Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 40e1346ab5 |
+27
-132
@@ -370,13 +370,6 @@ func newIPN(jsConfig js.Value, shutdownCh chan struct{}) map[string]any {
|
||||
"shutdown": js.FuncOf(func(this js.Value, args []js.Value) any {
|
||||
return jsIPN.shutdown()
|
||||
}),
|
||||
"setServices": js.FuncOf(func(this js.Value, args []js.Value) any {
|
||||
if len(args) != 1 {
|
||||
log.Printf("Usage: setServices(services)")
|
||||
return nil
|
||||
}
|
||||
return jsIPN.setServices(args[0])
|
||||
}),
|
||||
"localAPI": js.FuncOf(func(this js.Value, args []js.Value) any {
|
||||
if len(args) < 2 {
|
||||
log.Printf("Usage: localAPI(method, path[, body])")
|
||||
@@ -491,7 +484,6 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
|
||||
NodeKey: nm.NodeKey.String(),
|
||||
MachineKey: nm.MachineKey.String(),
|
||||
PeerAPIURL: selfPeerAPIURL,
|
||||
Services: userServicesFromView(nm.SelfNode.Hostinfo().Services()),
|
||||
},
|
||||
MachineStatus: jsMachineStatus[nm.GetMachineStatus()],
|
||||
},
|
||||
@@ -516,7 +508,6 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
|
||||
MachineKey: p.Machine().String(),
|
||||
NodeKey: p.Key().String(),
|
||||
PeerAPIURL: peerURL,
|
||||
Services: userServicesFromView(p.Hostinfo().Services()),
|
||||
},
|
||||
Online: p.Online().Clone(),
|
||||
TailscaleSSHEnabled: p.Hostinfo().TailscaleSSHEnabled(),
|
||||
@@ -889,41 +880,6 @@ func (i *jsIPN) listen(network, addr string) js.Value {
|
||||
})
|
||||
}
|
||||
|
||||
// tlsClientConfigFromJS builds a client tls.Config from optional JS options
|
||||
// (serverName, insecureSkipVerify, caCerts). defaultServerName may be empty
|
||||
// (STARTTLS upgrade case), in which case serverName must be provided unless
|
||||
// insecureSkipVerify is set.
|
||||
//
|
||||
// On wasm there's no system root pool, so default to the baked-in
|
||||
// LetsEncrypt roots (which is what `tailscale cert` uses for tailnet
|
||||
// HTTPS endpoints). Callers can override with caCerts (PEM) or bypass
|
||||
// entirely with insecureSkipVerify.
|
||||
func tlsClientConfigFromJS(defaultServerName string, opts js.Value) (*tls.Config, error) {
|
||||
cfg := &tls.Config{
|
||||
ServerName: defaultServerName,
|
||||
RootCAs: bakedroots.Get(),
|
||||
}
|
||||
if !opts.IsUndefined() && !opts.IsNull() {
|
||||
if sn := opts.Get("serverName"); sn.Type() == js.TypeString {
|
||||
cfg.ServerName = sn.String()
|
||||
}
|
||||
if iv := opts.Get("insecureSkipVerify"); iv.Type() == js.TypeBoolean {
|
||||
cfg.InsecureSkipVerify = iv.Bool()
|
||||
}
|
||||
if ca := opts.Get("caCerts"); ca.Type() == js.TypeString {
|
||||
pool := x509.NewCertPool()
|
||||
if !pool.AppendCertsFromPEM([]byte(ca.String())) {
|
||||
return nil, fmt.Errorf("caCerts: no valid PEM certificates found")
|
||||
}
|
||||
cfg.RootCAs = pool
|
||||
}
|
||||
}
|
||||
if cfg.ServerName == "" && !cfg.InsecureSkipVerify {
|
||||
return nil, fmt.Errorf("serverName is required unless insecureSkipVerify is set")
|
||||
}
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
func (i *jsIPN) dialTLS(addr string, opts js.Value) js.Value {
|
||||
return makePromise(func() (any, error) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
@@ -934,9 +890,28 @@ func (i *jsIPN) dialTLS(addr string, opts js.Value) js.Value {
|
||||
return nil, fmt.Errorf("invalid address %q: %w", addr, err)
|
||||
}
|
||||
|
||||
cfg, err := tlsClientConfigFromJS(host, opts)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
// On wasm there's no system root pool, so default to the
|
||||
// baked-in LetsEncrypt roots (which is what `tailscale cert`
|
||||
// uses for tailnet HTTPS endpoints). Callers can override with
|
||||
// caCerts (PEM) or bypass entirely with insecureSkipVerify.
