webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Compare commits

base: webnet/tailscale:705eebe5fc301c229f5b8f69997c64ca5921ac9d
Branches Tags
webnet/tailscale:webnet webnet/tailscale:rebase/2026-05-18 webnet/tailscale:main
...
compare: webnet/tailscale:rebase/2026-05-18
Branches Tags
webnet/tailscale:rebase/2026-05-18 webnet/tailscale:main webnet/tailscale:webnet

10 Commits
705eebe5fc ... rebase/2026-05-18

Author SHA1 Message Date
codinget 6893723ccf fix(wasm): correct ICMP case in ping type error message 
The constant tailcfg.PingICMP is "ICMP" not "icmp"; the error message
was listing the wrong string, causing user confusion about valid values.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 18:01:34 +00:00
codinget c2ddadca72 fix(wasm): validate ping type early; fallback DNS resolver for exit node 
Add a switch guard before the 30-second context in ping() so that invalid
ping type strings (e.g. "disco" vs "Disco") reject immediately with a clear
error rather than silently timing out because userspaceEngine.Ping has no
default case.

For queryDNS(), detect SERVFAIL responses returned with an empty resolver
list (the typical state when an exit node is active but the DNS manager
forwarder has no configured upstreams) and fall back to querying 8.8.8.8
via the dialer — which honours exit-node routing — for A/AAAA record types.
Fall further back to the browser's native resolver if UserDial fails.

Also accept bare IP addresses in whoIs() (in addition to ip:port) so
callers don't need to fabricate a port when they only have a peer IP.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 18:01:34 +00:00
codinget 453261aef0 feat(tsconnect): add peerAPIURL to netmap and localAPI in-process bridge 
Include the PeerAPI base URL (http://ip:port) in every node entry of the
notifyNetMap payload — for self via LocalBackend.GetPeerAPIPort, for peers
by reading the PeerAPI4/PeerAPI6 Services entries in their Hostinfo. The URL
mirrors the address-family preference used by peerAPIBase (prefer IPv4).

Add a localAPI(method, path, body?) WASM binding that dispatches in-process
HTTP requests directly to a LocalAPI handler with full read/write/cert
permissions, returning {status, body}. Enables TypeScript callers to access
any LocalAPI endpoint (ACL policy, Taildrive shares, etc.) without network
setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 18:01:34 +00:00
codinget bd124abc3c feat(tsconnect): add whoIs, queryDNS, ping, suggestExitNode WASM bindings 
Expose four LocalBackend capabilities to JavaScript:
- whoIs(addrPort, proto?): resolves a connecting ip:port to a tailnet node
  and user profile; returns null for unknown peers
- queryDNS(name, type?): queries the tailnet DNS resolver (MagicDNS +
  upstream); parses A/AAAA/CNAME/TXT answers into strings
- ping(ip, type?, size?): pings a tailnet peer (TSMP, disco, ICMP, peerapi)
  with a 30 s context timeout; returns latency and path details
- suggestExitNode(): asks the coordination server for the best exit node

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 17:56:31 +00:00
codinget 9fd2f3bbf4 feat(tsconnect): add getCert, listenTLS, setFunnel + fix TLS cert for WASM 
Enable ACME TLS certificates on js/wasm by dropping the !js build tag from
cert.go and routing storage through the state store. Add getCert, listenTLS,
and setFunnel WASM bindings with a combinedTLSListener that merges Funnel
ingress and direct tailnet connections. Notify the control plane immediately
after serve config changes to accelerate Funnel DNS provisioning.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 17:56:31 +00:00
codinget a6b286b414 fix(tsconnect): pin types to avoid monorepo @types pollution 
Replace skipLibCheck with an explicit types list so TypeScript and
dts-bundle-generator only auto-include @types/golang-wasm-exec and
@types/qrcode, preventing @types/eslint-scope and @types/ws from
leaking in from a parent node_modules when built inside a monorepo.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 17:56:31 +00:00
codinget bc9884ce69 fix(tsconnect): skipLibCheck to avoid monorepo @types conflicts 
When tsconnect is built inside a JS monorepo, TypeScript walks up the
directory tree and auto-discovers @types/eslint-scope and @types/ws
from the root node_modules, causing spurious type errors unrelated to
tsconnect itself. skipLibCheck suppresses these.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 17:56:31 +00:00
codinget 3f52ae7be2 fix(tsconnect): lowercase name/size in waitingFiles JSON 
apitype.WaitingFile has no json tags so it serialised as {Name, Size}.
