Commit Graph

7552 Commits

Author SHA1 Message Date
Will Norris
74947ce459 client/web: only trigger check mode if not authed
After logging in, the `?check=now` query string is still present if it
was passed. Reloading the page causes a new check mode to be triggered,
even though the user has an active session. Only trigger the automatic
check mode if the user is not already able to manage the device.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-14 12:27:18 -08:00
Will Norris
79719f05a9 ipn/ipnlocal: remove web client listeners after close
This prevents a panic in some cases where WebClientShutdown is called
multiple times.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-14 12:26:14 -08:00
Sonia Appasamy
7c99a1763b client/web: fix panic on logout
Fix panic due to `CurrentTailnet` being nil.

Fixes tailscale/corp#15791

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-14 14:35:13 -05:00
OSS Updater
063657c65f go.mod: update web-client-prebuilt module
Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>
2023-11-14 09:47:56 -08:00
Will Norris
7399e56acd .github: add action for updating web-client-prebuilt module
Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-14 09:30:08 -08:00
Andrew Lytvynov
955e2fcbfb
ipn/ipnlocal: run "tailscale update" via systemd-run on Linux (#10229)
When we run tailscled under systemd, restarting the unit kills all child
processes, including "tailscale update". And during update, the package
manager will restart the tailscaled unit. Specifically on Debian-based
distros, interrupting `apt-get install` can get the system into a wedged
state which requires the user to manually run `dpkg --configure` to
recover.

To avoid all this, use `systemd-run` where available to run the
`tailscale update` process. This launches it in a separate temporary
unit and doesn't kill it when parent unit is restarted.

Also, detect when `apt-get install` complains about aborted update and
try to restore the system by running `dpkg --configure tailscale`. This
could help if the system unexpectedly shuts down during our auto-update.

Fixes https://github.com/tailscale/corp/issues/15771

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-13 16:41:21 -08:00
Jordan Whited
c99488ea19
wgengine/magicsock: fix typo in endpoint.sendDiscoPing() docs (#10232)
Updates #cleanup

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2023-11-13 13:56:26 -08:00
Tom DNetto
90a0aafdca cmd/tailscale: warn if app-connector is enabled without ip forwarding
Fixes: ENG-2446
Signed-off-by: Tom DNetto <tom@tailscale.com>
2023-11-13 13:35:35 -08:00
Brad Fitzpatrick
1825d2337b
ipn/ipnlocal: respect ExitNodeAllowLANAccess on iOS (#10230)
Updates tailscale/corp#15783

Change-Id: I1082fbfff61a241ebd3b8275be0f45e329b67561

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-13 13:18:30 -08:00
Sonia Appasamy
c9bfb7c683 client/web: add Tailscale SSH view
Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-13 15:49:45 -05:00
Brad Fitzpatrick
103c00a175 ipn/ipnlocal: clean up c2n handling's big switch, add a mux table
Updates #cleanup

Change-Id: I29ec03db91e7831a3a66a63dcf6ff8e3f72ab045
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-13 11:57:56 -08:00
Tom DNetto
ce46d92ed2 go.{mod,sum}: update inet.af/tcpproxy to fix flaking test
```
[nix-shell:~/tailscale]$ ./tool/go test ./cmd/sniproxy --failfast --count 80
ok  	tailscale.com/cmd/sniproxy	127.085s
[nix-shell:~/tailscale]$ ./tool/go test ./cmd/sniproxy --failfast --count 80
ok  	tailscale.com/cmd/sniproxy	127.030s
```

Fixes: #10056
Signed-off-by: Tom DNetto <tom@tailscale.com>
2023-11-13 11:48:45 -08:00
Joe Tsai
975c5f7684
taildrop: lazily perform full deletion scan after first taildrop use (#10137)
Simply reading the taildrop directory can pop up security dialogs
on platforms like macOS. Avoid this by only performing garbage collection
of partial and deleted files after the first received taildrop file,
which would have prompted the security dialog window.

Updates tailscale/corp#14772

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2023-11-13 12:20:28 -06:00
Jordan Whited
e848736927
control/controlknobs,wgengine/magicsock: implement SilentDisco toggle (#10195)
This change exposes SilentDisco as a control knob, and plumbs it down to
magicsock.endpoint. No changes are being made to magicsock.endpoint
disco behavior, yet.

Updates #540

Signed-off-by: Jordan Whited <jordan@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-13 10:05:04 -08:00
Kristoffer Dalby
fe7f7bff4f posture: ignore not found serial errors
Updates #5902

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-11-13 18:22:08 +01:00
Sonia Appasamy
86c8ab7502 client/web: add readonly/manage toggle
Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-10 15:01:34 -05:00
James Tucker
c54d680682 ipn,tailconfig: clean up unreleased and removed app connector service
This was never released, and is replaced by HostInfo.AppConnector.

