appc,ipn/ipnlocal,net/dns/resolver: add App Connector wiring when enabled in prefs

An EmbeddedAppConnector is added that when configured observes DNS
responses from the PeerAPI. If a response is found matching a configured
domain, routes are advertised when necessary.

The wiring from a configuration in the netmap capmap is not yet done, so
while the connector can be enabled, no domains can yet be added.

Updates tailscale/corp#15437

Signed-off-by: James Tucker <james@tailscale.com>

ipn/ipnlocal/local.go

@@ -32,6 +32,7 @@ import (
 	"go4.org/netipx"
 	xmaps "golang.org/x/exp/maps"
 	"gvisor.dev/gvisor/pkg/tcpip"
+	"tailscale.com/appc"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/control/controlknobs"
@@ -203,9 +204,10 @@ type LocalBackend struct {
 	conf           *conffile.Config // latest parsed config, or nil if not in declarative mode
 	pm             *profileManager  // mu guards access
 	filterHash     deephash.Sum
-	httpTestClient *http.Client // for controlclient. nil by default, used by tests.
-	ccGen          clientGen    // function for producing controlclient; lazily populated
-	sshServer      SSHServer    // or nil, initialized lazily.
+	httpTestClient *http.Client               // for controlclient. nil by default, used by tests.
+	ccGen          clientGen                  // function for producing controlclient; lazily populated
+	sshServer      SSHServer                  // or nil, initialized lazily.
+	appConnector   *appc.EmbeddedAppConnector // or nil, initialized when configured.
 	webClient      webClient
 	notify         func(ipn.Notify)
 	cc             controlclient.Client
@@ -2995,6 +2997,9 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) ipn
 
 	oldHi := b.hostinfo
 	newHi := oldHi.Clone()
+	if newHi == nil {
+		newHi = new(tailcfg.Hostinfo)
+	}
 	b.applyPrefsToHostinfoLocked(newHi, newp.View())
 	b.hostinfo = newHi
 	hostInfoChanged := !oldHi.Equal(newHi)
@@ -3240,6 +3245,10 @@ func (b *LocalBackend) authReconfig() {
 	disableSubnetsIfPAC := hasCapability(nm, tailcfg.NodeAttrDisableSubnetsIfPAC)
 	dohURL, dohURLOK := exitNodeCanProxyDNS(nm, b.peers, prefs.ExitNodeID())
 	dcfg := dnsConfigForNetmap(nm, b.peers, prefs, b.logf, version.OS())
+	// If the current node is an app connector, ensure the app connector machine is started
+	if prefs.AppConnector().Advertise && b.appConnector == nil {
+		b.appConnector = appc.NewEmbeddedAppConnector(b.logf, b)
+	}
 	b.mu.Unlock()
 
 	if blocked {
@@ -4812,6 +4821,14 @@ func (b *LocalBackend) OfferingExitNode() bool {
 	return def4 && def6
 }
 
+// OfferingAppConnector reports whether b is currently offering app
+// connector services.
+func (b *LocalBackend) OfferingAppConnector() bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	return b.appConnector != nil
+}
+
 // allowExitNodeDNSProxyToServeName reports whether the Exit Node DNS
 // proxy is allowed to serve responses for the provided DNS name.
 func (b *LocalBackend) allowExitNodeDNSProxyToServeName(name string) bool {
@@ -5398,6 +5415,39 @@ func (b *LocalBackend) DebugBreakDERPConns() error {
 	return b.magicConn().DebugBreakDERPConns()
 }
 
+// ObserveDNSResponse passes a DNS response from the PeerAPI DNS server to the
+// App Connector to enable route discovery.
+func (b *LocalBackend) ObserveDNSResponse(res []byte) {
+	var appConnector *appc.EmbeddedAppConnector
+	b.mu.Lock()
+	if b.appConnector == nil {
+		b.mu.Unlock()
+		return
+	}
+	appConnector = b.appConnector
+	b.mu.Unlock()
+
+	appConnector.ObserveDNSResponse(res)
+}
+
+// AdvertiseRoute implements the appc.RouteAdvertiser interface. It sets a new
+// route advertisement if one is not already present in the existing routes.
+func (b *LocalBackend) AdvertiseRoute(ipp netip.Prefix) error {
+	currentRoutes := b.Prefs().AdvertiseRoutes()
+	// TODO(raggi): check if the new route is a subset of an existing route.
+	if currentRoutes.ContainsFunc(func(r netip.Prefix) bool { return r == ipp }) {
+		return nil
+	}
+	routes := append(currentRoutes.AsSlice(), ipp)
+	_, err := b.EditPrefs(&ipn.MaskedPrefs{
+		Prefs: ipn.Prefs{
+			AdvertiseRoutes: routes,
+		},
+		AdvertiseRoutesSet: true,
+	})
+	return err
+}
+
 // mayDeref dereferences p if non-nil, otherwise it returns the zero value.
 func mayDeref[T any](p *T) (v T) {
 	if p == nil {

ipn/ipnlocal/local_test.go

@@ -10,10 +10,13 @@ import (
 	"net/http"
 	"net/netip"
 	"reflect"
+	"slices"
 	"testing"
 	"time"
 
