safesocket: remove the IPN protocol support
Updates #6417 Change-Id: I78908633de842d83b2cc8b10a864a0f88ab1b113 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
committed by
Brad Fitzpatrick
Brad Fitzpatrick
parent
06c4c47d46
commit
0cb2ccce7f
@@ -49,7 +49,7 @@ func TestBasics(t *testing.T) {
|
||||
|
||||
go func() {
|
||||
s := DefaultConnectionStrategy(sock)
|
||||
s.UsePort(port)
|
||||
s.port = port
|
||||
c, err := Connect(s)
|
||||
if err != nil {
|
||||
errs <- err
|
||||
|
||||
+14
-27
@@ -57,13 +57,19 @@ func tailscaledStillStarting() bool {
|
||||
return tailscaledProcExists()
|
||||
}
|
||||
|
||||
// A ConnectionStrategy is a plan for how to connect to tailscaled or equivalent (e.g. IPNExtension on macOS).
|
||||
// A ConnectionStrategy is a plan for how to connect to tailscaled or equivalent
|
||||
// (e.g. IPNExtension on macOS).
|
||||
//
|
||||
// This is a struct because prior to Tailscale 1.34.0 it was more complicated
|
||||
// and there were multiple protocols that could be used. See LocalClient's
|
||||
// dialer for what happens in practice these days (2022-11-28).
|
||||
//
|
||||
// TODO(bradfitz): we can remove this struct now and revert this package closer
|
||||
// to its original smaller API.
|
||||
type ConnectionStrategy struct {
|
||||
// For now, a ConnectionStrategy is just a unix socket path, a TCP port,
|
||||
// and a flag indicating whether to try fallback connections options.
|
||||
path string
|
||||
port uint16
|
||||
fallback bool
|
||||
path string // unix socket path
|
||||
port uint16 // TCP port
|
||||
|
||||
// Longer term, a ConnectionStrategy should be an ordered list of things to attempt,
|
||||
// with just the information required to connection for each.
|
||||
//
|
||||
@@ -71,7 +77,7 @@ type ConnectionStrategy struct {
|
||||
//
|
||||
// tailscale sandbox | tailscaled sandbox | OS | connection
|
||||
// ------------------|--------------------|---------|-----------
|
||||
// no | no | unix | unix socket
|
||||
// no | no | unix* | unix socket *includes tailscaled on darwin
|
||||
// no | no | Windows | TCP/port
|
||||
// no | no | wasm | memconn
|
||||
// no | Network Extension | macOS | TCP/port/token, port/token from lsof
|
||||
@@ -90,26 +96,7 @@ type ConnectionStrategy struct {
|
||||
// It falls back to auto-discovery across sandbox boundaries on macOS.
|
||||
// TODO: maybe take no arguments, since path is irrelevant on Windows? Discussion in PR 3499.
|
||||
func DefaultConnectionStrategy(path string) *ConnectionStrategy {
|
||||
return &ConnectionStrategy{path: path, port: WindowsLocalPort, fallback: true}
|
||||
}
|
||||
|
||||
// UsePort modifies s to use port for the TCP port when applicable.
|
||||
// UsePort is only applicable on Windows, and only then
|
||||
// when not using the default for Windows.
|
||||
func (s *ConnectionStrategy) UsePort(port uint16) {
|
||||
s.port = port
|
||||
}
|
||||
|
||||
// UseFallback modifies s to set whether it should fall back
|
||||
// to connecting to the macOS GUI's tailscaled
|
||||
// if the Unix socket path wasn't reachable.
|
||||
func (s *ConnectionStrategy) UseFallback(b bool) {
|
||||
s.fallback = b
|
||||
}
|
||||
|
||||
// ExactPath returns a connection strategy that only attempts to connect via path.
