName()
	} else {
		lp.Name = up.LoginName
	}
	lp.ControlURL = prefsIn.ControlURL()
	lp.UserProfile = up
	lp.NetworkProfile = np

	// An empty profile.ID indicates that the node info is not available yet,
	// and the profile doesn't need to be saved on disk.
	if lp.ID != "" {
		pm.knownProfiles[lp.ID] = lp
		if err := pm.writeKnownProfiles(); err != nil {
			return err
		}
		// Clone prefsIn and create a read-only view as a safety measure to
		// prevent accidental preference mutations, both externally and internally.
		if err := pm.setProfilePrefsNoPermCheck(lp, prefsIn.AsStruct().View()); err != nil {
			return err
		}
	}
	return nil
}

func newUnusedID(knownProfiles map[ipn.ProfileID]*ipn.LoginProfile) (ipn.ProfileID, ipn.StateKey) {
	var idb [2]byte
	for {
		rand.Read(idb[:])
		id := ipn.ProfileID(fmt.Sprintf("%x", idb))
		if _, ok := knownProfiles[id]; ok {
			continue
		}
		return id, ipn.StateKey("profile-" + id)
	}
}

// setProfilePrefsNoPermCheck sets the profile's prefs to the provided value.
// If the profile has the [ipn.LoginProfile.Key] set, it saves the prefs to the
// [ipn.StateStore] under that key. It returns an error if the profile is non-current
// and does not have its Key set, or if the prefs could not be saved.
// The method does not perform any additional checks on the specified
// profile, such as verifying the caller's access rights or checking
// if another profile for the same node already exists.
func (pm *profileManager) setProfilePrefsNoPermCheck(profile *ipn.LoginProfile, clonedPrefs ipn.PrefsView) error {
	isCurrentProfile := pm.currentProfile == profile
	if isCurrentProfile {
		pm.prefs = clonedPrefs
		pm.updateHealth()
	}
	if profile.Key != "" {
		if err := pm.writePrefsToStore(profile.Key, clonedPrefs); err != nil {
			return err
		}
	} else if !isCurrentProfile {
		return errors.New("cannot set prefs for a non-current in-memory profile")
	}
	if isCurrentProfile {
		return pm.setUnattendedModeAsConfigured()
	}
	return nil
}

// setPrefsNoPermCheck is like [profileManager.setProfilePrefsNoPermCheck], but sets the current profile's prefs.
func (pm *profileManager) setPrefsNoPermCheck(clonedPrefs ipn.PrefsView) error {
	return pm.setProfilePrefsNoPermCheck(pm.currentProfile, clonedPrefs)
}

func (pm *profileManager) writePrefsToStore(key ipn.StateKey, prefs ipn.PrefsView) error {
	if key == "" {
		return nil
	}
	if err := pm.WriteState(key, prefs.ToBytes()); err != nil {
		pm.logf("WriteState(%q): %v", key, err)
		return err
	}
	return nil
}

// Profiles returns the list of known profiles accessible to the current user.
func (pm *profileManager) Profiles() []ipn.LoginProfile {
	allProfiles := pm.allProfiles()
	out := make([]ipn.LoginProfile, len(allProfiles))
	for i, p := range allProfiles {
		out[i] = *p
	}
	return out
}

// ProfileByID returns a profile with the given id, if it is accessible to the current user.
// If the profile exists but is not accessible to the current user, it returns an [errProfileAccessDenied].
// If the profile does not exist, it returns an [errProfileNotFound].
func (pm *profileManager) ProfileByID(id ipn.ProfileID) (ipn.LoginProfile, error) {
	kp, err := pm.profileByIDNoPermCheck(id)
	if err != nil {
		return ipn.LoginProfile{}, err
	}
	if err := pm.checkProfileAccess(kp); err != nil {
		return ipn.LoginProfile{}, err
	}
	return *kp, nil
}

// profileByIDNoPermCheck is like [profileManager.ProfileByID], but it doesn't
// check user's access rights to the profile.
func (pm *profileManager) profileByIDNoPermCheck(id ipn.ProfileID) (*ipn.LoginProfile, error) {
	if id == pm.currentProfile.ID {
		return pm.currentProfile, nil
	}
	kp, ok := pm.knownProfiles[id]
	if !ok {
		return nil, errProfileNotFound
	}
	return kp, nil
}

