Commit Graph

8247 Commits

Author SHA1 Message Date
Adrian Dewhurst
f706a3abd0 ipn/ipnlocal, util/syspolicy: add auto update policy
Due to the Sparkle preference naming convention, macsys already has a
policy key named "ApplyUpdates" that merely shows or hides the menu
item that controls if auto updates are installed, rather than directly
controlling the setting.

For other platforms, we are going to use "InstallUpdates" instead
because it seemed better than the other options that were considered.

Updates ENG-2127
Updates tailscale/corp#16247

Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2023-12-07 17:29:22 -05:00
Sonia Appasamy
ef4f1e3a0b client/web: add loading state to app
Displays animated loading dots while initial auth and data endpoints
are fetching.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-07 17:08:15 -05:00
Andrew Dunham
3f576fc4ca ci: run 'go vet' in golangci-lint; fix errors in tests
Updates #cleanup

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ice78fc907bad24c1de749a1595e212ef2db4b8bb
2023-12-07 15:08:28 -05:00
Mario Minardi
f5f21c213c
client/web: add additional web client metrics logging (#10462)
Add additional web client metric logging. Namely, add logging events for
auth / deauth, enable / disable using exit node, enable / disable SSH,
enable / disable advertise routes, and click events on the device details
button.

Updates https://github.com/tailscale/tailscale/issues/10261

Signed-off-by: Mario Minardi <mario@tailscale.com>
2023-12-07 09:24:25 -07:00
Naman Sood
97f84200ac
wgengine/router: implement UpdateMagicsockPort for CallbackRouter (#10494)
Updates #9084.

Signed-off-by: Naman Sood <mail@nsood.in>
2023-12-07 10:45:14 -05:00
Sonia Appasamy
95655405b8 client/web: start using swr for some fetching
Adds swr to the web client, and starts by using it from the
useNodeData hook.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-06 21:20:13 -05:00
Sonia Appasamy
014ae98297 client/web: style tweaks
Style changes made in live pairing session.

Updates #10261

Co-authored-by: Will Norris <will@tailscale.com>
Co-authored-by: Alessandro Mingione <alessandro@tailscale.com>
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-06 17:31:53 -05:00
Adrian Dewhurst
1a4d423328 ipn/ipnlocal: add additional syspolicy enforcement
This adds support for enforcing exit node LAN access, DNS and subnet
routes.

Adding new preference policies was getting repetitive, so this turns
some of the boilerplate into a table.

Updates tailscale/corp#15585
Updates ENG-2240

Change-Id: Iabd3c42b0ae120b3145fac066c5caa7fc4d67824
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2023-12-06 16:34:36 -05:00
Sonia Appasamy
2731a9da36 client/web: fix exit node selector styling
Remove padding on top of search bar, remove rounded corners of
bottom border of earch bar, and add auto focus.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-06 16:19:52 -05:00
Adrian Dewhurst
af32d1c120 ipn/ipnlocal: better enforce system policies
Previously, policies affected the default prefs for a new profile, but
that does not affect existing profiles. This change ensures that
policies are applied whenever preferences are loaded or changed, so a
CLI or GUI client that does not respect the policies will still be
overridden.

Exit node IP is dropped from this PR as it was implemented elsewhere
in #10172.

Fixes tailscale/corp#15585

Change-Id: Ide4c3a4b00a64e43f506fa1fab70ef591407663f
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2023-12-06 14:45:06 -05:00
Sonia Appasamy
ac6f671c54 ipn/localapi: use clientupdate.CanAutoUpdate from serveUpdateCheck
Fixes #10486

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-06 14:08:37 -05:00
Sonia Appasamy
a54a4f757b client/web: add licenses and policies links
Adds a footer to the device details page that mirrors license and
policy content on other Tailscale clients.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-06 13:44:52 -05:00
Sonia Appasamy
cc6729a0bc .github/workflows: add webclient workflow
Add workflow to run yarn lint/test/format-check against the web
client on pull requests.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-06 13:21:27 -05:00
Mario Minardi
4a24db852a
client/web: use IPv4 instead of IP in login view (#10483)
The IP property in node data was renamed to IPv4 but refactoring the usage
of the property was missed in this file.

