From 9048ea25db8064b3833b7a2fcbe4b421e4a820dc Mon Sep 17 00:00:00 2001
From: James 'zofrex' Sanderson <jsanderson@tailscale.com>
Date: Tue, 18 Nov 2025 08:04:03 +0000
Subject: [PATCH] ipn/localapi: log calls to localapi (#17880)

Updates tailscale/corp#34238

Signed-off-by: James Sanderson <jsanderson@tailscale.com>
---
 ipn/localapi/localapi.go      | 24 +++++++++++++++++-------
 ipn/localapi/localapi_test.go | 33 ++++++++++++++++++++++++---------
 2 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index ddd55234a..c4ba2a40b 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -264,7 +264,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	if fn, ok := handlerForPath(r.URL.Path); ok {
+	if fn, route, ok := handlerForPath(r.URL.Path); ok {
+		h.logRequest(r.Method, route)
 		fn(h, w, r)
 	} else {
 		http.NotFound(w, r)
@@ -300,9 +301,9 @@ func (h *Handler) validHost(hostname string) bool {
 
 // handlerForPath returns the LocalAPI handler for the provided Request.URI.Path.
 // (the path doesn't include any query parameters)
-func handlerForPath(urlPath string) (h LocalAPIHandler, ok bool) {
+func handlerForPath(urlPath string) (h LocalAPIHandler, route string, ok bool) {
 	if urlPath == "/" {
-		return (*Handler).serveLocalAPIRoot, true
+		return (*Handler).serveLocalAPIRoot, "/", true
 	}
 	suff, ok := strings.CutPrefix(urlPath, "/localapi/v0/")
 	if !ok {
@@ -310,22 +311,31 @@ func handlerForPath(urlPath string) (h LocalAPIHandler, ok bool) {
 		// to people that they're not necessarily stable APIs. In practice we'll
 		// probably need to keep them pretty stable anyway, but for now treat
 		// them as an internal implementation detail.
-		return nil, false
+		return nil, "", false
 	}
 	if fn, ok := handler[suff]; ok {
 		// Here we match exact handler suffixes like "status" or ones with a
 		// slash already in their name, like "tka/status".
-		return fn, true
+		return fn, "/localapi/v0/" + suff, true
 	}
 	// Otherwise, it might be a prefix match like "files/*" which we look up
 	// by the prefix including first trailing slash.
 	if i := strings.IndexByte(suff, '/'); i != -1 {
 		suff = suff[:i+1]
 		if fn, ok := handler[suff]; ok {
-			return fn, true
+			return fn, "/localapi/v0/" + suff, true
 		}
 	}
-	return nil, false
+	return nil, "", false
+}
+
+func (h *Handler) logRequest(method, route string) {
+	switch method {
+	case httpm.GET, httpm.HEAD, httpm.OPTIONS:
+		// don't log safe methods
+	default:
+		h.Logf("localapi: [%s] %s", method, route)
+	}
 }
 
 func (*Handler) serveLocalAPIRoot(w http.ResponseWriter, r *http.Request) {
diff --git a/ipn/localapi/localapi_test.go b/ipn/localapi/localapi_test.go
index d00b4117b..6bb9b5182 100644
--- a/ipn/localapi/localapi_test.go
+++ b/ipn/localapi/localapi_test.go
@@ -40,6 +40,19 @@ import (
 	"tailscale.com/wgengine"
 )
 
+func handlerForTest(t testing.TB, h *Handler) *Handler {
+	if h.Actor == nil {
+		h.Actor = &ipnauth.TestActor{}
+	}
+	if h.b == nil {
+		h.b = &ipnlocal.LocalBackend{}
+	}
+	if h.logf == nil {
+		h.logf = logger.TestLogger(t)
+	}
+	return h
+}
+
 func TestValidHost(t *testing.T) {
 	tests := []struct {
 		host  string
@@ -57,7 +70,7 @@ func TestValidHost(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.host, func(t *testing.T) {
-			h := &Handler{}
+			h := handlerForTest(t, &Handler{})
 			if got := h.validHost(test.host); got != test.valid {
 				t.Errorf("validHost(%q)=%v, want %v", test.host, got, test.valid)
 			}
@@ -68,10 +81,9 @@ func TestValidHost(t *testing.T) {
 func TestSetPushDeviceToken(t *testing.T) {
 	tstest.Replace(t, &validLocalHostForTesting, true)
 
-	h := &Handler{
+	h := handlerForTest(t, &Handler{
 		PermitWrite: true,
-		b:           &ipnlocal.LocalBackend{},
-	}
+	})
 	s := httptest.NewServer(h)
 	defer s.Close()
 	c := s.Client()
@@ -125,9 +137,9 @@ func (b whoIsBackend) PeerCaps(ip netip.Addr) tailcfg.PeerCapMap {
 //
 // And https://github.com/tailscale/tailscale/issues/12465
 func TestWhoIsArgTypes(t *testing.T) {
-	h := &Handler{
+	h := handlerForTest(t, &Handler{
 		PermitRead: true,
-	}
+	})
 
 	match := func() (n tailcfg.NodeView, u tailcfg.UserProfile, ok bool) {
 		return (&tailcfg.Node{
@@ -190,7 +202,10 @@ func TestWhoIsArgTypes(t *testing.T) {
 
 func TestShouldDenyServeConfigForGOOSAndUserContext(t *testing.T) {
 	newHandler := func(connIsLocalAdmin bool) *Handler {
-		return &Handler{Actor: &ipnauth.TestActor{LocalAdmin: connIsLocalAdmin}, b: newTestLocalBackend(t)}
+		return handlerForTest(t, &Handler{
+			Actor: &ipnauth.TestActor{LocalAdmin: connIsLocalAdmin},
+			b:     newTestLocalBackend(t),
+		})
 	}
 	tests := []struct {
 		name     string
@@ -298,11 +313,11 @@ func TestServeWatchIPNBus(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			h := &Handler{
+			h := handlerForTest(t, &Handler{
 				PermitRead:  tt.permitRead,
 				PermitWrite: tt.permitWrite,
 				b:           newTestLocalBackend(t),
-			}
+			})
 			s := httptest.NewServer(h)
 			defer s.Close()
 			c := s.Client()