// ProfilePrefs returns preferences for a profile with the given id.
// If the profile exists but is not accessible to the current user, it returns an [errProfileAccessDenied].
// If the profile does not exist, it returns an [errProfileNotFound].
func (pm *profileManager) ProfilePrefs(id ipn.ProfileID) (ipn.PrefsView, error) {
	kp, err := pm.profileByIDNoPermCheck(id)
	if err != nil {
		return ipn.PrefsView{}, errProfileNotFound
	}
	if err := pm.checkProfileAccess(kp); err != nil {
		return ipn.PrefsView{}, err
	}
	return pm.profilePrefs(kp)
}

func (pm *profileManager) profilePrefs(p *ipn.LoginProfile) (ipn.PrefsView, error) {
	if p.ID == pm.currentProfile.ID {
		return pm.prefs, nil
	}
	return pm.loadSavedPrefs(p.Key)
}

// SwitchProfile switches to the profile with the given id.
// If the profile exists but is not accessible to the current user, it returns an [errProfileAccessDenied].
// If the profile does not exist, it returns an [errProfileNotFound].
func (pm *profileManager) SwitchProfile(id ipn.ProfileID) error {
	metricSwitchProfile.Add(1)

	kp, ok := pm.knownProfiles[id]
	if !ok {
		return errProfileNotFound
	}
	if pm.currentProfile != nil && kp.ID == pm.currentProfile.ID && pm.prefs.Valid() {
		return nil
	}

	if err := pm.checkProfileAccess(kp); err != nil {
		return fmt.Errorf("%w: profile %q is not accessible to the current user", err, id)
	}
	prefs, err := pm.loadSavedPrefs(kp.Key)
	if err != nil {
		return err
	}
	pm.prefs = prefs
	pm.updateHealth()
	pm.currentProfile = kp
	return pm.setProfileAsUserDefault(kp)
}

// SwitchToDefaultProfile switches to the default (last used) profile for the current user.
// It creates a new one and switches to it if the current user does not have a default profile,
// or returns an error if the default profile is inaccessible or could not be loaded.
func (pm *profileManager) SwitchToDefaultProfile() error {
	if id := pm.DefaultUserProfileID(pm.currentUserID); id != "" {
		return pm.SwitchProfile(id)
	}
	pm.NewProfileForUser(pm.currentUserID)
	return nil
}

// setProfileAsUserDefault sets the specified profile as the default for the current user.
// It returns an [errProfileAccessDenied] if the specified profile is not accessible to the current user.
func (pm *profileManager) setProfileAsUserDefault(profile *ipn.LoginProfile) error {
	if profile.Key == "" {
		// The profile has not been persisted yet; ignore it for now.
		return nil
	}
	if err := pm.checkProfileAccess(profile); err != nil {
		return errProfileAccessDenied
	}
	k := ipn.CurrentProfileKey(string(pm.currentUserID))
	return pm.WriteState(k, []byte(profile.Key))
}

func (pm *profileManager) loadSavedPrefs(key ipn.StateKey) (ipn.PrefsView, error) {
	bs, err := pm.store.ReadState(key)
	if err == ipn.ErrStateNotExist || len(bs) == 0 {
		return defaultPrefs, nil
	}
	if err != nil {
		return ipn.PrefsView{}, err
	}
	savedPrefs := ipn.NewPrefs()
	if err := ipn.PrefsFromBytes(bs, savedPrefs); err != nil {
		return ipn.PrefsView{}, fmt.Errorf("parsing saved prefs: %v", err)
	}
	pm.logf("using backend prefs for %q: %v", key, savedPrefs.Pretty())

