mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
b8af91403d
While `clientupdate.Updater` won't be able to apply updates on macsys, we use `clientupdate.CanAutoUpdate` to gate the EditPrefs endpoint in localAPI. We should allow the GUI client to set AutoUpdate.Apply on macsys for it to properly get reported to the control plane. This also allows the tailnet-wide default for auto-updates to propagate to macsys clients. Updates https://github.com/tailscale/corp/issues/21339 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
575 lines
16 KiB
Go
575 lines
16 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package ipnlocal
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"os"
|
|
"os/exec"
|
|
"path"
|
|
"path/filepath"
|
|
"runtime"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/kortschak/wol"
|
|
"tailscale.com/clientupdate"
|
|
"tailscale.com/envknob"
|
|
"tailscale.com/ipn"
|
|
"tailscale.com/net/sockstats"
|
|
"tailscale.com/posture"
|
|
"tailscale.com/tailcfg"
|
|
"tailscale.com/util/clientmetric"
|
|
"tailscale.com/util/goroutines"
|
|
"tailscale.com/util/set"
|
|
"tailscale.com/util/syspolicy"
|
|
"tailscale.com/version"
|
|
"tailscale.com/version/distro"
|
|
)
|
|
|
|
// c2nHandlers maps an HTTP method and URI path (without query parameters) to
|
|
// its handler. The exact method+path match is preferred, but if no entry
|
|
// exists for that, a map entry with an empty method is used as a fallback.
|
|
var c2nHandlers = map[methodAndPath]c2nHandler{
|
|
// Debug.
|
|
req("/echo"): handleC2NEcho,
|
|
req("/debug/goroutines"): handleC2NDebugGoroutines,
|
|
req("/debug/prefs"): handleC2NDebugPrefs,
|
|
req("/debug/metrics"): handleC2NDebugMetrics,
|
|
req("/debug/component-logging"): handleC2NDebugComponentLogging,
|
|
req("/debug/logheap"): handleC2NDebugLogHeap,
|
|
|
|
// PPROF - We only expose a subset of typical pprof endpoints for security.
|
|
req("/debug/pprof/heap"): handleC2NPprof,
|
|
req("/debug/pprof/allocs"): handleC2NPprof,
|
|
|
|
req("POST /logtail/flush"): handleC2NLogtailFlush,
|
|
req("POST /sockstats"): handleC2NSockStats,
|
|
|
|
// Check TLS certificate status.
|
|
req("GET /tls-cert-status"): handleC2NTLSCertStatus,
|
|
|
|
// SSH
|
|
req("/ssh/usernames"): handleC2NSSHUsernames,
|
|
|
|
// Auto-updates.
|
|
req("GET /update"): handleC2NUpdateGet,
|
|
req("POST /update"): handleC2NUpdatePost,
|
|
|
|
// Wake-on-LAN.
|
|
req("POST /wol"): handleC2NWoL,
|
|
|
|
// Device posture.
|
|
req("GET /posture/identity"): handleC2NPostureIdentityGet,
|
|
|
|
// App Connectors.
|
|
req("GET /appconnector/routes"): handleC2NAppConnectorDomainRoutesGet,
|
|
|
|
// Linux netfilter.
|
|
req("POST /netfilter-kind"): handleC2NSetNetfilterKind,
|
|
}
|
|
|
|
type c2nHandler func(*LocalBackend, http.ResponseWriter, *http.Request)
|
|
|
|
type methodAndPath struct {
|
|
method string // empty string means fallback
|
|
path string // Request.URL.Path (without query string)
|
|
}
|
|
|
|
func req(s string) methodAndPath {
|
|
if m, p, ok := strings.Cut(s, " "); ok {
|
|
return methodAndPath{m, p}
|
|
}
|
|
return methodAndPath{"", s}
|
|
}
|
|
|
|
// c2nHandlerPaths is all the set of paths from c2nHandlers, without their HTTP methods.
|
|
// It's used to detect requests with a non-matching method.
|
|
var c2nHandlerPaths = set.Set[string]{}
|
|
|
|
func init() {
|
|
for k := range c2nHandlers {
|
|
c2nHandlerPaths.Add(k.path)
|
|
}
|
|
}
|
|
|
|
func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
|
|
// First try to match by both method and path,
|
|
if h, ok := c2nHandlers[methodAndPath{r.Method, r.URL.Path}]; ok {
|
|
h(b, w, r)
|
|
return
|
|
}
|
|
// Then try to match by just path.
