tailscale

Commit Graph

Author	SHA1	Message	Date
Cole Helbling	9e71851a36	go.mod.sri: update Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	8 months ago
Cole Helbling	4f62a2ed99	flake: set a default package This allows `nix build` to run, without needing to use `nix build .#tailscale`. Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	8 months ago
Cole Helbling	f737496d7c	flake: drop unnecessary fileContents binding Since the tailscale derivation already has a `pkgs` binding, we can use `pkgs.lib`. Alternatively, we could have used `nixpkgs.lib`, as `fileContents` doesn't need a system to use (anymore?). Signed-off-by: Cole Helbling <cole.helbling@determinate.systems>	8 months ago
Maisem Ali	9107b5eadf	cmd/tailscale/cli: use status before doing interactive feature query We were inconsistent whether we checked if the feature was already enabled which we could do cheaply using the locally available status. We would do the checks fine if we were turning on funnel, but not serve. This moves the cap checks down into enableFeatureInteractive so that are always run. Updates #9984 Co-authored-by: Tyler Smalley <tyler@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
License Updater	e94d345e26	licenses: update android licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	8 months ago
License Updater	7c7f60be22	licenses: update tailscale{,d} licenses Signed-off-by: License Updater <noreply+license-updater@tailscale.com>	8 months ago
Tyler Smalley	baa1fd976e	ipn/localapi: require local Windows admin to set serve path (#9969 ) For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Will Norris	42abf13843	.github: run tests on all PRs, regardless of branch name The branch name selector "*" doesn't match branches with a "/" in their name. The vast majority of our PRs are against the main (or previously, master) branch anyway, so this will have minimal impact. But in the rare cases that we want to open a PR against a branch with a "/" in the name, tests should still run. ``` gh pr list --limit 9999 --state all --json baseRefName \| \ jq -cs '.[] \| group_by(.baseRefName) \| map({ base: .[0].baseRefName, count: map(.baseRefName) \| length}) \| sort_by(-.count) \| .[]' {"base":"main","count":4593} {"base":"master","count":226} {"base":"release-branch/1.48","count":4} {"base":"josh-and-adrian-io_uring","count":3} {"base":"release-branch/1.30","count":3} {"base":"release-branch/1.32","count":3} {"base":"release-branch/1.20","count":2} {"base":"release-branch/1.26","count":2} {"base":"release-branch/1.34","count":2} {"base":"release-branch/1.38","count":2} {"base":"Aadi/speedtest-tailscaled","count":1} {"base":"josh/io_uring","count":1} {"base":"maisem/hi","count":1} {"base":"rel-144","count":1} {"base":"release-branch/1.18","count":1} {"base":"release-branch/1.2","count":1} {"base":"release-branch/1.22","count":1} {"base":"release-branch/1.24","count":1} {"base":"release-branch/1.4","count":1} {"base":"release-branch/1.46","count":1} {"base":"release-branch/1.8","count":1} {"base":"web-client-main","count":1} ``` Updates #cleanup Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Brad Fitzpatrick	b4be4f089f	safesocket: make clear which net.Conns are winio types Follow-up to earlier #9049. Updates #9049 Change-Id: I121fbd2468770233a23ab5ee3df42698ca1dabc2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Andrew Dunham	ef596aed9b	net/portmapper: avoid alloc in getUPnPErrorsMetric Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iea558024c038face24cc46584421998d10f13a66	8 months ago
James Tucker	237b4b5a2a	.github/workflows: add checklocks Currently the checklocks step is not configured to fail, as we do not yet have the appropriate annotations. Updates tailscale/corp#14381 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Tyler Smalley	131518eed1	cmd/tailscale/cli: improve error when bg serve config is present (#9961 ) We prevent shodow configs when starting a foreground when a background serve config already exists for the serve type and port. This PR improves the messaging to let the user know how to remove the previous config. Updates #8489 ENG-2314 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Tyler Smalley	1873bc471b	cmd/tailscale/cli: remove http flag for funnel command (#9955 ) The `--http` flag can not be used with Funnel, so we should remove it to remove confusion. Updates #8489 ENG-2316 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Val	19e5f242e0	net/portmapper: convert UPnP metrics to new syncs.Map.LoadOrInit method Simplify UPnP error metrics by using the new syncs.Map.LoadOrInit method. Updates #cleanup Signed-off-by: Val <valerie@tailscale.com>	8 months ago
Andrew Lytvynov	8326fdd60f	clientupdate: disable auto-updates on Synology for now (#9965 ) Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Flakes Updater	143bda87a3	go.mod.sri: update SRI hash for go.mod changes Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>	8 months ago
Marwan Sulaiman	5f3cdaf283	cmd/tailscale/cli: chage port flags to uint for serve and funnel This PR changes the -https, -http, -tcp, and -tls-terminated-tcp flags from string to int and also updates the validation to ensure they fit the uint16 size as the flag library does not have a Uint16Var method. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	8 months ago
