tailscale

Commit Graph

Author	SHA1	Message	Date
Aaron Klotz	855f79fad7	cmd/tailscaled, util/winutil: changes to process and token APIs in winutil This PR changes the internal getTokenInfo function to use generics. I also removed our own implementations for obtaining a token's user and primary group in favour of calling the ones now available in x/sys/windows. Furthermore, I added two new functions for working with tokens, logon session IDs, and Terminal Services / RDP session IDs. I modified our privilege enabling code to allow enabling of multiple privileges via one single function call. Finally, I added the ProcessImageName function and updated the code in tailscaled_windows.go to use that instead of directly calling the underlying API. All of these changes will be utilized by subsequent PRs pertaining to this issue. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Will Norris	9b537f7c97	ipn: remove the preview-webclient node capability Now that 1.54 has released, and the new web client will be included in 1.56, we can remove the need for the node capability. This means that all 1.55 unstable builds, and then eventually the 1.56 build, will work without setting the node capability. The web client still requires the "webclient" user pref, so this does NOT mean that the web client will be on by default for all devices. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	303a1e86f5	cmd/tailscale: expose --webclient for all builds This removes the dev/unstable build check for the --webclient flag on `tailscale set`, so that it will be included in the next major stable release (1.56) Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Andrew Dunham	e33bc64cff	net/dnsfallback: add singleflight to recursive resolver This prevents running more than one recursive resolution for the same hostname in parallel, which can use excessive amounts of CPU when called in a tight loop. Additionally, add tests that hit the network (when run with a flag) to test the lookup behaviour. Updates tailscale/corp#15261 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I39351e1d2a8782dd4c52cb04b3bd982eb651c81e	8 months ago
Sonia Appasamy	bb31912ea5	cmd/cli: remove --webclient flag from up Causing issues building a stable release. Getting rid of the flag for now because it was only available in unstable, can still be turned on through localapi. A #cleanup Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Andrew Lytvynov	c3f1bd4c0a	clientupdate: fix auto-update on Windows over RDP (#10242 ) `winutil.WTSGetActiveConsoleSessionId` only works for physical desktop logins and does not return the session ID for RDP logins. We need to `windows.WTSEnumerateSessions` and find the active session. Fixes https://github.com/tailscale/corp/issues/15772 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Tom DNetto	90a0aafdca	cmd/tailscale: warn if app-connector is enabled without ip forwarding Fixes: ENG-2446 Signed-off-by: Tom DNetto <tom@tailscale.com>	8 months ago
Naman Sood	e57fd9cda4	ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update (#10188 ) * ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * depaware Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in> * address review feedback Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	8 months ago
Andrew Lytvynov	55cd5c575b	ipn/localapi: only perform local-admin check in serveServeConfig (#10163 ) On unix systems, the check involves executing sudo, which is slow. Instead of doing it for every incoming request, move the logic into localapi serveServeConfig handler and do it as needed. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Jordan Whited	12d5c99b04	client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071 ) Updates tailscale/corp#9990 Signed-off-by: Jordan Whited <jordan@tailscale.com>	8 months ago
Andrew Lytvynov	1fc1077052	ssh/tailssh,util: extract new osuser package from ssh code (#10170 ) This package is a wrapper for os/user that handles non-cgo builds, gokrazy and user shells. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Will Norris	fdbe511c41	cmd/tailscale: add -webclient flag to up and set Initially, only expose this flag on dev and unstable builds. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	942d720a16	cli/web: don't block startup on status req If the status request to check for the preview node cap fails, continue with starting up the legacy client. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	7e81c83e64	cmd/tailscale: respect existing web client pref After running `tailscale web`, only disable the user pref if it was not already previously set. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	0ecfc1d5c3	client/web: fill devMode from an env var Avoids the need to pipe a web client dev flag through the tailscaled command. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	191e2ce719	client/web: add ServerMode to web.Server Adds a new Mode to the web server, indicating the specific scenario the constructed server is intended to be run in. Also starts filling this from the cli/web and ipn/ipnlocal callers. From cli/web this gets filled conditionally based on whether the preview web client node cap is set. If not set, the existing "legacy" client is served. If set, both a login/lobby and full management client are started (in "login" and "manage" modes respectively). Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
James Tucker	f27b2cf569	appc,cmd/sniproxy,ipn/ipnlocal: split sniproxy configuration code out of appc The design changed during integration and testing, resulting in the earlier implementation growing in the appc package to be intended now only for the sniproxy implementation. That code is moved to it's final location, and the current App Connector code is now renamed. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Aaron Klotz	47019ce1f1	cmd/tailscaled: pre-load wintun.dll using a fully-qualified path In corp PR #14970 I updated the installer to set a security mitigation that always forces system32 to the front of the Windows dynamic linker's search path. Unfortunately there are other products out there that, partying like it's 1995, drop their own, older version of wintun.dll into system32. Since we look there first, we end up loading that old version. We can fix this by preloading wintun using a fully-qualified path. When wintun-go then loads wintun, the dynamic linker will hand it the module that was previously loaded by us. Fixes #10023, #10025, #10052 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Irbe Krumina	af49bcaa52	cmd/k8s-operator: set different app type for operator with proxy (#10081 ) Updates tailscale/tailscale#9222 plain k8s-operator should have hostinfo.App set to 'k8s-operator', operator with proxy should have it set to 'k8s-operator-proxy'. In proxy mode, we were setting the type after it had already been set to 'k8s-operator' Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
