mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-26 11:35:35 +00:00
98ad7f279c
The localapi was double-unescaping: once by net/http populating the URL, and once by ourselves later. We need to start with the raw escaped URL if we're doing it ourselves. Started to write a test but it got invasive. Will have to add those tests later in a commit that's not being cherry-picked to a release branch. Fixes #2288 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
476 lines
11 KiB
Go
476 lines
11 KiB
Go
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Package localapi contains the HTTP server handlers for tailscaled's API server.
|
|
package localapi
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
"reflect"
|
|
"runtime"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"inet.af/netaddr"
|
|
"tailscale.com/client/tailscale/apitype"
|
|
"tailscale.com/ipn"
|
|
"tailscale.com/ipn/ipnlocal"
|
|
"tailscale.com/ipn/ipnstate"
|
|
"tailscale.com/tailcfg"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
func randHex(n int) string {
|
|
b := make([]byte, n)
|
|
rand.Read(b)
|
|
return hex.EncodeToString(b)
|
|
}
|
|
|
|
func NewHandler(b *ipnlocal.LocalBackend, logf logger.Logf, logID string) *Handler {
|
|
return &Handler{b: b, logf: logf, backendLogID: logID}
|
|
}
|
|
|
|
type Handler struct {
|
|
// RequiredPassword, if non-empty, forces all HTTP
|
|
// requests to have HTTP basic auth with this password.
|
|
// It's used by the sandboxed macOS sameuserproof GUI auth mechanism.
|
|
RequiredPassword string
|
|
|
|
// PermitRead is whether read-only HTTP handlers are allowed.
|
|
PermitRead bool
|
|
|
|
// PermitWrite is whether mutating HTTP handlers are allowed.
|
|
PermitWrite bool
|
|
|
|
b *ipnlocal.LocalBackend
|
|
logf logger.Logf
|
|
backendLogID string
|
|
}
|
|
|
|
func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
if h.b == nil {
|
|
http.Error(w, "server has no local backend", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if h.RequiredPassword != "" {
|
|
_, pass, ok := r.BasicAuth()
|
|
if !ok {
|
|
http.Error(w, "auth required", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
if pass != h.RequiredPassword {
|
|
http.Error(w, "bad password", http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
if strings.HasPrefix(r.URL.Path, "/localapi/v0/files/") {
|
|
h.serveFiles(w, r)
|
|
return
|
|
}
|
|
if strings.HasPrefix(r.URL.Path, "/localapi/v0/file-put/") {
|
|
h.serveFilePut(w, r)
|
|
return
|
|
}
|
|
switch r.URL.Path {
|
|
case "/localapi/v0/whois":
|
|
h.serveWhoIs(w, r)
|
|
case "/localapi/v0/goroutines":
|
|
h.serveGoroutines(w, r)
|
|
case "/localapi/v0/status":
|
|
h.serveStatus(w, r)
|
|
case "/localapi/v0/logout":
|
|
h.serveLogout(w, r)
|
|
case "/localapi/v0/prefs":
|
|
h.servePrefs(w, r)
|
|
case "/localapi/v0/check-ip-forwarding":
|
|
h.serveCheckIPForwarding(w, r)
|
|
case "/localapi/v0/bugreport":
|
|
h.serveBugReport(w, r)
|
|
case "/localapi/v0/file-targets":
|
|
h.serveFileTargets(w, r)
|
|
case "/localapi/v0/set-dns":
|
|
h.serveSetDNS(w, r)
|
|
case "/localapi/v0/derpmap":
|
|
h.serveDERPMap(w, r)
|
|
case "/":
|
|
io.WriteString(w, "tailscaled\n")
|
|
default:
|
|
http.Error(w, "404 not found", 404)
|
|
}
|
|
}
|
|
|
|
func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitRead {
|
|
http.Error(w, "bugreport access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
logMarker := fmt.Sprintf("BUG-%v-%v-%v", h.backendLogID, time.Now().UTC().Format("20060102150405Z"), randHex(8))
|
|
h.logf("user bugreport: %s", logMarker)
|
|
if note := r.FormValue("note"); len(note) > 0 {
|
|
h.logf("user bugreport note: %s", note)
|
|
}
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
fmt.Fprintln(w, logMarker)
|
|
}
|
|
|
|
func (h *Handler) serveWhoIs(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitRead {
|
|
http.Error(w, "whois access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
b := h.b
|
|
var ipp netaddr.IPPort
|
|
if v := r.FormValue("addr"); v != "" {
|
|
var err error
|
|
ipp, err = netaddr.ParseIPPort(v)
|
|
if err != nil {
|
|
http.Error(w, "invalid 'addr' parameter", 400)
|
|
return
|
|
}
|
|
} else {
|
|
http.Error(w, "missing 'addr' parameter", 400)
|
|
return
|
|
}
|
|
n, u, ok := b.WhoIs(ipp)
|
|
if !ok {
|
|
http.Error(w, "no match for IP:port", 404)
|
|
return
|
|
}
|
|
res := &apitype.WhoIsResponse{
|
|
Node: n,
|
|
UserProfile: &u,
|
|
}
|
|
j, err := json.MarshalIndent(res, "", "\t")
|
|
if err != nil {
|
|
http.Error(w, "JSON encoding error", 500)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.Write(j)
|
|
}
|
|
|
|
func (h *Handler) serveGoroutines(w http.ResponseWriter, r *http.Request) {
|
|
// Require write access out of paranoia that the goroutine dump
|
|
// (at least its arguments) might contain something sensitive.