|
||||
cfg := &tls.Config{
|
||||
ServerName: host,
|
||||
RootCAs: bakedroots.Get(),
|
||||
}
|
||||
if !opts.IsUndefined() && !opts.IsNull() {
|
||||
if sn := opts.Get("serverName"); sn.Type() == js.TypeString {
|
||||
cfg.ServerName = sn.String()
|
||||
}
|
||||
if iv := opts.Get("insecureSkipVerify"); iv.Type() == js.TypeBoolean {
|
||||
cfg.InsecureSkipVerify = iv.Bool()
|
||||
}
|
||||
if ca := opts.Get("caCerts"); ca.Type() == js.TypeString {
|
||||
pool := x509.NewCertPool()
|
||||
if !pool.AppendCertsFromPEM([]byte(ca.String())) {
|
||||
return nil, fmt.Errorf("caCerts: no valid PEM certificates found")
|
||||
}
|
||||
cfg.RootCAs = pool
|
||||
}
|
||||
}
|
||||
|
||||
rawConn, err := i.dialer.UserDial(ctx, "tcp", addr)
|
||||
@@ -1368,39 +1343,6 @@ func (i *jsIPN) suggestExitNode() js.Value {
|
||||
})
|
||||
}
|
||||
|
||||
func (i *jsIPN) setServices(jsServices js.Value) js.Value {
|
||||
return makePromise(func() (any, error) {
|
||||
n := jsServices.Length()
|
||||
svcs := make([]tailcfg.Service, 0, n)
|
||||
for idx := range n {
|
||||
s := jsServices.Index(idx)
|
||||
proto := tailcfg.ServiceProto(s.Get("proto").String())
|
||||
port := uint16(s.Get("port").Int())
|
||||
var desc string
|
||||
if d := s.Get("description"); d.Type() == js.TypeString {
|
||||
desc = d.String()
|
||||
}
|
||||
svcs = append(svcs, tailcfg.Service{Proto: proto, Port: port, Description: desc})
|
||||
}
|
||||
i.lb.SetExplicitServices(svcs)
|
||||
return nil, nil
|
||||
})
|
||||
}
|
||||
|
||||
// userServicesFromView converts a hostinfo services slice to jsService entries,
|
||||
// filtering out internal peerapi protocol entries (already reflected in peerAPIURL).
|
||||
func userServicesFromView(svcs views.Slice[tailcfg.Service]) []jsService {
|
||||
out := make([]jsService, 0, svcs.Len())
|
||||
for _, s := range svcs.All() {
|
||||
switch s.Proto {
|
||||
case tailcfg.PeerAPI4, tailcfg.PeerAPI6, tailcfg.PeerAPIDNS:
|
||||
continue
|
||||
}
|
||||
out = append(out, jsService{Proto: string(s.Proto), Port: s.Port, Description: s.Description})
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func (i *jsIPN) localAPI(method, path, body string) js.Value {
|
||||
return makePromise(func() (any, error) {
|
||||
h := localapi.NewHandler(localapi.HandlerConfig{
|
||||
@@ -1480,46 +1422,6 @@ func wrapConn(conn net.Conn) map[string]any {
|
||||
"remoteAddr": js.FuncOf(func(this js.Value, args []js.Value) any {
|
||||
return conn.RemoteAddr().String()
|
||||
}),
|
||||
// upgradeTLS wraps the conn in TLS in place (STARTTLS-style) and
|
||||
// returns a new wrapped conn sharing the same underlying net.Conn;
|
||||
// the old handle must not be used afterward. On handshake failure
|
||||
// the underlying conn is closed. With isServer, certPem and keyPem
|
||||
// are required; otherwise client options as in dialTLS apply.
|
||||
"upgradeTLS": js.FuncOf(func(this js.Value, args []js.Value) any {
|
||||
opts := js.Undefined()
|
||||
if len(args) > 0 {
|
||||
opts = args[0]
|
||||
}
|
||||
return makePromise(func() (any, error) {
|
||||
var tlsConn *tls.Conn
|
||||
hasOpts := !opts.IsUndefined() && !opts.IsNull()
|
||||
if hasOpts && opts.Get("isServer").Type() == js.TypeBoolean && opts.Get("isServer").Bool() {
|
||||
certPem := opts.Get("certPem")
|
||||
keyPem := opts.Get("keyPem")
|
||||
if certPem.Type() != js.TypeString || keyPem.Type() != js.TypeString {
|
||||
return nil, fmt.Errorf("upgradeTLS: certPem and keyPem are required when isServer is set")
|
||||
}
|
||||
cert, err := tls.X509KeyPair([]byte(certPem.String()), []byte(keyPem.String()))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("upgradeTLS: parsing cert/key: %w", err)
|
||||
}
|
||||
tlsConn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
|
||||
} else {
|
||||
cfg, err := tlsClientConfigFromJS("", opts)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConn = tls.Client(conn, cfg)
|
||||
}
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
defer cancel()
|
||||
if err := tlsConn.HandshakeContext(ctx); err != nil {
|
||||
conn.Close()
|
||||
return nil, err
|
||||
}
|
||||
return wrapConn(tlsConn), nil
|
||||
})
|
||||
}),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1677,19 +1579,12 @@ type jsNetMap struct {
|
||||
LockedOut bool `json:"lockedOut"`
|
||||
}
|
||||
|
||||
type jsService struct {
|
||||
Proto string `json:"proto"`
|
||||
Port uint16 `json:"port"`
|
||||
Description string `json:"description,omitempty"`
|
||||
}
|
||||
|
||||
type jsNetMapNode struct {
|
||||
Name string `json:"name"`
|
||||
Addresses []string `json:"addresses"`
|
||||
MachineKey string `json:"machineKey"`
|
||||
NodeKey string `json:"nodeKey"`
|
||||
PeerAPIURL string `json:"peerAPIURL,omitempty"`
|
||||
Services []jsService `json:"services"`
|
||||
Name string `json:"name"`
|
||||
Addresses []string `json:"addresses"`
|
||||
MachineKey string `json:"machineKey"`
|
||||
NodeKey string `json:"nodeKey"`
|
||||
PeerAPIURL string `json:"peerAPIURL,omitempty"`
|
||||
}
|
||||
|
||||
type jsNetMapSelfNode struct {
|
||||
|
||||
@@ -302,12 +302,6 @@ func (c *Auto) restartMap() {
|
||||
c.updateControl()
|
||||
}
|
||||
|
||||
// RestartMap cancels the existing map poll and starts a fresh streaming one,
|
||||
// forcing the control server to send a new full netmap response.
