wgengine/netstack: add debug page for TCP forwarder

To help in debugging issues with subnet routers in userspace mode–for
example, hitting the max inflight limit.

Updates tailscale/corp#12184

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Idd922f4ae37695f6598a914c2d050574755ef309

.bencher/config.yaml

@@ -1 +1 @@
-suppress_failure_on_regression: true
+suppress_failure_on_regression: true

.gitattributes

@@ -1,2 +1,2 @@
-go.mod filter=go-mod
-*.go  diff=golang
+go.mod filter=go-mod
+*.go  diff=golang

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,81 +1,81 @@
-name: Bug report
-description: File a bug report. If you need help, contact support instead
-labels: [needs-triage, bug]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Need help with your tailnet? [Contact support](https://tailscale.com/contact/support) instead.
-        Otherwise, please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues) before filing a new one.
-  - type: textarea
-    id: what-happened
-    attributes:
-      label: What is the issue?
-      description: What happened? What did you expect to happen?
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: Steps to reproduce
-      description: What are the steps you took that hit this issue?
-    validations:
-      required: false
-  - type: textarea
-    id: changes
-    attributes:
-      label: Are there any recent changes that introduced the issue?
-      description: If so, what are those changes?
-    validations:
-      required: false
-  - type: dropdown
-    id: os
-    attributes:
-      label: OS
-      description: What OS are you using? You may select more than one.
-      multiple: true
-      options:
-        - Linux
-        - macOS
-        - Windows
-        - iOS
-        - Android
-        - Synology
-        - Other
-    validations:
-      required: false
-  - type: input
-    id: os-version
-    attributes:
-      label: OS version
-      description: What OS version are you using?
-      placeholder: e.g., Debian 11.0, macOS Big Sur 11.6, Synology DSM 7
-    validations:
-      required: false
-  - type: input
-    id: ts-version
-    attributes:
-      label: Tailscale version
-      description: What Tailscale version are you using?
-      placeholder: e.g., 1.14.4
-    validations:
-      required: false
-  - type: textarea
-    id: other-software
-    attributes:
-      label: Other software
-      description: What [other software](https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop) (networking, security, etc) are you running?
-    validations:
-      required: false
-  - type: input
-    id: bug-report
-    attributes:
-      label: Bug report
-      description: Please run [`tailscale bugreport`](https://tailscale.com/kb/1080/cli/?q=Cli#bugreport) and share the bug identifier. The identifier is a random string which allows Tailscale support to locate your account and gives a point to focus on when looking for errors.
-      placeholder: e.g., BUG-1b7641a16971a9cd75822c0ed8043fee70ae88cf05c52981dc220eb96a5c49a8-20210427151443Z-fbcd4fd3a4b7ad94
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a bug report!
+name: Bug report
+description: File a bug report. If you need help, contact support instead
+labels: [needs-triage, bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Need help with your tailnet? [Contact support](https://tailscale.com/contact/support) instead.
+        Otherwise, please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues) before filing a new one.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What is the issue?
+      description: What happened? What did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: What are the steps you took that hit this issue?
+    validations:
+      required: false
+  - type: textarea
+    id: changes
+    attributes:
+      label: Are there any recent changes that introduced the issue?
+      description: If so, what are those changes?
+    validations:
+      required: false
+  - type: dropdown
+    id: os
+    attributes:
+      label: OS
+      description: What OS are you using? You may select more than one.
+      multiple: true
+      options:
+        - Linux
+        - macOS
+        - Windows
+        - iOS
+        - Android
+        - Synology
+        - Other
+    validations:
+      required: false
+  - type: input
+    id: os-version
+    attributes:
+      label: OS version
+      description: What OS version are you using?
+      placeholder: e.g., Debian 11.0, macOS Big Sur 11.6, Synology DSM 7
+    validations:
+      required: false
+  - type: input
+    id: ts-version
+    attributes:
+      label: Tailscale version
+      description: What Tailscale version are you using?
+      placeholder: e.g., 1.14.4
+    validations:
+      required: false
+  - type: textarea
+    id: other-software
+    attributes:
+      label: Other software
+      description: What [other software](https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop) (networking, security, etc) are you running?
+    validations:
+      required: false
+  - type: input
+    id: bug-report
+    attributes:
+      label: Bug report
+      description: Please run [`tailscale bugreport`](https://tailscale.com/kb/1080/cli/?q=Cli#bugreport) and share the bug identifier. The identifier is a random string which allows Tailscale support to locate your account and gives a point to focus on when looking for errors.
+      placeholder: e.g., BUG-1b7641a16971a9cd75822c0ed8043fee70ae88cf05c52981dc220eb96a5c49a8-20210427151443Z-fbcd4fd3a4b7ad94
+    validations:
+      required: false
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a bug report!

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,8 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Support
-    url: https://tailscale.com/contact/support/
-    about: Contact us for support
-  - name: Troubleshooting
-    url: https://tailscale.com/kb/1023/troubleshooting
+blank_issues_enabled: true
+contact_links:
+  - name: Support
+    url: https://tailscale.com/contact/support/
+    about: Contact us for support
+  - name: Troubleshooting
+    url: https://tailscale.com/kb/1023/troubleshooting
     about: See the troubleshooting guide for help addressing common issues

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,42 +1,42 @@
-name: Feature request
-description: Propose a new feature
-title: "FR: "
-labels: [needs-triage, fr]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Please check if your feature request is [already filed](https://github.com/tailscale/tailscale/issues).
-        Tell us about your idea!
-  - type: textarea
-    id: problem
-    attributes:
-      label: What are you trying to do?
-      description: Tell us about the problem you're trying to solve.
-    validations:
-      required: false
-  - type: textarea
-    id: solution
-    attributes:
-      label: How should we solve this?
-      description: If you have an idea of how you'd like to see this feature work, let us know.
-    validations:
-      required: false
-  - type: textarea
-    id: alternative
-    attributes:
-      label: What is the impact of not solving this?
-      description: (How) Are you currently working around the issue?
-    validations:
-      required: false
-  - type: textarea
-    id: context
-    attributes:
-      label: Anything else?
-      description: Any additional context to share, e.g., links
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a feature request!
+name: Feature request
+description: Propose a new feature
+title: "FR: "
+labels: [needs-triage, fr]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please check if your feature request is [already filed](https://github.com/tailscale/tailscale/issues).
+        Tell us about your idea!
+  - type: textarea
+    id: problem
+    attributes:
+      label: What are you trying to do?
+      description: Tell us about the problem you're trying to solve.
+    validations:
+      required: false
+  - type: textarea
+    id: solution
+    attributes:
+      label: How should we solve this?
+      description: If you have an idea of how you'd like to see this feature work, let us know.
+    validations:
+      required: false
+  - type: textarea
+    id: alternative
+    attributes:
+      label: What is the impact of not solving this?
+      description: (How) Are you currently working around the issue?
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Anything else?
+      description: Any additional context to share, e.g., links
+    validations:
+      required: false
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a feature request!

.github/dependabot.yml

@@ -1,21 +1,21 @@
-# Documentation for this file can be found at:
-# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
-version: 2
-updates:
-  ## Disabled between releases. We reenable it briefly after every
-  ## stable release, pull in all changes, and close it again so that
-  ## the tree remains more stable during development and the upstream
-  ## changes have time to soak before the next release.
-  # - package-ecosystem: "gomod"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "daily"
-  #   commit-message:
-  #     prefix: "go.mod:"
-  #   open-pull-requests-limit: 100
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: ".github:"
+# Documentation for this file can be found at:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+updates:
+  ## Disabled between releases. We reenable it briefly after every
+  ## stable release, pull in all changes, and close it again so that
+  ## the tree remains more stable during development and the upstream
+  ## changes have time to soak before the next release.
+  # - package-ecosystem: "gomod"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "daily"
+  #   commit-message:
+  #     prefix: "go.mod:"
+  #   open-pull-requests-limit: 100
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: ".github:"

.github/workflows/checklocks.yml

@@ -18,17 +18,11 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@v4
 
       - name: Build checklocks
         run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks
 
       - name: Run checklocks vet
-        # TODO(#12625): add more packages as we add annotations
-        run: |-
-          ./tool/go vet -vettool=/tmp/checklocks \
-            ./envknob           \
-            ./ipn/store/mem     \
-            ./net/stun/stuntest \
-            ./net/wsconn        \
-            ./proxymap
+        # TODO: remove || true once we have applied checklocks annotations everywhere.
+        run: ./tool/go vet -vettool=/tmp/checklocks ./... || true

.github/workflows/codeql-analysis.yml

@@ -45,17 +45,17 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
 
     # Install a more recent Go that understands modern go.mod content.
     - name: Install Go
-      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      uses: actions/setup-go@v4
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+      uses: github/codeql-action/analyze@v2

.github/workflows/docker-file-build.yml

@@ -10,6 +10,6 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/checkout@v4
     - name: "Build Docker image"
       run: docker build .

.github/workflows/flakehub-publish-tagged.yml

@@ -17,7 +17,7 @@ jobs:
       id-token: "write"
       contents: "read"
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: "actions/checkout@v4"
         with:
           ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
       - uses: "DeterminateSystems/nix-installer-action@main"

.github/workflows/go-licenses.yml

@@ -0,0 +1,64 @@
+name: go-licenses
+
+on:
+  # run action when a change lands in the main branch which updates go.mod or
+  # our license template file. Also allow manual triggering.
+  push:
+    branches:
+      - main
+    paths:
+      - go.mod
+      - .github/licenses.tmpl
+      - .github/workflows/go-licenses.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  update-licenses:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+
+      - name: Install go-licenses
+        run: |
+          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
+
+      - name: Run go-licenses
+        env:
+          # include all build tags to include platform-specific dependencies
+          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
+        run: |
+          [ -d licenses ] || mkdir licenses
+          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
+
+      - name: Get access token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.LICENSING_APP_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
+
+      - name: Send pull request
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: License Updater <noreply+license-updater@tailscale.com>
+          committer: License Updater <noreply+license-updater@tailscale.com>
+          branch: licenses/cli
+          commit-message: "licenses: update tailscale{,d} licenses"
+          title: "licenses: update tailscale{,d} licenses"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          team-reviewers: opensource-license-reviewers

.github/workflows/golangci-lint.yml

@@ -23,18 +23,18 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@v4
         with:
           go-version-file: go.mod
           cache: false
 
       - name: golangci-lint
-        # Note: this is the 'v6.1.0' tag as of 2024-08-21
-        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86
+        # Note: this is the 'v3' tag as of 2023-08-14
+        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
         with:
-          version: v1.60
+          version: v1.56
 
           # Show only new issues if it's a pull request.
           only-new-issues: true

.github/workflows/govulncheck.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@v4
 
       - name: Install govulncheck
         run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
@@ -24,7 +24,7 @@ jobs:
 
       - name: Post to slack
         if: failure() && github.event_name == 'schedule'
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        uses: slackapi/slack-github-action@v1.24.0
         env:
           SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
         with:

.github/workflows/installer.yml

@@ -32,6 +32,7 @@ jobs:
           - "ubuntu:18.04"
           - "ubuntu:20.04"
           - "ubuntu:22.04"
+          - "ubuntu:22.10"
           - "ubuntu:23.04"
           - "elementary/docker:stable"
           - "elementary/docker:unstable"
@@ -67,11 +68,6 @@ jobs:
       image: ${{ matrix.image }}
       options: --user root
     steps:
-    - name: install dependencies (pacman)
-      # Refresh the package databases to ensure that the tailscale package is
-      # defined.
-      run: pacman -Sy
-      if: contains(matrix.image, 'archlinux')
     - name: install dependencies (yum)
       # tar and gzip are needed by the actions/checkout below.
       run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
@@ -95,10 +91,7 @@ jobs:
         || contains(matrix.image, 'parrotsec')
         || contains(matrix.image, 'kalilinux')
     - name: checkout
-      # We cannot use v4, as it requires a newer glibc version than some of the
-      # tested images provide. See
-      # https://github.com/actions/checkout/issues/1487
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      uses: actions/checkout@v4
     - name: run installer
       run: scripts/installer.sh
       # Package installation can fail in docker because systemd is not running

.github/workflows/kubemanifests.yaml

@@ -2,8 +2,8 @@ name: "Kubernetes manifests"
 on:
   pull_request:
    paths: 
-   - 'cmd/k8s-operator/**'
-   - 'k8s-operator/**'
+   - './cmd/k8s-operator/**'
+   - './k8s-operator/**'
    - '.github/workflows/kubemanifests.yaml'
 
 # Cancel workflow run if there is a newer push to the same PR for which it is
@@ -17,7 +17,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
     - name: Check out code
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: Build and lint Helm chart
       run: |
         eval `./tool/go run ./cmd/mkversion`

.github/workflows/ssh-integrationtest.yml

@@ -1,23 +0,0 @@
-# Run the ssh integration tests with `make sshintegrationtest`.
-# These tests can also be running locally.
-name: "ssh-integrationtest"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-    paths:
-      - "ssh/**"
-      - "tempfork/gliderlabs/ssh/**"
-      - ".github/workflows/ssh-integrationtest"
-jobs:
-  ssh-integrationtest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Run SSH integration tests
-        run: |
-          make sshintegrationtest

.github/workflows/test.yml

@@ -50,7 +50,7 @@ jobs:
           - shard: '4/4'
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: build test wrapper
       run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
     - name: integration tests as root
@@ -78,9 +78,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: Restore Cache
-      uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -150,16 +150,16 @@ jobs:
     runs-on: windows-2022
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
 
     - name: Install Go
-      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      uses: actions/setup-go@v4
       with:
         go-version-file: go.mod
         cache: false
 
     - name: Restore Cache
-      uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -190,11 +190,11 @@ jobs:
       options: --privileged
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: chown
       run: chown -R $(id -u):$(id -g) $PWD
     - name: privileged tests
-      run: ./tool/go test ./util/linuxfw ./derp/xdp
+      run: ./tool/go test ./util/linuxfw
 
   vm:
     runs-on: ["self-hosted", "linux", "vm"]
@@ -202,11 +202,11 @@ jobs:
     if: github.repository == 'tailscale/tailscale'
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: Run VM tests
       run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
       env:
-        HOME: "/var/lib/ghrunner/home"
+        HOME: "/tmp"
         TMPDIR: "/tmp"
         XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
 
@@ -214,7 +214,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: build all
       run: ./tool/go install -race ./cmd/...
     - name: build tests
@@ -254,13 +254,16 @@ jobs:
             goarch: amd64
           - goos: openbsd
             goarch: amd64
+          # Plan9 (disabled until 3p dependencies are fixed)
+          # - goos: plan9
+          #   goarch: amd64
 
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: Restore Cache
-      uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -295,54 +298,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: build some
       run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
       env:
         GOOS: ios
         GOARCH: arm64
 
-  crossmin: # cross-compile for platforms where we only check cmd/tailscale{,d}
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Plan9
-          - goos: plan9
-            goarch: amd64
-          # AIX
-          - goos: aix
-            goarch: ppc64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - name: Restore Cache
-      uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
-    - name: build core
-      run: ./tool/go build ./cmd/tailscale ./cmd/tailscaled
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-
   android:
     # similar to cross above, but android fails to build a few pieces of the
     # repo. We should fix those pieces, they're small, but as a stepping stone,
@@ -350,13 +312,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
       # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
       # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
       # some Android breakages early.
       # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
     - name: build some
-      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/netmon ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
       env:
         GOOS: android
         GOARCH: arm64
@@ -365,9 +327,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: Restore Cache
-      uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache@v3
       with:
         # Note: unlike the other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache
@@ -399,7 +361,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: test tailscale_go
       run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
 
@@ -456,22 +418,18 @@ jobs:
         fuzz-seconds: 300
         dry-run: false
         language: go
-    - name: Set artifacts_path in env (workaround for actions/upload-artifact#176)
-      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
-      run: |
-        echo "artifacts_path=$(realpath .)" >> $GITHUB_ENV
     - name: upload crash
-      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      uses: actions/upload-artifact@v3
       if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
       with:
         name: artifacts
-        path: ${{ env.artifacts_path }}/out/artifacts
+        path: ./out/artifacts
 
   depaware:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: check depaware
       run: |
         export PATH=$(./tool/go env GOROOT)/bin:$PATH
@@ -481,10 +439,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: check that 'go generate' is clean
       run: |
-        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
+        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator')
         ./tool/go generate $pkgs
         echo
         echo
@@ -494,7 +452,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: check that 'go mod tidy' is clean
       run: |
         ./tool/go mod tidy
@@ -506,7 +464,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: check licenses
       run: ./scripts/check_license_headers.sh .
 
@@ -522,7 +480,7 @@ jobs:
             goarch: "386"
     steps:
     - name: checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@v4
     - name: install staticcheck
       run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
     - name: run staticcheck
@@ -563,7 +521,7 @@ jobs:
       # By having the job always run, but skipping its only step as needed, we
       # let the CI output collapse nicely in PRs.
       if: failure() && github.event_name == 'push'
-      uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+      uses: ruby/action-slack@v3.2.1
       with:
         payload: |
           {
@@ -578,7 +536,6 @@ jobs:
           }
       env:
         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
 
   check_mergeability:
     if: always()
@@ -601,6 +558,6 @@ jobs:
     steps:
     - name: Decide if change is okay to merge
       if: github.event_name != 'push'
-      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+      uses: re-actors/alls-green@release/v1
       with:
         jobs: ${{ toJSON(needs) }}

.github/workflows/update-flake.yml

@@ -21,22 +21,21 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@v4
 
       - name: Run update-flakes
         run: ./update-flake.sh
 
       - name: Get access token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
         id: generate-token
         with:
           app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_retrieval_mode: "id"
-          installation_retrieval_payload: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: Flakes Updater <noreply+flakes-updater@tailscale.com>

.github/workflows/update-webclient-prebuilt.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@v4
 
       - name: Run go get
         run: |
@@ -23,19 +23,18 @@ jobs:
           ./tool/go mod tidy
 
       - name: Get access token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
         id: generate-token
         with:
           # TODO(will): this should use the code updater app rather than licensing.
           # It has the same permissions, so not a big deal, but still.
           app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_retrieval_mode: "id"
-          installation_retrieval_payload: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
         id: pull-request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           author: OSS Updater <noreply+oss-updater@tailscale.com>

.github/workflows/webclient.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@v4
       - name: Install deps
         run: ./tool/yarn --cwd client/web
       - name: Run lint

.gitignore

@@ -9,7 +9,6 @@
 
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
-ssh/tailssh/testcontainers/tailscaled
 
 # Test binary, built with `go test -c`
 *.test
@@ -43,9 +42,3 @@ client/web/build/assets
 
 /gocross
 /dist
-
-# Ignore xcode userstate and workspace data
-*.xcuserstate
-*.xcworkspacedata
-/tstest/tailmac/bin
-/tstest/tailmac/build

AUTHORS

@@ -1,17 +1,17 @@
-# This is the official list of Tailscale
-# authors for copyright purposes.
-#
-# Names should be added to this file as one of
-#     Organization's name
-#     Individual's name <submission email address>
-#     Individual's name <submission email address> <email2> <emailN>
-#
-# Please keep the list sorted.
-#
-# You do not need to add entries to this list, and we don't actively
-# populate this list. If you do want to be acknowledged explicitly as
-# a copyright holder, though, then please send a PR referencing your
-# earlier contributions and clarifying whether it's you or your
-# company that owns the rights to your contribution.
-
-Tailscale Inc.
+# This is the official list of Tailscale
+# authors for copyright purposes.
+#
+# Names should be added to this file as one of
+#     Organization's name
+#     Individual's name <submission email address>
+#     Individual's name <submission email address> <email2> <emailN>
+#
+# Please keep the list sorted.
+#
+# You do not need to add entries to this list, and we don't actively
+# populate this list. If you do want to be acknowledged explicitly as
+# a copyright holder, though, then please send a PR referencing your
+# earlier contributions and clarifying whether it's you or your
+# company that owns the rights to your contribution.
+
+Tailscale Inc.

CODEOWNERS

@@ -1 +1 @@
-/tailcfg/ @tailscale/control-protocol-owners
+/tailcfg/ @tailscale/control-protocol-owners

CODE_OF_CONDUCT.md

@@ -1,135 +1,135 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation
-in our community a harassment-free experience for everyone, regardless
-of age, body size, visible or invisible disability, ethnicity, sex
-characteristics, gender identity and expression, level of experience,
-education, socio-economic status, nationality, personal appearance,
-race, religion, or sexual identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open,
-welcoming, diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for
-our community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our
-  mistakes, and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or
-  political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in
-  a professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our
-standards of acceptable behavior and will take appropriate and fair
-corrective action in response to any behavior that they deem
-inappropriate, threatening, offensive, or harmful.
-
-Community leaders have the right and responsibility to remove, edit,
-or reject comments, commits, code, wiki edits, issues, and other
-contributions that are not aligned to this Code of Conduct, and will
-communicate reasons for moderation decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also
-applies when an individual is officially representing the community in
-public spaces. Examples of representing our community include using an
-official e-mail address, posting via an official social media account,
-or acting as an appointed representative at an online or offline
-event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior
-may be reported to the community leaders responsible for enforcement
-at [info@tailscale.com](mailto:info@tailscale.com). All complaints
-will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and
-security of the reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in
-determining the consequences for any action they deem in violation of
-this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior
-deemed unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders,
-providing clarity around the nature of the violation and an
-explanation of why the behavior was inappropriate. A public apology
-may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series
-of actions.
-
-**Consequence**: A warning with consequences for continued
-behavior. No interaction with the people involved, including
-unsolicited interaction with those enforcing the Code of Conduct, for
-a specified period of time. This includes avoiding interactions in
-community spaces as well as external channels like social
-media. Violating these terms may lead to a temporary or permanent ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards,
-including sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or
-public communication with the community for a specified period of
-time. No public or private interaction with the people involved,
-including unsolicited interaction with those enforcing the Code of
-Conduct, is allowed during this period. Violating these terms may lead
-to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of
-community standards, including sustained inappropriate behavior,
-harassment of an individual, or aggression toward or disparagement of
-classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction
-within the community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor
-Covenant][homepage], version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
-
-Community Impact Guidelines were inspired by [Mozilla's code of
-conduct enforcement ladder](https://github.com/mozilla/diversity).
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see the
-FAQ at https://www.contributor-covenant.org/faq. Translations are
-available at https://www.contributor-covenant.org/translations.
-
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation
+in our community a harassment-free experience for everyone, regardless
+of age, body size, visible or invisible disability, ethnicity, sex
+characteristics, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance,
+race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open,
+welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for
+our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our
+  mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or
+  political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in
+  a professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our
+standards of acceptable behavior and will take appropriate and fair
+corrective action in response to any behavior that they deem
+inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit,
+or reject comments, commits, code, wiki edits, issues, and other
+contributions that are not aligned to this Code of Conduct, and will
+communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also
+applies when an individual is officially representing the community in
+public spaces. Examples of representing our community include using an
+official e-mail address, posting via an official social media account,
+or acting as an appointed representative at an online or offline
+event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported to the community leaders responsible for enforcement
+at [info@tailscale.com](mailto:info@tailscale.com). All complaints
+will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and
+security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in
+determining the consequences for any action they deem in violation of
+this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior
+deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders,
+providing clarity around the nature of the violation and an
+explanation of why the behavior was inappropriate. A public apology
+may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued
+behavior. No interaction with the people involved, including
+unsolicited interaction with those enforcing the Code of Conduct, for
+a specified period of time. This includes avoiding interactions in
+community spaces as well as external channels like social
+media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards,
+including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or
+public communication with the community for a specified period of
+time. No public or private interaction with the people involved,
+including unsolicited interaction with those enforcing the Code of
+Conduct, is allowed during this period. Violating these terms may lead
+to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of
+community standards, including sustained inappropriate behavior,
+harassment of an individual, or aggression toward or disparagement of
+classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction
+within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor
+Covenant][homepage], version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of
+conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the
+FAQ at https://www.contributor-covenant.org/faq. Translations are
+available at https://www.contributor-covenant.org/translations.
+

Dockerfile

@@ -1,13 +1,17 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 
-# Note that this Dockerfile is currently NOT used to build any of the published
-# Tailscale container images and may have drifted from the image build mechanism
-# we use.
-# Tailscale images are currently built using https://github.com/tailscale/mkctr,
-# and the build script can be found in ./build_docker.sh.
+############################################################################
 #
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
 #
+# See current bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
+
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
@@ -27,7 +31,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.23-alpine AS build-env
+FROM golang:1.22-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 
@@ -42,7 +46,7 @@ RUN go install \
     gvisor.dev/gvisor/pkg/tcpip/stack \
     golang.org/x/crypto/ssh \
     golang.org/x/crypto/acme \
-    github.com/coder/websocket \
+    nhooyr.io/websocket \
     github.com/mdlayher/netlink
 
 COPY . .

LICENSE

@@ -1,28 +1,28 @@
-BSD 3-Clause License
-
-Copyright (c) 2020 Tailscale Inc & AUTHORS.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-   contributors may be used to endorse or promote products derived from
-   this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+BSD 3-Clause License
+
+Copyright (c) 2020 Tailscale Inc & AUTHORS.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -1,5 +1,5 @@
 IMAGE_REPO ?= tailscale/tailscale
-SYNO_ARCH ?= "x86_64"
+SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"
 TAGS ?= "latest"
 
@@ -21,7 +21,6 @@ updatedeps: ## Update depaware deps
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
 
 depaware: ## Run depaware checks
@@ -31,7 +30,6 @@ depaware: ## Run depaware checks
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
 
 buildwindows: ## Build tailscale CLI for windows/amd64
@@ -100,25 +98,7 @@ publishdevoperator: ## Build and publish k8s-operator image to location specifie
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-operator ./build_docker.sh
-
-publishdevnameserver: ## Build and publish k8s-nameserver image to location specified by ${REPO}
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-nameserver" || (echo "REPO=... must not be tailscale/k8s-nameserver" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-nameserver" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-nameserver" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-nameserver ./build_docker.sh
-
-.PHONY: sshintegrationtest
-sshintegrationtest: ## Run the SSH integration tests in various Docker containers
-	@GOOS=linux GOARCH=amd64 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
-	GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
-	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \
-	echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t ssh-alpine-latest ssh/tailssh/testcontainers
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=operator ./build_docker.sh
 
 help: ## Show this help
 	@echo "\nSpecify a command. The choices are:\n"

PATENTS

@@ -1,24 +1,24 @@
-Additional IP Rights Grant (Patents)
-
-"This implementation" means the copyrightable works distributed by
-Tailscale Inc. as part of the Tailscale project.
-
-Tailscale Inc. hereby grants to You a perpetual, worldwide,
-non-exclusive, no-charge, royalty-free, irrevocable (except as stated
-in this section) patent license to make, have made, use, offer to
-sell, sell, import, transfer and otherwise run, modify and propagate
-the contents of this implementation of Tailscale, where such license
-applies only to those patent claims, both currently owned or
-controlled by Tailscale Inc. and acquired in the future, licensable
-by Tailscale Inc. that are necessarily infringed by this
-implementation of Tailscale.  This grant does not include claims that
-would be infringed only as a consequence of further modification of
-this implementation.  If you or your agent or exclusive licensee
-institute or order or agree to the institution of patent litigation
-against any entity (including a cross-claim or counterclaim in a
-lawsuit) alleging that this implementation of Tailscale or any code
-incorporated within this implementation of Tailscale constitutes
-direct or contributory patent infringement, or inducement of patent
-infringement, then any patent rights granted to you under this License
-for this implementation of Tailscale shall terminate as of the date
-such litigation is filed.
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Tailscale Inc. as part of the Tailscale project.
+
+Tailscale Inc. hereby grants to You a perpetual, worldwide,
+non-exclusive, no-charge, royalty-free, irrevocable (except as stated
+in this section) patent license to make, have made, use, offer to
+sell, sell, import, transfer and otherwise run, modify and propagate
+the contents of this implementation of Tailscale, where such license
+applies only to those patent claims, both currently owned or
+controlled by Tailscale Inc. and acquired in the future, licensable
+by Tailscale Inc. that are necessarily infringed by this
+implementation of Tailscale.  This grant does not include claims that
+would be infringed only as a consequence of further modification of
+this implementation.  If you or your agent or exclusive licensee
+institute or order or agree to the institution of patent litigation
+against any entity (including a cross-claim or counterclaim in a
+lawsuit) alleging that this implementation of Tailscale or any code
+incorporated within this implementation of Tailscale constitutes
+direct or contributory patent infringement, or inducement of patent
+infringement, then any patent rights granted to you under this License
+for this implementation of Tailscale shall terminate as of the date
+such litigation is filed.

README.md

@@ -37,7 +37,7 @@ not open source.
 
 ## Building
 
-We always require the latest Go release, currently Go 1.23. (While we build
+We always require the latest Go release, currently Go 1.22. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)
 

SECURITY.md

@@ -1,8 +1,8 @@
-# Security Policy
-
-## Reporting a Vulnerability
-
-You can report vulnerabilities privately to
-[security@tailscale.com](mailto:security@tailscale.com). Tailscale
-staff will triage the issue, and work with you on a coordinated
-disclosure timeline.
+# Security Policy
+
+## Reporting a Vulnerability
+
+You can report vulnerabilities privately to
+[security@tailscale.com](mailto:security@tailscale.com). Tailscale
+staff will triage the issue, and work with you on a coordinated
+disclosure timeline.

VERSION.txt

@@ -1 +1 @@
-1.78.0
+1.61.0

appc/appconnector.go

@@ -11,64 +11,20 @@ package appc
 
 import (
 	"context"
-	"fmt"
 	"net/netip"
 	"slices"
 	"strings"
 	"sync"
-	"time"
 
 	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/views"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/execqueue"
 	"tailscale.com/util/mak"
-	"tailscale.com/util/slicesx"
 )
 
-// rateLogger responds to calls to update by adding a count for the current period and
-// calling the callback if any previous period has finished since update was last called
-type rateLogger struct {
-	interval    time.Duration
-	start       time.Time
-	periodStart time.Time
-	periodCount int64
-	now         func() time.Time
-	callback    func(int64, time.Time, int64)
-}
-
-func (rl *rateLogger) currentIntervalStart(now time.Time) time.Time {
-	millisSince := now.Sub(rl.start).Milliseconds() % rl.interval.Milliseconds()
-	return now.Add(-(time.Duration(millisSince)) * time.Millisecond)
-}
-
-func (rl *rateLogger) update(numRoutes int64) {
-	now := rl.now()
-	periodEnd := rl.periodStart.Add(rl.interval)
-	if periodEnd.Before(now) {
-		if rl.periodCount != 0 {
-			rl.callback(rl.periodCount, rl.periodStart, numRoutes)
-		}
-		rl.periodCount = 0
-		rl.periodStart = rl.currentIntervalStart(now)
-	}
-	rl.periodCount++
-}
-
-func newRateLogger(now func() time.Time, interval time.Duration, callback func(int64, time.Time, int64)) *rateLogger {
-	nowTime := now()
-	return &rateLogger{
-		callback:    callback,
-		now:         now,
-		interval:    interval,
-		start:       nowTime,
-		periodStart: nowTime,
-	}
-}
-
 // RouteAdvertiser is an interface that allows the AppConnector to advertise
 // newly discovered routes that need to be served through the AppConnector.
 type RouteAdvertiser interface {
@@ -80,55 +36,6 @@ type RouteAdvertiser interface {
 	UnadvertiseRoute(...netip.Prefix) error
 }
 
-var (
-	metricStoreRoutesRateBuckets = []int64{1, 2, 3, 4, 5, 10, 100, 1000}
-	metricStoreRoutesNBuckets    = []int64{1, 2, 3, 4, 5, 10, 100, 1000, 10000}
-	metricStoreRoutesRate        []*clientmetric.Metric
-	metricStoreRoutesN           []*clientmetric.Metric
-)
-
-func initMetricStoreRoutes() {
-	for _, n := range metricStoreRoutesRateBuckets {
-		metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_rate_%d", n)))
-	}
-	metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter("appc_store_routes_rate_over"))
-	for _, n := range metricStoreRoutesNBuckets {
-		metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_n_routes_%d", n)))
-	}
-	metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter("appc_store_routes_n_routes_over"))
-}
-
-func recordMetric(val int64, buckets []int64, metrics []*clientmetric.Metric) {
-	if len(buckets) < 1 {
-		return
-	}
-	// finds the first bucket where val <=, or len(buckets) if none match
-	// for bucket values of 1, 10, 100; 0-1 goes to [0], 2-10 goes to [1], 11-100 goes to [2], 101+ goes to [3]
-	bucket, _ := slices.BinarySearch(buckets, val)
-	metrics[bucket].Add(1)
-}
-
-func metricStoreRoutes(rate, nRoutes int64) {
-	if len(metricStoreRoutesRate) == 0 {
-		initMetricStoreRoutes()
-	}
-	recordMetric(rate, metricStoreRoutesRateBuckets, metricStoreRoutesRate)
-	recordMetric(nRoutes, metricStoreRoutesNBuckets, metricStoreRoutesN)
-}
-
-// RouteInfo is a data structure used to persist the in memory state of an AppConnector
-// so that we can know, even after a restart, which routes came from ACLs and which were
-// learned from domains.
-type RouteInfo struct {
-	// Control is the routes from the 'routes' section of an app connector acl.
-	Control []netip.Prefix `json:",omitempty"`
-	// Domains are the routes discovered by observing DNS lookups for configured domains.
-	Domains map[string][]netip.Addr `json:",omitempty"`
-	// Wildcards are the configured DNS lookup domains to observe. When a DNS query matches Wildcards,
-	// its result is added to Domains.
-	Wildcards []string `json:",omitempty"`
-}
-
 // AppConnector is an implementation of an AppConnector that performs
 // its function as a subsystem inside of a tailscale node. At the control plane
 // side App Connector routing is configured in terms of domains rather than IP
@@ -142,9 +49,6 @@ type AppConnector struct {
 	logf            logger.Logf
 	routeAdvertiser RouteAdvertiser
 
-	// storeRoutesFunc will be called to persist routes if it is not nil.
-	storeRoutesFunc func(*RouteInfo) error
-
 	// mu guards the fields that follow
 	mu sync.Mutex
 
@@ -160,68 +64,14 @@ type AppConnector struct {
 
 	// queue provides ordering for update operations
 	queue execqueue.ExecQueue
-
-	writeRateMinute *rateLogger
-	writeRateDay    *rateLogger
 }
 
 // NewAppConnector creates a new AppConnector.
-func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser, routeInfo *RouteInfo, storeRoutesFunc func(*RouteInfo) error) *AppConnector {
-	ac := &AppConnector{
+func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser) *AppConnector {
+	return &AppConnector{
 		logf:            logger.WithPrefix(logf, "appc: "),
 		routeAdvertiser: routeAdvertiser,
-		storeRoutesFunc: storeRoutesFunc,
 	}
-	if routeInfo != nil {
-		ac.domains = routeInfo.Domains
-		ac.wildcards = routeInfo.Wildcards
-		ac.controlRoutes = routeInfo.Control
-	}
-	ac.writeRateMinute = newRateLogger(time.Now, time.Minute, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in minute starting at %v (%d routes)", c, s, l)
-		metricStoreRoutes(c, l)
-	})
-	ac.writeRateDay = newRateLogger(time.Now, 24*time.Hour, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in 24 hours starting at %v (%d routes)", c, s, l)
-	})
-	return ac
-}
-
-// ShouldStoreRoutes returns true if the appconnector was created with the controlknob on
-// and is storing its discovered routes persistently.
-func (e *AppConnector) ShouldStoreRoutes() bool {
-	return e.storeRoutesFunc != nil
-}
-
-// storeRoutesLocked takes the current state of the AppConnector and persists it
-func (e *AppConnector) storeRoutesLocked() error {
-	if !e.ShouldStoreRoutes() {
-		return nil
-	}
-
-	// log write rate and write size
-	numRoutes := int64(len(e.controlRoutes))
-	for _, rs := range e.domains {
-		numRoutes += int64(len(rs))
-	}
-	e.writeRateMinute.update(numRoutes)
-	e.writeRateDay.update(numRoutes)
-
-	return e.storeRoutesFunc(&RouteInfo{
-		Control:   e.controlRoutes,
-		Domains:   e.domains,
-		Wildcards: e.wildcards,
-	})
-}
-
-// ClearRoutes removes all route state from the AppConnector.
-func (e *AppConnector) ClearRoutes() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-	e.controlRoutes = nil
-	e.domains = nil
-	e.wildcards = nil
-	return e.storeRoutesLocked()
 }
 
 // UpdateDomainsAndRoutes starts an asynchronous update of the configuration
@@ -275,26 +125,10 @@ func (e *AppConnector) updateDomains(domains []string) {
 		for _, wc := range e.wildcards {
 			if dnsname.HasSuffix(d, wc) {
 				e.domains[d] = addrs
-				delete(oldDomains, d)
 				break
 			}
 		}
 	}
-
-	// Everything left in oldDomains is a domain we're no longer tracking
-	// and if we are storing route info we can unadvertise the routes
-	if e.ShouldStoreRoutes() {
-		toRemove := []netip.Prefix{}
-		for _, addrs := range oldDomains {
-			for _, a := range addrs {
-				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
-			}
-		}
-		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-			e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", xmaps.Keys(oldDomains), toRemove, err)
-		}
-	}
-
 	e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
 }
 
@@ -318,14 +152,6 @@ func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
 
 	var toRemove []netip.Prefix
 
-	// If we're storing routes and know e.controlRoutes is a good
-	// representation of what should be in AdvertisedRoutes we can stop
-	// advertising routes that used to be in e.controlRoutes but are not
-	// in routes.
-	if e.ShouldStoreRoutes() {
-		toRemove = routesWithout(e.controlRoutes, routes)
-	}
-
 nextRoute:
 	for _, r := range routes {
 		for _, addr := range e.domains {
@@ -344,9 +170,6 @@ nextRoute:
 	}
 
 	e.controlRoutes = routes
-	if err := e.storeRoutesLocked(); err != nil {
-		e.logf("failed to store route info: %v", err)
-	}
 }
 
 // Domains returns the currently configured domain list.
@@ -481,10 +304,8 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 			}
 		}
 
-		if len(toAdvertise) > 0 {
-			e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
-			e.scheduleAdvertisement(domain, toAdvertise...)
-		}
+		e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
+		e.scheduleAdvertisement(domain, toAdvertise...)
 	}
 }
 
@@ -559,9 +380,6 @@ func (e *AppConnector) scheduleAdvertisement(domain string, routes ...netip.Pref
 				e.logf("[v2] advertised route for %v: %v", domain, addr)
 			}
 		}
-		if err := e.storeRoutesLocked(); err != nil {
-			e.logf("failed to store route info: %v", err)
-		}
 	})
 }
 
