ipn: replace web client debug flag with node capability

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
Will Norris 2023-10-31 11:41:39 -07:00 committed by Will Norris
parent bd488e4ff8
commit 66c7af3dd3
4 changed files with 6 additions and 12 deletions


@ -570,9 +570,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
if root := lb.TailscaleVarRoot(); root != "" { if root := lb.TailscaleVarRoot(); root != "" {
dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf) dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf)
} }
if envknob.Bool("TS_DEBUG_WEB_UI") {
lb.SetWebLocalClient(&tailscale.LocalClient{Socket: args.socketpath, UseSocketOnly: args.socketpath != ""}) lb.SetWebLocalClient(&tailscale.LocalClient{Socket: args.socketpath, UseSocketOnly: args.socketpath != ""})
}
configureTaildrop(logf, lb) configureTaildrop(logf, lb)
if err := ns.Start(lb); err != nil { if err := ns.Start(lb); err != nil {
log.Fatalf("failed to start netstack: %v", err) log.Fatalf("failed to start netstack: %v", err)
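Review bot: With the `TS_DEBUG_WEB_UI` guard removed, `lb.SetWebLocalClient(...)` is now called unconditionally at this point, and nothing at the call site says where the web client is gated instead. A short comment above the call would help, for example `// Always set; whether the web client may start is gated in ipnlocal by the preview-webclient node capability.` getLocalBackend begins and ends outside this hunk, so any later use of the client is not visible here.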


@ -2920,11 +2920,6 @@ func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (ipn.PrefsView, error) {
b.logf("EditPrefs requests SSH, but disabled by envknob; returning error") b.logf("EditPrefs requests SSH, but disabled by envknob; returning error")
return ipn.PrefsView{}, errors.New("Tailscale SSH server administratively disabled.") return ipn.PrefsView{}, errors.New("Tailscale SSH server administratively disabled.")
} }
if p1.RunWebClient && !envknob.Bool("TS_DEBUG_WEB_UI") {
b.mu.Unlock()
b.logf("EditPrefs requests web client, but disabled by envknob; returning error")
return ipn.PrefsView{}, errors.New("web ui flag not set")
}
if p1.View().Equals(p0) { if p1.View().Equals(p0) {
b.mu.Unlock() b.mu.Unlock()
return stripKeysFromPrefs(p0), nil return stripKeysFromPrefs(p0), nil
@ -4161,7 +4156,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {
func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() } func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }
func (b *LocalBackend) ShouldRunWebClient() bool { func (b *LocalBackend) ShouldRunWebClient() bool {
return b.webclientAtomicBool.Load() && envknob.Bool("TS_DEBUG_WEB_UI") return b.webclientAtomicBool.Load() && hasCapability(b.netMap, tailcfg.CapabilityPreviewWebClient)
} }
// ShouldHandleViaIP reports whether ip is an IPv6 address in the // ShouldHandleViaIP reports whether ip is an IPv6 address in the
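Review bot: `ShouldRunWebClient` now reads `b.netMap` without taking `b.mu`, while the neighbouring `ShouldRunSSH` uses only an atomic and an envknob; if `netMap` is guarded by `b.mu` (its declaration is not shown here), this is an unsynchronised read on the check that gates the web client. The same pattern appears in `WebClientInit` in the web client file, where `hasCapability(b.netMap, ...)` runs before `b.mu.Lock()`. Consider folding the capability into the atomic whenever the netmap or prefs change, so this stays `return b.webclientAtomicBool.Load()`, and moving the check in `WebClientInit` below the lock. Separately, with the `EditPrefs` rejection removed, `RunWebClient` can be stored on a node that lacks the capability and would presumably take effect once control grants it; a comment stating that this is intended would help.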


@ -13,8 +13,8 @@
"tailscale.com/client/tailscale" "tailscale.com/client/tailscale"
"tailscale.com/client/web" "tailscale.com/client/web"
"tailscale.com/envknob"
"tailscale.com/net/netutil" "tailscale.com/net/netutil"
"tailscale.com/tailcfg"
) )
// webClient holds state for the web interface for managing // webClient holds state for the web interface for managing
@ -41,8 +41,8 @@ func (b *LocalBackend) SetWebLocalClient(lc *tailscale.LocalClient) {
// tailscaled instance. // tailscaled instance.
// If the web interface is already running, WebClientInit is a no-op. // If the web interface is already running, WebClientInit is a no-op.
func (b *LocalBackend) WebClientInit() (err error) { func (b *LocalBackend) WebClientInit() (err error) {
if !envknob.Bool("TS_DEBUG_WEB_UI") { if !hasCapability(b.netMap, tailcfg.CapabilityPreviewWebClient) {
return errors.New("web ui flag unset") return errors.New("web client not enabled for this device")
} }
b.mu.Lock() b.mu.Lock()


@ -2040,6 +2040,7 @@ type Oauth2Token struct {
CapabilityDataPlaneAuditLogs NodeCapability = "https://tailscale.com/cap/data-plane-audit-logs" // feature enabled CapabilityDataPlaneAuditLogs NodeCapability = "https://tailscale.com/cap/data-plane-audit-logs" // feature enabled
CapabilityDebug NodeCapability = "https://tailscale.com/cap/debug" // exposes debug endpoints over the PeerAPI CapabilityDebug NodeCapability = "https://tailscale.com/cap/debug" // exposes debug endpoints over the PeerAPI
CapabilityHTTPS NodeCapability = "https" // https cert provisioning enabled on tailnet CapabilityHTTPS NodeCapability = "https" // https cert provisioning enabled on tailnet
CapabilityPreviewWebClient NodeCapability = "preview-webclient" // allows starting web client in tailscaled
// CapabilityBindToInterfaceByRoute changes how Darwin nodes create // CapabilityBindToInterfaceByRoute changes how Darwin nodes create
// sockets (in the net/netns package). See that package for more // sockets (in the net/netns package). See that package for more