|
|
if h, ok := c2nHandlers[methodAndPath{path: r.URL.Path}]; ok {
|
|
h(b, w, r)
|
|
return
|
|
}
|
|
if c2nHandlerPaths.Contains(r.URL.Path) {
|
|
http.Error(w, "bad method", http.StatusMethodNotAllowed)
|
|
} else {
|
|
http.Error(w, "unknown c2n path", http.StatusBadRequest)
|
|
}
|
|
}
|
|
|
|
func writeJSON(w http.ResponseWriter, v any) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(v)
|
|
}
|
|
|
|
func handleC2NEcho(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
// Test handler.
|
|
body, _ := io.ReadAll(r.Body)
|
|
w.Write(body)
|
|
}
|
|
|
|
func handleC2NLogtailFlush(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
if b.TryFlushLogs() {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
} else {
|
|
http.Error(w, "no log flusher wired up", http.StatusInternalServerError)
|
|
}
|
|
}
|
|
|
|
func handleC2NDebugGoroutines(_ *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
w.Write(goroutines.ScrubbedGoroutineDump(true))
|
|
}
|
|
|
|
func handleC2NDebugPrefs(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
writeJSON(w, b.Prefs())
|
|
}
|
|
|
|
func handleC2NDebugMetrics(_ *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
clientmetric.WritePrometheusExpositionFormat(w)
|
|
}
|
|
|
|
func handleC2NDebugComponentLogging(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
component := r.FormValue("component")
|
|
secs, _ := strconv.Atoi(r.FormValue("secs"))
|
|
if secs == 0 {
|
|
secs -= 1
|
|
}
|
|
until := b.clock.Now().Add(time.Duration(secs) * time.Second)
|
|
err := b.SetComponentDebugLogging(component, until)
|
|
var res struct {
|
|
Error string `json:",omitempty"`
|
|
}
|
|
if err != nil {
|
|
res.Error = err.Error()
|
|
}
|
|
writeJSON(w, res)
|
|
}
|
|
|
|
var c2nLogHeap func(http.ResponseWriter, *http.Request) // non-nil on most platforms (c2n_pprof.go)
|
|
|
|
func handleC2NDebugLogHeap(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
if c2nLogHeap == nil {
|
|
// Not implemented on platforms trying to optimize for binary size or
|
|
// reduced memory usage.
|
|
http.Error(w, "not implemented", http.StatusNotImplemented)
|
|
return
|
|
}
|
|
c2nLogHeap(w, r)
|
|
}
|
|
|
|
var c2nPprof func(http.ResponseWriter, *http.Request, string) // non-nil on most platforms (c2n_pprof.go)
|
|
|
|
func handleC2NPprof(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
if c2nPprof == nil {
|
|
// Not implemented on platforms trying to optimize for binary size or
|
|
// reduced memory usage.
|
|
http.Error(w, "not implemented", http.StatusNotImplemented)
|
|
return
|
|
}
|
|
_, profile := path.Split(r.URL.Path)
|
|
c2nPprof(w, r, profile)
|
|
}
|
|
|
|
func handleC2NSSHUsernames(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
var req tailcfg.C2NSSHUsernamesRequest
|
|
if r.Method == "POST" {
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
http.Error(w, err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
}
|
|
res, err := b.getSSHUsernames(&req)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), 500)
|
|
return
|
|
}
|
|
writeJSON(w, res)
|
|
}
|
|
|
|
func handleC2NSockStats(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
if b.sockstatLogger == nil {
|
|
http.Error(w, "no sockstatLogger", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
b.sockstatLogger.Flush()
|
|
fmt.Fprintf(w, "logid: %s\n", b.sockstatLogger.LogID())
|
|
fmt.Fprintf(w, "debug info: %v\n", sockstats.DebugInfo())
|
|
}
|
|
|
|
// handleC2NAppConnectorDomainRoutesGet handles returning the domains
|
|
// that the app connector is responsible for, as well as the resolved
|
|
// IP addresses for each domain. If the node is not configured as
|
|
// an app connector, an empty map is returned.