@@ -582,15 +400,3 @@ func (e *AppConnector) addDomainAddrLocked(domain string, addr netip.Addr) {
 func compareAddr(l, r netip.Addr) int {
 	return l.Compare(r)
 }
-
-// routesWithout returns a without b where a and b
-// are unsorted slices of netip.Prefix
-func routesWithout(a, b []netip.Prefix) []netip.Prefix {
-	m := make(map[netip.Prefix]bool, len(b))
-	for _, p := range b {
-		m[p] = true
-	}
-	return slicesx.Filter(make([]netip.Prefix, 0, len(a)), a, func(p netip.Prefix) bool {
-		return !m[p]
-	})
-}

appc/appconnector_test.go

@@ -9,249 +9,202 @@ import (
 	"reflect"
 	"slices"
 	"testing"
-	"time"
 
 	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/appc/appctest"
-	"tailscale.com/tstest"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 )
 
-func fakeStoreRoutes(*RouteInfo) error { return nil }
-
 func TestUpdateDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, nil, nil)
-		}
-		a.UpdateDomains([]string{"example.com"})
+	ctx := context.Background()
+	a := NewAppConnector(t.Logf, nil)
+	a.UpdateDomains([]string{"example.com"})
 
-		a.Wait(ctx)
-		if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.Wait(ctx)
+	if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		addr := netip.MustParseAddr("192.0.0.8")
-		a.domains["example.com"] = append(a.domains["example.com"], addr)
-		a.UpdateDomains([]string{"example.com"})
-		a.Wait(ctx)
+	addr := netip.MustParseAddr("192.0.0.8")
+	a.domains["example.com"] = append(a.domains["example.com"], addr)
+	a.UpdateDomains([]string{"example.com"})
+	a.Wait(ctx)
 
-		if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// domains are explicitly downcased on set.
-		a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
-		a.Wait(ctx)
-		if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// domains are explicitly downcased on set.
+	a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
+	a.Wait(ctx)
+	if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
 	}
 }
 
 func TestUpdateRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"*.example.com"})
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	a.updateDomains([]string{"*.example.com"})
 
-		// This route should be collapsed into the range
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
-		a.Wait(ctx)
+	// This route should be collapsed into the range
+	a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
+	a.Wait(ctx)
 
-		if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
-			t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		}
+	if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
+		t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	}
 
-		// This route should not be collapsed or removed
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
-		a.Wait(ctx)
+	// This route should not be collapsed or removed
+	a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
+	a.Wait(ctx)
 
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
-		a.updateRoutes(routes)
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
+	a.updateRoutes(routes)
 
-		slices.SortFunc(rc.Routes(), prefixCompare)
-		rc.SetRoutes(slices.Compact(rc.Routes()))
-		slices.SortFunc(routes, prefixCompare)
+	slices.SortFunc(rc.Routes(), prefixCompare)
+	rc.SetRoutes(slices.Compact(rc.Routes()))
+	slices.SortFunc(routes, prefixCompare)
 
-		// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
-		}
+	// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
+	}
 
-		// Ensure that the contained /32 is removed, replaced by the /24.
-		wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
-		if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
-			t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
-		}
+	// Ensure that the contained /32 is removed, replaced by the /24.
+	wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
+	if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
+		t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
 	}
 }
 
 func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
-		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
-		a.updateRoutes(routes)
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
+	rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
+	a.updateRoutes(routes)
 
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Fatalf("got %v, want %v", rc.Routes(), routes)
-		}
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Fatalf("got %v, want %v", rc.Routes(), routes)
 	}
 }
 
 func TestDomainRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		a.Wait(context.Background())
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	a.updateDomains([]string{"example.com"})
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	a.Wait(context.Background())
 
-		want := map[string][]netip.Addr{
-			"example.com": {netip.MustParseAddr("192.0.0.8")},
-		}
+	want := map[string][]netip.Addr{
+		"example.com": {netip.MustParseAddr("192.0.0.8")},
+	}
 
-		if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
-			t.Fatalf("DomainRoutes: got %v, want %v", got, want)
-		}
+	if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
+		t.Fatalf("DomainRoutes: got %v, want %v", got, want)
 	}
 }
 
 func TestObserveDNSResponse(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
 
-		// a has no domains configured, so it should not advertise any routes
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// a has no domains configured, so it should not advertise any routes
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
+	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
 
-		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.updateDomains([]string{"example.com"})
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	a.Wait(ctx)
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// a CNAME record chain should result in a route being added if the chain
-		// matches a routed domain.
-		a.updateDomains([]string{"www.example.com", "example.com"})
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com."))
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// a CNAME record chain should result in a route being added if the chain
+	// matches a routed domain.
+	a.updateDomains([]string{"www.example.com", "example.com"})
+	a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com."))
+	a.Wait(ctx)
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// a CNAME record chain should result in a route being added if the chain
-		// even if only found in the middle of the chain
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org."))
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// a CNAME record chain should result in a route being added if the chain
+	// even if only found in the middle of the chain
+	a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org."))
+	a.Wait(ctx)
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
 
-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+	a.Wait(ctx)
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
 
-		// don't re-advertise routes that have already been advertised
-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
+	// don't re-advertise routes that have already been advertised
+	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+	a.Wait(ctx)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
 
-		// don't advertise addresses that are already in a control provided route
-		pfx := netip.MustParsePrefix("192.0.2.0/24")
-		a.updateRoutes([]netip.Prefix{pfx})
-		wantRoutes = append(wantRoutes, pfx)
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
-		if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
-			t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
-		}
+	// don't advertise addresses that are already in a control provided route
+	pfx := netip.MustParsePrefix("192.0.2.0/24")
+	a.updateRoutes([]netip.Prefix{pfx})
+	wantRoutes = append(wantRoutes, pfx)
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
+	a.Wait(ctx)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
+	if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
+		t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
 	}
 }
 
 func TestWildcardDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
 
-		a.updateDomains([]string{"*.example.com"})
-		a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
-			t.Errorf("routes: got %v; want %v", got, want)
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
+	a.updateDomains([]string{"*.example.com"})
+	a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
+	a.Wait(ctx)
+	if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
+		t.Errorf("routes: got %v; want %v", got, want)
+	}
+	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("wildcards: got %v; want %v", got, want)
+	}
 
-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if _, ok := a.domains["foo.example.com"]; !ok {
-			t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
+	a.updateDomains([]string{"*.example.com", "example.com"})
+	if _, ok := a.domains["foo.example.com"]; !ok {
+		t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
+	}
+	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("wildcards: got %v; want %v", got, want)
+	}
 
-		// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if len(a.wildcards) != 1 {
-			t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
-		}
+	// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
+	a.updateDomains([]string{"*.example.com", "example.com"})
+	if len(a.wildcards) != 1 {
+		t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
 	}
 }
 
@@ -357,248 +310,3 @@ func prefixCompare(a, b netip.Prefix) int {
 	}
 	return a.Addr().Compare(b.Addr())
 }
-
-func prefixes(in ...string) []netip.Prefix {
-	toRet := make([]netip.Prefix, len(in))
-	for i, s := range in {
-		toRet[i] = netip.MustParsePrefix(s)
-	}
-	return toRet
-}
-
-func TestUpdateRouteRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		// nothing has yet been advertised
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.2/32"))
-		a.Wait(ctx)
-		// the routes passed to UpdateDomainsAndRoutes have been advertised
-		assertRoutes("simple update", prefixes("1.2.3.1/32", "1.2.3.2/32"), []netip.Prefix{})
-
-		// one route the same, one different
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.3/32"))
-		a.Wait(ctx)
-		// old behavior: routes are not removed, resulting routes are both old and new
-		// (we have dupe 1.2.3.1 routes because the test RouteAdvertiser doesn't have the deduplication
-		// the real one does)
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.1/32", "1.2.3.3/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior: routes are removed, resulting routes are new only
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.1/32", "1.2.3.3/32")
-			wantRemovedRoutes = prefixes("1.2.3.2/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateDomainRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.4"))
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateWildcardRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "*.b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("1.b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("2.b.example.com.", "1.2.3.4"))
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for *.b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestRoutesWithout(t *testing.T) {
-	assert := func(msg string, got, want []netip.Prefix) {
-		if !slices.Equal(want, got) {
-			t.Errorf("%s: want %v, got %v", msg, want, got)
-		}
-	}
-
-	assert("empty routes", routesWithout([]netip.Prefix{}, []netip.Prefix{}), []netip.Prefix{})
-	assert("a empty", routesWithout([]netip.Prefix{}, prefixes("1.1.1.1/32", "1.1.1.2/32")), []netip.Prefix{})
-	assert("b empty", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), []netip.Prefix{}), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("no overlap", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.3/32", "1.1.1.4/32")), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("a has fewer", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32")), []netip.Prefix{})
-	assert("a has more", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32"), prefixes("1.1.1.1/32", "1.1.1.3/32")), prefixes("1.1.1.2/32", "1.1.1.4/32"))
-}
-
-func TestRateLogger(t *testing.T) {
-	clock := tstest.Clock{}
-	wasCalled := false
-	rl := newRateLogger(func() time.Time { return clock.Now() }, 1*time.Second, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Millisecond)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Second)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-
-	wasCalled = false
-	rl = newRateLogger(func() time.Time { return clock.Now() }, 1*time.Hour, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Minute)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Hour)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-}
-
-func TestRouteStoreMetrics(t *testing.T) {
-	metricStoreRoutes(1, 1)
-	metricStoreRoutes(1, 1)         // the 1 buckets value should be 2
-	metricStoreRoutes(5, 5)         // the 5 buckets value should be 1
-	metricStoreRoutes(6, 6)         // the 10 buckets value should be 1
-	metricStoreRoutes(10001, 10001) // the over buckets value should be 1
-	wanted := map[string]int64{
-		"appc_store_routes_n_routes_1":    2,
-		"appc_store_routes_rate_1":        2,
-		"appc_store_routes_n_routes_5":    1,
-		"appc_store_routes_rate_5":        1,
-		"appc_store_routes_n_routes_10":   1,
-		"appc_store_routes_rate_10":       1,
-		"appc_store_routes_n_routes_over": 1,
-		"appc_store_routes_rate_over":     1,
-	}
-	for _, x := range clientmetric.Metrics() {
-		if x.Value() != wanted[x.Name()] {
-			t.Errorf("%s: want: %d, got: %d", x.Name(), wanted[x.Name()], x.Value())
-		}
-	}
-}
-
-func TestMetricBucketsAreSorted(t *testing.T) {
-	if !slices.IsSorted(metricStoreRoutesRateBuckets) {
-		t.Errorf("metricStoreRoutesRateBuckets must be in order")
-	}
-	if !slices.IsSorted(metricStoreRoutesNBuckets) {
-		t.Errorf("metricStoreRoutesNBuckets must be in order")
-	}
-}

appc/appctest/appctest.go

@@ -1,7 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-// Package appctest contains code to help test App Connectors.
 package appctest
 
 import (

assert_ts_toolchain_match.go

@@ -1,27 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build tailscale_go
-
-package tailscaleroot
-
-import (
-	"fmt"
-	"os"
-	"strings"
-)
-
-func init() {
-	tsRev, ok := tailscaleToolchainRev()
-	if !ok {
-		panic("binary built with tailscale_go build tag but failed to read build info or find tailscale.toolchain.rev in build info")
-	}
-	want := strings.TrimSpace(GoToolchainRev)
-	if tsRev != want {
-		if os.Getenv("TS_PERMIT_TOOLCHAIN_MISMATCH") == "1" {
-			fmt.Fprintf(os.Stderr, "tailscale.toolchain.rev = %q, want %q; but ignoring due to TS_PERMIT_TOOLCHAIN_MISMATCH=1\n", tsRev, want)
-			return
-		}
-		panic(fmt.Sprintf("binary built with tailscale_go build tag but Go toolchain %q doesn't match github.com/tailscale/tailscale expected value %q; override this failure with TS_PERMIT_TOOLCHAIN_MISMATCH=1", tsRev, want))
-	}
-}

atomicfile/atomicfile.go

@@ -1,51 +1,51 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package atomicfile contains code related to writing to filesystems
-// atomically.
-//
-// This package should be considered internal; its API is not stable.
-package atomicfile // import "tailscale.com/atomicfile"
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"runtime"
-)
-
-// WriteFile writes data to filename+some suffix, then renames it into filename.
-// The perm argument is ignored on Windows. If the target filename already
-// exists but is not a regular file, WriteFile returns an error.
-func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	fi, err := os.Stat(filename)
-	if err == nil && !fi.Mode().IsRegular() {
-		return fmt.Errorf("%s already exists and is not a regular file", filename)
-	}
-	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
-	if err != nil {
-		return err
-	}
-	tmpName := f.Name()
-	defer func() {
-		if err != nil {
-			f.Close()
-			os.Remove(tmpName)
-		}
-	}()
-	if _, err := f.Write(data); err != nil {
-		return err
-	}
-	if runtime.GOOS != "windows" {
-		if err := f.Chmod(perm); err != nil {
-			return err
-		}
-	}
-	if err := f.Sync(); err != nil {
-		return err
-	}
-	if err := f.Close(); err != nil {
-		return err
-	}
-	return os.Rename(tmpName, filename)
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package atomicfile contains code related to writing to filesystems
+// atomically.
+//
+// This package should be considered internal; its API is not stable.
+package atomicfile // import "tailscale.com/atomicfile"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+)
+
+// WriteFile writes data to filename+some suffix, then renames it into filename.
+// The perm argument is ignored on Windows. If the target filename already
+// exists but is not a regular file, WriteFile returns an error.
+func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
+	fi, err := os.Stat(filename)
+	if err == nil && !fi.Mode().IsRegular() {
+		return fmt.Errorf("%s already exists and is not a regular file", filename)
+	}
+	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	if err != nil {
+		return err
+	}
+	tmpName := f.Name()
+	defer func() {
+		if err != nil {
+			f.Close()
+			os.Remove(tmpName)
+		}
+	}()
+	if _, err := f.Write(data); err != nil {
+		return err
+	}
+	if runtime.GOOS != "windows" {
+		if err := f.Chmod(perm); err != nil {
+			return err
+		}
+	}
+	if err := f.Sync(); err != nil {
+		return err
+	}
+	if err := f.Close(); err != nil {
+		return err
+	}
+	return os.Rename(tmpName, filename)
+}

atomicfile/atomicfile_test.go

@@ -1,47 +1,47 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !js && !windows
-
-package atomicfile
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"testing"
-)
-
-func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
-	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
-	// atomicfile.Write should likely not attempt to overwrite an irregular file
-	// such as a device node, socket, or named pipe.
-
-	const filename = "TestDoesNotOverwriteIrregularFiles"
-	var path string
-	// macOS private temp does not allow unix socket creation, but /tmp does.
-	if runtime.GOOS == "darwin" {
-		path = filepath.Join("/tmp", filename)
-		t.Cleanup(func() { os.Remove(path) })
-	} else {
-		path = filepath.Join(t.TempDir(), filename)
-	}
-
-	// The least troublesome thing to make that is not a file is a unix socket.
-	// Making a null device sadly requires root.
-	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer l.Close()
-
-	err = WriteFile(path, []byte("hello"), 0644)
-	if err == nil {
-		t.Fatal("expected error, got nil")
-	}
-	if !strings.Contains(err.Error(), "is not a regular file") {
-		t.Fatalf("unexpected error: %v", err)
-	}
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !js && !windows
+
+package atomicfile
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
+	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
+	// atomicfile.Write should likely not attempt to overwrite an irregular file
+	// such as a device node, socket, or named pipe.
+
+	const filename = "TestDoesNotOverwriteIrregularFiles"
+	var path string
+	// macOS private temp does not allow unix socket creation, but /tmp does.
+	if runtime.GOOS == "darwin" {
+		path = filepath.Join("/tmp", filename)
+		t.Cleanup(func() { os.Remove(path) })
+	} else {
+		path = filepath.Join(t.TempDir(), filename)
+	}
+
+	// The least troublesome thing to make that is not a file is a unix socket.
+	// Making a null device sadly requires root.
+	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	err = WriteFile(path, []byte("hello"), 0644)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "is not a regular file") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}

build_dist.sh

@@ -37,7 +37,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
 		;;
 	--box)
 		shift

build_docker.sh

@@ -1,36 +1,38 @@
 #!/usr/bin/env sh
+
 #
-# This script builds Tailscale container images using
-# github.com/tailscale/mkctr.
-# By default the images will be tagged with the current version and git
-# hash of this repository as produced by ./cmd/mkversion.
-# This is the image build mechanim used to build the official Tailscale
-# container images.
+# Runs `go build` with flags configured for docker distribution. All
+# it does differently from `go build` is burn git commit and version
+# information into the binaries inside docker, so that we can track down user
+# issues.
+#
+############################################################################
+#
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
+#
+# See current bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
 
 set -eu
 
 # Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
-export PATH="$PWD"/tool:"$PATH"
+export PATH=$PWD/tool:$PATH
 
-eval "$(./build_dist.sh shellvars)"
+eval $(./build_dist.sh shellvars)
 
 DEFAULT_TARGET="client"
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
 DEFAULT_BASE="tailscale/alpine-base:3.18"
-# Set a few pre-defined OCI annotations. The source annotation is used by tools such as Renovate that scan the linked
-# Github repo to find release notes for any new image tags. Note that for official Tailscale images the default
-# annotations defined here will be overriden by release scripts that call this script.
-# https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
-DEFAULT_ANNOTATIONS="org.opencontainers.image.source=https://github.com/tailscale/tailscale/blob/main/build_docker.sh,org.opencontainers.image.vendor=Tailscale"
 
 PUSH="${PUSH:-false}"
 TARGET="${TARGET:-${DEFAULT_TARGET}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
 PLATFORM="${PLATFORM:-}" # default to all platforms
-# OCI annotations that will be added to the image.
-# https://github.com/opencontainers/image-spec/blob/main/annotations.md
-ANNOTATIONS="${ANNOTATIONS:-${DEFAULT_ANNOTATIONS}}"
 
 case "$TARGET" in
   client)
@@ -47,14 +49,12 @@ case "$TARGET" in
         -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
       --target="${PLATFORM}" \
-      --annotations="${ANNOTATIONS}" \
       /usr/local/bin/containerboot
     ;;
-  k8s-operator)
+  operator)
     DEFAULT_REPOS="tailscale/k8s-operator"
     REPOS="${REPOS:-${DEFAULT_REPOS}}"
     go run github.com/tailscale/mkctr \
@@ -65,33 +65,13 @@ case "$TARGET" in
         -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
       --target="${PLATFORM}" \
-      --annotations="${ANNOTATIONS}" \
       /usr/local/bin/operator
     ;;
-  k8s-nameserver)
-    DEFAULT_REPOS="tailscale/k8s-nameserver"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
-    go run github.com/tailscale/mkctr \
-      --gopaths="tailscale.com/cmd/k8s-nameserver:/usr/local/bin/k8s-nameserver" \
-      --ldflags=" \
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
-      --base="${BASE}" \
-      --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
-      --repos="${REPOS}" \
-      --push="${PUSH}" \
-      --target="${PLATFORM}" \
-      --annotations="${ANNOTATIONS}" \
-      /usr/local/bin/k8s-nameserver
-    ;;
   *)
     echo "unknown target: $TARGET"
     exit 1
     ;;
-esac
+esac

chirp/chirp.go

@@ -1,163 +1,163 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package chirp implements a client to communicate with the BIRD Internet
-// Routing Daemon.
-package chirp
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"strings"
-	"time"
-)
-
-const (
-	// Maximum amount of time we should wait when reading a response from BIRD.
-	responseTimeout = 10 * time.Second
-)
-
-// New creates a BIRDClient.
-func New(socket string) (*BIRDClient, error) {
-	return newWithTimeout(socket, responseTimeout)
-}
-
-func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
-	conn, err := net.Dial("unix", socket)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
-	}
-	defer func() {
-		if err != nil {
-			conn.Close()
-		}
-	}()
-
-	b := &BIRDClient{
-		socket:  socket,
-		conn:    conn,
-		scanner: bufio.NewScanner(conn),
-		timeNow: time.Now,
-		timeout: timeout,
-	}
-	// Read and discard the first line as that is the welcome message.
-	if _, err := b.readResponse(); err != nil {
-		return nil, err
-	}
-	return b, nil
-}
-
-// BIRDClient handles communication with the BIRD Internet Routing Daemon.
-type BIRDClient struct {
-	socket  string
-	conn    net.Conn
-	scanner *bufio.Scanner
-	timeNow func() time.Time
-	timeout time.Duration
-}
-
-// Close closes the underlying connection to BIRD.
-func (b *BIRDClient) Close() error { return b.conn.Close() }
-
-// DisableProtocol disables the provided protocol.
-func (b *BIRDClient) DisableProtocol(protocol string) error {
-	out, err := b.exec("disable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already disabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: disabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to disable %s: %v", protocol, out)
-}
-
-// EnableProtocol enables the provided protocol.
-func (b *BIRDClient) EnableProtocol(protocol string) error {
-	out, err := b.exec("enable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already enabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: enabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to enable %s: %v", protocol, out)
-}
-
-// BIRD CLI docs from https://bird.network.cz/?get_doc&v=20&f=prog-2.html#ss2.9
-
-// Each session of the CLI consists of a sequence of request and replies,
-// slightly resembling the FTP and SMTP protocols.
-// Requests are commands encoded as a single line of text,
-// replies are sequences of lines starting with a four-digit code
-// followed by either a space (if it's the last line of the reply) or
-// a minus sign (when the reply is going to continue with the next line),
-// the rest of the line contains a textual message semantics of which depends on the numeric code.
-// If a reply line has the same code as the previous one and it's a continuation line,
-// the whole prefix can be replaced by a single white space character.
-//
-// Reply codes starting with 0 stand for ‘action successfully completed’ messages,
-// 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.
-
-func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
-	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
-		return "", err
-	}
-	if _, err := fmt.Fprintln(b.conn); err != nil {
-		return "", err
-	}
-	return b.readResponse()
-}
-
-// hasResponseCode reports whether the provided byte slice is
-// prefixed with a BIRD response code.
-// Equivalent regex: `^\d{4}[ -]`.
-func hasResponseCode(s []byte) bool {
-	if len(s) < 5 {
-		return false
-	}
-	for _, b := range s[:4] {
-		if '0' <= b && b <= '9' {
-			continue
-		}
-		return false
-	}
-	return s[4] == ' ' || s[4] == '-'
-}
-
-func (b *BIRDClient) readResponse() (string, error) {
-	// Set the read timeout before we start reading anything.
-	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-
-	var resp strings.Builder
-	var done bool
-	for !done {
-		if !b.scanner.Scan() {
-			if err := b.scanner.Err(); err != nil {
-				return "", err
-			}
-
-			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
-		}
-		out := b.scanner.Bytes()
-		if _, err := resp.Write(out); err != nil {
-			return "", err
-		}
-		if hasResponseCode(out) {
-			done = out[4] == ' '
-		}
-		if !done {
-			resp.WriteRune('\n')
-		}
-	}
-	return resp.String(), nil
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package chirp implements a client to communicate with the BIRD Internet
+// Routing Daemon.
+package chirp
+
+import (
+	"bufio"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+)
+
+const (
+	// Maximum amount of time we should wait when reading a response from BIRD.
+	responseTimeout = 10 * time.Second
+)
+
+// New creates a BIRDClient.
+func New(socket string) (*BIRDClient, error) {
+	return newWithTimeout(socket, responseTimeout)
+}
+
+func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
+	conn, err := net.Dial("unix", socket)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			conn.Close()
+		}
+	}()
+
+	b := &BIRDClient{
+		socket:  socket,
+		conn:    conn,
+		scanner: bufio.NewScanner(conn),
+		timeNow: time.Now,
+		timeout: timeout,
+	}
+	// Read and discard the first line as that is the welcome message.
+	if _, err := b.readResponse(); err != nil {
+		return nil, err
+	}
+	return b, nil
+}
+
+// BIRDClient handles communication with the BIRD Internet Routing Daemon.
+type BIRDClient struct {
+	socket  string
+	conn    net.Conn
+	scanner *bufio.Scanner
+	timeNow func() time.Time
+	timeout time.Duration
+}
+
+// Close closes the underlying connection to BIRD.
+func (b *BIRDClient) Close() error { return b.conn.Close() }
+
+// DisableProtocol disables the provided protocol.
+func (b *BIRDClient) DisableProtocol(protocol string) error {
+	out, err := b.exec("disable %s", protocol)
+	if err != nil {
+		return err
+	}
+	if strings.Contains(out, fmt.Sprintf("%s: already disabled", protocol)) {
+		return nil
+	} else if strings.Contains(out, fmt.Sprintf("%s: disabled", protocol)) {
+		return nil
+	}
+	return fmt.Errorf("failed to disable %s: %v", protocol, out)
+}
+
+// EnableProtocol enables the provided protocol.
+func (b *BIRDClient) EnableProtocol(protocol string) error {
+	out, err := b.exec("enable %s", protocol)
+	if err != nil {
+		return err
+	}
+	if strings.Contains(out, fmt.Sprintf("%s: already enabled", protocol)) {
+		return nil
+	} else if strings.Contains(out, fmt.Sprintf("%s: enabled", protocol)) {
+		return nil
+	}
+	return fmt.Errorf("failed to enable %s: %v", protocol, out)
+}
+
+// BIRD CLI docs from https://bird.network.cz/?get_doc&v=20&f=prog-2.html#ss2.9
+
+// Each session of the CLI consists of a sequence of request and replies,
+// slightly resembling the FTP and SMTP protocols.
+// Requests are commands encoded as a single line of text,
+// replies are sequences of lines starting with a four-digit code
+// followed by either a space (if it's the last line of the reply) or
+// a minus sign (when the reply is going to continue with the next line),
+// the rest of the line contains a textual message semantics of which depends on the numeric code.
+// If a reply line has the same code as the previous one and it's a continuation line,
+// the whole prefix can be replaced by a single white space character.
+//
+// Reply codes starting with 0 stand for ‘action successfully completed’ messages,
+// 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.
+
+func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
+	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
+		return "", err
+	}
+	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
+		return "", err
+	}
+	if _, err := fmt.Fprintln(b.conn); err != nil {
+		return "", err
+	}
+	return b.readResponse()
+}
+
+// hasResponseCode reports whether the provided byte slice is
+// prefixed with a BIRD response code.
+// Equivalent regex: `^\d{4}[ -]`.
+func hasResponseCode(s []byte) bool {
+	if len(s) < 5 {
+		return false
+	}
+	for _, b := range s[:4] {
+		if '0' <= b && b <= '9' {
+			continue
+		}
+		return false
+	}
+	return s[4] == ' ' || s[4] == '-'
+}
+
+func (b *BIRDClient) readResponse() (string, error) {
+	// Set the read timeout before we start reading anything.
+	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
+		return "", err
+	}
+
+	var resp strings.Builder
+	var done bool
+	for !done {
+		if !b.scanner.Scan() {
+			if err := b.scanner.Err(); err != nil {
+				return "", err
+			}
+
+			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
+		}
+		out := b.scanner.Bytes()
+		if _, err := resp.Write(out); err != nil {
+			return "", err
+		}
+		if hasResponseCode(out) {
+			done = out[4] == ' '
+		}
+		if !done {
+			resp.WriteRune('\n')
+		}
+	}
+	return resp.String(), nil
+}

chirp/chirp_test.go

@@ -1,192 +1,192 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-package chirp
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-)
-
-type fakeBIRD struct {
-	net.Listener
-	protocolsEnabled map[string]bool
-	sock             string
-}
-
-func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pe := make(map[string]bool)
-	for _, p := range protocols {
-		pe[p] = false
-	}
-	return &fakeBIRD{
-		Listener:         l,
-		protocolsEnabled: pe,
-		sock:             sock,
-	}
-}
-
-func (fb *fakeBIRD) listen() error {
-	for {
-		c, err := fb.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		go fb.handle(c)
-	}
-}
-
-func (fb *fakeBIRD) handle(c net.Conn) {
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-	sc := bufio.NewScanner(c)
-	for sc.Scan() {
-		cmd := sc.Text()
-		args := strings.Split(cmd, " ")
-		switch args[0] {
-		case "enable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if en {
-				fmt.Fprintf(c, "0010-%s: already enabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0011-%s: enabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = true
-		case "disable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if !en {
-				fmt.Fprintf(c, "0008-%s: already disabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0009-%s: disabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = false
-		}
-	}
-}
-
-func TestChirp(t *testing.T) {
-	fb := newFakeBIRD(t, "tailscale")
-	defer fb.Close()
-	go fb.listen()
-	c, err := New(fb.sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeeded", "rando")
-	}
-	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeeded", "rando")
-	}
-}
-
-type hangingListener struct {
-	net.Listener
-	t    *testing.T
-	done chan struct{}
-	wg   sync.WaitGroup
-	sock string
-}
-
-func newHangingListener(t *testing.T) *hangingListener {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return &hangingListener{
-		Listener: l,
-		t:        t,
-		done:     make(chan struct{}),
-		sock:     sock,
-	}
-}
-
-func (hl *hangingListener) Stop() {
-	hl.Close()
-	close(hl.done)
-	hl.wg.Wait()
-}
-
-func (hl *hangingListener) listen() error {
-	for {
-		c, err := hl.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		hl.wg.Add(1)
-		go hl.handle(c)
-	}
-}
-
-func (hl *hangingListener) handle(c net.Conn) {
-	defer hl.wg.Done()
-
-	// Write our fake first line of response so that we get into the read loop
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-
-	ticker := time.NewTicker(2 * time.Second)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ticker.C:
-			hl.t.Logf("connection still hanging")
-		case <-hl.done:
-			return
-		}
-	}
-}
-
-func TestChirpTimeout(t *testing.T) {
-	fb := newHangingListener(t)
-	defer fb.Stop()
-	go fb.listen()
-
-	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = c.EnableProtocol("tailscale")
-	if err == nil {
-		t.Fatal("got err=nil, want timeout")
-	}
-	if !os.IsTimeout(err) {
-		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
-	}
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+package chirp
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+)
+
+type fakeBIRD struct {
+	net.Listener
+	protocolsEnabled map[string]bool
+	sock             string
+}
+
+func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
+	sock := filepath.Join(t.TempDir(), "sock")
+	l, err := net.Listen("unix", sock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pe := make(map[string]bool)
+	for _, p := range protocols {
+		pe[p] = false
+	}
+	return &fakeBIRD{
+		Listener:         l,
+		protocolsEnabled: pe,
+		sock:             sock,
+	}
+}
+
+func (fb *fakeBIRD) listen() error {
+	for {
+		c, err := fb.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			return err
+		}
+		go fb.handle(c)
+	}
+}
+
+func (fb *fakeBIRD) handle(c net.Conn) {
+	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
+	sc := bufio.NewScanner(c)
+	for sc.Scan() {
+		cmd := sc.Text()
+		args := strings.Split(cmd, " ")
+		switch args[0] {
+		case "enable":
+			en, ok := fb.protocolsEnabled[args[1]]
+			if !ok {
+				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
+			} else if en {
+				fmt.Fprintf(c, "0010-%s: already enabled\n", args[1])
+			} else {
+				fmt.Fprintf(c, "0011-%s: enabled\n", args[1])
+			}
+			fmt.Fprintln(c, "0000 ")
+			fb.protocolsEnabled[args[1]] = true
+		case "disable":
+			en, ok := fb.protocolsEnabled[args[1]]
+			if !ok {
+				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
+			} else if !en {
+				fmt.Fprintf(c, "0008-%s: already disabled\n", args[1])
+			} else {
+				fmt.Fprintf(c, "0009-%s: disabled\n", args[1])
+			}
+			fmt.Fprintln(c, "0000 ")
+			fb.protocolsEnabled[args[1]] = false
+		}
+	}
+}
+
+func TestChirp(t *testing.T) {
+	fb := newFakeBIRD(t, "tailscale")
+	defer fb.Close()
+	go fb.listen()
+	c, err := New(fb.sock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := c.EnableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.EnableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.DisableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.DisableProtocol("tailscale"); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.EnableProtocol("rando"); err == nil {
+		t.Fatalf("enabling %q succeeded", "rando")
+	}
+	if err := c.DisableProtocol("rando"); err == nil {
+		t.Fatalf("disabling %q succeeded", "rando")
+	}
+}
+
+type hangingListener struct {
+	net.Listener
+	t    *testing.T
+	done chan struct{}
+	wg   sync.WaitGroup
+	sock string
+}
+
+func newHangingListener(t *testing.T) *hangingListener {
+	sock := filepath.Join(t.TempDir(), "sock")
+	l, err := net.Listen("unix", sock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return &hangingListener{
+		Listener: l,
+		t:        t,
+		done:     make(chan struct{}),
+		sock:     sock,
+	}
+}
+
+func (hl *hangingListener) Stop() {
+	hl.Close()
+	close(hl.done)
+	hl.wg.Wait()
+}
+
+func (hl *hangingListener) listen() error {
+	for {
+		c, err := hl.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			return err
+		}
+		hl.wg.Add(1)
+		go hl.handle(c)
+	}
+}
+
+func (hl *hangingListener) handle(c net.Conn) {
+	defer hl.wg.Done()
+
+	// Write our fake first line of response so that we get into the read loop
+	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
+
+	ticker := time.NewTicker(2 * time.Second)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ticker.C:
+			hl.t.Logf("connection still hanging")
+		case <-hl.done:
+			return
+		}
+	}
+}
+
+func TestChirpTimeout(t *testing.T) {
+	fb := newHangingListener(t)
+	defer fb.Stop()
+	go fb.listen()
+
+	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = c.EnableProtocol("tailscale")
+	if err == nil {
+		t.Fatal("got err=nil, want timeout")
+	}
+	if !os.IsTimeout(err) {
+		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
+	}
+}

client/tailscale/acl.go

@@ -19,7 +19,6 @@ import (
 // Only one of Src/Dst or Users/Ports may be specified.
 type ACLRow struct {
 	Action string   `json:"action,omitempty"` // valid values: "accept"
-	Proto  string   `json:"proto,omitempty"`  // protocol
 	Users  []string `json:"users,omitempty"`  // old name for src
 	Ports  []string `json:"ports,omitempty"`  // old name for dst
 	Src    []string `json:"src,omitempty"`
@@ -32,23 +31,12 @@ type ACLRow struct {
 type ACLTest struct {
 	Src    string   `json:"src,omitempty"`    // source
 	User   string   `json:"user,omitempty"`   // old name for source
-	Proto  string   `json:"proto,omitempty"`  // protocol
 	Accept []string `json:"accept,omitempty"` // expected destination ip:port that user can access
 	Deny   []string `json:"deny,omitempty"`   // expected destination ip:port that user cannot access
 
 	Allow []string `json:"allow,omitempty"` // old name for accept
 }
 
-// NodeAttrGrant defines additional string attributes that apply to specific devices.
-type NodeAttrGrant struct {
-	// Target specifies which nodes the attributes apply to. The nodes can be a
-	// tag (tag:server), user (alice@example.com), group (group:kids), or *.
-	Target []string `json:"target,omitempty"`
-
-	// Attr are the attributes to set on Target(s).
-	Attr []string `json:"attr,omitempty"`
-}
-
 // ACLDetails contains all the details for an ACL.
 type ACLDetails struct {
 	Tests     []ACLTest           `json:"tests,omitempty"`
@@ -56,7 +44,6 @@ type ACLDetails struct {
 	Groups    map[string][]string `json:"groups,omitempty"`
 	TagOwners map[string][]string `json:"tagowners,omitempty"`
 	Hosts     map[string]string   `json:"hosts,omitempty"`
-	NodeAttrs []NodeAttrGrant     `json:"nodeAttrs,omitempty"`
 }
 
 // ACL contains an ACLDetails and metadata.
@@ -163,12 +150,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 // ACLTestFailureSummary specifies the JSON format sent to the
 // JavaScript client to be rendered in the HTML.
 type ACLTestFailureSummary struct {
-	// User is the source ("src") value of the ACL test that failed.
-	// The name "user" is a legacy holdover from the original naming and
-	// is kept for compatibility but it may also contain any value
-	// that's valid in a ACL test "src" field.
-	User string `json:"user,omitempty"`
-
+	User     string   `json:"user,omitempty"`
 	Errors   []string `json:"errors,omitempty"`
 	Warnings []string `json:"warnings,omitempty"`
 }
@@ -288,17 +270,6 @@ type UserRuleMatch struct {
 	Users      []string `json:"users"`
 	Ports      []string `json:"ports"`
 	LineNumber int      `json:"lineNumber"`
-	// Via is the list of targets through which Users can access Ports.
-	// See https://tailscale.com/kb/1378/via for more information.
-	Via []string `json:"via,omitempty"`
-
-	// Postures is a list of posture policies that are
-	// associated with this match. The rules can be looked
-	// up in the ACLPreviewResponse parent struct.
-	// The source of the list is from srcPosture on
-	// an ACL or Grant rule:
-	// https://tailscale.com/kb/1288/device-posture#posture-conditions
-	Postures []string `json:"postures"`
 }
 
 // ACLPreviewResponse is the response type of previewACLPostRequest
@@ -306,12 +277,6 @@ type ACLPreviewResponse struct {
 	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
 	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
 	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
-
-	// Postures is a map of postures and associated rules that apply
-	// to this preview.
-	// For more details about the posture mapping, see:
-	// https://tailscale.com/kb/1288/device-posture#postures
-	Postures map[string][]string `json:"postures,omitempty"`
 }
 
 // ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
@@ -319,12 +284,6 @@ type ACLPreview struct {
 	Matches []UserRuleMatch `json:"matches"`
 	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
 	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
-
-	// Postures is a map of postures and associated rules that apply
-	// to this preview.
-	// For more details about the posture mapping, see:
-	// https://tailscale.com/kb/1288/device-posture#postures
-	Postures map[string][]string `json:"postures,omitempty"`
 }
 
 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
@@ -382,9 +341,8 @@ func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (r
 	}
 
 	return &ACLPreview{
-		Matches:  b.Matches,
-		User:     b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		User:    b.PreviewFor,
 	}, nil
 }
 
@@ -411,9 +369,8 @@ func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.
 	}
 
 	return &ACLPreview{
-		Matches:  b.Matches,
-		IPPort:   b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
 	}, nil
 }
 
@@ -437,9 +394,8 @@ func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, use
 	}
 
 	return &ACLPreview{
-		Matches:  b.Matches,
-		User:     b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		User:    b.PreviewFor,
 	}, nil
 }
 
@@ -463,9 +419,8 @@ func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, i
 	}
 
 	return &ACLPreview{
-		Matches:  b.Matches,
-		IPPort:   b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
 	}, nil
 }
 

client/tailscale/apitype/apitype.go

@@ -4,10 +4,7 @@
 // Package apitype contains types for the Tailscale LocalAPI and control plane API.
 package apitype
 
-import (
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
-)
+import "tailscale.com/tailcfg"
 
