ipn/store: automatically migrate between plaintext and encrypted state (#16318)

Add a new `--encrypt-state` flag to `cmd/tailscaled`. Based on that flag, migrate the existing state file to/from encrypted format if needed. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-14 23:17:29 +00:00 · 2025-06-26 17:09:13 -07:00
parent d2c1ed22c3
commit 6feb3c35cb
24 changed files with 546 additions and 26 deletions
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -15,6 +15,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"iter"
 	"log"
 	"math/rand/v2"
 	"net"
@@ -579,6 +580,29 @@ func (s *jsStateStore) WriteState(id ipn.StateKey, bs []byte) error {
 	return nil
 }

+func (s *jsStateStore) All() iter.Seq2[ipn.StateKey, []byte] {
+	return func(yield func(ipn.StateKey, []byte) bool) {
+		jsValue := s.jsStateStorage.Call("all")
+		if jsValue.String() == "" {
+			return
+		}
+		buf, err := hex.DecodeString(jsValue.String())
+		if err != nil {
+			return
+		}
+		var state map[string][]byte
+		if err := json.Unmarshal(buf, &state); err != nil {
+			return
+		}
+
+		for k, v := range state {
+			if !yield(ipn.StateKey(k), v) {
+				break
+			}
+		}
+	}
+}
+
 func mapSlice[T any, M any](a []T, f func(T) M) []M {
 	n := make([]M, len(a))
 	for i, e := range a {