2020-02-05 22:16:58 +00:00
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package tailcfg
2021-08-05 22:05:24 +01:00
//go:generate go run tailscale.com/cmd/cloner --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode --clonefunc=true --output=tailcfg_clone.go
2020-07-27 18:40:34 +01:00
2020-02-05 22:16:58 +00:00
import (
2021-05-08 01:01:44 +01:00
"encoding/hex"
2022-02-15 05:20:41 +00:00
"encoding/json"
2020-02-05 22:16:58 +00:00
"errors"
"fmt"
2020-02-16 06:23:58 +00:00
"reflect"
2020-02-05 22:16:58 +00:00
"strings"
"time"
2020-07-31 21:27:09 +01:00
"inet.af/netaddr"
2021-08-05 22:05:24 +01:00
"tailscale.com/types/dnstype"
2020-06-19 03:32:55 +01:00
"tailscale.com/types/key"
2020-02-25 22:05:17 +00:00
"tailscale.com/types/opt"
2020-05-03 21:58:39 +01:00
"tailscale.com/types/structs"
2022-02-15 05:20:41 +00:00
"tailscale.com/types/views"
2021-01-25 22:41:39 +00:00
"tailscale.com/util/dnsname"
2020-02-05 22:16:58 +00:00
)
2022-03-06 17:32:52 +00:00
// CapabilityVersion represents the client's capability level. That
// is, it can be thought of as the client's simple version number: a
// single monotonically increasing integer, rather than the relatively
// complex x.y.z-xxxxx semver+hash(es). Whenever the client gains a
// capability or wants to negotiate a change in semantics with the
// server (control plane), bump this number and document what's new.
//
// Previously (prior to 2022-03-06), it was known as the "MapRequest
// version" or "mapVer" or "map cap" and that name and usage persists
// in places.
type CapabilityVersion int
// CurrentCapabilityVersion is the current capability version of the codebase.
2021-01-05 18:37:15 +00:00
//
// History of versions:
// 3: implicit compression, keep-alives
// 4: opt-in keep-alives via KeepAlive field, opt-in compression via Compress
// 5: 2020-10-19, implies IncludeIPv6, delta Peers/UserProfiles, supports MagicDNS
// 6: 2020-12-07: means MapResponse.PacketFilter nil means unchanged
// 7: 2020-12-15: FilterRule.SrcIPs accepts CIDRs+ranges, doesn't warn about 0.0.0.0/::
2021-03-03 20:01:15 +00:00
// 8: 2020-12-19: client can buggily receive IPv6 addresses and routes if beta enabled server-side
2021-01-05 18:37:15 +00:00
// 9: 2020-12-30: client doesn't auto-add implicit search domains from peers; only DNSConfig.Domains
2021-01-17 20:00:56 +00:00
// 10: 2021-01-17: client understands MapResponse.PeerSeenChange
2021-03-03 23:06:35 +00:00
// 11: 2021-03-03: client understands IPv6, multiple default routes, and goroutine dumping
2021-03-05 04:54:44 +00:00
// 12: 2021-03-04: client understands PingRequest
2021-03-17 21:24:32 +00:00
// 13: 2021-03-19: client understands FilterRule.IPProto
2021-04-08 09:35:14 +01:00
// 14: 2021-04-07: client understands DNSConfig.Routes and DNSConfig.Resolvers
2021-04-12 20:12:13 +01:00
// 15: 2021-04-12: client treats nil MapResponse.DNSConfig as meaning unchanged
2021-04-16 00:03:59 +01:00
// 16: 2021-04-15: client understands Node.Online, MapResponse.OnlineChange
2021-04-19 04:48:24 +01:00
// 17: 2021-04-18: MapResponse.Domain empty means unchanged
2021-04-19 18:56:48 +01:00
// 18: 2021-04-19: MapResponse.Node nil means unchanged (all fields now omitempty)
2021-04-21 22:17:21 +01:00
// 19: 2021-04-21: MapResponse.Debug.SleepSeconds
2021-06-11 16:40:05 +01:00
// 20: 2021-06-11: MapResponse.LastSeen used even less (https://github.com/tailscale/tailscale/issues/2107)
2021-06-15 20:12:15 +01:00
// 21: 2021-06-15: added MapResponse.DNSConfig.CertDomains
2021-06-16 18:58:25 +01:00
// 22: 2021-06-16: added MapResponse.DNSConfig.ExtraRecords
2021-08-25 17:07:21 +01:00
// 23: 2021-08-25: DNSConfig.Routes values may be empty (for ExtraRecords support in 1.14.1+)
2021-09-18 20:59:55 +01:00
// 24: 2021-09-18: MapResponse.Health from control to node; node shows in "tailscale status"
2021-11-01 18:50:46 +00:00
// 25: 2021-11-01: MapResponse.Debug.Exit
2022-01-12 23:00:20 +00:00
// 26: 2022-01-12: (nothing, just bumping for 1.20.0)
2022-02-18 22:10:26 +00:00
// 27: 2022-02-18: start of SSHPolicy being respected
2022-03-09 22:18:54 +00:00
// 28: 2022-03-09: client can communicate over Noise.
2022-03-29 20:43:26 +01:00
// 29: 2022-03-21: MapResponse.PopBrowserURL
// 30: 2022-03-22: client can request id tokens.
2022-04-15 17:00:27 +01:00
// 31: 2022-04-15: PingRequest & PingResponse TSMP & disco support
2022-03-18 18:48:40 +00:00
// 32: 2022-04-17: client knows FilterRule.CapMatch
const CurrentCapabilityVersion CapabilityVersion = 32
2021-01-05 18:37:15 +00:00
2021-01-21 02:34:50 +00:00
type StableID string
2020-02-05 22:16:58 +00:00
type ID int64
type UserID ID
2020-09-30 01:38:56 +01:00
func ( u UserID ) IsZero ( ) bool {
return u == 0
}
2020-02-05 22:16:58 +00:00
type LoginID ID
2020-10-01 01:55:12 +01:00
func ( u LoginID ) IsZero ( ) bool {
return u == 0
}
2020-02-05 22:16:58 +00:00
type NodeID ID
2020-09-30 01:38:56 +01:00
func ( u NodeID ) IsZero ( ) bool {
return u == 0
}
2021-01-21 02:34:50 +00:00
type StableNodeID StableID
func ( u StableNodeID ) IsZero ( ) bool {
return u == ""
}
2020-02-05 22:16:58 +00:00
// User is an IPN user.
//
// A user can have multiple logins associated with it (e.g. gmail and github oauth).
// (Note: none of our UIs support this yet.)
//
// Some properties are inhereted from the logins and can be overridden, such as
// display name and profile picture.
//
// Other properties must be the same for all logins associated with a user.
// In particular: domain. If a user has a "tailscale.io" domain login, they cannot
// have a general gmail address login associated with the user.
type User struct {
ID UserID
LoginName string ` json:"-" ` // not stored, filled from Login // TODO REMOVE
DisplayName string // if non-empty overrides Login field
ProfilePicURL string // if non-empty overrides Login field
Domain string
Logins [ ] LoginID
Created time . Time
2020-02-27 20:20:29 +00:00
}
2020-02-05 22:16:58 +00:00
type Login struct {
2020-05-03 21:58:39 +01:00
_ structs . Incomparable
2020-02-05 22:16:58 +00:00
ID LoginID
Provider string
LoginName string
DisplayName string
ProfilePicURL string
Domain string
}
// A UserProfile is display-friendly data for a user.
// It includes the LoginName for display purposes but *not* the Provider.
// It also includes derived data from one of the user's logins.
type UserProfile struct {
ID UserID
2020-06-12 16:17:03 +01:00
LoginName string // "alice@smith.com"; for display purposes only (provider is not listed)
DisplayName string // "Alice Smith"
2020-02-05 22:16:58 +00:00
ProfilePicURL string
2021-04-01 22:44:40 +01:00
// Roles exists for legacy reasons, to keep old macOS clients
// happy. It JSON marshals as [].
Roles emptyStructJSONSlice
}
type emptyStructJSONSlice struct { }
var emptyJSONSliceBytes = [ ] byte ( "[]" )
func ( emptyStructJSONSlice ) MarshalJSON ( ) ( [ ] byte , error ) {
return emptyJSONSliceBytes , nil
2020-02-05 22:16:58 +00:00
}
2021-04-01 22:44:40 +01:00
func ( emptyStructJSONSlice ) UnmarshalJSON ( [ ] byte ) error { return nil }
2020-02-05 22:16:58 +00:00
type Node struct {
2021-01-21 02:34:50 +00:00
ID NodeID
StableID StableNodeID
Name string // DNS
2021-01-05 21:52:33 +00:00
// User is the user who created the node. If ACL tags are in
// use for the node then it doesn't reflect the ACL identity
// that the node is running as.
User UserID
// Sharer, if non-zero, is the user who shared this node, if different than User.
Sharer UserID ` json:",omitempty" `
2021-11-02 03:55:52 +00:00
Key key . NodePublic
2020-02-05 22:16:58 +00:00
KeyExpiry time . Time
2021-09-03 21:17:46 +01:00
Machine key . MachinePublic
2021-11-02 21:41:56 +00:00
DiscoKey key . DiscoPublic
2020-12-24 20:33:55 +00:00
Addresses [ ] netaddr . IPPrefix // IP addresses of this Node directly
AllowedIPs [ ] netaddr . IPPrefix // range of IP addresses to route to this node
Endpoints [ ] string ` json:",omitempty" ` // IP+port (public via STUN, and local LANs)
DERP string ` json:",omitempty" ` // DERP-in-IP:port ("127.3.3.40:N") endpoint
2022-02-15 16:19:44 +00:00
Hostinfo HostinfoView
2020-02-05 22:16:58 +00:00
Created time . Time
2021-04-16 00:03:59 +01:00
2021-10-20 22:26:31 +01:00
// Tags are the list of ACL tags applied to this node.
// Tags take the form of `tag:<value>` where value starts
// with a letter and only contains alphanumerics and dashes `-`.
// Some valid tag examples:
// `tag:prod`
// `tag:database`
// `tag:lab-1`
Tags [ ] string ` json:",omitempty" `
2021-07-27 16:01:29 +01:00
// PrimaryRoutes are the routes from AllowedIPs that this node
// is currently the primary subnet router for, as determined
// by the control plane. It does not include the self address
// values from Addresses that are in AllowedIPs.
PrimaryRoutes [ ] netaddr . IPPrefix ` json:",omitempty" `
2021-04-16 00:03:59 +01:00
// LastSeen is when the node was last online. It is not
// updated when Online is true. It is nil if the current
// node doesn't have permission to know, or the node
// has never been online.
LastSeen * time . Time ` json:",omitempty" `
// Online is whether the node is currently connected to the
// coordination server. A value of nil means unknown, or the
// current node doesn't have permission to know.
Online * bool ` json:",omitempty" `
2020-02-05 22:16:58 +00:00
2020-11-25 18:27:01 +00:00
KeepAlive bool ` json:",omitempty" ` // open and keep open a connection to this peer
2020-03-14 15:56:52 +00:00
2020-11-25 18:27:01 +00:00
MachineAuthorized bool ` json:",omitempty" ` // TODO(crawshaw): replace with MachineStatus
2021-01-27 16:50:31 +00:00
2021-04-01 22:03:34 +01:00
// Capabilities are capabilities that the node has.