	// Ignore any old stored preferences for https://login.tailscale.com
	// as the control server that would override the new default of
	// controlplane.tailscale.com.
	if savedPrefs.ControlURL != "" &&
		savedPrefs.ControlURL != ipn.DefaultControlURL &&
		ipn.IsLoginServerSynonym(savedPrefs.ControlURL) {
		savedPrefs.ControlURL = ""
	}
	// Before
	// https://github.com/tailscale/tailscale/pull/11814/commits/1613b18f8280c2bce786980532d012c9f0454fa2#diff-314ba0d799f70c8998940903efb541e511f352b39a9eeeae8d475c921d66c2ac
	// prefs could set AutoUpdate.Apply=true via EditPrefs or tailnet
	// auto-update defaults. After that change, such value is "invalid" and
	// cause any EditPrefs calls to fail (other than disabling auto-updates).
	//
	// Reset AutoUpdate.Apply if we detect such invalid prefs.
	if savedPrefs.AutoUpdate.Apply.EqualBool(true) && !clientupdate.CanAutoUpdate() {
		savedPrefs.AutoUpdate.Apply.Clear()
	}

	return savedPrefs.View(), nil
}

// CurrentProfile returns the current LoginProfile.
// The value may be zero if the profile is not persisted.
func (pm *profileManager) CurrentProfile() ipn.LoginProfile {
	return *pm.currentProfile
}

// errProfileNotFound is returned by methods that accept a ProfileID
// when the specified profile does not exist.
var errProfileNotFound = errors.New("profile not found")

// errProfileAccessDenied is returned by methods that accept a ProfileID
// when the current user does not have access to the specified profile.
// It is used temporarily until we implement access checks based on the
// caller's identity in tailscale/corp#18342.
var errProfileAccessDenied = errors.New("profile access denied")

// DeleteProfile removes the profile with the given id. It returns
// [errProfileNotFound] if the profile does not exist, or an
// [errProfileAccessDenied] if the specified profile is not accessible
// to the current user.
// If the profile is the current profile, it is the equivalent of
// calling [profileManager.NewProfile] followed by [profileManager.DeleteProfile](id).
// This is useful for deleting the last profile. In other cases, it is
// recommended to call [profileManager.SwitchProfile] first.
func (pm *profileManager) DeleteProfile(id ipn.ProfileID) error {
	metricDeleteProfile.Add(1)
	if id == pm.currentProfile.ID {
		return pm.deleteCurrentProfile()
	}
	kp, ok := pm.knownProfiles[id]
	if !ok {
		return errProfileNotFound
	}
	if err := pm.checkProfileAccess(kp); err != nil {
		return err
	}
	return pm.deleteProfileNoPermCheck(kp)
}

func (pm *profileManager) deleteCurrentProfile() error {
	if err := pm.checkProfileAccess(pm.currentProfile); err != nil {
		return err
	}
	if pm.currentProfile.ID == "" {
		// Deleting the in-memory only new profile, just create a new one.
		pm.NewProfile()
		return nil
	}
	return pm.deleteProfileNoPermCheck(pm.currentProfile)
}

// deleteProfileNoPermCheck is like [profileManager.DeleteProfile],
// but it doesn't check user's access rights to the profile.
func (pm *profileManager) deleteProfileNoPermCheck(profile *ipn.LoginProfile) error {
	if profile.ID == pm.currentProfile.ID {
		pm.NewProfile()
	}
	if err := pm.WriteState(profile.Key, nil); err != nil {
		return err
	}
	delete(pm.knownProfiles, profile.ID)
	return pm.writeKnownProfiles()
}

// DeleteAllProfilesForUser removes all known profiles accessible to the current user
// and switches to a new, empty profile.
func (pm *profileManager) DeleteAllProfilesForUser() error {
	metricDeleteAllProfile.Add(1)

	currentProfileDeleted := false
	writeKnownProfiles := func() error {
		if currentProfileDeleted || pm.currentProfile.ID == "" {
			pm.NewProfile()
		}
		return pm.writeKnownProfiles()
	}

	for _, kp := range pm.knownProfiles {
		if pm.checkProfileAccess(kp) != nil {
			// Skip profiles we don't have access to.
			continue
		}
		if err := pm.WriteState(kp.Key, nil); err != nil {
			// Write to remove references to profiles we've already deleted, but
			// return the original error.
			writeKnownProfiles()
			return err
		}
		delete(pm.knownProfiles, kp.ID)
		if kp.ID == pm.currentProfile.ID {
			currentProfileDeleted = true
		}
	}
	return writeKnownProfiles()
}

func (pm *profileManager) writeKnownProfiles() error {
	b, err := json.Marshal(pm.knownProfiles)
	if err != nil {
		return err
	}
	return pm.WriteState(ipn.KnownProfilesStateKey, b)
}

func (pm *profileManager) updateHealth() {
	if !pm.prefs.Valid() {
		return
	}
	pm.health.SetAutoUpdatePrefs(pm.prefs.AutoUpdate().Check, pm.prefs.AutoUpdate().Apply)
}