Introduce a local jsWaitingFile struct with json:"name" / json:"size"
so the JS side receives idiomatic camelCase property names.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-18 17:56:31 +00:00
codinget fbc7982e01 fix(taildrop): restore incoming file progress notifications 
The io.Copy in PutFile was writing directly to wc, bypassing the
incomingFile wrapper whose Write method increments f.copied and fires
a throttled sendFileNotify on progress. As a result, notifyIncomingFiles
on the JS side only ever fired once (on completion) with received=0,
making progress UI impossible. The original inFile wrapping was lost
during the Android SAF refactor.

Also surface the PartialFile.Done flag through jsIncomingFile so JS can
distinguish the final "transfer complete" notification from in-progress
updates.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-18 17:56:31 +00:00
codinget c4a2eb3451 fix(tsconnect): guard nil n.Prefs in notify callback 
n.Prefs is *PrefsView (a pointer), so calling n.Prefs.Valid() on a
Notify where Prefs is nil auto-dereferenced nil and panicked. The
callback's defer recover() swallowed the panic, which meant every
Notify without Prefs (Health-only, FilesWaiting, IncomingFiles,
OutgoingFiles, etc.) never reached the file-related JS calls.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-18 17:56:31 +00:00
8 changed files with 629 additions and 20 deletions
Expand all files Collapse all files
cmd/tsconnect/tsconfig.json
+2 -1
View File
@@ -8,7 +8,8 @@
"forceConsistentCasingInFileNames": true,
"sourceMap": true,
"jsx": "react-jsx",
"jsxImportSource": "preact"
"jsxImportSource": "preact",
"types": ["golang-wasm-exec", "qrcode"]
},
"include": ["src/**/*"],
"exclude": ["node_modules"]
cmd/tsconnect/wasm/taildrop.go
+8 -3
View File
@@ -166,10 +166,15 @@ func (i *jsIPN) waitingFiles() js.Value {
if err != nil {
return nil, err
}
if wfs == nil {
wfs = []apitype.WaitingFile{}
type jsWaitingFile struct {
Name string `json:"name"`
Size int64 `json:"size"`
}
b, err := json.Marshal(wfs)
out := make([]jsWaitingFile, len(wfs))
for i, wf := range wfs {
out[i] = jsWaitingFile{Name: wf.Name, Size: wf.Size}
}
b, err := json.Marshal(out)
if err != nil {
return nil, err
}
cmd/tsconnect/wasm/wasm_js.go
+589 -12
View File
@@ -18,17 +18,21 @@ import (
"encoding/json"
"errors"
"fmt"
"io"
"log"
"math/rand/v2"
"net"
"net/http"
"net/http/httptest"
"net/netip"
"strconv"
"strings"
"sync"
"syscall/js"
"time"
"golang.org/x/crypto/ssh"
"golang.org/x/net/dns/dnsmessage"
"gvisor.dev/gvisor/pkg/tcpip"
"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
@@ -40,6 +44,7 @@ import (
"tailscale.com/ipn/ipnauth"
"tailscale.com/ipn/ipnlocal"
"tailscale.com/ipn/ipnserver"
"tailscale.com/ipn/localapi"
"tailscale.com/ipn/store/mem"
"tailscale.com/logpolicy"
"tailscale.com/logtail"
@@ -50,6 +55,7 @@ import (
"tailscale.com/safesocket"
"tailscale.com/tailcfg"
"tailscale.com/tsd"
"tailscale.com/types/logid"
"tailscale.com/types/views"
"tailscale.com/wgengine"
"tailscale.com/wgengine/netstack"
@@ -164,14 +170,17 @@ func newIPN(jsConfig js.Value) map[string]any {
srv.SetLocalBackend(lb)
jsIPN := &jsIPN{