Updates https://github.com/tailscale/tailscale/issues/10261

Signed-off-by: Mario Minardi <mario@tailscale.com>
2023-12-06 10:08:23 -07:00
Denton Gentry
137e9f4c46 net/portmap: add test of Mikrotik Root Desc XML.
Unfortunately in the test we can't reproduce the failure seen
in the real system ("SOAP fault: UPnPError")

Updates https://github.com/tailscale/tailscale/issues/8364

Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2023-12-05 22:10:27 -08:00
Naman Sood
d46a4eced5
util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux (#10370)
* util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux

Updates #9084.

Currently, we have to tell users to manually open UDP ports on Linux when
certain firewalls (like ufw) are enabled. This change automates the process of
adding and updating those firewall rules as magicsock changes what port it
listens on.

Signed-off-by: Naman Sood <mail@nsood.in>
2023-12-05 18:12:02 -05:00
Andrew Lytvynov
aad5fb28b1
go.toolchain.rev: bump to 1.21.5 (#10475)
Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-12-05 16:16:33 -06:00
Claire Wang
47db67fef5
util/syspolicy: add policy counters (#10471)
Fixes tailscale/corp#16138

Signed-off-by: Claire Wang <claire@tailscale.com>
2023-12-05 17:13:05 -05:00
Sonia Appasamy
a95b3cbfa8 client/web: add copyable components throughout UI
Updates the IP address on home view to open a copyable list of node
addresses on click. And makes various values on the details view
copyable text items, mirroring the machine admin panel table.

As part of these changes, pulls the AddressCard, NiceIP and QuickCopy
components from the admin panel, with the AddressCard slightly modified
to avoid needing to also pull in the CommandLine component.

A new toaster interface is also added, allowing us to display success
and failure toasts throughout the UI. The toaster code is slightly
modified from it's admin form to avoid the need for some excess
libraries.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-05 16:52:19 -05:00
Naman Sood
650c67a0a1 tailcfg: bump CapabilityVersion for Linux netfilter NodeAttrs and c2n endpoint
Updates tailscale/corp#14029.

Signed-off-by: Naman Sood <mail@nsood.in>
2023-12-05 14:22:02 -05:00
Naman Sood
0a59754eda linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter
Updates tailscale/corp#14029.

Signed-off-by: Naman Sood <mail@nsood.in>
2023-12-05 14:22:02 -05:00
James Tucker
215f657a5e wgengine/router: create netfilter runner in setNetfilterMode
This will enable the runner to be replaced as a configuration side
effect in a later change.

Updates tailscale/corp#14029

Signed-off-by: James Tucker <james@tailscale.com>
2023-12-05 14:22:02 -05:00
Adrian Dewhurst
94a64c0017 util/syspolicy: rename incorrectly named policy keys
These keys were intended to match the Apple platforms, but accidentally
used the wrong name.

Updates ENG-2133

Change-Id: I9ed7a17919e34e2d8896a5c64efc4d0c0003166e
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2023-12-05 13:58:31 -05:00
License Updater
70f201c691 licenses: update win/apple licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
2023-12-05 09:47:02 -08:00
License Updater
9095518c2d licenses: update tailscale{,d} licenses
Signed-off-by: License Updater <noreply+license-updater@tailscale.com>
2023-12-05 09:46:24 -08:00
Matt Layher
a217f1fccf all: fix nilness issues
Signed-off-by: Matt Layher <mdlayher@gmail.com>
2023-12-05 11:43:14 -05:00
Will Norris
c5208f8138 client/web: small tweaks for small screens
Add left and right padding around entire client so that the cards don't
run into the side of the screen. Also tighten up vertical spacing in
couple of places.

Updates #10261

Signed-off-by: Will Norris <will@tailscale.com>
2023-12-05 08:05:09 -08:00
Andrew Dunham
c4ccdd1bd1 net/interfaces: ensure we return valid 'self' IP in LikelyHomeRouterIP
Before this fix, LikelyHomeRouterIP could return a 'self' IP that
doesn't correspond to the gateway address, since it picks the first
private address when iterating over the set interfaces as the 'self' IP,
without checking that the address corresponds with the
previously-detected gateway.