// NewProfile creates and switches to a new unnamed profile. The new profile is
// not persisted until [profileManager.SetPrefs] is called with a logged-in user.
func (pm *profileManager) NewProfile() {
	pm.NewProfileForUser(pm.currentUserID)
}

// NewProfileForUser is like [profileManager.NewProfile], but it switches to the
// specified user and sets that user as the profile owner for the new profile.
func (pm *profileManager) NewProfileForUser(uid ipn.WindowsUserID) {
	pm.currentUserID = uid

	metricNewProfile.Add(1)

	pm.prefs = defaultPrefs
	pm.updateHealth()
	pm.currentProfile = &ipn.LoginProfile{LocalUserID: uid}
}

// newProfileWithPrefs creates a new profile with the specified prefs and assigns
// the specified uid as the profile owner. If switchNow is true, it switches to the
// newly created profile immediately. It returns the newly created profile on success,
// or an error on failure.
func (pm *profileManager) newProfileWithPrefs(uid ipn.WindowsUserID, prefs ipn.PrefsView, switchNow bool) (*ipn.LoginProfile, error) {
	metricNewProfile.Add(1)

	profile := &ipn.LoginProfile{LocalUserID: uid}
	if err := pm.SetProfilePrefs(profile, prefs, ipn.NetworkProfile{}); err != nil {
		return nil, err
	}
	if switchNow {
		pm.currentProfile = profile
		pm.prefs = prefs.AsStruct().View()
		pm.updateHealth()
		if err := pm.setProfileAsUserDefault(profile); err != nil {
			return nil, err
		}
	}
	return profile, nil
}

// defaultPrefs is the default prefs for a new profile. This initializes before
// even this package's init() so do not rely on other parts of the system being
// fully initialized here (for example, syspolicy will not be available on
// Apple platforms).
var defaultPrefs = func() ipn.PrefsView {
	prefs := ipn.NewPrefs()
	prefs.LoggedOut = true
	prefs.WantRunning = false

	return prefs.View()
}()

// Store returns the [ipn.StateStore] used by the [profileManager].
func (pm *profileManager) Store() ipn.StateStore {
	return pm.store
}

// CurrentPrefs returns a read-only view of the current prefs.
// The returned view is always valid.
func (pm *profileManager) CurrentPrefs() ipn.PrefsView {
	return pm.prefs
}

// ReadStartupPrefsForTest reads the startup prefs from disk. It is only used for testing.
func ReadStartupPrefsForTest(logf logger.Logf, store ipn.StateStore) (ipn.PrefsView, error) {
	ht := new(health.Tracker) // in tests, don't care about the health status
	pm, err := newProfileManager(store, logf, ht)
	if err != nil {
		return ipn.PrefsView{}, err
	}
	return pm.CurrentPrefs(), nil
}

// newProfileManager creates a new [profileManager] using the provided [ipn.StateStore].
// It also loads the list of known profiles from the store.
func newProfileManager(store ipn.StateStore, logf logger.Logf, health *health.Tracker) (*profileManager, error) {
	return newProfileManagerWithGOOS(store, logf, health, envknob.GOOS())
}

func readAutoStartKey(store ipn.StateStore, goos string) (ipn.StateKey, error) {
	startKey := ipn.CurrentProfileStateKey
	if goos == "windows" {
		// When tailscaled runs on Windows it is not typically run unattended.
		// So we can't use the profile mechanism to load the profile at startup.
		startKey = ipn.ServerModeStartKey
	}
	autoStartKey, err := store.ReadState(startKey)
	if err != nil && err != ipn.ErrStateNotExist {
		return "", fmt.Errorf("calling ReadState on state store: %w", err)
	}
	return ipn.StateKey(autoStartKey), nil
}

