ipn, safesocket: use Windows token in LocalAPI

On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.

The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.

This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).

Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.

I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.

Updates https://github.com/tailscale/tailscale/issues/755

Signed-off-by: Aaron Klotz <aaron@tailscale.com>

ipn/localapi/localapi.go

@@ -157,6 +157,17 @@ type Handler struct {
 	// cert fetching access.
 	PermitCert bool
 
+	// CallerIsLocalAdmin is whether the this handler is being invoked as a
+	// result of a LocalAPI call from a user who is a local admin of the current
+	// machine.
+	//
+	// As of 2023-10-26 it is only populated on Windows.
+	//
+	// It can be used to to restrict some LocalAPI operations which should only
+	// be run by an admin and not unprivileged users in a computing environment
+	// managed by IT admins.
+	CallerIsLocalAdmin bool
+
 	b            *ipnlocal.LocalBackend
 	logf         logger.Logf
 	netMon       *netmon.Monitor // optional; nil means interfaces will be looked up on-demand