tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	bbdd3c3bde	wgengine/router: add Plan 9 implementation Updates #5794 Change-Id: Ib78a3ea971a2374d405b024ab88658ec34be59a6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Percy Wegmann	a7be3a3d86	ipn/ipnlocal: add debug logging to initPeerAPIListener initPeerAPIListener may be returning early unexpectedly. Add debug logging to see what causes it to return early when it does. Updates #14393 Signed-off-by: Percy Wegmann <percy@tailscale.com>	8 months ago
Kristoffer Dalby	cdde301ca5	ipn/ipnlocal: return old hwaddrs if missing If we previously knew of macaddresses of a node, and they suddenly goes to zero, ignore them and return the previous hardware addresses. Updates tailscale/corp#25168 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	8 months ago
Nick Khyl	6a9a7f35d9	cmd/tailscaled,ipn/{auditlog,ipnlocal},tsd: omit auditlog unless explicitly imported In this PR, we update ipnlocal.LocalBackend to allow registering callbacks for control client creation and profile changes. We also allow to register ipnauth.AuditLogFunc to be called when an auditable action is attempted. We then use all this to invert the dependency between the auditlog and ipnlocal packages and make the auditlog functionality optional, where it only registers its callbacks via ipnlocal-provided hooks when the auditlog package is imported. We then underscore-import it when building tailscaled for Windows, and we'll explicitly import it when building xcode/ipn-go-bridge for macOS. Since there's no default log-store location for macOS, we'll also need to call auditlog.SetStoreFilePath to specify where pending audit logs should be persisted. Fixes #15394 Updates tailscale/corp#26435 Updates tailscale/corp#27012 Signed-off-by: Nick Khyl <nickk@tailscale.com>	9 months ago
Nick Khyl	272854df41	ipn/ipnlocal: unconfigure wgengine when switching profiles LocalBackend transitions to ipn.NoState when switching to a different (or new) profile. When this happens, we should unconfigure wgengine to clear routes, DNS configuration, firewall rules that block all traffic except to the exit node, etc. In this PR, we update (*LocalBackend).enterStateLockedOnEntry to do just that. Fixes #15316 Updates tailscale/corp#23967 Signed-off-by: Nick Khyl <nickk@tailscale.com>	9 months ago
Jonathan Nobels	725c8d298a	ipn/ipnlocal: remove misleading [unexpected] log for auditlog (#15421 ) fixes tailscale/tailscale#15394 In the current iteration, usage of the memstore for the audit logger is expected on some platforms. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	9 months ago
Percy Wegmann	e78055eb01	ipn/ipnlocal: add more logging for initializing peerAPIListeners On Windows and Android, peerAPIListeners may be initialized after a link change. This commit adds log statements to make it easier to trace this flow. Updates #14393 Signed-off-by: Percy Wegmann <percy@tailscale.com>	9 months ago
Brad Fitzpatrick	14db99241f	net/netmon: use Monitor's tsIfName if set by SetTailscaleInterfaceName Currently nobody calls SetTailscaleInterfaceName yet, so this is a no-op. I checked oss, android, and the macOS/iOS client. Nobody calls this, or ever did. But I want to in the future. Updates #15408 Updates #9040 Change-Id: I05dfabe505174f9067b929e91c6e0d8bc42628d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	d0c50c6072	clientupdate: cache CanAutoUpdate, avoid log spam when false I noticed logs on one of my machines where it can't auto-update with scary log spam about "failed to apply tailnet-wide default for auto-updates". This avoids trying to do the EditPrefs if we know it's just going to fail anyway. Updates #282 Change-Id: Ib7db3b122185faa70efe08b60ebd05a6094eed8c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Nick Khyl	f3f2f72f96	ipn/ipnlocal: do not attempt to start the auditlogger with a nil transport (*LocalBackend).setControlClientLocked() is called to both set and reset b.cc. We shouldn't attempt to start the audit logger when b.cc is being reset (i.e., cc is nil). However, it's fine to start the audit logger if b.cc implements auditlog.Transport, even if it's not a controlclient.Auto but a mock control client. In this PR, we fix both issues and add an assertion that controlclient.Auto is an auditlog.Transport. This ensures a compile-time failure if controlclient.Auto ever stops being a valid transport due to future interface or implementation changes. Updates tailscale/corp#26435 Signed-off-by: Nick Khyl <nickk@tailscale.com>	9 months ago
Nick Khyl	e07c1573f6	ipn/ipnlocal: do not reset the netmap and packet filter in (LocalBackend).Start() Resetting LocalBackend's netmap without also unconfiguring wgengine to reset routes, DNS, and the killswitch firewall rules may cause connectivity issues until a new netmap is received. In some cases, such as when bootstrap DNS servers are inaccessible due to network restrictions or other reasons, or if the control plane is experiencing issues, this can result in a complete loss of connectivity until the user disconnects and reconnects to Tailscale. As LocalBackend handles state resets in (LocalBackend).resetForProfileChangeLockedOnEntry(), and this includes resetting the netmap, resetting the current netmap in (LocalBackend).Start() is not necessary. Moreover, it's harmful if (LocalBackend).Start() is called more than once for the same profile. In this PR, we update resetForProfileChangeLockedOnEntry() to reset the packet filter and remove the redundant resetting of the netmap and packet filter from Start(). We also update the state machine tests and revise comments that became inaccurate due to previous test updates. Updates tailscale/corp#27173 Signed-off-by: Nick Khyl <nickk@tailscale.com>	9 months ago
Irbe Krumina	f34e08e186	ipn: ensure that conffile is source of truth for advertised services. (#15361 ) If conffile is used to configure tailscaled, always update currently advertised services from conffile, even if they are empty in the conffile, to ensure that it is possible to transition to a state where no services are advertised. Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
James Sanderson	27ef9b666c	ipn/ipnlocal: add test for CapMap packet filters Updates tailscale/corp#20514 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	9 months ago
Irbe Krumina	cd391b37a6	ipn/ipnlocal, envknob: make it possible to configure the cert client to act in read-only mode (#15250 ) * ipn/ipnlocal,envknob: add some primitives for HA replica cert share. Add an envknob for configuring an instance's cert store as read-only, so that it does not attempt to issue or renew TLS credentials, only reads them from its cert store. This will be used by the Kubernetes Operator's HA Ingress to enable multiple replicas serving the same HTTPS endpoint to be able to share the same cert. Also some minor refactor to allow adding more tests for cert retrieval logic. Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Jonathan Nobels	52710945f5	control/controlclient, ipn: add client audit logging (#14950 ) updates tailscale/corp#26435 Adds client support for sending audit logs to control via /machine/audit-log. Specifically implements audit logging for user initiated disconnections. This will require further work to optimize the peristant storage and exclusion via build tags for mobile: tailscale/corp#27011 tailscale/corp#27012 Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	9 months ago
Tom Proctor	a6e19f2881	ipn/ipnlocal: allow cache hits for testing ACME certs (#15023 ) PR #14771 added support for getting certs from alternate ACME servers, but the certStore caching mechanism breaks unless you install the CA in system roots, because we check the validity of the cert before allowing a cache hit, which includes checking for a valid chain back to a trusted CA. For ease of testing, allow cert cache hits when the chain is unknown to avoid re-issuing the cert on every TLS request served. We will still get a cache miss when the cert has expired, as enforced by a test, and this makes it much easier to test against non-prod ACME servers compared to having to manage the installation of non-prod CAs on clients. Updates #14771 Change-Id: I74fe6593fe399bd135cc822195155e99985ec08a Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	9 months ago
Naman Sood	a4b8c24834	ipn: sort VIP services before hashing (#15035 ) We're computing the list of services to hash by iterating over the values of a map, the ordering of which is not guaranteed. This can cause the hash to fluctuate depending on the ordering if there's more than one service hosted by the same host. Updates tailscale/corp#25733. Signed-off-by: Naman Sood <mail@nsood.in>	9 months ago
Percy Wegmann	ce6ce81311	ipn/ipnlocal: initialize Taildrive shares when starting backend Previously, it initialized when the backend was created. This caused two problems: 1. It would not properly switch when changing profiles. 2. If the backend was created before the profile had been selected, Taildrive's shares were uninitialized. Updates #14825 Signed-off-by: Percy Wegmann <percy@tailscale.com>	9 months ago
kari-ts	dc18091678	ipn: update AddPeer to include TaildropTarget (#15091 ) We previously were not merging in the TaildropTarget into the PeerStatus because we did not update AddPeer. Updates tailscale/tailscale#14393 Signed-off-by: kari-ts <kari@tailscale.com>	9 months ago
KevinLiang10	8c2717f96a	ipn/ipnlocal: send vipServices info via c2n even it's incomplete (#15166 ) This commit updates the logic of vipServicesFromPrefsLocked, so that it would return the vipServices list even when service host is only advertising the service but not yet serving anything. This makes control always get accurate state of service host in terms of serving a service. Fixes tailscale/corp#26843 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	9 months ago