func readKnownProfiles(store ipn.StateStore) (map[ipn.ProfileID]*ipn.LoginProfile, error) {
	var knownProfiles map[ipn.ProfileID]*ipn.LoginProfile
	prfB, err := store.ReadState(ipn.KnownProfilesStateKey)
	switch err {
	case nil:
		if err := json.Unmarshal(prfB, &knownProfiles); err != nil {
			return nil, fmt.Errorf("unmarshaling known profiles: %w", err)
		}
	case ipn.ErrStateNotExist:
		knownProfiles = make(map[ipn.ProfileID]*ipn.LoginProfile)
	default:
		return nil, fmt.Errorf("calling ReadState on state store: %w", err)
	}
	return knownProfiles, nil
}

func newProfileManagerWithGOOS(store ipn.StateStore, logf logger.Logf, ht *health.Tracker, goos string) (*profileManager, error) {
	logf = logger.WithPrefix(logf, "pm: ")
	stateKey, err := readAutoStartKey(store, goos)
	if err != nil {
		return nil, err
	}

	knownProfiles, err := readKnownProfiles(store)
	if err != nil {
		return nil, err
	}

	pm := &profileManager{
		goos:          goos,
		store:         store,
		knownProfiles: knownProfiles,
		logf:          logf,
		health:        ht,
	}

	if stateKey != "" {
		for _, v := range knownProfiles {
			if v.Key == stateKey {
				pm.currentProfile = v
			}
		}
		if pm.currentProfile == nil {
			if suf, ok := strings.CutPrefix(string(stateKey), "user-"); ok {
				pm.currentUserID = ipn.WindowsUserID(suf)
			}
			pm.NewProfile()
		} else {
			pm.currentUserID = pm.currentProfile.LocalUserID
		}
		prefs, err := pm.loadSavedPrefs(stateKey)
		if err != nil {
			return nil, err
		}
		if err := pm.setProfilePrefsNoPermCheck(pm.currentProfile, prefs); err != nil {
			return nil, err
		}
		// Most platform behavior is controlled by the goos parameter, however
		// some behavior is implied by build tag and fails when run on Windows,
		// so we explicitly avoid that behavior when running on Windows.
		// Specifically this reaches down into legacy preference loading that is
		// specialized by profiles_windows.go and fails in tests on an invalid
		// uid passed in from the unix tests. The uid's used for Windows tests
		// and runtime must be valid Windows security identifier structures.
	} else if len(knownProfiles) == 0 && goos != "windows" && runtime.GOOS != "windows" {
		// No known profiles, try a migration.
		pm.dlogf("no known profiles; trying to migrate from legacy prefs")
		if _, err := pm.migrateFromLegacyPrefs(pm.currentUserID, true); err != nil {
			return nil, err
		}
	} else {
		pm.NewProfile()
	}

	return pm, nil
}

func (pm *profileManager) migrateFromLegacyPrefs(uid ipn.WindowsUserID, switchNow bool) (*ipn.LoginProfile, error) {
	metricMigration.Add(1)
	sentinel, prefs, err := pm.loadLegacyPrefs(uid)
	if err != nil {
		metricMigrationError.Add(1)
		return nil, fmt.Errorf("load legacy prefs: %w", err)
	}
	pm.dlogf("loaded legacy preferences; sentinel=%q", sentinel)
	profile, err := pm.newProfileWithPrefs(uid, prefs, switchNow)
	if err != nil {
		metricMigrationError.Add(1)
		return nil, fmt.Errorf("migrating _daemon profile: %w", err)
	}
	pm.completeMigration(sentinel)
	pm.dlogf("completed legacy preferences migration with sentinel=%q", sentinel)
	metricMigrationSuccess.Add(1)
	return profile, nil
}

func (pm *profileManager) requiresBackfill() bool {
	return pm != nil &&
		pm.currentProfile != nil &&
		pm.currentProfile.NetworkProfile.RequiresBackfill()
}

var (
	metricNewProfile       = clientmetric.NewCounter("profiles_new")
	metricSwitchProfile    = clientmetric.NewCounter("profiles_switch")
	metricDeleteProfile    = clientmetric.NewCounter("profiles_delete")
	metricDeleteAllProfile = clientmetric.NewCounter("profiles_delete_all")

	metricMigration        = clientmetric.NewCounter("profiles_migration")
	metricMigrationError   = clientmetric.NewCounter("profiles_migration_error")
	metricMigrationSuccess = clientmetric.NewCounter("profiles_migration_success")
)