cmd/tailscaled,*: add start of configuration file support

Updates #1412

Co-authored-by: Maisem Ali <maisem@tailscale.com>
Change-Id: I38d559c1784d09fc804f521986c9b4b548718f7d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

ipn/conf.go

@@ -0,0 +1,122 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package ipn
+
+import (
+	"net/netip"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/opt"
+	"tailscale.com/types/preftype"
+)
+
+// ConfigVAlpha is the config file format for the "alpha0" version.
+type ConfigVAlpha struct {
+	Locked opt.Bool `json:",omitempty"` // whether the config is locked from being changed by 'tailscale set'; it defaults to true
+
+	ServerURL *string  `json:",omitempty"` // defaults to https://controlplane.tailscale.com
+	AuthKey   *string  `json:",omitempty"` // as needed if NeedsLogin. either key or path to a file (if it contains a slash)
+	Enabled   opt.Bool `json:",omitempty"` // wantRunning; empty string defaults to true
+
+	OperatorUser *string `json:",omitempty"` // local user name who is allowed to operate tailscaled without being root or using sudo
+	Hostname     *string `json:",omitempty"`
+
+	AcceptDNS    opt.Bool `json:"acceptDNS,omitempty"` // --accept-dns
+	AcceptRoutes opt.Bool `json:"acceptRoutes,omitempty"`
+
+	ExitNode                   *string  `json:"exitNode,omitempty"` // IP, StableID, or MagicDNS base name
+	AllowLANWhileUsingExitNode opt.Bool `json:"allowLANWhileUsingExitNode,omitempty"`
+
+	AdvertiseRoutes []netip.Prefix `json:",omitempty"`
+	DisableSNAT     opt.Bool       `json:",omitempty"`
+
+	NetfilterMode *string `json:",omitempty"` // "on", "off", "nodivert"
+
+	PostureChecking opt.Bool         `json:",omitempty"`
+	RunSSHServer    opt.Bool         `json:",omitempty"` // Tailscale SSH
+	ShieldsUp       opt.Bool         `json:",omitempty"`
+	AutoUpdate      *AutoUpdatePrefs `json:",omitempty"`
+	ServeConfigTemp *ServeConfig     `json:",omitempty"` // TODO(bradfitz,maisem): make separate stable type for this
+
+	// TODO(bradfitz,maisem): future something like:
+	// Profile map[string]*Config // keyed by alice@gmail.com, corp.com (TailnetSID)
+}
+
+func (c *ConfigVAlpha) ToPrefs() (MaskedPrefs, error) {
+	var mp MaskedPrefs
+	if c == nil {
+		return mp, nil
+	}
+	if c.ServerURL != nil {
+		mp.ControlURL = *c.ServerURL
+		mp.ControlURLSet = true
+	}
+	if c.Enabled != "" {
+		mp.WantRunning = c.Enabled.EqualBool(true)
+		mp.WantRunningSet = true
+	}
+	if c.OperatorUser != nil {
+		mp.OperatorUser = *c.OperatorUser
+		mp.OperatorUserSet = true
+	}
+	if c.Hostname != nil {
+		mp.Hostname = *c.Hostname
+		mp.HostnameSet = true
+	}
+	if c.AcceptDNS != "" {
+		mp.CorpDNS = c.AcceptDNS.EqualBool(true)
+		mp.CorpDNSSet = true
+	}
+	if c.AcceptRoutes != "" {
+		mp.RouteAll = c.AcceptRoutes.EqualBool(true)
+		mp.RouteAllSet = true
+	}
+	if c.ExitNode != nil {
+		ip, err := netip.ParseAddr(*c.ExitNode)
+		if err == nil {
+			mp.ExitNodeIP = ip
+			mp.ExitNodeIPSet = true
+		} else {
+			mp.ExitNodeID = tailcfg.StableNodeID(*c.ExitNode)
+			mp.ExitNodeIDSet = true
+		}
+	}
+	if c.AllowLANWhileUsingExitNode != "" {
+		mp.ExitNodeAllowLANAccess = c.AllowLANWhileUsingExitNode.EqualBool(true)
+		mp.ExitNodeAllowLANAccessSet = true
+	}
+	if c.AdvertiseRoutes != nil {
+		mp.AdvertiseRoutes = c.AdvertiseRoutes
+		mp.AdvertiseRoutesSet = true
+	}
+	if c.DisableSNAT != "" {
+		mp.NoSNAT = c.DisableSNAT.EqualBool(true)
+		mp.NoSNAT = true
+	}
+	if c.NetfilterMode != nil {
+		m, err := preftype.ParseNetfilterMode(*c.NetfilterMode)
+		if err != nil {
+			return mp, err
+		}
+		mp.NetfilterMode = m
+		mp.NetfilterModeSet = true
+	}
+	if c.PostureChecking != "" {
+		mp.PostureChecking = c.PostureChecking.EqualBool(true)
+		mp.PostureCheckingSet = true
+	}
+	if c.RunSSHServer != "" {
+		mp.RunSSH = c.RunSSHServer.EqualBool(true)
+		mp.RunSSHSet = true
+	}
+	if c.ShieldsUp != "" {
+		mp.ShieldsUp = c.ShieldsUp.EqualBool(true)
+		mp.ShieldsUpSet = true
+	}
+	if c.AutoUpdate != nil {
+		mp.AutoUpdate = *c.AutoUpdate
+		mp.AutoUpdateSet = true
+	}
+	return mp, nil
+}

