// Copyright (c) Tailscale Inc & AUTHORS // SPDX-License-Identifier: BSD-3-Clause package ipnlocal import ( "crypto/x509" "encoding/json" "encoding/pem" "errors" "fmt" "io" "net" "net/http" "os" "os/exec" "path" "path/filepath" "runtime" "sort" "strconv" "strings" "time" "github.com/kortschak/wol" "tailscale.com/clientupdate" "tailscale.com/envknob" "tailscale.com/ipn" "tailscale.com/net/sockstats" "tailscale.com/posture" "tailscale.com/tailcfg" "tailscale.com/util/clientmetric" "tailscale.com/util/goroutines" "tailscale.com/util/set" "tailscale.com/util/syspolicy" "tailscale.com/version" "tailscale.com/version/distro" ) // c2nHandlers maps an HTTP method and URI path (without query parameters) to // its handler. The exact method+path match is preferred, but if no entry // exists for that, a map entry with an empty method is used as a fallback. var c2nHandlers = map[methodAndPath]c2nHandler{ // Debug. req("/echo"): handleC2NEcho, req("/debug/goroutines"): handleC2NDebugGoroutines, req("/debug/prefs"): handleC2NDebugPrefs, req("/debug/metrics"): handleC2NDebugMetrics, req("/debug/component-logging"): handleC2NDebugComponentLogging, req("/debug/logheap"): handleC2NDebugLogHeap, // PPROF - We only expose a subset of typical pprof endpoints for security. req("/debug/pprof/heap"): handleC2NPprof, req("/debug/pprof/allocs"): handleC2NPprof, req("POST /logtail/flush"): handleC2NLogtailFlush, req("POST /sockstats"): handleC2NSockStats, // Check TLS certificate status. req("GET /tls-cert-status"): handleC2NTLSCertStatus, // SSH req("/ssh/usernames"): handleC2NSSHUsernames, // Auto-updates. req("GET /update"): handleC2NUpdateGet, req("POST /update"): handleC2NUpdatePost, // Wake-on-LAN. req("POST /wol"): handleC2NWoL, // Device posture. req("GET /posture/identity"): handleC2NPostureIdentityGet, // App Connectors. req("GET /appconnector/routes"): handleC2NAppConnectorDomainRoutesGet, // Linux netfilter. req("POST /netfilter-kind"): handleC2NSetNetfilterKind, } type c2nHandler func(*LocalBackend, http.ResponseWriter, *http.Request) type methodAndPath struct { method string // empty string means fallback path string // Request.URL.Path (without query string) } func req(s string) methodAndPath { if m, p, ok := strings.Cut(s, " "); ok { return methodAndPath{m, p} } return methodAndPath{"", s} } // c2nHandlerPaths is all the set of paths from c2nHandlers, without their HTTP methods. // It's used to detect requests with a non-matching method. var c2nHandlerPaths = set.Set[string]{} func init() { for k := range c2nHandlers { c2nHandlerPaths.Add(k.path) } } func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) { // First try to match by both method and path, if h, ok := c2nHandlers[methodAndPath{r.Method, r.URL.Path}]; ok { h(b, w, r) return } // Then try to match by just path. if h, ok := c2nHandlers[methodAndPath{path: r.URL.Path}]; ok { h(b, w, r) return } if c2nHandlerPaths.Contains(r.URL.Path) { http.Error(w, "bad method", http.StatusMethodNotAllowed) } else { http.Error(w, "unknown c2n path", http.StatusBadRequest) } } func writeJSON(w http.ResponseWriter, v any) { w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(v) } func handleC2NEcho(b *LocalBackend, w http.ResponseWriter, r *http.Request) { // Test handler. body, _ := io.ReadAll(r.Body) w.Write(body) } func handleC2NLogtailFlush(b *LocalBackend, w http.ResponseWriter, r *http.Request) { if b.TryFlushLogs() { w.WriteHeader(http.StatusNoContent) } else { http.Error(w, "no log flusher wired up", http.StatusInternalServerError) } } func handleC2NDebugGoroutines(_ *LocalBackend, w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/plain") w.Write(goroutines.ScrubbedGoroutineDump(true)) } func handleC2NDebugPrefs(b *LocalBackend, w http.ResponseWriter, r *http.Request) { writeJSON(w, b.Prefs()) } func handleC2NDebugMetrics(_ *LocalBackend, w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/plain") clientmetric.WritePrometheusExpositionFormat(w) } func handleC2NDebugComponentLogging(b *LocalBackend, w http.ResponseWriter, r *http.Request) { component := r.FormValue("component") secs, _ := strconv.Atoi(r.FormValue("secs")) if secs == 0 { secs -= 1 } until := b.clock.Now().Add(time.Duration(secs) * time.Second) err := b.SetComponentDebugLogging(component, until) var res struct { Error string `json:",omitempty"` } if err != nil { res.Error = err.Error() } writeJSON(w, res) } var c2nLogHeap func(http.ResponseWriter, *http.Request) // non-nil on most platforms (c2n_pprof.go) func handleC2NDebugLogHeap(b *LocalBackend, w http.ResponseWriter, r *http.Request) { if c2nLogHeap == nil { // Not implemented on platforms trying to optimize for binary size or // reduced memory usage. http.Error(w, "not implemented", http.StatusNotImplemented) return } c2nLogHeap(w, r) } var c2nPprof func(http.ResponseWriter, *http.Request, string) // non-nil on most platforms (c2n_pprof.go) func handleC2NPprof(b *LocalBackend, w http.ResponseWriter, r *http.Request) { if c2nPprof == nil { // Not implemented on platforms trying to optimize for binary size or // reduced memory usage. http.Error(w, "not implemented", http.StatusNotImplemented) return } _, profile := path.Split(r.URL.Path) c2nPprof(w, r, profile) } func handleC2NSSHUsernames(b *LocalBackend, w http.ResponseWriter, r *http.Request) { var req tailcfg.C2NSSHUsernamesRequest if r.Method == "POST" { if err := json.NewDecoder(r.Body).Decode(&req); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } } res, err := b.getSSHUsernames(&req) if err != nil { http.Error(w, err.Error(), 500) return } writeJSON(w, res) } func handleC2NSockStats(b *LocalBackend, w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/plain") if b.sockstatLogger == nil { http.Error(w, "no sockstatLogger", http.StatusInternalServerError) return } b.sockstatLogger.Flush() fmt.Fprintf(w, "logid: %s\n", b.sockstatLogger.LogID()) fmt.Fprintf(w, "debug info: %v\n", sockstats.DebugInfo()) } // handleC2NAppConnectorDomainRoutesGet handles returning the domains // that the app connector is responsible for, as well as the resolved // IP addresses for each domain. If the node is not configured as // an app connector, an empty map is returned. func handleC2NAppConnectorDomainRoutesGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) { b.logf("c2n: GET /appconnector/routes received") var res tailcfg.C2NAppConnectorDomainRoutesResponse if b.appConnector == nil { w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(res) return } res.Domains = b.appConnector.DomainRoutes() w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(res) } func handleC2NSetNetfilterKind(b *LocalBackend, w http.ResponseWriter, r *http.Request) { b.logf("c2n: POST /netfilter-kind received") if version.OS() != "linux" { http.Error(w, "netfilter kind only settable on linux", http.StatusNotImplemented) } kind := r.FormValue("kind") b.logf("c2n: switching netfilter to %s", kind) _, err := b.EditPrefs(&ipn.MaskedPrefs{ NetfilterKindSet: true, Prefs: ipn.Prefs{ NetfilterKind: kind, }, }) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } b.authReconfig() w.WriteHeader(http.StatusNoContent) } func handleC2NUpdateGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) { b.logf("c2n: GET /update received") res := b.newC2NUpdateResponse() res.Started = b.c2nUpdateStarted() w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(res) } func handleC2NUpdatePost(b *LocalBackend, w http.ResponseWriter, r *http.Request) { b.logf("c2n: POST /update received") res := b.newC2NUpdateResponse() defer func() { if res.Err != "" { b.logf("c2n: POST /update failed: %s", res.Err) } w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(res) }() if !res.Enabled { res.Err = "not