dialer: dialer,
srv: srv,
lb: lb,
ns: ns,
controlURL: controlURL,
authKey: authKey,
hostname: hostname,
dialer: dialer,
srv: srv,
lb: lb,
ns: ns,
controlURL: controlURL,
authKey: authKey,
hostname: hostname,
logID: logid,
funnelPorts: make(map[uint16]*funnelListenerEntry),
}
lb.SetTCPHandlerForFunnelFlow(jsIPN.handleFunnelTCP)
return map[string]any{
"run": js.FuncOf(func(this js.Value, args []js.Value) any {
@@ -295,6 +304,74 @@ func newIPN(jsConfig js.Value) map[string]any {
}
return jsIPN.deleteWaitingFile(args[0].String())
}),
"getCert": js.FuncOf(func(this js.Value, args []js.Value) any {
return jsIPN.getCert()
}),
"listenTLS": js.FuncOf(func(this js.Value, args []js.Value) any {
if len(args) != 3 {
log.Printf("Usage: listenTLS(addr, certPEM, keyPEM)")
return nil
}
return jsIPN.listenTLS(args[0].String(), args[1].String(), args[2].String())
}),
"setFunnel": js.FuncOf(func(this js.Value, args []js.Value) any {
if len(args) != 3 {
log.Printf("Usage: setFunnel(hostname, port, enabled)")
return nil
}
return jsIPN.setFunnel(args[0].String(), uint16(args[1].Int()), args[2].Bool())
}),
"whoIs": js.FuncOf(func(this js.Value, args []js.Value) any {
if len(args) < 1 {
log.Printf("Usage: whoIs(addrPort[, proto])")
return nil
}
proto := ""
if len(args) >= 2 {
proto = args[1].String()
}
return jsIPN.whoIs(args[0].String(), proto)
}),
"queryDNS": js.FuncOf(func(this js.Value, args []js.Value) any {
if len(args) < 1 {
log.Printf("Usage: queryDNS(name[, type])")
return nil
}
qtype := 1 // TypeA
if len(args) >= 2 {
qtype = args[1].Int()
}
return jsIPN.queryDNS(args[0].String(), qtype)
}),
"ping": js.FuncOf(func(this js.Value, args []js.Value) any {
if len(args) < 1 {
log.Printf("Usage: ping(ip[, type[, size]])")
return nil
}
pingType := "TSMP"
if len(args) >= 2 {
pingType = args[1].String()
}
size := 0
if len(args) >= 3 {
size = args[2].Int()
}
return jsIPN.ping(args[0].String(), pingType, size)
}),
"suggestExitNode": js.FuncOf(func(this js.Value, args []js.Value) any {
return jsIPN.suggestExitNode()
}),
"localAPI": js.FuncOf(func(this js.Value, args []js.Value) any {
if len(args) < 2 {
log.Printf("Usage: localAPI(method, path[, body])")
return nil
}
body := ""
if len(args) >= 3 {
body = args[2].String()
}
return jsIPN.localAPI(args[0].String(), args[1].String(), body)
}),
}
}
@@ -306,6 +383,16 @@ type jsIPN struct {
controlURL string
authKey string
hostname string
logID logid.PublicID
funnelMu sync.Mutex
funnelPorts map[uint16]*funnelListenerEntry
}
// funnelListenerEntry is the per-port state for routing Funnel connections to a listenTLS listener.
type funnelListenerEntry struct {
ch chan net.Conn
tlsCfg *tls.Config
}
var jsIPNState = map[ipn.State]string{
@@ -352,6 +439,31 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
// from LocalBackend.
nm := i.lb.NetMapWithPeers()
if nm != nil {
// Determine which address families we have, for peer peerAPI URL selection.
var selfHave4, selfHave6 bool
for _, a := range nm.GetAddresses().All() {
if !a.IsSingleIP() {
continue
}
if a.Addr().Is4() {
selfHave4 = true
} else if a.Addr().Is6() {
selfHave6 = true
}
}
// Self peerAPI URL: own port as reported by LocalBackend.
