tailscale

Commit Graph

Author	SHA1	Message	Date
Joe Tsai	975c5f7684	taildrop: lazily perform full deletion scan after first taildrop use (#10137 ) Simply reading the taildrop directory can pop up security dialogs on platforms like macOS. Avoid this by only performing garbage collection of partial and deleted files after the first received taildrop file, which would have prompted the security dialog window. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Jordan Whited	e848736927	control/controlknobs,wgengine/magicsock: implement SilentDisco toggle (#10195 ) This change exposes SilentDisco as a control knob, and plumbs it down to magicsock.endpoint. No changes are being made to magicsock.endpoint disco behavior, yet. Updates #540 Signed-off-by: Jordan Whited <jordan@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
James Tucker	c54d680682	ipn,tailconfig: clean up unreleased and removed app connector service This was never released, and is replaced by HostInfo.AppConnector. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	0b6636295e	tailcfg,ipn/ipnlocal: add hostinfo field to replace service entry Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Andrew Lytvynov	1f4a38ed49	clientupdate: add support for QNAP (#10179 ) Use the `qpkg_cli` to check for updates and install them. There are a couple special things about this compare to other updaters: * qpkg_cli can tell you when upgrade is available, but not what the version is * qpkg_cli --add Tailscale works for new installs, upgrades and reinstalling existing version; even reinstall of existing version takes a while Updates #10178 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
James Tucker	45be37cb01	ipn/ipnlocal: ensure that hostinfo is updated on app connector preference changes Some conditional paths may otherwise skip the hostinfo update, so kick it off asynchronously as other code paths do. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	933d201bba	ipn/policy: mark AppConnector service as interesting Updates #15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Naman Sood	e57fd9cda4	ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update (#10188 ) * ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * depaware Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	8 months ago
Andrew Lytvynov	55cd5c575b	ipn/localapi: only perform local-admin check in serveServeConfig (#10163 ) On unix systems, the check involves executing sudo, which is slow. Instead of doing it for every incoming request, move the logic into localapi serveServeConfig handler and do it as needed. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Jordan Whited	12d5c99b04	client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071 ) Updates tailscale/corp#9990 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Will Norris	09de240934	ipn/ipnlocal: allow connecting to local web client The local web client has the same characteristic as tailscale serve, in that it needs a local listener to allow for connections from the local machine itself when running in kernel networking mode. This change renames and adapts the existing serveListener to allow it to be used by the web client as well. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Andrew Lytvynov	bff786520e	clientupdate,ipn/ipnlocal: fix c2n update on freebsd (#10168 ) The c2n part was broken because we were not looking up the tailscale binary for that GOOS. The rest of the update was failing at the `pkg upgrade` confirmation prompt. We also need to manually restart tailscaled after update. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Tom DNetto	11a20f371a	ipn/ipnlocal: fix nil control client panic while updating TKA head As part of tailnet-lock netmap processing, the LocalBackend mutex is unlocked so we can potentially make a network call. Its possible (during shutdown or while the control client is being reset) for b.cc to become nil before the lock is picked up again. Fixes: #9554 Signed-off-by: Tom DNetto <tom@tailscale.com>	8 months ago
Tom DNetto	3496d62ed3	ipn/ipnlocal: add empty address to the app-connector localNets set App connectors handle DNS requests for app domains over PeerAPI, but a safety check verifies the requesting peer has at least permission to send traffic to 0.0.0.0:53 (or 2000:: for IPv6) before handling the DNS request. The correct filter rules are synthesized by the coordination server and sent down, but the address needs to be part of the 'local net' for the filter package to even bother checking the filter rules, so we set them here. See: https://github.com/tailscale/corp/issues/11961 for more information. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates: ENG-2405	8 months ago