Irbe Krumina	b85d18d14e	ipn/{ipnlocal,store},kube/kubeclient: store TLS cert and key pair to a Secret in a single operation. (#15147 ) To avoid duplicate issuances/slowness while the state Secret contains a mismatched cert and key. Updates tailscale/tailscale#15134 Updates tailscale/corp#24795 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Nick Khyl	8d7033fe7f	ipn/ipnlocal,util/syspolicy,docs/windows/policy: implement the ReconnectAfter policy setting In this PR, we update the LocalBackend so that when the ReconnectAfter policy setting is configured and a user disconnects Tailscale by setting WantRunning to false in the profile prefs, the LocalBackend will now start a timer to set WantRunning back to true once the ReconnectAfter timer expires. We also update the ADMX/ADML policy definitions to allow configuring this policy setting for Windows via Group Policy and Intune. Updates #14824 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Nick Khyl	09982e1918	ipn/ipnlocal: reset always-on override and apply policy settings on start We already reset the always-on override flag when switching profiles and in a few other cases. In this PR, we update (*LocalBackend).Start() to reset it as well. This is necessary to support scenarios where Start() is called explicitly, such as when the GUI starts or when tailscale up is used with additional flags and passes prefs via ipn.Options in a call to Start() rather than via EditPrefs. Additionally, we update it to apply policy settings to the current prefs, which is necessary for properly overriding prefs specified in ipn.Options. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Irbe Krumina	b21eec7621	ipn/ipnlocal,tailcfg: don't send WireIngress if IngressEnabled already true (#14960 ) Hostinfo.WireIngress is used as a hint that the node intends to use funnel. We now send another field, IngressEnabled, in cases where funnel is explicitly enabled, and the logic control-side has been changed to look at IngressEnabled as well as WireIngress in all cases where previously the hint was used - so we can now stop sending WireIngress when IngressEnabled is true to save some bandwidth. Updates tailscale/tailscale#11572 Updates tailscale/corp#25931 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	10 months ago
Nick Khyl	6df5c8f32e	various: keep tailscale connected when Always On mode is enabled on Windows In this PR, we enable the registration of LocalBackend extensions to exclude code specific to certain platforms or environments. We then introduce desktopSessionsExt, which is included only in Windows builds and only if the ts_omit_desktop_sessions tag is disabled for the build. This extension tracks desktop sessions and switches to (or remains on) the appropriate profile when a user signs in or out, locks their screen, or disconnects a remote session. As desktopSessionsExt requires an ipn/desktop.SessionManager, we register it with tsd.System for the tailscaled subprocess on Windows. We also fix a bug in the sessionWatcher implementation where it attempts to close a nil channel on stop. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
kari-ts	4c3c04a413	ipn, tailscale/cli: add TaildropTargetStatus and remove race with FileTargets (#15017 ) Introduce new TaildropTargetStatus in PeerStatus Refactor getTargetStableID to solely rely on Status() instead of calling FileTargets(). This removes a possible race condition between the two calls and provides more detailed failure information if a peer can't receive files. Updates tailscale/tailscale#14393 Signed-off-by: kari-ts <kari@tailscale.com>	10 months ago
James 'zofrex' Sanderson	e142571397	ipn/ipnlocal: add GetFilterForTest (#15025 ) Needed to test full packet filter in e2e tests. See tailscale/corp#26596 Updates tailscale/corp#20514 Signed-off-by: James Sanderson <jsanderson@tailscale.com>	10 months ago
Nick Khyl	7aef4fd44d	ipn/ipn{local,server}: extract logic that determines the "best" Tailscale profile to use In this PR, we further refactor LocalBackend and Unattended Mode to extract the logic that determines which profile should be used at the time of the check, such as when a LocalAPI client connects or disconnects. We then update (LocalBackend).switchProfileLockedOnEntry to to switch to the profile returned by (LocalBackend).resolveBestProfileLocked() rather than to the caller-specified specified profile, and rename it to switchToBestProfileLockedOnEntry. This is done in preparation for updating (*LocalBackend).getBackgroundProfileIDLocked to support Always-On mode by determining which profile to use based on which users, if any, are currently logged in and have an active foreground desktop session. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Nick Khyl	9b32ba7f54	ipn/ipn{local,server}: move "staying alive in server mode" from ipnserver to LocalBackend Currently, we disconnect Tailscale and reset LocalBackend on Windows when the last LocalAPI client disconnects, unless Unattended Mode is enabled for the current profile. And the implementation is somewhat racy since the current profile could theoretically change after (ipnserver.Server).addActiveHTTPRequest checks (LocalBackend).InServerMode() and before it calls (LocalBackend).SetCurrentUser(nil) (or, previously, (LocalBackend).ResetForClientDisconnect). Additionally, we might want to keep Tailscale running and connected while a user is logged in rather than tying it to whether a LocalAPI client is connected (i.e., while the GUI is running), even when Unattended Mode is disabled for a profile. This includes scenarios where the new AlwaysOn mode is enabled, as well as when Tailscale is used on headless Windows editions, such as Windows Server Core, where the GUI is not supported. It may also be desirable to switch to the "background" profile when a user logs off from their device or implement other similar features. To facilitate these improvements, we move the logic from ipnserver.Server to ipnlocal.LocalBackend, where it determines whether to keep Tailscale running when the current user disconnects. We also update the logic that determines whether a connection should be allowed to better reflect the fact that, currently, LocalAPI connections are not allowed unless: - the current UID is "", meaning that either we are not on a multi-user system or Tailscale is idle; - the LocalAPI client belongs to the current user (their UIDs are the same); - the LocalAPI client is Local System (special case; Local System is always allowed). Whether Unattended Mode is enabled only affects the error message returned to the Local API client when the connection is denied. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Brad Fitzpatrick	9706c9f4ff	types/netmap,*: pass around UserProfiles as views (pointers) instead Smaller. Updates tailscale/corp#26058 (@andrew-d noticed during this) Change-Id: Id33cddd171aaf8f042073b6d3c183b0a746e9931 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Nick Khyl	48dd4bbe21	ipn/ipn{local,server}: remove ResetForClientDisconnect in favor of SetCurrentUser(nil) There’s (LocalBackend).ResetForClientDisconnect, and there’s also (LocalBackend).resetForProfileChangeLockedOnEntry. Both methods essentially did the same thing but in slightly different ways. For example, resetForProfileChangeLockedOnEntry didn’t reset the control client until (*LocalBackend).Start() was called at the very end and didn’t reset the keyExpired flag, while ResetForClientDisconnect didn’t reinitialize TKA. Since SetCurrentUser can be called with a nil argument to reset the currently connected user and internally calls resetForProfileChangeLockedOnEntry, we can remove ResetForClientDisconnect and let SetCurrentUser and resetForProfileChangeLockedOnEntry handle it. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Nick Khyl	122255765a	ipn/ipnlocal: fix (*profileManager).DefaultUserProfileID for users other than current Currently, profileManager filters profiles based on their creator/owner and the "current user"'s UID. This causes DefaultUserProfileID(uid) to work incorrectly when the UID doesn't match the current user. While we plan to remove the concept of the "current user" completely, we're not there yet. In this PR, we fix DefaultUserProfileID by updating profileManager to allow checking profile access for a given UID and modifying helper methods to accept UID as a parameter when returning matching profiles. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Brad Fitzpatrick	05ac21ebe4	all: use new LocalAPI client package location It was moved in `f57fa3cbc3`. Updates tailscale/corp#22748 Change-Id: I19f965e6bded1d4c919310aa5b864f2de0cd6220 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Nick Khyl	00fe8845b1	ipn/{ipnauth,ipnlocal,ipnserver}: move the AlwaysOn policy check from ipnserver to ipnauth In this PR, we move the code that checks the AlwaysOn policy from ipnserver.actor to ipnauth. It is intended to be used by ipnauth.Actor implementations, and we temporarily make it exported while these implementations reside in ipnserver and in corp. We'll unexport it later. We also update [ipnauth.Actor.CheckProfileAccess] to accept an auditLogger, which is called to write details about the action to the audit log when required by the policy, and update LocalBackend.EditPrefsAs to use an auditLogger that writes to the regular backend log. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Adrian Dewhurst	97c4c0ecf0	ipn/ipnlocal: add VIP service IPs to localnets Without adding this, the packet filter rejects traffic to VIP service addresses before checking the filters sent in the netmap. Fixes tailscale/corp#26241 Change-Id: Idd54448048e9b786cf4873fd33b3b21e03d3ad4c Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	10 months ago
Adrian Dewhurst	600f25dac9	tailcfg: add JSON unmarshal helper for view of node/peer capabilities Many places that need to work with node/peer capabilities end up with a something-View and need to either reimplement the helper code or make an expensive copy. We have the machinery to easily handle this now. Updates #cleanup Change-Id: Ic3f55be329f0fc6c178de26b34359d0e8c6ca5fc Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	10 months ago