// They're free-form strings, but should be in the form of URLs/URIs
// such as:
// "https://tailscale.com/cap/is-admin"
2021-04-16 18:57:46 +01:00
// "https://tailscale.com/cap/file-sharing"
2021-04-01 22:03:34 +01:00
Capabilities [ ] string ` json:",omitempty" `
2021-01-27 16:50:31 +00:00
// The following three computed fields hold the various names that can
// be used for this node in UIs. They are populated from controlclient
// (not from control) by calling node.InitDisplayNames. These can be
// used directly or accessed via node.DisplayName or node.DisplayNames.
ComputedName string ` json:",omitempty" ` // MagicDNS base name (for normal non-shared-in nodes), FQDN (without trailing dot, for shared-in nodes), or Hostname (if no MagicDNS)
computedHostIfDifferent string // hostname, if different than ComputedName, otherwise empty
ComputedNameWithHost string ` json:",omitempty" ` // either "ComputedName" or "ComputedName (computedHostIfDifferent)", if computedHostIfDifferent is set
2020-02-05 22:16:58 +00:00
}
2021-01-27 16:50:31 +00:00
// DisplayName returns the user-facing name for a node which should
// be shown in client UIs.
//
// Parameter forOwner specifies whether the name is requested by
// the owner of the node. When forOwner is false, the hostname is
// never included in the return value.
//
// Return value is either either "Name" or "Name (Hostname)", where
// Name is the node's MagicDNS base name (for normal non-shared-in
// nodes), FQDN (without trailing dot, for shared-in nodes), or
// Hostname (if no MagicDNS). Hostname is only included in the
// return value if it varies from Name and forOwner is provided true.
//
// DisplayName is only valid if InitDisplayNames has been called.
func ( n * Node ) DisplayName ( forOwner bool ) string {
if forOwner {
return n . ComputedNameWithHost
2021-01-25 22:41:39 +00:00
}
2021-01-27 16:50:31 +00:00
return n . ComputedName
}
// DisplayName returns the decomposed user-facing name for a node.
//
// Parameter forOwner specifies whether the name is requested by
// the owner of the node. When forOwner is false, hostIfDifferent
// is always returned empty.
//
// Return value name is the node's primary name, populated with the
// node's MagicDNS base name (for normal non-shared-in nodes), FQDN
// (without trailing dot, for shared-in nodes), or Hostname (if no
// MagicDNS).
//
// Return value hostIfDifferent, when non-empty, is the node's
// hostname. hostIfDifferent is only populated when the hostname
// varies from name and forOwner is provided as true.
//
// DisplayNames is only valid if InitDisplayNames has been called.
func ( n * Node ) DisplayNames ( forOwner bool ) ( name , hostIfDifferent string ) {
if forOwner {
return n . ComputedName , n . computedHostIfDifferent
2021-01-25 22:41:39 +00:00
}
2021-01-27 16:50:31 +00:00
return n . ComputedName , ""
}
// InitDisplayNames computes and populates n's display name
// fields: n.ComputedName, n.computedHostIfDifferent, and
// n.ComputedNameWithHost.
func ( n * Node ) InitDisplayNames ( networkMagicDNSSuffix string ) {
2021-02-18 22:15:38 +00:00
name := dnsname . TrimSuffix ( n . Name , networkMagicDNSSuffix )
2022-02-15 16:19:44 +00:00
var hostIfDifferent string
if n . Hostinfo . Valid ( ) {
hostIfDifferent = dnsname . SanitizeHostname ( n . Hostinfo . Hostname ( ) )
}
2021-01-27 16:50:31 +00:00
if strings . EqualFold ( name , hostIfDifferent ) {
hostIfDifferent = ""
}
if name == "" {
if hostIfDifferent != "" {
name = hostIfDifferent
hostIfDifferent = ""
} else {
name = n . Key . String ( )
}
}
var nameWithHost string
if hostIfDifferent != "" {
nameWithHost = fmt . Sprintf ( "%s (%s)" , name , hostIfDifferent )
} else {
nameWithHost = name
}
n . ComputedName = name
n . computedHostIfDifferent = hostIfDifferent
n . ComputedNameWithHost = nameWithHost
2021-01-25 22:41:39 +00:00
}
2020-02-05 22:16:58 +00:00
type MachineStatus int
const (
MachineUnknown = MachineStatus ( iota )
MachineUnauthorized // server has yet to approve
MachineAuthorized // server has approved
MachineInvalid // server has explicitly rejected this machine key
)
func ( m MachineStatus ) MarshalText ( ) ( [ ] byte , error ) {
return [ ] byte ( m . String ( ) ) , nil
}
func ( m * MachineStatus ) UnmarshalText ( b [ ] byte ) error {
switch string ( b ) {
case "machine-unknown" :
* m = MachineUnknown
case "machine-unauthorized" :
* m = MachineUnauthorized
case "machine-authorized" :
* m = MachineAuthorized
case "machine-invalid" :
* m = MachineInvalid
default :
var val int
if _ , err := fmt . Sscanf ( string ( b ) , "machine-unknown(%d)" , & val ) ; err != nil {
* m = MachineStatus ( val )
} else {
* m = MachineUnknown
}
}
return nil
}
func ( m MachineStatus ) String ( ) string {
switch m {
case MachineUnknown :
return "machine-unknown"
case MachineUnauthorized :
return "machine-unauthorized"
case MachineAuthorized :
return "machine-authorized"
case MachineInvalid :
return "machine-invalid"
default :
return fmt . Sprintf ( "machine-unknown(%d)" , int ( m ) )
}
}
2020-11-11 03:26:23 +00:00
func isNum ( b byte ) bool {
return b >= '0' && b <= '9'
}
func isAlpha ( b byte ) bool {
return ( b >= 'A' && b <= 'Z' ) || ( b >= 'a' && b <= 'z' )
}
2020-05-01 06:01:27 +01:00
2020-11-04 00:10:23 +00:00
// CheckTag validates tag for use as an ACL tag.
2020-05-01 06:01:27 +01:00
// For now we allow only ascii alphanumeric tags, and they need to start
// with a letter. No unicode shenanigans allowed, and we reserve punctuation
// marks other than '-' for a possible future URI scheme.
//
// Because we're ignoring unicode entirely, we can treat utf-8 as a series of
// bytes. Anything >= 128 is disqualified anyway.
//
// We might relax these rules later.
func CheckTag ( tag string ) error {
if ! strings . HasPrefix ( tag , "tag:" ) {
return errors . New ( "tags must start with 'tag:'" )
}
2020-11-11 03:26:23 +00:00
tag = tag [ 4 : ]
2020-05-01 06:01:27 +01:00
if tag == "" {
return errors . New ( "tag names must not be empty" )
}
2020-11-11 03:26:23 +00:00
if ! isAlpha ( tag [ 0 ] ) {
return errors . New ( "tag names must start with a letter, after 'tag:'" )
2020-10-28 14:59:57 +00:00
}
2020-11-11 03:26:23 +00:00
for _ , b := range [ ] byte ( tag ) {
if ! isNum ( b ) && ! isAlpha ( b ) && b != '-' {
2020-05-01 06:01:27 +01:00
return errors . New ( "tag names can only contain numbers, letters, or dashes" )
}
}
2020-11-11 03:26:23 +00:00
2020-05-01 06:01:27 +01:00
return nil
}
2020-11-04 00:10:23 +00:00
// CheckRequestTags checks that all of h.RequestTags are valid.
func ( h * Hostinfo ) CheckRequestTags ( ) error {
if h == nil {
return nil
}
for _ , tag := range h . RequestTags {
2020-11-04 00:19:20 +00:00
if err := CheckTag ( tag ) ; err != nil {
return fmt . Errorf ( "tag(%#v): %w" , tag , err )
2020-11-04 00:10:23 +00:00
}
}
return nil
}
2021-11-30 01:19:17 +00:00
// ServiceProto is a service type. It's usually
// TCP ("tcp") or UDP ("udp"), but it can also have
// meta service values as defined in Service.Proto.
2020-02-05 22:16:58 +00:00
type ServiceProto string
const (
2021-11-30 01:19:17 +00:00
TCP = ServiceProto ( "tcp" )
UDP = ServiceProto ( "udp" )
PeerAPI4 = ServiceProto ( "peerapi4" )
PeerAPI6 = ServiceProto ( "peerapi6" )
PeerAPIDNS = ServiceProto ( "peerapi-dns-proxy" )
2020-02-05 22:16:58 +00:00
)
2021-11-30 01:19:17 +00:00
// Service represents a service running on a node.
2020-02-05 22:16:58 +00:00
type Service struct {
2021-11-30 01:19:17 +00:00
_ structs . Incomparable
// Proto is the type of service. It's usually the constant TCP
// or UDP ("tcp" or "udp"), but it can also be one of the
// following meta service values:
//
// * "peerapi4": peerapi is available on IPv4; Port is the
// port number that the peerapi is running on the
// node's Tailscale IPv4 address.
// * "peerapi6": peerapi is available on IPv6; Port is the
// port number that the peerapi is running on the
// node's Tailscale IPv6 address.
// * "peerapi-dns": the local peerapi service supports
// being a DNS proxy (when the node is an exit
// node). For this service, the Port number is really
// the version number of the service.
Proto ServiceProto
// Port is the port number.
//
// For Proto "peerapi-dns", it's the version number of the DNS proxy,
// currently 1.
Port uint16
// Description is the textual description of the service,
// usually the process name that's running.
Description string ` json:",omitempty" `
2020-02-05 22:16:58 +00:00
// TODO(apenwarr): allow advertising services on subnet IPs?
// TODO(apenwarr): add "tags" here for each service?
}
2020-02-25 18:04:20 +00:00
// Hostinfo contains a summary of a Tailscale host.
//
// Because it contains pointers (slices), this type should not be used
// as a value type.
2020-02-05 22:16:58 +00:00
type Hostinfo struct {
2020-12-24 20:33:55 +00:00
IPNVersion string ` json:",omitempty" ` // version of this code
FrontendLogID string ` json:",omitempty" ` // logtail ID of frontend instance
BackendLogID string ` json:",omitempty" ` // logtail ID of backend instance
2022-04-05 21:25:14 +01:00
OS string ` json:",omitempty" ` // operating system the client runs on (a version.OS value)
2020-12-24 20:33:55 +00:00
OSVersion string ` json:",omitempty" ` // operating system version, with optional distro prefix ("Debian 10.4", "Windows 10 Pro 10.0.19041")
2022-04-07 19:42:48 +01:00
Desktop opt . Bool ` json:",omitempty" ` // if a desktop was detected on Linux
2021-02-15 20:58:56 +00:00
Package string ` json:",omitempty" ` // Tailscale package to disambiguate ("choco", "appstore", etc; "" for unknown)
2021-08-20 18:34:13 +01:00
DeviceModel string ` json:",omitempty" ` // mobile phone model ("Pixel 3a", "iPhone12,3")
2022-04-05 21:25:14 +01:00
Hostname string ` json:",omitempty" ` // name of the host the client runs on
2020-12-24 20:33:55 +00:00
ShieldsUp bool ` json:",omitempty" ` // indicates whether the host is blocking incoming connections
ShareeNode bool ` json:",omitempty" ` // indicates this node exists in netmap because it's owned by a shared-to user
GoArch string ` json:",omitempty" ` // the host's GOARCH value (of the running binary)
RoutableIPs [ ] netaddr . IPPrefix ` json:",omitempty" ` // set of IP ranges this client can route
RequestTags [ ] string ` json:",omitempty" ` // set of ACL tags this node wants to claim
Services [ ] Service ` json:",omitempty" ` // services advertised by this machine
NetInfo * NetInfo ` json:",omitempty" `
2022-02-17 23:00:41 +00:00
SSH_HostKeys [ ] string ` json:"sshHostKeys,omitempty" ` // if advertised
2020-02-05 22:16:58 +00:00
// NOTE: any new fields containing pointers in this type
2020-11-23 14:28:32 +00:00
// require changes to Hostinfo.Equal.
