ipn/localapi: require local Windows admin to set serve path (#9969)

For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>
2025-08-20 09:57:31 +00:00 · 2023-10-26 14:40:44 -07:00
parent 42abf13843
commit baa1fd976e
4 changed files with 193 additions and 0 deletions
--- a/ipn/serve_test.go
+++ b/ipn/serve_test.go
@@ -43,3 +43,86 @@ func TestCheckFunnelAccess(t *testing.T) {
 		}
 	}
 }
+
+func TestHasPathHandler(t *testing.T) {
+	tests := []struct {
+		name string
+		cfg  ServeConfig
+		want bool
+	}{
+		{
+			name: "empty-config",
+			cfg:  ServeConfig{},
+			want: false,
+		},
+		{
+			name: "with-bg-path-handler",
+			cfg: ServeConfig{
+				TCP: map[uint16]*TCPPortHandler{80: {HTTP: true}},
+				Web: map[HostPort]*WebServerConfig{
+					"foo.test.ts.net:80": {Handlers: map[string]*HTTPHandler{
+						"/": {Path: "/tmp"},
+					}},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "with-fg-path-handler",
+			cfg: ServeConfig{
+				TCP: map[uint16]*TCPPortHandler{
+					443: {HTTPS: true},
+				},
+				Foreground: map[string]*ServeConfig{
+					"abc123": {
+						TCP: map[uint16]*TCPPortHandler{80: {HTTP: true}},
+						Web: map[HostPort]*WebServerConfig{
+							"foo.test.ts.net:80": {Handlers: map[string]*HTTPHandler{
+								"/": {Path: "/tmp"},
+							}},
+						},
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "with-no-bg-path-handler",
+			cfg: ServeConfig{
+				TCP: map[uint16]*TCPPortHandler{443: {HTTPS: true}},
+				Web: map[HostPort]*WebServerConfig{
+					"foo.test.ts.net:443": {Handlers: map[string]*HTTPHandler{
+						"/": {Proxy: "http://127.0.0.1:3000"},
+					}},
+				},
+				AllowFunnel: map[HostPort]bool{"foo.test.ts.net:443": true},
+			},
+			want: false,
+		},
+		{
+			name: "with-no-fg-path-handler",
+			cfg: ServeConfig{
+				Foreground: map[string]*ServeConfig{
+					"abc123": {
+						TCP: map[uint16]*TCPPortHandler{443: {HTTPS: true}},
+						Web: map[HostPort]*WebServerConfig{
+							"foo.test.ts.net:443": {Handlers: map[string]*HTTPHandler{
+								"/": {Proxy: "http://127.0.0.1:3000"},
+							}},
+						},
+						AllowFunnel: map[HostPort]bool{"foo.test.ts.net:443": true},
+					},
+				},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.cfg.HasPathHandler()
+			if tt.want != got {
+				t.Errorf("HasPathHandler() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}