Nick Khyl	d832467461	client/tailscale,ipn/ipn{local,server},util/syspolicy: implement the AlwaysOn.OverrideWithReason policy setting In this PR, we update client/tailscale.LocalClient to allow sending requests with an optional X-Tailscale-Reason header. We then update ipn/ipnserver.{actor,Server} to retrieve this reason, if specified, and use it to determine whether ipnauth.Disconnect is allowed when the AlwaysOn.OverrideWithReason policy setting is enabled. For now, we log the reason, along with the profile and OS username, to the backend log. Finally, we update LocalBackend to remember when a disconnect was permitted and do not reconnect automatically unless the policy changes. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Nick Khyl	a0537dc027	ipn/ipnlocal: fix a panic in setPrefsLockedOnEntry when cc is nil The AlwaysOn policy can be applied by (LocalBackend).applySysPolicy, flipping WantRunning from false to true before (LocalBackend).Start() has been called for the first time and set a control client in b.cc. This results in a nil pointer dereference and a panic when setPrefsLockedOnEntry applies the change and calls controlclient.Client.Login(). In this PR, we fix it by only doing a login if b.cc has been set. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Percy Wegmann	2e95313b8b	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Originally implemented in `46fd4e58a2`, which was reverted in `b60f6b849a` to keep the change out of v1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Nick Khyl	02ad21717f	ipn/ipn{auth,server,local}: initial support for the always-on mode In this PR, we update LocalBackend to set WantRunning=true when applying policy settings to the current profile's prefs, if the "always-on" mode is enabled. We also implement a new (LocalBackend).EditPrefsAs() method, which is like EditPrefs but accepts an actor (e.g., a LocalAPI client's identity) that initiated the change. If WantRunning is being set to false, the new EditPrefsAs method checks whether the actor has ipnauth.Disconnect access to the profile and propagates an error if they do not. Finally, we update (ipnserver.actor).CheckProfileAccess to allow a disconnect only if the "always-on" mode is not enabled by the AlwaysOn policy setting. This is not a comprehensive solution to the "always-on" mode across platforms, as instead of disconnecting a user could achieve the same effect by creating a new empty profile, initiating a reauth, or by deleting the profile. These are the things we should address in future PRs. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Nick Khyl	4e7f4086b2	ipn: generate LoginProfileView and use it instead of LoginProfile where appropriate Conventionally, we use views (e.g., ipn.PrefsView, tailcfg.NodeView, etc.) when dealing with structs that shouldn't be mutated. However, ipn.LoginProfile has been an exception so far, with a mix of passing and returning LoginProfile by reference (allowing accidental mutations) and by value (which is wasteful, given its current size of 192 bytes). In this PR, we generate an ipn.LoginProfileView and use it instead of passing/returning LoginProfiles by mutable reference or copying them when passing/returning by value. Now, LoginProfiles can only be mutated by (profileManager).setProfilePrefs. Updates #14823 Signed-off-by: Nick Khyl <nickk@tailscale.com>	10 months ago
Percy Wegmann	b60f6b849a	Revert "ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh" This reverts commit `46fd4e58a2`. We don't want to include this in 1.80 yet, but can add it back post 1.80. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Percy Wegmann	46fd4e58a2	ssh,tempfork/gliderlabs/ssh: replace github.com/tailscale/golang-x-crypto/ssh with golang.org/x/crypto/ssh The upstream crypto package now supports sending banners at any time during authentication, so the Tailscale fork of crypto/ssh is no longer necessary. github.com/tailscale/golang-x-crypto is still needed for some custom ACME autocert functionality. tempfork/gliderlabs is still necessary because of a few other customizations, mostly related to TTY handling. Updates #8593 Signed-off-by: Percy Wegmann <percy@tailscale.com>	10 months ago
Brad Fitzpatrick	ba1f9a3918	types/persist: remove Persist.LegacyFrontendPrivateMachineKey It was a temporary migration over four years ago. It's no longer relevant. Updates #610 Change-Id: I1f00c9485fab13ede6f77603f7d4235222c2a481 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	2691b9f6be	tempfork/acme: add new package for x/crypto package acme fork, move We've been maintaining temporary dev forks of golang.org/x/crypto/{acme,ssh} in https://github.com/tailscale/golang-x-crypto instead of using this repo's tempfork directory as we do with other packages. The reason we were doing that was because x/crypto/ssh depended on x/crypto/ssh/internal/poly1305 and I hadn't noticed there are forwarding wrappers already available in x/crypto/poly1305. It also depended internal/bcrypt_pbkdf but we don't use that so it's easy to just delete that calling code in our tempfork/ssh. Now that our SSH changes have been upstreamed, we can soon unfork from SSH. That leaves ACME remaining. This change copies our tailscale/golang-x-crypto/acme code to tempfork/acme but adds a test that our vendored copied still matches our tailscale/golang-x-crypto repo, where we can continue to do development work and rebases with upstream. A comment on the new test describes the expected workflow. While we could continue to just import & use tailscale/golang-x-crypto/acme, it seems a bit nicer to not have that entire-fork-of-x-crypto visible at all in our transitive deps and the questions that invites. Showing just a fork of an ACME client is much less scary. It does add a step to the process of hacking on the ACME client code, but we do that approximately never anyway, and the extra step is very incremental compared to the existing tedious steps. Updates #8593 Updates #10238 Change-Id: I8af4378c04c1f82e63d31bf4d16dba9f510f9199 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	68a66ee81b	feature/capture: move packet capture to feature/*, out of iOS + CLI We had the debug packet capture code + Lua dissector in the CLI + the iOS app. Now we don't, with tests to lock it in. As a bonus, tailscale.com/net/packet and tailscale.com/net/flowtrack no longer appear in the CLI's binary either. A new build tag ts_omit_capture disables the packet capture code and was added to build_dist.sh's --extra-small mode. Updates #12614 Change-Id: I79b0628c0d59911bd4d510c732284d97b0160f10 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Tom Proctor	2089f4b603	ipn/ipnlocal: add debug envknob for ACME directory URL (#14771 ) Adds an envknob setting for changing the client's ACME directory URL. This allows testing cert issuing against LE's staging environment, as well as enabling local-only test environments, which is useful for avoiding the production rate limits in test and development scenarios. Fixes #14761 Change-Id: I191c840c0ca143a20e4fa54ea3b2f9b7cbfc889f Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	11 months ago
Tom Proctor	69bc164c62	ipn/ipnlocal: include DNS SAN in cert CSR (#14764 ) The CN field is technically deprecated; set the requested name in a DNS SAN extension in addition to maximise compatibility with RFC 8555. Fixes #14762 Change-Id: If5d27f1e7abc519ec86489bf034ac98b2e613043 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	11 months ago
Andrew Lytvynov	f1710f4a42	appc,ipn/ipnlocal: log DNS parsing errors in app connectors (#14607 ) If we fail to parse the upstream DNS response in an app connector, we might miss new IPs for the target domain. Log parsing errors to be able to diagnose that. Updates #14606 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	11 months ago
Brad Fitzpatrick	1562a6f2f2	feature/: make Wake-on-LAN conditional, start supporting modular features This pulls out the Wake-on-LAN (WoL) code out into its own package (feature/wakeonlan) that registers itself with various new hooks around tailscaled. Then a new build tag (ts_omit_wakeonlan) causes the package to not even be linked in the binary. Ohter new packages include: feature: to just record which features are loaded. Future: dependencies between features. * feature/condregister: the package with all the build tags that tailscaled, tsnet, and the Tailscale Xcode project extension can empty (underscore) import to load features as a function of the defined build tags. Future commits will move of our "ts_omit_foo" build tags into this style. Updates #12614 Change-Id: I9c5378dafb1113b62b816aabef02714db3fc9c4a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Andrew Lytvynov	3fb8a1f6bf	ipn/ipnlocal: re-advertise appc routes on startup, take 2 (#14740 ) * Reapply "ipn/ipnlocal: re-advertise appc routes on startup (#14609)" This reverts commit `51adaec35a`. Signed-off-by: Andrew Lytvynov <awly@tailscale.com> * ipn/ipnlocal: fix a deadlock in readvertiseAppConnectorRoutes Don't hold LocalBackend.mu while calling the methods of appc.AppConnector. Those methods could call back into LocalBackend and try to acquire it's mutex. Fixes https://github.com/tailscale/corp/issues/25965 Fixes #14606 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> --------- Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	11 months ago
Adrian Dewhurst	0fa7b4a236	tailcfg: add ServiceName Rather than using a string everywhere and needing to clarify that the string should have the svc: prefix, create a separate type for Service names. Updates tailscale/corp#24607 Change-Id: I720e022f61a7221644bb60955b72cacf42f59960 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	11 months ago
KevinLiang10	550923d953	fix handler related and some nit Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	11 months ago
