ipn/ipnlocal: add start of inter-user Taildrop

Controlled by server-sent capability policy.

To be initially used for SSH servers to record sessions to other
nodes. Not yet productized into something user-accessible. (Notably,
the list of Taildrop targets from the sender side isn't augmented
yet.) This purely permits expanding the set of expands a node will
accept a drop from.

Updates #3802
Updates #4217

Change-Id: Id7a5bccd686490f8ef2cdc7dae7c07c440dc0085
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/4426/head
Brad Fitzpatrick 3 years ago committed by Brad Fitzpatrick
parent f4f76eb275
commit cd916b728b

@ -620,9 +620,31 @@ func (f *incomingFile) PartialFile() ipn.PartialFile {
}
}
// canPutFile reports whether h can put a file ("Taildrop") to this node.
func (h *peerAPIHandler) canPutFile() bool {
if h.isSelf {
return true
}
if h.peerNode == nil {
// Shouldn't happen, but in case.
return false
}
for _, addr := range h.peerNode.Addresses {
if !addr.IsSingleIP() {
continue
}
for _, cap := range h.ps.b.PeerCaps(addr.IP()) {
if cap == tailcfg.CapabilityFileSharingSend {
return true
}
}
}
return false
}
func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
if !h.isSelf {
http.Error(w, "not owner", http.StatusForbidden)
if !h.canPutFile() {
http.Error(w, "Taildrop access denied", http.StatusForbidden)
return
}
if !h.ps.b.hasCapFileSharing() {

@ -158,7 +158,7 @@ func TestHandlePeerAPI(t *testing.T) {
req: httptest.NewRequest("PUT", "/v0/put/foo", nil),
checks: checks(
httpStatus(http.StatusForbidden),
bodyContains("not owner"),
bodyContains("Taildrop access denied"),
),
},
{

@ -1577,8 +1577,16 @@ type Oauth2Token struct {
}
const (
// MapResponse.Node self capabilities.
CapabilityFileSharing = "https://tailscale.com/cap/file-sharing"
CapabilityAdmin = "https://tailscale.com/cap/is-admin"
// Inter-node capabilities.
// CapabilityFileSharingSend grants the ability to receive files from a
// node that's owned by a different user.
CapabilityFileSharingSend = "https://tailscale.com/cap/file-send"
)
// SetDNSRequest is a request to add a DNS record.

Loading…
Cancel
Save