2023-01-27 13:37:20 -08:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2020-10-19 10:46:30 -07:00
|
|
|
|
2021-10-14 12:51:28 -07:00
|
|
|
// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
|
2020-10-19 10:46:30 -07:00
|
|
|
|
|
|
|
|
package ipn
|
|
|
|
|
|
|
|
|
|
import (
|
2023-08-20 13:16:06 -04:00
|
|
|
"maps"
|
2022-07-24 20:08:42 -07:00
|
|
|
"net/netip"
|
|
|
|
|
|
2024-04-02 13:32:30 -07:00
|
|
|
"tailscale.com/drive"
|
2021-01-20 17:24:16 -08:00
|
|
|
"tailscale.com/tailcfg"
|
2021-02-05 15:23:01 -08:00
|
|
|
"tailscale.com/types/persist"
|
2021-02-04 13:12:42 -08:00
|
|
|
"tailscale.com/types/preftype"
|
2020-10-19 10:46:30 -07:00
|
|
|
)
|
|
|
|
|
|
ipn, ipn/ipnauth: implement API surface for LocalBackend access checking
We have a lot of access checks spread around the
ipnserver, ipnlocal, localapi, and ipnauth
packages, with a significant number of
platform-specific checks that are used exclusively
on either Windows or Unix-like platforms.
Additionally, with the exception of a few
Windows-specific checks, most of these checks are
per-device rather than per-profile, which is not
always correct even on single-user/single-session
environments, but even more problematic on
multi-user/multi-session environments such as
Windows.
We initially attempted to map all possible
operations onto the permitRead/permitWrite access
flags. However, these flags are not utilized on
Windows and prove insufficient on Unix machines.
Specifically, on Windows, the first user to
connect is granted full access, while subsequent
logged-in users have no access to the LocalAPI at
all. This restriction applies regardless of the
environment, local user roles (e.g., whether a
Windows user is a local admin), or whether they
are the active user on a shared Windows client
device. Conversely, on Unix, we introduced the
permitCert flag to enable granting non-root web
servers (such as www-data, caddy, nginx, etc.)
access to certificates. We also added additional
access check to distinguish local admins (root
on Unix-like platforms, elevated admins on
Windows) from users with permitWrite access,
and used it as a fix for the serve path LPE.
A more fine-grained access control system could
better suit our current and future needs, especially
in improving the UX across various scenarios on
corporate and personal Windows devices.
This adds an API surface in ipnauth that will be
used in LocalBackend to check access to individual
Tailscale profiles as well as any device-wide
information and operations.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-04-08 13:10:18 -05:00
|
|
|
// Clone makes a deep copy of LoginProfile.
|
|
|
|
|
// The result aliases no memory with the original.
|
|
|
|
|
func (src *LoginProfile) Clone() *LoginProfile {
|
|
|
|
|
if src == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
dst := new(LoginProfile)
|
|
|
|
|
*dst = *src
|
|
|
|
|
return dst
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
|
|
|
|
|
var _LoginProfileCloneNeedsRegeneration = LoginProfile(struct {
|
|
|
|
|
ID ProfileID
|
|
|
|
|
Name string
|
|
|
|
|
NetworkProfile NetworkProfile
|
|
|
|
|
Key StateKey
|
|
|
|
|
UserProfile tailcfg.UserProfile
|
|
|
|
|
NodeID tailcfg.StableNodeID
|
|
|
|
|
LocalUserID WindowsUserID
|
|
|
|
|
ControlURL string
|
|
|
|
|
}{})
|
|
|
|
|
|
2020-10-19 10:46:30 -07:00
|
|
|
// Clone makes a deep copy of Prefs.
|
|
|
|
|
// The result aliases no memory with the original.
|
|
|
|
|
func (src *Prefs) Clone() *Prefs {
|
|
|
|
|
if src == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
dst := new(Prefs)
|
|
|
|
|
*dst = *src
|
|
|
|
|
dst.AdvertiseTags = append(src.AdvertiseTags[:0:0], src.AdvertiseTags...)
