Commit Graph

6798 Commits (05298f4336e71986c6872cab108625ebdb328587)
 

Author SHA1 Message Date
Will Norris 237c6c44cd client/web: call /api/auth before rendering any client views
For now this is effectively a noop, since only the ManagementClientView
uses the auth data. That will change soon.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Rhea Ghosh 970eb5e784
cmd/k8s-operator: sanitize connection headers (#10063)
Fixes tailscale/corp#15526

Signed-off-by: Rhea Ghosh <rhea@tailscale.com>
1 year ago
James Tucker ca4c940a4d ipn: introduce app connector advertisement preference and flags
Introduce a preference structure to store the setting for app connector
advertisement.

Introduce the associated flags:

  tailscale up --advertise-connector{=true,=false}
  tailscale set --advertise-connector{=true,=false}

```
% tailscale set --advertise-connector=false
% tailscale debug prefs | jq .AppConnector.Advertise
false
% tailscale set --advertise-connector=true
% tailscale debug prefs | jq .AppConnector.Advertise
true
% tailscale up --advertise-connector=false
% tailscale debug prefs | jq .AppConnector.Advertise
false
% tailscale up --advertise-connector=true
% tailscale debug prefs | jq .AppConnector.Advertise
true
```

Updates tailscale/corp#15437

Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
James Tucker 09fcbae900 net/dnscache: remove completed TODO
The other IP types don't appear to be imported anymore, and after a scan
through I couldn't see any substantial usage of other representations,
so I think this TODO is complete.

Updates #cleanup
Signed-off-by: James Tucker <james@tailscale.com>
1 year ago
Sonia Appasamy 32ebc03591 client/web: move session logic to auth.go
Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Chris Palmer 3a9f5c02bf
util/set: make Clone a method (#10044)
Updates #cleanup

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
1 year ago
Derek Kaser 5289cfce33
clientupdate: disable on Unraid (#10048)
* clientupdate: disable on Unraid

Updates dkaser/unraid-tailscale#94

Signed-off-by: Derek Kaser <derek.kaser@gmail.com>

* Update clientupdate/clientupdate.go

Signed-off-by: Andrew Lytvynov <andrew@awly.dev>

---------

Signed-off-by: Derek Kaser <derek.kaser@gmail.com>
Signed-off-by: Andrew Lytvynov <andrew@awly.dev>
Co-authored-by: Andrew Lytvynov <andrew@awly.dev>
1 year ago
Irbe Krumina c2b87fcb46
cmd/k8s-operator/deploy/chart,.github/workflows: use helm chart API v2 (#10055)
API v1 is compatible with helm v2 and v2 is not.
However, helm v2 (the Tiller deployment mechanism) was deprecated in 2020
and no-one should be using it anymore.
This PR also adds a CI lint test for helm chart

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
Maisem Ali d0f2c0664b wgengine/netstack: standardize var names in UpdateNetstackIPs
Updates #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali eaf8aa63fc wgengine/netstack: remove unnecessary map in UpdateNetstackIPs
Updates #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Maisem Ali d601c81c51 wgengine/netstack: use netip.Prefix as map keys
Updates #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Anton Tolchanov c3313133b9 derp/derphttp: close DERP client to avoid data race in test
Fixes #10041

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
1 year ago
Will Norris 66c7af3dd3 ipn: replace web client debug flag with node capability
Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Jordan Whited bd488e4ff8
go.mod: update wireguard-go (#10046)
Updates tailscale/corp#9990

Signed-off-by: Jordan Whited <jordan@tailscale.com>
1 year ago
Chris Palmer 00375f56ea
util/set: add some more Set operations (#10022)
Updates #cleanup

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
1 year ago
Andrew Lytvynov 7f3208592f
clientupdate: mention release track when running latest (#10039)
Not all users know about our tracks and versioning scheme. They can be
confused when e.g. 1.52.0 is out but 1.53.0 is available. Or when 1.52.0
is our but 1.53 has not been built yet and user is on 1.51.x.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
1 year ago
Sonia Appasamy 44175653dc ipn/ipnlocal: rename web fields/structs to webClient
For consistency and clarity around what the LocalBackend.web field
is used for.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Anton Tolchanov 3114a1c88d derp/derphttp: add watch reconnection tests from #9719
Co-authored-by: Val <valerie@tailscale.com>
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
1 year ago
Brad Fitzpatrick 3d7fb6c21d derp/derphttp: fix race in mesh watcher
The derphttp client automatically reconnects upon failure.

RunWatchConnectionLoop called derphttp.Client.WatchConnectionChanges
once, but that wrapper method called the underlying
derp.Client.WatchConnectionChanges exactly once on derphttp.Client's
currently active connection. If there's a failure, we need to re-subscribe
upon all reconnections.

This removes the derphttp.Client.WatchConnectionChanges method, which
was basically impossible to use correctly, and changes it to be a
boolean field on derphttp.Client alongside MeshKey and IsProber. Then
it moves the call to the underlying derp.Client.WatchConnectionChanges
to derphttp's client connection code, so it's resubscribed on any
reconnect.