KevinLiang10	8c8750f1b3	ipn/ipnlocal: Support TCP and Web VIP services This commit intend to provide support for TCP and Web VIP services and also allow user to use Tun for VIP services if they want to. The commit includes: 1.Setting TCP intercept function for VIP Services. 2.Update netstack to send packet written from WG to netStack handler for VIP service. 3.Return correct TCP hander for VIP services when netstack acceptTCP. This commit also includes unit tests for if the local backend setServeConfig would set correct TCP intercept function and test if a hander gets returned when getting TCPHandlerForDst. The shouldProcessInbound check is not unit tested since the test result just depends on mocked functions. There should be an integration test to cover shouldProcessInbound and if the returned TCP handler actually does what the serveConfig says. Updates tailscale/corp#24604 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	11 months ago
Brad Fitzpatrick	150cd30b1d	ipn/ipnlocal: also use LetsEncrypt-baked-in roots for cert validation We previously baked in the LetsEncrypt x509 root CA for our tlsdial package. This moves that out into a new "bakedroots" package and is now also shared by ipn/ipnlocal's cert validation code (validCertPEM) that decides whether it's time to fetch a new cert. Otherwise, a machine without LetsEncrypt roots locally in its system roots is unable to use tailscale cert/serve and fetch certs. Fixes #14690 Change-Id: Ic88b3bdaabe25d56b9ff07ada56a27e3f11d7159 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	51adaec35a	Revert "ipn/ipnlocal: re-advertise appc routes on startup (#14609 )" This reverts commit `1b303ee5ba` (#14609). It caused a deadlock; see tailscale/corp#25965 Updates tailscale/corp#25965 Updates #13680 Updates #14606	11 months ago
Irbe Krumina	69a985fb1e	ipn/ipnlocal,tailcfg: communicate to control whether funnel is enabled (#14688 ) Adds a new Hostinfo.IngressEnabled bool field that holds whether funnel is currently enabled for the node. Triggers control update when this value changes. Bumps capver so that control can distinguish the new field being false vs non-existant in previous clients. This is part of a fix for an issue where nodes with any AllowFunnel block set in their serve config are being displayed as if actively routing funnel traffic in the admin panel. Updates tailscale/tailscale#11572 Updates tailscale/corp#25931 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	11 months ago
Andrea Gottardo	c79b736a85	ipnlocal: allow overriding os.Hostname() via syspolicy (#14676 ) Updates tailscale/corp#25936 This defines a new syspolicy 'Hostname' and allows an IT administrator to override the value we normally read from os.Hostname(). This is particularly useful on Android and iOS devices, where the hostname we get from the OS is really just the device model (a platform restriction to prevent fingerprinting). If we don't implement this, all devices on the customer's side will look like `google-pixel-7a-1`, `google-pixel-7a-2`, `google-pixel-7a-3`, etc. and it is not feasible for the customer to use the API or worse the admin console to manually fix these names. Apply code review comment by @nickkhyl Signed-off-by: Andrea Gottardo <andrea@gottardo.me> Co-authored-by: Nick Khyl <1761190+nickkhyl@users.noreply.github.com>	11 months ago
Andrew Lytvynov	1b303ee5ba	ipn/ipnlocal: re-advertise appc routes on startup (#14609 ) There's at least one example of stored routes and advertised routes getting out of sync. I don't know how they got there yet, but this would backfill missing advertised routes on startup from stored routes. Also add logging in LocalBackend.AdvertiseRoute to record when new routes actually get put into prefs. Updates #14606 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	11 months ago
Nick Khyl	f33f5f99c0	ipn/{ipnlocal,ipnserver}: remove redundant (LocalBackend).ResetForClientDisconnect In this commit, we add a failing test to verify that ipn/ipnserver.Server correctly sets and unsets the current user when two different users connect sequentially (A connects, A disconnects, B connects, B disconnects). We then fix the test by updating (ipn/ipnserver.Server).addActiveHTTPRequest to avoid calling (LocalBackend).ResetForClientDisconnect again after a new user has connected and been set as the current user with (LocalBackend).SetCurrentUser(). Since ipn/ipnserver.Server does not allow simultaneous connections from different Windows users and relies on the LocalBackend's current user, and since we already reset the LocalBackend's state by calling ResetForClientDisconnect when the last active request completes (indicating the server is idle and can accept connections from any Windows user), it is unnecessary to track the last connected user on the ipnserver.Server side or call ResetForClientDisconnect again when the user changes. Additionally, the second call to ResetForClientDisconnect occurs after the new user has been set as the current user, resetting the correct state for the new user instead of the old state of the now-disconnected user, causing issues. Updates tailscale/corp#25804 Signed-off-by: Nick Khyl <nickk@tailscale.com>	11 months ago
Nick Khyl	c3c4c96489	ipn/{ipnauth,ipnlocal,ipnserver}, client/tailscale: make ipnserver.Server testable We update client/tailscale.LocalClient to allow specifying an optional Transport (http.RoundTripper) for LocalAPI HTTP requests, and implement one that injects an ipnauth.TestActor via request headers. We also add several functions and types to make testing an ipn/ipnserver.Server possible (or at least easier). We then use these updates to write basic tests for ipnserver.Server, ensuring it works on non-Windows platforms and correctly sets and unsets the LocalBackend's current user when a Windows user connects and disconnects. We intentionally omit tests for switching between different OS users and will add them in follow-up commits. Updates tailscale/corp#25804 Signed-off-by: Nick Khyl <nickk@tailscale.com>	11 months ago
Brad Fitzpatrick	2fc4455e6d	all: add Node.HomeDERP int, phase out "127.3.3.40:$region" hack [capver 111] This deprecates the old "DERP string" packing a DERP region ID into an IP:port of 127.3.3.40:$REGION_ID and just uses an integer, like PeerChange.DERPRegion does. We still support servers sending the old form; they're converted to the new form internally right when they're read off the network. Updates #14636 Change-Id: I9427ec071f02a2c6d75ccb0fcbf0ecff9f19f26f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Nick Khyl	66269dc934	ipn/ipnlocal: allow Peer API access via either V4MasqAddr or V6MasqAddr when both are set This doesn't seem to have any immediate impact, but not allowing access via the IPv6 masquerade address when an IPv4 masquerade address is also set seems like a bug. Updates #cleanup Updates #14570 (found when working on it) Signed-off-by: Nick Khyl <nickk@tailscale.com>	11 months ago
Brad Fitzpatrick	cfda1ff709	cmd/viewer,all: consistently use "read-only" instead of "readonly" Updates #cleanup Change-Id: I8e4e3497d3d0ec5b16a73aedda500fe5cfa37a67 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Nick Khyl	da9965d51c	cmd/viewer,types/views,various: avoid allocations in pointer field getters whenever possible In this PR, we add a generic views.ValuePointer type that can be used as a view for pointers to basic types and struct types that do not require deep cloning and do not have corresponding view types. Its Get/GetOk methods return stack-allocated shallow copies of the underlying value. We then update the cmd/viewer codegen to produce getters that return either concrete views when available or ValuePointer views when not, for pointer fields in generated view types. This allows us to avoid unnecessary allocations compared to returning pointers to newly allocated shallow copies. Updates #14570 Signed-off-by: Nick Khyl <nickk@tailscale.com>	11 months ago
Brad Fitzpatrick	69b90742fe	util/uniq,types/lazy,*: delete code that's now in Go std sync.OnceValue and slices.Compact were both added in Go 1.21. cmp.Or was added in Go 1.22. Updates #8632 Updates #11058 Change-Id: I89ba4c404f40188e1f8a9566c8aaa049be377754 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
KevinLiang10	2af255790d	ipn/ipnlocal: add VIPServices hash to return body of vip-services c2n endpoint This commit updates the return body of c2n endpoint /vip-services to keep hash generation logic on client side. Updates tailscale/corp#24510 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	11 months ago
Nahum Shalman	9373a1b902	all: illumos/solaris userspace only support Updates #14565 Change-Id: I743148144938794db0a224873ce76c10dbe6fa5f Signed-off-by: Nahum Shalman <nahamu@gmail.com>	11 months ago
Brad Fitzpatrick	8d6b996483	ipn/ipnlocal: add client metric gauge for number of IPNBus connections Updates #1708 Change-Id: Ic7e28d692b4c48e78c842c26234b861fe42a916e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
KevinLiang10	009da8a364	ipn/ipnlocal: connect serve config to c2n endpoint This commit updates the VIPService c2n endpoint on client to response with actual VIPService configuration stored in the serve config. Fixes tailscale/corp#24510 Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>	11 months ago