Charlotte Brandhorst-Satzkorn	f937cb6794	tailcfg,ipn,appc: add c2n endpoint for appc domain routes This change introduces a c2n endpoint that returns a map of domains to a slice of resolved IP addresses for the domain. Fixes tailscale/corp#15657 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	8 months ago
Andrew Lytvynov	9b158db2c6	ipn/localapi: require root or sudo+operator access for SetServeConfig (#10142 ) For an operator user, require them to be able to `sudo tailscale` to use `tailscale serve`. This is similar to the Windows elevated token check. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Will Norris	6b956b49e0	client/web: add some security checks for full client Require that requests to servers in manage mode are made to the Tailscale IP (either ipv4 or ipv6) or quad-100. Also set various security headers on those responses. These might be too restrictive, but we can relax them as needed. Allow requests to /ok (even in manage mode) with no checks. This will be used for the connectivity check from a login client to see if the management client is reachable. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Aaron Klotz	fbc18410ad	ipn/ipnauth: improve the Windows token administrator check (Token).IsAdministrator is supposed to return true even when the user is running with a UAC limited token. The idea is that, for the purposes of this check, we don't care whether the user is currently* running with full Admin rights, we just want to know whether the user can potentially do so. We accomplish this by querying for the token's "linked token," which should be the fully-elevated variant, and checking its group memberships. We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation check to preserve those semantics for tailscale serve; I want the IsAdministrator check to be used for less sensitive things like toggling auto-update on and off. Fixes #10036 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Will Norris	658971d7c0	ipn/ipnlocal: serve web client on quad100 if enabled if the user pref and nodecap for the new web client are enabled, serve the client over requests to 100.100.100.100. Today, that is just a static page that lists the local Tailcale IP addresses. For now, this will render the readonly full management client, with an "access" button that sends the user through check mode. After completing check mode, they will still be in the read-only view, since they are not accessing the client over Tailscale. Instead, quad100 should serve the lobby client that has a "manage" button that will open the management client on the Tailscale IP (and trigger check mode). That is something we'll fix in a subsequent PR in the web client code itself. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	0ecfc1d5c3	client/web: fill devMode from an env var Avoids the need to pipe a web client dev flag through the tailscaled command. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrew Lytvynov	f0bc95a066	ipn/localapi: make serveTKASign require write permission (#10094 ) The existing read permission check looks like an oversight. Write seems more appropriate for sining new nodes. Updates https://github.com/tailscale/corp/issues/15506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Sonia Appasamy	191e2ce719	client/web: add ServerMode to web.Server Adds a new Mode to the web server, indicating the specific scenario the constructed server is intended to be run in. Also starts filling this from the cli/web and ipn/ipnlocal callers. From cli/web this gets filled conditionally based on whether the preview web client node cap is set. If not set, the existing "legacy" client is served. If set, both a login/lobby and full management client are started (in "login" and "manage" modes respectively). Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
James Tucker	f27b2cf569	appc,cmd/sniproxy,ipn/ipnlocal: split sniproxy configuration code out of appc The design changed during integration and testing, resulting in the earlier implementation growing in the appc package to be intended now only for the sniproxy implementation. That code is moved to it's final location, and the current App Connector code is now renamed. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Sonia Appasamy	aa5af06165	ipn/ipnlocal: include web client port in setTCPPortsIntercepted Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	da31ce3a64	ipn/localapi: remove webclient endpoint Managing starting/stopping tailscaled web client purely via setting the RunWebClient pref. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	b370274b29	ipn/ipnlocal: pull CapabilityPreviewWebClient into webClientAtomicBool Now uses webClientAtomicBool as the source of truth for whether the web client should be running in tailscaled, with it updated when either the RunWebClient pref or CapabilityPreviewWebClient node capability changes. This avoids requiring holding the LocalBackend lock on each call to ShouldRunWebClient to check for the CapabilityPreviewWebClient value. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrew Lytvynov	c6a4612915	ipn/localapi: require Write access on /watch-ipn-bus with private keys (#10059 ) Clients optionally request private key filtering. If they don't, we should require Write access for the user. Updates https://github.com/tailscale/corp/issues/15506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