Updates tailscale/corp#15437
Signed-off-by: James Tucker <james@tailscale.com>
2023-11-09 22:36:52 -08:00
James Tucker
0b6636295e tailcfg,ipn/ipnlocal: add hostinfo field to replace service entry
Updates tailscale/corp#15437
Signed-off-by: James Tucker <james@tailscale.com>
2023-11-09 20:50:55 -08:00
Andrew Lytvynov
1f4a38ed49
clientupdate: add support for QNAP (#10179)
Use the `qpkg_cli` to check for updates and install them. There are a
couple special things about this compare to other updaters:
* qpkg_cli can tell you when upgrade is available, but not what the
  version is
* qpkg_cli --add Tailscale works for new installs, upgrades and
  reinstalling existing version; even reinstall of existing version
  takes a while

Updates #10178

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-09 17:46:16 -08:00
James Tucker
45be37cb01 ipn/ipnlocal: ensure that hostinfo is updated on app connector preference changes
Some conditional paths may otherwise skip the hostinfo update, so kick
it off asynchronously as other code paths do.

Updates tailscale/corp#15437
Signed-off-by: James Tucker <james@tailscale.com>
2023-11-09 17:38:57 -08:00
James Tucker
933d201bba ipn/policy: mark AppConnector service as interesting
Updates #15437
Signed-off-by: James Tucker <james@tailscale.com>
2023-11-09 17:16:07 -08:00
James Tucker
1a143963ec appc: prevent duplication of wildcard entries on map updates
Updates #15437
Signed-off-by: James Tucker <james@tailscale.com>
2023-11-09 16:47:42 -08:00
Andrew Lytvynov
6cce5fe001
go.toolchain.rev: bump to Go 1.21.4 (#10189)
Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-09 13:39:56 -08:00
Brad Fitzpatrick
53c4adc982 ssh/tailssh: add envknobs to force override forwarding, sftp, pty
Updates tailscale/corp#15735

Change-Id: Ib1303406be925c3231ce7e0950a173ad12626492
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-09 13:37:54 -08:00
Brad Fitzpatrick
ffabe5fe21 ssh/tailssh: fix sftp metric increment location
We were incrementing the sftp metric on regular sessions
too, not just sftp.

Updates #cleanup

Change-Id: I63027a39cffb3e03397c6e4829b1620c10fa3130
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-09 13:08:07 -08:00
Naman Sood
e57fd9cda4
ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update (#10188)
* ipn/{ipnlocal,ipnstate,localapi}: add localapi endpoints for client self-update

Updates #10187.

Signed-off-by: Naman Sood <mail@nsood.in>

* depaware

Updates #10187.

Signed-off-by: Naman Sood <mail@nsood.in>

* address review feedback

Signed-off-by: Naman Sood <mail@nsood.in>

---------

Signed-off-by: Naman Sood <mail@nsood.in>
2023-11-09 16:00:47 -05:00
Andrew Lytvynov
55cd5c575b
ipn/localapi: only perform local-admin check in serveServeConfig (#10163)
On unix systems, the check involves executing sudo, which is slow.
Instead of doing it for every incoming request, move the logic into
localapi serveServeConfig handler and do it as needed.

Updates tailscale/corp#15405

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-09 12:55:46 -08:00
James Tucker
73de6a1a95 appc: add support for matching wildcard domains
The app connector matches a configuration of "*.example.com" to mean any
sub-domain of example.com.

Updates #15437

Signed-off-by: James Tucker <james@tailscale.com>
2023-11-09 12:39:30 -08:00
Jordan Whited
12d5c99b04
client/tailscale,ipn/{ipnlocal,localapi}: check UDP GRO config (#10071)
Updates tailscale/corp#9990

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2023-11-09 11:34:41 -08:00
Andrew Lytvynov
1fc1077052
ssh/tailssh,util: extract new osuser package from ssh code (#10170)
This package is a wrapper for os/user that handles non-cgo builds,
gokrazy and user shells.

Updates tailscale/corp#15405

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-09 09:49:06 -08:00
Will Norris
09de240934 ipn/ipnlocal: allow connecting to local web client
The local web client has the same characteristic as tailscale serve, in
that it needs a local listener to allow for connections from the local
machine itself when running in kernel networking mode.

This change renames and adapts the existing serveListener to allow it to
be used by the web client as well.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-09 08:49:15 -08:00
Brad Fitzpatrick
d36a0d42aa tsnet: check a bit harder for https in Server.ListenFunnel
This was mostly already fixed already indirectly in earlier
commits but add a last second length check to this slice so
it can't ever OOB.