Brad Fitzpatrick	041622c92f	ipn/ipnlocal: move where auto exit node selection happens In the process, because I needed it for testing, make all LocalBackend-managed goroutines be accounted for. And then in tests, verify they're no longer running during LocalBackend.Shutdown. Updates tailscale/corp#19681 Change-Id: Iad873d4df7d30103a4a7863dfacf9e078c77e6a3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	07aae18bca	ipn/ipnlocal, util/goroutines: track goroutines for tests, shutdown Updates #14520 Updates #14517 (in that I pulled this out of there) Change-Id: Ibc28162816e083fcadf550586c06805c76e378fc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	2b8f02b407	ipn: convert ServeConfig Range methods to iterators These were the last two Range funcs in this repo. Updates #12912 Change-Id: I6ba0a911933cb5fc4e43697a9aac58a8035f9622 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	47bd0723a0	all: use iterators in more places instead of Range funcs And misc cleanup along the way. Updates #12912 Change-Id: I0cab148b49efc668c6f5cdf09c740b84a713e388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	1e2e319e7d	util/slicesx: add MapKeys and MapValues from golang.org/x/exp/maps Importing the ~deprecated golang.org/x/exp/maps as "xmaps" to not shadow the std "maps" was getting ugly. And using slices.Collect on an iterator is verbose & allocates more. So copy (x)maps.Keys+Values into our slicesx package instead. Updates #cleanup Updates #12912 Updates #14514 (pulled out of that change) Change-Id: I5e68d12729934de93cf4a9cd87c367645f86123a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	e3bcb2ec83	ipn/ipnlocal: use context.CancelFunc type for doc clarity Using context.CancelFunc as the type (instead of func()) answers questions like whether it's okay to call it multiple times, whether it blocks, etc. And that's the type it actually is in this case. Updates #cleanup Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Brad Fitzpatrick	ff095606cc	all: add means to set device posture attributes from node Updates tailscale/corp#24690 Updates #4077 Change-Id: I05fe799beb1d2a71d1ec3ae08744cc68bcadae2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
James Tucker	7f9ebc0a83	cmd/tailscale,net/netcheck: add debug feature to force preferred DERP This provides an interface for a user to force a preferred DERP outcome for all future netchecks that will take precedence unless the forced region is unreachable. The option does not persist and will be lost when the daemon restarts. Updates tailscale/corp#18997 Updates tailscale/corp#24755 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Mario Minardi	26de518413	ipn/ipnlocal: only check CanUseExitNode if we are attempting to use one (#14230 ) In https://github.com/tailscale/tailscale/pull/13726 we added logic to `checkExitNodePrefsLocked` to error out on platforms where using an exit node is unsupported in order to give users more obvious feedback than having this silently fail downstream. The above change neglected to properly check whether the device in question was actually trying to use an exit node when doing the check and was incorrectly returning an error on any calls to `checkExitNodePrefsLocked` on platforms where using an exit node is not supported as a result. This change remedies this by adding a check to see whether the device is attempting to use an exit node before doing the `CanUseExitNode` check. Updates https://github.com/tailscale/corp/issues/24835 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 year ago
Nick Khyl	36b7449fea	ipn/ipnlocal: rebuild allowed suggested exit nodes when syspolicy changes In this PR, we update LocalBackend to rebuild the set of allowed suggested exit nodes whenever the AllowedSuggestedExitNodes syspolicy setting changes. Additionally, we request a new suggested exit node when this occurs, enabling its use if the ExitNodeID syspolicy setting is set to auto:any. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	eb3cd32911	ipn/ipnlocal: update ipn.Prefs when there's a change in syspolicy settings In this PR, we update ipnlocal.NewLocalBackend to subscribe to policy change notifications and reapply syspolicy settings to the current profile's ipn.Prefs whenever a change occurs. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	2ab66d9698	ipn/ipnlocal: move syspolicy handling from setExitNodeID to applySysPolicy This moves code that handles ExitNodeID/ExitNodeIP syspolicy settings from (*LocalBackend).setExitNodeID to applySysPolicy. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	462e1fc503	ipn/{ipnlocal,localapi}, wgengine/netstack: call (*LocalBackend).Shutdown when tests that create them complete We have several places where LocalBackend instances are created for testing, but they are rarely shut down when the tests that created them exit. In this PR, we update newTestLocalBackend and similar functions to use testing.TB.Cleanup(lb.Shutdown) to ensure LocalBackend instances are properly shut down during test cleanup. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Brad Fitzpatrick	da70a84a4b	ipn/ipnlocal: fix build, remove another Notify.BackendLogID reference that crept in I merged `5cae7c51bf` (removing Notify.BackendLogID) and `93db503565` (adding another reference to Notify.BackendLogID) that didn't have merge conflicts, but didn't compile together. This removes the new reference, fixing the build. Updates #14129 Change-Id: I9bb68efd977342ea8822e525d656817235039a66 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	93db503565	ipn/ipnlocal: add IPN Bus NotifyRateLimit watch bit NotifyRateLimit Limit spamming GUIs with boring updates to once in 3 seconds, unless the notification is relatively interesting and the GUI should update immediately. This is basically @barnstar's #14119 but with the logic moved to be per-watch-session (since the bit is per session), rather than globally. And this distinguishes notable Notify messages (such as state changes) and makes them send immediately. Updates tailscale/corp#24553 Change-Id: I79cac52cce85280ce351e65e76ea11e107b00b49 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	5cae7c51bf	ipn: remove unused Notify.BackendLogID Updates #14129 Change-Id: I13b5df8765e786a4a919d6b2e72afe987000b2d1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Naman Sood	aefbed323f	ipn,tailcfg: add VIPService struct and c2n to fetch them from client (#14046 ) * ipn,tailcfg: add VIPService struct and c2n to fetch them from client Updates tailscale/corp#22743, tailscale/corp#22955 Signed-off-by: Naman Sood <mail@nsood.in> * more review fixes Signed-off-by: Naman Sood <mail@nsood.in> * don't mention PeerCapabilityServicesDestination since it's currently unused Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	1 year ago
Brad Fitzpatrick	4e0fc037e6	all: use iterators over slice views more This gets close to all of the remaining ones. Updates #12912 Change-Id: I9c672bbed2654a6c5cab31e0cbece6c107d8c6fa Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Anton Tolchanov	64d70fb718	ipn/ipnlocal: log a summary of posture identity response Perhaps I was too opimistic in #13323 thinking we won't need logs for this. Let's log a summary of the response without logging specific identifiers. Updates tailscale/corp#24437 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Irbe Krumina	2c8859c2e7	client/tailscale,ipn/{ipnlocal,localapi}: add a pre-shutdown localAPI endpoint that terminates control connections. (#14028 ) Adds a /disconnect-control local API endpoint that just shuts down control client. This can be run before shutting down an HA subnet router/app connector replica - it will ensure that all connection to control are dropped and control thus considers this node inactive and tells peers to switch over to another replica. Meanwhile the existing connections keep working (assuming that the replica is given some graceful shutdown period). Updates tailscale/tailscale#14020 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Brad Fitzpatrick	01185e436f	types/result, util/lineiter: add package for a result type, use it This adds a new generic result type (motivated by golang/go#70084) to try it out, and uses it in the new lineutil package (replacing the old lineread package), changing that package to return iterators: sometimes over []byte (when the input is all in memory), but sometimes iterators over results of []byte, if errors might happen at runtime. Updates #12912 Updates golang/go#70084 Change-Id: Iacdc1070e661b5fb163907b1e8b07ac7d51d3f83 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Maisem Ali	d09e9d967f	ipn/ipnlocal: reload prefs correctly on ReloadConfig We were only updating the ProfileManager and not going down the EditPrefs path which meant the prefs weren't applied till either the process restarted or some other pref changed. This makes it so that we reconfigure everything correctly when ReloadConfig is called. Updates #13032 Signed-off-by: Maisem Ali <maisem@tailscale.com>	1 year ago
Anton Tolchanov	38af62c7b3	ipn/ipnlocal: remove the primary routes gauge for now Not confident this is the right way to expose this, so let's remote it for now. Updates tailscale/corp#22075 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Anton Tolchanov	94fa6d97c5	ipn/ipnlocal: log errors while fetching serial numbers If the client cannot fetch a serial number, write a log message helping the user understand what happened. Also, don't just return the error immediately, since we still have a chance to collect network interface addresses. Updates #5902 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Nick Khyl	e815ae0ec4	util/syspolicy, ipn/ipnlocal: update syspolicy package to utilize syspolicy/rsop In this PR, we update the syspolicy package to utilize syspolicy/rsop under the hood, and remove syspolicy.CachingHandler, syspolicy.windowsHandler and related code which is no longer used. We mark the syspolicy.Handler interface and RegisterHandler/SetHandlerForTest functions as deprecated, but keep them temporarily until they are no longer used in other repos. We also update the package to register setting definitions for all existing policy settings and to register the Registry-based, Windows-specific policy stores when running on Windows. Finally, we update existing internal and external tests to use the new API and add a few more tests and benchmarks. Updates #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	874db2173b	ipn/{ipnauth,ipnlocal,ipnserver}: send the auth URL to the user who started interactive login We add the ClientID() method to the ipnauth.Actor interface and updated ipnserver.actor to implement it. This method returns a unique ID of the connected client if the actor represents one. It helps link a series of interactions initiated by the client, such as when a notification needs to be sent back to a specific session, rather than all active sessions, in response to a certain request. We also add LocalBackend.WatchNotificationsAs and LocalBackend.StartLoginInteractiveAs methods, which are like WatchNotifications and StartLoginInteractive but accept an additional parameter specifying an ipnauth.Actor who initiates the operation. We store these actor identities in watchSession.owner and LocalBackend.authActor, respectively,and implement LocalBackend.sendTo and related helper methods to enable sending notifications to watchSessions associated with actors (or, more broadly, identifiable recipients). We then use the above to change who receives the BrowseToURL notifications: - For user-initiated, interactive logins, the notification is delivered only to the user who initiated the process. If the initiating actor represents a specific connected client, the URL notification is sent back to the same LocalAPI client that called StartLoginInteractive. Otherwise, the notification is sent to all clients connected as that user. Currently, we only differentiate between users on Windows, as it is inherently a multi-user OS. - In all other cases (e.g., node key expiration), we send the notification to all connected users. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Mario Minardi	d32d742af0	ipn/ipnlocal: error when trying to use exit node on unsupported platform (#13726 ) Adds logic to `checkExitNodePrefsLocked` to return an error when attempting to use exit nodes on a platform where this is not supported. This mirrors logic that was added to error out when trying to use `ssh` on an unsupported platform, and has very similar semantics. Fixes https://github.com/tailscale/tailscale/issues/13724 Signed-off-by: Mario Minardi <mario@tailscale.com>	1 year ago
Nick Khyl	da40609abd	util/syspolicy, ipn: add "tailscale debug component-logs" support Fixes #13313 Fixes #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Brad Fitzpatrick	383120c534	ipn/ipnlocal: don't run portlist code unless service collection is on We were selectively uploading it, but we were still gathering it, which can be a waste of CPU. Also remove a bunch of complexity that I don't think matters anymore. And add an envknob to force service collection off on a single node, even if the tailnet policy permits it. Fixes #13463 Change-Id: Ib6abe9e29d92df4ffa955225289f045eeeb279cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Kristoffer Dalby	77832553e5	ipn/ipnlocal: add advertised and primary route metrics Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Kristoffer Dalby	7d1160ddaa	{ipn,net,tsnet}: use tsaddr helpers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Kristoffer Dalby	0e0e53d3b3	util/usermetrics: make usermetrics non-global this commit changes usermetrics to be non-global, this is a building block for correct metrics if a go process runs multiple tsnets or in tests. Updates #13420 Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Andrea Gottardo	8a6f48b455	cli: add `tailscale dns query` (#13368 ) Updates tailscale/tailscale#13326 Adds a CLI subcommand to perform DNS queries using the internal DNS forwarder and observe its internals (namely, which upstream resolvers are being used). Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Joe Tsai	dc86d3589c	types/views: add SliceView.All iterator (#13536 ) And convert a all relevant usages. Updates #12912 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	1 year ago
Brad Fitzpatrick	9f9470fc10	ipnlocal,proxymap,wgengine/netstack: add optional WhoIs/proxymap debug Updates tailscale/corp#20600 Change-Id: I2bb17af0f40603ada1ba4cecc087443e00f9392a Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Dunham	0970615b1b	ipn/ipnlocal: don't program system DNS when node key is expired (#13370 ) This mimics having Tailscale in the 'Stopped' state by programming an empty DNS configuration when the current node key is expired. Updates tailscale/support-escalations#55 Change-Id: I68ff4665761fb621ed57ebf879263c2f4b911610 Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	1 year ago
Anton Tolchanov	fd6686d81a	tka: truncate long rotation signature chains When a rotation signature chain reaches a certain size, remove the oldest rotation signature from the chain before wrapping it in a new rotation signature. Since all previous rotation signatures are signed by the same wrapping pubkey (node's own tailnet lock key), the node can re-construct the chain, re-signing previous rotation signatures. This will satisfy the existing certificate validation logic. Updates #13185 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Andrea Gottardo	d060b3fa02	cli: implement `tailscale dns status` (#13353 ) Updates tailscale/tailscale#13326 This PR begins implementing a `tailscale dns` command group in the Tailscale CLI. It provides an initial implementation of `tailscale dns status` which dumps the state of the internal DNS forwarder. Two new endpoints were added in LocalAPI to support the CLI functionality: - `/netmap`: dumps a copy of the last received network map (because the CLI shouldn't have to listen to the ipn bus for a copy) - `/dns-osconfig`: dumps the OS DNS configuration (this will be very handy for the UI clients as well, as they currently do not display this information) My plan is to implement other subcommands mentioned in tailscale/tailscale#13326, such as `query`, in later PRs. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Nick Khyl	5bc9fafab8	ipn/ipnlocal: always send auth URL notifications when a user requests interactive login This PR changes how LocalBackend handles interactive (initiated via StartLoginInteractive) and non-interactive (e.g., due to key expiration) logins, and when it sends the authURL to the connected clients. Specifically, - When a user initiates an interactive login by clicking Log In in the GUI, the LocalAPI calls StartLoginInteractive. If an authURL is available and hasn't expired, we immediately send it to all connected clients, suggesting them to open that URL in a browser. Otherwise, we send a login request to the control plane and set a flag indicating that an interactive login is in progress. - When LocalBackend receives an authURL from the control plane, we check if it differs from the previous one and whether an interactive login is in progress. If either condition is true, we notify all connected clients with the new authURL and reset the interactive login flag. We reset the auth URL and flags upon a successful authentication, when a different user logs in and when switching Tailscale login profiles. Finally, we remove the redundant dedup logic added to WatchNotifications in #12096 and revert the tests to their original state to ensure that calling StartLoginInteractive always produces BrowseToURL notifications, either immediately or when the authURL is received from the control plane. Fixes #13296 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	2f2aeaeaeb	ipn/ipnlocal: fix a nil pointer dereference when serving /localapi/v0/tka/status Fixes #13330 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	959285e0c5	ipn/ipnlocal: fix race condition that results in a panic sending on a closed channel Fixes #13288 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	b48c8db69c	ipn/ipnlocal: set WantRunning upon an interactive login, but not during a seamless renewal or a profile switch The LocalBackend's state machine starts in NoState and soon transitions to NeedsLogin if there's no auto-start profile, with the profileManager starting with a new empty profile. Notably, entering the NeedsLogin state blocks engine updates. We expect the user to transition out of this state by logging in interactively, and we set WantRunning to true when controlclient enters the StateAuthenticated state. While our intention is correct, and completing an interactive login should set WantRunning to true, our assumption that logging into the current Tailscale profile is the only way to transition out of the NeedsLogin state is not accurate. Another common transition path includes an explicit profile switch (via LocalBackend.SwitchProfile) or an implicit switch when a Windows user connects to the backend. This results in a bug where WantRunning is set to true even when it was previously set to false, and the user expressed no intention of changing it. A similar issue occurs when switching from (sic) a Tailnet that has seamlessRenewalEnabled, regardless of the current state of the LocalBackend's state machine, and also results in unexpectedly set WantRunning. While this behavior is generally undesired, it is also incorrect that it depends on the control knobs of the Tailnet we're switching from rather than the Tailnet we're switching to. However, this issue needs to be addressed separately. This PR updates LocalBackend.SetControlClientStatus to only set WantRunning to true in response to an interactive login as indicated by a non-empty authURL. Fixes #6668 Fixes #11280 Updates #12756 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	80b2b45d60	ipn/ipnlocal: refactor and cleanup profileManager In preparation for multi-user and unattended mode improvements, we are refactoring and cleaning up `ipn/ipnlocal.profileManager`. The concept of the "current user", which is only relevant on Windows, is being deprecated and will soon be removed to allow more than one Windows user to connect and utilize `LocalBackend` according to that user's access rights to the device and specific Tailscale profiles. We plan to pass the user's identity down to the `profileManager`, where it can be used to determine the user's access rights to a given `LoginProfile`. While the new permission model in `ipnauth` requires more work and is currently blocked pending PR reviews, we are updating the `profileManager` to reduce its reliance on the concept of a single OS user being connected to the backend at the same time. We extract the switching to the default Tailscale