James Tucker	228a82f178	ipn/ipnlocal,tailcfg: add AppConnector service to HostInfo when configured Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	6ad54fed00	appc,ipn/ipnlocal: add App Connector domain configuration from mapcap The AppConnector is now configured by the mapcap from the control plane. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	b48b7d82d0	appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs An EmbeddedAppConnector is added that when configured observes DNS responses from the PeerAPI. If a response is found matching a configured domain, routes are advertised when necessary. The wiring from a configuration in the netmap capmap is not yet done, so while the connector can be enabled, no domains can yet be added. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Will Norris	e7482f0df0	ipn/ipnlocal: prevent deadlock on WebClientShutdown WebClientShutdown tries to acquire the b.mu lock, so run it in a go routine so that it can finish shutdown after setPrefsLockedOnEntry is finished. This is the same reason b.sshServer.Shutdown is run in a go routine. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
James Tucker	0ee4573a41	ipn/ipnlocal: fix small typo Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	ca4c940a4d	ipn: introduce app connector advertisement preference and flags Introduce a preference structure to store the setting for app connector advertisement. Introduce the associated flags: tailscale up --advertise-connector{=true,=false} tailscale set --advertise-connector{=true,=false} ``` % tailscale set --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale set --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true % tailscale up --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale up --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true ``` Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Will Norris	66c7af3dd3	ipn: replace web client debug flag with node capability Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	44175653dc	ipn/ipnlocal: rename web fields/structs to webClient For consistency and clarity around what the LocalBackend.web field is used for. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	ea599b018c	ipn: serve web client requests from LocalBackend instead of starting a separate server listening on a particular port, use the TCPHandlerForDst method to intercept requests for the special web client port (currently 5252, probably configurable later). Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	28ad910840	ipn: add user pref for running web client This is not currently exposed as a user-settable preference through `tailscale up` or `tailscale set`. Instead, the preference is set when turning the web client on and off via localapi. In a subsequent commit, the pref will be used to automatically start the web client on startup when appropriate. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrea Gottardo	95715c4a12	ipn/localapi: add endpoint to handle APNS payloads (#9972 ) * ipn/localapi: add endpoint to handle APNS payloads Fixes #9971. This adds a new `handle-push-message` local API endpoint. When an APNS payload is delivered to the main app, this endpoint can be used to forward the JSON body of the message to the backend, making a POST request. cc @bradfitz Signed-off-by: Andrea Gottardo <andrea@tailscale.com> * Address comments from code review Signed-off-by: Andrea Gottardo <andrea@tailscale.com> --------- Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	8 months ago
Rhea Ghosh	387a98fe28	ipn/ipnlocal: exclude tvOS devices from taildrop file targets (#10002 )	8 months ago