2020-02-05 22:16:58 +00:00
}
2022-02-15 16:19:44 +00:00
// View returns a read-only accessor for hi.
2022-02-15 05:20:41 +00:00
func ( hi * Hostinfo ) View ( ) HostinfoView { return HostinfoView { hi } }
// HostinfoView is a read-only accessor for Hostinfo.
// See Hostinfo.
type HostinfoView struct {
// It is named distinctively to make you think of how dangerous it is to escape
// to callers. You must not let callers be able to mutate it.
ж * Hostinfo
}
func ( v HostinfoView ) MarshalJSON ( ) ( [ ] byte , error ) {
return json . Marshal ( v . ж )
}
func ( v * HostinfoView ) UnmarshalJSON ( b [ ] byte ) error {
if v . ж != nil {
return errors . New ( "HostinfoView is already initialized" )
}
if len ( b ) == 0 {
return nil
}
hi := & Hostinfo { }
if err := json . Unmarshal ( b , hi ) ; err != nil {
return err
}
v . ж = hi
return nil
}
// Valid reports whether the underlying value is not nil.
func ( v HostinfoView ) Valid ( ) bool { return v . ж != nil }
// AsStruct returns a deep-copy of the underlying value.
func ( v HostinfoView ) AsStruct ( ) * Hostinfo { return v . ж . Clone ( ) }
func ( v HostinfoView ) IPNVersion ( ) string { return v . ж . IPNVersion }
func ( v HostinfoView ) FrontendLogID ( ) string { return v . ж . FrontendLogID }
func ( v HostinfoView ) BackendLogID ( ) string { return v . ж . BackendLogID }
func ( v HostinfoView ) OS ( ) string { return v . ж . OS }
func ( v HostinfoView ) OSVersion ( ) string { return v . ж . OSVersion }
func ( v HostinfoView ) Package ( ) string { return v . ж . Package }
func ( v HostinfoView ) DeviceModel ( ) string { return v . ж . DeviceModel }
func ( v HostinfoView ) Hostname ( ) string { return v . ж . Hostname }
func ( v HostinfoView ) ShieldsUp ( ) bool { return v . ж . ShieldsUp }
func ( v HostinfoView ) ShareeNode ( ) bool { return v . ж . ShareeNode }
func ( v HostinfoView ) GoArch ( ) string { return v . ж . GoArch }
2022-02-15 16:19:44 +00:00
func ( v HostinfoView ) Equal ( v2 HostinfoView ) bool { return v . ж . Equal ( v2 . ж ) }
2022-02-15 05:20:41 +00:00
func ( v HostinfoView ) RoutableIPs ( ) views . IPPrefixSlice {
return views . IPPrefixSliceOf ( v . ж . RoutableIPs )
}
2022-03-17 04:45:19 +00:00
func ( v HostinfoView ) RequestTags ( ) views . Slice [ string ] {
return views . SliceOf ( v . ж . RequestTags )
2022-02-15 05:20:41 +00:00
}
2022-03-17 04:45:19 +00:00
func ( v HostinfoView ) SSH_HostKeys ( ) views . Slice [ string ] {
return views . SliceOf ( v . ж . SSH_HostKeys )
2022-02-17 23:00:41 +00:00
}
2022-02-15 05:20:41 +00:00
func ( v HostinfoView ) Services ( ) ServiceSlice {
return ServiceSliceOf ( v . ж . Services )
}
func ( v HostinfoView ) NetInfo ( ) NetInfoView { return v . ж . NetInfo . View ( ) }
// ServiceSlice is a read-only accessor for a slice of Services
type ServiceSlice struct {
// It is named distinctively to make you think of how dangerous it is to escape
// to callers. You must not let callers be able to mutate it.
ж [ ] Service
}
// ServiceSliceOf returns a ServiceSlice for the provided slice.
func ServiceSliceOf ( x [ ] Service ) ServiceSlice { return ServiceSlice { x } }
// Len returns the length of the slice.
func ( v ServiceSlice ) Len ( ) int { return len ( v . ж ) }
// At returns the Service at index `i` of the slice.
func ( v ServiceSlice ) At ( i int ) Service { return v . ж [ i ] }
// Append appends the underlying slice values to dst.
func ( v ServiceSlice ) Append ( dst [ ] Service ) [ ] Service {
return append ( dst , v . ж ... )
}
// AsSlice returns a copy of underlying slice.
func ( v ServiceSlice ) AsSlice ( ) [ ] Service {
return v . Append ( v . ж [ : 0 : 0 ] )
}
// NetInfoView is a read-only accessor for NetInfo.
// See NetInfo.
type NetInfoView struct {
// It is named distinctively to make you think of how dangerous it is to escape
// to callers. You must not let callers be able to mutate it.
ж * NetInfo
}
// Valid reports whether the underlying value is not nil.
func ( v NetInfoView ) Valid ( ) bool { return v . ж != nil }
// AsStruct returns a deep-copy of the underlying value.
func ( v NetInfoView ) AsStruct ( ) * NetInfo { return v . ж . Clone ( ) }
func ( v NetInfoView ) MappingVariesByDestIP ( ) opt . Bool { return v . ж . MappingVariesByDestIP }
func ( v NetInfoView ) HairPinning ( ) opt . Bool { return v . ж . HairPinning }
func ( v NetInfoView ) WorkingIPv6 ( ) opt . Bool { return v . ж . WorkingIPv6 }
func ( v NetInfoView ) WorkingUDP ( ) opt . Bool { return v . ж . WorkingUDP }
func ( v NetInfoView ) HavePortMap ( ) bool { return v . ж . HavePortMap }
func ( v NetInfoView ) UPnP ( ) opt . Bool { return v . ж . UPnP }
func ( v NetInfoView ) PMP ( ) opt . Bool { return v . ж . PMP }
func ( v NetInfoView ) PCP ( ) opt . Bool { return v . ж . PCP }
func ( v NetInfoView ) PreferredDERP ( ) int { return v . ж . PreferredDERP }
func ( v NetInfoView ) LinkType ( ) string { return v . ж . LinkType }
func ( v NetInfoView ) String ( ) string { return v . ж . String ( ) }
// DERPLatencyForEach calls fn for each value in the DERPLatency map.
func ( v NetInfoView ) DERPLatencyForEach ( fn func ( k string , v float64 ) ) {
for k , v := range v . ж . DERPLatency {
fn ( k , v )
}
}
2020-02-25 22:05:17 +00:00
// NetInfo contains information about the host's network state.
type NetInfo struct {
// MappingVariesByDestIP says whether the host's NAT mappings
// vary based on the destination IP.
MappingVariesByDestIP opt . Bool
2020-02-28 22:14:02 +00:00
// HairPinning is their router does hairpinning.
// It reports true even if there's no NAT involved.
HairPinning opt . Bool
2020-02-25 22:05:17 +00:00
// WorkingIPv6 is whether IPv6 works.
WorkingIPv6 opt . Bool
// WorkingUDP is whether UDP works.
WorkingUDP opt . Bool
2021-03-09 23:09:10 +00:00
// HavePortMap is whether we have an existing portmap open
// (UPnP, PMP, or PCP).
HavePortMap bool ` json:",omitempty" `
2020-07-06 21:51:17 +01:00
// UPnP is whether UPnP appears present on the LAN.
// Empty means not checked.
UPnP opt . Bool
// PMP is whether NAT-PMP appears present on the LAN.
// Empty means not checked.
PMP opt . Bool
// PCP is whether PCP appears present on the LAN.
// Empty means not checked.
PCP opt . Bool
2020-03-04 06:21:56 +00:00
// PreferredDERP is this node's preferred DERP server
// for incoming traffic. The node might be be temporarily
// connected to multiple DERP servers (to send to other nodes)
// but PreferredDERP is the instance number that the node
// subscribes to traffic at.
// Zero means disconnected or unknown.
PreferredDERP int
// LinkType is the current link type, if known.
2020-10-19 16:30:36 +01:00
LinkType string ` json:",omitempty" ` // "wired", "wifi", "mobile" (LTE, 4G, 3G, etc)
2020-03-04 06:21:56 +00:00
2020-02-25 22:05:17 +00:00
// DERPLatency is the fastest recent time to reach various
2020-05-17 17:51:38 +01:00
// DERP STUN servers, in seconds. The map key is the
// "regionID-v4" or "-v6"; it was previously the DERP server's
// STUN host:port.
2020-02-25 22:05:17 +00:00
//
// This should only be updated rarely, or when there's a
// material change, as any change here also gets uploaded to
// the control plane.
DERPLatency map [ string ] float64 ` json:",omitempty" `
2020-03-04 06:21:56 +00:00
2020-11-23 14:28:32 +00:00
// Update BasicallyEqual when adding fields.
2020-03-04 06:21:56 +00:00
}
2020-03-13 05:29:47 +00:00
func ( ni * NetInfo ) String ( ) string {
2020-03-23 02:34:09 +00:00
if ni == nil {
return "NetInfo(nil)"
}
2020-07-06 21:51:17 +01:00
return fmt . Sprintf ( "NetInfo{varies=%v hairpin=%v ipv6=%v udp=%v derp=#%v portmap=%v link=%q}" ,
2020-03-13 05:29:47 +00:00
ni . MappingVariesByDestIP , ni . HairPinning , ni . WorkingIPv6 ,
2020-07-06 21:51:17 +01:00
ni . WorkingUDP , ni . PreferredDERP ,
ni . portMapSummary ( ) ,
ni . LinkType )
}
func ( ni * NetInfo ) portMapSummary ( ) string {
2021-03-09 23:09:10 +00:00
if ! ni . HavePortMap && ni . UPnP == "" && ni . PMP == "" && ni . PCP == "" {
2020-07-08 02:54:41 +01:00
return "?"
2020-07-06 21:51:17 +01:00
}
2021-03-09 23:09:10 +00:00
var prefix string
if ni . HavePortMap {
prefix = "active-"
}
return prefix + conciseOptBool ( ni . UPnP , "U" ) + conciseOptBool ( ni . PMP , "M" ) + conciseOptBool ( ni . PCP , "C" )
2020-07-06 21:51:17 +01:00
}
2022-02-15 16:19:44 +00:00
// View returns a read-only accessor for ni.
2022-02-15 05:20:41 +00:00
func ( ni * NetInfo ) View ( ) NetInfoView { return NetInfoView { ni } }
2020-07-06 21:51:17 +01:00
func conciseOptBool ( b opt . Bool , trueVal string ) string {
if b == "" {
return "_"
}
v , ok := b . Get ( )
if ! ok {
return "x"
}
if v {
return trueVal
}
return ""
2020-03-13 05:29:47 +00:00
}
2020-03-04 06:21:56 +00:00
// BasicallyEqual reports whether ni and ni2 are basically equal, ignoring
2020-05-17 17:51:38 +01:00
// changes in DERP ServerLatency & RegionLatency.