 	"go4.org/netipx"
+	"golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/appc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -30,6 +33,7 @@ import (
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
+	"tailscale.com/util/must"
 	"tailscale.com/util/set"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
@@ -1142,6 +1146,47 @@ func TestDNSConfigForNetmapForExitNodeConfigs(t *testing.T) {
 	}
 }
 
+func TestOfferingAppConnector(t *testing.T) {
+	b := newTestBackend(t)
+	if b.OfferingAppConnector() {
+		t.Fatal("unexpected offering app connector")
+	}
+	b.appConnector = appc.NewEmbeddedAppConnector(t.Logf, nil)
+	if !b.OfferingAppConnector() {
+		t.Fatal("unexpected not offering app connector")
+	}
+}
+
+func TestRouteAdvertiser(t *testing.T) {
+	b := newTestBackend(t)
+	testPrefix := netip.MustParsePrefix("192.0.0.8/32")
+
+	ra := appc.RouteAdvertiser(b)
+	must.Do(ra.AdvertiseRoute(testPrefix))
+
+	routes := b.Prefs().AdvertiseRoutes()
+	if routes.Len() != 1 || routes.At(0) != testPrefix {
+		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
+	}
+}
+
+func TestObserveDNSResponse(t *testing.T) {
+	b := newTestBackend(t)
+
+	// ensure no error when no app connector is configured
+	b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+
+	rc := &routeCollector{}
+	b.appConnector = appc.NewEmbeddedAppConnector(t.Logf, rc)
+	b.appConnector.UpdateDomains([]string{"example.com"})
+
+	b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
+	if !slices.Equal(rc.routes, wantRoutes) {
+		t.Fatalf("got routes %v, want %v", rc.routes, wantRoutes)
+	}
+}
+
 func resolversEqual(t *testing.T, a, b []*dnstype.Resolver) bool {
 	if a == nil && b == nil {
 		return true
@@ -1176,3 +1221,50 @@ func routesEqual(t *testing.T, a, b map[dnsname.FQDN][]*dnstype.Resolver) bool {
 	}
 	return true
 }
+
+// dnsResponse is a test helper that creates a DNS response buffer for the given domain and address
+func dnsResponse(domain, address string) []byte {
+	addr := netip.MustParseAddr(address)
+	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
+	b.EnableCompression()
+	b.StartAnswers()
+	switch addr.BitLen() {
+	case 32:
+		b.AResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AResource{
+				A: addr.As4(),
+			},
+		)
+	case 128:
+		b.AAAAResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeAAAA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AAAAResource{
+				AAAA: addr.As16(),
+			},
+		)
+	default:
+		panic("invalid address length")
+	}
+	return must.Get(b.Finish())
+}
+
+// routeCollector is a test helper that collects the list of routes advertised
+type routeCollector struct {
+	routes []netip.Prefix
+}
+
+func (rc *routeCollector) AdvertiseRoute(pfx netip.Prefix) error {
+	rc.routes = append(rc.routes, pfx)
+	return nil
+}

ipn/ipnlocal/peerapi.go

@@ -32,7 +32,6 @@ import (
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
-	"tailscale.com/net/dns/resolver"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/netutil"
@@ -51,9 +50,14 @@ var initListenConfig func(*net.ListenConfig, netip.Addr, *interfaces.State, stri
 // ("cleartext" HTTP/2) support to the peerAPI.
 var addH2C func(*http.Server)
 
