Update dependencies

vendor/tailscale.com/ipn/ipnauth/actor.go

@@ -0,0 +1,47 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package ipnauth
+
+import (
+	"tailscale.com/ipn"
+)
+
+// Actor is any actor using the [ipnlocal.LocalBackend].
+//
+// It typically represents a specific OS user, indicating that an operation
+// is performed on behalf of this user, should be evaluated against their
+// access rights, and performed in their security context when applicable.
+type Actor interface {
+	// UserID returns an OS-specific UID of the user represented by the receiver,
+	// or "" if the actor does not represent a specific user on a multi-user system.
+	// As of 2024-08-27, it is only used on Windows.
+	UserID() ipn.WindowsUserID
+	// Username returns the user name associated with the receiver,
+	// or "" if the actor does not represent a specific user.
+	Username() (string, error)
+
+	// IsLocalSystem reports whether the actor is the Windows' Local System account.
+	//
+	// Deprecated: this method exists for compatibility with the current (as of 2024-08-27)
+	// permission model and will be removed as we progress on tailscale/corp#18342.
+	IsLocalSystem() bool
+
+	// IsLocalAdmin reports whether the actor has administrative access to the
+	// local machine, for whatever that means with respect to the current OS.
+	//
+	// The operatorUID is only used on Unix-like platforms and specifies the ID
+	// of a local user (in the os/user.User.Uid string form) who is allowed to
+	// operate tailscaled without being root or using sudo.
+	//
+	// Deprecated: this method exists for compatibility with the current (as of 2024-08-27)
+	// permission model and will be removed as we progress on tailscale/corp#18342.
+	IsLocalAdmin(operatorUID string) bool
+}
+
+// ActorCloser is an optional interface that might be implemented by an [Actor]
+// that must be closed when done to release the resources.
+type ActorCloser interface {
+	// Close releases resources associated with the receiver.
+	Close() error
+}