This behaviour was introduced by accident in aaf2df7, where we deleted
the following code:

    for _, prefix := range privatev4s {
        if prefix.Contains(gateway) && prefix.Contains(ip) {
            myIP = ip
            ok = true
            return
        }
    }

Other than checking that 'gateway' and 'ip' were private IP addresses
(which were correctly replaced with a call to the netip.Addr.IsPrivate
method), it also implicitly checked that both 'gateway' and 'ip' were a
part of the *same* prefix, and thus likely to be the same interface.

Restore that behaviour by explicitly checking pfx.Contains(gateway),
which, given that the 'ip' variable is derived from our prefix 'pfx',
ensures that the 'self' IP will correspond to the returned 'gateway'.

Fixes #10466

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Iddd2ee70cefb9fb40071986fefeace9ca2441ee6
2023-12-05 10:29:37 -05:00
Mario Minardi
6b083a8ddf
client/web: add metric logging logic to the web client (#10434)
Add metric logging logic for the web client frontend. This is an initial
pass of adding the base logic, plus a single point where it is used for
validation that the logging is working correctly. More metric logging
calls will follow in subsquent PRs.

Updates https://github.com/tailscale/tailscale/issues/10261

Signed-off-by: Mario Minardi <mario@tailscale.com>
2023-12-05 08:28:19 -07:00
Will Norris
9c4b73d77d client/web: handle login client inside an iframe
If the login client is inside an iframe, open the management client in a
new window, since it can't be loaded in the frame.

Updates #10261

Signed-off-by: Will Norris <will@tailscale.com>
2023-12-04 14:28:51 -08:00
Will Norris
9441a4e15d client/web: render 404 message in empty card
Switch the "feature disabled" page to use the same treatment.

Updates #10261

Signed-off-by: Will Norris <will@tailscale.com>
2023-12-04 14:04:15 -08:00
Sonia Appasamy
65643f6606 client/web: update device and connected icon
Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-04 16:39:56 -05:00
Will Norris
f5989f317f client/web: handle offline exit nodes
If the currently selected exit node is offline, render the exit node
selector in red with an error message. Update exit nodes in the dropdown
to indicate if they are offline, and don't allow them to be selected.

This also updates some older color values to use the new colors.

Updates #10261

Signed-off-by: Will Norris <will@tailscale.com>
2023-12-04 13:31:05 -08:00
Sonia Appasamy
b144391c06 client/web: add cancel button to subnet router input section
Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-04 16:28:28 -05:00
Sonia Appasamy
95e9d22a16 client/web: button, link, and other small UI updates
Makes the following changes:
* Use “link” class in various spots
* Remove button appearance on Exit Node dropdown in readonly mode
* Update `-stone-` colors to `-gray-` (couple spots missed by
  original color config commit)
* Pull full ui/button component from admin panel, and update
  buttons throughout UI to use this component
* Remove various buttons in readonly view to match mocks
* Add route (and “pending approval”) highlights to Subnet router
  settings card
* Delete legacy client button styles from index.css
* Fix overflow of IPv6 address on device details view

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-04 15:50:29 -05:00
Aaron Klotz
64a26b221b net/dns: use an additional registry setting to disable dynamic DNS updates for our interface on Windows
Fixes #9775

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-12-04 09:10:35 -08:00
Irbe Krumina
49fd0a62c9
cmd/k8s-operator: generate static kube manifests from the Helm chart. (#10436)
* cmd/k8s-operator: generate static manifests from Helm charts

This is done to ensure that there is a single source of truth
for the operator kube manifests.
Also adds linux node selector to the static manifests as
this was added as a default to the Helm chart.

Static manifests can now be generated by running
`go generate tailscale.com/cmd/k8s-operator`.

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2023-12-04 10:18:07 +00:00
Andrew Lytvynov
263e01c47b
wgengine/filter: add protocol-agnostic packet checker (#10446)
For use in ACL tests, we need a way to check whether a packet is allowed
not just with TCP, but any protocol.