Some paranoia is then added to make sure people hold the API right,
not calling derphttp.Client.RunWatchConnectionLoop on an
already-started Client without having set the bool to true. (But still
auto-setting it to true if that's the first method that's been called
on that derphttp.Client, as is commonly the case, and prevents
existing code from breaking)

Fixes tailscale/corp#9916
Supercedes tailscale/tailscale#9719

Co-authored-by: Val <valerie@tailscale.com>
Co-authored-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Anton Tolchanov <anton@tailscale.com>
Signed-off-by: Brad Fitzpatrick <brad@danga.com>
1 year ago
Tom DNetto df4b730438 types/appctype: define the nodeAttrs type for dns-driven app connectors
Signed-off-by: Tom DNetto <tom@tailscale.com>
Updates: https://github.com/tailscale/corp/issues/15440
Code-authored-by: Podtato <podtato@tailscale.com>
1 year ago
Tom DNetto a7c80c332a cmd/sniproxy: implement support for control configuration, multiple addresses
* Implement missing tests for sniproxy
 * Wire sniproxy to new appc package
 * Add support to tsnet for routing subnet router traffic into netstack, so it can be handled

Updates: https://github.com/tailscale/corp/issues/15038
Signed-off-by: Tom DNetto <tom@tailscale.com>
1 year ago
Flakes Updater 0d86eb9da5 go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
1 year ago
Will Norris ea599b018c ipn: serve web client requests from LocalBackend
instead of starting a separate server listening on a particular port,
use the TCPHandlerForDst method to intercept requests for the special
web client port (currently 5252, probably configurable later).

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Will Norris 28ad910840 ipn: add user pref for running web client
This is not currently exposed as a user-settable preference through
`tailscale up` or `tailscale set`.  Instead, the preference is set when
turning the web client on and off via localapi. In a subsequent commit,
the pref will be used to automatically start the web client on startup
when appropriate.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Jordan Whited dd842d4d37
go.mod: update wireguard-go to enable TUN UDP GSO/GRO (#10029)
Updates tailscale/corp#9990

Signed-off-by: Jordan Whited <jordan@tailscale.com>
1 year ago
Sonia Appasamy 6f214dec48 client/web: split out UI components
This commit makes the following structural changes to the web
client interface. No user-visible changes.

1. Splits login, legacy, readonly, and full management clients into
   their own components, and pulls them out into their own view files.
2. Renders the same Login component for all scenarios when the client
   is not logged in, regardless of legacy or debug mode. Styling comes
   from the existing legacy login, which is removed from legacy.tsx
   now that it is shared.
3. Adds a ui folder to hold non-Tailscale-specific components,
   starting with ProfilePic, previously housed in app.tsx.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Sonia Appasamy 89953b015b ipn/ipnlocal,client/web: add web client to tailscaled
Allows for serving the web interface from tailscaled, with the
ability to start and stop the server via localapi endpoints
(/web/start and /web/stop).

This will be used to run the new full management web client,
which will only be accessible over Tailscale (with an extra auth
check step over noise) from the daemon. This switch also allows
us to run the web interface as a long-lived service in environments
where the CLI version is restricted to CGI, allowing us to manage
certain auth state in memory.

ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for
ios builds to satisfy ios restriction from adding "text/template"
and "html/template" dependencies.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Sonia Appasamy 93aa8a8cff client/web: allow providing logger implementation
Also report metrics in separate go routine with a 5 second timeout.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
1 year ago
Andrea Gottardo 95715c4a12
ipn/localapi: add endpoint to handle APNS payloads (#9972)
* ipn/localapi: add endpoint to handle APNS payloads

Fixes #9971. This adds a new `handle-push-message` local API endpoint. When an APNS payload is delivered to the main app, this endpoint can be used to forward the JSON body of the message to the backend, making a POST request.

cc @bradfitz

Signed-off-by: Andrea Gottardo <andrea@tailscale.com>

* Address comments from code review

Signed-off-by: Andrea Gottardo <andrea@tailscale.com>

---------

Signed-off-by: Andrea Gottardo <andrea@tailscale.com>
1 year ago
Andrew Dunham 57c5b5a77e net/dns/recursive: update IP for b.root-servers.net
As of 2023-11-27, the official IP addresses for b.root-servers.net will
change to a new set, with the older IP addresses supported for at least
a year after that date. These IPs are already active and returning
results, so update these in our recursive DNS resolver package so as to
be ready for the switchover.

See: https://b.root-servers.org/news/2023/05/16/new-addresses.html

Fixes #9994

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I29e2fe9f019163c9ec0e62bdb286e124aa90a487
1 year ago
Tom DNetto 3df305b764 tsnet: enable use-cases with non-native IPs by setting ns.ProcessSubnets
Terminating traffic to IPs which are not the native IPs of the node requires
the netstack subsystem to intercept trafic to an IP it does not consider local.
This PR switches on such interception. In addition to supporting such termination,
this change will also enable exit nodes and subnet routers when running in
userspace mode.