|
|
func handleC2NAppConnectorDomainRoutesGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
b.logf("c2n: GET /appconnector/routes received")
|
|
|
|
var res tailcfg.C2NAppConnectorDomainRoutesResponse
|
|
if b.appConnector == nil {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(res)
|
|
return
|
|
}
|
|
|
|
res.Domains = b.appConnector.DomainRoutes()
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(res)
|
|
}
|
|
|
|
func handleC2NSetNetfilterKind(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
b.logf("c2n: POST /netfilter-kind received")
|
|
|
|
if version.OS() != "linux" {
|
|
http.Error(w, "netfilter kind only settable on linux", http.StatusNotImplemented)
|
|
}
|
|
|
|
kind := r.FormValue("kind")
|
|
b.logf("c2n: switching netfilter to %s", kind)
|
|
|
|
_, err := b.EditPrefs(&ipn.MaskedPrefs{
|
|
NetfilterKindSet: true,
|
|
Prefs: ipn.Prefs{
|
|
NetfilterKind: kind,
|
|
},
|
|
})
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
b.authReconfig()
|
|
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
func handleC2NUpdateGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
b.logf("c2n: GET /update received")
|
|
|
|
res := b.newC2NUpdateResponse()
|
|
res.Started = b.c2nUpdateStarted()
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(res)
|
|
}
|
|
|
|
func handleC2NUpdatePost(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
b.logf("c2n: POST /update received")
|
|
res := b.newC2NUpdateResponse()
|
|
defer func() {
|
|
if res.Err != "" {
|
|
b.logf("c2n: POST /update failed: %s", res.Err)
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(res)
|
|
}()
|
|
|
|
if !res.Enabled {
|
|
res.Err = "not enabled"
|
|
return
|
|
}
|
|
if !res.Supported {
|
|
res.Err = "not supported"
|
|
return
|
|
}
|
|
|
|
// Do not update if we have active inbound SSH connections. Control can set
|
|
// force=true query parameter to override this.
|
|
if r.FormValue("force") != "true" && b.sshServer != nil && b.sshServer.NumActiveConns() > 0 {
|
|
res.Err = "not updating due to active SSH connections"
|
|
return
|
|
}
|
|
|
|
if err := b.startAutoUpdate("c2n"); err != nil {
|
|
res.Err = err.Error()
|
|
return
|
|
}
|
|
res.Started = true
|
|
}
|
|
|
|
func handleC2NPostureIdentityGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
b.logf("c2n: GET /posture/identity received")
|
|
|
|
res := tailcfg.C2NPostureIdentityResponse{}
|
|
|
|
// Only collect serial numbers if enabled on the client,
|
|
// this will first check syspolicy, MDM settings like Registry
|
|
// on Windows or defaults on macOS. If they are not set, it falls
|
|
// back to the cli-flag, `--posture-checking`.
|
|
choice, err := syspolicy.GetPreferenceOption(syspolicy.PostureChecking)
|
|
if err != nil {
|
|
b.logf(
|
|
"c2n: failed to read PostureChecking from syspolicy, returning default from CLI: %s; got error: %s",
|
|
b.Prefs().PostureChecking(),
|
|
err,
|
|
)
|
|
}
|
|
|
|
if choice.ShouldEnable(b.Prefs().PostureChecking()) {
|
|
sns, err := posture.GetSerialNumbers(b.logf)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
res.SerialNumbers = sns
|
|
} else {
|
|
res.PostureDisabled = true
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(res)
|
|
}
|
|
|
|
func (b *LocalBackend) newC2NUpdateResponse() tailcfg.C2NUpdateResponse {
|
|
// If NewUpdater does not return an error, we can update the installation.
|
|
//
|
|
// Note that we create the Updater solely to check for errors; we do not
|
|
// invoke it here. For this purpose, it is ok to pass it a zero Arguments.