 // LocalAPIHost is the Host header value used by the LocalAPI.
 const LocalAPIHost = "local-tailscaled.sock"
@@ -52,27 +49,3 @@ type ReloadConfigResponse struct {
 	Reloaded bool   // whether the config was reloaded
 	Err      string // any error message
 }
-
-// ExitNodeSuggestionResponse is the response to a LocalAPI suggest-exit-node GET request.
-// It returns the StableNodeID, name, and location of a suggested exit node for the client making the request.
-type ExitNodeSuggestionResponse struct {
-	ID       tailcfg.StableNodeID
-	Name     string
-	Location tailcfg.LocationView `json:",omitempty"`
-}
-
-// DNSOSConfig mimics dns.OSConfig without forcing us to import the entire dns package
-// into the CLI.
-type DNSOSConfig struct {
-	Nameservers   []string
-	SearchDomains []string
-	MatchDomains  []string
-}
-
-// DNSQueryResponse is the response to a DNS query request sent via LocalAPI.
-type DNSQueryResponse struct {
-	// Bytes is the raw DNS response bytes.
-	Bytes []byte
-	// Resolvers is the list of resolvers that the forwarder deemed able to resolve the query.
-	Resolvers []*dnstype.Resolver
-}

client/tailscale/apitype/controltype.go

@@ -1,19 +1,19 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package apitype
-
-type DNSConfig struct {
-	Resolvers          []DNSResolver            `json:"resolvers"`
-	FallbackResolvers  []DNSResolver            `json:"fallbackResolvers"`
-	Routes             map[string][]DNSResolver `json:"routes"`
-	Domains            []string                 `json:"domains"`
-	Nameservers        []string                 `json:"nameservers"`
-	Proxied            bool                     `json:"proxied"`
-	TempCorpIssue13969 string                   `json:"TempCorpIssue13969,omitempty"`
-}
-
-type DNSResolver struct {
-	Addr                string   `json:"addr"`
-	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package apitype
+
+type DNSConfig struct {
+	Resolvers          []DNSResolver            `json:"resolvers"`
+	FallbackResolvers  []DNSResolver            `json:"fallbackResolvers"`
+	Routes             map[string][]DNSResolver `json:"routes"`
+	Domains            []string                 `json:"domains"`
+	Nameservers        []string                 `json:"nameservers"`
+	Proxied            bool                     `json:"proxied"`
+	TempCorpIssue13969 string                   `json:"TempCorpIssue13969,omitempty"`
+}
+
+type DNSResolver struct {
+	Addr                string   `json:"addr"`
+	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
+}

client/tailscale/devices.go

@@ -10,7 +10,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"log"
 	"net/http"
 	"net/url"
 
@@ -40,7 +39,6 @@ type Device struct {
 	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
 	Addresses []string `json:"addresses"`
 	DeviceID  string   `json:"id"`
-	NodeID    string   `json:"nodeId"`
 	User      string   `json:"user"`
 	Name      string   `json:"name"`
 	Hostname  string   `json:"hostname"`
@@ -215,9 +213,6 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	if err != nil {
 		return err
 	}
-
-	log.Printf("RESP: %di, path: %s", resp.StatusCode, path)
-
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {

client/tailscale/dns.go

@@ -1,233 +1,233 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"tailscale.com/client/tailscale/apitype"
-)
-
-// DNSNameServers is returned when retrieving the list of nameservers.
-// It is also the structure provided when setting nameservers.
-type DNSNameServers struct {
-	DNS []string `json:"dns"` // DNS name servers
-}
-
-// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
-//
-// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
-type DNSNameServersPostResponse struct {
-	DNS      []string `json:"dns"`      // DNS name servers
-	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-// DNSSearchpaths is the list of search paths for a given domain.
-type DNSSearchPaths struct {
-	SearchPaths []string `json:"searchPaths"` // DNS search paths
-}
-
-// DNSPreferences is the preferences set for a given tailnet.
-//
-// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
-// there must be at least one nameserver. When all nameservers are removed,
-// MagicDNS is disabled.
-type DNSPreferences struct {
-	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	data, err := json.Marshal(&postData)
-	if err != nil {
-		return nil, err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	req.Header.Set("Content-Type", "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-// DNSConfig retrieves the DNSConfig settings for a domain.
-func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "config")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp apitype.DNSConfig
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
-		}
-	}()
-	var dnsResp apitype.DNSConfig
-	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-// NameServers retrieves the list of nameservers set for a domain.
-func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.NameServers: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "nameservers")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSNameServers
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.DNS, err
-}
-
-// SetNameServers sets the list of nameservers for a tailnet to the list provided
-// by the user.
-//
-// It returns the new list of nameservers and the MagicDNS status in case it was
-// affected by the change. For example, removing all nameservers will turn off
-// MagicDNS.
-func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
-		}
-	}()
-	dnsReq := DNSNameServers{DNS: nameservers}
-	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// DNSPreferences retrieves the DNS preferences set for a tailnet.
-//
-// It returns the status of MagicDNS.
-func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "preferences")
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SetDNSPreferences sets the DNS preferences for a tailnet.
-//
-// MagicDNS can only be enabled when there is at least one nameserver provided.
-// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
-// unless explicitly enabled by a user again.
-func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
-		}
-	}()
-	dnsReq := DNSPreferences{MagicDNS: magicDNS}
-	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
-	if err != nil {
-		return
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SearchPaths retrieves the list of searchpaths set for a tailnet.
-func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "searchpaths")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp *DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
-
-// SetSearchPaths sets the list of searchpaths for a tailnet.
-func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
-		}
-	}()
-	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
-	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build go1.19
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"tailscale.com/client/tailscale/apitype"
+)
+
+// DNSNameServers is returned when retrieving the list of nameservers.
+// It is also the structure provided when setting nameservers.
+type DNSNameServers struct {
+	DNS []string `json:"dns"` // DNS name servers
+}
+
+// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
+//
+// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
+type DNSNameServersPostResponse struct {
+	DNS      []string `json:"dns"`      // DNS name servers
+	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
+}
+
+// DNSSearchpaths is the list of search paths for a given domain.
+type DNSSearchPaths struct {
+	SearchPaths []string `json:"searchPaths"` // DNS search paths
+}
+
+// DNSPreferences is the preferences set for a given tailnet.
+//
+// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
+// there must be at least one nameserver. When all nameservers are removed,
+// MagicDNS is disabled.
+type DNSPreferences struct {
+	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
+}
+
+func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	return b, nil
+}
+
+func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	data, err := json.Marshal(&postData)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	req.Header.Set("Content-Type", "application/json")
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	return b, nil
+}
+
+// DNSConfig retrieves the DNSConfig settings for a domain.
+func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "config")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp apitype.DNSConfig
+	err = json.Unmarshal(b, &dnsResp)
+	return &dnsResp, err
+}
+
+func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
+		}
+	}()
+	var dnsResp apitype.DNSConfig
+	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return &dnsResp, err
+}
+
+// NameServers retrieves the list of nameservers set for a domain.
+func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.NameServers: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "nameservers")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp DNSNameServers
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.DNS, err
+}
+
+// SetNameServers sets the list of nameservers for a tailnet to the list provided
+// by the user.
+//
+// It returns the new list of nameservers and the MagicDNS status in case it was
+// affected by the change. For example, removing all nameservers will turn off
+// MagicDNS.
+func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
+		}
+	}()
+	dnsReq := DNSNameServers{DNS: nameservers}
+	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// DNSPreferences retrieves the DNS preferences set for a tailnet.
+//
+// It returns the status of MagicDNS.
+func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "preferences")
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// SetDNSPreferences sets the DNS preferences for a tailnet.
+//
+// MagicDNS can only be enabled when there is at least one nameserver provided.
+// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
+// unless explicitly enabled by a user again.
+func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
+		}
+	}()
+	dnsReq := DNSPreferences{MagicDNS: magicDNS}
+	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
+	if err != nil {
+		return
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// SearchPaths retrieves the list of searchpaths set for a tailnet.
+func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "searchpaths")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp *DNSSearchPaths
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.SearchPaths, err
+}
+
+// SetSearchPaths sets the list of searchpaths for a tailnet.
+func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
+		}
+	}()
+	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
+	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp DNSSearchPaths
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.SearchPaths, err
+}

client/tailscale/example/servetls/servetls.go

@@ -1,28 +1,28 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The servetls program shows how to run an HTTPS server
-// using a Tailscale cert via LetsEncrypt.
-package main
-
-import (
-	"crypto/tls"
-	"io"
-	"log"
-	"net/http"
-
-	"tailscale.com/client/tailscale"
-)
-
-func main() {
-	s := &http.Server{
-		TLSConfig: &tls.Config{
-			GetCertificate: tailscale.GetCertificate,
-		},
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")
-		}),
-	}
-	log.Printf("Running TLS server on :443 ...")
-	log.Fatal(s.ListenAndServeTLS("", ""))
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// The servetls program shows how to run an HTTPS server
+// using a Tailscale cert via LetsEncrypt.
+package main
+
+import (
+	"crypto/tls"
+	"io"
+	"log"
+	"net/http"
+
+	"tailscale.com/client/tailscale"
+)
+
+func main() {
+	s := &http.Server{
+		TLSConfig: &tls.Config{
+			GetCertificate: tailscale.GetCertificate,
+		},
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")
+		}),
+	}
+	log.Printf("Running TLS server on :443 ...")
+	log.Fatal(s.ListenAndServeTLS("", ""))
+}

client/tailscale/keys.go

@@ -1,166 +1,166 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-)
-
-// Key represents a Tailscale API or auth key.
-type Key struct {
-	ID           string          `json:"id"`
-	Created      time.Time       `json:"created"`
-	Expires      time.Time       `json:"expires"`
-	Capabilities KeyCapabilities `json:"capabilities"`
-}
-
-// KeyCapabilities are the capabilities of a Key.
-type KeyCapabilities struct {
-	Devices KeyDeviceCapabilities `json:"devices,omitempty"`
-}
-
-// KeyDeviceCapabilities are the device-related capabilities of a Key.
-type KeyDeviceCapabilities struct {
-	Create KeyDeviceCreateCapabilities `json:"create"`
-}
-
-// KeyDeviceCreateCapabilities are the device creation capabilities of a Key.
-type KeyDeviceCreateCapabilities struct {
-	Reusable      bool     `json:"reusable"`
-	Ephemeral     bool     `json:"ephemeral"`
-	Preauthorized bool     `json:"preauthorized"`
-	Tags          []string `json:"tags,omitempty"`
-}
-
-// Keys returns the list of keys for the current user.
-func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var keys struct {
-		Keys []*Key `json:"keys"`
-	}
-	if err := json.Unmarshal(b, &keys); err != nil {
-		return nil, err
-	}
-	ret := make([]string, 0, len(keys.Keys))
-	for _, k := range keys.Keys {
-		ret = append(ret, k.ID)
-	}
-	return ret, nil
-}
-
-// CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. It returns the secret key itself, which cannot be retrieved again
-// later, and the key metadata.
-//
-// To create a key with a specific expiry, use CreateKeyWithExpiry.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
-	return c.CreateKeyWithExpiry(ctx, caps, 0)
-}
-
-// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
-//
-// The time is truncated to a whole number of seconds. If zero, that means no expiration.
-func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
-
-	// convert expirySeconds to an int64 (seconds)
-	expirySeconds := int64(expiry.Seconds())
-	if expirySeconds < 0 {
-		return "", nil, fmt.Errorf("expiry must be positive")
-	}
-	if expirySeconds == 0 && expiry != 0 {
-		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
-	}
-
-	keyRequest := struct {
-		Capabilities  KeyCapabilities `json:"capabilities"`
-		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
-	}{caps, int64(expirySeconds)}
-	bs, err := json.Marshal(keyRequest)
-	if err != nil {
-		return "", nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
-	if err != nil {
-		return "", nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return "", nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return "", nil, handleErrorResponse(b, resp)
-	}
-
-	var key struct {
-		Key
-		Secret string `json:"key"`
-	}
-	if err := json.Unmarshal(b, &key); err != nil {
-		return "", nil, err
-	}
-	return key.Secret, &key.Key, nil
-}
-
-// Key returns the metadata for the given key ID. Currently, capabilities are
-// only returned for auth keys, API keys only return general metadata.
-func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var key Key
-	if err := json.Unmarshal(b, &key); err != nil {
-		return nil, err
-	}
-	return &key, nil
-}
-
-// DeleteKey deletes the key with the given ID.
-func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+)
+
+// Key represents a Tailscale API or auth key.
+type Key struct {
+	ID           string          `json:"id"`
+	Created      time.Time       `json:"created"`
+	Expires      time.Time       `json:"expires"`
+	Capabilities KeyCapabilities `json:"capabilities"`
+}
+
+// KeyCapabilities are the capabilities of a Key.
+type KeyCapabilities struct {
+	Devices KeyDeviceCapabilities `json:"devices,omitempty"`
+}
+
+// KeyDeviceCapabilities are the device-related capabilities of a Key.
+type KeyDeviceCapabilities struct {
+	Create KeyDeviceCreateCapabilities `json:"create"`
+}
+
+// KeyDeviceCreateCapabilities are the device creation capabilities of a Key.
+type KeyDeviceCreateCapabilities struct {
+	Reusable      bool     `json:"reusable"`
+	Ephemeral     bool     `json:"ephemeral"`
+	Preauthorized bool     `json:"preauthorized"`
+	Tags          []string `json:"tags,omitempty"`
+}
+
+// Keys returns the list of keys for the current user.
+func (c *Client) Keys(ctx context.Context) ([]string, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var keys struct {
+		Keys []*Key `json:"keys"`
+	}
+	if err := json.Unmarshal(b, &keys); err != nil {
+		return nil, err
+	}
+	ret := make([]string, 0, len(keys.Keys))
+	for _, k := range keys.Keys {
+		ret = append(ret, k.ID)
+	}
+	return ret, nil
+}
+
+// CreateKey creates a new key for the current user. Currently, only auth keys
+// can be created. It returns the secret key itself, which cannot be retrieved again
+// later, and the key metadata.
+//
+// To create a key with a specific expiry, use CreateKeyWithExpiry.
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
+	return c.CreateKeyWithExpiry(ctx, caps, 0)
+}
+
+// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
+//
+// The time is truncated to a whole number of seconds. If zero, that means no expiration.
+func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
+
+	// convert expirySeconds to an int64 (seconds)
+	expirySeconds := int64(expiry.Seconds())
+	if expirySeconds < 0 {
+		return "", nil, fmt.Errorf("expiry must be positive")
+	}
+	if expirySeconds == 0 && expiry != 0 {
+		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
+	}
+
+	keyRequest := struct {
+		Capabilities  KeyCapabilities `json:"capabilities"`
+		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
+	}{caps, int64(expirySeconds)}
+	bs, err := json.Marshal(keyRequest)
+	if err != nil {
+		return "", nil, err
+	}
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
+	if err != nil {
+		return "", nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return "", nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return "", nil, handleErrorResponse(b, resp)
+	}
+
+	var key struct {
+		Key
+		Secret string `json:"key"`
+	}
+	if err := json.Unmarshal(b, &key); err != nil {
+		return "", nil, err
+	}
+	return key.Secret, &key.Key, nil
+}
+
+// Key returns the metadata for the given key ID. Currently, capabilities are
+// only returned for auth keys, API keys only return general metadata.
+func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var key Key
+	if err := json.Unmarshal(b, &key); err != nil {
+		return nil, err
+	}
+	return &key, nil
+}
+
+// DeleteKey deletes the key with the given ID.
+func (c *Client) DeleteKey(ctx context.Context, id string) error {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}

client/tailscale/localclient.go

@@ -28,7 +28,6 @@ import (
 
 	"go4.org/mem"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/drive"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -36,11 +35,10 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tailfs"
 	"tailscale.com/tka"
-	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 	"tailscale.com/types/tkatype"
-	"tailscale.com/util/syspolicy/setting"
 )
 
 // defaultLocalClient is the default LocalClient when using the legacy
@@ -71,14 +69,6 @@ type LocalClient struct {
 	// connecting to the GUI client variants.
 	UseSocketOnly bool
 
-	// OmitAuth, if true, omits sending the local Tailscale daemon any
-	// authentication token that might be required by the platform.
-	//
-	// As of 2024-08-12, only macOS uses an authentication token. OmitAuth is
-	// meant for when Dial is set and the LocalAPI is being proxied to a
-	// different operating system, such as in integration tests.
-	OmitAuth bool
-
 	// tsClient does HTTP requests to the local Tailscale daemon.
 	// It's lazily initialized on first use.
 	tsClient     *http.Client
@@ -113,7 +103,7 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 			return d.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(port))
 		}
 	}
-	return safesocket.ConnectContext(ctx, lc.socket())
+	return safesocket.Connect(lc.socket())
 }
 
 // DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
@@ -134,10 +124,8 @@ func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error)
 			},
 		}
 	})
-	if !lc.OmitAuth {
-		if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
-			req.SetBasicAuth("", token)
-		}
+	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
+		req.SetBasicAuth("", token)
 	}
 	return lc.tsClient.Do(req)
 }
@@ -265,16 +253,11 @@ func (lc *LocalClient) sendWithHeaders(
 	}
 	if res.StatusCode != wantStatus {
 		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, nil, httpStatusError{bestError(err, slurp), res.StatusCode}
+		return nil, nil, bestError(err, slurp)
 	}
 	return slurp, res.Header, nil
 }
 
-type httpStatusError struct {
-	error
-	HTTPStatus int
-}
-
 func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
 	return lc.send(ctx, "GET", path, 200, nil)
 }
@@ -295,50 +278,9 @@ func decodeJSON[T any](b []byte) (ret T, err error) {
 }
 
 // WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-//
-// If not found, the error is ErrPeerNotFound.
-//
-// For connections proxied by tailscaled, this looks up the owner of the given
-// address as TCP first, falling back to UDP; if you want to only check a
-// specific address family, use WhoIsProto.
 func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
 	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
 	if err != nil {
-		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
-			return nil, ErrPeerNotFound
-		}
-		return nil, err
-	}
-	return decodeJSON[*apitype.WhoIsResponse](body)
-}
-
-// ErrPeerNotFound is returned by WhoIs and WhoIsNodeKey when a peer is not found.
-var ErrPeerNotFound = errors.New("peer not found")
-
-// WhoIsNodeKey returns the owner of the given wireguard public key.
-//
-// If not found, the error is ErrPeerNotFound.
-func (lc *LocalClient) WhoIsNodeKey(ctx context.Context, key key.NodePublic) (*apitype.WhoIsResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(key.String()))
-	if err != nil {
-		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
-			return nil, ErrPeerNotFound
-		}
-		return nil, err
-	}
-	return decodeJSON[*apitype.WhoIsResponse](body)
-}
-
-// WhoIsProto returns the owner of the remoteAddr, which must be an IP or
-// IP:port, for the given protocol (tcp or udp).
-//
-// If not found, the error is ErrPeerNotFound.
-func (lc *LocalClient) WhoIsProto(ctx context.Context, proto, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/whois?proto="+url.QueryEscape(proto)+"&addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
-			return nil, ErrPeerNotFound
-		}
 		return nil, err
 	}
 	return decodeJSON[*apitype.WhoIsResponse](body)
@@ -355,12 +297,6 @@ func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
 	return lc.get200(ctx, "/localapi/v0/metrics")
 }
 
-// UserMetrics returns the user metrics in
-// the Prometheus text exposition format.
-func (lc *LocalClient) UserMetrics(ctx context.Context) ([]byte, error) {
-	return lc.get200(ctx, "/localapi/v0/usermetrics")
-}
-
 // IncrementCounter increments the value of a Tailscale daemon's counter
 // metric by the given delta. If the metric has yet to exist, a new counter
 // metric is created and initialized to delta.
@@ -493,17 +429,6 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }
 
-// DebugActionBody invokes a debug action with a body parameter, such as
-// "debug-force-prefer-derp".
-// These are development tools and subject to change or removal over time.
-func (lc *LocalClient) DebugActionBody(ctx context.Context, action string, rbody io.Reader) error {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, rbody)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	return nil
-}
-
 // DebugResultJSON invokes a debug action and returns its result as something JSON-able.
 // These are development tools and subject to change or removal over time.
 func (lc *LocalClient) DebugResultJSON(ctx context.Context, action string) (any, error) {
@@ -774,27 +699,6 @@ func (lc *LocalClient) CheckUDPGROForwarding(ctx context.Context) error {
 	return nil
 }
 
-// SetUDPGROForwarding enables UDP GRO forwarding for the main interface of this
-// node. This can be done to improve performance of tailnet nodes acting as exit
-// nodes or subnet routers.
-// See https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes
-func (lc *LocalClient) SetUDPGROForwarding(ctx context.Context) error {
-	body, err := lc.get200(ctx, "/localapi/v0/set-udp-gro-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from set-udp-gro-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
 // CheckPrefs validates the provided preferences, without making any changes.
 //
 // The CLI uses this before a Start call to fail fast if the preferences won't
@@ -826,62 +730,6 @@ func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn
 	return decodeJSON[*ipn.Prefs](body)
 }
 
-// GetEffectivePolicy returns the effective policy for the specified scope.
-func (lc *LocalClient) GetEffectivePolicy(ctx context.Context, scope setting.PolicyScope) (*setting.Snapshot, error) {
-	scopeID, err := scope.MarshalText()
-	if err != nil {
-		return nil, err
-	}
-	body, err := lc.get200(ctx, "/localapi/v0/policy/"+string(scopeID))
-	if err != nil {
-		return nil, err
-	}
-	return decodeJSON[*setting.Snapshot](body)
-}
-
-// ReloadEffectivePolicy reloads the effective policy for the specified scope
-// by reading and merging policy settings from all applicable policy sources.
-func (lc *LocalClient) ReloadEffectivePolicy(ctx context.Context, scope setting.PolicyScope) (*setting.Snapshot, error) {
-	scopeID, err := scope.MarshalText()
-	if err != nil {
-		return nil, err
-	}
-	body, err := lc.send(ctx, "POST", "/localapi/v0/policy/"+string(scopeID), 200, http.NoBody)
-	if err != nil {
-		return nil, err
-	}
-	return decodeJSON[*setting.Snapshot](body)
-}
-
-// GetDNSOSConfig returns the system DNS configuration for the current device.
-// That is, it returns the DNS configuration that the system would use if Tailscale weren't being used.
-func (lc *LocalClient) GetDNSOSConfig(ctx context.Context) (*apitype.DNSOSConfig, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/dns-osconfig")
-	if err != nil {
-		return nil, err
-	}
-	var osCfg apitype.DNSOSConfig
-	if err := json.Unmarshal(body, &osCfg); err != nil {
-		return nil, fmt.Errorf("invalid dns.OSConfig: %w", err)
-	}
-	return &osCfg, nil
-}
-
-// QueryDNS executes a DNS query for a name (`google.com.`) and query type (`CNAME`).
-// It returns the raw DNS response bytes and the resolvers that were used to answer the query
-// (often just one, but can be more if we raced multiple resolvers).
-func (lc *LocalClient) QueryDNS(ctx context.Context, name string, queryType string) (bytes []byte, resolvers []*dnstype.Resolver, err error) {
-	body, err := lc.get200(ctx, fmt.Sprintf("/localapi/v0/dns-query?name=%s&type=%s", url.QueryEscape(name), queryType))
-	if err != nil {
-		return nil, nil, err
-	}
-	var res apitype.DNSQueryResponse
-	if err := json.Unmarshal(body, &res); err != nil {
-		return nil, nil, fmt.Errorf("invalid query response: %w", err)
-	}
-	return res.Bytes, res.Resolvers, nil
-}
-
 // StartLoginInteractive starts an interactive login.
 func (lc *LocalClient) StartLoginInteractive(ctx context.Context) error {
 	_, err := lc.send(ctx, "POST", "/localapi/v0/login-interactive", http.StatusNoContent, nil)
@@ -930,17 +778,6 @@ func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
 //
 // The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
 func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
-	return lc.UserDial(ctx, "tcp", host, port)
-}
-
-// UserDial connects to the host's port via Tailscale for the given network.
-//
-// The host may be a base DNS name (resolved from the netmap inside tailscaled),
-// a FQDN, or an IP address.
-//
-// The ctx is only used for the duration of the call, not the lifetime of the
-// net.Conn.
-func (lc *LocalClient) UserDial(ctx context.Context, network, host string, port uint16) (net.Conn, error) {
 	connCh := make(chan net.Conn, 1)
 	trace := httptrace.ClientTrace{
 		GotConn: func(info httptrace.GotConnInfo) {
@@ -953,11 +790,10 @@ func (lc *LocalClient) UserDial(ctx context.Context, network, host string, port
 		return nil, err
 	}
 	req.Header = http.Header{
-		"Upgrade":      []string{"ts-dial"},
-		"Connection":   []string{"upgrade"},
-		"Dial-Host":    []string{host},
-		"Dial-Port":    []string{fmt.Sprint(port)},
-		"Dial-Network": []string{network},
+		"Upgrade":    []string{"ts-dial"},
+		"Connection": []string{"upgrade"},
+		"Dial-Host":  []string{host},
+		"Dial-Port":  []string{fmt.Sprint(port)},
 	}
 	res, err := lc.DoLocalRequest(req)
 	if err != nil {
@@ -1018,20 +854,7 @@ func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err e
 //
 // API maturity: this is considered a stable API.
 func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return lc.CertPairWithValidity(ctx, domain, 0)
-}
-
-// CertPairWithValidity returns a cert and private key for the provided DNS
-// domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-// When minValidity is non-zero, the returned certificate will be valid for at
-// least the given duration, if permitted by the CA. If the certificate is
-// valid, but for less than minValidity, it will be synchronously renewed.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) CertPairWithValidity(ctx context.Context, domain string, minValidity time.Duration) (certPEM, keyPEM []byte, err error) {
-	res, err := lc.send(ctx, "GET", fmt.Sprintf("/localapi/v0/cert/%s?type=pair&min_validity=%s", domain, minValidity), 200, nil)
+	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -1338,17 +1161,6 @@ func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConf
 	return nil
 }
 
-// DisconnectControl shuts down all connections to control, thus making control consider this node inactive. This can be
-// run on HA subnet router or app connector replicas before shutting them down to ensure peers get told to switch over
-// to another replica whilst there is still some grace period for the existing connections to terminate.
-func (lc *LocalClient) DisconnectControl(ctx context.Context) error {
-	_, _, err := lc.sendWithHeaders(ctx, "POST", "/localapi/v0/disconnect-control", 200, nil, nil)
-	if err != nil {
-		return fmt.Errorf("error disconnecting control: %w", err)
-	}
-	return nil
-}
-
 // NetworkLockDisable shuts down network-lock across the tailnet.
 func (lc *LocalClient) NetworkLockDisable(ctx context.Context, secret []byte) error {
 	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/disable", 200, bytes.NewReader(secret)); err != nil {
@@ -1606,62 +1418,44 @@ func (lc *LocalClient) CheckUpdate(ctx context.Context) (*tailcfg.ClientVersion,
 	return &cv, nil
 }
 
-// SetUseExitNode toggles the use of an exit node on or off.
-// To turn it on, there must have been a previously used exit node.
-// The most previously used one is reused.
-// This is a convenience method for GUIs. To select an actual one, update the prefs.
-func (lc *LocalClient) SetUseExitNode(ctx context.Context, on bool) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/set-use-exit-node-enabled?enabled="+strconv.FormatBool(on), http.StatusOK, nil)
-	return err
-}
-
-// DriveSetServerAddr instructs Taildrive to use the server at addr to access
+// TailFSSetFileServerAddr instructs TailFS to use the server at addr to access
 // the filesystem. This is used on platforms like Windows and MacOS to let
-// Taildrive know to use the file server running in the GUI app.
-func (lc *LocalClient) DriveSetServerAddr(ctx context.Context, addr string) error {
-	_, err := lc.send(ctx, "PUT", "/localapi/v0/drive/fileserver-address", http.StatusCreated, strings.NewReader(addr))
+// TailFS know to use the file server running in the GUI app.
+func (lc *LocalClient) TailFSSetFileServerAddr(ctx context.Context, addr string) error {
+	_, err := lc.send(ctx, "PUT", "/localapi/v0/tailfs/fileserver-address", http.StatusCreated, strings.NewReader(addr))
 	return err
 }
 
-// DriveShareSet adds or updates the given share in the list of shares that
-// Taildrive will serve to remote nodes. If a share with the same name already
-// exists, the existing share is replaced/updated.
-func (lc *LocalClient) DriveShareSet(ctx context.Context, share *drive.Share) error {
-	_, err := lc.send(ctx, "PUT", "/localapi/v0/drive/shares", http.StatusCreated, jsonBody(share))
+// TailFSShareAdd adds the given share to the list of shares that TailFS will
+// serve to remote nodes. If a share with the same name already exists, the
+// existing share is replaced/updated.
+func (lc *LocalClient) TailFSShareAdd(ctx context.Context, share *tailfs.Share) error {
+	_, err := lc.send(ctx, "PUT", "/localapi/v0/tailfs/shares", http.StatusCreated, jsonBody(share))
 	return err
 }
 
-// DriveShareRemove removes the share with the given name from the list of
-// shares that Taildrive will serve to remote nodes.
-func (lc *LocalClient) DriveShareRemove(ctx context.Context, name string) error {
+// TailFSShareRemove removes the share with the given name from the list of
+// shares that TailFS will serve to remote nodes.
+func (lc *LocalClient) TailFSShareRemove(ctx context.Context, name string) error {
 	_, err := lc.send(
 		ctx,
 		"DELETE",
-		"/localapi/v0/drive/shares",
+		"/localapi/v0/tailfs/shares",
 		http.StatusNoContent,
-		strings.NewReader(name))
+		jsonBody(&tailfs.Share{
+			Name: name,
+		}))
 	return err
 }
 
-// DriveShareRename renames the share from old to new name.
-func (lc *LocalClient) DriveShareRename(ctx context.Context, oldName, newName string) error {
-	_, err := lc.send(
-		ctx,
-		"POST",
-		"/localapi/v0/drive/shares",
-		http.StatusNoContent,
-		jsonBody([2]string{oldName, newName}))
-	return err
-}
-
-// DriveShareList returns the list of shares that drive is currently serving
+// TailFSShareList returns the list of shares that TailFS is currently serving
 // to remote nodes.
-func (lc *LocalClient) DriveShareList(ctx context.Context) ([]*drive.Share, error) {
-	result, err := lc.get200(ctx, "/localapi/v0/drive/shares")
+func (lc *LocalClient) TailFSShareList(ctx context.Context) (map[string]*tailfs.Share, error) {
+	result, err := lc.get200(ctx, "/localapi/v0/tailfs/shares")
 	if err != nil {
 		return nil, err
 	}
-	var shares []*drive.Share
+	var shares map[string]*tailfs.Share
 	err = json.Unmarshal(result, &shares)
 	return shares, err
 }
@@ -1702,12 +1496,3 @@ func (w *IPNBusWatcher) Next() (ipn.Notify, error) {
 	}
 	return n, nil
 }
-
-// SuggestExitNode requests an exit node suggestion and returns the exit node's details.
-func (lc *LocalClient) SuggestExitNode(ctx context.Context) (apitype.ExitNodeSuggestionResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/suggest-exit-node")
-	if err != nil {
-		return apitype.ExitNodeSuggestionResponse{}, err
-	}
-	return decodeJSON[apitype.ExitNodeSuggestionResponse](body)
-}

client/tailscale/localclient_test.go

@@ -6,14 +6,9 @@
 package tailscale
 
 import (
-	"context"
-	"net"
-	"net/http"
-	"net/http/httptest"
 	"testing"
 
 	"tailscale.com/tstest/deptest"
-	"tailscale.com/types/key"
 )
 
 func TestGetServeConfigFromJSON(t *testing.T) {
@@ -35,40 +30,13 @@ func TestGetServeConfigFromJSON(t *testing.T) {
 	}
 }
 
-func TestWhoIsPeerNotFound(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(404)
-	}))
-	defer ts.Close()
-
-	lc := &LocalClient{
-		Dial: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			var std net.Dialer
-			return std.DialContext(ctx, network, ts.Listener.Addr().(*net.TCPAddr).String())
-		},
-	}
-	var k key.NodePublic
-	if err := k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")); err != nil {
-		t.Fatal(err)
-	}
-	res, err := lc.WhoIsNodeKey(context.Background(), k)
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-	res, err = lc.WhoIs(context.Background(), "1.2.3.4:5678")
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-}
-
 func TestDeps(t *testing.T) {
 	deptest.DepChecker{
 		BadDeps: map[string]string{
 			// Make sure we don't again accidentally bring in a dependency on
-			// drive or its transitive dependencies
-			"testing":                        "do not use testing package in production code",
-			"tailscale.com/drive/driveimpl":  "https://github.com/tailscale/tailscale/pull/10631",
-			"github.com/studio-b12/gowebdav": "https://github.com/tailscale/tailscale/pull/10631",
+			// TailFS or its transitive dependencies
+			"tailscale.com/tailfs/tailfsimpl": "https://github.com/tailscale/tailscale/pull/10631",
+			"github.com/studio-b12/gowebdav":  "https://github.com/tailscale/tailscale/pull/10631",
 		},
 	}.Check(t)
 }

client/tailscale/required_version.go

@@ -1,10 +1,10 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !go1.23
+//go:build !go1.21
 
 package tailscale
 
 func init() {
-	you_need_Go_1_23_to_compile_Tailscale()
+	you_need_Go_1_21_to_compile_Tailscale()
 }

client/tailscale/routes.go

@@ -1,95 +1,95 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-)
-
-// Routes contains the lists of subnet routes that are currently advertised by a device,
-// as well as the subnets that are enabled to be routed by the device.
-type Routes struct {
-	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
-}
-
-// Routes retrieves the list of subnet routes that have been enabled for a device.
-// The routes that are returned are not necessarily advertised by the device,
-// they have only been preapproved.
-func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Routes: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var sr Routes
-	err = json.Unmarshal(b, &sr)
-	return &sr, err
-}
-
-type postRoutesParams struct {
-	Routes []netip.Prefix `json:"routes"`
-}
-
-// SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by net/netip.ParsePrefix.
-// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
-// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
-		}
-	}()
-	params := &postRoutesParams{Routes: subnets}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return nil, err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var srr *Routes
-	if err := json.Unmarshal(b, &srr); err != nil {
-		return nil, err
-	}
-	return srr, err
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build go1.19
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/netip"
+)
+
+// Routes contains the lists of subnet routes that are currently advertised by a device,
+// as well as the subnets that are enabled to be routed by the device.
+type Routes struct {
+	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
+	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
+}
+
+// Routes retrieves the list of subnet routes that have been enabled for a device.
+// The routes that are returned are not necessarily advertised by the device,
+// they have only been preapproved.
+func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.Routes: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var sr Routes
+	err = json.Unmarshal(b, &sr)
+	return &sr, err
+}
+
+type postRoutesParams struct {
+	Routes []netip.Prefix `json:"routes"`
+}
+
+// SetRoutes updates the list of subnets that are enabled for a device.
+// Subnets must be parsable by net/netip.ParsePrefix.
+// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
+// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
+func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
+		}
+	}()
+	params := &postRoutesParams{Routes: subnets}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return nil, err
+	}
+	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var srr *Routes
+	if err := json.Unmarshal(b, &srr); err != nil {
+		return nil, err
+	}
+	return srr, err
+}

client/tailscale/tailnet.go

@@ -1,42 +1,42 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-
-	"tailscale.com/util/httpm"
-)
-
-// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
-func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
-	if err != nil {
-		return err
-	}
-
-	c.setAuth(req)
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build go1.19
+
+package tailscale
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"tailscale.com/util/httpm"
+)
+
+// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
+func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
+	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
+	if err != nil {
+		return err
+	}
+
+	c.setAuth(req)
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+
+	return nil
+}

client/tailscale/tailscale.go

@@ -51,9 +51,6 @@ type Client struct {
 	// HTTPClient optionally specifies an alternate HTTP client to use.
 	// If nil, http.DefaultClient is used.
 	HTTPClient *http.Client
-
-	// UserAgent optionally specifies an alternate User-Agent header
-	UserAgent string
 }
 
 func (c *Client) httpClient() *http.Client {
@@ -100,9 +97,8 @@ func (c *Client) setAuth(r *http.Request) {
 // and can be changed manually by the user.
 func NewClient(tailnet string, auth AuthMethod) *Client {
 	return &Client{
-		tailnet:   tailnet,
-		auth:      auth,
-		UserAgent: "tailscale-client-oss",
+		tailnet: tailnet,
+		auth:    auth,
 	}
 }
 
@@ -114,16 +110,17 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
 	}
 	c.setAuth(req)
-	if c.UserAgent != "" {
-		req.Header.Set("User-Agent", c.UserAgent)
-	}
 	return c.httpClient().Do(req)
 }
 
 // sendRequest add the authentication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	resp, err := c.Do(req)
+	if !I_Acknowledge_This_API_Is_Unstable {
+		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+	}
+	c.setAuth(req)
+	resp, err := c.httpClient().Do(req)
 	if err != nil {
 		return nil, resp, err
 	}

client/web/auth.go

@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"slices"
 	"strings"
 	"time"
 
@@ -223,7 +222,7 @@ func (s *Server) awaitUserAuth(ctx context.Context, session *browserSession) err
 
 func (s *Server) newSessionID() (string, error) {
 	raw := make([]byte, 16)
-	for range 5 {
+	for i := 0; i < 5; i++ {
 		if _, err := rand.Read(raw); err != nil {
 			return "", err
 		}
@@ -235,12 +234,7 @@ func (s *Server) newSessionID() (string, error) {
 	return "", errors.New("too many collisions generating new session; please refresh page")
 }
 
-// peerCapabilities holds information about what a source
-// peer is allowed to edit via the web UI.
-//
-// map value is true if the peer can edit the given feature.
-// Only capFeatures included in validCaps will be included.
-type peerCapabilities map[capFeature]bool
+type peerCapabilities map[capFeature]bool // value is true if the peer can edit the given feature
 
 // canEdit is true if the peerCapabilities grant edit access
 // to the given feature.
@@ -254,47 +248,21 @@ func (p peerCapabilities) canEdit(feature capFeature) bool {
 	return p[feature]
 }
 
-// isEmpty is true if p is either nil or has no capabilities
-// with value true.
-func (p peerCapabilities) isEmpty() bool {
-	if p == nil {
-		return true
-	}
-	for _, v := range p {
-		if v == true {
-			return false
-		}
-	}
-	return true
-}
-
 type capFeature string
 
 const (
 	// The following values should not be edited.
 	// New caps can be added, but existing ones should not be changed,
 	// as these exact values are used by users in tailnet policy files.
-	//
-	// IMPORTANT: When adding a new cap, also update validCaps slice below.
 
