ipn/ipnlocal, tailcfg: add disable-web-client node attribute (#11418)

Add a disable-web-client node attribute and add handling for disabling
the web client when this node attribute is set.

Updates https://github.com/tailscale/tailscale/issues/10261

Signed-off-by: Mario Minardi <mario@tailscale.com>

ipn/ipnlocal/local.go

@@ -4508,8 +4508,13 @@ func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && en
 // call regardless of whether b.mu is held or not.
 func (b *LocalBackend) ShouldRunWebClient() bool { return b.webClientAtomicBool.Load() }
 
+// setWebClientAtomicBoolLocked sets webClientAtomicBool based on whether
+// the RunWebClient pref is set, and whether tailcfg.NodeAttrDisableWebClient
+// has been set in the netmap.NetworkMap.
+//
+// b.mu must be held.
 func (b *LocalBackend) setWebClientAtomicBoolLocked(nm *netmap.NetworkMap, prefs ipn.PrefsView) {
-	shouldRun := prefs.Valid() && prefs.RunWebClient()
+	shouldRun := prefs.Valid() && prefs.RunWebClient() && !hasCapability(nm, tailcfg.NodeAttrDisableWebClient)
 	wasRunning := b.webClientAtomicBool.Swap(shouldRun)
 	if wasRunning && !shouldRun {
 		go b.webClientShutdown() // stop web client

tailcfg/tailcfg.go

@@ -2219,6 +2219,9 @@ type Oauth2Token struct {
 	// NodeAttrSuggestExitNode is applied to each exit node which the control plane has determined
 	// is a recommended exit node.
 	NodeAttrSuggestExitNode NodeCapability = "suggest-exit-node"
+
+	// NodeAttrDisableWebClient disables using the web client.
+	NodeAttrDisableWebClient NodeCapability = "disable-web-client"
 )
 
 // SetDNSRequest is a request to add a DNS record.