Tyler Smalley	baa1fd976e	ipn/localapi: require local Windows admin to set serve path (#9969 ) For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	8 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Andrew Lytvynov	593c086866	clientupdate: distinguish when auto-updates are possible (#9896 ) clientupdate.Updater will have a non-nil Update func in a few cases where it doesn't actually perform an update: * on Arch-like distros, where it prints instructions on how to update * on macOS app store version, where it opens the app store page Add a new clientupdate.Arguments field to cause NewUpdater to fail when we hit one of these cases. This results in c2n updates being "not supported" and `tailscale set --auto-update` returning an error. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Maisem Ali	17b2072b72	ipn/ipnlocal: set the push device token correctly It would end up resetting whatever hostinfo we had constructed and leave the backend statemachine in a broken state. This fixes that by storing the PushDeviceToken on the LocalBackend and populating it on Hostinfo before passing it to controlclient. Updates tailscale/corp#8940 Updates tailscale/corp#15367 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	0e89245c0f	ipn/ipnlocal: drop hostinfo param from doSetHostinfoFilterServices The value being passed was the same as whats on b.hostinfo, so just use that directly. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Joe Tsai	152390e80a	ipn/localapi: avoid unkeyed literal (#9933 ) Go has no way to explicitly identify Go struct as effectively a tuple, so staticcheck assumes any external use of unkeyed literals is wrong. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Maisem Ali	f398712c00	ipn/ipnlocal: prevent changing serve config if conf.Locked This adds a check to prevent changes to ServeConfig if tailscaled is run with a Locked config. Missed in `1fc3573446`. Updates #1412 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Sonia Appasamy	68da15516f	ipn/localapi,client/web: clean up auth error handling This commit makes two changes to the web client auth flow error handling: 1. Properly passes back the error code from the noise request from the localapi. Previously we were using io.Copy, which was always setting a 200 response status code. 2. Clean up web client browser sessions on any /wait endpoint error. This avoids the user getting in a stuck state if something goes wrong with their auth path. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Irbe Krumina	eced054796	ipn/ipnlocal: close connections for removed proxy transports (#9884 ) Ensure that when a userspace proxy config is reloaded, connections for any removed proxies are safely closed Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Andrew Lytvynov	25b6974219	ipn/ipnlocal: send ClientVersion to Apple frontends (#9887 ) Apple frontends will now understand this Notify field and handle it. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Irbe Krumina	f09cb45f9d	ipn/ipnlocal: initiate proxy transport once (#9883 ) Initiates http/h2c transport for userspace proxy backend lazily and at most once. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Sonia Appasamy	73bbf941f8	client/web: hook up auth flow Connects serveTailscaleAuth to the localapi webclient endpoint and pipes auth URLs and session cookies back to the browser to redirect users from the frontend. All behind debug flags for now. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Irbe Krumina	09b5bb3e55	ipn/ipnlocal: proxy gRPC requests over h2c if needed. (#9847 ) Updates userspace proxy to detect plaintext grpc requests using the preconfigured host prefix and request's content type header and ensure that these will be proxied over h2c. Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Joe Tsai	3f27087e9d	taildrop: switch hashing to be streaming based (#9861 ) While the previous logic was correct, it did not perform well. Resuming is a dance between the client and server, where 1. the client requests hashes for a partial file, 2. the server then computes those hashes, 3. the client computes hashes locally and compares them. 4. goto 1 while the partial file still has data While step 2 is running, the client is sitting idle. While step 3 is running, the server is sitting idle. By streaming over the block hash immediately after the server computes it, the client can start checking the hash, while the server works on the next hash (in a pipelined manner). This performs dramatically better and also uses less memory as we don't need to hold a list of hashes, but only need to handle one hash at a time. There are two detriments to this approach: * The HTTP API relies on a JSON stream, which is not a standard REST-like pattern. However, since we implement both client and server, this is fine. * While the stream is on-going, we hold an open file handle on the server side while the file is being hashed. On really slow streams, this could hold a file open forever. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Joe Tsai	7971333603	ipn: fix localapi and peerapi protocol for taildrop resume (#9860 ) Minor fixes: * The branch for listing or hashing partial files was inverted. * The host for peerapi call needs to be real (rather than bogus). * Handle remote peers that don't support resuming. * Make resume failures non-fatal (since we can still continue). This was tested locally, end-to-end system test is future work. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	77127a2494	clientupdate: fix background install for linux tarballs (#9852 ) Two bug fixes: 1. when tailscale update is executed as root, `os.UserCacheDir` may return an error because `$XDG_CACHE_HOME` and `$HOME` are not set; fallback to `os.TempDir` in those cases 2. on some weird distros (like my EndeavourOS), `/usr/sbin` is just a symlink to `/usr/bin`; when we resolve `tailscale` binary path from `tailscaled`, allow `tailscaled` to be in either directory Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Joe Tsai	c2a551469c	taildrop: implement asynchronous file deletion (#9844 ) File resumption requires keeping partial files around for some time, but we must still eventually delete them if never resumed. Thus, we implement asynchronous file deletion, which could spawn a background goroutine to delete the files. We also use the same mechanism for deleting files on Windows, where a file can't be deleted if there is still an open file handle. We can enqueue those with the asynchronous file deleter as well. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Brad Fitzpatrick	1fc3573446	ipn/{conffile,ipnlocal}: start booting tailscaled from a config file w/ auth key Updates #1412 Change-Id: Icd880035a31df59797b8379f4af19da5c4c453e2 Co-authored-by: Maisem Ali <maisem@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Rhea Ghosh	9d3c6bf52e	ipn/ipnlocal/peerapi: refactoring taildrop to just one endpoint (#9832 ) Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	b949e208bb	ipn/ipnlocal: fix AllowsUpdate disable after enable (#9827 ) The old code would always retain value `true` if it was set once, even if you then change `prefs.AutoUpdate.Apply` to `false`. Instead of using the previous value, use the default (envknob) value to OR with. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Brad Fitzpatrick	18bd98d35b	cmd/tailscaled,*: add start of configuration file support Updates #1412 Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Rhea Ghosh	71271e41d6	ipn/{ipnlocal/peerapi, localapi} initial taildrop resume api plumbing (#9798 ) This change: * adds a partial files peerAPI endpoint to get a list of partial files * adds a helper function to extract the basename of a file * updates the peer put peerAPI endpoint * updates the file put localapi endpoint to allow resume functionality Updates #14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	8a5b02133d	clientupdate: return ErrUnsupported for macSys clients (#9793 ) The Sparkle-based update is not quite working yet. Make `NewUpdater` return `ErrUnsupported` for it to avoid the proliferation of exceptions up the stack. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Sonia Appasamy	feabb34ea0	ipn/localapi: add debug-web-client endpoint Debug endpoint for the web client's auth flow to talk back to the control server. Restricted behind a feature flag on control. We will either be removing this debug endpoint, or renaming it before launching the web client updates. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Kristoffer Dalby	e06f2f1873	ipn/ipnlocal: change serial number policy to be PreferenceOption This commit changes the PostureChecking syspolicy key to be a PreferenceOption(user-defined, always, never) instead of Bool. This aligns better with the defaults implementation on macOS allowing CLI arguments to be read when user-defined or no defaults is set. Updates #tailscale/tailscale/5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Rhea Ghosh	8c7169105e	ipn/{ipnlocal/peerapi, localapi}: cleaning up http statuses for consistency and readability (#9796 ) Updates #cleanup Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Andrew Lytvynov	af5a586463	ipn/ipnlocal: include AutoUpdate prefs in HostInfo.AllowsUpdate (#9792 ) Updates #9260 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Joe Tsai	b1867eb23f	taildrop: add logic for resuming partial files (#9785 ) We add the following API: * type FileChecksums * type Checksum * func Manager.PartialFiles * func Manager.HashPartialFile * func ResumeReader The Manager methods provide the ability to query for partial files and retrieve a list of checksums for a given partial file. The ResumeReader function is a helper that wraps an io.Reader to discard content that is identical locally and remotely. The FileChecksums type represents the checksums of a file and is safe to JSON marshal and send over the wire. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Maisem Ali	24f322bc43	ipn/ipnlocal: do unexpired cert renewals in the background We were eagerly doing a synchronous renewal of the cert while trying to serve traffic. Instead of that, just do the cert renewal in the background and continue serving traffic as long as the cert is still valid. This regressed in `c1ecae13ab` when we introduced ARI support and were trying to make the experience of `tailscale cert` better. However, that ended up regressing the experience for tsnet as it would not always doing the renewal synchronously. Fixes #9783 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Joe Tsai	37c646d9d3	taildrop: improve the functionality and reliability of put (#9762 ) Changes made: * Move all HTTP related functionality from taildrop to ipnlocal. * Add two arguments to taildrop.Manager.PutFile to specify an opaque client ID and a resume offset (both unused for now). * Cleanup the logic of taildrop.Manager.PutFile to be easier to follow. * Implement file conflict handling where duplicate files are renamed (e.g., "IMG_1234.jpg" -> "IMG_1234 (2).jpg"). * Implement file de-duplication where "renaming" a partial file simply deletes it if it already exists with the same contents. * Detect conflicting active puts where a second concurrent put results in an error. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Maisem Ali	319607625f	ipn/ipnlocal: fix log spam from now expected paths These log paths were actually unexpected until the refactor in `fe95d81b43`. This moves the logs to the callsites where they are actually unexpected. Fixes #9670 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	9d96e05267	net/packet: split off checksum munging into different pkg The current structure meant that we were embedding netstack in the tailscale CLI and in the GUIs. This removes that by isolating the checksum munging to a different pkg which is only called from `net/tstun`. Fixes #9756 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Brad Fitzpatrick	70de16bda7	ipn/localapi: make whois take IP or IP:port as documented, fix capmap netstack lookup The whois handler was documented as taking IP (e.g. 100.101.102.103) or IP:port (e.g. usermode 127.0.0.1:1234) but that got broken at some point and we started requiring a port always. Fix that. Also, found in the process of adding tests: fix the CapMap lookup in userspace mode (it was always returning the caps of 127.0.0.1 in userspace mode). Fix and test that too. Updates #9714 Change-Id: Ie9a59744286522fa91c4b70ebe89a1e94dbded26 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Kristoffer Dalby	7f540042d5	ipn/ipnlocal: use syspolicy to determine collection of posture data Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	9eedf86563	posture: add get serial support for Windows/Linux This commit adds support for getting serial numbers from SMBIOS on Windows/Linux (and BSD) using go-smbios. Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	b4e587c3bd	tailcfg,ipn: add c2n endpoint for posture identity Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Kristoffer Dalby	886917c42b	ipn: add PostureChecks to Prefs Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Brad Fitzpatrick	6f36f8842c	cmd/tailscale, magicsock: add debug command to flip DERP homes For testing netmap patchification server-side. Updates #1909 Change-Id: Ib1d784bd97b8d4a31e48374b4567404aae5280cc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Joe Tsai	e4cb83b18b	taildrop: document and cleanup the package (#9699 ) Changes made: * Unexport declarations specific to internal taildrop functionality. * Document all exported functionality. * Move TestRedactErr to the taildrop package. * Rename and invert Handler.DirectFileDoFinalRename as AvoidFinalRename. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Rhea Ghosh	557ddced6c	{ipn/ipnlocal, taildrop}: move put logic to taildrop (#9680 ) Cleaning up taildrop logic for sending files. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com> Co-authored-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Joe Tsai	c42398b5b7	ipn/ipnlocal: cleanup incomingFile (#9678 ) This is being moved to taildrop, so clean it up to stop depending on so much unreleated functionality by removing a dependency on peerAPIHandler. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net> Co-authored-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Rhea Ghosh	dc1c7cbe3e	taildrop: initial commit of taildrop functionality refactoring (#9676 ) Over time all taildrop functionality will be contained in the taildrop package. This will include end to end unit tests. This is simply the first smallest piece to move over. There is no functionality change in this commit. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com> Co-authored-by: Joseph Tsai <joetsai@tailscale.com>	9 months ago
