tailscale

Commit Graph

Author	SHA1	Message	Date
Jordan Whited	12d5c99b04	client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071 ) Updates tailscale/corp#9990 Signed-off-by: Jordan Whited <jordan@tailscale.com>	7 months ago
Andrew Lytvynov	9b158db2c6	ipn/localapi: require root or sudo+operator access for SetServeConfig (#10142 ) For an operator user, require them to be able to `sudo tailscale` to use `tailscale serve`. This is similar to the Windows elevated token check. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Andrew Lytvynov	f0bc95a066	ipn/localapi: make serveTKASign require write permission (#10094 ) The existing read permission check looks like an oversight. Write seems more appropriate for sining new nodes. Updates https://github.com/tailscale/corp/issues/15506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Sonia Appasamy	da31ce3a64	ipn/localapi: remove webclient endpoint Managing starting/stopping tailscaled web client purely via setting the RunWebClient pref. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Andrew Lytvynov	c6a4612915	ipn/localapi: require Write access on /watch-ipn-bus with private keys (#10059 ) Clients optionally request private key filtering. If they don't, we should require Write access for the user. Updates https://github.com/tailscale/corp/issues/15506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Sonia Appasamy	44175653dc	ipn/ipnlocal: rename web fields/structs to webClient For consistency and clarity around what the LocalBackend.web field is used for. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Will Norris	28ad910840	ipn: add user pref for running web client This is not currently exposed as a user-settable preference through `tailscale up` or `tailscale set`. Instead, the preference is set when turning the web client on and off via localapi. In a subsequent commit, the pref will be used to automatically start the web client on startup when appropriate. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Andrea Gottardo	95715c4a12	ipn/localapi: add endpoint to handle APNS payloads (#9972 ) * ipn/localapi: add endpoint to handle APNS payloads Fixes #9971. This adds a new `handle-push-message` local API endpoint. When an APNS payload is delivered to the main app, this endpoint can be used to forward the JSON body of the message to the backend, making a POST request. cc @bradfitz Signed-off-by: Andrea Gottardo <andrea@tailscale.com> * Address comments from code review Signed-off-by: Andrea Gottardo <andrea@tailscale.com> --------- Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	7 months ago
Tyler Smalley	baa1fd976e	ipn/localapi: require local Windows admin to set serve path (#9969 ) For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	7 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Maisem Ali	17b2072b72	ipn/ipnlocal: set the push device token correctly It would end up resetting whatever hostinfo we had constructed and leave the backend statemachine in a broken state. This fixes that by storing the PushDeviceToken on the LocalBackend and populating it on Hostinfo before passing it to controlclient. Updates tailscale/corp#8940 Updates tailscale/corp#15367 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Joe Tsai	152390e80a	ipn/localapi: avoid unkeyed literal (#9933 ) Go has no way to explicitly identify Go struct as effectively a tuple, so staticcheck assumes any external use of unkeyed literals is wrong. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	7 months ago
Sonia Appasamy	68da15516f	ipn/localapi,client/web: clean up auth error handling This commit makes two changes to the web client auth flow error handling: 1. Properly passes back the error code from the noise request from the localapi. Previously we were using io.Copy, which was always setting a 200 response status code. 2. Clean up web client browser sessions on any /wait endpoint error. This avoids the user getting in a stuck state if something goes wrong with their auth path. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	73bbf941f8	client/web: hook up auth flow Connects serveTailscaleAuth to the localapi webclient endpoint and pipes auth URLs and session cookies back to the browser to redirect users from the frontend. All behind debug flags for now. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Joe Tsai	3f27087e9d	taildrop: switch hashing to be streaming based (#9861 ) While the previous logic was correct, it did not perform well. Resuming is a dance between the client and server, where 1. the client requests hashes for a partial file, 2. the server then computes those hashes, 3. the client computes hashes locally and compares them. 4. goto 1 while the partial file still has data While step 2 is running, the client is sitting idle. While step 3 is running, the server is sitting idle. By streaming over the block hash immediately after the server computes it, the client can start checking the hash, while the server works on the next hash (in a pipelined manner). This performs dramatically better and also uses less memory as we don't need to hold a list of hashes, but only need to handle one hash at a time. There are two detriments to this approach: * The HTTP API relies on a JSON stream, which is not a standard REST-like pattern. However, since we implement both client and server, this is fine. * While the stream is on-going, we hold an open file handle on the server side while the file is being hashed. On really slow streams, this could hold a file open forever. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Joe Tsai	7971333603	ipn: fix localapi and peerapi protocol for taildrop resume (#9860 ) Minor fixes: * The branch for listing or hashing partial files was inverted. * The host for peerapi call needs to be real (rather than bogus). * Handle remote peers that don't support resuming. * Make resume failures non-fatal (since we can still continue). This was tested locally, end-to-end system test is future work. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Rhea Ghosh	9d3c6bf52e	ipn/ipnlocal/peerapi: refactoring taildrop to just one endpoint (#9832 ) Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Brad Fitzpatrick	18bd98d35b	cmd/tailscaled,*: add start of configuration file support Updates #1412 Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Rhea Ghosh	71271e41d6	ipn/{ipnlocal/peerapi, localapi} initial taildrop resume api plumbing (#9798 ) This change: * adds a partial files peerAPI endpoint to get a list of partial files * adds a helper function to extract the basename of a file * updates the peer put peerAPI endpoint * updates the file put localapi endpoint to allow resume functionality Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Sonia Appasamy	feabb34ea0	ipn/localapi: add debug-web-client endpoint Debug endpoint for the web client's auth flow to talk back to the control server. Restricted behind a feature flag on control. We will either be removing this debug endpoint, or renaming it before launching the web client updates. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Rhea Ghosh	8c7169105e	ipn/{ipnlocal/peerapi, localapi}: cleaning up http statuses for consistency and readability (#9796 ) Updates #cleanup Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
Brad Fitzpatrick	70de16bda7	ipn/localapi: make whois take IP or IP:port as documented, fix capmap netstack lookup The whois handler was documented as taking IP (e.g. 100.101.102.103) or IP:port (e.g. usermode 127.0.0.1:1234) but that got broken at some point and we started requiring a port always. Fix that. Also, found in the process of adding tests: fix the CapMap lookup in userspace mode (it was always returning the caps of 127.0.0.1 in userspace mode). Fix and test that too. Updates #9714 Change-Id: Ie9a59744286522fa91c4b70ebe89a1e94dbded26 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Brad Fitzpatrick	6f36f8842c	cmd/tailscale, magicsock: add debug command to flip DERP homes For testing netmap patchification server-side. Updates #1909 Change-Id: Ib1d784bd97b8d4a31e48374b4567404aae5280cc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Val	c608660d12	wgengine,net,ipn,disco: split up and define different types of MTU Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	8 months ago
Brad Fitzpatrick	04fabcd359	ipn/{ipnlocal,localapi}, cli: add debug force-netmap-update For loading testing & profiling the cost of full netmap updates. Updates #1909 Change-Id: I0afdf5de9967f8d95c7f81d5b531ed1c92c3208f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Val	6cc5b272d8	Revert "wgengine,net,ipn,disco: split up and define different types of MTU" This reverts commit `059051c58a`. Signed-off-by: Val <valerie@tailscale.com>	8 months ago
Val	059051c58a	wgengine,net,ipn,disco: split up and define different types of MTU Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	8 months ago
Brad Fitzpatrick	7c1ed38ab3	ipn/ipnlocal: fix missing controlknobs.Knobs plumbing I missed connecting some controlknobs.Knobs pieces in `4e91cf20a8` resulting in that breaking control knobs entirely. Whoops. The fix in ipn/ipnlocal (where it makes a new controlclient) but to atone, I also added integration tests. Those integration tests use a new "tailscale debug control-knobs" which by itself might be useful for future debugging. Updates #9351 Change-Id: Id9c89c8637746d879d5da67b9ac4e0d2367a3f0d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Marwan Sulaiman	12d4685328	ipn/localapi, ipn/ipnlocal: add etag support for SetServeConfig This PR adds optimistic concurrency control in the local client and api in order to ensure multiple writes of the ServeConfig do not conflict with each other. Updates #9273 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Brad Fitzpatrick	4e91cf20a8	control/controlknobs, all: add plumbed Knobs type, not global variables Previously two tsnet nodes in the same process couldn't have disjoint sets of controlknob settings from control as both would overwrite each other's global variables. This plumbs a new controlknobs.Knobs type around everywhere and hangs the knobs sent by control on that instead. Updates #9351 Change-Id: I75338646d36813ed971b4ffad6f9a8b41ec91560 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Marwan Sulaiman	50990f8931	ipn, ipn/ipnlocal: add Foreground field for ServeConfig This PR adds a new field to the serve config that can be used to identify which serves are in "foreground mode" and then can also be used to ensure they do not get persisted to disk so that if Tailscaled gets ungracefully shutdown, the reloaded ServeConfig will not have those ports opened. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Brad Fitzpatrick	7175f06e62	util/rands: add package with HexString func We use it a number of places in different repos. Might as well make one. Another use is coming. Updates #cleanup Change-Id: Ib7ce38de0db35af998171edee81ca875102349a4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Tyler Smalley	e1fbb5457b	cmd/tailscale: combine serve and funnel for debug wip funnel stream model (#9169 ) > Note > Behind the `TAILSCALE_USE_WIP_CODE` flag In preparing for incoming CLI changes, this PR merges the code path for the `serve` and `funnel` subcommands. See the parent issue for more context. The following commands will run in foreground mode when using the environment flag. ``` tailscale serve localhost:3000 tailscae funnel localhost:3000 ``` Replaces #9134 Updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com> Signed-off-by: Marwan Sulaiman <marwan@tailscale.com> Co-authored-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Maisem Ali	96277b63ff	ipn/ipnlocal: rename LogoutSync to Logout Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Andrew Dunham	c86a610eb3	cmd/tailscale, net/portmapper: add --log-http option to "debug portmap" This option allows logging the raw HTTP requests and responses that the portmapper Client makes when using UPnP. This can be extremely helpful when debugging strange UPnP issues with users' devices, and might allow us to avoid having to instruct users to perform a packet capture. Updates #8992 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2c3cf6930b09717028deaff31738484cc9b008e4	9 months ago
Marwan Sulaiman	9c07f4f512	all: replace deprecated ioutil references This PR removes calls to ioutil library and replaces them with their new locations in the io and os packages. Fixes #9034 Updates #5210 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	35ff5bf5a6	cmd/tailscale/cli, ipn/ipnlocal: [funnel] add stream mode Adds ability to start Funnel in the foreground and stream incoming connections. When foreground process is stopped, Funnel is turned back off for the port. Exampe usage: ``` TAILSCALE_FUNNEL_V2=on tailscale funnel 8080 ``` Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Brad Fitzpatrick	84b94b3146	types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView Updates #1909 Change-Id: I8c470cbc147129a652c1d58eac9b790691b87606 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	58a4fd43d8	types/netmap, all: use read-only tailcfg.NodeView in NetworkMap Updates #8948 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Brad Fitzpatrick	e8551d6b40	all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} Updates #8419 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Sonia Appasamy	8e63d75018	client/tailscale: add LocalClient.IncrementMetric func A #cleanup to add a func to utilize the already-present "/localapi/v0/upload-client-metrics" localapi endpoint. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Brad Fitzpatrick	92fc9a01fa	cmd/tailscale: add debug commands to break connections For testing reconnects. Updates tailscale/corp#5761 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
salman aljammaz	25a7204bb4	wgengine,ipn,cmd/tailscale: add size option to ping (#8739 ) This adds the capability to pad disco ping message payloads to reach a specified size. It also plumbs it through to the tailscale ping -size flag. Disco pings used for actual endpoint discovery do not use this yet. Updates #311. Signed-off-by: salman <salman@tailscale.com> Co-authored-by: Val <valerie@tailscale.com>	10 months ago
Aaron Klotz	37925b3e7a	go.mod, cmd/tailscaled, ipn/localapi, util/osdiag, util/winutil, util/winutil/authenticode: add Windows module list to OS-specific logs that are written upon bugreport * We update wingoes to pick up new version information functionality (See pe/version.go in the https://github.com/dblohm7/wingoes repo); * We move the existing LogSupportInfo code (including necessary syscall stubs) out of util/winutil into a new package, util/osdiag, and implement the public LogSupportInfo function may be implemented for other platforms as needed; * We add a new reason argument to LogSupportInfo and wire that into localapi's bugreport implementation; * We add module information to the Windows implementation of LogSupportInfo when reason indicates a bugreport. We enumerate all loaded modules in our process, and for each one we gather debug, authenticode signature, and version information. Fixes #7802 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Sonia Appasamy	301e59f398	tailcfg,ipn/localapi,client/tailscale: add QueryFeature endpoint Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Tom DNetto	767e839db5	all: implement lock revoke-keys command The revoke-keys command allows nodes with tailnet lock keys to collaborate to erase the use of a compromised key, and remove trust in it. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-1848	10 months ago
David Anderson	ed46442cb1	client/tailscale/apitype: document never-nil property of WhoIsResponse Every time I use WhoIsResponse I end up writing mildly irritating nil-checking for both Node and UserProfile, but it turns out our code guarantees that both are non-nil in successful whois responses. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Claire Wang	2315bf246a	ipn: use tstime (#8597 ) Updates #8587 Signed-off-by: Claire Wang <claire@tailscale.com>	10 months ago
Maisem Ali	1ecc16da5f	tailcfg,ipn/ipnlocal,wgengine: add values to PeerCapabilities Define PeerCapabilty and PeerCapMap as the new way of sending down inter-peer capability information. Previously, this was unstructured and you could only send down strings which got too limiting for certain usecases. Instead add the ability to send down raw JSON messages that are opaque to Tailscale but provide the applications to define them however they wish. Also update accessors to use the new values. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago

1 2 3 4

168 Commits (12d5c99b04dce9e8d5394e0d9f87ea502491de16)