-	capFeatureAll       capFeature = "*"         // grants peer management of all features
-	capFeatureSSH       capFeature = "ssh"       // grants peer SSH server management
-	capFeatureSubnets   capFeature = "subnets"   // grants peer subnet routes management
-	capFeatureExitNodes capFeature = "exitnodes" // grants peer ability to advertise-as and use exit nodes
-	capFeatureAccount   capFeature = "account"   // grants peer ability to turn on auto updates and log out of node
+	capFeatureAll      capFeature = "*"        // grants peer management of all features
+	capFeatureFunnel   capFeature = "funnel"   // grants peer serve/funnel management
+	capFeatureSSH      capFeature = "ssh"      // grants peer SSH server management
+	capFeatureSubnet   capFeature = "subnet"   // grants peer subnet routes management
+	capFeatureExitNode capFeature = "exitnode" // grants peer ability to advertise-as and use exit nodes
+	capFeatureAccount  capFeature = "account"  // grants peer ability to turn on auto updates and log out of node
 )
 
-// validCaps contains the list of valid capabilities used in the web client.
-// Any capabilities included in a peer's grants that do not fall into this
-// list will be ignored.
-var validCaps []capFeature = []capFeature{
-	capFeatureAll,
-	capFeatureSSH,
-	capFeatureSubnets,
-	capFeatureExitNodes,
-	capFeatureAccount,
-}
-
 type capRule struct {
 	CanEdit []string `json:"canEdit,omitempty"` // list of features peer is allowed to edit
 }
@@ -302,13 +270,7 @@ type capRule struct {
 // toPeerCapabilities parses out the web ui capabilities from the
 // given whois response.
 func toPeerCapabilities(status *ipnstate.Status, whois *apitype.WhoIsResponse) (peerCapabilities, error) {
-	if whois == nil || status == nil {
-		return peerCapabilities{}, nil
-	}
-	if whois.Node.IsTagged() {
-		// We don't allow management *from* tagged nodes, so ignore caps.
-		// The web client auth flow relies on having a true user identity
-		// that can be verified through login.
+	if whois == nil {
 		return peerCapabilities{}, nil
 	}
 
@@ -329,10 +291,7 @@ func toPeerCapabilities(status *ipnstate.Status, whois *apitype.WhoIsResponse) (
 	}
 	for _, c := range rules {
 		for _, f := range c.CanEdit {
-			cap := capFeature(strings.ToLower(f))
-			if slices.Contains(validCaps, cap) {
-				caps[cap] = true
-			}
+			caps[capFeature(strings.ToLower(f))] = true
 		}
 	}
 	return caps, nil

client/web/package.json

@@ -3,10 +3,9 @@
   "version": "0.0.1",
   "license": "BSD-3-Clause",
   "engines": {
-    "node": "18.20.4",
+    "node": "18.16.1",
     "yarn": "1.22.19"
   },
-  "type": "module",
   "private": true,
   "dependencies": {
     "@radix-ui/react-collapsible": "^1.0.3",
@@ -33,16 +32,12 @@
     "prettier": "^2.5.1",
     "prettier-plugin-organize-imports": "^3.2.2",
     "tailwindcss": "^3.3.3",
-    "typescript": "^5.3.3",
-    "vite": "^5.1.7",
+    "typescript": "^4.7.4",
+    "vite": "^5.1.4",
     "vite-plugin-svgr": "^4.2.0",
     "vite-tsconfig-paths": "^3.5.0",
     "vitest": "^1.3.1"
   },
-  "resolutions": {
-    "@typescript-eslint/eslint-plugin": "^6.2.1",
-    "@typescript-eslint/parser": "^6.2.1"
-  },
   "scripts": {
     "build": "vite build",
     "start": "vite",

client/web/qnap.go

@@ -1,127 +1,127 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// qnap.go contains handlers and logic, such as authentication,
-// that is specific to running the web client on QNAP.
-
-package web
-
-import (
-	"crypto/tls"
-	"encoding/xml"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-)
-
-// authorizeQNAP authenticates the logged-in QNAP user and verifies that they
-// are authorized to use the web client.
-// If the user is not authorized to use the client, an error is returned.
-func authorizeQNAP(r *http.Request) (authorized bool, err error) {
-	_, resp, err := qnapAuthn(r)
-	if err != nil {
-		return false, err
-	}
-	if resp.IsAdmin == 0 {
-		return false, errors.New("user is not an admin")
-	}
-
-	return true, nil
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
-	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
-	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
-	// SAN. See https://github.com/tailscale/tailscale/issues/6903
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	resp, err := client.Get(url)
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user, authResp, nil
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// qnap.go contains handlers and logic, such as authentication,
+// that is specific to running the web client on QNAP.
+
+package web
+
+import (
+	"crypto/tls"
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+)
+
+// authorizeQNAP authenticates the logged-in QNAP user and verifies that they
+// are authorized to use the web client.
+// If the user is not authorized to use the client, an error is returned.
+func authorizeQNAP(r *http.Request) (authorized bool, err error) {
+	_, resp, err := qnapAuthn(r)
+	if err != nil {
+		return false, err
+	}
+	if resp.IsAdmin == 0 {
+		return false, errors.New("user is not an admin")
+	}
+
+	return true, nil
+}
+
+type qnapAuthResponse struct {
+	AuthPassed int    `xml:"authPassed"`
+	IsAdmin    int    `xml:"isAdmin"`
+	AuthSID    string `xml:"authSid"`
+	ErrorValue int    `xml:"errorValue"`
+}
+
+func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
+	user, err := r.Cookie("NAS_USER")
+	if err != nil {
+		return "", nil, err
+	}
+	token, err := r.Cookie("qtoken")
+	if err == nil {
+		return qnapAuthnQtoken(r, user.Value, token.Value)
+	}
+	sid, err := r.Cookie("NAS_SID")
+	if err == nil {
+		return qnapAuthnSid(r, user.Value, sid.Value)
+	}
+	return "", nil, fmt.Errorf("not authenticated by any mechanism")
+}
+
+// qnapAuthnURL returns the auth URL to use by inferring where the UI is
+// running based on the request URL. This is necessary because QNAP has so
+// many options, see https://github.com/tailscale/tailscale/issues/7108
+// and https://github.com/tailscale/tailscale/issues/6903
+func qnapAuthnURL(requestUrl string, query url.Values) string {
+	in, err := url.Parse(requestUrl)
+	scheme := ""
+	host := ""
+	if err != nil || in.Scheme == "" {
+		log.Printf("Cannot parse QNAP login URL %v", err)
+
+		// try localhost and hope for the best
+		scheme = "http"
+		host = "localhost"
+	} else {
+		scheme = in.Scheme
+		host = in.Host
+	}
+
+	u := url.URL{
+		Scheme:   scheme,
+		Host:     host,
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return u.String()
+}
+
+func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"qtoken": []string{token},
+		"user":   []string{user},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"sid": []string{sid},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
+	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
+	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
+	// SAN. See https://github.com/tailscale/tailscale/issues/6903
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
+	resp, err := client.Get(url)
+	if err != nil {
+		return "", nil, err
+	}
+	defer resp.Body.Close()
+	out, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", nil, err
+	}
+	authResp := &qnapAuthResponse{}
+	if err := xml.Unmarshal(out, authResp); err != nil {
+		return "", nil, err
+	}
+	if authResp.AuthPassed == 0 {
+		return "", nil, fmt.Errorf("not authenticated")
+	}
+	return user, authResp, nil
+}

client/web/src/assets/icons/arrow-right.svg

@@ -1,4 +1,4 @@
-<svg width="24" height="25" viewBox="0 0 24 25" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M5 12.5H19" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M12 5.5L19 12.5L12 19.5" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="24" height="25" viewBox="0 0 24 25" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M5 12.5H19" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M12 5.5L19 12.5L12 19.5" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/assets/icons/arrow-up-circle.svg

@@ -1,5 +1,5 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <path d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-  <path d="M16 12L12 8L8 12" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-  <path d="M12 16V8" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+  <path d="M16 12L12 8L8 12" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+  <path d="M12 16V8" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/assets/icons/check-circle.svg

@@ -1,4 +1,4 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M22 11.08V12C21.9988 14.1564 21.3005 16.2547 20.0093 17.9818C18.7182 19.709 16.9033 20.9725 14.8354 21.5839C12.7674 22.1953 10.5573 22.1219 8.53447 21.3746C6.51168 20.6273 4.78465 19.2461 3.61096 17.4371C2.43727 15.628 1.87979 13.4881 2.02168 11.3363C2.16356 9.18455 2.99721 7.13631 4.39828 5.49706C5.79935 3.85781 7.69279 2.71537 9.79619 2.24013C11.8996 1.7649 14.1003 1.98232 16.07 2.85999" stroke="#1EA672" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M22 4L12 14.01L9 11.01" stroke="#1EA672" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M22 11.08V12C21.9988 14.1564 21.3005 16.2547 20.0093 17.9818C18.7182 19.709 16.9033 20.9725 14.8354 21.5839C12.7674 22.1953 10.5573 22.1219 8.53447 21.3746C6.51168 20.6273 4.78465 19.2461 3.61096 17.4371C2.43727 15.628 1.87979 13.4881 2.02168 11.3363C2.16356 9.18455 2.99721 7.13631 4.39828 5.49706C5.79935 3.85781 7.69279 2.71537 9.79619 2.24013C11.8996 1.7649 14.1003 1.98232 16.07 2.85999" stroke="#1EA672" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M22 4L12 14.01L9 11.01" stroke="#1EA672" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/assets/icons/check.svg

@@ -1,3 +1,3 @@
-<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M16.6673 5L7.50065 14.1667L3.33398 10" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M16.6673 5L7.50065 14.1667L3.33398 10" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/assets/icons/chevron-down.svg

@@ -1,3 +1,3 @@
-<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M5 7.5L10 12.5L15 7.5" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M5 7.5L10 12.5L15 7.5" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/assets/icons/eye.svg

@@ -1,11 +1,11 @@
-<svg width="15" height="16" viewBox="0 0 15 16" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_15367_14595)">
-<path d="M0.625 8C0.625 8 3.125 3 7.5 3C11.875 3 14.375 8 14.375 8C14.375 8 11.875 13 7.5 13C3.125 13 0.625 8 0.625 8Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M7.5 9.875C8.53553 9.875 9.375 9.03553 9.375 8C9.375 6.96447 8.53553 6.125 7.5 6.125C6.46447 6.125 5.625 6.96447 5.625 8C5.625 9.03553 6.46447 9.875 7.5 9.875Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</g>
-<defs>
-<clipPath id="clip0_15367_14595">
-<rect width="15" height="15" fill="white" transform="translate(0 0.5)"/>
-</clipPath>
-</defs>
-</svg>
+<svg width="15" height="16" viewBox="0 0 15 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_15367_14595)">
+<path d="M0.625 8C0.625 8 3.125 3 7.5 3C11.875 3 14.375 8 14.375 8C14.375 8 11.875 13 7.5 13C3.125 13 0.625 8 0.625 8Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M7.5 9.875C8.53553 9.875 9.375 9.03553 9.375 8C9.375 6.96447 8.53553 6.125 7.5 6.125C6.46447 6.125 5.625 6.96447 5.625 8C5.625 9.03553 6.46447 9.875 7.5 9.875Z" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</g>
+<defs>
+<clipPath id="clip0_15367_14595">
+<rect width="15" height="15" fill="white" transform="translate(0 0.5)"/>
+</clipPath>
+</defs>
+</svg>

client/web/src/assets/icons/search.svg

@@ -1,4 +1,4 @@
-<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M9.16667 15.8333C12.8486 15.8333 15.8333 12.8486 15.8333 9.16667C15.8333 5.48477 12.8486 2.5 9.16667 2.5C5.48477 2.5 2.5 5.48477 2.5 9.16667C2.5 12.8486 5.48477 15.8333 9.16667 15.8333Z" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M17.5 17.5L13.875 13.875" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M9.16667 15.8333C12.8486 15.8333 15.8333 12.8486 15.8333 9.16667C15.8333 5.48477 12.8486 2.5 9.16667 2.5C5.48477 2.5 2.5 5.48477 2.5 9.16667C2.5 12.8486 5.48477 15.8333 9.16667 15.8333Z" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M17.5 17.5L13.875 13.875" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/assets/icons/tailscale-icon.svg

@@ -1,18 +1,18 @@
-<svg width="26" height="26" viewBox="0 0 26 26" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_13627_11860)">
-<path opacity="0.2" d="M3.8696 6.77137C5.56662 6.77137 6.94233 5.39567 6.94233 3.69865C6.94233 2.00163 5.56662 0.625919 3.8696 0.625919C2.17258 0.625919 0.796875 2.00163 0.796875 3.69865C0.796875 5.39567 2.17258 6.77137 3.8696 6.77137Z" fill="black"/>
-<path d="M3.8696 15.9327C5.56662 15.9327 6.94233 14.5569 6.94233 12.8599C6.94233 11.1629 5.56662 9.7872 3.8696 9.7872C2.17258 9.7872 0.796875 11.1629 0.796875 12.8599C0.796875 14.5569 2.17258 15.9327 3.8696 15.9327Z" fill="black"/>
-<path opacity="0.2" d="M3.8696 25.2646C5.56662 25.2646 6.94233 23.8889 6.94233 22.1919C6.94233 20.4949 5.56662 19.1192 3.8696 19.1192C2.17258 19.1192 0.796875 20.4949 0.796875 22.1919C0.796875 23.8889 2.17258 25.2646 3.8696 25.2646Z" fill="black"/>
-<path d="M13.0879 15.9327C14.7849 15.9327 16.1606 14.5569 16.1606 12.8599C16.1606 11.1629 14.7849 9.7872 13.0879 9.7872C11.3908 9.7872 10.0151 11.1629 10.0151 12.8599C10.0151 14.5569 11.3908 15.9327 13.0879 15.9327Z" fill="black"/>
-<path d="M13.0879 25.2646C14.7849 25.2646 16.1606 23.8889 16.1606 22.1919C16.1606 20.4949 14.7849 19.1192 13.0879 19.1192C11.3908 19.1192 10.0151 20.4949 10.0151 22.1919C10.0151 23.8889 11.3908 25.2646 13.0879 25.2646Z" fill="black"/>
-<path opacity="0.2" d="M13.0879 6.77137C14.7849 6.77137 16.1606 5.39567 16.1606 3.69865C16.1606 2.00163 14.7849 0.625919 13.0879 0.625919C11.3908 0.625919 10.0151 2.00163 10.0151 3.69865C10.0151 5.39567 11.3908 6.77137 13.0879 6.77137Z" fill="black"/>
-<path opacity="0.2" d="M22.1919 6.77137C23.8889 6.77137 25.2646 5.39567 25.2646 3.69865C25.2646 2.00163 23.8889 0.625919 22.1919 0.625919C20.4948 0.625919 19.1191 2.00163 19.1191 3.69865C19.1191 5.39567 20.4948 6.77137 22.1919 6.77137Z" fill="black"/>
-<path d="M22.1919 15.9327C23.8889 15.9327 25.2646 14.5569 25.2646 12.8599C25.2646 11.1629 23.8889 9.7872 22.1919 9.7872C20.4948 9.7872 19.1191 11.1629 19.1191 12.8599C19.1191 14.5569 20.4948 15.9327 22.1919 15.9327Z" fill="black"/>
-<path opacity="0.2" d="M22.1919 25.2646C23.8889 25.2646 25.2646 23.8889 25.2646 22.1919C25.2646 20.4949 23.8889 19.1192 22.1919 19.1192C20.4948 19.1192 19.1191 20.4949 19.1191 22.1919C19.1191 23.8889 20.4948 25.2646 22.1919 25.2646Z" fill="black"/>
-</g>
-<defs>
-<clipPath id="clip0_13627_11860">
-<rect width="26" height="26" fill="white"/>
-</clipPath>
-</defs>
-</svg>
+<svg width="26" height="26" viewBox="0 0 26 26" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_13627_11860)">
+<path opacity="0.2" d="M3.8696 6.77137C5.56662 6.77137 6.94233 5.39567 6.94233 3.69865C6.94233 2.00163 5.56662 0.625919 3.8696 0.625919C2.17258 0.625919 0.796875 2.00163 0.796875 3.69865C0.796875 5.39567 2.17258 6.77137 3.8696 6.77137Z" fill="black"/>
+<path d="M3.8696 15.9327C5.56662 15.9327 6.94233 14.5569 6.94233 12.8599C6.94233 11.1629 5.56662 9.7872 3.8696 9.7872C2.17258 9.7872 0.796875 11.1629 0.796875 12.8599C0.796875 14.5569 2.17258 15.9327 3.8696 15.9327Z" fill="black"/>
+<path opacity="0.2" d="M3.8696 25.2646C5.56662 25.2646 6.94233 23.8889 6.94233 22.1919C6.94233 20.4949 5.56662 19.1192 3.8696 19.1192C2.17258 19.1192 0.796875 20.4949 0.796875 22.1919C0.796875 23.8889 2.17258 25.2646 3.8696 25.2646Z" fill="black"/>
+<path d="M13.0879 15.9327C14.7849 15.9327 16.1606 14.5569 16.1606 12.8599C16.1606 11.1629 14.7849 9.7872 13.0879 9.7872C11.3908 9.7872 10.0151 11.1629 10.0151 12.8599C10.0151 14.5569 11.3908 15.9327 13.0879 15.9327Z" fill="black"/>
+<path d="M13.0879 25.2646C14.7849 25.2646 16.1606 23.8889 16.1606 22.1919C16.1606 20.4949 14.7849 19.1192 13.0879 19.1192C11.3908 19.1192 10.0151 20.4949 10.0151 22.1919C10.0151 23.8889 11.3908 25.2646 13.0879 25.2646Z" fill="black"/>
+<path opacity="0.2" d="M13.0879 6.77137C14.7849 6.77137 16.1606 5.39567 16.1606 3.69865C16.1606 2.00163 14.7849 0.625919 13.0879 0.625919C11.3908 0.625919 10.0151 2.00163 10.0151 3.69865C10.0151 5.39567 11.3908 6.77137 13.0879 6.77137Z" fill="black"/>
+<path opacity="0.2" d="M22.1919 6.77137C23.8889 6.77137 25.2646 5.39567 25.2646 3.69865C25.2646 2.00163 23.8889 0.625919 22.1919 0.625919C20.4948 0.625919 19.1191 2.00163 19.1191 3.69865C19.1191 5.39567 20.4948 6.77137 22.1919 6.77137Z" fill="black"/>
+<path d="M22.1919 15.9327C23.8889 15.9327 25.2646 14.5569 25.2646 12.8599C25.2646 11.1629 23.8889 9.7872 22.1919 9.7872C20.4948 9.7872 19.1191 11.1629 19.1191 12.8599C19.1191 14.5569 20.4948 15.9327 22.1919 15.9327Z" fill="black"/>
+<path opacity="0.2" d="M22.1919 25.2646C23.8889 25.2646 25.2646 23.8889 25.2646 22.1919C25.2646 20.4949 23.8889 19.1192 22.1919 19.1192C20.4948 19.1192 19.1191 20.4949 19.1191 22.1919C19.1191 23.8889 20.4948 25.2646 22.1919 25.2646Z" fill="black"/>
+</g>
+<defs>
+<clipPath id="clip0_13627_11860">
+<rect width="26" height="26" fill="white"/>
+</clipPath>
+</defs>
+</svg>

client/web/src/assets/icons/tailscale-logo.svg

@@ -1,20 +1,20 @@
-<svg width="121" height="22" viewBox="0 0 121 22" fill="none" xmlns="http://www.w3.org/2000/svg">
-<ellipse cx="2.69191" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
-<ellipse cx="10.7676" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
-<ellipse opacity="0.2" cx="2.69191" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
-<circle opacity="0.2" cx="18.8433" cy="18.8434" r="2.69191" fill="#141414"/>
-<ellipse cx="10.7676" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
-<circle cx="18.8433" cy="10.7677" r="2.69191" fill="#141414"/>
-<ellipse opacity="0.2" cx="2.69191" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
-<ellipse opacity="0.2" cx="10.7676" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
-<circle opacity="0.2" cx="18.8433" cy="2.69191" r="2.69191" fill="#141414"/>
-<path d="M37.8847 19.9603C38.6525 19.9603 39.2764 19.8883 40.0202 19.7443V16.9609C39.5643 17.1289 39.0605 17.1769 38.5806 17.1769C37.4048 17.1769 36.9729 16.601 36.9729 15.4973V9.83453H40.0202V7.05116H36.9729V2.92409H33.6137V7.05116H31.4302V9.83453H33.6137V15.8092C33.6137 18.4486 35.0054 19.9603 37.8847 19.9603Z" fill="#141414"/>
-<path d="M45.5064 19.9603C47.306 19.9603 48.5057 19.3604 49.1056 18.4246C49.1536 18.8325 49.2975 19.3844 49.4895 19.7203H52.5128C52.3448 19.1444 52.2249 18.2326 52.2249 17.6328V11.0583C52.2249 8.34687 50.2813 6.81121 46.994 6.81121C44.4986 6.81121 42.555 7.747 41.4753 9.1147L43.3949 11.0103C44.2587 10.0505 45.3624 9.5466 46.7061 9.5466C48.3377 9.5466 49.0576 10.0985 49.0576 10.9143C49.0576 11.6101 48.5777 12.09 45.9863 12.09C43.4908 12.09 40.9714 13.1218 40.9714 16.0011C40.9714 18.6645 42.891 19.9603 45.5064 19.9603ZM46.1782 17.4168C44.8825 17.4168 44.2827 16.8649 44.2827 15.8812C44.2827 15.0174 45.0025 14.4415 46.2022 14.4415C48.1218 14.4415 48.6497 14.3215 49.0576 13.9136V14.9454C49.0576 16.3131 47.9058 17.4168 46.1782 17.4168Z" fill="#141414"/>
-<path d="M54.4086 5.44352H57.9118V2.30023H54.4086V5.44352ZM54.4805 19.7203H57.8398V7.05116H54.4805V19.7203Z" fill="#141414"/>
-<path d="M60.287 19.7203H63.6463V2.68414H60.287V19.7203Z" fill="#141414"/>
-<path d="M70.6285 19.9603C74.3237 19.9603 76.2193 18.0167 76.2193 15.9771C76.2193 14.1296 75.2835 12.7619 72.2122 12.21C70.0527 11.8261 68.709 11.3462 68.709 10.6024C68.709 9.95451 69.4768 9.49861 70.7725 9.49861C71.9242 9.49861 72.884 9.88252 73.6038 10.7223L75.7394 8.92274C74.6596 7.57904 72.884 6.81121 70.7725 6.81121C67.5332 6.81121 65.5177 8.53883 65.5177 10.6503C65.5177 12.9538 67.6292 13.9856 69.9087 14.3935C71.8043 14.7294 72.86 15.0893 72.86 15.9052C72.86 16.601 72.1162 17.1769 70.7005 17.1769C69.3088 17.1769 68.2291 16.529 67.7252 15.5692L64.8938 16.9129C65.5897 18.6405 67.9651 19.9603 70.6285 19.9603Z" fill="#141414"/>
-<path d="M83.7294 19.9603C86.1288 19.9603 87.8564 19.0005 89.1521 16.841L86.4648 15.4733C85.9609 16.481 85.1451 17.1769 83.7294 17.1769C81.5939 17.1769 80.4421 15.4493 80.4421 13.3617C80.4421 11.2742 81.6658 9.59459 83.7294 9.59459C85.0251 9.59459 85.8889 10.2904 86.3928 11.3462L89.1042 9.90652C88.1924 7.91497 86.3928 6.81121 83.7294 6.81121C79.3384 6.81121 77.0829 10.0265 77.0829 13.3617C77.0829 16.9849 79.8183 19.9603 83.7294 19.9603Z" fill="#141414"/>
-<path d="M94.5031 19.9603C96.3027 19.9603 97.5025 19.3604 98.1023 18.4246C98.1503 18.8325 98.2943 19.3844 98.4862 19.7203H101.51C101.342 19.1444 101.222 18.2326 101.222 17.6328V11.0583C101.222 8.34687 99.2781 6.81121 95.9908 6.81121C93.4954 6.81121 91.5518 7.747 90.472 9.1147L92.3916 11.0103C93.2554 10.0505 94.3592 9.5466 95.7029 9.5466C97.3345 9.5466 98.0543 10.0985 98.0543 10.9143C98.0543 11.6101 97.5744 12.09 94.983 12.09C92.4876 12.09 89.9682 13.1218 89.9682 16.0011C89.9682 18.6645 91.8877 19.9603 94.5031 19.9603ZM95.175 17.4168C93.8793 17.4168 93.2794 16.8649 93.2794 15.8812C93.2794 15.0174 93.9992 14.4415 95.199 14.4415C97.1185 14.4415 97.6464 14.3215 98.0543 13.9136V14.9454C98.0543 16.3131 96.9026 17.4168 95.175 17.4168Z" fill="#141414"/>
-<path d="M103.196 19.7203H106.555V2.68414H103.196V19.7203Z" fill="#141414"/>
-<path d="M114.617 19.9603C117.089 19.9603 119.08 18.9765 120.184 17.2249L117.641 15.5932C116.969 16.649 116.081 17.2249 114.617 17.2249C112.962 17.2249 111.762 16.3131 111.45 14.5375H121V13.3617C121 10.0265 118.96 6.81121 114.593 6.81121C110.442 6.81121 108.187 10.0505 108.187 13.3857C108.187 18.1367 111.762 19.9603 114.617 19.9603ZM111.57 11.8981C112.098 10.2904 113.202 9.5466 114.665 9.5466C116.321 9.5466 117.329 10.5304 117.665 11.8981H111.57Z" fill="#141414"/>
-</svg>
+<svg width="121" height="22" viewBox="0 0 121 22" fill="none" xmlns="http://www.w3.org/2000/svg">
+<ellipse cx="2.69191" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse cx="10.7676" cy="10.7677" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="2.69191" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle opacity="0.2" cx="18.8433" cy="18.8434" r="2.69191" fill="#141414"/>
+<ellipse cx="10.7676" cy="18.8434" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle cx="18.8433" cy="10.7677" r="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="2.69191" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
+<ellipse opacity="0.2" cx="10.7676" cy="2.69191" rx="2.69191" ry="2.69191" fill="#141414"/>
+<circle opacity="0.2" cx="18.8433" cy="2.69191" r="2.69191" fill="#141414"/>
+<path d="M37.8847 19.9603C38.6525 19.9603 39.2764 19.8883 40.0202 19.7443V16.9609C39.5643 17.1289 39.0605 17.1769 38.5806 17.1769C37.4048 17.1769 36.9729 16.601 36.9729 15.4973V9.83453H40.0202V7.05116H36.9729V2.92409H33.6137V7.05116H31.4302V9.83453H33.6137V15.8092C33.6137 18.4486 35.0054 19.9603 37.8847 19.9603Z" fill="#141414"/>
+<path d="M45.5064 19.9603C47.306 19.9603 48.5057 19.3604 49.1056 18.4246C49.1536 18.8325 49.2975 19.3844 49.4895 19.7203H52.5128C52.3448 19.1444 52.2249 18.2326 52.2249 17.6328V11.0583C52.2249 8.34687 50.2813 6.81121 46.994 6.81121C44.4986 6.81121 42.555 7.747 41.4753 9.1147L43.3949 11.0103C44.2587 10.0505 45.3624 9.5466 46.7061 9.5466C48.3377 9.5466 49.0576 10.0985 49.0576 10.9143C49.0576 11.6101 48.5777 12.09 45.9863 12.09C43.4908 12.09 40.9714 13.1218 40.9714 16.0011C40.9714 18.6645 42.891 19.9603 45.5064 19.9603ZM46.1782 17.4168C44.8825 17.4168 44.2827 16.8649 44.2827 15.8812C44.2827 15.0174 45.0025 14.4415 46.2022 14.4415C48.1218 14.4415 48.6497 14.3215 49.0576 13.9136V14.9454C49.0576 16.3131 47.9058 17.4168 46.1782 17.4168Z" fill="#141414"/>
+<path d="M54.4086 5.44352H57.9118V2.30023H54.4086V5.44352ZM54.4805 19.7203H57.8398V7.05116H54.4805V19.7203Z" fill="#141414"/>
+<path d="M60.287 19.7203H63.6463V2.68414H60.287V19.7203Z" fill="#141414"/>
+<path d="M70.6285 19.9603C74.3237 19.9603 76.2193 18.0167 76.2193 15.9771C76.2193 14.1296 75.2835 12.7619 72.2122 12.21C70.0527 11.8261 68.709 11.3462 68.709 10.6024C68.709 9.95451 69.4768 9.49861 70.7725 9.49861C71.9242 9.49861 72.884 9.88252 73.6038 10.7223L75.7394 8.92274C74.6596 7.57904 72.884 6.81121 70.7725 6.81121C67.5332 6.81121 65.5177 8.53883 65.5177 10.6503C65.5177 12.9538 67.6292 13.9856 69.9087 14.3935C71.8043 14.7294 72.86 15.0893 72.86 15.9052C72.86 16.601 72.1162 17.1769 70.7005 17.1769C69.3088 17.1769 68.2291 16.529 67.7252 15.5692L64.8938 16.9129C65.5897 18.6405 67.9651 19.9603 70.6285 19.9603Z" fill="#141414"/>
+<path d="M83.7294 19.9603C86.1288 19.9603 87.8564 19.0005 89.1521 16.841L86.4648 15.4733C85.9609 16.481 85.1451 17.1769 83.7294 17.1769C81.5939 17.1769 80.4421 15.4493 80.4421 13.3617C80.4421 11.2742 81.6658 9.59459 83.7294 9.59459C85.0251 9.59459 85.8889 10.2904 86.3928 11.3462L89.1042 9.90652C88.1924 7.91497 86.3928 6.81121 83.7294 6.81121C79.3384 6.81121 77.0829 10.0265 77.0829 13.3617C77.0829 16.9849 79.8183 19.9603 83.7294 19.9603Z" fill="#141414"/>
+<path d="M94.5031 19.9603C96.3027 19.9603 97.5025 19.3604 98.1023 18.4246C98.1503 18.8325 98.2943 19.3844 98.4862 19.7203H101.51C101.342 19.1444 101.222 18.2326 101.222 17.6328V11.0583C101.222 8.34687 99.2781 6.81121 95.9908 6.81121C93.4954 6.81121 91.5518 7.747 90.472 9.1147L92.3916 11.0103C93.2554 10.0505 94.3592 9.5466 95.7029 9.5466C97.3345 9.5466 98.0543 10.0985 98.0543 10.9143C98.0543 11.6101 97.5744 12.09 94.983 12.09C92.4876 12.09 89.9682 13.1218 89.9682 16.0011C89.9682 18.6645 91.8877 19.9603 94.5031 19.9603ZM95.175 17.4168C93.8793 17.4168 93.2794 16.8649 93.2794 15.8812C93.2794 15.0174 93.9992 14.4415 95.199 14.4415C97.1185 14.4415 97.6464 14.3215 98.0543 13.9136V14.9454C98.0543 16.3131 96.9026 17.4168 95.175 17.4168Z" fill="#141414"/>
+<path d="M103.196 19.7203H106.555V2.68414H103.196V19.7203Z" fill="#141414"/>
+<path d="M114.617 19.9603C117.089 19.9603 119.08 18.9765 120.184 17.2249L117.641 15.5932C116.969 16.649 116.081 17.2249 114.617 17.2249C112.962 17.2249 111.762 16.3131 111.45 14.5375H121V13.3617C121 10.0265 118.96 6.81121 114.593 6.81121C110.442 6.81121 108.187 10.0505 108.187 13.3857C108.187 18.1367 111.762 19.9603 114.617 19.9603ZM111.57 11.8981C112.098 10.2904 113.202 9.5466 114.665 9.5466C116.321 9.5466 117.329 10.5304 117.665 11.8981H111.57Z" fill="#141414"/>
+</svg>

client/web/src/assets/icons/user.svg

@@ -1,4 +1,4 @@
-<svg width="15" height="16" viewBox="0 0 15 16" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M12.5 13.625V12.375C12.5 11.712 12.2366 11.0761 11.7678 10.6072C11.2989 10.1384 10.663 9.875 10 9.875H5C4.33696 9.875 3.70107 10.1384 3.23223 10.6072C2.76339 11.0761 2.5 11.712 2.5 12.375V13.625" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M7.5 7.375C8.88071 7.375 10 6.25571 10 4.875C10 3.49429 8.88071 2.375 7.5 2.375C6.11929 2.375 5 3.49429 5 4.875C5 6.25571 6.11929 7.375 7.5 7.375Z" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="15" height="16" viewBox="0 0 15 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M12.5 13.625V12.375C12.5 11.712 12.2366 11.0761 11.7678 10.6072C11.2989 10.1384 10.663 9.875 10 9.875H5C4.33696 9.875 3.70107 10.1384 3.23223 10.6072C2.76339 11.0761 2.5 11.712 2.5 12.375V13.625" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M7.5 7.375C8.88071 7.375 10 6.25571 10 4.875C10 3.49429 8.88071 2.375 7.5 2.375C6.11929 2.375 5 3.49429 5 4.875C5 6.25571 6.11929 7.375 7.5 7.375Z" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/assets/icons/x-circle.svg

@@ -1,5 +1,5 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z" stroke="red" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M15 9L9 15" stroke="red" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M9 9L15 15" stroke="red" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z" stroke="red" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M15 9L9 15" stroke="red" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M9 9L15 15" stroke="red" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/web/src/components/app.tsx

@@ -11,8 +11,8 @@ import LoginView from "src/components/views/login-view"
 import SSHView from "src/components/views/ssh-view"
 import SubnetRouterView from "src/components/views/subnet-router-view"
 import { UpdatingView } from "src/components/views/updating-view"
-import useAuth, { AuthResponse, canEdit } from "src/hooks/auth"
-import { Feature, NodeData, featureDescription } from "src/types"
+import useAuth, { AuthResponse } from "src/hooks/auth"
+import { Feature, featureDescription, NodeData } from "src/types"
 import Card from "src/ui/card"
 import EmptyState from "src/ui/empty-state"
 import LoadingDots from "src/ui/loading-dots"
@@ -56,19 +56,16 @@ function WebClient({
         <Header node={node} auth={auth} newSession={newSession} />
         <Switch>
           <Route path="/">
-            <HomeView node={node} auth={auth} />
+            <HomeView readonly={!auth.canManageNode} node={node} />
           </Route>
           <Route path="/details">
-            <DeviceDetailsView node={node} auth={auth} />
+            <DeviceDetailsView readonly={!auth.canManageNode} node={node} />
           </Route>
           <FeatureRoute path="/subnets" feature="advertise-routes" node={node}>
-            <SubnetRouterView
-              readonly={!canEdit("subnets", auth)}
-              node={node}
-            />
+            <SubnetRouterView readonly={!auth.canManageNode} node={node} />
           </FeatureRoute>
           <FeatureRoute path="/ssh" feature="ssh" node={node}>
-            <SSHView readonly={!canEdit("ssh", auth)} node={node} />
+            <SSHView readonly={!auth.canManageNode} node={node} />
           </FeatureRoute>
           {/* <Route path="/serve">Share local content</Route> */}
           <FeatureRoute path="/update" feature="auto-update" node={node}>

client/web/src/components/login-toggle.tsx

@@ -2,17 +2,15 @@
 // SPDX-License-Identifier: BSD-3-Clause
 
 import cx from "classnames"
-import React, { useCallback, useMemo, useState } from "react"
+import React, { useCallback, useEffect, useState } from "react"
 import ChevronDown from "src/assets/icons/chevron-down.svg?react"
 import Eye from "src/assets/icons/eye.svg?react"
 import User from "src/assets/icons/user.svg?react"
-import { AuthResponse, hasAnyEditCapabilities } from "src/hooks/auth"
-import { useTSWebConnected } from "src/hooks/ts-web-connected"
+import { AuthResponse, AuthType } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Popover from "src/ui/popover"
 import ProfilePic from "src/ui/profile-pic"
-import { assertNever, isHTTPS } from "src/utils/util"
 
 export default function LoginToggle({
   node,
@@ -24,29 +22,12 @@ export default function LoginToggle({
   newSession: () => Promise<void>
 }) {
   const [open, setOpen] = useState<boolean>(false)
-  const { tsWebConnected, checkTSWebConnection } = useTSWebConnected(
-    auth.serverMode,
-    node.IPv4
-  )
 
   return (
     <Popover
-      className="p-3 bg-white rounded-lg shadow flex flex-col max-w-[317px]"
+      className="p-3 bg-white rounded-lg shadow flex flex-col gap-2 max-w-[317px]"
       content={
-        auth.serverMode === "readonly" ? (
-          <ReadonlyModeContent auth={auth} />
-        ) : auth.serverMode === "login" ? (
-          <LoginModeContent
-            auth={auth}
-            node={node}
-            tsWebConnected={tsWebConnected}
-            checkTSWebConnection={checkTSWebConnection}
-          />
-        ) : auth.serverMode === "manage" ? (
-          <ManageModeContent auth={auth} node={node} newSession={newSession} />
-        ) : (
-          assertNever(auth.serverMode)
-        )
+        <LoginPopoverContent node={node} auth={auth} newSession={newSession} />
       }
       side="bottom"
       align="end"
@@ -54,303 +35,228 @@ export default function LoginToggle({
       onOpenChange={setOpen}
       asChild
     >
-      <div>
-        {auth.authorized ? (
-          <TriggerWhenManaging auth={auth} open={open} setOpen={setOpen} />
-        ) : (
-          <TriggerWhenReading auth={auth} open={open} setOpen={setOpen} />
-        )}
-      </div>
+      {!auth.canManageNode ? (
+        <button
+          className={cx(
+            "pl-3 py-1 bg-gray-700 rounded-full flex justify-start items-center h-[34px]",
+            { "pr-1": auth.viewerIdentity, "pr-3": !auth.viewerIdentity }
+          )}
+          onClick={() => setOpen(!open)}
+        >
+          <Eye />
+          <div className="text-white leading-snug ml-2 mr-1">Viewing</div>
+          <ChevronDown className="stroke-white w-[15px] h-[15px]" />
+          {auth.viewerIdentity && (
+            <ProfilePic
+              className="ml-2"
+              size="medium"
+              url={auth.viewerIdentity.profilePicUrl}
+            />
+          )}
+        </button>
+      ) : (
+        <div
+          className={cx(
+            "w-[34px] h-[34px] p-1 rounded-full justify-center items-center inline-flex hover:bg-gray-300",
+            {
+              "bg-transparent": !open,
+              "bg-gray-300": open,
+            }
+          )}
+        >
+          <button onClick={() => setOpen(!open)}>
+            <ProfilePic
+              size="medium"
+              url={auth.viewerIdentity?.profilePicUrl}
+            />
+          </button>
+        </div>
+      )}
     </Popover>
   )
 }
 