|
||||
func (c *Auto) RestartMap() {
|
||||
c.restartMap()
|
||||
}
|
||||
|
||||
func (c *Auto) authRoutine() {
|
||||
defer close(c.authDone)
|
||||
bo := backoff.NewBackoff("authRoutine", c.logf, 30*time.Second)
|
||||
|
||||
+1
-28
@@ -294,7 +294,6 @@ type LocalBackend struct {
|
||||
capTailnetLock bool // whether netMap contains the tailnet lock capability
|
||||
// hostinfo is mutated in-place while mu is held.
|
||||
hostinfo *tailcfg.Hostinfo // TODO(nickkhyl): move to nodeBackend
|
||||
explicitServices []tailcfg.Service // services set explicitly via SetExplicitServices; always uploaded
|
||||
nmExpiryTimer tstime.TimerController // for updating netMap on node expiry; can be nil; TODO(nickkhyl): move to nodeBackend
|
||||
activeLogin string // last logged LoginName from netMap; TODO(nickkhyl): move to nodeBackend (or remove? it's in [ipn.LoginProfile]).
|
||||
engineStatus ipn.EngineStatus
|
||||
@@ -4968,30 +4967,6 @@ func (b *LocalBackend) setPortlistServices(sl []tailcfg.Service) {
|
||||
b.doSetHostinfoFilterServices()
|
||||
}
|
||||
|
||||
// SetExplicitServices sets the services this node advertises on the netmap.
|
||||
// Unlike the OS port-scan path (setPortlistServices), services set here are
|
||||
// always uploaded to the control server regardless of the ShouldUploadServices
|
||||
// hook — suitable for environments like browser WASM where OS port scanning is
|
||||
// unavailable and services are declared programmatically.
|
||||
func (b *LocalBackend) SetExplicitServices(sl []tailcfg.Service) {
|
||||
b.mu.Lock()
|
||||
if b.hostinfo == nil {
|
||||
b.hostinfo = new(tailcfg.Hostinfo)
|
||||
}
|
||||
b.hostinfo.Services = sl
|
||||
b.explicitServices = sl
|
||||
ccAuto := b.ccAuto
|
||||
b.mu.Unlock()
|
||||
|
||||
b.doSetHostinfoFilterServices()
|
||||
// Restart the streaming map poll so the control server sends back a fresh
|
||||
// netmap that includes our updated services in SelfNode, and so peers
|
||||
// receive the update promptly via the control server's push.
|
||||
if ccAuto != nil {
|
||||
ccAuto.RestartMap()
|
||||
}
|
||||
}
|
||||
|
||||
// doSetHostinfoFilterServices calls SetHostinfo on the controlclient,
|
||||
// possibly after mangling the given hostinfo.
|
||||
//
|
||||
@@ -5036,9 +5011,7 @@ func (b *LocalBackend) hostInfoWithServicesLocked() *tailcfg.Hostinfo {
|
||||
// Make a shallow copy of hostinfo so we can mutate
|
||||
// at the Service field.
|
||||
if f, ok := b.extHost.Hooks().ShouldUploadServices.GetOk(); !ok || !f() {
|
||||
if len(b.explicitServices) == 0 {
|
||||
hi.Services = []tailcfg.Service{}
|
||||
}
|
||||
hi.Services = []tailcfg.Service{}
|
||||
}
|
||||
|
||||
// Don't mutate hi.Service's underlying array. Append to
|
||||
|
||||
Reference in New Issue
Block a user