|
|
|
|
|
dst.AdvertiseRoutes = append(src.AdvertiseRoutes[:0:0], src.AdvertiseRoutes...)
|
2024-04-03 10:09:58 -07:00
|
|
|
if src.DriveShares != nil {
|
|
|
|
|
dst.DriveShares = make([]*drive.Share, len(src.DriveShares))
|
|
|
|
|
for i := range dst.DriveShares {
|
|
|
|
|
dst.DriveShares[i] = src.DriveShares[i].Clone()
|
2024-03-07 10:56:11 -06:00
|
|
|
}
|
|
|
|
|
}
|
2022-11-29 12:00:40 -08:00
|
|
|
dst.Persist = src.Persist.Clone()
|
2020-10-19 10:46:30 -07:00
|
|
|
return dst
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-15 10:05:34 -07:00
|
|
|
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
|
2021-09-16 15:58:43 -07:00
|
|
|
var _PrefsCloneNeedsRegeneration = Prefs(struct {
|
2021-04-08 15:56:51 -07:00
|
|
|
ControlURL string
|
|
|
|
|
RouteAll bool
|
|
|
|
|
AllowSingleHosts bool
|
|
|
|
|
ExitNodeID tailcfg.StableNodeID
|
2022-07-24 20:08:42 -07:00
|
|
|
ExitNodeIP netip.Addr
|
2024-04-16 14:53:56 -04:00
|
|
|
InternalExitNodePrior tailcfg.StableNodeID
|
2021-04-08 15:56:51 -07:00
|
|
|
ExitNodeAllowLANAccess bool
|
|
|
|
|
CorpDNS bool
|
2021-08-26 14:50:55 -07:00
|
|
|
RunSSH bool
|
2023-10-26 11:35:41 -07:00
|
|
|
RunWebClient bool
|
2021-04-08 15:56:51 -07:00
|
|
|
WantRunning bool
|
2021-04-30 03:56:11 -04:00
|
|
|
LoggedOut bool
|
2021-04-08 15:56:51 -07:00
|
|
|
ShieldsUp bool
|
|
|
|
|
AdvertiseTags []string
|
|
|
|
|
Hostname string
|
|
|
|
|
NotepadURLs bool
|
|
|
|
|
ForceDaemon bool
|
2022-09-01 09:27:06 -07:00
|
|
|
Egg bool
|
2022-07-24 20:08:42 -07:00
|
|
|
AdvertiseRoutes []netip.Prefix
|
2021-04-08 15:56:51 -07:00
|
|
|
NoSNAT bool
|
|
|
|
|
NetfilterMode preftype.NetfilterMode
|
2021-04-16 21:01:29 -07:00
|
|
|
OperatorUser string
|
2022-11-18 14:42:32 +05:00
|
|
|
ProfileName string
|
2023-09-01 14:45:12 -06:00
|
|
|
AutoUpdate AutoUpdatePrefs
|
2023-10-26 15:55:32 -07:00
|
|
|
AppConnector AppConnectorPrefs
|
2023-10-03 11:46:24 +02:00
|
|
|
PostureChecking bool
|
2023-12-04 12:08:56 -05:00
|
|
|
NetfilterKind string
|
2024-04-03 10:09:58 -07:00
|
|
|
DriveShares []*drive.Share
|
2021-04-08 15:56:51 -07:00
|
|
|
Persist *persist.Persist
|
2020-10-19 10:46:30 -07:00
|
|
|
}{})
|
2022-11-09 06:10:06 -08:00
|
|
|
|
|
|
|
|
// Clone makes a deep copy of ServeConfig.
|
|
|
|
|
// The result aliases no memory with the original.