selfPeerAPIURL := ""
for _, a := range nm.GetAddresses().All() {
if !a.IsSingleIP() {
continue
}
if port, ok := i.lb.GetPeerAPIPort(a.Addr()); ok && port != 0 {
selfPeerAPIURL = fmt.Sprintf("http://%v", netip.AddrPortFrom(a.Addr(), port))
break
}
}
jsNetMap := jsNetMap{
Self: jsNetMapSelfNode{
jsNetMapNode: jsNetMapNode{
@@ -359,6 +471,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
Addresses: mapSliceView(nm.GetAddresses(), func(a netip.Prefix) string { return a.Addr().String() }),
NodeKey: nm.NodeKey.String(),
MachineKey: nm.MachineKey.String(),
PeerAPIURL: selfPeerAPIURL,
},
MachineStatus: jsMachineStatus[nm.GetMachineStatus()],
},
@@ -372,12 +485,42 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
for i, ap := range p.Addresses().All() {
addrs[i] = ap.Addr().String()
}
// Peer peerAPI URL from the peer's advertised Services.
peerURL := ""
var pp4, pp6 uint16
for _, s := range p.Hostinfo().Services().All() {
switch s.Proto {
case tailcfg.PeerAPI4:
pp4 = s.Port
case tailcfg.PeerAPI6:
pp6 = s.Port
}
}
if selfHave4 && pp4 != 0 {
for _, a := range p.Addresses().All() {
if a.IsSingleIP() && a.Addr().Is4() {
peerURL = fmt.Sprintf("http://%v", netip.AddrPortFrom(a.Addr(), pp4))
break
}
}
}
if peerURL == "" && selfHave6 && pp6 != 0 {
for _, a := range p.Addresses().All() {
if a.IsSingleIP() && a.Addr().Is6() {
peerURL = fmt.Sprintf("http://%v", netip.AddrPortFrom(a.Addr(), pp6))
break
}
}
}
return jsNetMapPeerNode{
jsNetMapNode: jsNetMapNode{
Name: name,
Addresses: addrs,
MachineKey: p.Machine().String(),
NodeKey: p.Key().String(),
PeerAPIURL: peerURL,
},
Online: p.Online().Clone(),
TailscaleSSHEnabled: p.Hostinfo().TailscaleSSHEnabled(),
@@ -394,7 +537,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
}
}
}
if n.Prefs.Valid() {
if n.Prefs != nil && n.Prefs.Valid() {
jsCallbacks.Call("notifyExitNode", string(n.Prefs.ExitNodeID()))
}
if n.BrowseToURL != nil {
@@ -411,6 +554,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
Started: f.Started.UnixMilli(),
DeclaredSize: f.DeclaredSize,
Received: f.Received,
Done: f.Done,
}
}
if b, err := json.Marshal(files); err == nil {
@@ -802,6 +946,437 @@ func (i *jsIPN) listenICMP(network string) js.Value {
})
}
func (i *jsIPN) getCert() js.Value {
return makePromise(func() (any, error) {
nm := i.lb.NetMap()
if nm == nil {
return nil, errors.New("getCert: no network map available")
}
certDomains := nm.DNS.CertDomains
if len(certDomains) == 0 {
return nil, errors.New("getCert: this tailnet does not support TLS certificates")
}
pair, err := i.lb.GetCertPEM(context.Background(), certDomains[0])
if err != nil {
return nil, err
}
return map[string]any{
"certPEM": string(pair.CertPEM),
"keyPEM": string(pair.KeyPEM),
}, nil
})
}
func (i *jsIPN) listenTLS(addr, certPEM, keyPEM string) js.Value {
return makePromise(func() (any, error) {
cert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
if err != nil {
return nil, fmt.Errorf("listenTLS: parsing cert/key: %w", err)
}
tlsCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
tcpLn, err := i.ns.ListenTCP("tcp4", addr)
if err != nil {
return nil, err
}
// Determine the actual port (handles ":0" ephemeral assignment).
// Use SplitHostPort rather than netip.ParseAddrPort because gVisor
// may return ":443" (empty host) which ParseAddrPort rejects.
