tailfs: initial implementation

Add a WebDAV-based folder sharing mechanism that is exposed to local clients at 100.100.100.100:8080 and to remote peers via a new peerapi endpoint at /v0/tailfs. Add the ability to manage folder sharing via the new 'share' CLI sub-command. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-12-23 00:56:20 +00:00 · 2024-02-02 12:45:32 -06:00
parent 2e404b769d
commit 993acf4475
61 changed files with 4919 additions and 284 deletions
--- a/tailfs/remote_permissions.go
+++ b/tailfs/remote_permissions.go
@@ -0,0 +1,65 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailfs
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+type Permission uint8
+
+const (
+	PermissionNone Permission = iota
+	PermissionReadOnly
+	PermissionReadWrite
+)
+
+const (
+	accessReadOnly  = "ro"
+	accessReadWrite = "rw"
+
+	wildcardShare = "*"
+)
+
+// Permissions represents the set of permissions for a given principal to a
+// set of shares.
+type Permissions map[string]Permission
+
+type grant struct {
+	Shares []string
+	Access string
+}
+
+// ParsePermissions builds a Permissions map from a lis of raw grants.
+func ParsePermissions(rawGrants [][]byte) (Permissions, error) {
+	permissions := make(Permissions)
+	for _, rawGrant := range rawGrants {
+		var g grant
+		err := json.Unmarshal(rawGrant, &g)
+		if err != nil {
+			return nil, fmt.Errorf("unmarshal raw grants: %v", err)
+		}
+		for _, share := range g.Shares {
+			existingPermission := permissions[share]
+			permission := PermissionReadOnly
+			if g.Access == accessReadWrite {
+				permission = PermissionReadWrite
+			}
+			if permission > existingPermission {
+				permissions[share] = permission
+			}
+		}
+	}
+	return permissions, nil
+}
+
+func (p Permissions) For(share string) Permission {
+	specific := p[share]
+	wildcard := p[wildcardShare]
+	if specific > wildcard {
+		return specific
+	}
+	return wildcard
+}