enabled" return } if !res.Supported { res.Err = "not supported" return } // Do not update if we have active inbound SSH connections. Control can set // force=true query parameter to override this. if r.FormValue("force") != "true" && b.sshServer != nil && b.sshServer.NumActiveConns() > 0 { res.Err = "not updating due to active SSH connections" return } if err := b.startAutoUpdate("c2n"); err != nil { res.Err = err.Error() return } res.Started = true } func handleC2NPostureIdentityGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) { b.logf("c2n: GET /posture/identity received") res := tailcfg.C2NPostureIdentityResponse{} // Only collect serial numbers if enabled on the client, // this will first check syspolicy, MDM settings like Registry // on Windows or defaults on macOS. If they are not set, it falls // back to the cli-flag, `--posture-checking`. choice, err := syspolicy.GetPreferenceOption(syspolicy.PostureChecking) if err != nil { b.logf( "c2n: failed to read PostureChecking from syspolicy, returning default from CLI: %s; got error: %s", b.Prefs().PostureChecking(), err, ) } if choice.ShouldEnable(b.Prefs().PostureChecking()) { sns, err := posture.GetSerialNumbers(b.logf) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } res.SerialNumbers = sns } else { res.PostureDisabled = true } w.Header().Set("Content-Type", "application/json") json.NewEncoder(w).Encode(res) } func (b *LocalBackend) newC2NUpdateResponse() tailcfg.C2NUpdateResponse { // If NewUpdater does not return an error, we can update the installation. // // Note that we create the Updater solely to check for errors; we do not // invoke it here. For this purpose, it is ok to pass it a zero Arguments. prefs := b.Prefs().AutoUpdate() return tailcfg.C2NUpdateResponse{ Enabled: envknob.AllowsRemoteUpdate() || prefs.Apply.EqualBool(true), Supported: clientupdate.CanAutoUpdate() && !version.IsMacSysExt(), } } func (b *LocalBackend) c2nUpdateStarted() bool { b.mu.Lock() defer b.mu.Unlock() return b.c2nUpdateStatus.started } func (b *LocalBackend) setC2NUpdateStarted(v bool) { b.mu.Lock() defer b.mu.Unlock() b.c2nUpdateStatus.started = v } func (b *LocalBackend) trySetC2NUpdateStarted() bool { b.mu.Lock() defer b.mu.Unlock() if b.c2nUpdateStatus.started { return false } b.c2nUpdateStatus.started = true return true } // findCmdTailscale looks for the cmd/tailscale that corresponds to the // currently running cmd/tailscaled. It's up to the caller to verify that the // two match, but this function does its best to find the right one. Notably, it // doesn't use $PATH for security reasons. func findCmdTailscale() (string, error) { self, err := os.Executable() if err != nil { return "", err } var ts string switch runtime.GOOS { case "linux": if self == "/usr/sbin/tailscaled" || self == "/usr/bin/tailscaled" { ts = "/usr/bin/tailscale" } if self == "/usr/local/sbin/tailscaled" || self == "/usr/local/bin/tailscaled" { ts = "/usr/local/bin/tailscale" } switch distro.Get() { case distro.QNAP: // The volume under /share/ where qpkg are installed is not // predictable. But the rest of the path is. ok, err := filepath.Match("/share/*/.qpkg/Tailscale/tailscaled", self) if err == nil && ok { ts = filepath.Join(filepath.Dir(self), "tailscale") } case distro.Unraid: if self == "/usr/local/emhttp/plugins/tailscale/bin/tailscaled" { ts = "/usr/local/emhttp/plugins/tailscale/bin/tailscale" } } case "windows": ts = filepath.Join(filepath.Dir(self), "tailscale.exe") case "freebsd": if self == "/usr/local/bin/tailscaled" { ts = "/usr/local/bin/tailscale" } default: return "", fmt.Errorf("unsupported OS %v", runtime.GOOS) } if ts != "" && regularFileExists(ts) { return ts, nil } return "", errors.New("tailscale executable not found in expected place") } func tailscaleUpdateCmd(cmdTS string) *exec.Cmd { defaultCmd := exec.Command(cmdTS, "update", "--yes") if