_, portStr, err := net.SplitHostPort(tcpLn.Addr().String())
if err != nil {
tcpLn.Close()
return nil, fmt.Errorf("listenTLS: getting port from listener addr: %w", err)
}
portNum, err := strconv.ParseUint(portStr, 10, 16)
if err != nil {
tcpLn.Close()
return nil, fmt.Errorf("listenTLS: parsing port %q: %w", portStr, err)
}
port := uint16(portNum)
// Register a Funnel entry so handleFunnelTCP can route to this listener.
entry := &funnelListenerEntry{
ch: make(chan net.Conn, 8),
tlsCfg: tlsCfg,
}
i.funnelMu.Lock()
i.funnelPorts[port] = entry
i.funnelMu.Unlock()
ln := newCombinedTLSListener(tcpLn, tlsCfg, entry.ch, port, i)
return wrapTCPListener(ln), nil
})
}
// handleFunnelTCP is registered with LocalBackend.SetTCPHandlerForFunnelFlow.
// It routes incoming Funnel connections to the matching listenTLS listener.
func (i *jsIPN) handleFunnelTCP(src netip.AddrPort, dstPort uint16) func(net.Conn) {
i.funnelMu.Lock()
entry := i.funnelPorts[dstPort]
i.funnelMu.Unlock()
if entry == nil {
return nil
}
return func(conn net.Conn) {
tlsConn := tls.Server(conn, entry.tlsCfg)
select {
case entry.ch <- tlsConn:
default:
// Channel full; drop the connection rather than block.
conn.Close()
}
}
}
// combinedTLSListener merges TLS connections from the local netstack (direct
// tailnet access) and from Funnel ingress into a single net.Listener.
type combinedTLSListener struct {
tcpLn net.Listener
tlsCfg *tls.Config
funnelCh <-chan net.Conn
port uint16
ipn *jsIPN
netstackCh chan net.Conn
errCh chan error
done chan struct{}
closeOnce sync.Once
}
func newCombinedTLSListener(tcpLn net.Listener, tlsCfg *tls.Config, funnelCh <-chan net.Conn, port uint16, ipn *jsIPN) *combinedTLSListener {
l := &combinedTLSListener{
tcpLn: tcpLn,
tlsCfg: tlsCfg,
funnelCh: funnelCh,
port: port,
ipn: ipn,
netstackCh: make(chan net.Conn, 8),
errCh: make(chan error, 1),
done: make(chan struct{}),
}
go l.drainNetstack()
return l
}
func (l *combinedTLSListener) drainNetstack() {
for {
conn, err := l.tcpLn.Accept()
if err != nil {
select {
case l.errCh <- err:
default:
}
return
}
tlsConn := tls.Server(conn, l.tlsCfg)
select {
case l.netstackCh <- tlsConn:
case <-l.done:
conn.Close()
return
}
}
}
func (l *combinedTLSListener) Accept() (net.Conn, error) {
select {
case conn := <-l.funnelCh:
return conn, nil
case conn := <-l.netstackCh:
return conn, nil
case err := <-l.errCh:
return nil, err
case <-l.done:
return nil, net.ErrClosed
}
}
func (l *combinedTLSListener) Close() error {
l.closeOnce.Do(func() {
close(l.done)
l.tcpLn.Close()
l.ipn.funnelMu.Lock()
delete(l.ipn.funnelPorts, l.port)
l.ipn.funnelMu.Unlock()
})
return nil
}
func (l *combinedTLSListener) Addr() net.Addr {
return l.tcpLn.Addr()
}
func (i *jsIPN) setFunnel(hostname string, port uint16, enabled bool) js.Value {
return makePromise(func() (any, error) {
hp := ipn.HostPort(fmt.Sprintf("%s:%d", hostname, port))
var cfg *ipn.ServeConfig
if enabled {
cfg = &ipn.ServeConfig{
AllowFunnel: map[ipn.HostPort]bool{hp: true},
}
} else {
cfg = &ipn.ServeConfig{}
}
return nil, i.lb.SetServeConfig(cfg, "")
})
}
func (i *jsIPN) whoIs(addr string, proto string) js.Value {
return makePromise(func() (any, error) {
// Accept both "ip:port" and bare "ip" (port 0 still resolves by IP).