2020-03-04 06:21:56 +00:00
func ( ni * NetInfo ) BasicallyEqual ( ni2 * NetInfo ) bool {
if ( ni == nil ) != ( ni2 == nil ) {
return false
}
if ni == nil {
return true
}
return ni . MappingVariesByDestIP == ni2 . MappingVariesByDestIP &&
ni . HairPinning == ni2 . HairPinning &&
ni . WorkingIPv6 == ni2 . WorkingIPv6 &&
ni . WorkingUDP == ni2 . WorkingUDP &&
2021-03-09 23:09:10 +00:00
ni . HavePortMap == ni2 . HavePortMap &&
2020-07-06 21:51:17 +01:00
ni . UPnP == ni2 . UPnP &&
ni . PMP == ni2 . PMP &&
ni . PCP == ni2 . PCP &&
2020-03-04 06:21:56 +00:00
ni . PreferredDERP == ni2 . PreferredDERP &&
ni . LinkType == ni2 . LinkType
2020-02-25 22:05:17 +00:00
}
2020-02-18 03:33:01 +00:00
// Equal reports whether h and h2 are equal.
func ( h * Hostinfo ) Equal ( h2 * Hostinfo ) bool {
2020-07-23 18:41:54 +01:00
if h == nil && h2 == nil {
return true
}
if ( h == nil ) != ( h2 == nil ) {
return false
}
2020-02-18 03:33:01 +00:00
return reflect . DeepEqual ( h , h2 )
}
2021-12-22 23:04:44 +00:00
// HowUnequal returns a list of paths through Hostinfo where h and h2 differ.
// If they differ in nil-ness, the path is "nil", otherwise the path is like
// "ShieldsUp" or "NetInfo.nil" or "NetInfo.PCP".
func ( h * Hostinfo ) HowUnequal ( h2 * Hostinfo ) ( path [ ] string ) {
return appendStructPtrDiff ( nil , "" , reflect . ValueOf ( h ) , reflect . ValueOf ( h2 ) )
}
func appendStructPtrDiff ( base [ ] string , pfx string , p1 , p2 reflect . Value ) ( ret [ ] string ) {
ret = base
if p1 . IsNil ( ) && p2 . IsNil ( ) {
return base
}
mkPath := func ( b string ) string {
if pfx == "" {
return b
}
return pfx + "." + b
}
if p1 . IsNil ( ) || p2 . IsNil ( ) {
return append ( base , mkPath ( "nil" ) )
}
v1 , v2 := p1 . Elem ( ) , p2 . Elem ( )
t := v1 . Type ( )
for i , n := 0 , t . NumField ( ) ; i < n ; i ++ {
sf := t . Field ( i )
switch sf . Type . Kind ( ) {
case reflect . String :
if v1 . Field ( i ) . String ( ) != v2 . Field ( i ) . String ( ) {
ret = append ( ret , mkPath ( sf . Name ) )
}
continue
case reflect . Bool :
if v1 . Field ( i ) . Bool ( ) != v2 . Field ( i ) . Bool ( ) {
ret = append ( ret , mkPath ( sf . Name ) )
}
continue
case reflect . Int , reflect . Int8 , reflect . Int16 , reflect . Int32 , reflect . Int64 :
if v1 . Field ( i ) . Int ( ) != v2 . Field ( i ) . Int ( ) {
ret = append ( ret , mkPath ( sf . Name ) )
}
continue
case reflect . Uint , reflect . Uint8 , reflect . Uint16 , reflect . Uint32 , reflect . Uint64 , reflect . Uintptr :
if v1 . Field ( i ) . Uint ( ) != v2 . Field ( i ) . Uint ( ) {
ret = append ( ret , mkPath ( sf . Name ) )
}
continue
case reflect . Slice , reflect . Map :
if ! reflect . DeepEqual ( v1 . Field ( i ) . Interface ( ) , v2 . Field ( i ) . Interface ( ) ) {
ret = append ( ret , mkPath ( sf . Name ) )
}
continue
case reflect . Ptr :
if sf . Type . Elem ( ) . Kind ( ) == reflect . Struct {
ret = appendStructPtrDiff ( ret , sf . Name , v1 . Field ( i ) , v2 . Field ( i ) )
continue
}
}
panic ( fmt . Sprintf ( "unsupported type at %s: %s" , mkPath ( sf . Name ) , sf . Type . String ( ) ) )
}
return ret
}
2021-03-26 14:01:08 +00:00
// SignatureType specifies a scheme for signing RegisterRequest messages. It
// specifies the crypto algorithms to use, the contents of what is signed, and
// any other relevant details. Historically, requests were unsigned so the zero
// value is SignatureNone.
type SignatureType int
const (
// SignatureNone indicates that there is no signature, no Timestamp is
// required (but may be specified if desired), and both DeviceCert and
// Signature should be empty.
SignatureNone = SignatureType ( iota )
// SignatureUnknown represents an unknown signature scheme, which should
// be considered an error if seen.
SignatureUnknown
// SignatureV1 is computed as RSA-PSS-Sign(privateKeyForDeviceCert,
2021-09-17 18:17:57 +01:00
// SHA256(Timestamp || ServerIdentity || DeviceCert || ServerShortPubKey ||
// MachineShortPubKey)). The PSS salt length is equal to hash length
// (rsa.PSSSaltLengthEqualsHash). Device cert is required.
// Deprecated: uses old key serialization format.
SignatureV1
// SignatureV2 is computed as RSA-PSS-Sign(privateKeyForDeviceCert,
2021-03-26 14:01:08 +00:00
// SHA256(Timestamp || ServerIdentity || DeviceCert || ServerPubKey ||
// MachinePubKey)). The PSS salt length is equal to hash length
// (rsa.PSSSaltLengthEqualsHash). Device cert is required.
2021-09-17 18:17:57 +01:00
SignatureV2
2021-03-26 14:01:08 +00:00
)
func ( st SignatureType ) MarshalText ( ) ( [ ] byte , error ) {
return [ ] byte ( st . String ( ) ) , nil
}
func ( st * SignatureType ) UnmarshalText ( b [ ] byte ) error {
switch string ( b ) {
case "signature-none" :
* st = SignatureNone
case "signature-v1" :
* st = SignatureV1
2021-09-17 18:17:57 +01:00
case "signature-v2" :
* st = SignatureV2
2021-03-26 14:01:08 +00:00
default :
var val int
if _ , err := fmt . Sscanf ( string ( b ) , "signature-unknown(%d)" , & val ) ; err != nil {
* st = SignatureType ( val )
} else {
* st = SignatureUnknown
}
}
return nil
}
func ( st SignatureType ) String ( ) string {
switch st {
case SignatureNone :
return "signature-none"
case SignatureUnknown :
return "signature-unknown"
case SignatureV1 :
return "signature-v1"
2021-09-17 18:17:57 +01:00
case SignatureV2 :
return "signature-v2"
2021-03-26 14:01:08 +00:00
default :
return fmt . Sprintf ( "signature-unknown(%d)" , int ( st ) )
}
}
2020-02-18 11:45:42 +00:00
// RegisterRequest is sent by a client to register the key for a node.
// It is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
// using the local machine key, and sent to:
// https://login.tailscale.com/machine/<mkey hex>
2020-02-05 22:16:58 +00:00
type RegisterRequest struct {
2022-03-06 17:32:52 +00:00
_ structs . Incomparable
// Version is the client's capabilities when using the Noise
// transport.
//
// When using the original nacl crypto_box transport, the
// value must be 1.
Version CapabilityVersion
2021-11-02 03:55:52 +00:00
NodeKey key . NodePublic
OldNodeKey key . NodePublic
2020-02-05 22:16:58 +00:00
Auth struct {
2020-05-03 21:58:39 +01:00
_ structs . Incomparable
2020-04-09 08:16:20 +01:00
// One of Provider/LoginName, Oauth2Token, or AuthKey is set.
Provider , LoginName string
2021-03-19 17:21:33 +00:00
Oauth2Token * Oauth2Token
2020-04-09 08:16:20 +01:00
AuthKey string
2020-02-05 22:16:58 +00:00
}
2021-04-09 06:26:27 +01:00
// Expiry optionally specifies the requested key expiry.
// The server policy may override.
// As a special case, if Expiry is in the past and NodeKey is
// the node's current key, the key is expired.
Expiry time . Time
Followup string // response waits until AuthURL is visited
2020-02-25 18:04:20 +00:00
Hostinfo * Hostinfo
2021-03-26 14:01:08 +00:00
2021-10-28 04:48:01 +01:00
// Ephemeral is whether the client is requesting that this
// node be considered ephemeral and be automatically deleted
// when it stops being active.
Ephemeral bool ` json:",omitempty" `
2021-03-26 14:01:08 +00:00
// The following fields are not used for SignatureNone and are required for
// SignatureV1:
SignatureType SignatureType ` json:",omitempty" `
Timestamp * time . Time ` json:",omitempty" ` // creation time of request to prevent replay
DeviceCert [ ] byte ` json:",omitempty" ` // X.509 certificate for client device
Signature [ ] byte ` json:",omitempty" ` // as described by SignatureType
2020-02-05 22:16:58 +00:00
}
2020-02-27 20:20:29 +00:00
// Clone makes a deep copy of RegisterRequest.
2020-02-18 11:45:42 +00:00
// The result aliases no memory with the original.
2020-07-24 08:59:49 +01:00
//
// TODO: extend cmd/cloner to generate this method.
2020-02-27 20:20:29 +00:00
func ( req * RegisterRequest ) Clone ( ) * RegisterRequest {
2021-09-14 17:00:04 +01:00
if req == nil {
return nil
}
2020-02-25 18:04:20 +00:00
res := new ( RegisterRequest )
* res = * req
if res . Hostinfo != nil {
2020-02-27 20:20:29 +00:00
res . Hostinfo = res . Hostinfo . Clone ( )
2020-02-25 18:04:20 +00:00
}
2020-02-18 11:45:42 +00:00
if res . Auth . Oauth2Token != nil {
tok := * res . Auth . Oauth2Token
res . Auth . Oauth2Token = & tok
}
2021-03-26 14:01:08 +00:00
res . DeviceCert = append ( res . DeviceCert [ : 0 : 0 ] , res . DeviceCert ... )
res . Signature = append ( res . Signature [ : 0 : 0 ] , res . Signature ... )
2020-02-25 18:04:20 +00:00
return res
2020-02-18 11:45:42 +00:00
}
// RegisterResponse is returned by the server in response to a RegisterRequest.
2020-02-05 22:16:58 +00:00
type RegisterResponse struct {
User User
Login Login
NodeKeyExpired bool // if true, the NodeKey needs to be replaced
MachineAuthorized bool // TODO(crawshaw): move to using MachineStatus
AuthURL string // if set, authorization pending
2021-10-26 18:19:35 +01:00
// Error indiciates that authorization failed. If this is non-empty,
// other status fields should be ignored.
Error string
2020-02-05 22:16:58 +00:00
}
tailcfg: add Endpoint, EndpointType, MapRequest.EndpointType
Track endpoints internally with a new tailcfg.Endpoint type that
includes a typed netaddr.IPPort (instead of just a string) and
includes a type for how that endpoint was discovered (STUN, local,
etc).
Use []tailcfg.Endpoint instead of []string internally.
At the last second, send it to the control server as the existing
[]string for endpoints, but also include a new parallel
MapRequest.EndpointType []tailcfg.EndpointType, so the control server
can start filtering out less-important endpoint changes from
new-enough clients. Notably, STUN-discovered endpoints can be filtered
out from 1.6+ clients, as they can discover them amongst each other
via CallMeMaybe disco exchanges started over DERP. And STUN endpoints
change a lot, causing a lot of MapResposne updates. But portmapped
endpoints are worth keeping for now, as they they work right away
without requiring the firewall traversal extra RTT dance.
