tailscale

Commit Graph

Author	SHA1	Message	Date
Will Norris	623f669239	client/web: pass URL prefix to frontend This allows wouter to route URLs properly when running in CGI mode. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	e537d304ef	client/web: relax CSP restrictions for manage client Don't return CSP headers in dev mode, since that includes a bunch of extra things like the vite server. Allow images from any source, which is needed to load user profile images. Allow 'unsafe-inline' for various inline scripts and style react uses. We can eliminate this by using CSP nonce or hash values, but we'll need to look into the best way to handle that. There appear to be several react plugins for this, but I haven't evaluated any of them. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	a05ab9f3bc	client/web: check r.Host rather than r.URL.Host r.URL.Host is not typically populated on server requests. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	6b956b49e0	client/web: add some security checks for full client Require that requests to servers in manage mode are made to the Tailscale IP (either ipv4 or ipv6) or quad-100. Also set various security headers on those responses. These might be too restrictive, but we can relax them as needed. Allow requests to /ok (even in manage mode) with no checks. This will be used for the connectivity check from a login client to see if the management client is reachable. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	e5dcf7bdde	client/web: move auth session creation out of /api/auth Splits auth session creation into two new endpoints: /api/auth/session/new - to request a new auth session /api/auth/session/wait - to block until user has completed auth url Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	0ecfc1d5c3	client/web: fill devMode from an env var Avoids the need to pipe a web client dev flag through the tailscaled command. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	191e2ce719	client/web: add ServerMode to web.Server Adds a new Mode to the web server, indicating the specific scenario the constructed server is intended to be run in. Also starts filling this from the cli/web and ipn/ipnlocal callers. From cli/web this gets filled conditionally based on whether the preview web client node cap is set. If not set, the existing "legacy" client is served. If set, both a login/lobby and full management client are started (in "login" and "manage" modes respectively). Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	4ce4bb6271	client/web: limit authorization checks to API calls This completes the migration to setting up authentication state in the client first before fetching any node data or rendering the client view. Notable changes: - `authorizeRequest` is now only enforced on `/api/*` calls (with the exception of /api/auth, which is handled early because it's needed to initially setup auth, particularly for synology) - re-separate the App and WebClient components to ensure that auth is completed before moving on - refactor platform auth (synology and QNAP) to fit into this new structure. Synology no longer returns redirect for auth, but returns authResponse instructing the client to fetch a SynoToken Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	7a725bb4f0	client/web: move more session logic to auth.go Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	e5fbe57908	web/client: update synology token from /api/auth call When the /api/auth response indicates that synology auth is needed, fetch the SynoToken and store it for future API calls. This doesn't yet update the server-side code to set the new SynoAuth field. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	237c6c44cd	client/web: call /api/auth before rendering any client views For now this is effectively a noop, since only the ManagementClientView uses the auth data. That will change soon. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	32ebc03591	client/web: move session logic to auth.go Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	89953b015b	ipn/ipnlocal,client/web: add web client to tailscaled Allows for serving the web interface from tailscaled, with the ability to start and stop the server via localapi endpoints (/web/start and /web/stop). This will be used to run the new full management web client, which will only be accessible over Tailscale (with an extra auth check step over noise) from the daemon. This switch also allows us to run the web interface as a long-lived service in environments where the CLI version is restricted to CGI, allowing us to manage certain auth state in memory. ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for ios builds to satisfy ios restriction from adding "text/template" and "html/template" dependencies. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	93aa8a8cff	client/web: allow providing logger implementation Also report metrics in separate go routine with a 5 second timeout. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	d79e0fde9c	client/web: split errTaggedSelf resp from getTailscaleBrowserSession Previously returned errTaggedSource in the case that of any tagged source. Now distinguishing whether the source was local or remote. We'll be presenting the two cases with varying copy on the frontend. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	e0a4a02b35	client/web: pipe Server.timeNow() through session funcs Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	62d08d26b6	client/web: set Server.cgiMode field Updates tailscale/corp#15373 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> Co-authored-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	68da15516f	ipn/localapi,client/web: clean up auth error handling This commit makes two changes to the web client auth flow error handling: 1. Properly passes back the error code from the noise request from the localapi. Previously we were using io.Copy, which was always setting a 200 response status code. 2. Clean up web client browser sessions on any /wait endpoint error. This avoids the user getting in a stuck state if something goes wrong with their auth path. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	1df2d14c8f	client/web: use auth ID in browser sessions Stores ID from tailcfg.WebClientAuthResponse in browser session data, and uses ID to hit control server /wait endpoint. No longer need the control url cached, so removed that from Server. Also added optional timeNow field, initially to manage time from tests. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	73bbf941f8	client/web: hook up auth flow Connects serveTailscaleAuth to the localapi webclient endpoint and pipes auth URLs and session cookies back to the browser to redirect users from the frontend. All behind debug flags for now. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	851536044a	client/web: add tests for authorizeRequest Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	c27870e160	client/web: refactor authorizeRequest Moves request authorization back into Server.serve to be run at the start of any request. Fixes Synology unstable track bug where client would get stuck unable to auth due to not rendering the Synology redirect auth html on index.html load. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Naman Sood	7783a960e8	client/web: add metric for exit node advertising (#9781 ) * client/web: add metric for exit node advertising Updates tailscale/corp#15215 Signed-off-by: Naman Sood <mail@nsood.in> * client/web: use http request's context for IncrementCounter Updates #cleanup Signed-off-by: Naman Sood <mail@nsood.in> --------- Signed-off-by: Naman Sood <mail@nsood.in>	9 months ago
Sonia Appasamy	7a0de2997e	client/web: remove unused context param from NewServer Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	3befc0ef02	client/web: restrict full management client behind browser sessions Adds `getTailscaleBrowserSession` to pull the user's session out of api requests, and `serveTailscaleAuth` to provide the "/api/auth" endpoint for browser to request auth status and new sessions. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	b29047bcf0	client/web: add browser session cache to web.Server Adds browser session cache, to be used to store sessions for the full management web client. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	5429ee2566	client/web: add debug mode for web client ui updates UI updates staged behind debug mode flags. Initial new views added in app.tsx, rendered based on the current debug setting. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	5d62b17cc5	client/web: add login client mode to web.Server Adds new LoginOnly server option and swaps out API handler depending on whether running in login mode or full web client mode. Also includes some minor refactoring to the synology/qnap authorization logic to allow for easier sharing between serveLoginAPI and serveAPI. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	697f92f4a7	client/web: refactor serveGetNodeData Remove the "JSON" ending, we no longer have a non-JSON version, it was removed in `d74c771` when we switched from the legacy web client to React. Also combine getNodeData into serveGetNodeData now that serveGetNodeData is the single caller of getNodeData. A #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	9 months ago
Sonia Appasamy	1eadb2b608	client/web: clean up assets handling A #cleanup that moves all frontend asset handling into assets.go (formerly dev.go), and stores a single assetsHandler field back to web.Server that manages when to serve the dev vite proxy versus static files itself. Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Craig Rodrigues	8683ce78c2	client/web, clientupdate, util/linuxfw, wgengine/magicsock: Use %v verb for errors Replace %w verb with %v verb when logging errors. Use %w only for wrapping errors with fmt.Errorf() Fixes: #9213 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	10 months ago
Will Norris	9a3bc9049c	client/web,cmd/tailscale: add prefix flag for web command We already had a path on the web client server struct, but hadn't plumbed it through to the CLI. Add that now and use it for Synology and QNAP instead of hard-coding the path. (Adding flag for QNAP is tailscale/tailscale-qpkg#112) This will allow supporting other environments (like unraid) without additional changes to the client/web package. Also fix a small bug in unraid handling to only include the csrf token on POST requests. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	37eab31f68	client/web: simply csrf key caching in cgi mode Instead of trying to use the user config dir, and then fail back to the OS temp dir, just always use the temp dir. Also use a filename that is less likely to cause collisions. This addresses an issue on a test synology instance that was mysteriously failing because there was a file at /tmp/tailscale. We could still technically run into this issue if a /tmp/tailscale-web-csrf.key file exists, but that seems far less likely. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Sonia Appasamy	1cd03bc0a1	client/web: remove self node on server This is unused. Can be added back if needed in the future. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	da6eb076aa	client/web: add localapi proxy Adds proxy to the localapi from /api/local/ web client endpoint. The localapi proxy is restricted to an allowlist of those actually used by the web client frontend. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Will Norris	d74c771fda	client/web: always use new web client; remove old client This uses the new react-based web client for all builds, not just with the --dev flag. If the web client assets have not been built, the client will serve a message that Tailscale was built without the web client, and link to build instructions. Because we will include the web client in all of our builds, this should only be seen by developers or users building from source. (And eventually this will be replaced by attempting to download needed assets as runtime.) We do now checkin the build/index.html file, which serves the error message when assets are unavailable. This will also eventually be used to trigger in CI when new assets should be built and uploaded to a well-known location. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	be5bd1e619	client/web: skip authorization checks for static assets Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Sonia Appasamy	4828e4c2db	client/web: move api handler into web.go Also uses `http.HandlerFunc` to pass the handler into `csrfProtect` so we can get rid of the extraneous `api` struct. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	f3077c6ab5	client/web: add self node cache Adds a cached self node to the web client Server struct, which will be used from the web client api to verify that request came from the node's own machine (i.e. came from the web client frontend). We'll be using when we switch the web client api over to acting as a proxy to the localapi, to protect against DNS rebinding attacks. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Will Norris	dc8287ab3b	client/web: enforce full path for CGI platforms Synology and QNAP both run the web client as a CGI script. The old web client didn't care too much about requests paths, since there was only a single GET and POST handler. The new client serves assets on different paths, so now we need to care. First, enforce that the CGI script is always accessed from its full path, including a trailing slash (e.g. /cgi-bin/tailscale/index.cgi/). Then, strip that prefix off before passing the request along to the main serve handler. This allows for properly serving both static files and the API handler in a CGI environment. Also add a CGIPath option to allow other CGI environments to specify a custom path. Finally, update vite and one "api/data" call to no longer assume that we are always serving at the root path of "/". Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	0c3d343ea3	client/web: invert auth logic for synology and qnap Add separate server methods for synology and qnap, and enforce authentication and authorization checks before calling into the actual serving handlers. This allows us to remove all of the auth logic from those handlers, since all requests will already be authenticated by that point. Also simplify the Synology token redirect handler by using fetch. Remove the SynologyUser from nodeData, since it was never used in the frontend anyway. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	05486f0f8e	client/web: move synology and qnap logic into separate files This commit doesn't change any of the logic, but just organizes the code a little to prepare for future changes. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	824cd02d6d	client/web: cache csrf key when running in CGI mode Indicate to the web client when it is running in CGI mode, and if it is then cache the csrf key between requests. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	9ea3942b1a	client/web: don't require secure cookies for csrf Under normal circumstances, you would typically want to keep the default behavior of requiring secure cookies. In the case of the Tailscale web client, we are regularly serving on localhost (where secure cookies don't really matter), and/or we are behind a reverse proxy running on a network appliance like a NAS or Home Assistant. In those cases, those devices are regularly accessed over local IP addresses without https configured, so would not work with secure cookies. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	cf45d6a275	client/web: remove old /redirect handler I thought this had something to do with Synology or QNAP support, since they both have specific authentication logic. But it turns out this was part of the original web client added in #1621, and then refactored as part of #2093. But with how we handle logging in now, it's never called. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	5ebff95a4c	client/web: fix globbing for file embedding src/*/ was only grabbing files in subdirectories, but not in the src directory itself. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Will Norris	0df5507c81	client/web: combine embeds into a single embed.FS instead of embedding each file individually, embed them all into a single embed filesystem. This is basically a noop for the current frontend, but sets things up a little cleaner for the new frontend. Also added an embed.FS for the source files needed to build the new frontend. These files are not actually embedded into the binary (since it is a blank identifier), but causes `go mod vendor` to copy them into the vendor directory. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>	10 months ago
Sonia Appasamy	09e5e68297	client/web: track web client initializations Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	077bbb8403	client/web: add csrf protection to web client api Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	10 months ago
Sonia Appasamy	18280ebf7d	client/web: hook up data fetching to fill --dev React UI Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	11 months ago

1 2

54 Commits (d852c616c6047f711197f376b7f3b3927ddf68d6)