|
|
prefs := b.Prefs().AutoUpdate()
|
|
return tailcfg.C2NUpdateResponse{
|
|
Enabled: envknob.AllowsRemoteUpdate() || prefs.Apply.EqualBool(true),
|
|
Supported: clientupdate.CanAutoUpdate() && !version.IsMacSysExt(),
|
|
}
|
|
}
|
|
|
|
func (b *LocalBackend) c2nUpdateStarted() bool {
|
|
b.mu.Lock()
|
|
defer b.mu.Unlock()
|
|
return b.c2nUpdateStatus.started
|
|
}
|
|
|
|
func (b *LocalBackend) setC2NUpdateStarted(v bool) {
|
|
b.mu.Lock()
|
|
defer b.mu.Unlock()
|
|
b.c2nUpdateStatus.started = v
|
|
}
|
|
|
|
func (b *LocalBackend) trySetC2NUpdateStarted() bool {
|
|
b.mu.Lock()
|
|
defer b.mu.Unlock()
|
|
if b.c2nUpdateStatus.started {
|
|
return false
|
|
}
|
|
b.c2nUpdateStatus.started = true
|
|
return true
|
|
}
|
|
|
|
// findCmdTailscale looks for the cmd/tailscale that corresponds to the
|
|
// currently running cmd/tailscaled. It's up to the caller to verify that the
|
|
// two match, but this function does its best to find the right one. Notably, it
|
|
// doesn't use $PATH for security reasons.
|
|
func findCmdTailscale() (string, error) {
|
|
self, err := os.Executable()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
var ts string
|
|
switch runtime.GOOS {
|
|
case "linux":
|
|
if self == "/usr/sbin/tailscaled" || self == "/usr/bin/tailscaled" {
|
|
ts = "/usr/bin/tailscale"
|
|
}
|
|
if self == "/usr/local/sbin/tailscaled" || self == "/usr/local/bin/tailscaled" {
|
|
ts = "/usr/local/bin/tailscale"
|
|
}
|
|
switch distro.Get() {
|
|
case distro.QNAP:
|
|
// The volume under /share/ where qpkg are installed is not
|
|
// predictable. But the rest of the path is.
|
|
ok, err := filepath.Match("/share/*/.qpkg/Tailscale/tailscaled", self)
|
|
if err == nil && ok {
|
|
ts = filepath.Join(filepath.Dir(self), "tailscale")
|
|
}
|
|
case distro.Unraid:
|
|
if self == "/usr/local/emhttp/plugins/tailscale/bin/tailscaled" {
|
|
ts = "/usr/local/emhttp/plugins/tailscale/bin/tailscale"
|
|
}
|
|
}
|
|
case "windows":
|
|
ts = filepath.Join(filepath.Dir(self), "tailscale.exe")
|
|
case "freebsd":
|
|
if self == "/usr/local/bin/tailscaled" {
|
|
ts = "/usr/local/bin/tailscale"
|
|
}
|
|
default:
|
|
return "", fmt.Errorf("unsupported OS %v", runtime.GOOS)
|
|
}
|
|
if ts != "" && regularFileExists(ts) {
|
|
return ts, nil
|
|
}
|
|
return "", errors.New("tailscale executable not found in expected place")
|
|
}
|
|
|
|
func tailscaleUpdateCmd(cmdTS string) *exec.Cmd {
|
|
defaultCmd := exec.Command(cmdTS, "update", "--yes")
|
|
if runtime.GOOS != "linux" {
|
|
return defaultCmd
|
|
}
|
|
if _, err := exec.LookPath("systemd-run"); err != nil {
|
|
return defaultCmd
|
|
}
|
|
|
|
// When systemd-run is available, use it to run the update command. This
|
|
// creates a new temporary unit separate from the tailscaled unit. When
|
|
// tailscaled is restarted during the update, systemd won't kill this
|
|
// temporary update unit, which could cause unexpected breakage.
|
|
//
|
|
// We want to use the --wait flag for systemd-run, to block the update
|
|
// command until completion and collect output. But this flag was added in
|
|
// systemd 232, so we need to check the version first.
|
|
//
|
|
// The output will look like:
|
|
//
|
|
// systemd 255 (255.7-1-arch)
|
|
// +PAM +AUDIT ... other feature flags ...