End result will be less control->client bandwidth. (despite negligible
increase in client->control bandwidth)
Updates tailscale/corp#1543
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-12 21:24:29 +01:00
// EndpointType distinguishes different sources of MapRequest.Endpoint values.
type EndpointType int
const (
EndpointUnknownType = EndpointType ( 0 )
EndpointLocal = EndpointType ( 1 )
EndpointSTUN = EndpointType ( 2 )
EndpointPortmapped = EndpointType ( 3 )
EndpointSTUN4LocalPort = EndpointType ( 4 ) // hard NAT: STUN'ed IPv4 address + local fixed port
)
func ( et EndpointType ) String ( ) string {
switch et {
case EndpointUnknownType :
return "?"
case EndpointLocal :
return "local"
case EndpointSTUN :
return "stun"
case EndpointPortmapped :
return "portmap"
case EndpointSTUN4LocalPort :
return "stun4localport"
}
return "other"
}
// Endpoint is an endpoint IPPort and an associated type.
// It doesn't currently go over the wire as is but is instead
2021-03-29 21:47:12 +01:00
// broken up into two parallel slices in MapRequest, for compatibility
tailcfg: add Endpoint, EndpointType, MapRequest.EndpointType
Track endpoints internally with a new tailcfg.Endpoint type that
includes a typed netaddr.IPPort (instead of just a string) and
includes a type for how that endpoint was discovered (STUN, local,
etc).
Use []tailcfg.Endpoint instead of []string internally.
At the last second, send it to the control server as the existing
[]string for endpoints, but also include a new parallel
MapRequest.EndpointType []tailcfg.EndpointType, so the control server
can start filtering out less-important endpoint changes from
new-enough clients. Notably, STUN-discovered endpoints can be filtered
out from 1.6+ clients, as they can discover them amongst each other
via CallMeMaybe disco exchanges started over DERP. And STUN endpoints
change a lot, causing a lot of MapResposne updates. But portmapped
endpoints are worth keeping for now, as they they work right away
without requiring the firewall traversal extra RTT dance.
End result will be less control->client bandwidth. (despite negligible
increase in client->control bandwidth)
Updates tailscale/corp#1543
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-12 21:24:29 +01:00
// reasons. But this type is used in the codebase.
type Endpoint struct {
Addr netaddr . IPPort
Type EndpointType
}
2020-02-18 11:45:42 +00:00
// MapRequest is sent by a client to start a long-poll network map updates.
// The request includes a copy of the client's current set of WireGuard
// endpoints and general host information.
//
// The request is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
// using the local machine key, and sent to:
// https://login.tailscale.com/machine/<mkey hex>/map
2020-02-05 22:16:58 +00:00
type MapRequest struct {
2020-10-19 23:32:22 +01:00
// Version is incremented whenever the client code changes enough that
// we want to signal to the control server that we're capable of something
// different.
//
2022-03-06 17:32:52 +00:00
// For current values and history, see the CapabilityVersion type's docs.
Version CapabilityVersion
2021-01-05 18:37:15 +00:00
2020-10-19 23:32:22 +01:00
Compress string // "zstd" or "" (no compression)
KeepAlive bool // whether server should send keep-alives back to us
2021-11-02 03:55:52 +00:00
NodeKey key . NodePublic
2021-11-02 21:41:56 +00:00
DiscoKey key . DiscoPublic
tailcfg: add Endpoint, EndpointType, MapRequest.EndpointType
Track endpoints internally with a new tailcfg.Endpoint type that
includes a typed netaddr.IPPort (instead of just a string) and
includes a type for how that endpoint was discovered (STUN, local,
etc).
Use []tailcfg.Endpoint instead of []string internally.
At the last second, send it to the control server as the existing
[]string for endpoints, but also include a new parallel
MapRequest.EndpointType []tailcfg.EndpointType, so the control server
can start filtering out less-important endpoint changes from
new-enough clients. Notably, STUN-discovered endpoints can be filtered
out from 1.6+ clients, as they can discover them amongst each other
via CallMeMaybe disco exchanges started over DERP. And STUN endpoints
change a lot, causing a lot of MapResposne updates. But portmapped
endpoints are worth keeping for now, as they they work right away
without requiring the firewall traversal extra RTT dance.
End result will be less control->client bandwidth. (despite negligible
increase in client->control bandwidth)
Updates tailscale/corp#1543
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-12 21:24:29 +01:00
IncludeIPv6 bool ` json:",omitempty" ` // include IPv6 endpoints in returned Node Endpoints (for Version 4 clients)
Stream bool // if true, multiple MapResponse objects are returned
2020-10-19 23:32:22 +01:00
Hostinfo * Hostinfo
2020-07-03 21:55:33 +01:00
tailcfg: add Endpoint, EndpointType, MapRequest.EndpointType
Track endpoints internally with a new tailcfg.Endpoint type that
includes a typed netaddr.IPPort (instead of just a string) and
includes a type for how that endpoint was discovered (STUN, local,
etc).
Use []tailcfg.Endpoint instead of []string internally.
At the last second, send it to the control server as the existing
[]string for endpoints, but also include a new parallel
MapRequest.EndpointType []tailcfg.EndpointType, so the control server
can start filtering out less-important endpoint changes from
new-enough clients. Notably, STUN-discovered endpoints can be filtered
out from 1.6+ clients, as they can discover them amongst each other
via CallMeMaybe disco exchanges started over DERP. And STUN endpoints
change a lot, causing a lot of MapResposne updates. But portmapped
endpoints are worth keeping for now, as they they work right away
without requiring the firewall traversal extra RTT dance.
End result will be less control->client bandwidth. (despite negligible
increase in client->control bandwidth)
Updates tailscale/corp#1543
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-04-12 21:24:29 +01:00
// Endpoints are the client's magicsock UDP ip:port endpoints (IPv4 or IPv6).
Endpoints [ ] string
// EndpointTypes are the types of the corresponding endpoints in Endpoints.
EndpointTypes [ ] EndpointType ` json:",omitempty" `
2020-09-17 19:28:09 +01:00
// ReadOnly is whether the client just wants to fetch the
// MapResponse, without updating their Endpoints. The
// Endpoints field will be ignored and LastSeen will not be
// updated and peers will not be notified of changes.
//
2020-09-28 22:44:34 +01:00
// The intended use is for clients to discover the DERP map at
2020-09-17 19:28:09 +01:00
// start-up before their first real endpoint update.
ReadOnly bool ` json:",omitempty" `
// OmitPeers is whether the client is okay with the Peers list
// being omitted in the response. (For example, a client on
// start up using ReadOnly to get the DERP map.)
2020-12-15 20:16:15 +00:00
//
// If OmitPeers is true, Stream is false, and ReadOnly is false,
// then the server will let clients update their endpoints without
// breaking existing long-polling (Stream == true) connections.
2020-09-17 19:28:09 +01:00
OmitPeers bool ` json:",omitempty" `
2020-10-19 23:56:59 +01:00
// DebugFlags is a list of strings specifying debugging and
// development features to enable in handling this map
// request. The values are deliberately unspecified, as they get
// added and removed all the time during development, and offer no
// compatibility promise. To roll out semantic changes, bump
// Version instead.
2020-11-04 21:48:50 +00:00
//
// Current DebugFlags values are:
// * "warn-ip-forwarding-off": client is trying to be a subnet
// router but their IP forwarding is broken.
2021-02-18 16:58:13 +00:00
// * "warn-router-unhealthy": client's Router implementation is
// having problems.
2021-02-04 00:11:46 +00:00
// * "v6-overlay": IPv6 development flag to have control send
// v6 node addrs
2020-12-02 02:16:39 +00:00
// * "minimize-netmap": have control minimize the netmap, removing
// peers that are unreachable per ACLS.
2020-10-19 23:56:59 +01:00
DebugFlags [ ] string ` json:",omitempty" `
2020-02-05 22:16:58 +00:00
}
2020-04-30 06:49:17 +01:00
// PortRange represents a range of UDP or TCP port numbers.
type PortRange struct {
First uint16
Last uint16
}
var PortRangeAny = PortRange { 0 , 65535 }
2020-12-14 16:21:41 +00:00
// NetPortRange represents a range of ports that's allowed for one or more IPs.
2020-04-30 06:49:17 +01:00
type NetPortRange struct {
2020-05-03 21:58:39 +01:00
_ structs . Incomparable
2020-12-14 16:21:41 +00:00
IP string // IP, CIDR, Range, or "*" (same formats as FilterRule.SrcIPs)
Bits * int // deprecated; the old way to turn IP into a CIDR
2020-04-30 06:49:17 +01:00
Ports PortRange
}
2022-03-18 18:48:40 +00:00
// CapGrant grants capabilities in a FilterRule.
type CapGrant struct {
// Dsts are the destination IP ranges that this capabilty
// grant matches.
Dsts [ ] netaddr . IPPrefix
// Caps are the capabilities the source IP matched by
// FilterRule.SrcIPs are granted to the destination IP,
// matched by Dsts.
Caps [ ] string ` json:",omitempty" `
}
2020-04-30 06:49:17 +01:00
// FilterRule represents one rule in a packet filter.
2020-11-05 19:54:54 +00:00
//
// A rule is logically a set of source CIDRs to match (described by
// SrcIPs and SrcBits), and a set of destination targets that are then
// allowed if a source IP is mathces of those CIDRs.
2020-04-30 06:49:17 +01:00
type FilterRule struct {
2020-11-05 19:54:54 +00:00
// SrcIPs are the source IPs/networks to match.
2020-12-14 16:21:41 +00:00
//
// It may take the following forms:
// * an IP address (IPv4 or IPv6)
// * the string "*" to match everything (both IPv4 & IPv6)
// * a CIDR (e.g. "192.168.0.0/16")
// * a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
2020-11-05 19:54:54 +00:00
SrcIPs [ ] string
2020-12-14 16:21:41 +00:00
// SrcBits is deprecated; it's the old way to specify a CIDR
2022-03-06 17:32:52 +00:00
// prior to CapabilityVersion 7. Its values correspond to the
2020-12-14 16:21:41 +00:00
// SrcIPs above.
2020-11-05 19:54:54 +00:00
//
2020-12-14 16:21:41 +00:00
// If an entry of SrcBits is present for the same index as a
// SrcIPs entry, it changes the SrcIP above to be a network
// with /n CIDR bits. If the slice is nil or insufficiently
// long, the default value (for an IPv4 address) for a
// position is 32, as if the SrcIPs above were a /32 mask. For
// a "*" SrcIPs value, the corresponding SrcBits value is
// ignored.
2021-01-05 18:54:01 +00:00
SrcBits [ ] int ` json:",omitempty" `
2020-11-05 19:54:54 +00:00
// DstPorts are the port ranges to allow once a source IP
// matches (is in the CIDR described by SrcIPs & SrcBits).
2022-03-18 18:48:40 +00:00
//
// CapGrant and DstPorts are mutually exclusive: at most one can be non-nil.
DstPorts [ ] NetPortRange ` json:",omitempty" `
2021-03-17 21:24:32 +00:00
// IPProto are the IP protocol numbers to match.
//
// As a special case, nil or empty means TCP, UDP, and ICMP.
//
// Numbers outside the uint8 range (below 0 or above 255) are
// reserved for Tailscale's use. Unknown ones are ignored.
//
// Depending on the IPProto values, DstPorts may or may not be
// used.
IPProto [ ] int ` json:",omitempty" `
2022-03-18 18:48:40 +00:00
// CapGrant, if non-empty, are the capabilities to
// conditionally grant to the source IP in SrcIPs.
