tailscale

Commit Graph

Author	SHA1	Message	Date
Will Norris	37eab31f68	client/web: simply csrf key caching in cgi mode Instead of trying to use the user config dir, and then fail back to the OS temp dir, just always use the temp dir. Also use a filename that is less likely to cause collisions. This addresses an issue on a test synology instance that was mysteriously failing because there was a file at /tmp/tailscale. We could still technically run into this issue if a /tmp/tailscale-web-csrf.key file exists, but that seems far less likely. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Maisem Ali	b90b9b4653	client/web: fix data race Fixes #9150 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Sonia Appasamy	e952564b59	client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	1cd03bc0a1	client/web: remove self node on server This is unused. Can be added back if needed in the future. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	da6eb076aa	client/web: add localapi proxy Adds proxy to the localapi from /api/local/ web client endpoint. The localapi proxy is restricted to an allowlist of those actually used by the web client frontend. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	7aea219a0f	client/web: pull SynoToken logic into apiFetch Updates tailscale/corp#13775	10 months ago
Will Norris	d74c771fda	client/web: always use new web client; remove old client This uses the new react-based web client for all builds, not just with the --dev flag. If the web client assets have not been built, the client will serve a message that Tailscale was built without the web client, and link to build instructions. Because we will include the web client in all of our builds, this should only be seen by developers or users building from source. (And eventually this will be replaced by attempting to download needed assets as runtime.) We do now checkin the build/index.html file, which serves the error message when assets are unavailable. This will also eventually be used to trigger in CI when new assets should be built and uploaded to a well-known location. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	be5bd1e619	client/web: skip authorization checks for static assets Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Andrew Dunham	c86a610eb3	cmd/tailscale, net/portmapper: add --log-http option to "debug portmap" This option allows logging the raw HTTP requests and responses that the portmapper Client makes when using UPnP. This can be extremely helpful when debugging strange UPnP issues with users' devices, and might allow us to avoid having to instruct users to perform a packet capture. Updates #8992 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I2c3cf6930b09717028deaff31738484cc9b008e4	10 months ago
Sonia Appasamy	4828e4c2db	client/web: move api handler into web.go Also uses `http.HandlerFunc` to pass the handler into `csrfProtect` so we can get rid of the extraneous `api` struct. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	f3077c6ab5	client/web: add self node cache Adds a cached self node to the web client Server struct, which will be used from the web client api to verify that request came from the node's own machine (i.e. came from the web client frontend). We'll be using when we switch the web client api over to acting as a proxy to the localapi, to protect against DNS rebinding attacks. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Will Norris	dc8287ab3b	client/web: enforce full path for CGI platforms Synology and QNAP both run the web client as a CGI script. The old web client didn't care too much about requests paths, since there was only a single GET and POST handler. The new client serves assets on different paths, so now we need to care. First, enforce that the CGI script is always accessed from its full path, including a trailing slash (e.g. /cgi-bin/tailscale/index.cgi/). Then, strip that prefix off before passing the request along to the main serve handler. This allows for properly serving both static files and the API handler in a CGI environment. Also add a CGIPath option to allow other CGI environments to specify a custom path. Finally, update vite and one "api/data" call to no longer assume that we are always serving at the root path of "/". Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	0c3d343ea3	client/web: invert auth logic for synology and qnap Add separate server methods for synology and qnap, and enforce authentication and authorization checks before calling into the actual serving handlers. This allows us to remove all of the auth logic from those handlers, since all requests will already be authenticated by that point. Also simplify the Synology token redirect handler by using fetch. Remove the SynologyUser from nodeData, since it was never used in the frontend anyway. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	05486f0f8e	client/web: move synology and qnap logic into separate files This commit doesn't change any of the logic, but just organizes the code a little to prepare for future changes. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Sonia Appasamy	349c05d38d	client/web: refresh on tab focus Refresh node data when user switches to the web client browser tab. This helps clean up the auth flow where they're sent to another tab to authenticate then return to the original tab, where the data should be refreshed to pick up the login updates. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Will Norris	824cd02d6d	client/web: cache csrf key when running in CGI mode Indicate to the web client when it is running in CGI mode, and if it is then cache the csrf key between requests. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	9ea3942b1a	client/web: don't require secure cookies for csrf Under normal circumstances, you would typically want to keep the default behavior of requiring secure cookies. In the case of the Tailscale web client, we are regularly serving on localhost (where secure cookies don't really matter), and/or we are behind a reverse proxy running on a network appliance like a NAS or Home Assistant. In those cases, those devices are regularly accessed over local IP addresses without https configured, so would not work with secure cookies. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Sonia Appasamy	776f9b5875	client/web: open auth URLs in new browser tab Open control server auth URLs in new browser tabs on web clients so users don't loose original client URL when redirected for login. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Will Norris	cf45d6a275	client/web: remove old /redirect handler I thought this had something to do with Synology or QNAP support, since they both have specific authentication logic. But it turns out this was part of the original web client added in #1621, and then refactored as part of #2093. But with how we handle logging in now, it's never called. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	5ebff95a4c	client/web: fix globbing for file embedding src/*/ was only grabbing files in subdirectories, but not in the src directory itself. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	0df5507c81	client/web: combine embeds into a single embed.FS instead of embedding each file individually, embed them all into a single embed filesystem. This is basically a noop for the current frontend, but sets things up a little cleaner for the new frontend. Also added an embed.FS for the source files needed to build the new frontend. These files are not actually embedded into the binary (since it is a blank identifier), but causes `go mod vendor` to copy them into the vendor directory. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Sonia Appasamy	09e5e68297	client/web: track web client initializations Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	50b558de74	client/web: hook up remaining legacy POST requests Hooks up remaining legacy POST request from the React side in --dev. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Marwan Sulaiman	35ff5bf5a6	cmd/tailscale/cli, ipn/ipnlocal: [funnel] add stream mode Adds ability to start Funnel in the foreground and stream incoming connections. When foreground process is stopped, Funnel is turned back off for the port. Exampe usage: ``` TAILSCALE_FUNNEL_V2=on tailscale funnel 8080 ``` Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	10 months ago
Sonia Appasamy	077bbb8403	client/web: add csrf protection to web client api Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Brad Fitzpatrick	b090d61c0f	tailcfg: rename prototype field to reflect its status (Added earlier today in #8916, `57da1f150`) Updates tailscale/corp#13969 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
Richard Castro	57da1f1501	client: update DNSConfig type (#8916 ) This PR adds DNSFilterURL to the DNSConfig type to be used by control changes to add DNS filtering logic Fixes #cleanup Signed-off-by: Richard Castro <richard@tailscale.com>	11 months ago
Sonia Appasamy	18280ebf7d	client/web: hook up data fetching to fill --dev React UI Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Will Norris	9c4364e0b7	client/web: copy existing UI to basic react components This copies the existing go template frontend into very crude react components that will be driven by a simple JSON api for fetching and updating data. For now, this returns a static set of test data. This just implements the simple existing UI, so I've put these all in a "legacy" component, with the expectation that we will rebuild this with more properly defined components, some pulled from corp. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Will Norris	ddba4824c4	client/web: add prettier and format scripts Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Sonia Appasamy	0052830c64	cli/serve: funnel interactive enablement flow tweaks 1. Add metrics to funnel flow. 2. Stop blocking users from turning off funnels when no longer in their node capabilities. 3. Rename LocalClient.IncrementMetric to IncrementCounter to better callout its usage is only for counter clientmetrics. Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Sonia Appasamy	8e63d75018	client/tailscale: add LocalClient.IncrementMetric func A #cleanup to add a func to utilize the already-present "/localapi/v0/upload-client-metrics" localapi endpoint. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Sonia Appasamy	12238dab48	client/web: add tailwind styling to react app Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Sonia Appasamy	d5ac18d2c4	client/web: add tsconfig.json Also allows us to use absolute import paths (see change in index.tsx). Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Sonia Appasamy	3f12b9c8b2	client/web: pipe through to React in dev mode Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Sonia Appasamy	16bc9350e3	client/web: add barebones vite dev setup Currently just serving a "Hello world" page when running the web cli in --dev mode. Updates tailscale/corp#13775 Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Will Norris	6ee85ba412	client/web: fix rendering of node owner profile Fixes #8837 Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Sonia Appasamy	2bc98abbd9	client/web: add web client Server struct Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Sonia Appasamy	7815fbe17a	tailscale/cli: add interactive flow for enabling Funnel Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Will Norris	f9066ac1f4	client/web: extract web client from cli package move the tailscale web client out of the cmd/tailscale/cli package, into a new client/web package. The remaining cli/web.go file is still responsible for parsing CLI flags and such, and then calls into client/web. This will allow the web client to be hooked into from other contexts (for example, from a tsnet server), and provide a dedicated space to add more functionality to this client. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Brad Fitzpatrick	66f27c4beb	all: require Go 1.21 Updates #8419 Change-Id: I809b6a4d59d92a2ab6ec587ccbb9053376bf02c2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	11 months ago
salman aljammaz	25a7204bb4	wgengine,ipn,cmd/tailscale: add size option to ping (#8739 ) This adds the capability to pad disco ping message payloads to reach a specified size. It also plumbs it through to the tailscale ping -size flag. Disco pings used for actual endpoint discovery do not use this yet. Updates #311. Signed-off-by: salman <salman@tailscale.com> Co-authored-by: Val <valerie@tailscale.com>	11 months ago
Sonia Appasamy	301e59f398	tailcfg,ipn/localapi,client/tailscale: add QueryFeature endpoint Updates tailscale/corp#10577 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Tom DNetto	767e839db5	all: implement lock revoke-keys command The revoke-keys command allows nodes with tailnet lock keys to collaborate to erase the use of a compromised key, and remove trust in it. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-1848	11 months ago
David Anderson	ed46442cb1	client/tailscale/apitype: document never-nil property of WhoIsResponse Every time I use WhoIsResponse I end up writing mildly irritating nil-checking for both Node and UserProfile, but it turns out our code guarantees that both are non-nil in successful whois responses. Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	11 months ago
Maisem Ali	1ecc16da5f	tailcfg,ipn/ipnlocal,wgengine: add values to PeerCapabilities Define PeerCapabilty and PeerCapMap as the new way of sending down inter-peer capability information. Previously, this was unstructured and you could only send down strings which got too limiting for certain usecases. Instead add the ability to send down raw JSON messages that are opaque to Tailscale but provide the applications to define them however they wish. Also update accessors to use the new values. Updates #4217 Signed-off-by: Maisem Ali <maisem@tailscale.com>	11 months ago
Jenny Zhang	6b56e92acc	client/tailscale: add warnings slice to ACLTestFailureSummary Updates #8645 Signed-off-by: Jenny Zhang <jz@tailscale.com>	12 months ago
Aaron Klotz	fd8c8a3700	client/tailscale: add API for verifying network lock signing deeplink Fixes #8539 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	12 months ago
Anton Tolchanov	6a156f6243	client/tailscale: support deauthorizing a device This adds a new `SetAuthorized` method that allows setting device authorization to true or false. I chose the method name to be consistent with SetTags. Updates https://github.com/tailscale/corp/issues/10160 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 year ago
Brad Fitzpatrick	4664318be2	client/tailscale: revert CreateKey API change, add Client.CreateKeyWithExpiry The client/tailscale is a stable-ish API we try not to break. Revert the Client.CreateKey method as it was and add a new CreateKeyWithExpiry method to do the new thing. And document the expiry field and enforce that the time.Duration can't be between in range greater than 0 and less than a second. Updates #7143 Updates #8124 (reverts it, effectively) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago

1 2 3 4

160 Commits (37eab31f6894d3126a47208fd42036a8262a58b8)