James Tucker	6ad54fed00	appc,ipn/ipnlocal: add App Connector domain configuration from mapcap The AppConnector is now configured by the mapcap from the control plane. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
James Tucker	b48b7d82d0	appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs An EmbeddedAppConnector is added that when configured observes DNS responses from the PeerAPI. If a response is found matching a configured domain, routes are advertised when necessary. The wiring from a configuration in the netmap capmap is not yet done, so while the connector can be enabled, no domains can yet be added. Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
David Anderson	37863205ec	cmd/k8s-operator: strip credentials from client config in noauth mode Updates tailscale/corp#15526 Signed-off-by: David Anderson <danderson@tailscale.com>	8 months ago
Rhea Ghosh	970eb5e784	cmd/k8s-operator: sanitize connection headers (#10063 ) Fixes tailscale/corp#15526 Signed-off-by: Rhea Ghosh <rhea@tailscale.com>	8 months ago
James Tucker	ca4c940a4d	ipn: introduce app connector advertisement preference and flags Introduce a preference structure to store the setting for app connector advertisement. Introduce the associated flags: tailscale up --advertise-connector{=true,=false} tailscale set --advertise-connector{=true,=false} ``` % tailscale set --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale set --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true % tailscale up --advertise-connector=false % tailscale debug prefs \| jq .AppConnector.Advertise false % tailscale up --advertise-connector=true % tailscale debug prefs \| jq .AppConnector.Advertise true ``` Updates tailscale/corp#15437 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Irbe Krumina	c2b87fcb46	cmd/k8s-operator/deploy/chart,.github/workflows: use helm chart API v2 (#10055 ) API v1 is compatible with helm v2 and v2 is not. However, helm v2 (the Tiller deployment mechanism) was deprecated in 2020 and no-one should be using it anymore. This PR also adds a CI lint test for helm chart Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	8 months ago
Will Norris	66c7af3dd3	ipn: replace web client debug flag with node capability Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Brad Fitzpatrick	3d7fb6c21d	derp/derphttp: fix race in mesh watcher The derphttp client automatically reconnects upon failure. RunWatchConnectionLoop called derphttp.Client.WatchConnectionChanges once, but that wrapper method called the underlying derp.Client.WatchConnectionChanges exactly once on derphttp.Client's currently active connection. If there's a failure, we need to re-subscribe upon all reconnections. This removes the derphttp.Client.WatchConnectionChanges method, which was basically impossible to use correctly, and changes it to be a boolean field on derphttp.Client alongside MeshKey and IsProber. Then it moves the call to the underlying derp.Client.WatchConnectionChanges to derphttp's client connection code, so it's resubscribed on any reconnect. Some paranoia is then added to make sure people hold the API right, not calling derphttp.Client.RunWatchConnectionLoop on an already-started Client without having set the bool to true. (But still auto-setting it to true if that's the first method that's been called on that derphttp.Client, as is commonly the case, and prevents existing code from breaking) Fixes tailscale/corp#9916 Supercedes tailscale/tailscale#9719 Co-authored-by: Val <valerie@tailscale.com> Co-authored-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Brad Fitzpatrick <brad@danga.com>	8 months ago
Tom DNetto	a7c80c332a	cmd/sniproxy: implement support for control configuration, multiple addresses * Implement missing tests for sniproxy * Wire sniproxy to new appc package * Add support to tsnet for routing subnet router traffic into netstack, so it can be handled Updates: https://github.com/tailscale/corp/issues/15038 Signed-off-by: Tom DNetto <tom@tailscale.com>	8 months ago
Will Norris	28ad910840	ipn: add user pref for running web client This is not currently exposed as a user-settable preference through `tailscale up` or `tailscale set`. Instead, the preference is set when turning the web client on and off via localapi. In a subsequent commit, the pref will be used to automatically start the web client on startup when appropriate. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Irbe Krumina	ed1b935238	cmd/k8s-operator: allow to install operator via helm (#9920 ) Initial helm manifests. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	9107b5eadf	cmd/tailscale/cli: use status before doing interactive feature query We were inconsistent whether we checked if the feature was already enabled which we could do cheaply using the locally available status. We would do the checks fine if we were turning on funnel, but not serve. This moves the cap checks down into enableFeatureInteractive so that are always run. Updates #9984 Co-authored-by: Tyler Smalley <tyler@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Aaron Klotz	95671b71a6	ipn, safesocket: use Windows token in LocalAPI On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights. This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self). Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary. I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update. Updates https://github.com/tailscale/tailscale/issues/755 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Tyler Smalley	131518eed1	cmd/tailscale/cli: improve error when bg serve config is present (#9961 ) We prevent shodow configs when starting a foreground when a background serve config already exists for the serve type and port. This PR improves the messaging to let the user know how to remove the previous config. Updates #8489 ENG-2314 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Tyler Smalley	1873bc471b	cmd/tailscale/cli: remove http flag for funnel command (#9955 ) The `--http` flag can not be used with Funnel, so we should remove it to remove confusion. Updates #8489 ENG-2316 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Marwan Sulaiman	5f3cdaf283	cmd/tailscale/cli: chage port flags to uint for serve and funnel This PR changes the -https, -http, -tcp, and -tls-terminated-tcp flags from string to int and also updates the validation to ensure they fit the uint16 size as the flag library does not have a Uint16Var method. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Marwan Sulaiman	a7e4cebb90	cmd/tailscale/cli: refactor TestServeDevConfigMutations The TestServeDevConfigMutations test has 63 steps that all run under the same scope. This tests breaks them out into isolated subtests that can be run independently. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Andrew Lytvynov	21b6d373b0	cmd/tailscale/cli: unhide auto-update flags and mark update as Beta (#9954 ) Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Marwan Sulaiman	f5a7551382	cmd/tailscale: fix help message for serve funnel We currently print out "run tailscale serve --help" when the subcmd might be funnel. This PR ensures the right subcmd is passed. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	8 months ago
Andrew Lytvynov	d3bc575f35	cmd/tailscale/cli: set Sparkle auto-update on macsys (#9952 ) On `tailscale set --auto-update`, set the Sparkle plist option for it. Also make macsys report not supporting auto-updates over c2n, since they will be triggered by Sparkle locally. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Tyler Smalley	269a498c1e	cmd/tailscale/cli: serve --set-path should not force background mode (#9905 ) A few people have run into issues with understanding why `--set-path` started in background mode, and/or why they couldn't use a path in foreground mode. This change allows `--set-path` to be used in either case (foreground or background). updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	8 months ago
Andrew Lytvynov	593c086866	clientupdate: distinguish when auto-updates are possible (#9896 ) clientupdate.Updater will have a non-nil Update func in a few cases where it doesn't actually perform an update: * on Arch-like distros, where it prints instructions on how to update * on macOS app store version, where it opens the app store page Add a new clientupdate.Arguments field to cause NewUpdater to fail when we hit one of these cases. This results in c2n updates being "not supported" and `tailscale set --auto-update` returning an error. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago
Tyler Smalley	35d7b3aa27	cmd/tailscale/cli: updates help and background messaging (#9929 ) * Fixes issue with template string not being provided in help text * Updates background information to provide full URL, including path, to make it clear the source and destination * Restores some tests * Removes AllowFunnel in ServeConfig if no proxy exists for that port. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	9 months ago
Marwan Sulaiman	c53ee37912	cmd/tailscale: add set-raw to the new serve funnel commands This PR adds the same set-raw from the old flow into the new one so that users can continue to use it when transitioning into the new flow. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	f232d4554a	cmd/tailscale: translate old serve commands to new ones This PR fixes the isLegacyInvocation to better catch serve and funnel legacy commands. In addition, it now also returns a string that translates the old command into the new one so that users can have an easier transition story. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Marwan Sulaiman	60e768fd14	cmd/tailscale: allow serve\|funnel off to delete an entire port This PR allows you to do "tailscale serve -bg -https:4545 off" and it will delete all handlers under it. It will also prompt you for a y/n in case you wanted to delete a single port. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>	9 months ago
Irbe Krumina	e9956419f6	cmd/k8s-operator: allow cleanup of cluster resources for deleted devices (#9917 ) Users should delete proxies by deleting or modifying the k8s cluster resources that they used to tell the operator to create they proxy. With this flow, the tailscale operator will delete the associated device from the control. However, in some cases users might have already deleted the device from the control manually. Updates tailscale/tailscale#9773 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	9 months ago
Tyler Smalley	d9081d6ba2	cmd/tailscale/cli: update serve/funnel CLI help text (#9895 ) updates #8489 ENG-2308 Signed-off-by: Tyler Smalley <tyler@tailscale.com>	9 months ago
Adrian Dewhurst	5347e6a292	control/controlclient: support certstore without cgo We no longer build Windows releases with cgo enabled, which automatically turned off certstore support. Rather than re-enabling cgo, we updated our fork of the certstore package to no longer require cgo. This updates the package, cleans up how the feature is configured, and removes the cgo build tag requirement. Fixes tailscale/corp#14797 Fixes tailscale/coral#118 Change-Id: Iaea34340761c0431d759370532c16a48c0913374 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	9 months ago
Andrew Lytvynov	70f9c8a6ed	clientupdate: change Mac App Store support (#9891 ) In the sandboxed app from the app store, we cannot check `/Library/Preferences/com.apple.commerce.plist` or run `softwareupdate`. We can at most print a helpful message and open the app store page. Also, reenable macsys update function to mark it as supporting c2n updates. macsys support in `tailscale update` was fixed. Updates #755 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	9 months ago

1 2 3 4 5 ...

1575 Commits (b8ac3c5191f6292726e59d97899a0203e5c1123e)