|
|
|
|
|
func (src *ServeConfig) Clone() *ServeConfig {
|
|
|
|
|
if src == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
dst := new(ServeConfig)
|
|
|
|
|
*dst = *src
|
|
|
|
|
if dst.TCP != nil {
|
2022-11-10 22:58:40 -05:00
|
|
|
dst.TCP = map[uint16]*TCPPortHandler{}
|
2022-11-09 06:10:06 -08:00
|
|
|
for k, v := range src.TCP {
|
|
|
|
|
dst.TCP[k] = v.Clone()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if dst.Web != nil {
|
|
|
|
|
dst.Web = map[HostPort]*WebServerConfig{}
|
|
|
|
|
for k, v := range src.Web {
|
|
|
|
|
dst.Web[k] = v.Clone()
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-08-20 13:16:06 -04:00
|
|
|
dst.AllowFunnel = maps.Clone(src.AllowFunnel)
|
2023-09-05 14:33:18 -04:00
|
|
|
if dst.Foreground != nil {
|
|
|
|
|
dst.Foreground = map[string]*ServeConfig{}
|
|
|
|
|
for k, v := range src.Foreground {
|
|
|
|
|
dst.Foreground[k] = v.Clone()
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-11-09 06:10:06 -08:00
|
|
|
return dst
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
|
|
|
|
|
var _ServeConfigCloneNeedsRegeneration = ServeConfig(struct {
|
2022-11-17 16:09:43 -05:00
|
|
|
TCP map[uint16]*TCPPortHandler
|
|
|
|
|
Web map[HostPort]*WebServerConfig
|
|
|
|
|
AllowFunnel map[HostPort]bool
|
2023-09-05 14:33:18 -04:00
|
|
|
Foreground map[string]*ServeConfig
|
2023-09-11 21:32:51 -04:00
|
|
|
ETag string
|
2022-11-09 06:10:06 -08:00
|
|
|
}{})
|
|
|
|
|
|
|
|
|
|
// Clone makes a deep copy of TCPPortHandler.
|
|
|
|
|
// The result aliases no memory with the original.
|
|
|
|
|
func (src *TCPPortHandler) Clone() *TCPPortHandler {
|
|
|
|
|
if src == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
dst := new(TCPPortHandler)
|
|
|
|
|
*dst = *src
|
|
|
|
|
return dst
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
|
|
|
|
|
var _TCPPortHandlerCloneNeedsRegeneration = TCPPortHandler(struct {
|
|
|
|
|
HTTPS bool
|
2023-06-21 12:32:20 -04:00
|
|
|
HTTP bool
|
2022-11-09 06:10:06 -08:00
|
|
|
TCPForward string
|
2022-11-10 21:24:22 -08:00
|
|
|
TerminateTLS string
|
2022-11-09 06:10:06 -08:00
|
|
|
}{})
|
|
|
|
|
|
|
|
|
|
// Clone makes a deep copy of HTTPHandler.
|
|
|
|
|
// The result aliases no memory with the original.
|
|
|
|
|
func (src *HTTPHandler) Clone() *HTTPHandler {
|
|
|
|
|
if src == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
dst := new(HTTPHandler)
|
|
|
|
|
*dst = *src
|
|
|
|
|
return dst
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
|
|
|
|
|
var _HTTPHandlerCloneNeedsRegeneration = HTTPHandler(struct {
|
|
|
|
|
Path string
|
|
|
|
|
Proxy string
|
2022-11-09 06:55:17 -08:00
|
|
|
Text string
|
2022-11-09 06:10:06 -08:00
|
|
|
}{})
|
|
|
|
|
|
|
|
|
|
// Clone makes a deep copy of WebServerConfig.
|
|
|
|
|
// The result aliases no memory with the original.
|
|
|
|
|
func (src *WebServerConfig) Clone() *WebServerConfig {
|
|
|
|
|
if src == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
dst := new(WebServerConfig)
|
|
|
|
|
*dst = *src
|
|
|
|
|
if dst.Handlers != nil {
|
|
|
|
|
dst.Handlers = map[string]*HTTPHandler{}
|
|
|
|
|
for k, v := range src.Handlers {
|
|
|
|
|
dst.Handlers[k] = v.Clone()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return dst
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
|
|
|
|
|
var _WebServerConfigCloneNeedsRegeneration = WebServerConfig(struct {
|
|
|
|
|
Handlers map[string]*HTTPHandler
|
|
|
|
|
}{})
|