tailscale

Commit Graph

Author	SHA1	Message	Date
Nick Khyl	961ee321e8	ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client. These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config) requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues. We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other platforms when switching between profiles that have different OperatorUser values in ipn.Prefs. We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device (e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation. The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device and against the current (and/or the target) profile. This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next PRs and removing the deprecated methods and the Permit* flags at the end of the transition. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	3 weeks ago
Kristoffer Dalby	a2c42d3cd4	usermetric: add initial user-facing metrics This commit adds a new usermetric package and wires up metrics across the tailscale client. Updates tailscale/corp#22075 Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Percy Wegmann	74b9fa1348	ipn/localapi: only flush relevant data in multiFilePostResponseWriter.Flush() This prevents two things: 1. Crashing if there's no response body 2. Sending a nonsensical 0 response status code Updates tailscale/corp#22357 Signed-off-by: Percy Wegmann <percy@tailscale.com>	1 month ago
Andrew Lytvynov	e7bf6e716b	cmd/tailscale: add --min-validity flag to the cert command (#12822 ) Some users run "tailscale cert" in a cron job to renew their certificates on disk. The time until the next cron job run may be long enough for the old cert to expire with our default heristics. Add a `--min-validity` flag which ensures that the returned cert is valid for at least the provided duration (unless it's longer than the cert lifetime set by Let's Encrypt). Updates #8725 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Andrew Dunham	45d2f4301f	proxymap, various: distinguish between different protocols Previously, we were registering TCP and UDP connections in the same map, which could result in erroneously removing a mapping if one of the two connections completes while the other one is still active. Add a "proto string" argument to these functions to avoid this. Additionally, take the "proto" argument in LocalAPI, and plumb that through from the CLI and add a new LocalClient method. Updates tailscale/corp#20600 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I35d5efaefdfbf4721e315b8ca123f0c8af9125fb	3 months ago
Brad Fitzpatrick	6908fb0de3	ipn/localapi,client/tailscale,cmd/derper: add WhoIs lookup by nodekey, use in derper Fixes #12465 Change-Id: I9b7c87315a3d2b2ecae2b8db9e94b4f5a1eef74a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Irbe Krumina	bc53ebd4a0	ipn/{ipnlocal,localapi},net/netkernelconf,client/tailscale,cmd/containerboot: optionally enable UDP GRO forwarding for containers (#12410 ) Add a new TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS env var that can be set for tailscale/tailscale container running as a subnet router or exit node to enable UDP GRO forwarding for improved performance. See https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes This is currently considered an experimental approach; the configuration support is partially to allow further experimentation with containerized environments to evaluate the performance improvements. Updates tailscale/tailscale#12295 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Maisem Ali	42cfbf427c	tsnet,wgengine/netstack: add ListenPacket and tests This adds a new ListenPacket function on tsnet.Server which acts mostly like `net.ListenPacket`. Unlike `Server.Listen`, this requires listening on a specific IP and does not automatically listen on both V4 and V6 addresses of the Server when the IP is unspecified. To test this, it also adds UDP support to tsdial.Dialer.UserDial and plumbs it through the localapi. Then an associated test to make sure the UDP functionality works from both sides. Updates #12182 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 months ago
Brad Fitzpatrick	21509db121	ipn/ipnlocal, all: plumb health trackers in tests I saw some panics in CI, like: 2024-05-08T04:30:25.9553518Z ## WARNING: (non-fatal) nil health.Tracker (being strict in CI): 2024-05-08T04:30:25.9554043Z goroutine 801 [running]: 2024-05-08T04:30:25.9554489Z tailscale.com/health.(Tracker).nil(0x0) 2024-05-08T04:30:25.9555086Z tailscale.com/health/health.go:185 +0x70 2024-05-08T04:30:25.9555688Z tailscale.com/health.(Tracker).SetUDP4Unbound(0x0, 0x0) 2024-05-08T04:30:25.9556373Z tailscale.com/health/health.go:532 +0x2f 2024-05-08T04:30:25.9557296Z tailscale.com/wgengine/magicsock.(Conn).bindSocket(0xc0003b4808, 0xc0003b4878, {0x1fbca53, 0x4}, 0x0) 2024-05-08T04:30:25.9558301Z tailscale.com/wgengine/magicsock/magicsock.go:2481 +0x12c5 2024-05-08T04:30:25.9559026Z tailscale.com/wgengine/magicsock.(Conn).rebind(0xc0003b4808, 0x0) 2024-05-08T04:30:25.9559874Z tailscale.com/wgengine/magicsock/magicsock.go:2510 +0x16f 2024-05-08T04:30:25.9561038Z tailscale.com/wgengine/magicsock.NewConn({0xc000063c80, 0x0, 0xc000197930, 0xc000197950, 0xc000197960, {0x0, 0x0}, 0xc000197970, 0xc000198ee0, 0x0, ...}) 2024-05-08T04:30:25.9562402Z tailscale.com/wgengine/magicsock/magicsock.go:476 +0xd5f 2024-05-08T04:30:25.9563779Z tailscale.com/wgengine.NewUserspaceEngine(0xc000063c80, {{0x22c8750, 0xc0001976b0}, 0x0, {0x22c3210, 0xc000063c80}, {0x22c31d8, 0x2d3c900}, 0x0, 0x0, ...}) 2024-05-08T04:30:25.9564982Z tailscale.com/wgengine/userspace.go:389 +0x159d 2024-05-08T04:30:25.9565529Z tailscale.com/ipn/ipnlocal.newTestBackend(0xc000358b60) 2024-05-08T04:30:25.9566086Z tailscale.com/ipn/ipnlocal/serve_test.go:675 +0x2a5 2024-05-08T04:30:25.9566612Z ta Updates #11874 Change-Id: I3432ed52d670743e532be4642f38dbd6e3763b1b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Fran Bull	6a0fbacc28	appc: setting AdvertiseRoutes explicitly discards app connector routes This fixes bugs where after using the cli to set AdvertiseRoutes users were finding that they had to restart tailscaled before the app connector would advertise previously learned routes again. And seems more in line with user expectations. Fixes #11006 Signed-off-by: Fran Bull <fran@tailscale.com>	5 months ago