-/**
- * TriggerWhenManaging is displayed as the trigger for the login popover
- * when the user has an active authorized managment session.
- */
-function TriggerWhenManaging({
-  auth,
-  open,
-  setOpen,
-}: {
-  auth: AuthResponse
-  open: boolean
-  setOpen: (next: boolean) => void
-}) {
-  return (
-    <div
-      className={cx(
-        "w-[34px] h-[34px] p-1 rounded-full justify-center items-center inline-flex hover:bg-gray-300",
-        {
-          "bg-transparent": !open,
-          "bg-gray-300": open,
-        }
-      )}
-    >
-      <button onClick={() => setOpen(!open)}>
-        <ProfilePic size="medium" url={auth.viewerIdentity?.profilePicUrl} />
-      </button>
-    </div>
-  )
-}
-
-/**
- * TriggerWhenReading is displayed as the trigger for the login popover
- * when the user is currently in read mode (doesn't have an authorized
- * management session).
- */
-function TriggerWhenReading({
-  auth,
-  open,
-  setOpen,
-}: {
-  auth: AuthResponse
-  open: boolean
-  setOpen: (next: boolean) => void
-}) {
-  return (
-    <button
-      className={cx(
-        "pl-3 py-1 bg-gray-700 rounded-full flex justify-start items-center h-[34px]",
-        { "pr-1": auth.viewerIdentity, "pr-3": !auth.viewerIdentity }
-      )}
-      onClick={() => setOpen(!open)}
-    >
-      <Eye />
-      <div className="text-white leading-snug ml-2 mr-1">Viewing</div>
-      <ChevronDown className="stroke-white w-[15px] h-[15px]" />
-      {auth.viewerIdentity && (
-        <ProfilePic
-          className="ml-2"
-          size="medium"
-          url={auth.viewerIdentity.profilePicUrl}
-        />
-      )}
-    </button>
-  )
-}
-
-/**
- * PopoverContentHeader is the header for the login popover.
- */
-function PopoverContentHeader({ auth }: { auth: AuthResponse }) {
-  return (
-    <div className="text-black text-sm font-medium leading-tight mb-1">
-      {auth.authorized ? "Managing" : "Viewing"}
-      {auth.viewerIdentity && ` as ${auth.viewerIdentity.loginName}`}
-    </div>
-  )
-}
-
-/**
- * PopoverContentFooter is the footer for the login popover.
- */
-function PopoverContentFooter({ auth }: { auth: AuthResponse }) {
-  return auth.viewerIdentity ? (
-    <>
-      <hr className="my-2" />
-      <div className="flex items-center">
-        <User className="flex-shrink-0" />
-        <p className="text-gray-500 text-xs ml-2">
-          We recognize you because you are accessing this page from{" "}
-          <span className="font-medium">
-            {auth.viewerIdentity.nodeName || auth.viewerIdentity.nodeIP}
-          </span>
-        </p>
-      </div>
-    </>
-  ) : null
-}
-
-/**
- * ReadonlyModeContent is the body of the login popover when the web
- * client is being run in "readonly" server mode.
- */
-function ReadonlyModeContent({ auth }: { auth: AuthResponse }) {
-  return (
-    <>
-      <PopoverContentHeader auth={auth} />
-      <p className="text-gray-500 text-xs">
-        This web interface is running in read-only mode.{" "}
-        <a
-          href="https://tailscale.com/s/web-client-read-only"
-          className="text-blue-700"
-          target="_blank"
-          rel="noreferrer"
-        >
-          Learn more &rarr;
-        </a>
-      </p>
-      <PopoverContentFooter auth={auth} />
-    </>
-  )
-}
-
-/**
- * LoginModeContent is the body of the login popover when the web
- * client is being run in "login" server mode.
- */
-function LoginModeContent({
+function LoginPopoverContent({
   node,
-  auth,
-  tsWebConnected,
-  checkTSWebConnection,
-}: {
-  node: NodeData
-  auth: AuthResponse
-  tsWebConnected: boolean
-  checkTSWebConnection: () => void
-}) {
-  const https = isHTTPS()
-  // We can't run the ts web connection test when the webpage is loaded
-  // over HTTPS. So in this case, we default to presenting a login button
-  // with some helper text reminding the user to check their connection
-  // themselves.
-  const hasACLAccess = https || tsWebConnected
-
-  const hasEditCaps = useMemo(() => {
-    if (!auth.viewerIdentity) {
-      // If not connected to login client over tailscale, we won't know the viewer's
-      // identity. So we must assume they may be able to edit something and have the
-      // management client handle permissions once the user gets there.
-      return true
-    }
-    return hasAnyEditCapabilities(auth)
-  }, [auth])
-
-  const handleLogin = useCallback(() => {
-    // Must be connected over Tailscale to log in.
-    // Send user to Tailscale IP and start check mode
-    const manageURL = `http://${node.IPv4}:5252/?check=now`
-    if (window.self !== window.top) {
-      // If we're inside an iframe, open management client in new window.
-      window.open(manageURL, "_blank")
-    } else {
-      window.location.href = manageURL
-    }
-  }, [node.IPv4])
-
-  return (
-    <div
-      onMouseEnter={
-        hasEditCaps && !hasACLAccess ? checkTSWebConnection : undefined
-      }
-    >
-      <PopoverContentHeader auth={auth} />
-      {!hasACLAccess || !hasEditCaps ? (
-        <>
-          <p className="text-gray-500 text-xs">
-            {!hasEditCaps ? (
-              // ACLs allow access, but user isn't allowed to edit any features,
-              // restricted to readonly. No point in sending them over to the
-              // tailscaleIP:5252 address.
-              <>
-                You don’t have permission to make changes to this device, but
-                you can view most of its details.
-              </>
-            ) : !node.ACLAllowsAnyIncomingTraffic ? (
-              // Tailnet ACLs don't allow access to anyone.
-              <>
-                The current tailnet policy file does not allow connecting to
-                this device.
-              </>
-            ) : (
-              // ACLs don't allow access to this user specifically.
-              <>
-                Cannot access this device’s Tailscale IP. Make sure you are
-                connected to your tailnet, and that your policy file allows
-                access.
-              </>
-            )}{" "}
-            <a
-              href="https://tailscale.com/s/web-client-access"
-              className="text-blue-700"
-              target="_blank"
-              rel="noreferrer"
-            >
-              Learn more &rarr;
-            </a>
-          </p>
-        </>
-      ) : (
-        // User can connect to Tailcale IP; sign in when ready.
-        <>
-          <p className="text-gray-500 text-xs">
-            You can see most of this device’s details. To make changes, you need
-            to sign in.
-          </p>
-          {https && (
-            // we don't know if the user can connect over TS, so
-            // provide extra tips in case they have trouble.
-            <p className="text-gray-500 text-xs font-semibold pt-2">
-              Make sure you are connected to your tailnet, and that your policy
-              file allows access.
-            </p>
-          )}
-          <SignInButton auth={auth} onClick={handleLogin} />
-        </>
-      )}
-      <PopoverContentFooter auth={auth} />
-    </div>
-  )
-}
-
-/**
- * ManageModeContent is the body of the login popover when the web
- * client is being run in "manage" server mode.
- */
-function ManageModeContent({
   auth,
   newSession,
 }: {
   node: NodeData
   auth: AuthResponse
-  newSession: () => void
+  newSession: () => Promise<void>
 }) {
-  const handleLogin = useCallback(() => {
-    if (window.self !== window.top) {
-      // If we're inside an iframe, start session in new window.
-      let url = new URL(window.location.href)
-      url.searchParams.set("check", "now")
-      window.open(url, "_blank")
-    } else {
-      newSession()
-    }
-  }, [newSession])
+  /**
+   * canConnectOverTS indicates whether the current viewer
+   * is able to hit the node's web client that's being served
+   * at http://${node.IP}:5252. If false, this means that the
+   * viewer must connect to the correct tailnet before being
+   * able to sign in.
+   */
+  const [canConnectOverTS, setCanConnectOverTS] = useState<boolean>(false)
+  const [isRunningCheck, setIsRunningCheck] = useState<boolean>(false)
 
-  const hasAnyPermissions = useMemo(() => hasAnyEditCapabilities(auth), [auth])
+  // Whether the current page is loaded over HTTPS.
+  // If it is, then the connectivity check to the management client
+  // will fail with a mixed-content error.
+  const isHTTPS = window.location.protocol === "https:"
+
+  const checkTSConnection = useCallback(() => {
+    if (auth.viewerIdentity || isHTTPS) {
+      // Skip the connectivity check if we either already know we're connected over Tailscale,
+      // or know the connectivity check will fail because the current page is loaded over HTTPS.
+      setCanConnectOverTS(true)
+      return
+    }
+    // Otherwise, test connection to the ts IP.
+    if (isRunningCheck) {
+      return // already checking
+    }
+    setIsRunningCheck(true)
+    fetch(`http://${node.IPv4}:5252/ok`, { mode: "no-cors" })
+      .then(() => {
+        setCanConnectOverTS(true)
+        setIsRunningCheck(false)
+      })
+      .catch(() => setIsRunningCheck(false))
+  }, [auth.viewerIdentity, isRunningCheck, node.IPv4, isHTTPS])
+
+  /**
+   * Checking connection for first time on page load.
+   *
+   * While not connected, we check again whenever the mouse
+   * enters the popover component, to pick up on the user
+   * leaving to turn on Tailscale then returning to the view.
+   * See `onMouseEnter` on the div below.
+   */
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  useEffect(() => checkTSConnection(), [])
+
+  const handleSignInClick = useCallback(() => {
+    if (auth.viewerIdentity && auth.serverMode === "manage") {
+      if (window.self !== window.top) {
+        // if we're inside an iframe, start session in new window
+        let url = new URL(window.location.href)
+        url.searchParams.set("check", "now")
+        window.open(url, "_blank")
+      } else {
+        newSession()
+      }
+    } else {
+      // Must be connected over Tailscale to log in.
+      // Send user to Tailscale IP and start check mode
+      const manageURL = `http://${node.IPv4}:5252/?check=now`
+      if (window.self !== window.top) {
+        // if we're inside an iframe, open management client in new window
+        window.open(manageURL, "_blank")
+      } else {
+        window.location.href = manageURL
+      }
+    }
+  }, [auth.viewerIdentity, auth.serverMode, newSession, node.IPv4])
 
   return (
-    <>
-      <PopoverContentHeader auth={auth} />
-      {!auth.authorized &&
-        (hasAnyPermissions ? (
-          // User is connected over Tailscale, but needs to complete check mode.
-          <>
+    <div onMouseEnter={!canConnectOverTS ? checkTSConnection : undefined}>
+      <div className="text-black text-sm font-medium leading-tight mb-1">
+        {!auth.canManageNode ? "Viewing" : "Managing"}
+        {auth.viewerIdentity && ` as ${auth.viewerIdentity.loginName}`}
+      </div>
+      {!auth.canManageNode && (
+        <>
+          {auth.serverMode === "readonly" ? (
             <p className="text-gray-500 text-xs">
-              To make changes, sign in to confirm your identity. This extra step
-              helps us keep your device secure.
+              This web interface is running in read-only mode.{" "}
+              <a
+                href="https://tailscale.com/s/web-client-read-only"
+                className="text-blue-700"
+                target="_blank"
+                rel="noreferrer"
+              >
+                Learn more &rarr;
+              </a>
             </p>
-            <SignInButton auth={auth} onClick={handleLogin} />
-          </>
-        ) : (
-          // User is connected over tailscale, but doesn't have permission to manage.
-          <p className="text-gray-500 text-xs">
-            You don’t have permission to make changes to this device, but you
-            can view most of its details.{" "}
-            <a
-              href="https://tailscale.com/s/web-client-access"
-              className="text-blue-700"
-              target="_blank"
-              rel="noreferrer"
-            >
-              Learn more &rarr;
-            </a>
-          </p>
-        ))}
-      <PopoverContentFooter auth={auth} />
-    </>
+          ) : !auth.viewerIdentity ? (
+            // User is not connected over Tailscale.
+            // These states are only possible on the login client.
+            <>
+              {!canConnectOverTS ? (
+                <>
+                  <p className="text-gray-500 text-xs">
+                    {!node.ACLAllowsAnyIncomingTraffic ? (
+                      // Tailnet ACLs don't allow access.
+                      <>
+                        The current tailnet policy file does not allow
+                        connecting to this device.
+                      </>
+                    ) : (
+                      // ACLs allow access, but user can't connect.
+                      <>
+                        Cannot access this device’s Tailscale IP. Make sure you
+                        are connected to your tailnet, and that your policy file
+                        allows access.
+                      </>
+                    )}{" "}
+                    <a
+                      href="https://tailscale.com/s/web-client-connection"
+                      className="text-blue-700"
+                      target="_blank"
+                      rel="noreferrer"
+                    >
+                      Learn more &rarr;
+                    </a>
+                  </p>
+                </>
+              ) : (
+                // User can connect to Tailcale IP; sign in when ready.
+                <>
+                  <p className="text-gray-500 text-xs">
+                    You can see most of this device’s details. To make changes,
+                    you need to sign in.
+                  </p>
+                  {isHTTPS && (
+                    // we don't know if the user can connect over TS, so
+                    // provide extra tips in case they have trouble.
+                    <p className="text-gray-500 text-xs font-semibold pt-2">
+                      Make sure you are connected to your tailnet, and that your
+                      policy file allows access.
+                    </p>
+                  )}
+                  <SignInButton auth={auth} onClick={handleSignInClick} />
+                </>
+              )}
+            </>
+          ) : auth.authNeeded === AuthType.tailscale ? (
+            // User is connected over Tailscale, but needs to complete check mode.
+            <>
+              <p className="text-gray-500 text-xs">
+                To make changes, sign in to confirm your identity. This extra
+                step helps us keep your device secure.
+              </p>
+              <SignInButton auth={auth} onClick={handleSignInClick} />
+            </>
+          ) : (
+            // User is connected over tailscale, but doesn't have permission to manage.
+            <p className="text-gray-500 text-xs">
+              You don’t have permission to make changes to this device, but you
+              can view most of its details.
+            </p>
+          )}
+        </>
+      )}
+      {auth.viewerIdentity && (
+        <>
+          <hr className="my-2" />
+          <div className="flex items-center">
+            <User className="flex-shrink-0" />
+            <p className="text-gray-500 text-xs ml-2">
+              We recognize you because you are accessing this page from{" "}
+              <span className="font-medium">
+                {auth.viewerIdentity.nodeName || auth.viewerIdentity.nodeIP}
+              </span>
+            </p>
+          </div>
+        </>
+      )}
+    </div>
   )
 }
 

client/web/src/components/views/device-details-view.tsx

@@ -8,7 +8,6 @@ import ACLTag from "src/components/acl-tag"
 import * as Control from "src/components/control-components"
 import NiceIP from "src/components/nice-ip"
 import { UpdateAvailableNotification } from "src/components/update-available"
-import { AuthResponse, canEdit } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Card from "src/ui/card"
@@ -17,11 +16,11 @@ import QuickCopy from "src/ui/quick-copy"
 import { useLocation } from "wouter"
 
 export default function DeviceDetailsView({
+  readonly,
   node,
-  auth,
 }: {
+  readonly: boolean
   node: NodeData
-  auth: AuthResponse
 }) {
   return (
     <>
@@ -38,11 +37,11 @@ export default function DeviceDetailsView({
                 })}
               />
             </div>
-            {canEdit("account", auth) && <DisconnectDialog />}
+            {!readonly && <DisconnectDialog />}
           </div>
         </Card>
         {node.Features["auto-update"] &&
-          canEdit("account", auth) &&
+          !readonly &&
           node.ClientVersion &&
           !node.ClientVersion.RunningLatest && (
             <UpdateAvailableNotification details={node.ClientVersion} />

client/web/src/components/views/home-view.tsx

@@ -8,18 +8,17 @@ import ArrowRight from "src/assets/icons/arrow-right.svg?react"
 import Machine from "src/assets/icons/machine.svg?react"
 import AddressCard from "src/components/address-copy-card"
 import ExitNodeSelector from "src/components/exit-node-selector"
-import { AuthResponse, canEdit } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Card from "src/ui/card"
 import { pluralize } from "src/utils/util"
 import { Link, useLocation } from "wouter"
 
 export default function HomeView({
+  readonly,
   node,
-  auth,
 }: {
+  readonly: boolean
   node: NodeData
-  auth: AuthResponse
 }) {
   const [allSubnetRoutes, pendingSubnetRoutes] = useMemo(
     () => [
@@ -64,11 +63,7 @@ export default function HomeView({
         </div>
         {(node.Features["advertise-exit-node"] ||
           node.Features["use-exit-node"]) && (
-          <ExitNodeSelector
-            className="mb-5"
-            node={node}
-            disabled={!canEdit("exitnodes", auth)}
-          />
+          <ExitNodeSelector className="mb-5" node={node} disabled={readonly} />
         )}
         <Link
           className="link font-medium"

client/web/src/hooks/auth.ts

@@ -4,50 +4,25 @@
 import { useCallback, useEffect, useState } from "react"
 import { apiFetch, setSynoToken } from "src/api"
 
+export enum AuthType {
+  synology = "synology",
+  tailscale = "tailscale",
+}
+
 export type AuthResponse = {
-  serverMode: AuthServerMode
-  authorized: boolean
+  authNeeded?: AuthType
+  canManageNode: boolean
+  serverMode: "login" | "readonly" | "manage"
   viewerIdentity?: {
     loginName: string
     nodeName: string
     nodeIP: string
     profilePicUrl?: string
-    capabilities: { [key in PeerCapability]: boolean }
   }
-  needsSynoAuth?: boolean
 }
 
-export type AuthServerMode = "login" | "readonly" | "manage"
-
-export type PeerCapability = "*" | "ssh" | "subnets" | "exitnodes" | "account"
-
-/**
- * canEdit reports whether the given auth response specifies that the viewer
- * has the ability to edit the given capability.
- */
-export function canEdit(cap: PeerCapability, auth: AuthResponse): boolean {
-  if (!auth.authorized || !auth.viewerIdentity) {
-    return false
-  }
-  if (auth.viewerIdentity.capabilities["*"] === true) {
-    return true // can edit all features
-  }
-  return auth.viewerIdentity.capabilities[cap] === true
-}
-
-/**
- * hasAnyEditCapabilities reports whether the given auth response specifies
- * that the viewer has at least one edit capability. If this is true, the
- * user is able to go through the auth flow to authenticate a management
- * session.
- */
-export function hasAnyEditCapabilities(auth: AuthResponse): boolean {
-  return Object.values(auth.viewerIdentity?.capabilities || {}).includes(true)
-}
-
-/**
- * useAuth reports and refreshes Tailscale auth status for the web client.
- */
+// useAuth reports and refreshes Tailscale auth status
+// for the web client.
 export default function useAuth() {
   const [data, setData] = useState<AuthResponse>()
   const [loading, setLoading] = useState<boolean>(true)
@@ -58,16 +33,18 @@ export default function useAuth() {
     return apiFetch<AuthResponse>("/auth", "GET")
       .then((d) => {
         setData(d)
-        if (d.needsSynoAuth) {
-          fetch("/webman/login.cgi")
-            .then((r) => r.json())
-            .then((a) => {
-              setSynoToken(a.SynoToken)
-              setRanSynoAuth(true)
-              setLoading(false)
-            })
-        } else {
-          setLoading(false)
+        switch (d.authNeeded) {
+          case AuthType.synology:
+            fetch("/webman/login.cgi")
+              .then((r) => r.json())
+              .then((a) => {
+                setSynoToken(a.SynoToken)
+                setRanSynoAuth(true)
+                setLoading(false)
+              })
+            break
+          default:
+            setLoading(false)
         }
         return d
       })
@@ -95,13 +72,8 @@ export default function useAuth() {
 
   useEffect(() => {
     loadAuth().then((d) => {
-      if (!d) {
-        return
-      }
       if (
-        !d.authorized &&
-        hasAnyEditCapabilities(d) &&
-        // Start auth flow immediately if browser has requested it.
+        !d?.canManageNode &&
         new URLSearchParams(window.location.search).get("check") === "now"
       ) {
         newSession()

client/web/src/hooks/ts-web-connected.ts

@@ -1,46 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-import { useCallback, useEffect, useState } from "react"
-import { isHTTPS } from "src/utils/util"
-import { AuthServerMode } from "./auth"
-
-/**
- * useTSWebConnected hook is used to check whether the browser is able to
- * connect to the web client served at http://${nodeIPv4}:5252
- */
-export function useTSWebConnected(mode: AuthServerMode, nodeIPv4: string) {
-  const [tsWebConnected, setTSWebConnected] = useState<boolean>(
-    mode === "manage" // browser already on the web client
-  )
-  const [isLoading, setIsLoading] = useState<boolean>(false)
-
-  const checkTSWebConnection = useCallback(() => {
-    if (mode === "manage") {
-      // Already connected to the web client.
-      setTSWebConnected(true)
-      return
-    }
-    if (isHTTPS()) {
-      // When page is loaded over HTTPS, the connectivity check will always
-      // fail with a mixed-content error. In this case don't bother doing
-      // the check.
-      return
-    }
-    if (isLoading) {
-      return // already checking
-    }
-    setIsLoading(true)
-    fetch(`http://${nodeIPv4}:5252/ok`, { mode: "no-cors" })
-      .then(() => {
-        setTSWebConnected(true)
-        setIsLoading(false)
-      })
-      .catch(() => setIsLoading(false))
-  }, [isLoading, mode, nodeIPv4])
-
-  // eslint-disable-next-line react-hooks/exhaustive-deps
-  useEffect(() => checkTSWebConnection(), []) // checking connection for first time on page load
-
-  return { tsWebConnected, checkTSWebConnection, isLoading }
-}

client/web/src/utils/util.ts

@@ -49,10 +49,3 @@ export function isPromise<T = unknown>(val: unknown): val is Promise<T> {
   }
   return typeof val === "object" && "then" in val
 }
-
-/**
- * isHTTPS reports whether the current page is loaded over HTTPS.
- */
-export function isHTTPS() {
-  return window.location.protocol === "https:"
-}

client/web/synology.go

@@ -1,59 +1,59 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// synology.go contains handlers and logic, such as authentication,
-// that is specific to running the web client on Synology.
-
-package web
-
-import (
-	"errors"
-	"fmt"
-	"net/http"
-	"os/exec"
-	"strings"
-
-	"tailscale.com/util/groupmember"
-)
-
-// authorizeSynology authenticates the logged-in Synology user and verifies
-// that they are authorized to use the web client.
-// If the user is authenticated, but not authorized to use the client, an error is returned.
-func authorizeSynology(r *http.Request) (authorized bool, err error) {
-	if !hasSynoToken(r) {
-		return false, nil
-	}
-
-	// authenticate the Synology user
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return false, fmt.Errorf("auth: %v: %s", err, out)
-	}
-	user := strings.TrimSpace(string(out))
-
-	// check if the user is in the administrators group
-	isAdmin, err := groupmember.IsMemberOfGroup("administrators", user)
-	if err != nil {
-		return false, err
-	}
-	if !isAdmin {
-		return false, errors.New("not a member of administrators group")
-	}
-
-	return true, nil
-}
-
-// hasSynoToken returns true if the request include a SynoToken used for synology auth.
-func hasSynoToken(r *http.Request) bool {
-	if r.Header.Get("X-Syno-Token") != "" {
-		return true
-	}
-	if r.URL.Query().Get("SynoToken") != "" {
-		return true
-	}
-	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
-		return true
-	}
-	return false
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// synology.go contains handlers and logic, such as authentication,
+// that is specific to running the web client on Synology.
+
+package web
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"os/exec"
+	"strings"
+
+	"tailscale.com/util/groupmember"
+)
+
+// authorizeSynology authenticates the logged-in Synology user and verifies
+// that they are authorized to use the web client.
+// If the user is authenticated, but not authorized to use the client, an error is returned.
+func authorizeSynology(r *http.Request) (authorized bool, err error) {
+	if !hasSynoToken(r) {
+		return false, nil
+	}
+
+	// authenticate the Synology user
+	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return false, fmt.Errorf("auth: %v: %s", err, out)
+	}
+	user := strings.TrimSpace(string(out))
+
+	// check if the user is in the administrators group
+	isAdmin, err := groupmember.IsMemberOfGroup("administrators", user)
+	if err != nil {
+		return false, err
+	}
+	if !isAdmin {
+		return false, errors.New("not a member of administrators group")
+	}
+
+	return true, nil
+}
+
+// hasSynoToken returns true if the request include a SynoToken used for synology auth.
+func hasSynoToken(r *http.Request) bool {
+	if r.Header.Get("X-Syno-Token") != "" {
+		return true
+	}
+	if r.URL.Query().Get("SynoToken") != "" {
+		return true
+	}
+	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
+		return true
+	}
+	return false
+}

client/web/tailwind.config.js

@@ -1,7 +1,7 @@
-import plugin from "tailwindcss/plugin"
-import styles from "./styles.json"
+const plugin = require("tailwindcss/plugin")
+const styles = require("./styles.json")
 
-const config = {
+module.exports = {
   theme: {
     screens: {
       sm: "420px",
@@ -96,22 +96,20 @@ const config = {
   plugins: [
     plugin(function ({ addVariant }) {
       addVariant("state-open", [
-        "&[data-state=“open”]",
-        "[data-state=“open”] &",
+        '&[data-state="open"]',
+        '[data-state="open"] &',
       ])
       addVariant("state-closed", [
-        "&[data-state=“closed”]",
-        "[data-state=“closed”] &",
+        '&[data-state="closed"]',
+        '[data-state="closed"] &',
       ])
       addVariant("state-delayed-open", [
-        "&[data-state=“delayed-open”]",
-        "[data-state=“delayed-open”] &",
+        '&[data-state="delayed-open"]',
+        '[data-state="delayed-open"] &',
       ])
-      addVariant("state-active", ["&[data-state=“active”]"])
-      addVariant("state-inactive", ["&[data-state=“inactive”]"])
+      addVariant("state-active", ['&[data-state="active"]'])
+      addVariant("state-inactive", ['&[data-state="inactive"]'])
     }),
   ],
   content: ["./src/**/*.html", "./src/**/*.{ts,tsx}", "./index.html"],
 }
-
-export default config

client/web/web.go

@@ -17,6 +17,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -26,7 +27,6 @@ import (
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/clientupdate"
 	"tailscale.com/envknob"
-	"tailscale.com/envknob/featureknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -35,7 +35,6 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/views"
 	"tailscale.com/util/httpm"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
@@ -114,6 +113,11 @@ const (
 	ManageServerMode ServerMode = "manage"
 )
 
+var (
+	exitNodeRouteV4 = netip.MustParsePrefix("0.0.0.0/0")
+	exitNodeRouteV6 = netip.MustParsePrefix("::/0")
+)
+
 // ServerOpts contains options for constructing a new Server.
 type ServerOpts struct {
 	// Mode specifies the mode of web client being constructed.
@@ -279,12 +283,6 @@ func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if r.URL.Path == "/metrics" {
-		r.URL.Path = "/api/local/v0/usermetrics"
-		s.proxyRequestToLocalAPI(w, r)
-		return
-	}
-
 	if strings.HasPrefix(r.URL.Path, "/api/") {
 		switch {
 		case r.URL.Path == "/api/auth" && r.Method == httpm.GET:
@@ -447,188 +445,18 @@ func (s *Server) serveLoginAPI(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-type apiHandler[data any] struct {
-	s *Server
-	w http.ResponseWriter
-	r *http.Request
+type authType string
 
-	// permissionCheck allows for defining whether a requesting peer's
-	// capabilities grant them access to make the given data update.
-	// If permissionCheck reports false, the request fails as unauthorized.
-	permissionCheck func(data data, peer peerCapabilities) bool
-}
-
-// newHandler constructs a new api handler which restricts the given request
-// to the specified permission check. If the permission check fails for
-// the peer associated with the request, an unauthorized error is returned
-// to the client.
-func newHandler[data any](s *Server, w http.ResponseWriter, r *http.Request, permissionCheck func(data data, peer peerCapabilities) bool) *apiHandler[data] {
-	return &apiHandler[data]{
-		s:               s,
-		w:               w,
-		r:               r,
-		permissionCheck: permissionCheck,
-	}
-}
-
-// alwaysAllowed can be passed as the permissionCheck argument to newHandler
-// for requests that are always allowed to complete regardless of a peer's
-// capabilities.
-func alwaysAllowed[data any](_ data, _ peerCapabilities) bool { return true }
-
-func (a *apiHandler[data]) getPeer() (peerCapabilities, error) {
-	// TODO(tailscale/corp#16695,sonia): We also call StatusWithoutPeers and
-	// WhoIs when originally checking for a session from authorizeRequest.
-	// Would be nice if we could pipe those through to here so we don't end
-	// up having to re-call them to grab the peer capabilities.
-	status, err := a.s.lc.StatusWithoutPeers(a.r.Context())
-	if err != nil {
-		return nil, err
-	}
-	whois, err := a.s.lc.WhoIs(a.r.Context(), a.r.RemoteAddr)
-	if err != nil {
-		return nil, err
-	}
-	peer, err := toPeerCapabilities(status, whois)
-	if err != nil {
-		return nil, err
-	}
-	return peer, nil
-}
-
-type noBodyData any // empty type, for use from serveAPI for endpoints with empty body
-
-// handle runs the given handler if the source peer satisfies the
-// constraints for running this request.
-//
-// handle is expected for use when `data` type is empty, or set to
-// `noBodyData` in practice. For requests that expect JSON body data
-// to be attached, use handleJSON instead.
-func (a *apiHandler[data]) handle(h http.HandlerFunc) {
-	peer, err := a.getPeer()
-	if err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	var body data // not used
-	if !a.permissionCheck(body, peer) {
-		http.Error(a.w, "not allowed", http.StatusUnauthorized)
-		return
-	}
-	h(a.w, a.r)
-}
-
-// handleJSON manages decoding the request's body JSON and passing
-// it on to the provided function if the source peer satisfies the
-// constraints for running this request.
-func (a *apiHandler[data]) handleJSON(h func(ctx context.Context, data data) error) {
-	defer a.r.Body.Close()
-	var body data
-	if err := json.NewDecoder(a.r.Body).Decode(&body); err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	peer, err := a.getPeer()
-	if err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	if !a.permissionCheck(body, peer) {
-		http.Error(a.w, "not allowed", http.StatusUnauthorized)
-		return
-	}
-
-	if err := h(a.r.Context(), body); err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	a.w.WriteHeader(http.StatusOK)
-}
-
-// serveAPI serves requests for the web client api.
-// It should only be called by Server.ServeHTTP, via Server.apiHandler,
-// which protects the handler using gorilla csrf.
-func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
-	if r.Method == httpm.PATCH {
-		// Enforce that PATCH requests are always application/json.
-		if ct := r.Header.Get("Content-Type"); ct != "application/json" {
-			http.Error(w, "invalid request", http.StatusBadRequest)
-			return
-		}
-	}
-
-	w.Header().Set("X-CSRF-Token", csrf.Token(r))
-	path := strings.TrimPrefix(r.URL.Path, "/api")
-	switch {
-	case path == "/data" && r.Method == httpm.GET:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.serveGetNodeData)
-		return
-	case path == "/exit-nodes" && r.Method == httpm.GET:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.serveGetExitNodes)
-		return
-	case path == "/routes" && r.Method == httpm.POST:
-		peerAllowed := func(d postRoutesRequest, p peerCapabilities) bool {
-			if d.SetExitNode && !p.canEdit(capFeatureExitNodes) {
-				return false
-			} else if d.SetRoutes && !p.canEdit(capFeatureSubnets) {
-				return false
-			}
-			return true
-		}
-		newHandler[postRoutesRequest](s, w, r, peerAllowed).
-			handleJSON(s.servePostRoutes)
-		return
-	case path == "/device-details-click" && r.Method == httpm.POST:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.serveDeviceDetailsClick)
-		return
-	case path == "/local/v0/logout" && r.Method == httpm.POST:
-		peerAllowed := func(_ noBodyData, peer peerCapabilities) bool {
-			return peer.canEdit(capFeatureAccount)
-		}
-		newHandler[noBodyData](s, w, r, peerAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/prefs" && r.Method == httpm.PATCH:
-		peerAllowed := func(data maskedPrefs, peer peerCapabilities) bool {
-			if data.RunSSHSet && !peer.canEdit(capFeatureSSH) {
-				return false
-			}
-			return true
-		}
-		newHandler[maskedPrefs](s, w, r, peerAllowed).
-			handleJSON(s.serveUpdatePrefs)
-		return
-	case path == "/local/v0/update/check" && r.Method == httpm.GET:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/update/check" && r.Method == httpm.POST:
-		peerAllowed := func(_ noBodyData, peer peerCapabilities) bool {
-			return peer.canEdit(capFeatureAccount)
-		}
-		newHandler[noBodyData](s, w, r, peerAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/update/progress" && r.Method == httpm.POST:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/upload-client-metrics" && r.Method == httpm.POST:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	}
-	http.Error(w, "invalid endpoint", http.StatusNotFound)
-}
+var (
+	synoAuth      authType = "synology"  // user needs a SynoToken for subsequent API calls
+	tailscaleAuth authType = "tailscale" // user needs to complete Tailscale check mode
+)
 
 type authResponse struct {
-	ServerMode     ServerMode      `json:"serverMode"`
-	Authorized     bool            `json:"authorized"` // has an authorized management session
+	AuthNeeded     authType        `json:"authNeeded,omitempty"` // filled when user needs to complete a specific type of auth
+	CanManageNode  bool            `json:"canManageNode"`
 	ViewerIdentity *viewerIdentity `json:"viewerIdentity,omitempty"`
-	NeedsSynoAuth  bool            `json:"needsSynoAuth,omitempty"`
+	ServerMode     ServerMode      `json:"serverMode"`
 }
 
 // viewerIdentity is the Tailscale identity of the source node
@@ -647,11 +475,9 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 	var resp authResponse
 	resp.ServerMode = s.mode
 	session, whois, status, sErr := s.getSession(r)
-	var caps peerCapabilities
 
 	if whois != nil {
-		var err error
-		caps, err = toPeerCapabilities(status, whois)
+		caps, err := toPeerCapabilities(status, whois)
 		if err != nil {
 			http.Error(w, sErr.Error(), http.StatusInternalServerError)
 			return
@@ -678,7 +504,7 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 			if !authorized {
-				resp.NeedsSynoAuth = true
+				resp.AuthNeeded = synoAuth
 				writeJSON(w, resp)
 				return
 			}
@@ -694,17 +520,21 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 
 	switch {
 	case sErr != nil && errors.Is(sErr, errNotUsingTailscale):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && errors.Is(sErr, errNotOwner):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_not_owner", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && errors.Is(sErr, errTaggedLocalSource):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local_tag", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && errors.Is(sErr, errTaggedRemoteSource):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote_tag", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && !errors.Is(sErr, errNoSession):
 		// Any other error.
 		http.Error(w, sErr.Error(), http.StatusInternalServerError)
@@ -715,26 +545,16 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 		} else {
 			s.lc.IncrementCounter(r.Context(), "web_client_managing_remote", 1)
 		}
-		// User has a valid session. They're now authorized to edit if they
-		// have any edit capabilities. In practice, they won't be sent through
-		// the auth flow if they don't have edit caps, but their ACL granted
-		// permissions may change at any time. The frontend views and backend
-		// endpoints are always restricted to their current capabilities in
-		// addition to a valid session.
-		//
-		// But, we also check the caps here for a better user experience on
-		// the frontend login toggle, which uses resp.Authorized to display
-		// "viewing" vs "managing" copy. If they don't have caps, we want to
-		// display "viewing" even if they have a valid session.
-		resp.Authorized = !caps.isEmpty()
+		resp.CanManageNode = true
+		resp.AuthNeeded = ""
 	default:
+		// whois being nil implies local as the request did not come over Tailscale
 		if whois == nil || (whois.Node.StableID == status.Self.ID) {
-			// whois being nil implies local as the request did not come over Tailscale.
 			s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
 		} else {
 			s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote", 1)
 		}
-		resp.Authorized = false // not yet authorized
+		resp.AuthNeeded = tailscaleAuth
 	}
 
 	writeJSON(w, resp)
@@ -798,6 +618,32 @@ func (s *Server) serveAPIAuthSessionWait(w http.ResponseWriter, r *http.Request)
 	}
 }
 
+// serveAPI serves requests for the web client api.
+// It should only be called by Server.ServeHTTP, via Server.apiHandler,
+// which protects the handler using gorilla csrf.
+func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
+	path := strings.TrimPrefix(r.URL.Path, "/api")
+	switch {
+	case path == "/data" && r.Method == httpm.GET:
+		s.serveGetNodeData(w, r)
+		return
+	case path == "/exit-nodes" && r.Method == httpm.GET:
+		s.serveGetExitNodes(w, r)
+		return
+	case path == "/routes" && r.Method == httpm.POST:
+		s.servePostRoutes(w, r)
+		return
+	case path == "/device-details-click" && r.Method == httpm.POST:
+		s.serveDeviceDetailsClick(w, r)
+		return
+	case strings.HasPrefix(path, "/local/"):
+		s.proxyRequestToLocalAPI(w, r)
+		return
+	}
+	http.Error(w, "invalid endpoint", http.StatusNotFound)
+}
+
 type nodeData struct {
 	ID          tailcfg.StableNodeID
 	Status      string
@@ -923,10 +769,10 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 			return p == route
 		})
 	}
-	data.AdvertisingExitNodeApproved = routeApproved(tsaddr.AllIPv4()) || routeApproved(tsaddr.AllIPv6())
+	data.AdvertisingExitNodeApproved = routeApproved(exitNodeRouteV4) || routeApproved(exitNodeRouteV6)
 
 	for _, r := range prefs.AdvertiseRoutes {
-		if tsaddr.IsExitRoute(r) {
+		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			data.AdvertisingExitNode = true
 		} else {
 			data.AdvertisedRoutes = append(data.AdvertisedRoutes, subnetRoute{
@@ -961,16 +807,37 @@ func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
 }
 
 func availableFeatures() map[string]bool {
+	env := hostinfo.GetEnvType()
 	features := map[string]bool{
 		"advertise-exit-node": true, // available on all platforms
 		"advertise-routes":    true, // available on all platforms
-		"use-exit-node":       featureknob.CanUseExitNode() == nil,
-		"ssh":                 featureknob.CanRunTailscaleSSH() == nil,
+		"use-exit-node":       canUseExitNode(env) == nil,
+		"ssh":                 envknob.CanRunTailscaleSSH() == nil,
 		"auto-update":         version.IsUnstableBuild() && clientupdate.CanAutoUpdate(),
 	}
+	if env == hostinfo.HomeAssistantAddOn {
+		// Setting SSH on Home Assistant causes trouble on startup
+		// (since the flag is not being passed to `tailscale up`).
+		// Although Tailscale SSH does work here,
+		// it's not terribly useful since it's running in a separate container.
+		features["ssh"] = false
+	}
 	return features
 }
 