Fixes #7860

Change-Id: I31ac17fc93b5808deb09ff34e452fe37c87ddf3a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-09 07:51:58 -08:00
Andrew Lytvynov
bff786520e
clientupdate,ipn/ipnlocal: fix c2n update on freebsd (#10168)
The c2n part was broken because we were not looking up the tailscale
binary for that GOOS. The rest of the update was failing at the `pkg
upgrade` confirmation prompt. We also need to manually restart
tailscaled after update.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-08 18:56:00 -07:00
Sonia Appasamy
d544e80fc1 client/web: populate device details view
Fills /details page with real values, passed back from the /data
endpoint.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-08 17:59:58 -05:00
Brad Fitzpatrick
d852c616c6 logtail: fix Logger.Write return result
io.Writer says you need to write completely on err=nil. (the result
int should be the same as the input buffer length)

We weren't doing that. We used to, but at some point the verbose
filtering was modifying buf before the final return of len(buf).

We've been getting lucky probably, that callers haven't looked at our
results and turned us into a short write error.

Updates #cleanup
Updates tailscale/corp#15664

Change-Id: I01e765ba35b86b759819e38e0072eceb9d10d75c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-08 11:57:15 -08:00
Tom DNetto
11a20f371a ipn/ipnlocal: fix nil control client panic while updating TKA head
As part of tailnet-lock netmap processing, the LocalBackend mutex
is unlocked so we can potentially make a network call. Its possible
(during shutdown or while the control client is being reset) for
b.cc to become nil before the lock is picked up again.

Fixes: #9554
Signed-off-by: Tom DNetto <tom@tailscale.com>
2023-11-08 10:44:25 -08:00
Tom DNetto
3496d62ed3 ipn/ipnlocal: add empty address to the app-connector localNets set
App connectors handle DNS requests for app domains over PeerAPI,
but a safety check verifies the requesting peer has at least permission
to send traffic to 0.0.0.0:53 (or 2000:: for IPv6) before handling the DNS
request. The correct filter rules are synthesized by the coordination server
and sent down, but the address needs to be part of the 'local net' for the
filter package to even bother checking the filter rules, so we set them here.
See: https://github.com/tailscale/corp/issues/11961 for more information.

Signed-off-by: Tom DNetto <tom@tailscale.com>
Updates: ENG-2405
2023-11-08 10:44:03 -08:00
Will Norris
fdbe511c41 cmd/tailscale: add -webclient flag to up and set
Initially, only expose this flag on dev and unstable builds.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-08 10:00:58 -08:00
Charlotte Brandhorst-Satzkorn
f937cb6794 tailcfg,ipn,appc: add c2n endpoint for appc domain routes
This change introduces a c2n endpoint that returns a map of domains to a
slice of resolved IP addresses for the domain.

Fixes tailscale/corp#15657

Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
2023-11-07 18:12:24 -08:00
Andrew Lytvynov
63062abadc
clientupdate: check whether running as root early (#10161)
Check for root early, before we fetch the pkgs index. This avoids
several seconds delay for the command to tell you to sudo.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-07 13:09:30 -08:00
Andrew Lytvynov
9b158db2c6
ipn/localapi: require root or sudo+operator access for SetServeConfig (#10142)
For an operator user, require them to be able to `sudo tailscale` to use
`tailscale serve`. This is similar to the Windows elevated token check.

Updates tailscale/corp#15405

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-07 12:31:33 -08:00
Will Norris
fc2d63bb8c go.mod: updates web-client-prebuilt
Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-07 11:16:37 -08:00
Will Norris
623f669239 client/web: pass URL prefix to frontend
This allows wouter to route URLs properly when running in CGI mode.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-07 11:13:01 -08:00
Sonia Appasamy
0753ad6cf8 client/web: move useNodeData out of App component
Only loading data once auth request has completed.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-07 13:31:05 -05:00
Will Norris
d530153d2f go.mod: bump web-client-prebuilt
Updates #cleanup

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-07 09:29:00 -08:00
Sonia Appasamy
5e095ddc20 client/web: add initial framework for exit node selector
Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-07 11:30:22 -05:00
Sonia Appasamy
de2af54ffc client/web: pipe newSession through to readonly view
Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-07 11:12:40 -05:00
Sonia Appasamy
d73e923b73 client/web: add device details view
Initial addition of device details view on the frontend. A little
more backend piping work to come to fill all of the detail fields,
for now using placeholders.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-11-07 10:59:18 -05:00
Will Norris
3e9026efda client/web: show manage button in readonly view
We render the readonly view in two situations:
- the client is in login mode, and the device is connected
- the client is in manage mode, but the user does not yet have a session

If the user is not authenticated, and they are not currently on the
Tailscale IP address, render a "Manage" button that will take them to
the Tailcale IP of the device and immediately start check mode.

Still to do is detecting if they have connectivity to the Tailscale IP,
and disabling the button if not.

Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-07 07:50:26 -08:00
Thomas Kosiewski
96a80fcce3 Add support for custom DERP port in TLS prober
Updates #10146

Signed-off-by: Thomas Kosiewski <thoma471@googlemail.com>
2023-11-07 12:56:13 +00:00