//
// Think of DstPorts as "capabilities for networking" and
// CapGrant as arbitrary application-defined capabilities
// defined between the admin's ACLs and the application
// doing WhoIs lookups, looking up the remote IP address's
// application-level capabilities.
//
// CapGrant and DstPorts are mutually exclusive: at most one can be non-nil.
CapGrant [ ] CapGrant ` json:",omitempty" `
2020-04-30 06:49:17 +01:00
}
var FilterAllowAll = [ ] FilterRule {
2020-10-26 15:53:07 +00:00
{
2020-04-30 06:49:17 +01:00
SrcIPs : [ ] string { "*" } ,
SrcBits : nil ,
2020-10-26 15:53:07 +00:00
DstPorts : [ ] NetPortRange { {
2020-04-30 06:49:17 +01:00
IP : "*" ,
Bits : nil ,
Ports : PortRange { 0 , 65535 } ,
} } ,
} ,
}
2020-07-31 21:27:09 +01:00
// DNSConfig is the DNS configuration.
type DNSConfig struct {
2021-04-08 09:35:14 +01:00
// Resolvers are the DNS resolvers to use, in order of preference.
2021-08-05 22:05:24 +01:00
Resolvers [ ] dnstype . Resolver ` json:",omitempty" `
2021-08-25 17:07:21 +01:00
2021-04-08 09:35:14 +01:00
// Routes maps DNS name suffixes to a set of DNS resolvers to
// use. It is used to implement "split DNS" and other advanced DNS
// routing overlays.
2021-08-25 17:07:21 +01:00
//
// Map keys are fully-qualified DNS name suffixes; they may
// optionally contain a trailing dot but no leading dot.
//
// If the value is an empty slice, that means the suffix should still
// be handled by Tailscale's built-in resolver (100.100.100.100), such
// as for the purpose of handling ExtraRecords.
2021-08-05 22:05:24 +01:00
Routes map [ string ] [ ] dnstype . Resolver ` json:",omitempty" `
2021-08-25 17:07:21 +01:00
2021-04-20 05:30:39 +01:00
// FallbackResolvers is like Resolvers, but is only used if a
// split DNS configuration is requested in a configuration that
// doesn't work yet without explicit default resolvers.
2021-04-20 05:58:26 +01:00
// https://github.com/tailscale/tailscale/issues/1743
2021-08-05 22:05:24 +01:00
FallbackResolvers [ ] dnstype . Resolver ` json:",omitempty" `
2020-08-24 22:27:21 +01:00
// Domains are the search domains to use.
2021-04-08 09:35:14 +01:00
// Search domains must be FQDNs, but *without* the trailing dot.
2020-08-24 22:27:21 +01:00
Domains [ ] string ` json:",omitempty" `
2021-04-08 09:35:14 +01:00
// Proxied turns on automatic resolution of hostnames for devices
// in the network map, aka MagicDNS.
// Despite the (legacy) name, does not necessarily cause request
// proxying to be enabled.
Proxied bool ` json:",omitempty" `
// The following fields are only set and used by
// MapRequest.Version >=9 and <14.
// Nameservers are the IP addresses of the nameservers to use.
Nameservers [ ] netaddr . IP ` json:",omitempty" `
2021-04-02 06:54:40 +01:00
// PerDomain is not set by the control server, and does nothing.
2021-04-08 09:35:14 +01:00
PerDomain bool ` json:",omitempty" `
2021-06-15 20:12:15 +01:00
// CertDomains are the set of DNS names for which the control
// plane server will assist with provisioning TLS
// certificates. See SetDNSRequest, which can be used to
// answer dns-01 ACME challenges for e.g. LetsEncrypt.
// These names are FQDNs without trailing periods, and without
// any "_acme-challenge." prefix.
CertDomains [ ] string ` json:",omitempty" `
2021-06-16 18:58:25 +01:00
// ExtraRecords contains extra DNS records to add to the
// MagicDNS config.
ExtraRecords [ ] DNSRecord ` json:",omitempty" `
2021-11-29 22:18:09 +00:00
// ExitNodeFilteredSuffixes are the the DNS suffixes that the
// node, when being an exit node DNS proxy, should not answer.
//
// The entries do not contain trailing periods and are always
// all lowercase.
//
// If an entry starts with a period, it's a suffix match (but
// suffix ".a.b" doesn't match "a.b"; a prefix is required).
//
// If an entry does not start with a period, it's an exact
// match.
//
// Matches are case insensitive.
ExitNodeFilteredSet [ ] string
2021-06-16 18:58:25 +01:00
}
// DNSRecord is an extra DNS record to add to MagicDNS.
type DNSRecord struct {
// Name is the fully qualified domain name of
// the record to add. The trailing dot is optional.
Name string
// Type is the DNS record type.
// Empty means A or AAAA, depending on value.
// Other values are currently ignored.
Type string ` json:",omitempty" `
// Value is the IP address in string form.
// TODO(bradfitz): if we ever add support for record types
// with non-UTF8 binary data, add ValueBytes []byte that
// would take precedence.
Value string
2020-07-31 21:27:09 +01:00
}
2021-07-16 15:51:54 +01:00
// PingRequest with no IP and Types is a request to send an HTTP request to prove the
2021-03-05 04:54:44 +00:00
// long-polling client is still connected.
2022-04-15 17:00:27 +01:00
// PingRequest with Types and IP, will send a ping to the IP and send a POST
// request containing a PingResponse to the URL containing results.
2021-03-05 04:54:44 +00:00
type PingRequest struct {
// URL is the URL to send a HEAD request to.
// It will be a unique URL each time. No auth headers are necessary.
2021-06-15 20:28:34 +01:00
//
// If the client sees multiple PingRequests with the same URL,
// subsequent ones should be ignored.
2021-07-16 15:51:54 +01:00
// If Types and IP are defined, then URL is the URL to send a POST request to.
2021-03-05 04:54:44 +00:00
URL string
// Log is whether to log about this ping in the success case.
// For failure cases, the client will log regardless.
Log bool ` json:",omitempty" `
2021-07-16 15:51:54 +01:00
// Types is the types of ping that is initiated. Can be TSMP, ICMP or disco.
// Types will be comma separated, such as TSMP,disco.
Types string
// IP is the ping target.
// It is used in TSMP pings, if IP is invalid or empty then do a HEAD request to the URL.
IP netaddr . IP
2021-03-05 04:54:44 +00:00
}
2022-04-15 17:00:27 +01:00
// PingResponse provides result information for a TSMP or Disco PingRequest.
// Typically populated from an ipnstate.PingResult used in `tailscale ping`.
type PingResponse struct {
Type string // ping type, such as TSMP or disco.
IP string ` json:",omitempty" ` // ping destination
NodeIP string ` json:",omitempty" ` // Tailscale IP of node handling IP (different for subnet routers)
NodeName string ` json:",omitempty" ` // DNS name base or (possibly not unique) hostname
// Err contains a short description of error conditions if the PingRequest
// could not be fulfilled for some reason.
// e.g. "100.1.2.3 is local Tailscale IP"
Err string ` json:",omitempty" `
// LatencySeconds reports measurement of the round-trip time of a message to
// the requested target, if it could be determined. If LatencySeconds is
// omitted, Err should contain information as to the cause.
LatencySeconds float64 ` json:",omitempty" `
// Endpoint is the ip:port if direct UDP was used.
// It is not currently set for TSMP pings.
Endpoint string ` json:",omitempty" `
// DERPRegionID is non-zero DERP region ID if DERP was used.
// It is not currently set for TSMP pings.
DERPRegionID int ` json:",omitempty" `
// DERPRegionCode is the three-letter region code
// corresponding to DERPRegionID.
// It is not currently set for TSMP pings.
DERPRegionCode string ` json:",omitempty" `
// PeerAPIPort is set by TSMP ping responses for peers that
// are running a peerapi server. This is the port they're
// running the server on.
PeerAPIPort uint16 ` json:",omitempty" `
// IsLocalIP is whether the ping request error is due to it being
// a ping to the local node.
IsLocalIP bool ` json:",omitempty" `
}
2020-02-05 22:16:58 +00:00
type MapResponse struct {
2021-03-05 04:54:44 +00:00
// KeepAlive, if set, represents an empty message just to keep
// the connection alive. When true, all other fields except
2022-03-21 21:10:25 +00:00
// PingRequest, ControlTime, and PopBrowserURL are ignored.
2021-03-05 04:54:44 +00:00
KeepAlive bool ` json:",omitempty" `
// PingRequest, if non-empty, is a request to the client to
// prove it's still there by sending an HTTP request to the
// provided URL. No auth headers are necessary.
// PingRequest may be sent on any MapResponse (ones with
// KeepAlive true or false).
PingRequest * PingRequest ` json:",omitempty" `
2020-02-05 22:16:58 +00:00
2022-03-21 21:10:25 +00:00
// PopBrowserURL, if non-empty, is a URL for the client to
// open to complete an action. The client should dup suppress
// identical URLs and only open it once for the same URL.
PopBrowserURL string
2020-02-05 22:16:58 +00:00
// Networking
2021-04-19 18:56:48 +01:00
// Node describes the node making the map request.
// Starting with MapRequest.Version 18, nil means unchanged.
Node * Node ` json:",omitempty" `
// DERPMap describe the set of DERP servers available.
// A nil value means unchanged.
DERPMap * DERPMap ` json:",omitempty" `
2020-08-08 04:44:04 +01:00
// Peers, if non-empty, is the complete list of peers.
// It will be set in the first MapResponse for a long-polled request/response.
2020-12-03 20:16:10 +00:00
// Subsequent responses will be delta-encoded if MapRequest.Version >= 5 and server
// chooses, in which case Peers will be nil or zero length.
2020-08-08 04:44:04 +01:00
// If Peers is non-empty, PeersChanged and PeersRemoved should
// be ignored (and should be empty).
// Peers is always returned sorted by Node.ID.
Peers [ ] * Node ` json:",omitempty" `
// PeersChanged are the Nodes (identified by their ID) that
// have changed or been added since the past update on the
2020-12-03 20:16:10 +00:00
// HTTP response. It's not used by the server if MapRequest.Version < 5.
2020-08-08 04:44:04 +01:00
// PeersChanged is always returned sorted by Node.ID.
PeersChanged [ ] * Node ` json:",omitempty" `
// PeersRemoved are the NodeIDs that are no longer in the peer list.
PeersRemoved [ ] NodeID ` json:",omitempty" `
2020-07-31 21:27:09 +01:00
2021-01-17 20:00:56 +00:00
// PeerSeenChange contains information on how to update peers' LastSeen
// times. If the value is false, the peer is gone. If the value is true,
// the LastSeen time is now. Absent means unchanged.
PeerSeenChange map [ NodeID ] bool ` json:",omitempty" `
2021-04-16 00:03:59 +01:00
// OnlineChange changes the value of a Peer Node.Online value.
OnlineChange map [ NodeID ] bool ` json:",omitempty" `
2020-07-31 21:27:09 +01:00
// DNS is the same as DNSConfig.Nameservers.
2021-04-08 09:35:14 +01:00
// Only populated if MapRequest.Version < 9.
2020-12-24 20:33:55 +00:00
DNS [ ] netaddr . IP ` json:",omitempty" `
2021-01-05 18:37:15 +00:00
2021-04-08 09:35:14 +01:00
// SearchPaths is the old way to specify DNS search domains.
// Only populated if MapRequest.Version < 9.
