tailscale

Commit Graph

Author	SHA1	Message	Date
Sonia Appasamy	95f26565db	client/web: use grants on web UI frontend Starts using peer capabilities to restrict the management client on a per-view basis. This change also includes a bulky cleanup of the login-toggle.tsx file, which was getting pretty unwieldy in its previous form. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	4 months ago
Sonia Appasamy	9aa704a05d	client/web: restrict serveAPI endpoints to peer capabilities This change adds a new apiHandler struct for use from serveAPI to aid with restricting endpoints to specific peer capabilities. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	4 months ago
Sonia Appasamy	2bb837a9cf	client/web: only check policy caps for tagged nodes For user-owned nodes, only the owner is ever allowed to manage the node. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Sonia Appasamy	331a6d105f	client/web: add initial types for using peer capabilities Sets up peer capability types for future use within the web client views and APIs. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Will Norris	569b91417f	client/web: ensure path prefix has a leading slash This is simply an extra check to prevent hypothetical issues if a prefix such as `--prefix="javascript:alert(1)"` was provided. This isn't really necessary since the prefix is a configuration flag provided by the device owner, not user input. But it does enforce that we are always interpreting the provided value as a path relative to the root. Fixes: tailscale/corp#16268 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Chris Palmer	b62a3fc895	client/web: keep redirects on-site (#10525 ) Ensure we don't create Location: header URLs that have leading //, which is a schema-less reference to arbitrary 3rd-party sites. That is, //example.com/foo redirects off-site, while /example.com/foo is an on-site path URL. Fixes tailscale/corp#16268 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	7 months ago
Sonia Appasamy	4fb679d9cd	client/web: fix redirect logic when accessing login client over TS IP Was previously failing to redirect to the manage client when accessing the login client with the Tailscale IP. Updates #10261 Fixes tailscale/corp#16348 Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Mario Minardi	4e012794fc	client/web: add metric logging when viewing local / remote node (#10555 ) Add metric logging for the case where a user is viewing a local or remote node. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	7 months ago
Will Norris	69b56462fc	client/web: check content-type on PATCH requests Updates #10261 Fixes tailscale/corp#16267 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Mario Minardi	21958d2934	client/web: add logging of device management type for web client (#10492 ) Add logging of device management type for the web client auth flow. Namely, this differentiates between viewing a node you do not own, viewing a local tagged node, viewing a remote tagged node, managing a local node, and managing a remote node. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	7 months ago
Will Norris	26db9775f8	client/web: skip check mode for non-tailscale.com control servers (#10413 ) client/web: skip check mode for non-tailscale.com control servers Only enforce check mode if the control server URL ends in ".tailscale.com". This allows the web client to be used with headscale (or other) control servers while we work with the project to add check mode support (tracked in juanfont/headscale#1623). Updates #10261 Co-authored-by: Sonia Appasamy <sonia@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com> Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	bd534b971a	{client/web},{ipn/ipnlocal}: replace localapi debug-web-client endpoint This change removes the existing debug-web-client localapi endpoint and replaces it with functions passed directly to the web.ServerOpts when constructing a web.ManageServerMode client. The debug-web-client endpoint previously handled making noise requests to the control server via the /machine/webclient/ endpoints. The noise requests must be made from tailscaled, which has the noise connection open. But, now that the full client is served from tailscaled, we no longer need to proxy this request over the localapi. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	86c8ab7502	client/web: add readonly/manage toggle Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	6b956b49e0	client/web: add some security checks for full client Require that requests to servers in manage mode are made to the Tailscale IP (either ipv4 or ipv6) or quad-100. Also set various security headers on those responses. These might be too restrictive, but we can relax them as needed. Allow requests to /ok (even in manage mode) with no checks. This will be used for the connectivity check from a login client to see if the management client is reachable. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	e5dcf7bdde	client/web: move auth session creation out of /api/auth Splits auth session creation into two new endpoints: /api/auth/session/new - to request a new auth session /api/auth/session/wait - to block until user has completed auth url Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	191e2ce719	client/web: add ServerMode to web.Server Adds a new Mode to the web server, indicating the specific scenario the constructed server is intended to be run in. Also starts filling this from the cli/web and ipn/ipnlocal callers. From cli/web this gets filled conditionally based on whether the preview web client node cap is set. If not set, the existing "legacy" client is served. If set, both a login/lobby and full management client are started (in "login" and "manage" modes respectively). Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	4ce4bb6271	client/web: limit authorization checks to API calls This completes the migration to setting up authentication state in the client first before fetching any node data or rendering the client view. Notable changes: - `authorizeRequest` is now only enforced on `/api/*` calls (with the exception of /api/auth, which is handled early because it's needed to initially setup auth, particularly for synology) - re-separate the App and WebClient components to ensure that auth is completed before moving on - refactor platform auth (synology and QNAP) to fit into this new structure. Synology no longer returns redirect for auth, but returns authResponse instructing the client to fetch a SynoToken Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	7a725bb4f0	client/web: move more session logic to auth.go Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	d79e0fde9c	client/web: split errTaggedSelf resp from getTailscaleBrowserSession Previously returned errTaggedSource in the case that of any tagged source. Now distinguishing whether the source was local or remote. We'll be presenting the two cases with varying copy on the frontend. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	e0a4a02b35	client/web: pipe Server.timeNow() through session funcs Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	1df2d14c8f	client/web: use auth ID in browser sessions Stores ID from tailcfg.WebClientAuthResponse in browser session data, and uses ID to hit control server /wait endpoint. No longer need the control url cached, so removed that from Server. Also added optional timeNow field, initially to manage time from tests. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	73bbf941f8	client/web: hook up auth flow Connects serveTailscaleAuth to the localapi webclient endpoint and pipes auth URLs and session cookies back to the browser to redirect users from the frontend. All behind debug flags for now. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	851536044a	client/web: add tests for authorizeRequest Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	3befc0ef02	client/web: restrict full management client behind browser sessions Adds `getTailscaleBrowserSession` to pull the user's session out of api requests, and `serveTailscaleAuth` to provide the "/api/auth" endpoint for browser to request auth status and new sessions. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Maisem Ali	b90b9b4653	client/web: fix data race Fixes #9150 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Sonia Appasamy	da6eb076aa	client/web: add localapi proxy Adds proxy to the localapi from /api/local/ web client endpoint. The localapi proxy is restricted to an allowlist of those actually used by the web client frontend. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Will Norris	f9066ac1f4	client/web: extract web client from cli package move the tailscale web client out of the cmd/tailscale/cli package, into a new client/web package. The remaining cli/web.go file is still responsible for parsing CLI flags and such, and then calls into client/web. This will allow the web client to be hooked into from other contexts (for example, from a tsnet server), and provide a dedicated space to add more functionality to this client. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	11 months ago

27 Commits (80df8ffb8557b286367aaeb4f323cd9e42914657)