var ipp netip.AddrPort
if ap, err := netip.ParseAddrPort(addr); err == nil {
ipp = ap
} else if ip, err := netip.ParseAddr(addr); err == nil {
ipp = netip.AddrPortFrom(ip, 0)
} else {
return nil, fmt.Errorf("whoIs: invalid address %q (want ip:port or ip)", addr)
}
n, u, ok := i.lb.WhoIs(proto, ipp)
if !ok {
return nil, nil
}
addrs := make([]any, n.Addresses().Len())
for idx, ap := range n.Addresses().All() {
addrs[idx] = ap.Addr().String()
}
return map[string]any{
"node": map[string]any{
"id": string(n.StableID()),
"name": n.Name(),
"addresses": addrs,
},
"user": map[string]any{
"id": int64(u.ID),
"loginName": u.LoginName,
"displayName": u.DisplayName,
"profilePicURL": u.ProfilePicURL,
},
}, nil
})
}
func (i *jsIPN) queryDNS(name string, queryType int) js.Value {
return makePromise(func() (any, error) {
res, resolvers, err := i.lb.QueryDNS(name, dnsmessage.Type(queryType))
// Detect SERVFAIL with no upstream resolvers (common when an exit node is
// active but the DNS manager forwarder has no configured upstreams). Fall
// back to querying 8.8.8.8 via the dialer (which routes through the exit
// node), then as a last resort use the browser's default name resolver.
needsFallback := err != nil
if !needsFallback && len(resolvers) == 0 && len(res) > 0 {
var hdrParser dnsmessage.Parser
if hdr, hdrErr := hdrParser.Start(res); hdrErr == nil && hdr.RCode == dnsmessage.RCodeServerFailure {
needsFallback = true
}
}
if needsFallback {
qt := dnsmessage.Type(queryType)
if qt != dnsmessage.TypeA && qt != dnsmessage.TypeAAAA {
if err != nil {
return nil, fmt.Errorf("queryDNS: %w (no upstream resolver; only A/AAAA queries support fallback)", err)
}
return nil, fmt.Errorf("queryDNS: no upstream resolver available; only A/AAAA queries support fallback lookup")
}
ctx := context.Background()
d := i.dialer
r := &net.Resolver{
PreferGo: true,
Dial: func(rctx context.Context, network, address string) (net.Conn, error) {
return d.UserDial(rctx, "tcp", "8.8.8.8:53")
},
}
ips, rerr := r.LookupIPAddr(ctx, name)
if rerr != nil {
// Last resort: browser-native resolution (no exit-node routing).
ips, rerr = (&net.Resolver{PreferGo: false}).LookupIPAddr(ctx, name)
if rerr != nil {
return nil, fmt.Errorf("queryDNS: fallback resolution failed: %w", rerr)
}
}
var answers []any
for _, ia := range ips {
ip, ok := netip.AddrFromSlice(ia.IP)
if !ok {
continue
}
ip = ip.Unmap()
if qt == dnsmessage.TypeA && ip.Is4() {
answers = append(answers, ip.String())
} else if qt == dnsmessage.TypeAAAA && ip.Is6() {
answers = append(answers, ip.String())
}
}
return map[string]any{
"answers": answers,
"resolvers": []any{},
}, nil
}
var p dnsmessage.Parser
if _, err := p.Start(res); err != nil {
return nil, fmt.Errorf("queryDNS: parsing response: %w", err)
}
if err := p.SkipAllQuestions(); err != nil {
return nil, fmt.Errorf("queryDNS: skipping questions: %w", err)
}
var answers []any
for {
h, err := p.AnswerHeader()
if err == dnsmessage.ErrSectionDone {
break
}
if err != nil {
return nil, fmt.Errorf("queryDNS: reading answer: %w", err)
}
switch h.Type {
case dnsmessage.TypeA:
r, err := p.AResource()
if err != nil {
return nil, fmt.Errorf("queryDNS: reading A record: %w", err)
}
answers = append(answers, netip.AddrFrom4(r.A).String())
case dnsmessage.TypeAAAA:
r, err := p.AAAAResource()
if err != nil {