vendor/tailscale.com/ipn/ipnauth/ipnauth.go

@@ -0,0 +1,209 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package ipnauth controls access to the LocalAPI.
+package ipnauth
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/user"
+	"runtime"
+	"strconv"
+
+	"github.com/tailscale/peercred"
+	"tailscale.com/envknob"
+	"tailscale.com/ipn"
+	"tailscale.com/safesocket"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/groupmember"
+	"tailscale.com/util/winutil"
+	"tailscale.com/version/distro"
+)
+
+// ErrNotImplemented is returned by ConnIdentity.WindowsToken when it is not
+// implemented for the current GOOS.
+var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)
+
+// WindowsToken represents the current security context of a Windows user.
+type WindowsToken interface {
+	io.Closer
+	// EqualUIDs reports whether other refers to the same user ID as the receiver.
+	EqualUIDs(other WindowsToken) bool
+	// IsAdministrator reports whether the receiver is a member of the built-in
+	// Administrators group, or else an error. Use IsElevated to determine whether
+	// the receiver is actually utilizing administrative rights.
+	IsAdministrator() (bool, error)
+	// IsUID reports whether the receiver's user ID matches uid.
+	IsUID(uid ipn.WindowsUserID) bool
+	// UID returns the ipn.WindowsUserID associated with the receiver, or else
+	// an error.
+	UID() (ipn.WindowsUserID, error)
+	// IsElevated reports whether the receiver is currently executing as an
+	// elevated administrative user.
+	IsElevated() bool
+	// IsLocalSystem reports whether the receiver is the built-in SYSTEM user.
+	IsLocalSystem() bool
+	// UserDir returns the special directory identified by folderID as associated
+	// with the receiver. folderID must be one of the KNOWNFOLDERID values from
+	// the x/sys/windows package, serialized as a stringified GUID.
+	UserDir(folderID string) (string, error)
+	// Username returns the user name associated with the receiver.
+	Username() (string, error)
+}
+
+// ConnIdentity represents the owner of a localhost TCP or unix socket connection
+// connecting to the LocalAPI.
+type ConnIdentity struct {
+	conn       net.Conn
+	notWindows bool // runtime.GOOS != "windows"
+
+	// Fields used when NotWindows:
+	isUnixSock bool            // Conn is a *net.UnixConn
+	creds      *peercred.Creds // or nil
+
+	// Used on Windows:
+	// TODO(bradfitz): merge these into the peercreds package and
+	// use that for all.
+	pid int
+}
+
+// WindowsUserID returns the local machine's userid of the connection
+// if it's on Windows. Otherwise it returns the empty string.
+//
+// It's suitable for passing to LookupUserFromID (os/user.LookupId) on any
+// operating system.
+func (ci *ConnIdentity) WindowsUserID() ipn.WindowsUserID {
+	if envknob.GOOS() != "windows" {
+		return ""
+	}
+	if tok, err := ci.WindowsToken(); err == nil {
+		defer tok.Close()
+		if uid, err := tok.UID(); err == nil {
+			return uid
+		}
+	}
+	// For Linux tests running as Windows:
+	const isBroken = true // TODO(bradfitz,maisem): fix tests; this doesn't work yet
+	if ci.creds != nil && !isBroken {
+		if uid, ok := ci.creds.UserID(); ok {
+			return ipn.WindowsUserID(uid)
+		}
+	}
+	return ""
+}
+
+func (ci *ConnIdentity) Pid() int               { return ci.pid }
+func (ci *ConnIdentity) IsUnixSock() bool       { return ci.isUnixSock }
+func (ci *ConnIdentity) Creds() *peercred.Creds { return ci.creds }
+
+var metricIssue869Workaround = clientmetric.NewCounter("issue_869_workaround")
+
+// LookupUserFromID is a wrapper around os/user.LookupId that works around some