+func canUseExitNode(env hostinfo.EnvType) error {
+	switch dist := distro.Get(); dist {
+	case distro.Synology, // see https://github.com/tailscale/tailscale/issues/1995
+		distro.QNAP,
+		distro.Unraid:
+		return fmt.Errorf("Tailscale exit nodes cannot be used on %s.", dist)
+	}
+	if env == hostinfo.HomeAssistantAddOn {
+		return errors.New("Tailscale exit nodes cannot be used on Home Assistant.")
+	}
+	return nil
+}
+
 // aclsAllowAccess returns whether tailnet ACLs (as expressed in the provided filter rules)
 // permit any devices to access the local web client.
 // This does not currently check whether a specific device can connect, just any device.
@@ -1013,23 +880,6 @@ func (s *Server) serveGetExitNodes(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, exitNodes)
 }
 
-// maskedPrefs is the subset of ipn.MaskedPrefs that are
-// allowed to be editable via the web UI.
-type maskedPrefs struct {
-	RunSSHSet bool
-	RunSSH    bool
-}
-
-func (s *Server) serveUpdatePrefs(ctx context.Context, prefs maskedPrefs) error {
-	_, err := s.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
-		RunSSHSet: prefs.RunSSHSet,
-		Prefs: ipn.Prefs{
-			RunSSH: prefs.RunSSH,
-		},
-	})
-	return err
-}
-
 type postRoutesRequest struct {
 	SetExitNode       bool // when set, UseExitNode and AdvertiseExitNode values are applied
 	SetRoutes         bool // when set, AdvertiseRoutes value is applied
@@ -1038,15 +888,23 @@ type postRoutesRequest struct {
 	AdvertiseRoutes   []string
 }
 
-func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) error {
-	prefs, err := s.lc.GetPrefs(ctx)
+func (s *Server) servePostRoutes(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+
+	var data postRoutesRequest
+	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	prefs, err := s.lc.GetPrefs(r.Context())
 	if err != nil {
-		return err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
 	var currNonExitRoutes []string
 	var currAdvertisingExitNode bool
 	for _, r := range prefs.AdvertiseRoutes {
-		if tsaddr.IsExitRoute(r) {
+		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			currAdvertisingExitNode = true
 			continue
 		}
@@ -1064,11 +922,18 @@ func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) er
 	routesStr := strings.Join(data.AdvertiseRoutes, ",")
 	routes, err := netutil.CalcAdvertiseRoutes(routesStr, data.AdvertiseExitNode)
 	if err != nil {
-		return err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
 
-	if !data.UseExitNode.IsZero() && tsaddr.ContainsExitRoutes(views.SliceOf(routes)) {
-		return errors.New("cannot use and advertise exit node at same time")
+	hasExitNodeRoute := func(all []netip.Prefix) bool {
+		return slices.Contains(all, exitNodeRouteV4) ||
+			slices.Contains(all, exitNodeRouteV6)
+	}
+
+	if !data.UseExitNode.IsZero() && hasExitNodeRoute(routes) {
+		http.Error(w, "cannot use and advertise exit node at same time", http.StatusBadRequest)
+		return
 	}
 
 	// Make prefs update.
@@ -1080,8 +945,12 @@ func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) er
 			AdvertiseRoutes: routes,
 		},
 	}
-	_, err = s.lc.EditPrefs(ctx, p)
-	return err
+	if _, err := s.lc.EditPrefs(r.Context(), p); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
 }
 
 // tailscaleUp starts the daemon with the provided options.
@@ -1126,15 +995,7 @@ func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, opt tails
 		if !isRunning {
 			ipnOptions := ipn.Options{AuthKey: opt.AuthKey}
 			if opt.ControlURL != "" {
-				_, err := s.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
-					Prefs: ipn.Prefs{
-						ControlURL: opt.ControlURL,
-					},
-					ControlURLSet: true,
-				})
-				if err != nil {
-					s.logf("edit prefs: %v", err)
-				}
+				ipnOptions.UpdatePrefs = &ipn.Prefs{ControlURL: opt.ControlURL}
 			}
 			if err := s.lc.Start(ctx, ipnOptions); err != nil {
 				s.logf("start: %v", err)
@@ -1228,12 +1089,26 @@ func (s *Server) serveDeviceDetailsClick(w http.ResponseWriter, r *http.Request)
 //
 // The web API request path is expected to exactly match a localapi path,
 // with prefix /api/local/ rather than /localapi/.
+//
+// If the localapi path is not included in localapiAllowlist,
+// the request is rejected.
 func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request) {
 	path := strings.TrimPrefix(r.URL.Path, "/api/local")
 	if r.URL.Path == path { // missing prefix
 		http.Error(w, "invalid request", http.StatusBadRequest)
 		return
 	}
+	if r.Method == httpm.PATCH {
+		// enforce that PATCH requests are always application/json
+		if ct := r.Header.Get("Content-Type"); ct != "application/json" {
+			http.Error(w, "invalid request", http.StatusBadRequest)
+			return
+		}
+	}
+	if !slices.Contains(localapiAllowlist, path) {
+		http.Error(w, fmt.Sprintf("%s not allowed from localapi proxy", path), http.StatusForbidden)
+		return
+	}
 
 	localAPIURL := "http://" + apitype.LocalAPIHost + "/localapi" + path
 	req, err := http.NewRequestWithContext(r.Context(), r.Method, localAPIURL, r.Body)
@@ -1258,6 +1133,21 @@ func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request)
 	}
 }
 
+// localapiAllowlist is an allowlist of localapi endpoints the
+// web client is allowed to proxy to the client's localapi.
+//
+// Rather than exposing all localapi endpoints over the proxy,
+// this limits to just the ones actually used from the web
+// client frontend.
+var localapiAllowlist = []string{
+	"/v0/logout",
+	"/v0/prefs",
+	"/v0/update/check",
+	"/v0/update/install",
+	"/v0/update/progress",
+	"/v0/upload-client-metrics",
+}
+
 // csrfKey returns a key that can be used for CSRF protection.
 // If an error occurs during key creation, the error is logged and the active process terminated.
 // If the server is running in CGI mode, the key is cached to disk and reused between requests.

client/web/web_test.go

@@ -4,7 +4,6 @@
 package web
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -87,172 +86,75 @@ func TestQnapAuthnURL(t *testing.T) {
 
 // TestServeAPI tests the web client api's handling of
 //  1. invalid endpoint errors
-//  2. permissioning of api endpoints based on node capabilities
+//  2. localapi proxy allowlist
 func TestServeAPI(t *testing.T) {
-	selfTags := views.SliceOf([]string{"tag:server"})
-	self := &ipnstate.PeerStatus{ID: "self", Tags: &selfTags}
-	prefs := &ipn.Prefs{}
-
-	remoteUser := &tailcfg.UserProfile{ID: tailcfg.UserID(1)}
-	remoteIPWithAllCapabilities := "100.100.100.101"
-	remoteIPWithNoCapabilities := "100.100.100.102"
-
 	lal := memnet.Listen("local-tailscaled.sock:80")
 	defer lal.Close()
-	localapi := mockLocalAPI(t,
-		map[string]*apitype.WhoIsResponse{
-			remoteIPWithAllCapabilities: {
-				Node:        &tailcfg.Node{StableID: "node1"},
-				UserProfile: remoteUser,
-				CapMap:      tailcfg.PeerCapMap{tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{"{\"canEdit\":[\"*\"]}"}},
-			},
-			remoteIPWithNoCapabilities: {
-				Node:        &tailcfg.Node{StableID: "node2"},
-				UserProfile: remoteUser,
-			},
-		},
-		func() *ipnstate.PeerStatus { return self },
-		func() *ipn.Prefs { return prefs },
-		nil,
-	)
+	// Serve dummy localapi. Just returns "success".
+	localapi := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "success")
+	})}
 	defer localapi.Close()
+
 	go localapi.Serve(lal)
-
-	s := &Server{
-		mode:    ManageServerMode,
-		lc:      &tailscale.LocalClient{Dial: lal.Dial},
-		timeNow: time.Now,
-	}
-
-	type requestTest struct {
-		remoteIP     string
-		wantResponse string
-		wantStatus   int
-	}
+	s := &Server{lc: &tailscale.LocalClient{Dial: lal.Dial}}
 
 	tests := []struct {
-		reqPath        string
+		name           string
 		reqMethod      string
+		reqPath        string
 		reqContentType string
-		reqBody        string
-		tests          []requestTest
+		wantResp       string
+		wantStatus     int
 	}{{
-		reqPath:   "/not-an-endpoint",
-		reqMethod: httpm.POST,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}},
+		name:       "invalid_endpoint",
+		reqMethod:  httpm.POST,
+		reqPath:    "/not-an-endpoint",
+		wantResp:   "invalid endpoint",
+		wantStatus: http.StatusNotFound,
 	}, {
-		reqPath:   "/local/v0/not-an-endpoint",
-		reqMethod: httpm.POST,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}},
+		name:       "not_in_localapi_allowlist",
+		reqMethod:  httpm.POST,
+		reqPath:    "/local/v0/not-allowlisted",
+		wantResp:   "/v0/not-allowlisted not allowed from localapi proxy",
+		wantStatus: http.StatusForbidden,
 	}, {
-		reqPath:   "/local/v0/logout",
-		reqMethod: httpm.POST,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "not allowed", // requesting node has insufficient permissions
-			wantStatus:   http.StatusUnauthorized,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "success", // requesting node has sufficient permissions
-			wantStatus:   http.StatusOK,
-		}},
+		name:       "in_localapi_allowlist",
+		reqMethod:  httpm.POST,
+		reqPath:    "/local/v0/logout",
+		wantResp:   "success", // Successfully allowed to hit localapi.
+		wantStatus: http.StatusOK,
 	}, {
-		reqPath:   "/exit-nodes",
-		reqMethod: httpm.GET,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "null",
-			wantStatus:   http.StatusOK, // allowed, no additional capabilities required
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "null",
-			wantStatus:   http.StatusOK,
-		}},
-	}, {
-		reqPath:   "/routes",
-		reqMethod: httpm.POST,
-		reqBody:   "{\"setExitNode\":true}",
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "not allowed",
-			wantStatus:   http.StatusUnauthorized,
-		}, {
-			remoteIP:   remoteIPWithAllCapabilities,
-			wantStatus: http.StatusOK,
-		}},
-	}, {
-		reqPath:        "/local/v0/prefs",
+		name:           "patch_bad_contenttype",
 		reqMethod:      httpm.PATCH,
-		reqBody:        "{\"runSSHSet\":true}",
-		reqContentType: "application/json",
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "not allowed",
-			wantStatus:   http.StatusUnauthorized,
-		}, {
-			remoteIP:   remoteIPWithAllCapabilities,
-			wantStatus: http.StatusOK,
-		}},
-	}, {
 		reqPath:        "/local/v0/prefs",
-		reqMethod:      httpm.PATCH,
 		reqContentType: "multipart/form-data",
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "invalid request",
-			wantStatus:   http.StatusBadRequest,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "invalid request",
-			wantStatus:   http.StatusBadRequest,
-		}},
+		wantResp:       "invalid request",
+		wantStatus:     http.StatusBadRequest,
 	}}
 	for _, tt := range tests {
-		for _, req := range tt.tests {
-			t.Run(req.remoteIP+"_requesting_"+tt.reqPath, func(t *testing.T) {
-				var reqBody io.Reader
-				if tt.reqBody != "" {
-					reqBody = bytes.NewBuffer([]byte(tt.reqBody))
-				}
-				r := httptest.NewRequest(tt.reqMethod, "/api"+tt.reqPath, reqBody)
-				r.RemoteAddr = req.remoteIP
-				if tt.reqContentType != "" {
-					r.Header.Add("Content-Type", tt.reqContentType)
-				}
-				w := httptest.NewRecorder()
+		t.Run(tt.name, func(t *testing.T) {
+			r := httptest.NewRequest(tt.reqMethod, "/api"+tt.reqPath, nil)
+			if tt.reqContentType != "" {
+				r.Header.Add("Content-Type", tt.reqContentType)
+			}
+			w := httptest.NewRecorder()
 
-				s.serveAPI(w, r)
-				res := w.Result()
-				defer res.Body.Close()
-				if gotStatus := res.StatusCode; req.wantStatus != gotStatus {
-					t.Errorf("wrong status; want=%v, got=%v", req.wantStatus, gotStatus)
-				}
-				body, err := io.ReadAll(res.Body)
-				if err != nil {
-					t.Fatal(err)
-				}
-				gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
-				if req.wantResponse != gotResp {
-					t.Errorf("wrong response; want=%q, got=%q", req.wantResponse, gotResp)
-				}
-			})
-		}
+			s.serveAPI(w, r)
+			res := w.Result()
+			defer res.Body.Close()
+			if gotStatus := res.StatusCode; tt.wantStatus != gotStatus {
+				t.Errorf("wrong status; want=%v, got=%v", tt.wantStatus, gotStatus)
+			}
+			body, err := io.ReadAll(res.Body)
+			if err != nil {
+				t.Fatal(err)
+			}
+			gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
+			if tt.wantResp != gotResp {
+				t.Errorf("wrong response; want=%q, got=%q", tt.wantResp, gotResp)
+			}
+		})
 	}
 }
 
@@ -622,7 +524,7 @@ func TestServeAuth(t *testing.T) {
 			name:          "no-session",
 			path:          "/api/auth",
 			wantStatus:    http.StatusOK,
-			wantResp:      &authResponse{ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:      &authResponse{AuthNeeded: tailscaleAuth, ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantNewCookie: false,
 			wantSession:   nil,
 		},
@@ -647,7 +549,7 @@ func TestServeAuth(t *testing.T) {
 			path:       "/api/auth",
 			cookie:     successCookie,
 			wantStatus: http.StatusOK,
-			wantResp:   &authResponse{ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:   &authResponse{AuthNeeded: tailscaleAuth, ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantSession: &browserSession{
 				ID:            successCookie,
 				SrcNode:       remoteNode.Node.ID,
@@ -695,7 +597,7 @@ func TestServeAuth(t *testing.T) {
 			path:       "/api/auth",
 			cookie:     successCookie,
 			wantStatus: http.StatusOK,
-			wantResp:   &authResponse{Authorized: true, ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:   &authResponse{CanManageNode: true, ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantSession: &browserSession{
 				ID:            successCookie,
 				SrcNode:       remoteNode.Node.ID,
@@ -1219,10 +1121,9 @@ func TestPeerCapabilities(t *testing.T) {
 			status: userOwnedStatus,
 			whois: &apitype.WhoIsResponse{
 				UserProfile: &tailcfg.UserProfile{ID: tailcfg.UserID(2)},
-				Node:        &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
 					},
 				},
 			},
@@ -1233,10 +1134,9 @@ func TestPeerCapabilities(t *testing.T) {
 			status: userOwnedStatus,
 			whois: &apitype.WhoIsResponse{
 				UserProfile: &tailcfg.UserProfile{ID: tailcfg.UserID(1)},
-				Node:        &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
 					},
 				},
 			},
@@ -1246,7 +1146,6 @@ func TestPeerCapabilities(t *testing.T) {
 			name:   "tag-owned-no-webui-caps",
 			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityDebugPeer: []tailcfg.RawMessage{},
 				},
@@ -1257,71 +1156,68 @@ func TestPeerCapabilities(t *testing.T) {
 			name:   "tag-owned-one-webui-cap",
 			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:     true,
-				capFeatureSubnets: true,
+				capFeatureSSH:    true,
+				capFeatureSubnet: true,
 			},
 		},
 		{
 			name:   "tag-owned-multiple-webui-cap",
 			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
-						"{\"canEdit\":[\"subnets\",\"exitnodes\",\"*\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
+						"{\"canEdit\":[\"subnet\",\"exitnode\",\"*\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:       true,
-				capFeatureSubnets:   true,
-				capFeatureExitNodes: true,
-				capFeatureAll:       true,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   true,
+				capFeatureExitNode: true,
+				capFeatureAll:      true,
 			},
 		},
 		{
 			name:   "tag-owned-case-insensitive-caps",
 			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"SSH\",\"sUBnets\"]}",
+						"{\"canEdit\":[\"SSH\",\"sUBnet\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:     true,
-				capFeatureSubnets: true,
+				capFeatureSSH:    true,
+				capFeatureSubnet: true,
 			},
 		},
 		{
-			name:   "tag-owned-random-canEdit-contents-get-dropped",
+			name:   "tag-owned-random-canEdit-contents-dont-error",
 			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
 						"{\"canEdit\":[\"unknown-feature\"]}",
 					},
 				},
 			},
-			wantCaps: peerCapabilities{},
+			wantCaps: peerCapabilities{
+				"unknown-feature": true,
+			},
 		},
 		{
 			name:   "tag-owned-no-canEdit-section",
 			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
 						"{\"canDoSomething\":[\"*\"]}",
@@ -1330,19 +1226,6 @@ func TestPeerCapabilities(t *testing.T) {
 			},
 			wantCaps: peerCapabilities{},
 		},
-		{
-			name:   "tagged-source-caps-ignored",
-			status: tagOwnedStatus,
-			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1), Tags: tags.AsSlice()},
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{},
-		},
 	}
 	for _, tt := range toPeerCapsTests {
 		t.Run("toPeerCapabilities-"+tt.name, func(t *testing.T) {
@@ -1366,33 +1249,36 @@ func TestPeerCapabilities(t *testing.T) {
 			name: "empty-caps",
 			caps: nil,
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:       false,
-				capFeatureSSH:       false,
-				capFeatureSubnets:   false,
-				capFeatureExitNodes: false,
-				capFeatureAccount:   false,
+				capFeatureAll:      false,
+				capFeatureFunnel:   false,
+				capFeatureSSH:      false,
+				capFeatureSubnet:   false,
+				capFeatureExitNode: false,
+				capFeatureAccount:  false,
 			},
 		},
 		{
 			name: "some-caps",
 			caps: peerCapabilities{capFeatureSSH: true, capFeatureAccount: true},
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:       false,
-				capFeatureSSH:       true,
-				capFeatureSubnets:   false,
-				capFeatureExitNodes: false,
-				capFeatureAccount:   true,
+				capFeatureAll:      false,
+				capFeatureFunnel:   false,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   false,
+				capFeatureExitNode: false,
+				capFeatureAccount:  true,
 			},
 		},
 		{
 			name: "wildcard-in-caps",
 			caps: peerCapabilities{capFeatureAll: true, capFeatureAccount: true},
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:       true,
-				capFeatureSSH:       true,
-				capFeatureSubnets:   true,
-				capFeatureExitNodes: true,
-				capFeatureAccount:   true,
+				capFeatureAll:      true,
+				capFeatureFunnel:   true,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   true,
+				capFeatureExitNode: true,
+				capFeatureAccount:  true,
 			},
 		},
 	}
@@ -1453,9 +1339,6 @@ func mockLocalAPI(t *testing.T, whoIs map[string]*apitype.WhoIsResponse, self fu
 			metricCapture(metricNames[0].Name)
 			writeJSON(w, struct{}{})
 			return
-		case "/localapi/v0/logout":
-			fmt.Fprintf(w, "success")
-			return
 		default:
 			t.Fatalf("unhandled localapi test endpoint %q, add to localapi handler func in test", r.URL.Path)
 		}

client/web/yarn.lock

@@ -20,7 +20,23 @@
     "@jridgewell/gen-mapping" "^0.3.0"
     "@jridgewell/trace-mapping" "^0.3.9"
 
-"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.22.13", "@babel/code-frame@^7.23.4":
+"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.22.10", "@babel/code-frame@^7.22.5":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.22.10.tgz#1c20e612b768fefa75f6e90d6ecb86329247f0a3"
+  integrity sha512-/KKIMG4UEL35WmI9OlvMhurwtytjvXoFcGNrOvyG9zIzA8YmPjVtIZUf7b05+TPO7G7/GEmLHDaoCgACHl9hhA==
+  dependencies:
+    "@babel/highlight" "^7.22.10"
+    chalk "^2.4.2"
+
+"@babel/code-frame@^7.22.13":
+  version "7.22.13"
+  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.22.13.tgz#e3c1c099402598483b7a8c46a721d1038803755e"
+  integrity sha512-XktuhWlJ5g+3TJXc5upd9Ks1HutSArik6jf2eAjYFyIOf4ej3RN+184cZbzDvbPnuTJIUhPKKJE3cIsYTiAT3w==
+  dependencies:
+    "@babel/highlight" "^7.22.13"
+    chalk "^2.4.2"
+
+"@babel/code-frame@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.23.4.tgz#03ae5af150be94392cb5c7ccd97db5a19a5da6aa"
   integrity sha512-r1IONyb6Ia+jYR2vvIDhdWdlTGhqbBoFqLTQidzZ4kepUFH15ejXvFHxCVbtl7BOXIudsIubf4E81xeA3h3IXA==
@@ -28,12 +44,17 @@
     "@babel/highlight" "^7.23.4"
     chalk "^2.4.2"
 
-"@babel/compat-data@^7.22.6", "@babel/compat-data@^7.22.9", "@babel/compat-data@^7.23.3":
+"@babel/compat-data@^7.22.6", "@babel/compat-data@^7.23.3":
   version "7.23.3"
   resolved "https://registry.yarnpkg.com/@babel/compat-data/-/compat-data-7.23.3.tgz#3febd552541e62b5e883a25eb3effd7c7379db11"
   integrity sha512-BmR4bWbDIoFJmJ9z2cZ8Gmm2MXgEDgjdWgpKmKWUt54UGFJdlj31ECtbaDvCG/qVdG3AQ1SfpZEs01lUFbzLOQ==
 
-"@babel/core@^7.16.0", "@babel/core@^7.21.3":
+"@babel/compat-data@^7.22.9":
+  version "7.22.9"
+  resolved "https://registry.yarnpkg.com/@babel/compat-data/-/compat-data-7.22.9.tgz#71cdb00a1ce3a329ce4cbec3a44f9fef35669730"
+  integrity sha512-5UamI7xkUcJ3i9qVDS+KFDEK8/7oJ55/sJMB1Ge7IEapr7KfdfV/HErR+koZwOfd+SgtFKOKRhRakdg++DcJpQ==
+
+"@babel/core@^7.16.0":
   version "7.23.3"
   resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.3.tgz#5ec09c8803b91f51cc887dedc2654a35852849c9"
   integrity sha512-Jg+msLuNuCJDyBvFv5+OKOUjWMZgd85bKjbICd3zWrKAo+bJ49HJufi7CQE0q0uR8NGyO6xkCACScNqyjHSZew==
@@ -54,6 +75,27 @@
     json5 "^2.2.3"
     semver "^6.3.1"
 
+"@babel/core@^7.21.3":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.22.10.tgz#aad442c7bcd1582252cb4576747ace35bc122f35"
+  integrity sha512-fTmqbbUBAwCcre6zPzNngvsI0aNrPZe77AeqvDxWM9Nm+04RrJ3CAmGHA9f7lJQY6ZMhRztNemy4uslDxTX4Qw==
+  dependencies:
+    "@ampproject/remapping" "^2.2.0"
+    "@babel/code-frame" "^7.22.10"
+    "@babel/generator" "^7.22.10"
+    "@babel/helper-compilation-targets" "^7.22.10"
+    "@babel/helper-module-transforms" "^7.22.9"
+    "@babel/helpers" "^7.22.10"
+    "@babel/parser" "^7.22.10"
+    "@babel/template" "^7.22.5"
+    "@babel/traverse" "^7.22.10"
+    "@babel/types" "^7.22.10"
+    convert-source-map "^1.7.0"
+    debug "^4.1.0"
+    gensync "^1.0.0-beta.2"
+    json5 "^2.2.2"
+    semver "^6.3.1"
+
 "@babel/eslint-parser@^7.16.3":
   version "7.23.3"
   resolved "https://registry.yarnpkg.com/@babel/eslint-parser/-/eslint-parser-7.23.3.tgz#7bf0db1c53b54da0c8a12627373554a0828479ca"
@@ -63,6 +105,26 @@
     eslint-visitor-keys "^2.1.0"
     semver "^6.3.1"
 
+"@babel/generator@^7.22.10":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.22.10.tgz#c92254361f398e160645ac58831069707382b722"
+  integrity sha512-79KIf7YiWjjdZ81JnLujDRApWtl7BxTqWD88+FFdQEIOG8LJ0etDOM7CXuIgGJa55sGOwZVwuEsaLEm0PJ5/+A==
+  dependencies:
+    "@babel/types" "^7.22.10"
+    "@jridgewell/gen-mapping" "^0.3.2"
+    "@jridgewell/trace-mapping" "^0.3.17"
+    jsesc "^2.5.1"
+
+"@babel/generator@^7.23.0":
+  version "7.23.0"
+  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.0.tgz#df5c386e2218be505b34837acbcb874d7a983420"
+  integrity sha512-lN85QRR+5IbYrMWM6Y4pE/noaQtg4pNiqeNGX60eqOfo6gtEj6uw/JagelB8vVztSd7R6M5n1+PQkDbHbBRU4g==
+  dependencies:
+    "@babel/types" "^7.23.0"
+    "@jridgewell/gen-mapping" "^0.3.2"
+    "@jridgewell/trace-mapping" "^0.3.17"
+    jsesc "^2.5.1"
+
 "@babel/generator@^7.23.3", "@babel/generator@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.4.tgz#4a41377d8566ec18f807f42962a7f3551de83d1c"
@@ -87,6 +149,17 @@
   dependencies:
     "@babel/types" "^7.22.15"
 
+"@babel/helper-compilation-targets@^7.22.10":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/helper-compilation-targets/-/helper-compilation-targets-7.22.10.tgz#01d648bbc25dd88f513d862ee0df27b7d4e67024"
+  integrity sha512-JMSwHD4J7SLod0idLq5PKgI+6g/hLD/iuWBq08ZX49xE14VpVEojJ5rHWptpirV2j020MvypRLAXAO50igCJ5Q==
+  dependencies:
+    "@babel/compat-data" "^7.22.9"
+    "@babel/helper-validator-option" "^7.22.5"
+    browserslist "^4.21.9"
+    lru-cache "^5.1.1"
+    semver "^6.3.1"
+
 "@babel/helper-compilation-targets@^7.22.15", "@babel/helper-compilation-targets@^7.22.6":
   version "7.22.15"
   resolved "https://registry.yarnpkg.com/@babel/helper-compilation-targets/-/helper-compilation-targets-7.22.15.tgz#0698fc44551a26cf29f18d4662d5bf545a6cfc52"
@@ -133,11 +206,16 @@
     lodash.debounce "^4.0.8"
     resolve "^1.14.2"
 
-"@babel/helper-environment-visitor@^7.22.20", "@babel/helper-environment-visitor@^7.22.5":
+"@babel/helper-environment-visitor@^7.22.20":
   version "7.22.20"
   resolved "https://registry.yarnpkg.com/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.20.tgz#96159db61d34a29dba454c959f5ae4a649ba9167"
   integrity sha512-zfedSIzFhat/gFhWfHtgWvlec0nqB9YEIVrpuwjruLlXfUSnA8cJB0miHKwqDnQ7d32aKo2xt88/xZptwxbfhA==
 
+"@babel/helper-environment-visitor@^7.22.5":
+  version "7.22.5"
+  resolved "https://registry.yarnpkg.com/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.5.tgz#f06dd41b7c1f44e1f8da6c4055b41ab3a09a7e98"
+  integrity sha512-XGmhECfVA/5sAt+H+xpSg0mfrHq6FzNr9Oxh7PSEBBRUb/mL7Kz3NICXb194rCqAEdxkhPT1a88teizAFyvk8Q==
+
 "@babel/helper-function-name@^7.22.5", "@babel/helper-function-name@^7.23.0":
   version "7.23.0"
   resolved "https://registry.yarnpkg.com/@babel/helper-function-name/-/helper-function-name-7.23.0.tgz#1f9a3cdbd5b2698a670c30d2735f9af95ed52759"
@@ -167,6 +245,24 @@
   dependencies:
     "@babel/types" "^7.22.15"
 
+"@babel/helper-module-imports@^7.22.5":
+  version "7.22.5"
+  resolved "https://registry.yarnpkg.com/@babel/helper-module-imports/-/helper-module-imports-7.22.5.tgz#1a8f4c9f4027d23f520bd76b364d44434a72660c"
+  integrity sha512-8Dl6+HD/cKifutF5qGd/8ZJi84QeAKh+CEe1sBzz8UayBBGg1dAIJrdHOcOM5b2MpzWL2yuotJTtGjETq0qjXg==
+  dependencies:
+    "@babel/types" "^7.22.5"
+
+"@babel/helper-module-transforms@^7.22.9":
+  version "7.22.9"
+  resolved "https://registry.yarnpkg.com/@babel/helper-module-transforms/-/helper-module-transforms-7.22.9.tgz#92dfcb1fbbb2bc62529024f72d942a8c97142129"
+  integrity sha512-t+WA2Xn5K+rTeGtC8jCsdAH52bjggG5TKRuRrAGNM/mjIbO4GxvlLMFOEz9wXY5I2XQ60PMFsAG2WIcG82dQMQ==
+  dependencies:
+    "@babel/helper-environment-visitor" "^7.22.5"
+    "@babel/helper-module-imports" "^7.22.5"
+    "@babel/helper-simple-access" "^7.22.5"
+    "@babel/helper-split-export-declaration" "^7.22.6"
+    "@babel/helper-validator-identifier" "^7.22.5"
+
 "@babel/helper-module-transforms@^7.23.3":
   version "7.23.3"
   resolved "https://registry.yarnpkg.com/@babel/helper-module-transforms/-/helper-module-transforms-7.23.3.tgz#d7d12c3c5d30af5b3c0fcab2a6d5217773e2d0f1"
@@ -229,6 +325,11 @@
   dependencies:
     "@babel/types" "^7.22.5"
 
+"@babel/helper-string-parser@^7.22.5":
+  version "7.22.5"
+  resolved "https://registry.yarnpkg.com/@babel/helper-string-parser/-/helper-string-parser-7.22.5.tgz#533f36457a25814cf1df6488523ad547d784a99f"
+  integrity sha512-mM4COjgZox8U+JcXQwPijIZLElkgEpO5rsERVDJTc2qfCDfERyob6k5WegS14SX18IIjv+XD+GrqNumY5JRCDw==
+
 "@babel/helper-string-parser@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/helper-string-parser/-/helper-string-parser-7.23.4.tgz#9478c707febcbbe1ddb38a3d91a2e054ae622d83"
@@ -239,11 +340,21 @@
   resolved "https://registry.yarnpkg.com/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz#c4ae002c61d2879e724581d96665583dbc1dc0e0"
   integrity sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==
 
+"@babel/helper-validator-identifier@^7.22.5":
+  version "7.22.5"
+  resolved "https://registry.yarnpkg.com/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.5.tgz#9544ef6a33999343c8740fa51350f30eeaaaf193"
+  integrity sha512-aJXu+6lErq8ltp+JhkJUfk1MTGyuA4v7f3pA+BJ5HLfNC6nAQ0Cpi9uOquUj8Hehg0aUiHzWQbOVJGao6ztBAQ==
+
 "@babel/helper-validator-option@^7.22.15":
   version "7.22.15"
   resolved "https://registry.yarnpkg.com/@babel/helper-validator-option/-/helper-validator-option-7.22.15.tgz#694c30dfa1d09a6534cdfcafbe56789d36aba040"
   integrity sha512-bMn7RmyFjY/mdECUbgn9eoSY4vqvacUnS9i9vGAGttgFWesO6B4CYWA7XlpbWgBt71iv/hfbPlynohStqnu5hA==
 
+"@babel/helper-validator-option@^7.22.5":
+  version "7.22.5"
+  resolved "https://registry.yarnpkg.com/@babel/helper-validator-option/-/helper-validator-option-7.22.5.tgz#de52000a15a177413c8234fa3a8af4ee8102d0ac"
+  integrity sha512-R3oB6xlIVKUnxNUxbmgq7pKjxpru24zlimpE8WK47fACIlM0II/Hm1RS8IaOI7NgCr6LNS+jl5l75m20npAziw==
+
 "@babel/helper-wrap-function@^7.22.20":
   version "7.22.20"
   resolved "https://registry.yarnpkg.com/@babel/helper-wrap-function/-/helper-wrap-function-7.22.20.tgz#15352b0b9bfb10fc9c76f79f6342c00e3411a569"
@@ -253,6 +364,15 @@
     "@babel/template" "^7.22.15"
     "@babel/types" "^7.22.19"
 
+"@babel/helpers@^7.22.10":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.22.10.tgz#ae6005c539dfbcb5cd71fb51bfc8a52ba63bc37a"
+  integrity sha512-a41J4NW8HyZa1I1vAndrraTlPZ/eZoga2ZgS7fEr0tZJGVU4xqdE80CEm0CcNjha5EZ8fTBYLKHF0kqDUuAwQw==
+  dependencies:
+    "@babel/template" "^7.22.5"
+    "@babel/traverse" "^7.22.10"
+    "@babel/types" "^7.22.10"
+
 "@babel/helpers@^7.23.2":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.23.4.tgz#7d2cfb969aa43222032193accd7329851facf3c1"
@@ -262,6 +382,24 @@
     "@babel/traverse" "^7.23.4"
     "@babel/types" "^7.23.4"
 
+"@babel/highlight@^7.22.10":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/highlight/-/highlight-7.22.10.tgz#02a3f6d8c1cb4521b2fd0ab0da8f4739936137d7"
+  integrity sha512-78aUtVcT7MUscr0K5mIEnkwxPE0MaxkR5RxRwuHaQ+JuU5AmTPhY+do2mdzVTnIJJpyBglql2pehuBIWHug+WQ==
+  dependencies:
+    "@babel/helper-validator-identifier" "^7.22.5"
+    chalk "^2.4.2"
+    js-tokens "^4.0.0"
+
+"@babel/highlight@^7.22.13":
+  version "7.22.20"
+  resolved "https://registry.yarnpkg.com/@babel/highlight/-/highlight-7.22.20.tgz#4ca92b71d80554b01427815e06f2df965b9c1f54"
+  integrity sha512-dkdMCN3py0+ksCgYmGG8jKeGA/8Tk+gJwSYYlFGxG5lmhfKNoAy004YpLxpS1W2J8m/EK2Ew+yOs9pVRwO89mg==
+  dependencies:
+    "@babel/helper-validator-identifier" "^7.22.20"
+    chalk "^2.4.2"
+    js-tokens "^4.0.0"
+
 "@babel/highlight@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/highlight/-/highlight-7.23.4.tgz#edaadf4d8232e1a961432db785091207ead0621b"
@@ -271,7 +409,17 @@
     chalk "^2.4.2"
     js-tokens "^4.0.0"
 
-"@babel/parser@^7.22.15", "@babel/parser@^7.23.3", "@babel/parser@^7.23.4":
+"@babel/parser@^7.22.10", "@babel/parser@^7.22.5":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.22.10.tgz#e37634f9a12a1716136c44624ef54283cabd3f55"
+  integrity sha512-lNbdGsQb9ekfsnjFGhEiF4hfFqGgfOP3H3d27re3n+CGhNuTSUEQdfWk556sTLNTloczcdM5TYF2LhzmDQKyvQ==
+
+"@babel/parser@^7.22.15", "@babel/parser@^7.23.0":
+  version "7.23.0"
+  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.23.0.tgz#da950e622420bf96ca0d0f2909cdddac3acd8719"
+  integrity sha512-vvPKKdMemU85V9WE/l5wZEmImpCtLqbnTvqDS2U1fJ96KrxoW7KrXhNsNCblQlg8Ck4b85yxdTyelsMUgFUXiw==
+
+"@babel/parser@^7.23.3", "@babel/parser@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.23.4.tgz#409fbe690c333bb70187e2de4021e1e47a026661"
   integrity sha512-vf3Xna6UEprW+7t6EtOmFpHNAuxw3xqPZghy+brsnusscJRW5BMUzzHZc5ICjULee81WeUV2jjakG09MDglJXQ==
@@ -1086,13 +1234,20 @@
   resolved "https://registry.yarnpkg.com/@babel/regjsgen/-/regjsgen-0.8.0.tgz#f0ba69b075e1f05fb2825b7fad991e7adbb18310"
   integrity sha512-x/rqGMdzj+fWZvCOYForTghzbtqPDZ5gPwaoNGHdgDfF2QA/XZbCBp4Moo5scrkAMPhB7z26XM/AaHuIJdgauA==
 
-"@babel/runtime@^7.12.5", "@babel/runtime@^7.13.10", "@babel/runtime@^7.16.3", "@babel/runtime@^7.23.2", "@babel/runtime@^7.8.4":
+"@babel/runtime@^7.12.5", "@babel/runtime@^7.16.3", "@babel/runtime@^7.23.2", "@babel/runtime@^7.8.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.23.4.tgz#36fa1d2b36db873d25ec631dcc4923fdc1cf2e2e"
   integrity sha512-2Yv65nlWnWlSpe3fXEyX5i7fx5kIKo4Qbcj+hMO0odwaneFjfXw5fdum+4yL20O0QiaHpia0cYQ9xpNMqrBwHg==
   dependencies:
     regenerator-runtime "^0.14.0"
 
+"@babel/runtime@^7.13.10":
+  version "7.23.2"
+  resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.23.2.tgz#062b0ac103261d68a966c4c7baf2ae3e62ec3885"
+  integrity sha512-mM8eg4yl5D6i3lu2QKPuPH4FArvJ8KhTofbE7jwMUv9KX5mBvwPAqnV3MlyBNqdp9RyRKP6Yck8TrfYrPvX3bg==
+  dependencies:
+    regenerator-runtime "^0.14.0"
+
 "@babel/template@^7.22.15":
   version "7.22.15"
   resolved "https://registry.yarnpkg.com/@babel/template/-/template-7.22.15.tgz#09576efc3830f0430f4548ef971dde1350ef2f38"
@@ -1102,6 +1257,31 @@
     "@babel/parser" "^7.22.15"
     "@babel/types" "^7.22.15"
 
+"@babel/template@^7.22.5":
+  version "7.22.5"
+  resolved "https://registry.yarnpkg.com/@babel/template/-/template-7.22.5.tgz#0c8c4d944509875849bd0344ff0050756eefc6ec"
+  integrity sha512-X7yV7eiwAxdj9k94NEylvbVHLiVG1nvzCV2EAowhxLTwODV1jl9UzZ48leOC0sH7OnuHrIkllaBgneUykIcZaw==
+  dependencies:
+    "@babel/code-frame" "^7.22.5"
+    "@babel/parser" "^7.22.5"
+    "@babel/types" "^7.22.5"
+
+"@babel/traverse@^7.22.10":
+  version "7.23.2"
+  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.2.tgz#329c7a06735e144a506bdb2cad0268b7f46f4ad8"
+  integrity sha512-azpe59SQ48qG6nu2CzcMLbxUudtN+dOM9kDbUqGq3HXUJRlo7i8fvPoxQUzYgLZ4cMVmuZgm8vvBpNeRhd6XSw==
+  dependencies:
+    "@babel/code-frame" "^7.22.13"
+    "@babel/generator" "^7.23.0"
+    "@babel/helper-environment-visitor" "^7.22.20"
+    "@babel/helper-function-name" "^7.23.0"
+    "@babel/helper-hoist-variables" "^7.22.5"
+    "@babel/helper-split-export-declaration" "^7.22.6"
+    "@babel/parser" "^7.23.0"
+    "@babel/types" "^7.23.0"
+    debug "^4.1.0"
+    globals "^11.1.0"
+
 "@babel/traverse@^7.23.3", "@babel/traverse@^7.23.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.4.tgz#c2790f7edf106d059a0098770fe70801417f3f85"
@@ -1118,7 +1298,25 @@
     debug "^4.1.0"
     globals "^11.1.0"
 