Brad Fitzpatrick	6d69fc137f	ipn/{ipnlocal,localapi},wgengine{,/magicsock}: plumb health.Tracker Down to 25 health.Global users. After this remains controlclient & net/dns & wgengine/router. Updates #11874 Updates #4136 Change-Id: I6dd1856e3d9bf523bdd44b60fb3b8f7501d5dc0d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Brad Fitzpatrick	ebc552d2e0	health: add Tracker type, in prep for removing global variables This moves most of the health package global variables to a new `health.Tracker` type. But then rather than plumbing the Tracker in tsd.System everywhere, this only goes halfway and makes one new global Tracker (`health.Global`) that all the existing callers now use. A future change will eliminate that global. Updates #11874 Updates #4136 Change-Id: I6ee27e0b2e35f68cb38fecdb3b2dc4c3f2e09d68 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Joe Tsai	63b3c82587	ipn/local: log OS-specific diagnostic information as JSON (#11700 ) There is an undocumented 16KiB limit for text log messages. However, the limit for JSON messages is 256KiB. Even worse, logging JSON as text results in significant overhead since each double quote needs to be escaped. Instead, use logger.Logf.JSON to explicitly log the info as JSON. We also modify osdiag to return the information as structured data rather than implicitly have the package log on our behalf. This gives more control to the caller on how to log. Updates #7802 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	5 months ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Brad Fitzpatrick	7ec0dc3834	ipn/ipnlocal: make StartLoginInteractive take (yet unused) context In prep for future fix to undermentioned issue. Updates tailscale/tailscale#7036 Change-Id: Ide114db917dcba43719482ffded6a9a54630d99e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Claire Wang	9171b217ba	cmd/tailscale, ipn/ipnlocal: add suggest exit node CLI option (#11407 ) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	5 months ago
Brad Fitzpatrick	b9aa7421d6	ipn/ipnlocal: remove some dead code (legacyBackend methods) from LocalBackend Nothing used it. Updates #11649 Change-Id: Ic1c331d947974cd7d4738ff3aafe9c498853689e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Brad Fitzpatrick	a5e1f7d703	ipn/{ipnlocal,localapi}: add API to toggle use of exit node This is primarily for GUIs, so they don't need to remember the most recently used exit node themselves. This adds some CLI commands, but they're disabled and behind the WIP envknob, as we need to consider naming (on/off is ambiguous with running an exit node, etc) as well as automatic exit node selection in the future. For now the CLI commands are effectively developer debug things to test the LocalAPI. Updates tailscale/corp#18724 Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Brad Fitzpatrick	38377c37b5	ipn/localapi: sort localapi handler map keys Updates #cleanup Change-Id: I750ed8d033954f1f8786fb35dd16895bb1c5af8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	6 months ago
Charlotte Brandhorst-Satzkorn	8c75da27fc	drive: move normalizeShareName into pkg drive and make func public (#11638 ) This change makes the normalizeShareName function public, so it can be used for validation in control. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590 ) This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	6 months ago
Percy Wegmann	66e4d843c1	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	6 months ago
Percy Wegmann	bed818a978	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	6 months ago
James Tucker	e0f97738ee	localapi: reduce garbage production in bus watcher Updates #optimization Signed-off-by: James Tucker <james@tailscale.com>	6 months ago
Brad Fitzpatrick	ad33e47270	ipn/{ipnlocal,localapi}: add debug verb to force spam IPN bus NetMap To force the problem in its worst case scenario before fixing it. Updates tailscale/corp#17859 Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Percy Wegmann	e496451928	ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS shares - Updates API to support renaming TailFS shares. - Adds a CLI rename subcommand for renaming a share. - Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update. - Adds a unit test for TailFS in ipnlocal Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	7 months ago
Percy Wegmann	6c160e6321	ipn,tailfs: tie TailFS share configuration to user profile Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	7 months ago
Andrea Gottardo	0cb86468ca	ipn/localapi: add set-gui-visible endpoint Updates tailscale/corp#17859 Provides a local API endpoint to be called from the GUI to inform the backend when the client menu is opened or closed. cc @bradfitz Signed-off-by: Andrea Gottardo <andrea@gottardo.me> Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	7 months ago