runtime.GOOS != "linux" { return defaultCmd } if _, err := exec.LookPath("systemd-run"); err != nil { return defaultCmd } // When systemd-run is available, use it to run the update command. This // creates a new temporary unit separate from the tailscaled unit. When // tailscaled is restarted during the update, systemd won't kill this // temporary update unit, which could cause unexpected breakage. // // We want to use the --wait flag for systemd-run, to block the update // command until completion and collect output. But this flag was added in // systemd 232, so we need to check the version first. // // The output will look like: // // systemd 255 (255.7-1-arch) // +PAM +AUDIT ... other feature flags ... systemdVerOut, err := exec.Command("systemd-run", "--version").Output() if err != nil { return defaultCmd } parts := strings.Fields(string(systemdVerOut)) if len(parts) < 2 || parts[0] != "systemd" { return defaultCmd } systemdVer, err := strconv.Atoi(parts[1]) if err != nil { return defaultCmd } if systemdVer < 232 { return exec.Command("systemd-run", "--pipe", "--collect", cmdTS, "update", "--yes") } else { return exec.Command("systemd-run", "--wait", "--pipe", "--collect", cmdTS, "update", "--yes") } } func regularFileExists(path string) bool { fi, err := os.Stat(path) return err == nil && fi.Mode().IsRegular() } func handleC2NWoL(b *LocalBackend, w http.ResponseWriter, r *http.Request) { r.ParseForm() var macs []net.HardwareAddr for _, macStr := range r.Form["mac"] { mac, err := net.ParseMAC(macStr) if err != nil { http.Error(w, "bad 'mac' param", http.StatusBadRequest) return } macs = append(macs, mac) } var res struct { SentTo []string Errors []string } st := b.sys.NetMon.Get().InterfaceState() if st == nil { res.Errors = append(res.Errors, "no interface state") writeJSON(w, &res) return } var password []byte // TODO(bradfitz): support? does anything use WoL passwords? for _, mac := range macs { for ifName, ips := range st.InterfaceIPs { for _, ip := range ips { if ip.Addr().IsLoopback() || ip.Addr().Is6() { continue } local := &net.UDPAddr{ IP: ip.Addr().AsSlice(), Port: 0, } remote := &net.UDPAddr{ IP: net.IPv4bcast, Port: 0, } if err := wol.Wake(mac, password, local, remote); err != nil { res.Errors = append(res.Errors, err.Error()) } else { res.SentTo = append(res.SentTo, ifName) } break // one per interface is enough } } } sort.Strings(res.SentTo) writeJSON(w, &res) } // handleC2NTLSCertStatus returns info about the last TLS certificate issued for the // provided domain. This can be called by the controlplane to clean up DNS TXT // records when they're no longer needed by LetsEncrypt. // // It does not kick off a cert fetch or async refresh. It only reports anything // that's already sitting on disk, and only reports metadata about the public // cert (stuff that'd be the in CT logs anyway). func handleC2NTLSCertStatus(b *LocalBackend, w http.ResponseWriter, r *http.Request) { cs, err := b.getCertStore() if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } domain := r.FormValue("domain") if domain == "" { http.Error(w, "no 'domain'", http.StatusBadRequest) return } ret := &tailcfg.C2NTLSCertInfo{} pair, err := getCertPEMCached(cs, domain, b.clock.Now()) ret.Valid = err == nil if err != nil { ret.Error = err.Error() if errors.Is(err, errCertExpired) { ret.Expired = true } else if errors.Is(err, ipn.ErrStateNotExist) { ret.Missing = true ret.Error = "no certificate" } } else { block, _ := pem.Decode(pair.CertPEM) if block == nil { ret.Error = "invalid PEM" ret.Valid = false } else { cert, err := x509.ParseCertificate(block.Bytes) if err != nil { ret.Error = fmt.Sprintf("invalid certificate: %v", err) ret.Valid = false } else { ret.NotBefore = cert.NotBefore.UTC().Format(time.RFC3339) ret.NotAfter = cert.NotAfter.UTC().Format(time.RFC3339) } } } writeJSON(w, ret) }