DO NOT MERGE until 1.52 is cut.

Signed-off-by: Tom DNetto <tom@tailscale.com>
Updates: https://github.com/tailscale/corp/issues/15038
1 year ago
Irbe Krumina 452f900589
tool: download helm CLI (#9981)
Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
1 year ago
Irbe Krumina ed1b935238
cmd/k8s-operator: allow to install operator via helm (#9920)
Initial helm manifests.

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Tyler Smalley fde2ba5bb3
VERSION.txt: this is v1.53.0 (#10018)
Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Maisem Ali 62d580f0e8 util/linuxfw: add missing error checks in tests
This would surface as panics when run on Fly. Still fail, but at least don't panic.

Updates #10003

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
Rhea Ghosh 387a98fe28
ipn/ipnlocal: exclude tvOS devices from taildrop file targets (#10002) 1 year ago
Chris Palmer f66dc8dc0a
clientupdate: check for privileges earlier (#9964)
Fixes #9963

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
1 year ago
Flakes Updater f9fafe269a go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
1 year ago
Cole Helbling 087260734b flake: drop unnecessary git input
Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>
1 year ago
Cole Helbling 561e7b61c3 flake: fix systemd service by hardcoding $PORT
Another solution would be to copy the `.defaults` file alongside the
service file, and set the `EnvironmentFile` to point to that, but it
would still be hardcoded (as the `.defaults` file would be stored in the
Nix store), so I figured that this is a good solution until there is a
proper NixOS module.

Fixes #9995.

Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>
1 year ago
Cole Helbling 9e71851a36 go.mod.sri: update
Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>
1 year ago
Cole Helbling 4f62a2ed99 flake: set a default package
This allows `nix build` to run, without needing to use `nix build
.#tailscale`.

Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>
1 year ago
Cole Helbling f737496d7c flake: drop unnecessary fileContents binding
Since the tailscale derivation already has a `pkgs` binding, we can
use `pkgs.lib`. Alternatively, we could have used `nixpkgs.lib`, as
`fileContents` doesn't need a system to use (anymore?).

Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>
1 year ago
Maisem Ali 9107b5eadf cmd/tailscale/cli: use status before doing interactive feature query
We were inconsistent whether we checked if the feature was already
enabled which we could do cheaply using the locally available status.
We would do the checks fine if we were turning on funnel, but not serve.

This moves the cap checks down into enableFeatureInteractive so that
are always run.

Updates #9984

Co-authored-by: Tyler Smalley <tyler@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
License Updater e94d345e26 licenses: update android licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
1 year ago
License Updater 7c7f60be22 licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
1 year ago
Tyler Smalley baa1fd976e
ipn/localapi: require local Windows admin to set serve path (#9969)
For a serve config with a path handler, ensure the caller is a local administrator on Windows.

updates #8489

Signed-off-by: Tyler Smalley <tyler@tailscale.com>
1 year ago
Will Norris 42abf13843 .github: run tests on all PRs, regardless of branch name
The branch name selector "*" doesn't match branches with a "/" in their
name. The vast majority of our PRs are against the main (or previously,
master) branch anyway, so this will have minimal impact. But in the rare
cases that we want to open a PR against a branch with a "/" in the name,
tests should still run.

```
gh pr list --limit 9999 --state all --json baseRefName | \
  jq -cs '.[] | group_by(.baseRefName) |
    map({ base: .[0].baseRefName, count: map(.baseRefName) | length}) |
    sort_by(-.count) | .[]'

{"base":"main","count":4593}
{"base":"master","count":226}
{"base":"release-branch/1.48","count":4}
{"base":"josh-and-adrian-io_uring","count":3}
{"base":"release-branch/1.30","count":3}
{"base":"release-branch/1.32","count":3}
{"base":"release-branch/1.20","count":2}
{"base":"release-branch/1.26","count":2}
{"base":"release-branch/1.34","count":2}
{"base":"release-branch/1.38","count":2}
{"base":"Aadi/speedtest-tailscaled","count":1}
{"base":"josh/io_uring","count":1}
{"base":"maisem/hi","count":1}
{"base":"rel-144","count":1}
{"base":"release-branch/1.18","count":1}
{"base":"release-branch/1.2","count":1}
{"base":"release-branch/1.22","count":1}
{"base":"release-branch/1.24","count":1}
{"base":"release-branch/1.4","count":1}
{"base":"release-branch/1.46","count":1}
{"base":"release-branch/1.8","count":1}
{"base":"web-client-main","count":1}
```

Updates #cleanup

Signed-off-by: Will Norris <will@tailscale.com>
1 year ago
Brad Fitzpatrick b4be4f089f safesocket: make clear which net.Conns are winio types
Follow-up to earlier #9049.

Updates #9049

Change-Id: I121fbd2468770233a23ab5ee3df42698ca1dabc2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
1 year ago
Aaron Klotz 95671b71a6 ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.

The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.

This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).

Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.

I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.

Updates https://github.com/tailscale/tailscale/issues/755

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
1 year ago