|
||||
func ExactPath(path string) *ConnectionStrategy {
|
||||
return &ConnectionStrategy{path: path, fallback: false}
|
||||
return &ConnectionStrategy{path: path, port: WindowsLocalPort}
|
||||
}
|
||||
|
||||
// Connect connects to tailscaled using s
|
||||
|
||||
@@ -9,39 +9,21 @@ package safesocket
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
// TODO(apenwarr): handle magic cookie auth
|
||||
func connect(s *ConnectionStrategy) (net.Conn, error) {
|
||||
if runtime.GOOS == "js" {
|
||||
return nil, errors.New("safesocket.Connect not yet implemented on js/wasm")
|
||||
}
|
||||
if runtime.GOOS == "darwin" && s.fallback && s.path == "" && s.port == 0 {
|
||||
return connectMacOSAppSandbox()
|
||||
}
|
||||
pipe, err := net.Dial("unix", s.path)
|
||||
if err != nil {
|
||||
if runtime.GOOS == "darwin" && s.fallback {
|
||||
extConn, extErr := connectMacOSAppSandbox()
|
||||
if extErr != nil {
|
||||
return nil, fmt.Errorf("safesocket: failed to connect to %v: %v; failed to connect to Tailscale IPNExtension: %v", s.path, err, extErr)
|
||||
}
|
||||
return extConn, nil
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
return pipe, nil
|
||||
return net.Dial("unix", s.path)
|
||||
}
|
||||
|
||||
// TODO(apenwarr): handle magic cookie auth
|
||||
func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
|
||||
// Unix sockets hang around in the filesystem even after nobody
|
||||
// is listening on them. (Which is really unfortunate but long-
|
||||
@@ -110,46 +92,3 @@ func socketPermissionsForOS() os.FileMode {
|
||||
// Otherwise, root only.
|
||||
return 0600
|
||||
}
|
||||
|
||||
// connectMacOSAppSandbox connects to the Tailscale Network Extension (macOS App
|
||||
// Store build) or App Extension (macsys standalone build), where the CLI itself
|
||||
// is either running within the macOS App Sandbox or built separately (e.g.
|
||||
// homebrew or go install). This little dance to connect a regular user binary
|
||||
// to the sandboxed network extension is:
|
||||
//
|
||||
// - the sandboxed IPNExtension picks a random localhost:0 TCP port
|
||||
// to listen on
|
||||
// - it also picks a random hex string that acts as an auth token
|
||||
// - the CLI looks on disk for that TCP port + auth token (see localTCPPortAndTokenDarwin)
|
||||
// - we send it upon TCP connect to prove to the Tailscale daemon that
|
||||
// we're a suitably privileged user to have access the files on disk
|
||||
// which the Network/App Extension wrote.
|
||||
func connectMacOSAppSandbox() (net.Conn, error) {
|
||||
port, token, err := LocalTCPPortAndToken()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to find local Tailscale daemon: %w", err)
|
||||
}
|
||||
return connectMacTCP(port, token)
|
||||
}
|
||||
|
||||
// connectMacTCP creates an authenticated net.Conn to the local macOS Tailscale
|
||||
// daemon for used by the "IPN" JSON message bus protocol (Tailscale's original
|
||||
// local non-HTTP IPC protocol).
|
||||
func connectMacTCP(port int, token string) (net.Conn, error) {
|
||||
c, err := net.Dial("tcp", "localhost:"+strconv.Itoa(port))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error dialing IPNExtension: %w", err)
|
||||
}
|
||||
if _, err := io.WriteString(c, token+"\n"); err != nil {
|
||||
return nil, fmt.Errorf("error writing auth token: %w", err)
|
||||
}
|
||||
buf := make([]byte, 5)
|
||||
const authOK = "#IPN\n"
|
||||
if _, err := io.ReadFull(c, buf); err != nil {
|
||||
return nil, fmt.Errorf("error reading from IPNExtension post-auth: %w", err)
|
||||
}
|
||||
if string(buf) != authOK {
|
||||
return nil, fmt.Errorf("invalid response reading from IPNExtension post-auth")
|
||||
}
|
||||
return c, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user