+// issues on Windows. On non-Windows platforms it's identical to user.LookupId.
+func LookupUserFromID(logf logger.Logf, uid string) (*user.User, error) {
+	u, err := user.LookupId(uid)
+	if err != nil && runtime.GOOS == "windows" {
+		// See if uid resolves as a pseudo-user. Temporary workaround until
+		// https://github.com/golang/go/issues/49509 resolves and ships.
+		if u, err := winutil.LookupPseudoUser(uid); err == nil {
+			return u, nil
+		}
+
+		// TODO(aaron): With LookupPseudoUser in place, I don't expect us to reach
+		// this point anymore. Leaving the below workaround in for now to confirm
+		// that pseudo-user resolution sufficiently handles this problem.
+
+		// The below workaround is only applicable when uid represents a
+		// valid security principal. Omitting this check causes us to succeed
+		// even when uid represents a deleted user.
+		if !winutil.IsSIDValidPrincipal(uid) {
+			return nil, err
+		}
+
+		metricIssue869Workaround.Add(1)
+		logf("[warning] issue 869: os/user.LookupId failed; ignoring")
+		// Work around https://github.com/tailscale/tailscale/issues/869 for
+		// now. We don't strictly need the username. It's just a nice-to-have.
+		// So make up a *user.User if their machine is broken in this way.
+		return &user.User{
+			Uid:      uid,
+			Username: "unknown-user-" + uid,
+			Name:     "unknown user " + uid,
+		}, nil
+	}
+	return u, err
+}
+
+// IsReadonlyConn reports whether the connection should be considered read-only,
+// meaning it's not allowed to change the state of the node.
+//
+// Read-only also means it's not allowed to access sensitive information, which
+// admittedly doesn't follow from the name. Consider this "IsUnprivileged".
+// Also, Windows doesn't use this. For Windows it always returns false.
+//
+// TODO(bradfitz): rename it? Also make Windows use this.
+func (ci *ConnIdentity) IsReadonlyConn(operatorUID string, logf logger.Logf) bool {
+	if runtime.GOOS == "windows" {
+		// Windows doesn't need/use this mechanism, at least yet. It
+		// has a different last-user-wins auth model.
+		return false
+	}
+	const ro = true
+	const rw = false
+	if !safesocket.PlatformUsesPeerCreds() {
+		return rw
+	}
+	creds := ci.creds
+	if creds == nil {
+		logf("connection from unknown peer; read-only")
+		return ro
+	}
+	uid, ok := creds.UserID()
+	if !ok {
+		logf("connection from peer with unknown userid; read-only")
+		return ro
+	}
+	if uid == "0" {
+		logf("connection from userid %v; root has access", uid)
+		return rw
+	}
+	if selfUID := os.Getuid(); selfUID != 0 && uid == strconv.Itoa(selfUID) {
+		logf("connection from userid %v; connection from non-root user matching daemon has access", uid)
+		return rw
+	}
+	if operatorUID != "" && uid == operatorUID {
+		logf("connection from userid %v; is configured operator", uid)
+		return rw
+	}
+	if yes, err := isLocalAdmin(uid); err != nil {
+		logf("connection from userid %v; read-only; %v", uid, err)
+		return ro
+	} else if yes {
+		logf("connection from userid %v; is local admin, has access", uid)
+		return rw
+	}
+	logf("connection from userid %v; read-only", uid)
+	return ro
+}
+
+func isLocalAdmin(uid string) (bool, error) {
+	u, err := user.LookupId(uid)
+	if err != nil {
+		return false, err
+	}
+	var adminGroup string
+	switch {
+	case runtime.GOOS == "darwin":
+		adminGroup = "admin"
+	case distro.Get() == distro.QNAP:
+		adminGroup = "administrators"
+	default:
+		return false, fmt.Errorf("no system admin group found")
+	}
+	return groupmember.IsMemberOfGroup(adminGroup, u.Username)
+}