return nil, fmt.Errorf("queryDNS: reading AAAA record: %w", err)
}
answers = append(answers, netip.AddrFrom16(r.AAAA).String())
case dnsmessage.TypeCNAME:
r, err := p.CNAMEResource()
if err != nil {
return nil, fmt.Errorf("queryDNS: reading CNAME record: %w", err)
}
answers = append(answers, r.CNAME.String())
case dnsmessage.TypeTXT:
r, err := p.TXTResource()
if err != nil {
return nil, fmt.Errorf("queryDNS: reading TXT record: %w", err)
}
for _, s := range r.TXT {
answers = append(answers, s)
}
default:
if err := p.SkipAnswer(); err != nil {
return nil, fmt.Errorf("queryDNS: skipping unknown answer: %w", err)
}
}
}
resolverAddrs := make([]any, len(resolvers))
for idx, r := range resolvers {
resolverAddrs[idx] = r.Addr
}
return map[string]any{
"answers": answers,
"resolvers": resolverAddrs,
}, nil
})
}
func (i *jsIPN) ping(ip string, pingType string, size int) js.Value {
return makePromise(func() (any, error) {
addr, err := netip.ParseAddr(ip)
if err != nil {
return nil, fmt.Errorf("ping: invalid IP %q: %w", ip, err)
}
switch tailcfg.PingType(pingType) {
case tailcfg.PingDisco, tailcfg.PingTSMP, tailcfg.PingICMP, tailcfg.PingPeerAPI:
// valid
default:
return nil, fmt.Errorf("ping: unknown type %q, must be one of: disco, TSMP, ICMP, peerapi", pingType)
}
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
pr, err := i.lb.Ping(ctx, addr, tailcfg.PingType(pingType), size)
if err != nil {
return nil, err
}
result := map[string]any{
"ip": pr.IP,
"nodeIP": pr.NodeIP,
"nodeName": pr.NodeName,
"latencySeconds": pr.LatencySeconds,
"endpoint": pr.Endpoint,
"derpRegionID": pr.DERPRegionID,
"derpRegionCode": pr.DERPRegionCode,
"peerAPIURL": pr.PeerAPIURL,
"isLocalIP": pr.IsLocalIP,
}
if pr.Err != "" {
result["err"] = pr.Err
}
return result, nil
})
}
func (i *jsIPN) suggestExitNode() js.Value {
return makePromise(func() (any, error) {
resp, err := i.lb.SuggestExitNode()
if err != nil {
return nil, err
}
result := map[string]any{
"id": string(resp.ID),
"name": resp.Name,
}
if l := resp.Location; l.Valid() {
result["location"] = map[string]any{
"country": l.Country(),
"countryCode": l.CountryCode(),
"city": l.City(),
"cityCode": l.CityCode(),
"latitude": l.Latitude(),
"longitude": l.Longitude(),
}
}
return result, nil
})
}
func (i *jsIPN) localAPI(method, path, body string) js.Value {
return makePromise(func() (any, error) {
h := localapi.NewHandler(localapi.HandlerConfig{
Actor: &ipnauth.TestActor{
Name: "wasm",
LocalAdmin: true,
},
Backend: i.lb,
Logf: log.Printf,
LogID: i.logID,
EventBus: i.lb.Sys().Bus.Get(),
})
h.PermitRead = true
h.PermitWrite = true
h.PermitCert = true
var bodyReader io.Reader
if body != "" {
bodyReader = strings.NewReader(body)
}
req, err := http.NewRequest(method, "http://local-tailscaled.sock"+path, bodyReader)
if err != nil {
return nil, fmt.Errorf("localAPI: %w", err)
}
// Empty Host passes the validHost check in the LocalAPI handler.
req.Host = ""
if body != "" {
req.Header.Set("Content-Type", "application/json")
}
w := httptest.NewRecorder()
h.ServeHTTP(w, req)
resp := w.Result()
respBody, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("localAPI: reading response: %w", err)
}
return map[string]any{
"status": resp.StatusCode,
"body": string(respBody),
}, nil
})
}
// wrapConn exposes a net.Conn to JavaScript with binary (Uint8Array) I/O.