+// peerDNSQueryHandler is implemented by tsdns.Resolver.
+type peerDNSQueryHandler interface {
+	HandlePeerDNSQuery(context.Context, []byte, netip.AddrPort, func(name string) bool) (res []byte, err error)
+}
+
 type peerAPIServer struct {
 	b        *LocalBackend
-	resolver *resolver.Resolver
+	resolver peerDNSQueryHandler
 
 	taildrop *taildrop.Manager
 }
@@ -861,9 +865,9 @@ func (h *peerAPIHandler) replyToDNSQueries() bool {
 		return true
 	}
 	b := h.ps.b
-	if !b.OfferingExitNode() {
-		// If we're not an exit node, there's no point to
-		// being a DNS server for somebody.
+	if !b.OfferingExitNode() && !b.OfferingAppConnector() {
+		// If we're not an exit node or app connector, there's
+		// no point to being a DNS server for somebody.
 		return false
 	}
 	if !h.remoteAddr.IsValid() {
@@ -927,7 +931,7 @@ func (h *peerAPIHandler) handleDNSQuery(w http.ResponseWriter, r *http.Request)
 
 	ctx, cancel := context.WithTimeout(r.Context(), arbitraryTimeout)
 	defer cancel()
-	res, err := h.ps.resolver.HandleExitNodeDNSQuery(ctx, q, h.remoteAddr, h.ps.b.allowExitNodeDNSProxyToServeName)
+	res, err := h.ps.resolver.HandlePeerDNSQuery(ctx, q, h.remoteAddr, h.ps.b.allowExitNodeDNSProxyToServeName)
 	if err != nil {
 		h.logf("handleDNS fwd error: %v", err)
 		if err := ctx.Err(); err != nil {
@@ -937,6 +941,13 @@ func (h *peerAPIHandler) handleDNSQuery(w http.ResponseWriter, r *http.Request)
 		}
 		return
 	}
+	// TODO(raggi): consider pushing the integration down into the resolver
+	// instead to avoid re-parsing the DNS response for improved performance in
+	// the future.
+	if h.ps.b.OfferingAppConnector() {
+		h.ps.b.ObserveDNSResponse(res)
+	}
+
 	if pretty {
 		// Non-standard response for interactive debugging.
 		w.Header().Set("Content-Type", "application/json")

ipn/ipnlocal/peerapi_test.go

@@ -5,6 +5,7 @@ package ipnlocal
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"io"
 	"io/fs"
@@ -14,11 +15,14 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"go4.org/netipx"
+	"golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/appc"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -680,3 +684,63 @@ func TestPeerAPIReplyToDNSQueries(t *testing.T) {
 		t.Errorf("unexpectedly IPv6 deny; wanted to be a DNS server")
 	}
 }
+
+func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
+	var h peerAPIHandler
+	h.remoteAddr = netip.MustParseAddrPort("100.150.151.152:12345")
+
+	rc := &routeCollector{}
+	eng, _ := wgengine.NewFakeUserspaceEngine(logger.Discard, 0)
+	pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
+	h.ps = &peerAPIServer{
+		b: &LocalBackend{
+			e:            eng,
+			pm:           pm,
+			store:        pm.Store(),
+			appConnector: appc.NewEmbeddedAppConnector(t.Logf, rc),
+		},
+	}
+	h.ps.b.appConnector.UpdateDomains([]string{"example.com"})
+
+	h.ps.resolver = &fakeResolver{}
+	f := filter.NewAllowAllForTest(logger.Discard)
+	h.ps.b.setFilter(f)
+
+	if !h.ps.b.OfferingAppConnector() {
+		t.Fatal("expecting to be offering app connector")
+	}
+	if !h.replyToDNSQueries() {
+		t.Errorf("unexpectedly deny; wanted to be a DNS server")
+	}
+
+	w := httptest.NewRecorder()
+	h.handleDNSQuery(w, httptest.NewRequest("GET", "/dns-query?q=true&t=example.com.", nil))
+	if w.Code != http.StatusOK {
+		t.Errorf("unexpected status code: %v", w.Code)
+	}
+
+	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
+	if !slices.Equal(rc.routes, wantRoutes) {
+		t.Errorf("got %v; want %v", rc.routes, wantRoutes)
+	}
+}
+
+type fakeResolver struct{}
+
+func (f *fakeResolver) HandlePeerDNSQuery(ctx context.Context, q []byte, from netip.AddrPort, allowName func(name string) bool) (res []byte, err error) {
+	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
+	b.EnableCompression()
+	b.StartAnswers()
+	b.AResource(
+		dnsmessage.ResourceHeader{
+			Name:  dnsmessage.MustNewName("example.com."),
+			Type:  dnsmessage.TypeA,
+			Class: dnsmessage.ClassINET,
+			TTL:   0,
+		},
+		dnsmessage.AResource{
+			A: [4]byte{192, 0, 0, 8},
+		},
+	)
+	return b.Finish()
+}