|
|
systemdVerOut, err := exec.Command("systemd-run", "--version").Output()
|
|
if err != nil {
|
|
return defaultCmd
|
|
}
|
|
parts := strings.Fields(string(systemdVerOut))
|
|
if len(parts) < 2 || parts[0] != "systemd" {
|
|
return defaultCmd
|
|
}
|
|
systemdVer, err := strconv.Atoi(parts[1])
|
|
if err != nil {
|
|
return defaultCmd
|
|
}
|
|
if systemdVer < 232 {
|
|
return exec.Command("systemd-run", "--pipe", "--collect", cmdTS, "update", "--yes")
|
|
} else {
|
|
return exec.Command("systemd-run", "--wait", "--pipe", "--collect", cmdTS, "update", "--yes")
|
|
}
|
|
}
|
|
|
|
func regularFileExists(path string) bool {
|
|
fi, err := os.Stat(path)
|
|
return err == nil && fi.Mode().IsRegular()
|
|
}
|
|
|
|
func handleC2NWoL(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
r.ParseForm()
|
|
var macs []net.HardwareAddr
|
|
for _, macStr := range r.Form["mac"] {
|
|
mac, err := net.ParseMAC(macStr)
|
|
if err != nil {
|
|
http.Error(w, "bad 'mac' param", http.StatusBadRequest)
|
|
return
|
|
}
|
|
macs = append(macs, mac)
|
|
}
|
|
var res struct {
|
|
SentTo []string
|
|
Errors []string
|
|
}
|
|
st := b.sys.NetMon.Get().InterfaceState()
|
|
if st == nil {
|
|
res.Errors = append(res.Errors, "no interface state")
|
|
writeJSON(w, &res)
|
|
return
|
|
}
|
|
var password []byte // TODO(bradfitz): support? does anything use WoL passwords?
|
|
for _, mac := range macs {
|
|
for ifName, ips := range st.InterfaceIPs {
|
|
for _, ip := range ips {
|
|
if ip.Addr().IsLoopback() || ip.Addr().Is6() {
|
|
continue
|
|
}
|
|
local := &net.UDPAddr{
|
|
IP: ip.Addr().AsSlice(),
|
|
Port: 0,
|
|
}
|
|
remote := &net.UDPAddr{
|
|
IP: net.IPv4bcast,
|
|
Port: 0,
|
|
}
|
|
if err := wol.Wake(mac, password, local, remote); err != nil {
|
|
res.Errors = append(res.Errors, err.Error())
|
|
} else {
|
|
res.SentTo = append(res.SentTo, ifName)
|
|
}
|
|
break // one per interface is enough
|
|
}
|
|
}
|
|
}
|
|
sort.Strings(res.SentTo)
|
|
writeJSON(w, &res)
|
|
}
|
|
|
|
// handleC2NTLSCertStatus returns info about the last TLS certificate issued for the
|
|
// provided domain. This can be called by the controlplane to clean up DNS TXT
|
|
// records when they're no longer needed by LetsEncrypt.
|
|
//
|
|
// It does not kick off a cert fetch or async refresh. It only reports anything
|
|
// that's already sitting on disk, and only reports metadata about the public
|
|
// cert (stuff that'd be the in CT logs anyway).
|
|
func handleC2NTLSCertStatus(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
|
|
cs, err := b.getCertStore()
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
domain := r.FormValue("domain")
|
|
if domain == "" {
|
|
http.Error(w, "no 'domain'", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
ret := &tailcfg.C2NTLSCertInfo{}
|
|
pair, err := getCertPEMCached(cs, domain, b.clock.Now())
|
|
ret.Valid = err == nil
|
|
if err != nil {
|
|
ret.Error = err.Error()
|
|
if errors.Is(err, errCertExpired) {
|
|
ret.Expired = true
|
|
} else if errors.Is(err, ipn.ErrStateNotExist) {
|
|
ret.Missing = true
|
|
ret.Error = "no certificate"
|
|
}
|
|
} else {
|
|
block, _ := pem.Decode(pair.CertPEM)
|
|
if block == nil {
|
|
ret.Error = "invalid PEM"
|
|
ret.Valid = false
|
|
} else {
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
ret.Error = fmt.Sprintf("invalid certificate: %v", err)
|
|
ret.Valid = false
|
|
} else {
|
|
ret.NotBefore = cert.NotBefore.UTC().Format(time.RFC3339)
|
|
ret.NotAfter = cert.NotAfter.UTC().Format(time.RFC3339)
|
|
}
|
|
}
|
|
}
|
|
|
|
writeJSON(w, ret)
|
|
}
|