Updates #3561

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-12-02 16:30:33 -06:00
Flakes Updater
c85532270f go.mod.sri: update SRI hash for go.mod changes
Signed-off-by: Flakes Updater <noreply+flakes-updater@tailscale.com>
2023-12-01 20:20:03 -08:00
Adrian Dewhurst
2003d1139f go.mod: update certstore
Updates tailscale/coral#118

Change-Id: Ie535ab890f95d13d050b2acc7d4ad1e3f8316877
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2023-12-01 23:14:02 -05:00
Will Norris
f9550e0bed client/web: indicate if ACLs prevent access
Use the packet filter rules to determine if any device is allowed to
connect on port 5252.  This does not check whether a specific device can
connect (since we typically don't know the source device when this is
used).  Nor does it specifically check for wide-open ACLs, which is
something we may provide a warning about in the future.

Update the login popover content to display information when the src
device is unable to connect to the dst device over its Tailscale IP. If
we know it's an ACL issue, mention that, otherwise list a couple of
things to check. In both cases, link to a placeholder URL to get more
information about web client connection issues.

Updates #10261

Signed-off-by: Will Norris <will@tailscale.com>
2023-12-01 16:51:12 -08:00
Sonia Appasamy
5e125750bc client/web: center and fix height of header
Centers login pill with Tailscale icon, and fixes height of login
pill.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-01 16:05:36 -08:00
OSS Updater
f13255d54d go.mod: update web-client-prebuilt module
Signed-off-by: OSS Updater <noreply+oss-updater@tailscale.com>
2023-12-01 17:32:44 -05:00
Sonia Appasamy
7a4ba609d9 client/web: show features based on platform support
Hiding/disabling UI features when not available on the running
client.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-01 17:01:13 -05:00
Sonia Appasamy
7d61b827e8 client/web: adjust colors and some UI margins
Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-01 15:41:57 -05:00
Sonia Appasamy
b155c7a091 client/web: move postcss config into package.json
A little cleanup.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-01 12:21:49 -05:00
Aaron Klotz
db39a43f06 util/winutil: add support for restarting Windows processes in specific sessions
This PR is all about adding functionality that will enable the installer's
upgrade sequence to terminate processes belonging to the previous version,
and then subsequently restart instances belonging to the new version within
the session(s) corresponding to the processes that were killed.

There are multiple parts to this:

* We add support for the Restart Manager APIs, which allow us to query the
  OS for a list of processes locking specific files;
* We add the RestartableProcess and RestartableProcesses types that query
  additional information about the running processes that will allow us
  to correctly restart them in the future. These types also provide the
  ability to terminate the processes.
* We add the StartProcessInSession family of APIs that permit us to create
  new processes within specific sessions. This is needed in order to
  properly attach a new GUI process to the same RDP session and desktop that
  its previously-terminated counterpart would have been running in.
* I tweaked the winutil token APIs again.
* A lot of this stuff is pretty hard to test without a very elaborate
  harness, but I added a unit test for the most complicated part (though it
  requires LocalSystem to run).

Updates https://github.com/tailscale/corp/issues/13998

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-11-30 14:04:27 -08:00
Andrew Lytvynov
59d1077e28
clientupdate: cleanup tailscale binary copies on Windows (#10433)
When updating on Windows, we make a copy of the tailscale.exe file in a
temp directory to perform the update, because the original tailscale.exe
gets deleted during the update.

This can eat up disk space if a machine is stuck doing repeated failed
update attempts. Clean up old copies explicitly before making a new one,
same as we do with MSIs.

Updates #10082

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-11-30 12:22:29 -08:00
Marwan Sulaiman
b819f66eb1 tsweb: propagate RequestID via context and entire request
The recent addition of RequestID was only populated if the
HTTP Request had returned an error. This meant that the underlying
handler has no access to this request id and any logs it may have
emitted were impossible to correlate to that request id. Therefore,
this PR adds a middleware to generate request ids and pass them
through the request context. The tsweb.StdHandler automatically
populates this request id if the middleware is being used. Finally,
inner handlers can use the context to retrieve that same request id
and use it so that all logs and events can be correlated.

Updates #2549

Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
2023-11-30 15:00:29 -05:00
Juergen Knaack
c27aa9e7ff net/dns: fix darwin dns resolver files
putting each nameserver on one line in /etc/resolver/<domain>

fixes: #10134
Signed-off-by: Juergen Knaack <jk@jk-1.de>
2023-11-29 19:25:31 -08:00