|
|
if !h.PermitWrite {
|
|
http.Error(w, "goroutine dump access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
buf := make([]byte, 2<<20)
|
|
buf = buf[:runtime.Stack(buf, true)]
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
w.Write(buf)
|
|
}
|
|
|
|
func (h *Handler) serveCheckIPForwarding(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitRead {
|
|
http.Error(w, "IP forwarding check access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
var warning string
|
|
if err := h.b.CheckIPForwarding(); err != nil {
|
|
warning = err.Error()
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(struct {
|
|
Warning string
|
|
}{
|
|
Warning: warning,
|
|
})
|
|
}
|
|
|
|
func (h *Handler) serveStatus(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitRead {
|
|
http.Error(w, "status access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
var st *ipnstate.Status
|
|
if defBool(r.FormValue("peers"), true) {
|
|
st = h.b.Status()
|
|
} else {
|
|
st = h.b.StatusWithoutPeers()
|
|
}
|
|
e := json.NewEncoder(w)
|
|
e.SetIndent("", "\t")
|
|
e.Encode(st)
|
|
}
|
|
|
|
func (h *Handler) serveLogout(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitWrite {
|
|
http.Error(w, "logout access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
if r.Method != "POST" {
|
|
http.Error(w, "want POST", 400)
|
|
return
|
|
}
|
|
err := h.b.LogoutSync(r.Context())
|
|
if err == nil {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
http.Error(w, err.Error(), 500)
|
|
}
|
|
|
|
func (h *Handler) servePrefs(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitRead {
|
|
http.Error(w, "prefs access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
var prefs *ipn.Prefs
|
|
switch r.Method {
|
|
case "PATCH":
|
|
if !h.PermitWrite {
|
|
http.Error(w, "prefs write access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
mp := new(ipn.MaskedPrefs)
|
|
if err := json.NewDecoder(r.Body).Decode(mp); err != nil {
|
|
http.Error(w, err.Error(), 400)
|
|
return
|
|
}
|
|
var err error
|
|
prefs, err = h.b.EditPrefs(mp)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), 400)
|
|
return
|
|
}
|
|
case "GET", "HEAD":
|
|
prefs = h.b.Prefs()
|
|
default:
|
|
http.Error(w, "unsupported method", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
e := json.NewEncoder(w)
|
|
e.SetIndent("", "\t")
|
|
e.Encode(prefs)
|
|
}
|
|
|
|
func (h *Handler) serveFiles(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitWrite {
|
|
http.Error(w, "file access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
suffix := strings.TrimPrefix(r.URL.EscapedPath(), "/localapi/v0/files/")
|
|
if suffix == "" {
|
|
if r.Method != "GET" {
|
|
http.Error(w, "want GET to list files", 400)
|
|
return
|
|
}
|
|
wfs, err := h.b.WaitingFiles()
|
|
if err != nil {
|
|
http.Error(w, err.Error(), 500)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(wfs)
|
|
return
|
|
}
|
|
name, err := url.PathUnescape(suffix)
|
|
if err != nil {
|
|
http.Error(w, "bad filename", 400)
|
|
return
|
|
}
|
|
if r.Method == "DELETE" {
|
|
if err := h.b.DeleteFile(name); err != nil {
|
|
http.Error(w, err.Error(), 500)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
rc, size, err := h.b.OpenFile(name)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), 500)
|
|
return
|
|
}
|
|
defer rc.Close()
|
|
w.Header().Set("Content-Length", fmt.Sprint(size))
|
|
io.Copy(w, rc)
|
|
}
|
|
|
|
func writeErrorJSON(w http.ResponseWriter, err error) {
|
|
if err == nil {
|
|
err = errors.New("unexpected nil error")
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(500)
|
|
type E struct {
|
|
Error string `json:"error"`
|
|
}
|
|
json.NewEncoder(w).Encode(E{err.Error()})
|
|
}
|
|
|
|
func (h *Handler) serveFileTargets(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitRead {
|
|
http.Error(w, "access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