ipn/conffile/conffile.go

@@ -0,0 +1,66 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package conffile contains code to load, manipulate, and access config file
+// settings.
+package conffile
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/tailscale/hujson"
+	"tailscale.com/ipn"
+)
+
+// Config describes a config file
+type Config struct {
+	Path    string // disk path of HuJSON
+	Raw     []byte // raw bytes from disk, in HuJSON form
+	Std     []byte // standardized JSON form
+	Version string // "alpha0" for now
+
+	// Parsed is the parsed config, converted from its on-disk version to the
+	// latest known format.
+	//
+	// As of 2023-10-15 there is exactly one format ("alpha0") so this is both
+	// the on-disk format and the in-memory upgraded format.
+	Parsed ipn.ConfigVAlpha
+}
+
+// Load reads and parses the config file at the provided path on disk.
+func Load(path string) (*Config, error) {
+	var c Config
+	c.Path = path
+
+	var err error
+	c.Raw, err = os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	c.Std, err = hujson.Standardize(c.Raw)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing config file %s HuJSON/JSON: %w", path, err)
+	}
+	var ver struct {
+		Version string `json:"version"`
+	}
+	if err := json.Unmarshal(c.Std, &ver); err != nil {
+		return nil, fmt.Errorf("error parsing config file %s: %w", path, err)
+	}
+	switch ver.Version {
+	case "":
+		return nil, fmt.Errorf("error parsing config file %s: no \"version\" field defined", path)
+	case "alpha0":
+	default:
+		return nil, fmt.Errorf("error parsing config file %s: unsupported \"version\" value %q; want \"alpha0\" for now", path, ver.Version)
+	}
+	c.Version = ver.Version
+
+	err = json.Unmarshal(c.Std, &c.Parsed)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing config file %s: %w", path, err)
+	}
+	return &c, nil
+}

ipn/ipnlocal/local.go

@@ -44,6 +44,7 @@ import (
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/conffile"
 	"tailscale.com/ipn/ipnauth"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
@@ -198,7 +199,8 @@ type LocalBackend struct {
 
 	// The mutex protects the following elements.
 	mu             sync.Mutex
-	pm             *profileManager // mu guards access
+	conf           *conffile.Config // latest parsed config, or nil if not in declarative mode
+	pm             *profileManager  // mu guards access
 	filterHash     deephash.Sum
 	httpTestClient *http.Client // for controlclient. nil by default, used by tests.
 	ccGen          clientGen    // function for producing controlclient; lazily populated
@@ -340,6 +342,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		keyLogf:             logger.LogOnChange(logf, 5*time.Minute, clock.Now),
 		statsLogf:           logger.LogOnChange(logf, 5*time.Minute, clock.Now),
 		sys:                 sys,
+		conf:                sys.InitialConfig,
 		e:                   e,
 		dialer:              dialer,
 		store:               store,
@@ -518,6 +521,25 @@ func (b *LocalBackend) SetDirectFileDoFinalRename(v bool) {
 	b.directFileDoFinalRename = v
 }
 
+// ReloadCOnfig reloads the backend's config from disk.
+//
+// It returns (false, nil) if not running in declarative mode, (true, nil) on
+// success, or (false, error) on failure.
+func (b *LocalBackend) ReloadConfig() (ok bool, err error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.conf == nil {
+		return false, nil
+	}
+	conf, err := conffile.Load(b.conf.Path)
+	if err != nil {
+		return false, err
+	}
+	b.conf = conf
+	// TODO(bradfitz): apply things
+	return true, nil
+}
+
 // pauseOrResumeControlClientLocked pauses b.cc if there is no network available
 // or if the LocalBackend is in Stopped state with a valid NetMap. In all other
 // cases, it unpauses it. It is a no-op if b.cc is nil.

ipn/localapi/localapi.go

@@ -96,6 +96,7 @@ var handler = map[string]localAPIHandler{
 	"ping":                        (*Handler).servePing,
 	"prefs":                       (*Handler).servePrefs,
 	"pprof":                       (*Handler).servePprof,
+	"reload-config":               (*Handler).reloadConfig,
 	"reset-auth":                  (*Handler).serveResetAuth,
 	"serve-config":                (*Handler).serveServeConfig,
 	"set-dns":                     (*Handler).serveSetDNS,
@@ -838,6 +839,26 @@ func (h *Handler) servePprof(w http.ResponseWriter, r *http.Request) {
 	servePprofFunc(w, r)
 }
 
+func (h *Handler) reloadConfig(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != httpm.POST {
+		http.Error(w, "use POST", http.StatusMethodNotAllowed)
+		return
+	}
+	ok, err := h.b.ReloadConfig()
+	var res apitype.ReloadConfigResponse
+	res.Reloaded = ok
+	if err != nil {
+		res.Err = err.Error()
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(&res)
+}
+
 func (h *Handler) serveResetAuth(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "reset-auth modify access denied", http.StatusForbidden)