-"@babel/types@^7.21.3", "@babel/types@^7.22.15", "@babel/types@^7.22.19", "@babel/types@^7.22.5", "@babel/types@^7.23.0", "@babel/types@^7.23.3", "@babel/types@^7.23.4", "@babel/types@^7.4.4":
+"@babel/types@^7.21.3", "@babel/types@^7.22.10", "@babel/types@^7.22.5":
+  version "7.22.10"
+  resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.22.10.tgz#4a9e76446048f2c66982d1a989dd12b8a2d2dc03"
+  integrity sha512-obaoigiLrlDZ7TUQln/8m4mSqIW2QFeOrCQc9r+xsaHGNoplVNYlRVpsfE8Vj35GEm2ZH4ZhrNYogs/3fj85kg==
+  dependencies:
+    "@babel/helper-string-parser" "^7.22.5"
+    "@babel/helper-validator-identifier" "^7.22.5"
+    to-fast-properties "^2.0.0"
+
+"@babel/types@^7.22.15", "@babel/types@^7.23.0":
+  version "7.23.0"
+  resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.23.0.tgz#8c1f020c9df0e737e4e247c0619f58c68458aaeb"
+  integrity sha512-0oIyUfKoI3mSqMvsxBdclDwxXKXAUA8v/apZbc+iSyARYou1o8ZGDxbUYyLFoW2arqS2jDGqJuZvv1d/io1axg==
+  dependencies:
+    "@babel/helper-string-parser" "^7.22.5"
+    "@babel/helper-validator-identifier" "^7.22.20"
+    to-fast-properties "^2.0.0"
+
+"@babel/types@^7.22.19", "@babel/types@^7.23.3", "@babel/types@^7.23.4", "@babel/types@^7.4.4":
   version "7.23.4"
   resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.23.4.tgz#7206a1810fc512a7f7f7d4dace4cb4c1c9dbfb8e"
   integrity sha512-7uIFwVYpoplT5jp/kVv6EF93VaJ8H+Yn5IczYiaAi98ajzjfoZfslet/e0sLh+wVBjb2qqIut1b0S26VSafsSQ==
@@ -1247,14 +1445,14 @@
   resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.19.12.tgz#c57c8afbb4054a3ab8317591a0b7320360b444ae"
   integrity sha512-T1QyPSDCyMXaO3pzBkF96E8xMkiRYbUEZADd29SyPGabqxMViNoii+NcK7eWJAEoU6RZyEm5lVSIjTmcdoB9HA==
 
-"@eslint-community/eslint-utils@^4.2.0", "@eslint-community/eslint-utils@^4.4.0":
+"@eslint-community/eslint-utils@^4.2.0":
   version "4.4.0"
   resolved "https://registry.yarnpkg.com/@eslint-community/eslint-utils/-/eslint-utils-4.4.0.tgz#a23514e8fb9af1269d5f7788aa556798d61c6b59"
   integrity sha512-1/sA4dwrzBAyeUoQ6oxahHKmrZvsnLCg4RfxW3ZFGGmQkSNQPFNLV9CUEFQP1x9EYXHTo5p6xdhZM1Ne9p/AfA==
   dependencies:
     eslint-visitor-keys "^3.3.0"
 
-"@eslint-community/regexpp@^4.5.1", "@eslint-community/regexpp@^4.6.1":
+"@eslint-community/regexpp@^4.4.0", "@eslint-community/regexpp@^4.6.1":
   version "4.10.0"
   resolved "https://registry.yarnpkg.com/@eslint-community/regexpp/-/regexpp-4.10.0.tgz#548f6de556857c8bb73bbee70c35dc82a2e74d63"
   integrity sha512-Cu96Sd2By9mCNTx2iyKOmq10v22jUVQv0lQnlGNy16oE9589yE+QADPbrMGCkA51cKZSg3Pu/aTJVTGfL/qjUA==
@@ -1865,12 +2063,17 @@
   resolved "https://registry.yarnpkg.com/@swc/types/-/types-0.1.5.tgz#043b731d4f56a79b4897a3de1af35e75d56bc63a"
   integrity sha512-myfUej5naTBWnqOCc/MdVOLVjXUXtIA+NpDrDBKJtLLg2shUjBu3cZmB/85RyitKc55+lUUyl7oRfLOvkr2hsw==
 
-"@types/estree@1.0.5", "@types/estree@^1.0.0":
+"@types/estree@1.0.5":
   version "1.0.5"
   resolved "https://registry.yarnpkg.com/@types/estree/-/estree-1.0.5.tgz#a6ce3e556e00fd9895dd872dd172ad0d4bd687f4"
   integrity sha512-/kYRxGDLWzHOB7q+wtSUQlFrtcdUccpfy+X+9iMBpHK8QLLhx2wIPYuS5DYtR9Wa/YlZAbIovy7qVdB1Aq6Lyw==
 
-"@types/json-schema@^7.0.12", "@types/json-schema@^7.0.9":
+"@types/estree@^1.0.0":
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/@types/estree/-/estree-1.0.1.tgz#aa22750962f3bf0e79d753d3cc067f010c95f194"
+  integrity sha512-LG4opVs2ANWZ1TJoKc937iMmNstM/d0ae1vNbnBvBhqCSezgVUOzcLCqbI5elV8Vy6WKwKjaqR+zO9VKirBBCA==
+
+"@types/json-schema@^7.0.9":
   version "7.0.15"
   resolved "https://registry.yarnpkg.com/@types/json-schema/-/json-schema-7.0.15.tgz#596a1747233694d50f6ad8a7869fcb6f56cf5841"
   integrity sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==
@@ -1918,27 +2121,26 @@
   resolved "https://registry.yarnpkg.com/@types/scheduler/-/scheduler-0.16.3.tgz#cef09e3ec9af1d63d2a6cc5b383a737e24e6dcf5"
   integrity sha512-5cJ8CB4yAx7BH1oMvdU0Jh9lrEXyPkar6F9G/ERswkCuvP4KQZfZkSjcMbAICCpQTN4OuZn8tz0HiKv9TGZgrQ==
 
-"@types/semver@^7.3.12", "@types/semver@^7.5.0":
-  version "7.5.8"
-  resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.5.8.tgz#8268a8c57a3e4abd25c165ecd36237db7948a55e"
-  integrity sha512-I8EUhyrgfLrcTkzV3TSsGyl1tSuPrEDzr0yd5m90UgNxQkyDXULk3b6MlQqTCpZpNtWe1K0hzclnZkTcLBe2UQ==
+"@types/semver@^7.3.12":
+  version "7.5.6"
+  resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.5.6.tgz#c65b2bfce1bec346582c07724e3f8c1017a20339"
+  integrity sha512-dn1l8LaMea/IjDoHNd9J52uBbInB796CDffS6VdIxvqYCPSG0V0DzHp76GpaWnlhg88uYyPbXCDIowa86ybd5A==
 
-"@typescript-eslint/eslint-plugin@^5.5.0", "@typescript-eslint/eslint-plugin@^6.2.1":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.21.0.tgz#30830c1ca81fd5f3c2714e524c4303e0194f9cd3"
-  integrity sha512-oy9+hTPCUFpngkEZUSzbf9MxI65wbKFoQYsgPdILTfbUldp5ovUuphZVe4i30emU9M/kP+T64Di0mxl7dSw3MA==
+"@typescript-eslint/eslint-plugin@^5.5.0":
+  version "5.62.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.62.0.tgz#aeef0328d172b9e37d9bab6dbc13b87ed88977db"
+  integrity sha512-TiZzBSJja/LbhNPvk6yc0JrX9XqhQ0hdh6M2svYfsHGejaKFIAGd9MQ+ERIMzLGlN/kZoYIgdxFV0PuljTKXag==
   dependencies:
-    "@eslint-community/regexpp" "^4.5.1"
-    "@typescript-eslint/scope-manager" "6.21.0"
-    "@typescript-eslint/type-utils" "6.21.0"
-    "@typescript-eslint/utils" "6.21.0"
-    "@typescript-eslint/visitor-keys" "6.21.0"
+    "@eslint-community/regexpp" "^4.4.0"
+    "@typescript-eslint/scope-manager" "5.62.0"
+    "@typescript-eslint/type-utils" "5.62.0"
+    "@typescript-eslint/utils" "5.62.0"
     debug "^4.3.4"
     graphemer "^1.4.0"
-    ignore "^5.2.4"
-    natural-compare "^1.4.0"
-    semver "^7.5.4"
-    ts-api-utils "^1.0.1"
+    ignore "^5.2.0"
+    natural-compare-lite "^1.4.0"
+    semver "^7.3.7"
+    tsutils "^3.21.0"
 
 "@typescript-eslint/experimental-utils@^5.0.0":
   version "5.62.0"
@@ -1947,15 +2149,14 @@
   dependencies:
     "@typescript-eslint/utils" "5.62.0"
 
-"@typescript-eslint/parser@^5.5.0", "@typescript-eslint/parser@^6.2.1":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/parser/-/parser-6.21.0.tgz#af8fcf66feee2edc86bc5d1cf45e33b0630bf35b"
-  integrity sha512-tbsV1jPne5CkFQCgPBcDOt30ItF7aJoZL997JSF7MhGQqOeT3svWRYxiqlfA5RUdlHN6Fi+EI9bxqbdyAUZjYQ==
+"@typescript-eslint/parser@^5.5.0":
+  version "5.62.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/parser/-/parser-5.62.0.tgz#1b63d082d849a2fcae8a569248fbe2ee1b8a56c7"
+  integrity sha512-VlJEV0fOQ7BExOsHYAGrgbEiZoi8D+Bl2+f6V2RrXerRSylnp+ZBHmPvaIa8cz0Ajx7WO7Z5RqfgYg7ED1nRhA==
   dependencies:
-    "@typescript-eslint/scope-manager" "6.21.0"
-    "@typescript-eslint/types" "6.21.0"
-    "@typescript-eslint/typescript-estree" "6.21.0"
-    "@typescript-eslint/visitor-keys" "6.21.0"
+    "@typescript-eslint/scope-manager" "5.62.0"
+    "@typescript-eslint/types" "5.62.0"
+    "@typescript-eslint/typescript-estree" "5.62.0"
     debug "^4.3.4"
 
 "@typescript-eslint/scope-manager@5.62.0":
@@ -1966,34 +2167,21 @@
     "@typescript-eslint/types" "5.62.0"
     "@typescript-eslint/visitor-keys" "5.62.0"
 
-"@typescript-eslint/scope-manager@6.21.0":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/scope-manager/-/scope-manager-6.21.0.tgz#ea8a9bfc8f1504a6ac5d59a6df308d3a0630a2b1"
-  integrity sha512-OwLUIWZJry80O99zvqXVEioyniJMa+d2GrqpUTqi5/v5D5rOrppJVBPa0yKCblcigC0/aYAzxxqQ1B+DS2RYsg==
+"@typescript-eslint/type-utils@5.62.0":
+  version "5.62.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/type-utils/-/type-utils-5.62.0.tgz#286f0389c41681376cdad96b309cedd17d70346a"
+  integrity sha512-xsSQreu+VnfbqQpW5vnCJdq1Z3Q0U31qiWmRhr98ONQmcp/yhiPJFPq8MXiJVLiksmOKSjIldZzkebzHuCGzew==
   dependencies:
-    "@typescript-eslint/types" "6.21.0"
-    "@typescript-eslint/visitor-keys" "6.21.0"
-
-"@typescript-eslint/type-utils@6.21.0":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/type-utils/-/type-utils-6.21.0.tgz#6473281cfed4dacabe8004e8521cee0bd9d4c01e"
-  integrity sha512-rZQI7wHfao8qMX3Rd3xqeYSMCL3SoiSQLBATSiVKARdFGCYSRvmViieZjqc58jKgs8Y8i9YvVVhRbHSTA4VBag==
-  dependencies:
-    "@typescript-eslint/typescript-estree" "6.21.0"
-    "@typescript-eslint/utils" "6.21.0"
+    "@typescript-eslint/typescript-estree" "5.62.0"
+    "@typescript-eslint/utils" "5.62.0"
     debug "^4.3.4"
-    ts-api-utils "^1.0.1"
+    tsutils "^3.21.0"
 
 "@typescript-eslint/types@5.62.0":
   version "5.62.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-5.62.0.tgz#258607e60effa309f067608931c3df6fed41fd2f"
   integrity sha512-87NVngcbVXUahrRTqIK27gD2t5Cu1yuCXxbLcFtCzZGlfyVWWh8mLHkoxzjsB6DDNnvdL+fW8MiwPEJyGJQDgQ==
 
-"@typescript-eslint/types@6.21.0":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-6.21.0.tgz#205724c5123a8fef7ecd195075fa6e85bac3436d"
-  integrity sha512-1kFmZ1rOm5epu9NZEZm1kckCDGj5UJEf7P1kliH4LKu/RkwpsfqqGmY2OOcUs18lSlQBKLDYBOGxRVtrMN5lpg==
-
 "@typescript-eslint/typescript-estree@5.62.0":
   version "5.62.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/typescript-estree/-/typescript-estree-5.62.0.tgz#7d17794b77fabcac615d6a48fb143330d962eb9b"
@@ -2007,20 +2195,6 @@
     semver "^7.3.7"
     tsutils "^3.21.0"
 
-"@typescript-eslint/typescript-estree@6.21.0":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/typescript-estree/-/typescript-estree-6.21.0.tgz#c47ae7901db3b8bddc3ecd73daff2d0895688c46"
-  integrity sha512-6npJTkZcO+y2/kr+z0hc4HwNfrrP4kNYh57ek7yCNlrBjWQ1Y0OS7jiZTkgumrvkX5HkEKXFZkkdFNkaW2wmUQ==
-  dependencies:
-    "@typescript-eslint/types" "6.21.0"
-    "@typescript-eslint/visitor-keys" "6.21.0"
-    debug "^4.3.4"
-    globby "^11.1.0"
-    is-glob "^4.0.3"
-    minimatch "9.0.3"
-    semver "^7.5.4"
-    ts-api-utils "^1.0.1"
-
 "@typescript-eslint/utils@5.62.0", "@typescript-eslint/utils@^5.58.0":
   version "5.62.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/utils/-/utils-5.62.0.tgz#141e809c71636e4a75daa39faed2fb5f4b10df86"
@@ -2035,19 +2209,6 @@
     eslint-scope "^5.1.1"
     semver "^7.3.7"
 
-"@typescript-eslint/utils@6.21.0":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/utils/-/utils-6.21.0.tgz#4714e7a6b39e773c1c8e97ec587f520840cd8134"
-  integrity sha512-NfWVaC8HP9T8cbKQxHcsJBY5YE1O33+jpMwN45qzWWaPDZgLIbo12toGMWnmhvCpd3sIxkpDw3Wv1B3dYrbDQQ==
-  dependencies:
-    "@eslint-community/eslint-utils" "^4.4.0"
-    "@types/json-schema" "^7.0.12"
-    "@types/semver" "^7.5.0"
-    "@typescript-eslint/scope-manager" "6.21.0"
-    "@typescript-eslint/types" "6.21.0"
-    "@typescript-eslint/typescript-estree" "6.21.0"
-    semver "^7.5.4"
-
 "@typescript-eslint/visitor-keys@5.62.0":
   version "5.62.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/visitor-keys/-/visitor-keys-5.62.0.tgz#2174011917ce582875954ffe2f6912d5931e353e"
@@ -2056,14 +2217,6 @@
     "@typescript-eslint/types" "5.62.0"
     eslint-visitor-keys "^3.3.0"
 
-"@typescript-eslint/visitor-keys@6.21.0":
-  version "6.21.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/visitor-keys/-/visitor-keys-6.21.0.tgz#87a99d077aa507e20e238b11d56cc26ade45fe47"
-  integrity sha512-JJtkDduxLi9bivAB+cYOVMtbkqdPOhZ+ZI5LC47MIRrDV4Yn2o+ZnW10Nkmr28xRpSpdJ6Sm42Hjf2+REYXm0A==
-  dependencies:
-    "@typescript-eslint/types" "6.21.0"
-    eslint-visitor-keys "^3.4.1"
-
 "@ungap/structured-clone@^1.2.0":
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/@ungap/structured-clone/-/structured-clone-1.2.0.tgz#756641adb587851b5ccb3e095daf27ae581c8406"
@@ -2130,11 +2283,16 @@ acorn-walk@^8.3.2:
   resolved "https://registry.yarnpkg.com/acorn-walk/-/acorn-walk-8.3.2.tgz#7703af9415f1b6db9315d6895503862e231d34aa"
   integrity sha512-cjkyv4OtNCIeqhHrfS81QWXoCBPExR/J62oyEqepVw8WaQeSqpW2uhuLPh1m9eWhDuOo/jUXVTlifvesOWp/4A==
 
-acorn@^8.11.3, acorn@^8.9.0:
+acorn@^8.11.3:
   version "8.11.3"
   resolved "https://registry.yarnpkg.com/acorn/-/acorn-8.11.3.tgz#71e0b14e13a4ec160724b38fb7b0f233b1b81d7a"
   integrity sha512-Y9rRfJG5jcKOE0CLisYbojUjIrIEE7AGMzA/Sm4BslANhbS+cDMpgBdcPT91oJ7OuJ9hYJBx59RjbhxVnrF8Xg==
 
+acorn@^8.9.0:
+  version "8.10.0"
+  resolved "https://registry.yarnpkg.com/acorn/-/acorn-8.10.0.tgz#8be5b3907a67221a81ab23c7889c4c5526b62ec5"
+  integrity sha512-F0SAmZ8iUtS//m8DmCTA0jlh6TDKkHQyK6xc6V4KDTyZKA9dnvX9/3sRTVQrWm79glUAZbnmmNcdYwUIHWVybw==
+
 agent-base@^7.0.2, agent-base@^7.1.0:
   version "7.1.0"
   resolved "https://registry.yarnpkg.com/agent-base/-/agent-base-7.1.0.tgz#536802b76bc0b34aa50195eb2442276d613e3434"
@@ -2421,13 +2579,6 @@ brace-expansion@^1.1.7:
     balanced-match "^1.0.0"
     concat-map "0.0.1"
 
-brace-expansion@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-2.0.1.tgz#1edc459e0f0c548486ecf9fc99f2221364b9a0ae"
-  integrity sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==
-  dependencies:
-    balanced-match "^1.0.0"
-
 braces@^3.0.2, braces@~3.0.2:
   version "3.0.2"
   resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107"
@@ -2435,7 +2586,17 @@ braces@^3.0.2, braces@~3.0.2:
   dependencies:
     fill-range "^7.0.1"
 
-browserslist@^4.21.10, browserslist@^4.21.9, browserslist@^4.22.1:
+browserslist@^4.21.10, browserslist@^4.21.9:
+  version "4.21.10"
+  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.21.10.tgz#dbbac576628c13d3b2231332cb2ec5a46e015bb0"
+  integrity sha512-bipEBdZfVH5/pwrvqc+Ub0kUPVfGUhlKxbvfD+z1BDnPEO/X98ruXGA1WP5ASpAFKan7Qr6j736IacbZQuAlKQ==
+  dependencies:
+    caniuse-lite "^1.0.30001517"
+    electron-to-chromium "^1.4.477"
+    node-releases "^2.0.13"
+    update-browserslist-db "^1.0.11"
+
+browserslist@^4.22.1:
   version "4.22.1"
   resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.22.1.tgz#ba91958d1a59b87dab6fed8dfbcb3da5e2e9c619"
   integrity sha512-FEVc202+2iuClEhZhrWy6ZiAcRLvNMyYcxZ8raemul1DYVOVdFsbqckWLdsixQZCpJlwe77Z3UTalE7jsjnKfQ==
@@ -2474,7 +2635,17 @@ camelcase@^6.2.0:
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-6.3.0.tgz#5685b95eb209ac9c0c177467778c9c84df58ba9a"
   integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==
 
-caniuse-lite@^1.0.30001520, caniuse-lite@^1.0.30001541:
+caniuse-lite@^1.0.30001517:
+  version "1.0.30001519"
+  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001519.tgz#3e7b8b8a7077e78b0eb054d69e6edf5c7df35601"
+  integrity sha512-0QHgqR+Jv4bxHMp8kZ1Kn8CH55OikjKJ6JmKkZYP1F3D7w+lnFXF70nG5eNfsZS89jadi5Ywy5UCSKLAglIRkg==
+
+caniuse-lite@^1.0.30001520:
+  version "1.0.30001520"
+  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001520.tgz#62e2b7a1c7b35269594cf296a80bdf8cb9565006"
+  integrity sha512-tahF5O9EiiTzwTUqAeFjIZbn4Dnqxzz7ktrgGlMYNLH43Ul26IgTMH/zvL3DG0lZxBYnlT04axvInszUsZULdA==
+
+caniuse-lite@^1.0.30001541:
   version "1.0.30001565"
   resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001565.tgz#a528b253c8a2d95d2b415e11d8b9942acc100c4f"
   integrity sha512-xrE//a3O7TP0vaJ8ikzkD2c2NgcVUvsEe2IvFTntV4Yd1Z9FVzh+gW+enX96L0psrbaFMcVcH2l90xNuGDWc8w==
@@ -2587,6 +2758,11 @@ confusing-browser-globals@^1.0.11:
   resolved "https://registry.yarnpkg.com/confusing-browser-globals/-/confusing-browser-globals-1.0.11.tgz#ae40e9b57cdd3915408a2805ebd3a5585608dc81"
   integrity sha512-JsPKdmh8ZkmnHxDk55FZ1TqVLvEQTvoByJZRN9jzI0UjxK/QgAmsphz7PGtqgPieQZ/CQcHWXCR7ATDNhGe+YA==
 
+convert-source-map@^1.7.0:
+  version "1.9.0"
+  resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-1.9.0.tgz#7faae62353fb4213366d0ca98358d22e8368b05f"
+  integrity sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==
+
 convert-source-map@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-2.0.0.tgz#4b560f649fc4e918dd0ab75cf4961e8bc882d82a"
@@ -2767,6 +2943,11 @@ dot-case@^3.0.4:
     no-case "^3.0.4"
     tslib "^2.0.3"
 
+electron-to-chromium@^1.4.477:
+  version "1.4.490"
+  resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.490.tgz#d99286f6e915667fa18ea4554def1aa60eb4d5f1"
+  integrity sha512-6s7NVJz+sATdYnIwhdshx/N/9O6rvMxmhVoDSDFdj6iA45gHR8EQje70+RYsF4GeB+k0IeNSBnP7yG9ZXJFr7A==
+
 electron-to-chromium@^1.4.535:
   version "1.4.596"
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.596.tgz#6752d1aa795d942d49dfc5d3764d6ea283fab1d7"
@@ -3198,7 +3379,18 @@ fast-deep-equal@^3.1.1, fast-deep-equal@^3.1.3:
   resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz#3a7d56b559d6cbc3eb512325244e619a65c6c525"
   integrity sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==
 
-fast-glob@^3.2.12, fast-glob@^3.2.9:
+fast-glob@^3.2.12:
+  version "3.3.1"
+  resolved "https://registry.yarnpkg.com/fast-glob/-/fast-glob-3.3.1.tgz#784b4e897340f3dbbef17413b3f11acf03c874c4"
+  integrity sha512-kNFPyjhh5cKjrUltxs+wFx+ZkbRaxxmZ+X0ZU31SOsxCEtP9VPgtq2teZw1DebupL5GmDaNQ6yKMMVcM41iqDg==
+  dependencies:
+    "@nodelib/fs.stat" "^2.0.2"
+    "@nodelib/fs.walk" "^1.2.3"
+    glob-parent "^5.1.2"
+    merge2 "^1.3.0"
+    micromatch "^4.0.4"
+
+fast-glob@^3.2.9:
   version "3.3.2"
   resolved "https://registry.yarnpkg.com/fast-glob/-/fast-glob-3.3.2.tgz#a904501e57cfdd2ffcded45e99a54fef55e46129"
   integrity sha512-oX2ruAFQwf/Orj8m737Y5adxDQO0LAB7/S5MnxCdTNDd4p6BsyIVsv9JQsATbTSq8KHRpLwIHbVlUNatxd+1Ow==
@@ -3288,12 +3480,22 @@ fs.realpath@^1.0.0:
   resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f"
   integrity sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==
 
-fsevents@~2.3.2, fsevents@~2.3.3:
+fsevents@~2.3.2:
+  version "2.3.2"
+  resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.2.tgz#8a526f78b8fdf4623b709e0b975c52c24c02fd1a"
+  integrity sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==
+
+fsevents@~2.3.3:
   version "2.3.3"
   resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.3.tgz#cac6407785d03675a2a5e1a5305c697b347d90d6"
   integrity sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==
 
-function-bind@^1.1.1, function-bind@^1.1.2:
+function-bind@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d"
+  integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==
+
+function-bind@^1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.2.tgz#2c02d864d97f3ea6c8830c464cbd11ab6eab7a1c"
   integrity sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==
@@ -3318,7 +3520,7 @@ gensync@^1.0.0-beta.2:
   resolved "https://registry.yarnpkg.com/gensync/-/gensync-1.0.0-beta.2.tgz#32a6ee76c3d7f52d46b2b1ae5d93fea8580a25e0"
   integrity sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==
 
-get-func-name@^2.0.1, get-func-name@^2.0.2:
+get-func-name@^2.0.0, get-func-name@^2.0.1, get-func-name@^2.0.2:
   version "2.0.2"
   resolved "https://registry.yarnpkg.com/get-func-name/-/get-func-name-2.0.2.tgz#0d7cf20cd13fda808669ffa88f4ffc7a3943fc41"
   integrity sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ==
@@ -3481,6 +3683,13 @@ has-tostringtag@^1.0.0:
   dependencies:
     has-symbols "^1.0.2"
 
+has@^1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/has/-/has-1.0.3.tgz#722d7cbfc1f6aa8241f16dd814e011e1f41e8796"
+  integrity sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==
+  dependencies:
+    function-bind "^1.1.1"
+
 hasown@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/hasown/-/hasown-2.0.0.tgz#f4c513d454a57b7c7e1650778de226b11700546c"
@@ -3523,10 +3732,10 @@ iconv-lite@0.6.3:
   dependencies:
     safer-buffer ">= 2.1.2 < 3.0.0"
 
-ignore@^5.2.0, ignore@^5.2.4:
-  version "5.3.1"
-  resolved "https://registry.yarnpkg.com/ignore/-/ignore-5.3.1.tgz#5073e554cd42c5b33b394375f538b8593e34d4ef"
-  integrity sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==
+ignore@^5.2.0:
+  version "5.3.0"
+  resolved "https://registry.yarnpkg.com/ignore/-/ignore-5.3.0.tgz#67418ae40d34d6999c95ff56016759c718c82f78"
+  integrity sha512-g7dmpshy+gD7mh88OC9NwSGTKoc3kyLAZQRU1mt53Aw/vnvfXnbC+F/7F7QoYVKbV+KNvJx8wArewKy1vXMtlg==
 
 import-fresh@^3.2.1:
   version "3.3.0"
@@ -3618,7 +3827,14 @@ is-callable@^1.1.3, is-callable@^1.1.4, is-callable@^1.2.7:
   resolved "https://registry.yarnpkg.com/is-callable/-/is-callable-1.2.7.tgz#3bc2a85ea742d9e36205dcacdd72ca1fdc51b055"
   integrity sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==
 
-is-core-module@^2.13.0, is-core-module@^2.13.1:
+is-core-module@^2.13.0:
+  version "2.13.0"
+  resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.13.0.tgz#bb52aa6e2cbd49a30c2ba68c42bf3435ba6072db"
+  integrity sha512-Z7dk6Qo8pOCp3l4tsX2C5ZVas4V+UxwQodwZhLopL91TX8UyyHEXafPcyoeeWuLrwzHcr3igO78wNLwHJHsMCQ==
+  dependencies:
+    has "^1.0.3"
+
+is-core-module@^2.13.1:
   version "2.13.1"
   resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.13.1.tgz#ad0d7532c6fea9da1ebdc82742d74525c6273384"
   integrity sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==
@@ -3957,7 +4173,14 @@ loose-envify@^1.0.0, loose-envify@^1.1.0, loose-envify@^1.4.0:
   dependencies:
     js-tokens "^3.0.0 || ^4.0.0"
 
-loupe@^2.3.6, loupe@^2.3.7:
+loupe@^2.3.6:
+  version "2.3.6"
+  resolved "https://registry.yarnpkg.com/loupe/-/loupe-2.3.6.tgz#76e4af498103c532d1ecc9be102036a21f787b53"
+  integrity sha512-RaPMZKiMy8/JruncMU5Bt6na1eftNoo++R4Y+N2FrxkDVTrGvcyzFTsaGif4QTeKESheMGegbhw6iUAq+5A8zA==
+  dependencies:
+    get-func-name "^2.0.0"
+
+loupe@^2.3.7:
   version "2.3.7"
   resolved "https://registry.yarnpkg.com/loupe/-/loupe-2.3.7.tgz#6e69b7d4db7d3ab436328013d37d1c8c3540c697"
   integrity sha512-zSMINGVYkdpYSOBmLi0D1Uo7JU9nVdQKrHxC8eYlV+9YKK9WePqAlL7lSlorG/U2Fw1w0hTBmaa/jrQ3UbPHtA==
@@ -4027,13 +4250,6 @@ mimic-fn@^4.0.0:
   resolved "https://registry.yarnpkg.com/mimic-fn/-/mimic-fn-4.0.0.tgz#60a90550d5cb0b239cca65d893b1a53b29871ecc"
   integrity sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==
 
-minimatch@9.0.3:
-  version "9.0.3"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.3.tgz#a6e00c3de44c3a542bfaae70abfc22420a6da825"
-  integrity sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==
-  dependencies:
-    brace-expansion "^2.0.1"
-
 minimatch@^3.0.4, minimatch@^3.0.5, minimatch@^3.1.1, minimatch@^3.1.2:
   version "3.1.2"
   resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
@@ -4046,7 +4262,17 @@ minimist@^1.2.0, minimist@^1.2.6:
   resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
   integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==
 
-mlly@^1.2.0, mlly@^1.4.2:
+mlly@^1.2.0:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/mlly/-/mlly-1.4.0.tgz#830c10d63f1f97bd8785377b24dc2a15d972832b"
+  integrity sha512-ua8PAThnTwpprIaU47EPeZ/bPUVp2QYBbWMphUQpVdBI3Lgqzm5KZQ45Agm3YJedHXaIHl6pBGabaLSUPPSptg==
+  dependencies:
+    acorn "^8.9.0"
+    pathe "^1.1.1"
+    pkg-types "^1.0.3"
+    ufo "^1.1.2"
+
+mlly@^1.4.2:
   version "1.6.0"
   resolved "https://registry.yarnpkg.com/mlly/-/mlly-1.6.0.tgz#0ecfbddc706857f5e170ccd28c6b0b9c81d3f548"
   integrity sha512-YOvg9hfYQmnaB56Yb+KrJE2u0Yzz5zR+sLejEvF4fzwzV1Al6hkf2vyHTwqCRyv0hCi9rVCqVoXpyYevQIRwLQ==
@@ -4075,11 +4301,21 @@ mz@^2.7.0:
     object-assign "^4.0.1"
     thenify-all "^1.0.0"
 
+nanoid@^3.3.6:
+  version "3.3.6"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.6.tgz#443380c856d6e9f9824267d960b4236ad583ea4c"
+  integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
+
 nanoid@^3.3.7:
   version "3.3.7"
   resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.7.tgz#d0c301a691bc8d54efa0a2226ccf3fe2fd656bd8"
   integrity sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==
 
+natural-compare-lite@^1.4.0:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/natural-compare-lite/-/natural-compare-lite-1.4.0.tgz#17b09581988979fddafe0201e931ba933c96cbb4"
+  integrity sha512-Tj+HTDSJJKaZnfiuw+iaF9skdPpTo2GtEly5JHnWV/hfv2Qj/9RKsGISQtLh2ox3l5EAGw487hnBee0sIJ6v2g==
+
 natural-compare@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
@@ -4296,7 +4532,12 @@ path-type@^4.0.0:
   resolved "https://registry.yarnpkg.com/path-type/-/path-type-4.0.0.tgz#84ed01c0a7ba380afe09d90a8c180dcd9d03043b"
   integrity sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==
 
-pathe@^1.1.0, pathe@^1.1.1, pathe@^1.1.2:
+pathe@^1.1.0, pathe@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/pathe/-/pathe-1.1.1.tgz#1dd31d382b974ba69809adc9a7a347e65d84829a"
+  integrity sha512-d+RQGp0MAYTIaDBIMmOfMwz3E+LOZnxx1HZd5R18mmCZY0QBlK0LDZfPc8FW8Ed2DlvsuE6PRjroDY+wg4+j/Q==
+
+pathe@^1.1.2:
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/pathe/-/pathe-1.1.2.tgz#6c4cb47a945692e48a1ddd6e4094d170516437ec"
   integrity sha512-whLdWMYL2TwI08hn8/ZqAbrVemu0LNaNNJZX73O6qaIdCTfXutsLhMkjdENX0qhsQ9uIimo4/aQOmXkoon2nDQ==
@@ -4379,7 +4620,16 @@ postcss-value-parser@^4.0.0, postcss-value-parser@^4.2.0:
   resolved "https://registry.yarnpkg.com/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz#723c09920836ba6d3e5af019f92bc0971c02e514"
   integrity sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==
 
-postcss@^8.4.23, postcss@^8.4.31, postcss@^8.4.35:
+postcss@^8.4.23, postcss@^8.4.31:
+  version "8.4.31"
+  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.31.tgz#92b451050a9f914da6755af352bdc0192508656d"
+  integrity sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==
+  dependencies:
+    nanoid "^3.3.6"
+    picocolors "^1.0.0"
+    source-map-js "^1.0.2"
+
+postcss@^8.4.35:
   version "8.4.35"
   resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.35.tgz#60997775689ce09011edf083a549cea44aabe2f7"
   integrity sha512-u5U8qYpBCpN13BsiEB0CbR1Hhh4Gc0zLFuedrHJKMctHCHAGrMdG0PRM/KErzAL3CU6/eckEtmHNB3x6e3c0vA==
@@ -4593,7 +4843,16 @@ resolve-from@^4.0.0:
   resolved "https://registry.yarnpkg.com/resolve-from/-/resolve-from-4.0.0.tgz#4abcd852ad32dd7baabfe9b40e00a36db5f392e6"
   integrity sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==
 
-resolve@^1.1.7, resolve@^1.14.2, resolve@^1.19.0, resolve@^1.22.2, resolve@^1.22.4:
+resolve@^1.1.7, resolve@^1.22.2:
+  version "1.22.4"
+  resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.22.4.tgz#1dc40df46554cdaf8948a486a10f6ba1e2026c34"
+  integrity sha512-PXNdCiPqDqeUou+w1C2eTQbNfxKSuMxqTCuvlmmMsk1NWHL5fRrhY6Pl0qEYYc6+QqGClco1Qj8XnjPego4wfg==
+  dependencies:
+    is-core-module "^2.13.0"
+    path-parse "^1.0.7"
+    supports-preserve-symlinks-flag "^1.0.0"
+
+resolve@^1.14.2, resolve@^1.19.0, resolve@^1.22.4:
   version "1.22.8"
   resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.22.8.tgz#b6c87a9f2aa06dfab52e3d70ac8cde321fa5a48d"
   integrity sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==
@@ -4700,10 +4959,10 @@ semver@^6.3.1:
   resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
   integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==
 
-semver@^7.3.7, semver@^7.5.4:
-  version "7.6.0"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.6.0.tgz#1a46a4db4bffcccd97b743b5005c8325f23d4e2d"
-  integrity sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==
+semver@^7.3.7:
+  version "7.5.4"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e"
+  integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==
   dependencies:
     lru-cache "^6.0.0"
 
@@ -5002,11 +5261,6 @@ tr46@^5.0.0:
   dependencies:
     punycode "^2.3.1"
 
-ts-api-utils@^1.0.1:
-  version "1.2.1"
-  resolved "https://registry.yarnpkg.com/ts-api-utils/-/ts-api-utils-1.2.1.tgz#f716c7e027494629485b21c0df6180f4d08f5e8b"
-  integrity sha512-RIYA36cJn2WiH9Hy77hdF9r7oEwxAtB/TS9/S4Qd90Ap4z5FSiin5zEiTL44OII1Y3IIlEvxwxFUVgrHSZ/UpA==
-
 ts-interface-checker@^0.1.9:
   version "0.1.13"
   resolved "https://registry.yarnpkg.com/ts-interface-checker/-/ts-interface-checker-0.1.13.tgz#784fd3d679722bc103b1b4b8030bcddb5db2a699"
@@ -5104,10 +5358,15 @@ typed-array-length@^1.0.4:
     for-each "^0.3.3"
     is-typed-array "^1.1.9"
 
-typescript@^5.3.3:
-  version "5.3.3"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.3.3.tgz#b3ce6ba258e72e6305ba66f5c9b452aaee3ffe37"
-  integrity sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==
+typescript@^4.7.4:
+  version "4.9.5"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.9.5.tgz#095979f9bcc0d09da324d58d03ce8f8374cbe65a"
+  integrity sha512-1FXk9E2Hm+QzZQ7z+McJiHL4NW1F2EzMu9Nq9i3zAaGqibafqYwCVU6WyWAuyQRRzOlxou8xZSyXLEN8oKj24g==
+
+ufo@^1.1.2:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/ufo/-/ufo-1.2.0.tgz#28d127a087a46729133fdc89cb1358508b3f80ba"
+  integrity sha512-RsPyTbqORDNDxqAdQPQBpgqhWle1VcTSou/FraClYlHf6TZnQcGslpLcAphNR+sQW4q5lLWLbOsRlh9j24baQg==
 
 ufo@^1.3.2:
   version "1.4.0"
@@ -5157,6 +5416,14 @@ universalify@^0.2.0:
   resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.2.0.tgz#6451760566fa857534745ab1dde952d1b1761be0"
   integrity sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==
 
