ipn/ipnlocal: lock down unsigned peers more

Apparently there's no tracking bug? Updates tailscale/corp#7515 for ingress/funnel at least. Change-Id: I03bc54fdc1f53f9832ab8b51475b2d676c38d897 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2 years ago · 6e6f27dd21
parent dc75b7cfd1
commit 6e6f27dd21
1 changed files with 8 additions and 0 deletions
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@ -818,6 +818,10 @@ func (f *incomingFile) PartialFile() ipn.PartialFile {

 // canPutFile reports whether h can put a file ("Taildrop") to this node.
 func (h *peerAPIHandler) canPutFile() bool {
+	if h.peerNode.UnsignedPeerAPIOnly {
+		// Unsigned peers can't send files.
+		return false
+	}
 	return h.isSelf || h.peerHasCap(tailcfg.CapabilityFileSharingSend)
 }

@ -828,6 +832,10 @@ func (h *peerAPIHandler) canDebug() bool {
 		// This node does not expose debug info.
 		return false
 	}
+	if h.peerNode.UnsignedPeerAPIOnly {
+		// Unsigned peers can't debug.
+		return false
+	}
 	return h.isSelf || h.peerHasCap(tailcfg.CapabilityDebugPeer)
 }