Marwan Sulaiman	a7e4cebb90	cmd/tailscale/cli: refactor TestServeDevConfigMutations The TestServeDevConfigMutations test has 63 steps that all run under the same scope. This tests breaks them out into isolated subtests that can be run independently. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Sonia Appasamy	d79e0fde9c	client/web: split errTaggedSelf resp from getTailscaleBrowserSession Previously returned errTaggedSource in the case that of any tagged source. Now distinguishing whether the source was local or remote. We'll be presenting the two cases with varying copy on the frontend. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	e0a4a02b35	client/web: pipe Server.timeNow() through session funcs Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrew Lytvynov	21b6d373b0	cmd/tailscale/cli: unhide auto-update flags and mark update as Beta (#9954 ) Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Marwan Sulaiman	f5a7551382	cmd/tailscale: fix help message for serve funnel We currently print out "run tailscale serve --help" when the subcmd might be funnel. This PR ensures the right subcmd is passed. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Andrew Lytvynov	d3bc575f35	cmd/tailscale/cli: set Sparkle auto-update on macsys (#9952 ) On `tailscale set --auto-update`, set the Sparkle plist option for it. Also make macsys report not supporting auto-updates over c2n, since they will be triggered by Sparkle locally. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
James Tucker	6f69fe8ad7	wgnengine: remove unused field in userspaceEngine Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Tyler Smalley	269a498c1e	cmd/tailscale/cli: serve --set-path should not force background mode (#9905 ) A few people have run into issues with understanding why `--set-path` started in background mode, and/or why they couldn't use a path in foreground mode. This change allows `--set-path` to be used in either case (foreground or background). updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Thomas Kosiewski	b2ae8fdf80	derp/derphttp: strip port numbers from URL hostname When trying to set up multiple derper instances meshing with each other, it turned out that while one can specify an alternative listening port using the -a flag, the TLS hostname gets incorrectly determined and includes the set alternative listening port as part of the hostname. Thus, the TLS hostname validation always fails when the -mesh-with values have ports. Updates #9949 Signed-off-by: Thomas Kosiewski <thomas.kosiewski@loft.sh>	8 months ago
Brad Fitzpatrick	514539b611	wgengine/magicsock: close disco listeners on Conn.Close, fix Linux root TestNewConn TestNewConn now passes as root on Linux. It wasn't closing the BPF listeners and their goroutines. The code is still a mess of two Close overlapping code paths, but that can be refactored later. For now, make the two close paths more similar. Updates #9945 Change-Id: I8a3cf5fb04d22ba29094243b8e645de293d9ed85 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Andrew Lytvynov	593c086866	clientupdate: distinguish when auto-updates are possible (#9896 ) clientupdate.Updater will have a non-nil Update func in a few cases where it doesn't actually perform an update: * on Arch-like distros, where it prints instructions on how to update * on macOS app store version, where it opens the app store page Add a new clientupdate.Arguments field to cause NewUpdater to fail when we hit one of these cases. This results in c2n updates being "not supported" and `tailscale set --auto-update` returning an error. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
James Tucker	7df6f8736a	wgengine/netstack: only add addresses to correct protocols Prior to an earlier netstack bump this code used a string conversion path to cover multiple cases of behavior seemingly checking for unspecified addresses, adding unspecified addresses to v6. The behavior is now crashy in netstack, as it is enforcing address length in various areas of the API, one in particular being address removal. As netstack is now protocol specific, we must not create invalid protocol addresses - an address is v4 or v6, and the address value contained inside must match. If a control path attempts to do something otherwise it is now logged and skipped rather than incorrect addressing being added. Fixes tailscale/corp#15377 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Tyler Smalley	35d7b3aa27	cmd/tailscale/cli: updates help and background messaging (#9929 ) * Fixes issue with template string not being provided in help text * Updates background information to provide full URL, including path, to make it clear the source and destination * Restores some tests * Removes AllowFunnel in ServeConfig if no proxy exists for that port. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Marwan Sulaiman	c53ee37912	cmd/tailscale: add set-raw to the new serve funnel commands This PR adds the same set-raw from the old flow into the new one so that users can continue to use it when transitioning into the new flow. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Marwan Sulaiman	f232d4554a	cmd/tailscale: translate old serve commands to new ones This PR fixes the isLegacyInvocation to better catch serve and funnel legacy commands. In addition, it now also returns a string that translates the old command into the new one so that users can have an easier transition story. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Sonia Appasamy	62d08d26b6	client/web: set Server.cgiMode field Updates tailscale/corp#15373 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> Co-authored-by: Will Norris <will@tailscale.com>	8 months ago