vendor/tailscale.com/ipn/ipnauth/ipnauth_notwindows.go

@@ -0,0 +1,29 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !windows
+
+package ipnauth
+
+import (
+	"net"
+
+	"github.com/tailscale/peercred"
+	"tailscale.com/types/logger"
+)
+
+// GetConnIdentity extracts the identity information from the connection
+// based on the user who owns the other end of the connection.
+// and couldn't. The returned connIdentity has NotWindows set to true.
+func GetConnIdentity(_ logger.Logf, c net.Conn) (ci *ConnIdentity, err error) {
+	ci = &ConnIdentity{conn: c, notWindows: true}
+	_, ci.isUnixSock = c.(*net.UnixConn)
+	ci.creds, _ = peercred.Get(c)
+	return ci, nil
+}
+
+// WindowsToken is unsupported when GOOS != windows and always returns
+// ErrNotImplemented.
+func (ci *ConnIdentity) WindowsToken() (WindowsToken, error) {
+	return nil, ErrNotImplemented
+}

vendor/tailscale.com/ipn/ipnauth/ipnauth_windows.go

@@ -0,0 +1,190 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package ipnauth
+
+import (
+	"fmt"
+	"net"
+	"runtime"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+	"tailscale.com/ipn"
+	"tailscale.com/safesocket"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/winutil"
+)
+
+// GetConnIdentity extracts the identity information from the connection
+// based on the user who owns the other end of the connection.
+// If c is not backed by a named pipe, an error is returned.
+func GetConnIdentity(logf logger.Logf, c net.Conn) (ci *ConnIdentity, err error) {
+	ci = &ConnIdentity{conn: c, notWindows: false}
+	wcc, ok := c.(*safesocket.WindowsClientConn)
+	if !ok {
+		return nil, fmt.Errorf("not a WindowsClientConn: %T", c)
+	}
+	ci.pid, err = wcc.ClientPID()
+	if err != nil {
+		return nil, err
+	}
+	return ci, nil
+}
+
+type token struct {
+	t windows.Token
+}
+
+func (t *token) UID() (ipn.WindowsUserID, error) {
+	sid, err := t.uid()
+	if err != nil {
+		return "", fmt.Errorf("failed to look up user from token: %w", err)
+	}
+
+	return ipn.WindowsUserID(sid.String()), nil
+}
+
+func (t *token) Username() (string, error) {
+	sid, err := t.uid()
+	if err != nil {
+		return "", fmt.Errorf("failed to look up user from token: %w", err)
+	}
+
+	username, domain, _, err := sid.LookupAccount("")
+	if err != nil {
+		return "", fmt.Errorf("failed to look up username from SID: %w", err)
+	}
+
+	return fmt.Sprintf(`%s\%s`, domain, username), nil
+}
+
+func (t *token) IsAdministrator() (bool, error) {
+	baSID, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+	if err != nil {
+		return false, err
+	}
+
+	isMember, err := t.t.IsMember(baSID)
+	if err != nil {
+		return false, err
+	}
+	if isMember {
+		return true, nil
+	}
+
+	isLimited, err := winutil.IsTokenLimited(t.t)
+	if err != nil || !isLimited {
+		return false, err
+	}
+
+	// Try to obtain a linked token, and if present, check it.
+	// (This should be the elevated token associated with limited UAC accounts.)
+	linkedToken, err := t.t.GetLinkedToken()
+	if err != nil {
+		return false, err
+	}
+	defer linkedToken.Close()
+
+	return linkedToken.IsMember(baSID)
+}
+
+func (t *token) IsElevated() bool {
+	return t.t.IsElevated()
+}
+
+func (t *token) IsLocalSystem() bool {
+	// https://web.archive.org/web/2024/https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
+	const systemUID = ipn.WindowsUserID("S-1-5-18")
+	return t.IsUID(systemUID)
+}
+
+func (t *token) UserDir(folderID string) (string, error) {
+	guid, err := windows.GUIDFromString(folderID)
+	if err != nil {
+		return "", err
+	}
+
+	return t.t.KnownFolderPath((*windows.KNOWNFOLDERID)(unsafe.Pointer(&guid)), 0)
+}
+
+func (t *token) Close() error {
+	if t.t == 0 {
+		return nil
+	}
+	if err := t.t.Close(); err != nil {
+		return err
+	}
+	t.t = 0
+	runtime.SetFinalizer(t, nil)
+	return nil
+}
+
+func (t *token) EqualUIDs(other WindowsToken) bool {
+	if t != nil && other == nil || t == nil && other != nil {
+		return false
+	}
+	ot, ok := other.(*token)
+	if !ok {
+		return false
+	}
+	if t == ot {
+		return true
+	}
+	uid, err := t.uid()
+	if err != nil {
+		return false
+	}
+	oUID, err := ot.uid()
+	if err != nil {
+		return false
+	}
+	return uid.Equals(oUID)
+}
+
+func (t *token) uid() (*windows.SID, error) {
+	tu, err := t.t.GetTokenUser()
+	if err != nil {
+		return nil, err
+	}
+
+	return tu.User.Sid, nil
+}
+
+func (t *token) IsUID(uid ipn.WindowsUserID) bool {
+	tUID, err := t.UID()
+	if err != nil {
+		return false
+	}
+
+	return tUID == uid
+}
+
+// WindowsToken returns the WindowsToken representing the security context
+// of the connection's client.
+func (ci *ConnIdentity) WindowsToken() (WindowsToken, error) {
+	var wcc *safesocket.WindowsClientConn
+	var ok bool
+	if wcc, ok = ci.conn.(*safesocket.WindowsClientConn); !ok {
+		return nil, fmt.Errorf("not a WindowsClientConn: %T", ci.conn)
+	}
+
+	// We duplicate the token's handle so that the WindowsToken we return may have
+	// a lifetime independent from the original connection.
+	var h windows.Handle
+	if err := windows.DuplicateHandle(
+		windows.CurrentProcess(),
+		windows.Handle(wcc.Token()),
+		windows.CurrentProcess(),
+		&h,
+		0,
+		false,
+		windows.DUPLICATE_SAME_ACCESS,
+	); err != nil {
+		return nil, err
+	}
+
+	result := &token{t: windows.Token(h)}
+	runtime.SetFinalizer(result, func(t *token) { t.Close() })
+	return result, nil
+}