profile, which may also trigger legacy profile migration, from `profileManager.SetCurrentUserID`. This introduces `profileManager.DefaultUserProfileID`, which returns the default profile ID for the current user, and `profileManager.SwitchToDefaultProfile`, which is essentially a shorthand for `pm.SwitchProfile(pm.DefaultUserProfileID())`. Both methods will eventually be updated to accept the user's identity and utilize that user's default profile. We make access checks more explicit by introducing the `profileManager.checkProfileAccess` method. The current implementation continues to use `profileManager.currentUserID` and `LoginProfile.LocalUserID` to determine whether access to a given profile should be granted. This will be updated to utilize the `ipnauth` package and the new permissions model once it's ready. We also expand access checks to be used more widely in the `profileManager`, not just when switching or listing profiles. This includes access checks in methods like `SetPrefs` and, most notably, `DeleteProfile` and `DeleteAllProfiles`, preventing unprivileged Windows users from deleting Tailscale profiles owned by other users on the same device, including profiles owned by local admins. We extract `profileManager.ProfilePrefs` and `profileManager.SetProfilePrefs` methods that can be used to get and set preferences of a given `LoginProfile` if `profileManager.checkProfileAccess` permits access to it. We also update `profileManager.setUnattendedModeAsConfigured` to always enable unattended mode on Windows if `Prefs.ForceDaemon` is true in the current `LoginProfile`, even if `profileManager.currentUserID` is `""`. This facilitates enabling unattended mode via `tailscale up --unattended` even if `tailscale-ipn.exe` is not running, such as when a Group Policy or MDM-deployed script runs at boot time, or when Tailscale is used on a Server Code or otherwise headless Windows environments. See #12239, #2137, #3186 and https://github.com/tailscale/tailscale/pull/6255#issuecomment-2016623838 for details. Fixes #12239 Updates tailscale/corp#18342 Updates #3186 Updates #2137 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Nick Khyl	961ee321e8	ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client. These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config) requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues. We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other platforms when switching between profiles that have different OperatorUser values in ipn.Prefs. We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device (e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation. The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device and against the current (and/or the target) profile. This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next PRs and removing the deprecated methods and the Permit* flags at the end of the transition. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Kristoffer Dalby	a2c42d3cd4	usermetric: add initial user-facing metrics This commit adds a new usermetric package and wires up metrics across the tailscale client. Updates tailscale/corp#22075 Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
James Tucker	8af50fa97c	ipn/ipnlocal: update routes on link change with ExitNodeAllowLANAccess On a major link change the LAN routes may change, so on linkChange where ChangeDelta.Major, we need to call authReconfig to ensure that new routes are observed and applied. Updates tailscale/corp#22574 Signed-off-by: James Tucker <james@tailscale.com>	1 year ago
Jordan Whited	641693d61c	ipn/ipnlocal: install IPv6 service addr route (#13252 ) This is the equivalent of quad-100, but for IPv6. This is technically already contained in the Tailscale IPv6 ULA prefix, but that is only installed when remote peers are visible via control with contained addrs. The service addr should always be reachable. Updates #1152 Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 year ago
Brad Fitzpatrick	e54c81d1d0	types/views: add Slice.All iterator And convert a few callers as an example, but nowhere near all. Updates #12912 Change-Id: I5eaa12a29a6cd03b58d6f1072bd27bc0467852f2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Percy Wegmann	4637ac732e	ipn/ipnlocal: remember last notified taildrive shares and only notify if they've changed Fixes #13195 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 year ago
Anton Tolchanov	151b77f9d6	cmd/tl-longchain: tool to re-sign nodes with long rotation signatures In Tailnet Lock, there is an implicit limit on the number of rotation signatures that can be chained before the signature becomes too long. This program helps tailnet admins to identify nodes that have signatures with long chains and prints commands to re-sign those node keys with a fresh direct signature. It's a temporary mitigation measure, and we will remove this tool as we design and implement a long-term approach for rotation signatures. Example output: ``` 2024/08/20 18:25:03 Self: does not need re-signing 2024/08/20 18:25:03 Visible peers with valid signatures: 2024/08/20 18:25:03 Peer xxx2.yy.ts.net. (100.77.192.34) nodeid=nyDmhiZiGA11KTM59, current signature kind=direct: does not need re-signing 2024/08/20 18:25:03 Peer xxx3.yy.ts.net. (100.84.248.22) nodeid=ndQ64mDnaB11KTM59, current signature kind=direct: does not need re-signing 2024/08/20 18:25:03 Peer xxx4.yy.ts.net. (100.85.253.53) nodeid=nmZfVygzkB21KTM59, current signature kind=rotation: chain length 4, printing command to re-sign tailscale lock sign nodekey:530bddbfbe69e91fe15758a1d6ead5337aa6307e55ac92dafad3794f8b3fc661 tlpub:4bf07597336703395f2149dce88e7c50dd8694ab5bbde3d7c2a1c7b3e231a3c2 ``` To support this, the NetworkLockStatus localapi response now includes information about signatures of all peers rather than just the invalid ones. This is not displayed by default in `tailscale lock status`, but will be surfaced in `tailscale lock status --json`. Updates #13185 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Kristoffer Dalby	01aa01f310	ipn/ipnlocal: network-lock, error if no pubkey instead of panic Updates tailscale/corp#20931 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	1 year ago
Andrea Gottardo	9d2b1820f1	ipnlocal: support setting authkey at login using syspolicy (#13061 ) Updates tailscale/corp#22120 Adds the ability to start the backend by reading an authkey stored in the syspolicy database (MDM). This is useful for devices that are provisioned in an unattended fashion. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Brad Fitzpatrick	4c2e978f1e	cmd/tailscale/cli: support passing network lock keys via files Fixes tailscale/corp#22356 Change-Id: I959efae716a22bcf582c20d261fb1b57bacf6dd9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Naman Sood	f79183dac7	cmd/tsidp: add funnel support (#12591 ) * cmd/tsidp: add funnel support Updates #10263. Signed-off-by: Naman Sood <mail@nsood.in> * look past funnel-ingress-node to see who we're authenticating Signed-off-by: Naman Sood <mail@nsood.in> * fix comment typo Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback, support Basic auth for /token Turns out you need to support Basic auth if you do client ID/secret according to OAuth. Signed-off-by: Naman Sood <mail@nsood.in> * fix typos Signed-off-by: Naman Sood <mail@nsood.in> * review fixes Signed-off-by: Naman Sood <mail@nsood.in> * remove debugging log Signed-off-by: Naman Sood <mail@nsood.in> * add comments, fix header Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	1 year ago
Andrea Gottardo	949b15d858	net/captivedetection: call SetHealthy once connectivity restored (#12974 ) Fixes tailscale/tailscale#12973 Updates tailscale/tailscale#1634 There was a logic issue in the captive detection code we shipped in https://github.com/tailscale/tailscale/pull/12707. Assume a captive portal has been detected, and the user notified. Upon switching to another Wi-Fi that does not have a captive portal, we were issuing a signal to interrupt any pending captive detection attempt. However, we were not also setting the `captive-portal-detected` warnable to healthy. The result was that any "captive portal detected" alert would not be cleared from the UI. Also fixes a broken log statement value. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Andrea Gottardo	90be06bd5b	health: introduce captive-portal-detected Warnable (#12707 ) Updates tailscale/tailscale#1634 This PR introduces a new `captive-portal-detected` Warnable which is set to an unhealthy state whenever a captive portal is detected on the local network, preventing Tailscale from connecting. ipn/ipnlocal: fix captive portal loop shutdown Change-Id: I7cafdbce68463a16260091bcec1741501a070c95 net/captivedetection: fix mutex misuse ipn/ipnlocal: ensure that we don't fail to start the timer Change-Id: I3e43fb19264d793e8707c5031c0898e48e3e7465 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Irbe Krumina	57856fc0d5	ipn,wgengine/magicsock: allow setting static node endpoints via tailscaled configfile (#12882 ) wgengine/magicsock,ipn: allow setting static node endpoints via tailscaled config file. Adds a new StaticEndpoints field to tailscaled config that can be used to statically configure the endpoints that the node advertizes. This field will replace TS_DEBUG_PRETENDPOINTS env var that can be used to achieve the same. Additionally adds some functionality that ensures that endpoints are updated when configfile is reloaded. Also, refactor configuring/reconfiguring components to use the same functionality when configfile is parsed the first time or subsequent times (after reload). Previously a configfile reload did not result in resetting of prefs. Now it does- but does not yet tell the relevant components to consume the new prefs. This is to be done in a follow-up. Updates tailscale/tailscale#12578 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 year ago