if r.Method != "GET" {
|
|
http.Error(w, "want GET to list targets", 400)
|
|
return
|
|
}
|
|
fts, err := h.b.FileTargets()
|
|
if err != nil {
|
|
writeErrorJSON(w, err)
|
|
return
|
|
}
|
|
makeNonNil(&fts)
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(fts)
|
|
}
|
|
|
|
func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitWrite {
|
|
http.Error(w, "file access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
if r.Method != "PUT" {
|
|
http.Error(w, "want PUT to put file", 400)
|
|
return
|
|
}
|
|
fts, err := h.b.FileTargets()
|
|
if err != nil {
|
|
http.Error(w, err.Error(), 500)
|
|
return
|
|
}
|
|
|
|
upath := strings.TrimPrefix(r.URL.EscapedPath(), "/localapi/v0/file-put/")
|
|
slash := strings.Index(upath, "/")
|
|
if slash == -1 {
|
|
http.Error(w, "bogus URL", 400)
|
|
return
|
|
}
|
|
stableID, filenameEscaped := tailcfg.StableNodeID(upath[:slash]), upath[slash+1:]
|
|
|
|
var ft *apitype.FileTarget
|
|
for _, x := range fts {
|
|
if x.Node.StableID == stableID {
|
|
ft = x
|
|
break
|
|
}
|
|
}
|
|
if ft == nil {
|
|
http.Error(w, "node not found", 404)
|
|
return
|
|
}
|
|
dstURL, err := url.Parse(ft.PeerAPIURL)
|
|
if err != nil {
|
|
http.Error(w, "bogus peer URL", 500)
|
|
return
|
|
}
|
|
outReq, err := http.NewRequestWithContext(r.Context(), "PUT", "http://peer/v0/put/"+filenameEscaped, r.Body)
|
|
if err != nil {
|
|
http.Error(w, "bogus outreq", 500)
|
|
return
|
|
}
|
|
outReq.ContentLength = r.ContentLength
|
|
|
|
rp := httputil.NewSingleHostReverseProxy(dstURL)
|
|
rp.Transport = getDialPeerTransport(h.b)
|
|
rp.ServeHTTP(w, outReq)
|
|
}
|
|
|
|
func (h *Handler) serveSetDNS(w http.ResponseWriter, r *http.Request) {
|
|
if !h.PermitWrite {
|
|
http.Error(w, "access denied", http.StatusForbidden)
|
|
return
|
|
}
|
|
if r.Method != "POST" {
|
|
http.Error(w, "want POST", 400)
|
|
return
|
|
}
|
|
ctx := r.Context()
|
|
err := h.b.SetDNS(ctx, r.FormValue("name"), r.FormValue("value"))
|
|
if err != nil {
|
|
writeErrorJSON(w, err)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(struct{}{})
|
|
}
|
|
|
|
func (h *Handler) serveDERPMap(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "GET" {
|
|
http.Error(w, "want GET", 400)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
e := json.NewEncoder(w)
|
|
e.SetIndent("", "\t")
|
|
e.Encode(h.b.DERPMap())
|
|
}
|
|
|
|
var dialPeerTransportOnce struct {
|
|
sync.Once
|
|
v *http.Transport
|
|
}
|
|
|
|
func getDialPeerTransport(b *ipnlocal.LocalBackend) *http.Transport {
|
|
dialPeerTransportOnce.Do(func() {
|
|
t := http.DefaultTransport.(*http.Transport).Clone()
|
|
t.Dial = nil
|
|
dialer := net.Dialer{
|
|
Timeout: 30 * time.Second,
|
|
KeepAlive: 30 * time.Second,
|
|
Control: b.PeerDialControlFunc(),
|
|
}
|
|
t.DialContext = dialer.DialContext
|
|
dialPeerTransportOnce.v = t
|
|
})
|
|
return dialPeerTransportOnce.v
|
|
}
|
|
|
|
func defBool(a string, def bool) bool {
|
|
if a == "" {
|
|
return def
|
|
}
|
|
v, err := strconv.ParseBool(a)
|
|
if err != nil {
|
|
return def
|
|
}
|
|
return v
|
|
}
|
|
|
|
// makeNonNil takes a pointer to a Go data structure
|
|
// (currently only a slice or a map) and makes sure it's non-nil for
|
|
// JSON serialization. (In particular, JavaScript clients usually want
|
|
// the field to be defined after they decode the JSON.)
|
|
func makeNonNil(ptr interface{}) {
|
|
if ptr == nil {
|
|
panic("nil interface")
|
|
}
|
|
rv := reflect.ValueOf(ptr)
|
|
if rv.Kind() != reflect.Ptr {
|
|
panic(fmt.Sprintf("kind %v, not Ptr", rv.Kind()))
|
|
}
|
|
if rv.Pointer() == 0 {
|
|
panic("nil pointer")
|
|
}
|
|
rv = rv.Elem()
|
|
if rv.Pointer() != 0 {
|
|
return
|
|
}
|
|
switch rv.Type().Kind() {
|
|
case reflect.Slice:
|
|
rv.Set(reflect.MakeSlice(rv.Type(), 0, 0))
|
|
case reflect.Map:
|
|
rv.Set(reflect.MakeMap(rv.Type()))
|
|
}
|
|
}
|