func wrapConn(conn net.Conn) map[string]any {
return map[string]any{
@@ -973,6 +1548,7 @@ type jsIncomingFile struct {
Started int64 `json:"started"` // Unix milliseconds; use new Date(started) in JS
DeclaredSize int64 `json:"declaredSize"` // -1 if unknown
Received int64 `json:"received"` // bytes received so far
Done bool `json:"done"` // true once the file has been fully received
}
// jsOutgoingFile is the JSON representation of an outgoing file transfer
@@ -995,10 +1571,11 @@ type jsNetMap struct {
}
type jsNetMapNode struct {
Name string `json:"name"`
Addresses []string `json:"addresses"`
MachineKey string `json:"machineKey"`
NodeKey string `json:"nodeKey"`
Name string `json:"name"`
Addresses []string `json:"addresses"`
MachineKey string `json:"machineKey"`
NodeKey string `json:"nodeKey"`
PeerAPIURL string `json:"peerAPIURL,omitempty"`
}
type jsNetMapSelfNode struct {
feature/taildrop/send.go
+3 -2
View File
@@ -134,8 +134,9 @@ func (m *manager) PutFile(id clientID, baseName string, r io.Reader, offset, len
}
}
// Copy the contents of the file to the writer.
copyLength, err := io.Copy(wc, r)
// Copy via inFile (which wraps wc) so [incomingFile.Write] can track
// progress and fire periodic sendFileNotify callbacks.
copyLength, err := io.Copy(inFile, r)
if err != nil {
return 0, m.redactAndLogError("Copy", err)
}
ipn/ipnlocal/cert.go
+17 -1
View File
@@ -1,7 +1,7 @@
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
//go:build !js && !ts_omit_acme
//go:build !ts_omit_acme
package ipnlocal
@@ -302,6 +302,9 @@ var errCertExpired = errors.New("cert expired")
var testX509Roots *x509.CertPool // set non-nil by tests
func (b *LocalBackend) getCertStore() (certStore, error) {
if runtime.GOOS == "js" {
return certStateStore{StateStore: b.store}, nil
}
switch b.store.(type) {
case *store.FileStore:
case *mem.Store:
@@ -333,6 +336,16 @@ func (b *LocalBackend) ConfigureCertsForTest(getCert func(hostname string) (*TLS
b.mu.Unlock()
}
// SetACMEHTTPClient sets a custom HTTP client for ACME certificate operations.
// On js/wasm, this can be used to route requests through the Tailscale network
// stack to bypass browser CORS if Let's Encrypt endpoints fail preflight.
// A nil value (the default) uses the standard http.DefaultClient.
func (b *LocalBackend) SetACMEHTTPClient(c *http.Client) {
b.mu.Lock()
defer b.mu.Unlock()
b.acmeHTTPClient = c
}
// certFileStore implements certStore by storing the cert & key files in the named directory.
type certFileStore struct {
dir string
@@ -550,6 +563,9 @@ var getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf l
if err != nil {
return nil, err
}
b.mu.Lock()
ac.HTTPClient = b.acmeHTTPClient
b.mu.Unlock()
if !isDefaultDirectoryURL(ac.DirectoryURL) {
logf("acme: using Directory URL %q", ac.DirectoryURL)
ipn/ipnlocal/cert_disabled.go
+1 -1
View File
@@ -1,7 +1,7 @@
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
//go:build js || ts_omit_acme
//go:build ts_omit_acme
package ipnlocal
ipn/ipnlocal/local.go
+4
View File
@@ -412,6 +412,10 @@ type LocalBackend struct {
// See [LocalBackend.ConfigureCertsForTest].
getCertForTest func(hostname string) (*TLSCertKeyPair, error)
// acmeHTTPClient, if non-nil, is used for all ACME HTTP requests instead
// of http.DefaultClient. Set via SetACMEHTTPClient before first cert use.
acmeHTTPClient *http.Client
// existsPendingAuthReconfig tracks if a goroutine is waiting to
// acquire [LocalBackend]'s mutex inside of [LocalBackend.AuthReconfig].
// It is used to prevent goroutines from piling up to do the same
ipn/ipnlocal/serve.go
+5
View File
@@ -393,6 +393,11 @@ func (b *LocalBackend) setServeConfigLocked(config *ipn.ServeConfig, etag string
}
}
// Notify the control plane immediately so that changes to IngressEnabled /
// WireIngress (required for Funnel DNS provisioning) are not delayed until
// the next periodic heartbeat.
b.authReconfigLocked()
return nil
}