Andrew Lytvynov	e7bf6e716b	cmd/tailscale: add --min-validity flag to the cert command (#12822 ) Some users run "tailscale cert" in a cron job to renew their certificates on disk. The time until the next cron job run may be long enough for the old cert to expire with our default heristics. Add a `--min-validity` flag which ensures that the returned cert is valid for at least the provided duration (unless it's longer than the cert lifetime set by Let's Encrypt). Updates #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Adrian Dewhurst	54f58d1143	ipn/ipnlocal: add comment explaining auto exit node migration Updates tailscale/corp#19681 Change-Id: I6d396780b058ff0fbea0e9e53100f04ef3b76339 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	1 year ago
Adrian Dewhurst	8882c6b730	ipn/ipnlocal: wait for DERP before auto exit node migration Updates tailscale/corp#19681 Change-Id: I31dec154aa3b5edba01f10eec37640f631729cb2 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	1 year ago
Anton Tolchanov	5d61d1c7b0	log/sockstatlog: don't block for more than 5s on shutdown Fixes tailscale/corp#21618 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Claire Wang	49bf63cdd0	ipn/ipnlocal: check for offline auto exit node in SetControlClientStatus (#12772 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	1 year ago
Anton Tolchanov	874972b683	posture: add network hardware addresses to posture identity If an optional `hwaddrs` URL parameter is present, add network interface hardware addresses to the posture identity response. Just like with serial numbers, this requires client opt-in via MDM or `tailscale set --posture-checking=true` (https://tailscale.com/kb/1326/device-identity) Updates tailscale/corp#21371 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Brad Fitzpatrick	c6af5bbfe8	all: add test for package comments, fix, add comments as needed Updates #cleanup Change-Id: Ic4304e909d2131a95a38b26911f49e7b1729aaef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrew Lytvynov	7b1c764088	ipn/ipnlocal: gate systemd-run flags on systemd version (#12747 ) We added a workaround for --wait, but didn't confirm the other flags, which were added in systemd 235 and 236. Check systemd version for deciding when to set all 3 flags. Fixes #12136 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Andrew Lytvynov	b8af91403d	clientupdate: return true for CanAutoUpdate for macsys (#12746 ) While `clientupdate.Updater` won't be able to apply updates on macsys, we use `clientupdate.CanAutoUpdate` to gate the EditPrefs endpoint in localAPI. We should allow the GUI client to set AutoUpdate.Apply on macsys for it to properly get reported to the control plane. This also allows the tailnet-wide default for auto-updates to propagate to macsys clients. Updates https://github.com/tailscale/corp/issues/21339 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Claire Wang	8965e87fa8	ipn/ipnlocal: handle auto value for ExitNodeID syspolicy (#12512 ) Updates tailscale/corp#19681 Signed-off-by: Claire Wang <claire@tailscale.com>	1 year ago
Anton Tolchanov	781f79408d	ipn/ipnlocal: allow multiple signature chains from the same SigCredential Detection of duplicate Network Lock signature chains added in `01847e0123` failed to account for chains originating with a SigCredential signature, which is used for wrapped auth keys. This results in erroneous removal of signatures that originate from the same re-usable auth key. This change ensures that multiple nodes created by the same re-usable auth key are not getting filtered out by the network lock. Updates tailscale/corp#19764 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Anton Tolchanov	4651827f20	tka: test SigCredential signatures and netmap filtering This change moves handling of wrapped auth keys to the `tka` package and adds a test covering auth key originating signatures (SigCredential) in netmap. Updates tailscale/corp#19764 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Adrian Dewhurst	8f7588900a	ipn/ipnlocal: fix nil pointer dereference and add related test Fixes #12644 Change-Id: I3589b01a9c671937192caaedbb1312fd906ca712 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	1 year ago
Andrew Lytvynov	2064dc20d4	health,ipn/ipnlocal: hide update warning when auto-updates are enabled (#12631 ) When auto-udpates are enabled, we don't need to nag users to update after a new release, before we release auto-updates. Updates https://github.com/tailscale/corp/issues/20081 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	1 year ago
Naman Sood	75254178a0	ipn/ipnlocal: don't bind localListener if its context is canceled (#12621 ) The context can get canceled during backoff, and binding after that makes the listener impossible to close afterwards. Fixes #12620. Signed-off-by: Naman Sood <mail@nsood.in>	1 year ago
Andrew Dunham	30f8d8199a	ipn/ipnlocal: fix data race in tests We can observe a data race in tests when logging after a test is finished. `b.onHealthChange` is called in a goroutine after being registered with `health.Tracker.RegisterWatcher`, which calls callbacks in `setUnhealthyLocked` in a new goroutine. See: https://github.com/tailscale/tailscale/actions/runs/9672919302/job/26686038740 Updates #12054 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ibf22cc994965d88a9e7236544878d5373f91229e	1 year ago
Brad Fitzpatrick	d5e692f7e7	ipn/ipnlocal: check operator user via osuser package So non-local users (e.g. Kerberos on FreeIPA) on Linux can be looked up. Our default binaries are built with pure Go os/user which only supports the classic /etc/passwd and not any libc-hooked lookups. Updates #12601 Change-Id: I9592db89e6ca58bf972f2dcee7a35fbf44608a4f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Brad Fitzpatrick	5ec01bf3ce	wgengine/filter: support FilterRules matching on srcIP node caps [capver 100] See #12542 for background. Updates #12542 Change-Id: Ida312f700affc00d17681dc7551ee9672eeb1789 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Andrea Gottardo	d6a8fb20e7	health: include DERP region name in bad derp notifications (#12530 ) Fixes tailscale/corp#20971 We added some Warnables for DERP failure situations, but their Text currently spits out the DERP region ID ("10") in the UI, which is super ugly. It would be better to provide the RegionName of the DERP region that is failing. We can do so by storing a reference to the last-known DERP map in the health package whenever we fetch one, and using it when generating the notification text. This way, the following message... > Tailscale could not connect to the relay server '10'. The server might be temporarily unavailable, or your Internet connection might be down. becomes: > Tailscale could not connect to the 'Seattle' relay server. The server might be temporarily unavailable, or your Internet connection might be down. which is a lot more user-friendly. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	1 year ago
Andrew Dunham	45d2f4301f	proxymap, various: distinguish between different protocols Previously, we were registering TCP and UDP connections in the same map, which could result in erroneously removing a mapping if one of the two connections completes while the other one is still active. Add a "proto string" argument to these functions to avoid this. Additionally, take the "proto" argument in LocalAPI, and plumb that through from the CLI and add a new LocalClient method. Updates tailscale/corp#20600 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I35d5efaefdfbf4721e315b8ca123f0c8af9125fb	1 year ago
Brad Fitzpatrick	86e0f9b912	net/ipset, wgengine/filter/filtertype: add split-out packages This moves NewContainsIPFunc from tsaddr to new ipset package. And wgengine/filter types gets split into wgengine/filter/filtertype, so netmap (and thus the CLI, etc) doesn't need to bring in ipset, bart, etc. Then add a test making sure the CLI deps don't regress. Updates #1278 Change-Id: Ia246d6d9502bbefbdeacc4aef1bed9c8b24f54d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	491483d599	cmd/viewer,type/views: add MapSlice for maps of slices This abstraction provides a nicer way to work with maps of slices without having to write out three long type params. This also allows it to provide an AsMap implementation which copies the map and the slices at least. Updates tailscale/corp#20910 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrea Gottardo	a8ee83e2c5	health: begin work to use structured health warnings instead of strings, pipe changes into ipn.Notify (#12406 ) Updates tailscale/tailscale#4136 This PR is the first round of work to move from encoding health warnings as strings and use structured data instead. The current health package revolves around the idea of Subsystems. Each subsystem can have (or not have) a Go error associated with it. The overall health of the backend is given by the concatenation of all these errors. This PR polishes the concept of Warnable introduced by @bradfitz a few weeks ago. Each Warnable is a component of the backend (for instance, things like 'dns' or 'magicsock' are Warnables). Each Warnable has a unique identifying code. A Warnable is an entity we can warn the user about, by setting (or unsetting) a WarningState for it. Warnables have: - an identifying Code, so that the GUI can track them as their WarningStates come and go - a Title, which the GUIs can use to tell the user what component of the backend is broken - a Text, which is a function that is called with a set of Args to generate a more detailed error message to explain the unhappy state Additionally, this PR also begins to send Warnables and their WarningStates through LocalAPI to the clients, using ipn.Notify messages. An ipn.Notify is only issued when a warning is added or removed from the Tracker. In a next PR, we'll get rid of subsystems entirely, and we'll start using structured warnings for all errors affecting the backend functionality. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 years ago

1 2 3 4 5 ...

1223 Commits (ptruby/initial-tailscale-ui-components-integration)