Percy Wegmann	abab0d4197	tailfs: clean up naming and package structure - Restyles tailfs -> tailFS - Defines interfaces for main TailFS types - Moves implemenatation of TailFS into tailfsimpl package Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	7 months ago
Percy Wegmann	993acf4475	tailfs: initial implementation Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	7 months ago
kari-ts	5595b61b96	ipn/localapi: more http status cleanup (#10995 ) Use Http.StatusOk instead of 200 Updates #cleanup	8 months ago
Andrew Dunham	d3574a350f	cmd/tailscale, ipn/ipnlocal: add 'debug dial-types' command This command allows observing whether a given dialer ("SystemDial", "UserDial", etc.) will successfully obtain a connection to a provided host, from inside tailscaled itself. This is intended to help debug a variety of issues from subnet routers to split DNS setups. Updates #9619 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ie01ebb5469d3e287eac633ff656783960f697b84	9 months ago
Sonia Appasamy	ac6f671c54	ipn/localapi: use clientupdate.CanAutoUpdate from serveUpdateCheck Fixes #10486 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	bd534b971a	{client/web},{ipn/ipnlocal}: replace localapi debug-web-client endpoint This change removes the existing debug-web-client localapi endpoint and replaces it with functions passed directly to the web.ServerOpts when constructing a web.ManageServerMode client. The debug-web-client endpoint previously handled making noise requests to the control server via the /machine/webclient/ endpoints. The noise requests must be made from tailscaled, which has the noise connection open. But, now that the full client is served from tailscaled, we no longer need to proxy this request over the localapi. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Brad Fitzpatrick	3bd382f369	wgengine/magicsock: add DERP homeless debug mode for testing In DERP homeless mode, a DERP home connection is not sought or maintained and the local node is not reachable. Updates #3363 Updates tailscale/corp#396 Change-Id: Ibc30488ac2e3cfe4810733b96c2c9f10a51b8331 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Naman Sood	e57fd9cda4	ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update (#10188 ) * ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * depaware Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	11 months ago
Andrew Lytvynov	55cd5c575b	ipn/localapi: only perform local-admin check in serveServeConfig (#10163 ) On unix systems, the check involves executing sudo, which is slow. Instead of doing it for every incoming request, move the logic into localapi serveServeConfig handler and do it as needed. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	11 months ago
Jordan Whited	12d5c99b04	client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071 ) Updates tailscale/corp#9990 Signed-off-by: Jordan Whited <jordan@tailscale.com>	11 months ago
Andrew Lytvynov	9b158db2c6	ipn/localapi: require root or sudo+operator access for SetServeConfig (#10142 ) For an operator user, require them to be able to `sudo tailscale` to use `tailscale serve`. This is similar to the Windows elevated token check. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	11 months ago
Andrew Lytvynov	f0bc95a066	ipn/localapi: make serveTKASign require write permission (#10094 ) The existing read permission check looks like an oversight. Write seems more appropriate for sining new nodes. Updates https://github.com/tailscale/corp/issues/15506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	11 months ago
Sonia Appasamy	da31ce3a64	ipn/localapi: remove webclient endpoint Managing starting/stopping tailscaled web client purely via setting the RunWebClient pref. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Andrew Lytvynov	c6a4612915	ipn/localapi: require Write access on /watch-ipn-bus with private keys (#10059 ) Clients optionally request private key filtering. If they don't, we should require Write access for the user. Updates https://github.com/tailscale/corp/issues/15506 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	11 months ago
Sonia Appasamy	44175653dc	ipn/ipnlocal: rename web fields/structs to webClient For consistency and clarity around what the LocalBackend.web field is used for. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Will Norris	28ad910840	ipn: add user pref for running web client This is not currently exposed as a user-settable preference through `tailscale up` or `tailscale set`. Instead, the preference is set when turning the web client on and off via localapi. In a subsequent commit, the pref will be used to automatically start the web client on startup when appropriate. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	11 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago
Andrea Gottardo	95715c4a12	ipn/localapi: add endpoint to handle APNS payloads (#9972 ) * ipn/localapi: add endpoint to handle APNS payloads Fixes #9971. This adds a new `handle-push-message` local API endpoint. When an APNS payload is delivered to the main app, this endpoint can be used to forward the JSON body of the message to the backend, making a POST request. cc @bradfitz Signed-off-by: Andrea Gottardo <andrea@tailscale.com> * Address comments from code review Signed-off-by: Andrea Gottardo <andrea@tailscale.com> --------- Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	11 months ago
Tyler Smalley	baa1fd976e	ipn/localapi: require local Windows admin to set serve path (#9969 ) For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	11 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	11 months ago

1 2 3 4 5

224 Commits (959285e0c540d996135ed0db970fd88f0f983a30)