2021-01-05 18:37:15 +00:00
SearchPaths [ ] string ` json:",omitempty" `
// DNSConfig contains the DNS settings for the client to use.
2021-04-12 20:12:13 +01:00
// A nil value means no change from an earlier non-nil value.
DNSConfig * DNSConfig ` json:",omitempty" `
2020-02-05 22:16:58 +00:00
2020-12-07 17:13:26 +00:00
// Domain is the name of the network that this node is
// in. It's either of the form "example.com" (for user
// foo@example.com, for multi-user networks) or
// "foo@gmail.com" (for siloed users on shared email
// providers). Its exact form should not be depended on; new
// forms are coming later.
2021-04-19 04:48:24 +01:00
// If empty, the value is unchanged.
Domain string ` json:",omitempty" `
2020-12-07 17:13:26 +00:00
2021-01-11 22:24:32 +00:00
// CollectServices reports whether this node's Tailnet has
// requested that info about services be included in HostInfo.
2021-01-12 15:54:34 +00:00
// If unset, the most recent non-empty MapResponse value in
// the HTTP response stream is used.
CollectServices opt . Bool ` json:",omitempty" `
2021-01-11 22:24:32 +00:00
2020-12-07 17:13:26 +00:00
// PacketFilter are the firewall rules.
//
// For MapRequest.Version >= 6, a nil value means the most
// previously streamed non-nil MapResponse.PacketFilter within
// the same HTTP response. A non-nil but empty list always means
// no PacketFilter (that is, to block everything).
2021-04-19 18:56:48 +01:00
PacketFilter [ ] FilterRule ` json:",omitempty" `
2020-12-07 17:13:26 +00:00
2021-04-19 18:56:48 +01:00
// UserProfiles are the user profiles of nodes in the network.
// As as of 1.1.541 (mapver 5), this contains new or updated
// user profiles only.
UserProfiles [ ] UserProfile ` json:",omitempty" `
2020-04-08 06:24:06 +01:00
2021-09-18 20:59:55 +01:00
// Health, if non-nil, sets the health state
// of the node from the control plane's perspective.
// A nil value means no change from the previous MapResponse.
// A non-nil 0-length slice restores the health to good (no known problems).
// A non-zero length slice are the list of problems that the control place
// sees.
Health [ ] string ` json:",omitempty" `
2022-02-10 22:12:34 +00:00
// SSHPolicy, if non-nil, updates the SSH policy for how incoming
// SSH connections should be handled.
SSHPolicy * SSHPolicy ` json:",omitempty" `
2022-02-17 02:36:04 +00:00
// ControlTime, if non-zero, is the current timestamp according to the control server.
2022-02-18 18:14:14 +00:00
ControlTime * time . Time ` json:",omitempty" `
2022-02-17 02:36:04 +00:00
2020-04-08 06:24:06 +01:00
// Debug is normally nil, except for when the control server
// is setting debug settings on a node.
Debug * Debug ` json:",omitempty" `
}
// Debug are instructions from the control server to the client
// to adjust debug settings.
type Debug struct {
2020-06-12 18:12:35 +01:00
// LogHeapPprof controls whether the client should log
2020-04-08 06:24:06 +01:00
// its heap pprof data. Each true value sent from the server
// means that client should do one more log.
LogHeapPprof bool ` json:",omitempty" `
2020-06-12 18:12:35 +01:00
// LogHeapURL is the URL to POST its heap pprof to.
// Empty means to not log.
LogHeapURL string ` json:",omitempty" `
2020-06-25 22:19:12 +01:00
// ForceBackgroundSTUN controls whether magicsock should
// always do its background STUN queries (see magicsock's
// periodicReSTUN), regardless of inactivity.
ForceBackgroundSTUN bool ` json:",omitempty" `
2020-08-17 20:56:17 +01:00
// DERPRoute controls whether the DERP reverse path
// optimization (see Issue 150) should be enabled or
// disabled. The environment variable in magicsock is the
// highest priority (if set), then this (if set), then the
// binary default value.
DERPRoute opt . Bool ` json:",omitempty" `
2020-08-20 21:21:25 +01:00
// TrimWGConfig controls whether Tailscale does lazy, on-demand
// wireguard configuration of peers.
TrimWGConfig opt . Bool ` json:",omitempty" `
2020-11-10 18:31:07 +00:00
// DisableSubnetsIfPAC controls whether subnet routers should be
// disabled if WPAD is present on the network.
DisableSubnetsIfPAC opt . Bool ` json:",omitempty" `
2021-03-03 18:17:05 +00:00
// GoroutineDumpURL, if non-empty, requests that the client do
// a one-time dump of its active goroutines to the given URL.
GoroutineDumpURL string ` json:",omitempty" `
2021-04-21 22:17:21 +01:00
// SleepSeconds requests that the client sleep for the
// provided number of seconds.
// The client can (and should) limit the value (such as 5
// minutes).
SleepSeconds float64 ` json:",omitempty" `
2021-06-22 19:53:41 +01:00
// RandomizeClientPort is whether magicsock should UDP bind to
// :0 to get a random local port, ignoring any configured
// fixed port.
RandomizeClientPort bool ` json:",omitempty" `
2021-06-22 23:29:01 +01:00
2022-04-14 22:40:17 +01:00
// OneCGNATRoute controls whether the client should prefer to make one
// big CGNAT /10 route rather than a /32 per peer.
OneCGNATRoute opt . Bool ` json:",omitempty" `
2021-11-01 18:50:46 +00:00
// DisableUPnP is whether the client will attempt to perform a UPnP portmapping.
2021-06-22 23:29:01 +01:00
// By default, we want to enable it to see if it works on more clients.
//
// If UPnP catastrophically fails for people, this should be set to True to kill
// new attempts at UPnP connections.
DisableUPnP opt . Bool ` json:",omitempty" `
2021-11-01 18:50:46 +00:00
2022-04-18 21:43:03 +01:00
// DisableLogTail disables the logtail package. Once disabled it can't be
// re-enabled for the lifetime of the process.
DisableLogTail bool ` json:",omitempty" `
2021-11-01 18:50:46 +00:00
// Exit optionally specifies that the client should os.Exit
// with this code.
Exit * int ` json:",omitempty" `
2020-02-05 22:16:58 +00:00
}
2021-05-24 22:54:47 +01:00
func appendKey ( base [ ] byte , prefix string , k [ 32 ] byte ) [ ] byte {
ret := append ( base , make ( [ ] byte , len ( prefix ) + 64 ) ... )
buf := ret [ len ( base ) : ]
2021-05-08 01:01:44 +01:00
copy ( buf , prefix )
hex . Encode ( buf [ len ( prefix ) : ] , k [ : ] )
2021-05-24 22:54:47 +01:00
return ret
}
func keyMarshalText ( prefix string , k [ 32 ] byte ) [ ] byte {
return appendKey ( nil , prefix , k )
2020-02-05 22:16:58 +00:00
}
2021-04-01 22:03:34 +01:00
func ( id ID ) String ( ) string { return fmt . Sprintf ( "id:%x" , int64 ( id ) ) }
func ( id UserID ) String ( ) string { return fmt . Sprintf ( "userid:%x" , int64 ( id ) ) }
func ( id LoginID ) String ( ) string { return fmt . Sprintf ( "loginid:%x" , int64 ( id ) ) }
func ( id NodeID ) String ( ) string { return fmt . Sprintf ( "nodeid:%x" , int64 ( id ) ) }
2020-02-05 22:16:58 +00:00
2020-02-16 06:23:58 +00:00
// Equal reports whether n and n2 are equal.
2020-02-05 22:16:58 +00:00
func ( n * Node ) Equal ( n2 * Node ) bool {
2020-02-16 06:23:58 +00:00
if n == nil && n2 == nil {
return true
2020-02-05 22:16:58 +00:00
}
2020-02-16 06:23:58 +00:00
return n != nil && n2 != nil &&
n . ID == n2 . ID &&
2021-01-21 02:34:50 +00:00
n . StableID == n2 . StableID &&
2020-02-16 06:23:58 +00:00
n . Name == n2 . Name &&
n . User == n2 . User &&
2021-01-05 21:52:33 +00:00
n . Sharer == n2 . Sharer &&
2020-02-16 06:23:58 +00:00
n . Key == n2 . Key &&
n . KeyExpiry . Equal ( n2 . KeyExpiry ) &&
n . Machine == n2 . Machine &&
2020-06-19 03:32:55 +01:00
n . DiscoKey == n2 . DiscoKey &&
2021-04-16 00:03:59 +01:00
eqBoolPtr ( n . Online , n2 . Online ) &&
2020-07-23 18:41:54 +01:00
eqCIDRs ( n . Addresses , n2 . Addresses ) &&
eqCIDRs ( n . AllowedIPs , n2 . AllowedIPs ) &&
2021-07-27 16:01:29 +01:00
eqCIDRs ( n . PrimaryRoutes , n2 . PrimaryRoutes ) &&
2020-07-23 18:41:54 +01:00
eqStrings ( n . Endpoints , n2 . Endpoints ) &&
2020-08-11 03:45:20 +01:00
n . DERP == n2 . DERP &&
2022-02-15 16:19:44 +00:00
n . Hostinfo . Equal ( n2 . Hostinfo ) &&
2020-02-16 06:23:58 +00:00
n . Created . Equal ( n2 . Created ) &&
2020-07-23 18:41:54 +01:00
eqTimePtr ( n . LastSeen , n2 . LastSeen ) &&
2021-01-27 16:50:31 +00:00
n . MachineAuthorized == n2 . MachineAuthorized &&
2021-04-01 22:03:34 +01:00
eqStrings ( n . Capabilities , n2 . Capabilities ) &&
2021-01-27 16:50:31 +00:00
n . ComputedName == n2 . ComputedName &&
n . computedHostIfDifferent == n2 . computedHostIfDifferent &&
2021-10-20 22:26:31 +01:00
n . ComputedNameWithHost == n2 . ComputedNameWithHost &&
eqStrings ( n . Tags , n2 . Tags )
2020-02-05 22:16:58 +00:00
}
2020-07-23 18:41:54 +01:00
2021-04-16 00:03:59 +01:00
func eqBoolPtr ( a , b * bool ) bool {
if a == b { // covers nil
return true
}
if a == nil || b == nil {
return false
}
return * a == * b
}
2020-07-23 18:41:54 +01:00
func eqStrings ( a , b [ ] string ) bool {
if len ( a ) != len ( b ) || ( ( a == nil ) != ( b == nil ) ) {
return false
}
for i , v := range a {
if v != b [ i ] {
return false
}
}
return true
}
2020-12-24 20:33:55 +00:00
func eqCIDRs ( a , b [ ] netaddr . IPPrefix ) bool {
2020-07-23 18:41:54 +01:00
if len ( a ) != len ( b ) || ( ( a == nil ) != ( b == nil ) ) {
return false
}
for i , v := range a {
if v != b [ i ] {
return false
}
}
return true
}
func eqTimePtr ( a , b * time . Time ) bool {
return ( ( a == nil ) == ( b == nil ) ) && ( a == nil || a . Equal ( * b ) )
}
2021-01-28 23:29:17 +00:00
2021-03-19 17:21:33 +00:00
// Oauth2Token is a copy of golang.org/x/oauth2.Token, to avoid the
// go.mod dependency on App Engine and grpc, which was causing problems.
// All we actually needed was this struct on the client side.
type Oauth2Token struct {
// AccessToken is the token that authorizes and authenticates
// the requests.
AccessToken string ` json:"access_token" `
// TokenType is the type of token.
