cmd/tailscale/cli,ipn/ipnlocal: restrict logout when AlwaysOn mode is enabled

In this PR, we start passing a LocalAPI actor to (*LocalBackend).Logout to make it subject
to the same access check as disconnects made via tailscale down or the GUI.

We then update the CLI to allow `tailscale logout` to accept a reason, similar to `tailscale down`.

Updates tailscale/corp#26249

Signed-off-by: Nick Khyl <nickk@tailscale.com>

cmd/tailscale/cli/logout.go

@@ -5,12 +5,18 @@ package cli
 
 import (
 	"context"
+	"flag"
 	"fmt"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale/apitype"
 )
 
+var logoutArgs struct {
+	reason string
+}
+
 var logoutCmd = &ffcli.Command{
 	Name:       "logout",
 	ShortUsage: "tailscale logout",
@@ -22,11 +28,17 @@ the current node key, forcing a future use of it to cause
 a reauthentication.
 `),
 	Exec: runLogout,
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("logout")
+		fs.StringVar(&logoutArgs.reason, "reason", "", "reason for the logout, if required by a policy")
+		return fs
+	})(),
 }
 
 func runLogout(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
+	ctx = apitype.RequestReasonKey.WithValue(ctx, logoutArgs.reason)
 	return localClient.Logout(ctx)
 }

cmd/tsconnect/wasm/wasm_js.go

@@ -27,6 +27,7 @@ import (
 	"golang.org/x/crypto/ssh"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnauth"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store/mem"
@@ -336,7 +337,7 @@ func (i *jsIPN) logout() {
 	go func() {
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
-		i.lb.Logout(ctx)
+		i.lb.Logout(ctx, ipnauth.Self)
 	}()
 }