Sonia Appasamy	3befc0ef02	client/web: restrict full management client behind browser sessions Adds `getTailscaleBrowserSession` to pull the user's session out of api requests, and `serveTailscaleAuth` to provide the "/api/auth" endpoint for browser to request auth status and new sessions. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Brad Fitzpatrick	7868393200	net/dns/resolver, ipnlocal: fix ExitDNS on Android and iOS Advertise it on Android (it looks like it already works once advertised). And both advertise & likely fix it on iOS. Yet untested. Updates #9672 Change-Id: If3b7e97f011dea61e7e75aff23dcc178b6cf9123 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	b4816e19b6	hostinfo, ipnlocal: flesh out Wake-on-LAN support, send MACs, add c2n sender This optionally uploads MAC address(es) to control, then adds a c2n handler so control can ask a node to send a WoL packet. Updates #306 RELNOTE=now supports waking up peer nodes on your LAN via Wake-on-LAN packets Change-Id: Ibea1275fcd2048dc61d7059039abfbaf1ad4f465 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	b775a3799e	util/httpm, all: add a test to make sure httpm is used consistently Updates #cleanup Change-Id: I7dbf8a02de22fc6b317ab5e29cc97792dd75352c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Val	73e53dcd1c	cmd/tailscale,ipn/ipnlocal: print debug component names Make the 'tailscale debug component-logs' command print the component names for which extra logging can be turned on, for easier discoverability of debug functions. Updates #cleanup Co-authored-by: Paul Scott <paul@tailscale.com> Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Brad Fitzpatrick	246e0ccdca	tsnet: add a test for restarting a tsnet server, fix Windows Thanks to @qur and @eric for debugging! Fixes #6973 Change-Id: Ib2cf8f030cf595cc73dd061c72e78ac19f5fae5d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Maisem Ali	354455e8be	ipn: use NodeCapMap in CheckFunnel These were missed when adding NodeCapMap and resulted in tsnet binaries not being able to turn on funnel. Fixes #9566 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
James Tucker	5c2b2fa1f8	ipn/ipnlocal: plumb ExitNodeDNSResolvers for IsWireGuardOnly exit nodes Control sends ExitNodeDNSResolvers when configured for IsWireGuardOnly nodes that are to be used as the default resolver with a lower precedence than split DNS, and a lower precedence than "Override local DNS", but otherwise before local DNS is used when the exit node is in use. Neither of the below changes were problematic, but appeared so alongside a number of other client and external changes. See tailscale/corp#14809. Reland `ea9dd8fabc`. Reland `d52ab181c3`. Updates #9377 Updates tailscale/corp#14809 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Rhea Ghosh	0275afa0c6	ipn/ipnlocal: prevent putting file if file already exists (#9515 ) Also adding tests to ensure this works. Updates tailscale/corp#14772 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	9 months ago
Claire Wang	e3d6236606	winutil: refactor methods to get values from registry to also return (#9536 ) errors Updates tailscale/corp#14879 Signed-off-by: Claire Wang <claire@tailscale.com>	9 months ago
Val	c608660d12	wgengine,net,ipn,disco: split up and define different types of MTU Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Marwan Sulaiman	651620623b	ipn/ipnlocal: close foreground sessions on SetServeConfig This PR ensures zombie foregrounds are shutdown if a new ServeConfig is created that wipes the ongoing foreground ones. For example, "tailscale serve\|funnel reset\|off" should close all open sessions. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Brad Fitzpatrick	04fabcd359	ipn/{ipnlocal,localapi}, cli: add debug force-netmap-update For loading testing & profiling the cost of full netmap updates. Updates #1909 Change-Id: I0afdf5de9967f8d95c7f81d5b531ed1c92c3208f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Val	6cc5b272d8	Revert "wgengine,net,ipn,disco: split up and define different types of MTU" This reverts commit `059051c58a`. Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Val	059051c58a	wgengine,net,ipn,disco: split up and define different types of MTU Prepare for path MTU discovery by splitting up the concept of DefaultMTU() into the concepts of the Tailscale TUN MTU, MTUs of underlying network interfaces, minimum "safe" TUN MTU, user configured TUN MTU, probed path MTU to a peer, and maximum probed MTU. Add a set of likely MTUs to probe. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	9 months ago
Joe Tsai	5473d11caa	ipn/ipnlocal: perform additional sanity check in diskPath (#9500 ) Use filepath.IsLocal to further validate the baseName. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago

1 2 3 4 5 ...

1297 Commits (75f1d3e7d75f67c9b46408b46d10d16d4236dc1a)