Maisem Ali	17b2072b72	ipn/ipnlocal: set the push device token correctly It would end up resetting whatever hostinfo we had constructed and leave the backend statemachine in a broken state. This fixes that by storing the PushDeviceToken on the LocalBackend and populating it on Hostinfo before passing it to controlclient. Updates tailscale/corp#8940 Updates tailscale/corp#15367 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	0e89245c0f	ipn/ipnlocal: drop hostinfo param from doSetHostinfoFilterServices The value being passed was the same as whats on b.hostinfo, so just use that directly. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Joe Tsai	152390e80a	ipn/localapi: avoid unkeyed literal (#9933 ) Go has no way to explicitly identify Go struct as effectively a tuple, so staticcheck assumes any external use of unkeyed literals is wrong. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Marwan Sulaiman	60e768fd14	cmd/tailscale: allow serve\|funnel off to delete an entire port This PR allows you to do "tailscale serve -bg -https:4545 off" and it will delete all handlers under it. It will also prompt you for a y/n in case you wanted to delete a single port. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Andrew Lytvynov	e561f1ce61	clientupdate: manually restart Windows GUI after update (#9906 ) When updating via c2n, `tailscale.exe update` runs from `tailscaled.exe` which runs as SYSTEM. The MSI installer does not start the GUI when running as SYSTEM. This results in Tailscale just existing on auto-update, which is ungood. Instead, always ask the MSI installer to not launch the GUI (via `TS_NOLAUNCH` argument) and launch it manually with a token from the current logged in user. The token code was borrowed from `d9081d6ba2/net/dns/wsl_windows.go (L207-L232)` Also, make some logging changes so that these issues are easier to debug in the future. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Irbe Krumina	e9956419f6	cmd/k8s-operator: allow cleanup of cluster resources for deleted devices (#9917 ) Users should delete proxies by deleting or modifying the k8s cluster resources that they used to tell the operator to create they proxy. With this flow, the tailscale operator will delete the associated device from the control. However, in some cases users might have already deleted the device from the control manually. Updates tailscale/tailscale#9773 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Brad Fitzpatrick	e87862bce3	go.toolchain.rev: bump Tailscale Go toolchain Updates tailscale/go#77 Change-Id: I367465fb90cd4369cfbafd913c3964bfe5553dd0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Maisem Ali	f398712c00	ipn/ipnlocal: prevent changing serve config if conf.Locked This adds a check to prevent changes to ServeConfig if tailscaled is run with a Locked config. Missed in `1fc3573446`. Updates #1412 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Tyler Smalley	d9081d6ba2	cmd/tailscale/cli: update serve/funnel CLI help text (#9895 ) updates #8489 ENG-2308 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Adrian Dewhurst	5347e6a292	control/controlclient: support certstore without cgo We no longer build Windows releases with cgo enabled, which automatically turned off certstore support. Rather than re-enabling cgo, we updated our fork of the certstore package to no longer require cgo. This updates the package, cleans up how the feature is configured, and removes the cgo build tag requirement. Fixes tailscale/corp#14797 Fixes tailscale/coral#118 Change-Id: Iaea34340761c0431d759370532c16a48c0913374 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Sonia Appasamy	68da15516f	ipn/localapi,client/web: clean up auth error handling This commit makes two changes to the web client auth flow error handling: 1. Properly passes back the error code from the noise request from the localapi. Previously we were using io.Copy, which was always setting a 200 response status code. 2. Clean up web client browser sessions on any /wait endpoint error. This avoids the user getting in a stuck state if something goes wrong with their auth path. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrew Lytvynov	70f9c8a6ed	clientupdate: change Mac App Store support (#9891 ) In the sandboxed app from the app store, we cannot check `/Library/Preferences/com.apple.commerce.plist` or run `softwareupdate`. We can at most print a helpful message and open the app store page. Also, reenable macsys update function to mark it as supporting c2n updates. macsys support in `tailscale update` was fixed. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Irbe Krumina	eced054796	ipn/ipnlocal: close connections for removed proxy transports (#9884 ) Ensure that when a userspace proxy config is reloaded, connections for any removed proxies are safely closed Updates tailscale/tailscale#9725 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Sonia Appasamy	1df2d14c8f	client/web: use auth ID in browser sessions Stores ID from tailcfg.WebClientAuthResponse in browser session data, and uses ID to hit control server /wait endpoint. No longer need the control url cached, so removed that from Server. Also added optional timeNow field, initially to manage time from tests. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago

1 2 3 4 5 ...

6608 Commits (9e71851a36ef5c7e2fb043f98ea2619ce42867b2) All Branches Search

6608 Commits (9e71851a36ef5c7e2fb043f98ea2619ce42867b2)

All Branches