// The Type method returns either this or "Bearer", the default.
TokenType string ` json:"token_type,omitempty" `
// RefreshToken is a token that's used by the application
// (as opposed to the user) to refresh the access token
// if it expires.
RefreshToken string ` json:"refresh_token,omitempty" `
// Expiry is the optional expiration time of the access token.
//
// If zero, TokenSource implementations will reuse the same
// token forever and RefreshToken or equivalent
// mechanisms for that TokenSource will not be used.
Expiry time . Time ` json:"expiry,omitempty" `
}
2021-04-16 18:57:46 +01:00
const (
2022-04-17 16:45:49 +01:00
// MapResponse.Node self capabilities.
2021-04-16 18:57:46 +01:00
CapabilityFileSharing = "https://tailscale.com/cap/file-sharing"
CapabilityAdmin = "https://tailscale.com/cap/is-admin"
2022-04-17 16:45:49 +01:00
// Inter-node capabilities.
// CapabilityFileSharingSend grants the ability to receive files from a
// node that's owned by a different user.
CapabilityFileSharingSend = "https://tailscale.com/cap/file-send"
2022-04-18 18:06:41 +01:00
// CapabilityDebugPeer grants the ability for a peer to read this node's
// goroutines, metrics, magicsock internal state, etc.
CapabilityDebugPeer = "https://tailscale.com/cap/debug-peer"
2021-04-16 18:57:46 +01:00
)
2021-06-02 04:04:37 +01:00
// SetDNSRequest is a request to add a DNS record.
//
// This is used for ACME DNS-01 challenges (so people can use
// LetsEncrypt, etc).
//
// The request is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
// using the local machine key, and sent to:
// https://login.tailscale.com/machine/<mkey hex>/set-dns
type SetDNSRequest struct {
2022-03-06 17:32:52 +00:00
// Version is the client's capabilities
// (CurrentCapabilityVersion) when using the Noise transport.
//
// When using the original nacl crypto_box transport, the
// value must be 1.
Version CapabilityVersion
2021-06-02 04:04:37 +01:00
// NodeKey is the client's current node key.
2021-11-02 03:55:52 +00:00
NodeKey key . NodePublic
2021-06-02 04:04:37 +01:00
// Name is the domain name for which to create a record.
2021-06-15 20:12:15 +01:00
// For ACME DNS-01 challenges, it should be one of the domains
// in MapResponse.DNSConfig.CertDomains with the prefix
// "_acme-challenge.".
2021-06-02 04:04:37 +01:00
Name string
// Type is the DNS record type. For ACME DNS-01 challenges, it
// should be "TXT".
Type string
// Value is the value to add.
Value string
}
2022-02-10 22:12:34 +00:00
2022-03-07 20:37:06 +00:00
// SetDNSResponse is the response to a SetDNSRequest.
type SetDNSResponse struct { }
2022-02-10 22:12:34 +00:00
// SSHPolicy is the policy for how to handle incoming SSH connections
// over Tailscale.
type SSHPolicy struct {
2022-04-19 05:36:32 +01:00
// Rules are the rules to process for an incoming SSH connection. The first
// matching rule takes its action and stops processing further rules.
//
// When an incoming connection first starts, all rules are evaluated in
// "none" auth mode, where the client hasn't even been asked to send a
// public key. All SSHRule.Principals requiring a public key won't match. If
// a rule matches on the first pass and its Action is reject, the
// authentication fails with that action's rejection message, if any.
//
// If the first pass rule evaluation matches nothing without matching an
// Action with Reject set, the rules are considered to see whether public
// keys might still result in a match. If not, "none" auth is terminated
// before proceeding to public key mode. If so, the client is asked to try
// public key authentication and the rules are evaluated again for each of
// the client's present keys.
2022-02-10 22:12:34 +00:00
Rules [ ] * SSHRule ` json:"rules" `
}
// An SSH rule is a match predicate and associated action for an incoming SSH connection.
type SSHRule struct {
// RuleExpires, if non-nil, is when this rule expires.
//
// For example, a (principal,sshuser) tuple might be granted
// prompt-free SSH access for N minutes, so this rule would be
// before a expiration-free rule for the same principal that
// required an auth prompt. This permits the control plane to
// be out of the path for already-authorized SSH pairs.
//
// Once a rule matches, the lifetime of any accepting connection
// is subject to the SSHAction.SessionExpires time, if any.
RuleExpires * time . Time ` json:"ruleExpires,omitempty" `
// Principals matches an incoming connection. If the connection
// matches anything in this list and also matches SSHUsers,
// then Action is applied.
Principals [ ] * SSHPrincipal ` json:"principals" `
// SSHUsers are the SSH users that this rule matches. It is a
// map from either ssh-user|"*" => local-user. The map must
// contain a key for either ssh-user or, as a fallback, "*" to
// match anything. If it does, the map entry's value is the
// actual user that's logged in.
2022-02-18 22:10:26 +00:00
// If the map value is the empty string (for either the
// requested SSH user or "*"), the rule doesn't match.
2022-03-21 17:39:54 +00:00
// If the map value is "=", it means the ssh-user should map
// directly to the local-user.
2022-02-18 22:10:26 +00:00
// It may be nil if the Action is reject.
2022-02-10 22:12:34 +00:00
SSHUsers map [ string ] string ` json:"sshUsers" `
// Action is the outcome to task.
// A nil or invalid action means to deny.
Action * SSHAction ` json:"action" `
}
// SSHPrincipal is either a particular node or a user on any node.
type SSHPrincipal struct {
2022-04-01 20:57:12 +01:00
// Matching any one of the following four field causes a match.
// It must also match Certs, if non-empty.
2022-02-10 22:12:34 +00:00
Node StableNodeID ` json:"node,omitempty" `
NodeIP string ` json:"nodeIP,omitempty" `
UserLogin string ` json:"userLogin,omitempty" ` // email-ish: foo@example.com, bar@github
2022-04-01 20:57:12 +01:00
Any bool ` json:"any,omitempty" ` // if true, match any connection
2022-02-10 22:12:34 +00:00
// TODO(bradfitz): add StableUserID, once that exists
2022-04-01 20:57:12 +01:00
// PubKeys, if non-empty, means that this SSHPrincipal only
// matches if one of these public keys is presented by the user.
//
// As a special case, if len(PubKeys) == 1 and PubKeys[0] starts
// with "https://", then it's fetched (like https://github.com/username.keys).
2022-04-21 04:10:04 +01:00
// In that case, the following variable expansions are also supported
// in the URL:
// * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github")
// * $LOGINNAME_LOCALPART (the "foo" from either of the above)
2022-04-01 20:57:12 +01:00
PubKeys [ ] string ` json:"pubKeys,omitempty" `
2022-02-10 22:12:34 +00:00
}
// SSHAction is how to handle an incoming connection.
// At most one field should be non-zero.
type SSHAction struct {
// Message, if non-empty, is shown to the user before the
// action occurs.
Message string ` json:"message,omitempty" `
// Reject, if true, terminates the connection. This action
// has higher priority that Accept, if given.
// The reason this is exists is primarily so a response
// from HoldAndDelegate has a way to stop the poll.
Reject bool ` json:"reject,omitempty" `
// Accept, if true, accepts the connection immediately
// without further prompts.
Accept bool ` json:"accept,omitempty" `
2022-04-21 22:13:42 +01:00
// SessionDuration, if non-zero, is how long the session can stay open
2022-02-18 22:10:26 +00:00
// before being forcefully terminated.
2022-04-21 22:13:42 +01:00
SessionDuration time . Duration ` json:"sessionDuration,omitempty" `
2022-02-10 22:12:34 +00:00
2022-03-14 20:26:06 +00:00
// AllowAgentForwarding, if true, allows accepted connections to forward
// the ssh agent if requested.
AllowAgentForwarding bool ` json:"allowAgentForwarding,omitempty" `
2022-03-10 18:28:42 +00:00
// HoldAndDelegate, if non-empty, is a URL that serves an
// outcome verdict. The connection will be accepted and will
// block until the provided long-polling URL serves a new
// SSHAction JSON value. The URL must be fetched using the
// Noise transport (in package control/control{base,http}).
// If the long poll breaks before returning a complete HTTP
// response, it should be re-fetched as long as the SSH
// session is open.
2022-03-23 00:36:55 +00:00
//
// The following variables in the URL are expanded by tailscaled:
//
// * $SRC_NODE_IP (URL escaped)
// * $SRC_NODE_ID (Node.ID as int64 string)
// * $DST_NODE_IP (URL escaped)
// * $DST_NODE_ID (Node.ID as int64 string)
// * $SSH_USER (URL escaped, ssh user requested)
// * $LOCAL_USER (URL escaped, local user mapped)
2022-02-10 22:12:34 +00:00
HoldAndDelegate string ` json:"holdAndDelegate,omitempty" `
2022-03-14 20:23:17 +00:00
// AllowLocalPortForwarding, if true, allows accepted connections
// to use local port forwarding if requested.
AllowLocalPortForwarding bool ` json:"allowLocalPortForwarding,omitempty" `
2022-02-10 22:12:34 +00:00
}
2022-03-06 04:43:49 +00:00
// OverTLSPublicKeyResponse is the JSON response to /key?v=<n>
// over HTTPS (regular TLS) to the Tailscale control plane server,
// where the 'v' argument is the client's current capability version
// (previously known as the "MapRequest version").
//
// The "OverTLS" prefix is to loudly declare that this exchange
// doesn't happen over Noise and can be intercepted/MITM'ed by
// enterprise/corp proxies where the orgnanization can put TLS roots
// on devices.
type OverTLSPublicKeyResponse struct {
// LegacyPublic specifies the control plane server's original
// NaCl crypto_box machine key.
// It will be zero for sufficiently new clients, based on their
// advertised "v" parameter (the CurrentMapRequestVersion).
// In that case, only the newer Noise-based transport may be used
// using the PublicKey field.
LegacyPublicKey key . MachinePublic ` json:"legacyPublicKey" `
// PublicKey specifies the server's public key for the
// Noise-based control plane protocol. (see packages
// control/controlbase and control/controlhttp)
PublicKey key . MachinePublic ` json:"publicKey" `
}
2022-03-23 04:49:27 +00:00
// TokenRequest is a request to get an OIDC ID token for an audience.
// The token can be presented to any resource provider which offers OIDC
// Federation.
//
// It is JSON-encoded and sent over Noise to "/machine/id-token".
type TokenRequest struct {
// CapVersion is the client's current CapabilityVersion.
CapVersion CapabilityVersion
// NodeKey is the client's current node key.
NodeKey key . NodePublic
// Audience the token is being requested for.
Audience string
}
// TokenResponse is the response to a TokenRequest.
type TokenResponse struct {
// IDToken is a JWT encoding the following standard claims:
//
// `sub` | the MagicDNS name of the node
// `aud` | Audience from the request
// `exp` | Token expiry
// `iat` | Token issuance time
// `iss` | Issuer
// `jti` | Random token identifier
// `nbf` | Not before time
//
// It also encodes the following Tailscale specific claims:
//
// `key` | the node public key
// `addresses` | the Tailscale IPs of the node
// `nid` | the node ID
// `node` | the name of the node
// `domain` | the domain of the node, it has the same format as MapResponse.Domain.
// `tags` | an array of <domain:tag> on the node (like alice.github:tag:foo or example.com:tag:foo)
// `user` | user emailish (like alice.github:alice@github or example.com:bob@example.com), if not tagged
// `uid` | user ID, if not tagged
IDToken string ` json:"id_token" `
}