+update-browserslist-db@^1.0.11:
+  version "1.0.11"
+  resolved "https://registry.yarnpkg.com/update-browserslist-db/-/update-browserslist-db-1.0.11.tgz#9a2a641ad2907ae7b3616506f4b977851db5b940"
+  integrity sha512-dCwEFf0/oT85M1fHBg4F0jtLwJrutGoHSQXCh7u4o2t1drG+c0a9Flnqww6XUKSfQMPpJBRjU8d4RXB09qtvaA==
+  dependencies:
+    escalade "^3.1.1"
+    picocolors "^1.0.0"
+
 update-browserslist-db@^1.0.13:
   version "1.0.13"
   resolved "https://registry.yarnpkg.com/update-browserslist-db/-/update-browserslist-db-1.0.13.tgz#3c5e4f5c083661bd38ef64b6328c26ed6c8248c4"
@@ -5235,10 +5502,10 @@ vite-tsconfig-paths@^3.5.0:
     recrawl-sync "^2.0.3"
     tsconfig-paths "^4.0.0"
 
-vite@^5.0.0, vite@^5.1.7:
-  version "5.1.7"
-  resolved "https://registry.yarnpkg.com/vite/-/vite-5.1.7.tgz#9f685a2c4c70707fef6d37341b0e809c366da619"
-  integrity sha512-sgnEEFTZYMui/sTlH1/XEnVNHMujOahPLGMxn1+5sIT45Xjng1Ec1K78jRP15dSmVgg5WBin9yO81j3o9OxofA==
+vite@^5.0.0, vite@^5.1.4:
+  version "5.1.4"
+  resolved "https://registry.yarnpkg.com/vite/-/vite-5.1.4.tgz#14e9d3e7a6e488f36284ef13cebe149f060bcfb6"
+  integrity sha512-n+MPqzq+d9nMVTKyewqw6kSt+R3CkvF9QAKY8obiQn8g1fwTscKxyfaYnC632HtBXAQGc1Yjomphwn1dtwGAHg==
   dependencies:
     esbuild "^0.19.3"
     postcss "^8.4.35"
@@ -5382,9 +5649,9 @@ wrappy@1:
   integrity sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==
 
 ws@^8.14.2:
-  version "8.17.1"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b"
-  integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==
+  version "8.14.2"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-8.14.2.tgz#6c249a806eb2db7a20d26d51e7709eab7b2e6c7f"
+  integrity sha512-wEBG1ftX4jcglPxgFCMJmZ2PLtSbJ2Peg6TmpJFTbe9GZYOQCDPdMYu/Tm0/bGZkw8paZnJY45J4K2PZrLYq8g==
 
 xml-name-validator@^5.0.0:
   version "5.0.0"

clientupdate/clientupdate.go

@@ -27,25 +27,21 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/google/uuid"
+	"tailscale.com/clientupdate/distsign"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cmpver"
+	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
 
 const (
+	CurrentTrack  = ""
 	StableTrack   = "stable"
 	UnstableTrack = "unstable"
 )
 
-var CurrentTrack = func() string {
-	if version.IsUnstableBuild() {
-		return UnstableTrack
-	} else {
-		return StableTrack
-	}
-}()
-
 func versionToTrack(v string) (string, error) {
 	_, rest, ok := strings.Cut(v, ".")
 	if !ok {
@@ -110,7 +106,7 @@ func (args Arguments) validate() error {
 		return fmt.Errorf("only one of Version(%q) or Track(%q) can be set", args.Version, args.Track)
 	}
 	switch args.Track {
-	case StableTrack, UnstableTrack, "":
+	case StableTrack, UnstableTrack, CurrentTrack:
 		// All valid values.
 	default:
 		return fmt.Errorf("unsupported track %q", args.Track)
@@ -123,17 +119,11 @@ type Updater struct {
 	// Update is a platform-specific method that updates the installation. May be
 	// nil (not all platforms support updates from within Tailscale).
 	Update func() error
-
-	// currentVersion is the short form of the current client version as
-	// returned by version.Short(), typically "x.y.z". Used for tests to
-	// override the actual current version.
-	currentVersion string
 }
 
 func NewUpdater(args Arguments) (*Updater, error) {
 	up := Updater{
-		Arguments:      args,
-		currentVersion: version.Short(),
+		Arguments: args,
 	}
 	if up.Stdout == nil {
 		up.Stdout = os.Stdout
@@ -149,15 +139,18 @@ func NewUpdater(args Arguments) (*Updater, error) {
 	if args.ForAutoUpdate && !canAutoUpdate {
 		return nil, errors.ErrUnsupported
 	}
-	if up.Track == "" {
-		if up.Version != "" {
+	if up.Track == CurrentTrack {
+		switch {
+		case up.Version != "":
 			var err error
 			up.Track, err = versionToTrack(args.Version)
 			if err != nil {
 				return nil, err
 			}
-		} else {
-			up.Track = CurrentTrack
+		case version.IsUnstableBuild():
+			up.Track = UnstableTrack
+		default:
+			up.Track = StableTrack
 		}
 	}
 	if up.Arguments.PkgsAddr == "" {
@@ -245,11 +238,6 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 // CanAutoUpdate reports whether auto-updating via the clientupdate package
 // is supported for the current os/distro.
 func CanAutoUpdate() bool {
-	if version.IsMacSysExt() {
-		// Macsys uses Sparkle for auto-updates, which doesn't have an update
-		// function in this package.
-		return true
-	}
 	_, canAutoUpdate := (&Updater{}).getUpdateFunction()
 	return canAutoUpdate
 }
@@ -271,16 +259,13 @@ func Update(args Arguments) error {
 }
 
 func (up *Updater) confirm(ver string) bool {
-	// Only check version when we're not switching tracks.
-	if up.Track == "" || up.Track == CurrentTrack {
-		switch c := cmpver.Compare(up.currentVersion, ver); {
-		case c == 0:
-			up.Logf("already running %v version %v; no update needed", up.Track, ver)
-			return false
-		case c > 0:
-			up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, up.currentVersion, ver)
-			return false
-		}
+	switch cmpver.Compare(version.Short(), ver) {
+	case 0:
+		up.Logf("already running %v version %v; no update needed", up.Track, ver)
+		return false
+	case 1:
+		up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, version.Short(), ver)
+		return false
 	}
 	if up.Confirm != nil {
 		return up.Confirm(ver)
@@ -451,7 +436,7 @@ func (up *Updater) updateDebLike() error {
 		return fmt.Errorf("apt-get update failed: %w; output:\n%s", err, out)
 	}
 
-	for range 2 {
+	for i := 0; i < 2; i++ {
 		out, err := exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver).CombinedOutput()
 		if err != nil {
 			if !bytes.Contains(out, []byte(`dpkg was interrupted`)) {
@@ -666,9 +651,6 @@ func (up *Updater) updateAlpineLike() (err error) {
 		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
 	}
 	if !up.confirm(ver) {
-		if err := checkOutdatedAlpineRepo(up.Logf, ver, up.Track); err != nil {
-			up.Logf("failed to check whether Alpine release is outdated: %v", err)
-		}
 		return nil
 	}
 
@@ -683,7 +665,6 @@ func (up *Updater) updateAlpineLike() (err error) {
 
 func parseAlpinePackageVersion(out []byte) (string, error) {
 	s := bufio.NewScanner(bytes.NewReader(out))
-	var maxVer string
 	for s.Scan() {
 		// The line should look like this:
 		// tailscale-1.44.2-r0 description:
@@ -695,48 +676,11 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 		if len(parts) < 3 {
 			return "", fmt.Errorf("malformed info line: %q", line)
 		}
-		ver := parts[1]
-		if cmpver.Compare(ver, maxVer) > 0 {
-			maxVer = ver
-		}
-	}
-	if maxVer != "" {
-		return maxVer, nil
+		return parts[1], nil
 	}
 	return "", errors.New("tailscale version not found in output")
 }
 
-var apkRepoVersionRE = regexp.MustCompile(`v[0-9]+\.[0-9]+`)
-
-func checkOutdatedAlpineRepo(logf logger.Logf, apkVer, track string) error {
-	latest, err := LatestTailscaleVersion(track)
-	if err != nil {
-		return err
-	}
-	if latest == apkVer {
-		// Actually on latest release.
-		return nil
-	}
-	f, err := os.Open("/etc/apk/repositories")
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	// Read the first repo line. Typically, there are multiple repos that all
-	// contain the same version in the path, like:
-	//   https://dl-cdn.alpinelinux.org/alpine/v3.20/main
-	//   https://dl-cdn.alpinelinux.org/alpine/v3.20/community
-	s := bufio.NewScanner(f)
-	if !s.Scan() {
-		return s.Err()
-	}
-	alpineVer := apkRepoVersionRE.FindString(s.Text())
-	if alpineVer != "" {
-		logf("The latest Tailscale release for Linux is %q, but your apk repository only provides %q.\nYour Alpine version is %q, you may need to upgrade the system to get the latest Tailscale version: https://wiki.alpinelinux.org/wiki/Upgrading_Alpine", latest, apkVer, alpineVer)
-	}
-	return nil
-}
-
 func (up *Updater) updateMacSys() error {
 	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
 }
@@ -753,6 +697,164 @@ func (up *Updater) updateMacAppStore() error {
 	return nil
 }
 
+const (
+	// winMSIEnv is the environment variable that, if set, is the MSI file for
+	// the update command to install. It's passed like this so we can stop the
+	// tailscale.exe process from running before the msiexec process runs and
+	// tries to overwrite ourselves.
+	winMSIEnv = "TS_UPDATE_WIN_MSI"
+	// winExePathEnv is the environment variable that is set along with
+	// winMSIEnv and carries the full path of the calling tailscale.exe binary.
+	// It is used to re-launch the GUI process (tailscale-ipn.exe) after
+	// install is complete.
+	winExePathEnv = "TS_UPDATE_WIN_EXE_PATH"
+)
+
+var (
+	verifyAuthenticode func(string) error // set non-nil only on Windows
+	markTempFileFunc   func(string) error // set non-nil only on Windows
+)
+
+func (up *Updater) updateWindows() error {
+	if msi := os.Getenv(winMSIEnv); msi != "" {
+		// stdout/stderr from this part of the install could be lost since the
+		// parent tailscaled is replaced. Create a temp log file to have some
+		// output to debug with in case update fails.
+		close, err := up.switchOutputToFile()
+		if err != nil {
+			up.Logf("failed to create log file for installation: %v; proceeding with existing outputs", err)
+		} else {
+			defer close.Close()
+		}
+
+		up.Logf("installing %v ...", msi)
+		if err := up.installMSI(msi); err != nil {
+			up.Logf("MSI install failed: %v", err)
+			return err
+		}
+
+		up.Logf("success.")
+		return nil
+	}
+
+	if !winutil.IsCurrentProcessElevated() {
+		return errors.New(`update must be run as Administrator
+
+you can run the command prompt as Administrator one of these ways:
+* right-click cmd.exe, select 'Run as administrator'
+* press Windows+x, then press a
+* press Windows+r, type in "cmd", then press Ctrl+Shift+Enter`)
+	}
+	ver, err := requestedTailscaleVersion(up.Version, up.Track)
+	if err != nil {
+		return err
+	}
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+	if !up.confirm(ver) {
+		return nil
+	}
+
+	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
+	msiDir := filepath.Join(tsDir, "MSICache")
+	if fi, err := os.Stat(tsDir); err != nil {
+		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
+	} else if !fi.IsDir() {
+		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
+	}
+	if err := os.MkdirAll(msiDir, 0700); err != nil {
+		return err
+	}
+	up.cleanupOldDownloads(filepath.Join(msiDir, "*.msi"))
+	pkgsPath := fmt.Sprintf("%s/tailscale-setup-%s-%s.msi", up.Track, ver, arch)
+	msiTarget := filepath.Join(msiDir, path.Base(pkgsPath))
+	if err := up.downloadURLToFile(pkgsPath, msiTarget); err != nil {
+		return err
+	}
+
+	up.Logf("verifying MSI authenticode...")
+	if err := verifyAuthenticode(msiTarget); err != nil {
+		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
+	}
+	up.Logf("authenticode verification succeeded")
+
+	up.Logf("making tailscale.exe copy to switch to...")
+	up.cleanupOldDownloads(filepath.Join(os.TempDir(), "tailscale-updater-*.exe"))
+	selfOrig, selfCopy, err := makeSelfCopy()
+	if err != nil {
+		return err
+	}
+	defer os.Remove(selfCopy)
+	up.Logf("running tailscale.exe copy for final install...")
+
+	cmd := exec.Command(selfCopy, "update")
+	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget, winExePathEnv+"="+selfOrig)
+	cmd.Stdout = up.Stderr
+	cmd.Stderr = up.Stderr
+	cmd.Stdin = os.Stdin
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	// Once it's started, exit ourselves, so the binary is free
+	// to be replaced.
+	os.Exit(0)
+	panic("unreachable")
+}
+
+func (up *Updater) switchOutputToFile() (io.Closer, error) {
+	var logFilePath string
+	exePath, err := os.Executable()
+	if err != nil {
+		logFilePath = filepath.Join(os.TempDir(), "tailscale-updater.log")
+	} else {
+		logFilePath = strings.TrimSuffix(exePath, ".exe") + ".log"
+	}
+
+	up.Logf("writing update output to %q", logFilePath)
+	logFile, err := os.Create(logFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	up.Logf = func(m string, args ...any) {
+		fmt.Fprintf(logFile, m+"\n", args...)
+	}
+	up.Stdout = logFile
+	up.Stderr = logFile
+	return logFile, nil
+}
+
+func (up *Updater) installMSI(msi string) error {
+	var err error
+	for tries := 0; tries < 2; tries++ {
+		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
+		cmd.Dir = filepath.Dir(msi)
+		cmd.Stdout = up.Stdout
+		cmd.Stderr = up.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		if err == nil {
+			break
+		}
+		up.Logf("Install attempt failed: %v", err)
+		uninstallVersion := version.Short()
+		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
+			uninstallVersion = v
+		}
+		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
+		up.Logf("Uninstalling current version %q for downgrade...", uninstallVersion)
+		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
+		cmd.Stdout = up.Stdout
+		cmd.Stderr = up.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		up.Logf("msiexec uninstall: %v", err)
+	}
+	return err
+}
+
 // cleanupOldDownloads removes all files matching glob (see filepath.Glob).
 // Only regular files are removed, so the glob must match specific files and
 // not directories.
@@ -777,6 +879,53 @@ func (up *Updater) cleanupOldDownloads(glob string) {
 	}
 }
 
+func msiUUIDForVersion(ver string) string {
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+	track, err := versionToTrack(ver)
+	if err != nil {
+		track = UnstableTrack
+	}
+	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
+	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
+}
+
+func makeSelfCopy() (origPathExe, tmpPathExe string, err error) {
+	selfExe, err := os.Executable()
+	if err != nil {
+		return "", "", err
+	}
+	f, err := os.Open(selfExe)
+	if err != nil {
+		return "", "", err
+	}
+	defer f.Close()
+	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
+	if err != nil {
+		return "", "", err
+	}
+	if f := markTempFileFunc; f != nil {
+		if err := f(f2.Name()); err != nil {
+			return "", "", err
+		}
+	}
+	if _, err := io.Copy(f2, f); err != nil {
+		f2.Close()
+		return "", "", err
+	}
+	return selfExe, f2.Name(), f2.Close()
+}
+
+func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
+	c, err := distsign.NewClient(up.Logf, up.PkgsAddr)
+	if err != nil {
+		return err
+	}
+	return c.Download(context.Background(), pathSrc, fileDst)
+}
+
 func (up *Updater) updateFreeBSD() (err error) {
 	if up.Version != "" {
 		return errors.New("installing a specific version on FreeBSD is not supported")
@@ -861,20 +1010,6 @@ func (up *Updater) updateLinuxBinary() error {
 	return nil
 }
 
-func restartSystemdUnit(ctx context.Context) error {
-	if _, err := exec.LookPath("systemctl"); err != nil {
-		// Likely not a systemd-managed distro.
-		return errors.ErrUnsupported
-	}
-	if out, err := exec.Command("systemctl", "daemon-reload").CombinedOutput(); err != nil {
-		return fmt.Errorf("systemctl daemon-reload failed: %w\noutput: %s", err, out)
-	}
-	if out, err := exec.Command("systemctl", "restart", "tailscaled.service").CombinedOutput(); err != nil {
-		return fmt.Errorf("systemctl restart failed: %w\noutput: %s", err, out)
-	}
-	return nil
-}
-
 func (up *Updater) downloadLinuxTarball(ver string) (string, error) {
 	dlDir, err := os.UserCacheDir()
 	if err != nil {
@@ -1141,31 +1276,22 @@ func requestedTailscaleVersion(ver, track string) (string, error) {
 // LatestTailscaleVersion returns the latest released version for the given
 // track from pkgs.tailscale.com.
 func LatestTailscaleVersion(track string) (string, error) {
-	if track == "" {
-		track = CurrentTrack
+	if track == CurrentTrack {
+		if version.IsUnstableBuild() {
+			track = UnstableTrack
+		} else {
+			track = StableTrack
+		}
 	}
 
 	latest, err := latestPackages(track)
 	if err != nil {
 		return "", err
 	}
-	ver := latest.Version
-	switch runtime.GOOS {
-	case "windows":
-		ver = latest.MSIsVersion
-	case "darwin":
-		ver = latest.MacZipsVersion
-	case "linux":
-		ver = latest.TarballsVersion
-		if distro.Get() == distro.Synology {
-			ver = latest.SPKsVersion
-		}
+	if latest.Version == "" {
+		return "", fmt.Errorf("no latest version found for %q track", track)
 	}
-
-	if ver == "" {
-		return "", fmt.Errorf("no latest version found for OS %q on %q track", runtime.GOOS, track)
-	}
-	return ver, nil
+	return latest.Version, nil
 }
 
 type trackPackages struct {

clientupdate/clientupdate_downloads.go

@@ -1,20 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build (linux && !android) || windows
-
-package clientupdate
-
-import (
-	"context"
-
-	"tailscale.com/clientupdate/distsign"
-)
-
-func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
-	c, err := distsign.NewClient(up.Logf, up.PkgsAddr)
-	if err != nil {
-		return err
-	}
-	return c.Download(context.Background(), pathSrc, fileDst)
-}

clientupdate/clientupdate_not_downloads.go

@@ -1,10 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !((linux && !android) || windows)
-
-package clientupdate
-
-func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
-	panic("unreachable")
-}

clientupdate/clientupdate_notwindows.go

@@ -1,10 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !windows
-
-package clientupdate
-
-func (up *Updater) updateWindows() error {
-	panic("unreachable")
-}

clientupdate/clientupdate_test.go

@@ -251,29 +251,6 @@ tailscale installed size:
 			out:     "",
 			wantErr: true,
 		},
-		{
-			desc: "multiple versions",
-			out: `
-tailscale-1.54.1-r0 description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale-1.54.1-r0 webpage:
-https://tailscale.com/
-
-tailscale-1.54.1-r0 installed size:
-34 MiB
-
-tailscale-1.58.2-r0 description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale-1.58.2-r0 webpage:
-https://tailscale.com/
-
-tailscale-1.58.2-r0 installed size:
-35 MiB
-`,
-			want: "1.58.2",
-		},
 	}
 
 	for _, tt := range tests {
@@ -663,7 +640,7 @@ func genTarball(t *testing.T, path string, files map[string]string) {
 
 func TestWriteFileOverwrite(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "test")
-	for i := range 2 {
+	for i := 0; i < 2; i++ {
 		content := fmt.Sprintf("content %d", i)
 		if err := writeFile(strings.NewReader(content), path, 0600); err != nil {
 			t.Fatal(err)
@@ -846,107 +823,3 @@ func TestParseUnraidPluginVersion(t *testing.T) {
 		})
 	}
 }
-
-func TestConfirm(t *testing.T) {
-	curTrack := CurrentTrack
-	defer func() { CurrentTrack = curTrack }()
-
-	tests := []struct {
-		desc      string
-		fromTrack string
-		toTrack   string
-		fromVer   string
-		toVer     string
-		confirm   func(string) bool
-		want      bool
-	}{
-		{
-			desc:      "on latest stable",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.0",
-			want:      false,
-		},
-		{
-			desc:      "stable upgrade",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.68.0",
-			want:      true,
-		},
-		{
-			desc:      "unstable upgrade",
-			fromTrack: UnstableTrack,
-			toTrack:   UnstableTrack,
-			fromVer:   "1.67.1",
-			toVer:     "1.67.2",
-			want:      true,
-		},
-		{
-			desc:      "from stable to unstable",
-			fromTrack: StableTrack,
-			toTrack:   UnstableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.67.1",
-			want:      true,
-		},
-		{
-			desc:      "from unstable to stable",
-			fromTrack: UnstableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.67.1",
-			toVer:     "1.66.0",
-			want:      true,
-		},
-		{
-			desc:      "confirm callback rejects",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.1",
-			confirm: func(string) bool {
-				return false
-			},
-			want: false,
-		},
-		{
-			desc:      "confirm callback allows",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.1",
-			confirm: func(string) bool {
-				return true
-			},
-			want: true,
-		},
-		{
-			desc:      "downgrade",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.1",
-			toVer:     "1.66.0",
-			want:      false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			CurrentTrack = tt.fromTrack
-			up := Updater{
-				currentVersion: tt.fromVer,
-				Arguments: Arguments{
-					Track:   tt.toTrack,
-					Confirm: tt.confirm,
-					Logf:    t.Logf,
-				},
-			}
-
-			if got := up.confirm(tt.toVer); got != tt.want {
-				t.Errorf("got %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

clientupdate/clientupdate_windows.go

@@ -7,57 +7,13 @@
 package clientupdate
 
 import (
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"runtime"
-	"strings"
-
-	"github.com/google/uuid"
 	"golang.org/x/sys/windows"
-	"tailscale.com/util/winutil"
 	"tailscale.com/util/winutil/authenticode"
 )
 
-const (
-	// winMSIEnv is the environment variable that, if set, is the MSI file for
-	// the update command to install. It's passed like this so we can stop the
-	// tailscale.exe process from running before the msiexec process runs and
-	// tries to overwrite ourselves.
-	winMSIEnv = "TS_UPDATE_WIN_MSI"
-	// winExePathEnv is the environment variable that is set along with
-	// winMSIEnv and carries the full path of the calling tailscale.exe binary.
-	// It is used to re-launch the GUI process (tailscale-ipn.exe) after
-	// install is complete.
-	winExePathEnv = "TS_UPDATE_WIN_EXE_PATH"
-)
-
-func makeSelfCopy() (origPathExe, tmpPathExe string, err error) {
-	selfExe, err := os.Executable()
-	if err != nil {
-		return "", "", err
-	}
-	f, err := os.Open(selfExe)
-	if err != nil {
-		return "", "", err
-	}
-	defer f.Close()
-	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
-	if err != nil {
-		return "", "", err
-	}
-	if err := markTempFileWindows(f2.Name()); err != nil {
-		return "", "", err
-	}
-	if _, err := io.Copy(f2, f); err != nil {
-		f2.Close()
-		return "", "", err
-	}
-	return selfExe, f2.Name(), f2.Close()
+func init() {
+	markTempFileFunc = markTempFileWindows
+	verifyAuthenticode = verifyTailscale
 }
 
 func markTempFileWindows(name string) error {
@@ -67,159 +23,6 @@ func markTempFileWindows(name string) error {
 
 const certSubjectTailscale = "Tailscale Inc."
 
-func verifyAuthenticode(path string) error {
+func verifyTailscale(path string) error {
 	return authenticode.Verify(path, certSubjectTailscale)
 }
-
-func (up *Updater) updateWindows() error {
-	if msi := os.Getenv(winMSIEnv); msi != "" {
-		// stdout/stderr from this part of the install could be lost since the
-		// parent tailscaled is replaced. Create a temp log file to have some
-		// output to debug with in case update fails.
-		close, err := up.switchOutputToFile()
-		if err != nil {
-			up.Logf("failed to create log file for installation: %v; proceeding with existing outputs", err)
-		} else {
-			defer close.Close()
-		}
-
-		up.Logf("installing %v ...", msi)
-		if err := up.installMSI(msi); err != nil {
-			up.Logf("MSI install failed: %v", err)
-			return err
-		}
-
-		up.Logf("success.")
-		return nil
-	}
-
-	if !winutil.IsCurrentProcessElevated() {
-		return errors.New(`update must be run as Administrator
-
-you can run the command prompt as Administrator one of these ways:
-* right-click cmd.exe, select 'Run as administrator'
-* press Windows+x, then press a
-* press Windows+r, type in "cmd", then press Ctrl+Shift+Enter`)
-	}
-	ver, err := requestedTailscaleVersion(up.Version, up.Track)
-	if err != nil {
-		return err
-	}
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
-	msiDir := filepath.Join(tsDir, "MSICache")
-	if fi, err := os.Stat(tsDir); err != nil {
-		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
-	} else if !fi.IsDir() {
-		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
-	}
-	if err := os.MkdirAll(msiDir, 0700); err != nil {
-		return err
-	}
-	up.cleanupOldDownloads(filepath.Join(msiDir, "*.msi"))
-	pkgsPath := fmt.Sprintf("%s/tailscale-setup-%s-%s.msi", up.Track, ver, arch)
-	msiTarget := filepath.Join(msiDir, path.Base(pkgsPath))
-	if err := up.downloadURLToFile(pkgsPath, msiTarget); err != nil {
-		return err
-	}
-
-	up.Logf("verifying MSI authenticode...")
-	if err := verifyAuthenticode(msiTarget); err != nil {
-		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
-	}
-	up.Logf("authenticode verification succeeded")
-
-	up.Logf("making tailscale.exe copy to switch to...")
-	up.cleanupOldDownloads(filepath.Join(os.TempDir(), "tailscale-updater-*.exe"))
-	selfOrig, selfCopy, err := makeSelfCopy()
-	if err != nil {
-		return err
-	}
-	defer os.Remove(selfCopy)
-	up.Logf("running tailscale.exe copy for final install...")
-
-	cmd := exec.Command(selfCopy, "update")
-	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget, winExePathEnv+"="+selfOrig)
-	cmd.Stdout = up.Stderr
-	cmd.Stderr = up.Stderr
-	cmd.Stdin = os.Stdin
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	// Once it's started, exit ourselves, so the binary is free
-	// to be replaced.
-	os.Exit(0)
-	panic("unreachable")
-}
-
-func (up *Updater) installMSI(msi string) error {
-	var err error
-	for tries := 0; tries < 2; tries++ {
-		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/norestart", "/qn")
-		cmd.Dir = filepath.Dir(msi)
-		cmd.Stdout = up.Stdout
-		cmd.Stderr = up.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		if err == nil {
-			break
-		}
-		up.Logf("Install attempt failed: %v", err)
-		uninstallVersion := up.currentVersion
-		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
-			uninstallVersion = v
-		}
-		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
-		up.Logf("Uninstalling current version %q for downgrade...", uninstallVersion)
-		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
-		cmd.Stdout = up.Stdout
-		cmd.Stderr = up.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		up.Logf("msiexec uninstall: %v", err)
-	}
-	return err
-}
-
-func msiUUIDForVersion(ver string) string {
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	track, err := versionToTrack(ver)
-	if err != nil {
-		track = UnstableTrack
-	}
-	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
-	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
-}
-
-func (up *Updater) switchOutputToFile() (io.Closer, error) {
-	var logFilePath string
-	exePath, err := os.Executable()
-	if err != nil {
-		logFilePath = filepath.Join(os.TempDir(), "tailscale-updater.log")
-	} else {
-		logFilePath = strings.TrimSuffix(exePath, ".exe") + ".log"
-	}
-
-	up.Logf("writing update output to %q", logFilePath)
-	logFile, err := os.Create(logFilePath)
-	if err != nil {
-		return nil, err
-	}
-
-	up.Logf = func(m string, args ...any) {
-		fmt.Fprintf(logFile, m+"\n", args...)
-	}
-	up.Stdout = logFile
-	up.Stderr = logFile
-	return logFile, nil
-}

clientupdate/distsign/distsign.go

@@ -1,486 +1,486 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package distsign implements signature and validation of arbitrary
-// distributable files.
-//
-// There are 3 parties in this exchange:
-//   - builder, which creates files, signs them with signing keys and publishes
-//     to server
-//   - server, which distributes public signing keys, files and signatures
-//   - client, which downloads files and signatures from server, and validates
-//     the signatures
-//
-// There are 2 types of keys:
-//   - signing keys, that sign individual distributable files on the builder
-//   - root keys, that sign signing keys and are kept offline
-//
-// root keys -(sign)-> signing keys -(sign)-> files
-//
-// All keys are asymmetric Ed25519 key pairs.
-//
-// The server serves static files under some known prefix. The kinds of files are:
-//   - distsign.pub - bundle of PEM-encoded public signing keys
-//   - distsign.pub.sig - signature of distsign.pub using one of the root keys
-//   - $file - any distributable file
-//   - $file.sig - signature of $file using any of the signing keys
-//
-// The root public keys are baked into the client software at compile time.
-// These keys are long-lived and prove the validity of current signing keys
-// from distsign.pub. To rotate root keys, a new client release must be
-// published, they are not rotated dynamically. There are multiple root keys in
-// different locations specifically to allow this rotation without using the
-// discarded root key for any new signatures.
-//
-// The signing public keys are fetched by the client dynamically before every
-// download and can be rotated more readily, assuming that most deployed
-// clients trust the root keys used to issue fresh signing keys.
-package distsign
-
-import (
-	"context"
-	"crypto/ed25519"
-	"crypto/rand"
-	"encoding/binary"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"hash"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-	"os"
-	"time"
-
-	"github.com/hdevalence/ed25519consensus"
-	"golang.org/x/crypto/blake2s"
-	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/httpm"
-	"tailscale.com/util/must"
-)
-
-const (
-	pemTypeRootPrivate    = "ROOT PRIVATE KEY"
-	pemTypeRootPublic     = "ROOT PUBLIC KEY"
-	pemTypeSigningPrivate = "SIGNING PRIVATE KEY"
-	pemTypeSigningPublic  = "SIGNING PUBLIC KEY"
-
-	downloadSizeLimit    = 1 << 29 // 512MB
-	signingKeysSizeLimit = 1 << 20 // 1MB
-	signatureSizeLimit   = ed25519.SignatureSize
-)
-
-// RootKey is a root key used to sign signing keys.
-type RootKey struct {
-	k ed25519.PrivateKey
-}
-
-// GenerateRootKey generates a new root key pair and encodes it as PEM.
-func GenerateRootKey() (priv, pub []byte, err error) {
-	pub, priv, err = ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	return pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeRootPrivate,
-			Bytes: []byte(priv),
-		}), pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeRootPublic,
-			Bytes: []byte(pub),
-		}), nil
-}
-
-// ParseRootKey parses the PEM-encoded private root key. The key must be in the
-// same format as returned by GenerateRootKey.
-func ParseRootKey(privKey []byte) (*RootKey, error) {
-	k, err := parsePrivateKey(privKey, pemTypeRootPrivate)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse root key: %w", err)
-	}
-	return &RootKey{k: k}, nil
-}
-
-// SignSigningKeys signs the bundle of public signing keys. The bundle must be
-// a sequence of PEM blocks joined with newlines.
-func (r *RootKey) SignSigningKeys(pubBundle []byte) ([]byte, error) {
-	if _, err := ParseSigningKeyBundle(pubBundle); err != nil {
-		return nil, err
-	}
-	return ed25519.Sign(r.k, pubBundle), nil
-}
-
-// SigningKey is a signing key used to sign packages.
-type SigningKey struct {
-	k ed25519.PrivateKey
-}
-
-// GenerateSigningKey generates a new signing key pair and encodes it as PEM.
-func GenerateSigningKey() (priv, pub []byte, err error) {
-	pub, priv, err = ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	return pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeSigningPrivate,
-			Bytes: []byte(priv),
-		}), pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeSigningPublic,
-			Bytes: []byte(pub),
-		}), nil
-}
-
-// ParseSigningKey parses the PEM-encoded private signing key. The key must be
-// in the same format as returned by GenerateSigningKey.
-func ParseSigningKey(privKey []byte) (*SigningKey, error) {
-	k, err := parsePrivateKey(privKey, pemTypeSigningPrivate)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse root key: %w", err)
-	}
-	return &SigningKey{k: k}, nil
-}
-
-// SignPackageHash signs the hash and the length of a package. Use PackageHash
-// to compute the inputs.
-func (s *SigningKey) SignPackageHash(hash []byte, len int64) ([]byte, error) {
-	if len <= 0 {
-		return nil, fmt.Errorf("package length must be positive, got %d", len)
-	}
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
-	return ed25519.Sign(s.k, msg), nil
-}
-
-// PackageHash is a hash.Hash that counts the number of bytes written. Use it
-// to get the hash and length inputs to SigningKey.SignPackageHash.
-type PackageHash struct {
-	hash.Hash
-	len int64
-}
-
-// NewPackageHash returns an initialized PackageHash using BLAKE2s.
-func NewPackageHash() *PackageHash {
-	h, err := blake2s.New256(nil)
-	if err != nil {
-		// Should never happen with a nil key passed to blake2s.
-		panic(err)
-	}
-	return &PackageHash{Hash: h}
-}
-
-func (ph *PackageHash) Write(b []byte) (int, error) {
-	ph.len += int64(len(b))
-	return ph.Hash.Write(b)
-}
-
-// Reset the PackageHash to its initial state.
-func (ph *PackageHash) Reset() {
-	ph.len = 0
-	ph.Hash.Reset()
-}
-
-// Len returns the total number of bytes written.
-func (ph *PackageHash) Len() int64 { return ph.len }
-
-// Client downloads and validates files from a distribution server.
-type Client struct {
-	logf     logger.Logf
-	roots    []ed25519.PublicKey
-	pkgsAddr *url.URL
-}
-
-// NewClient returns a new client for distribution server located at pkgsAddr,
-// and uses embedded root keys from the roots/ subdirectory of this package.
-func NewClient(logf logger.Logf, pkgsAddr string) (*Client, error) {
-	if logf == nil {
-		logf = log.Printf
-	}
-	u, err := url.Parse(pkgsAddr)
-	if err != nil {
-		return nil, fmt.Errorf("invalid pkgsAddr %q: %w", pkgsAddr, err)
-	}
-	return &Client{logf: logf, roots: roots(), pkgsAddr: u}, nil
-}
-
-func (c *Client) url(path string) string {
-	return c.pkgsAddr.JoinPath(path).String()
-}
-
-// Download fetches a file at path srcPath from pkgsAddr passed in NewClient.
-// The file is downloaded to dstPath and its signature is validated using the
-// embedded root keys. Download returns an error if anything goes wrong with
-// the actual file download or with signature validation.
-func (c *Client) Download(ctx context.Context, srcPath, dstPath string) error {
-	// Always fetch a fresh signing key.
-	sigPub, err := c.signingKeys()
-	if err != nil {
-		return err
-	}
-
-	srcURL := c.url(srcPath)
-	sigURL := srcURL + ".sig"
-
-	c.logf("Downloading %q", srcURL)
-	dstPathUnverified := dstPath + ".unverified"
-	hash, len, err := c.download(ctx, srcURL, dstPathUnverified, downloadSizeLimit)
-	if err != nil {
-		return err
-	}
-	c.logf("Downloading %q", sigURL)
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		// Best-effort clean up of downloaded package.
-		os.Remove(dstPathUnverified)
-		return err
-	}
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
-	if !VerifyAny(sigPub, msg, sig) {
-		// Best-effort clean up of downloaded package.
-		os.Remove(dstPathUnverified)
-		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, srcURL)
-	}
-	c.logf("Signature OK")
-
-	if err := os.Rename(dstPathUnverified, dstPath); err != nil {
-		return fmt.Errorf("failed to move %q to %q after signature validation", dstPathUnverified, dstPath)
-	}
-
-	return nil
-}
-
-// ValidateLocalBinary fetches the latest signature associated with the binary
-// at srcURLPath and uses it to validate the file located on disk via
-// localFilePath. ValidateLocalBinary returns an error if anything goes wrong
-// with the signature download or with signature validation.
-func (c *Client) ValidateLocalBinary(srcURLPath, localFilePath string) error {
-	// Always fetch a fresh signing key.
-	sigPub, err := c.signingKeys()
-	if err != nil {
-		return err
-	}
-
-	srcURL := c.url(srcURLPath)
-	sigURL := srcURL + ".sig"
-
-	localFile, err := os.Open(localFilePath)
-	if err != nil {
-		return err
-	}
-	defer localFile.Close()
-
-	h := NewPackageHash()
-	_, err = io.Copy(h, localFile)
-	if err != nil {
-		return err
-	}
-	hash, hashLen := h.Sum(nil), h.Len()
-
-	c.logf("Downloading %q", sigURL)
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		return err
-	}
-
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(hashLen))
-	if !VerifyAny(sigPub, msg, sig) {
-		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, localFilePath)
-	}
-	c.logf("Signature OK")
-
-	return nil
-}
-
-// signingKeys fetches current signing keys from the server and validates them
-// against the roots. Should be called before validation of any downloaded file
-// to get the fresh keys.
-func (c *Client) signingKeys() ([]ed25519.PublicKey, error) {
-	keyURL := c.url("distsign.pub")
-	sigURL := keyURL + ".sig"
-	raw, err := fetch(keyURL, signingKeysSizeLimit)
-	if err != nil {
-		return nil, err
-	}
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		return nil, err
-	}
-	if !VerifyAny(c.roots, raw, sig) {
-		return nil, fmt.Errorf("signature %q for key %q does not validate with any known root key; either you are under attack, or running a very old version of Tailscale with outdated root keys", sigURL, keyURL)
-	}
-
-	keys, err := ParseSigningKeyBundle(raw)
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse signing key bundle from %q: %w", keyURL, err)
-	}
-	return keys, nil
-}
-
-// fetch reads the response body from url into memory, up to limit bytes.
-func fetch(url string, limit int64) ([]byte, error) {
-	resp, err := http.Get(url)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return io.ReadAll(io.LimitReader(resp.Body, limit))
-}
-
-// download writes the response body of url into a local file at dst, up to
-// limit bytes. On success, the returned value is a BLAKE2s hash of the file.
-func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]byte, int64, error) {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.Proxy = tshttpproxy.ProxyFromEnvironment
-	defer tr.CloseIdleConnections()
-	hc := &http.Client{Transport: tr}
-
-	quickCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-	headReq := must.Get(http.NewRequestWithContext(quickCtx, httpm.HEAD, url, nil))
-
-	res, err := hc.Do(headReq)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.StatusCode != http.StatusOK {
-		return nil, 0, fmt.Errorf("HEAD %q: %v", url, res.Status)
-	}
-	if res.ContentLength <= 0 {
-		return nil, 0, fmt.Errorf("HEAD %q: unexpected Content-Length %v", url, res.ContentLength)
-	}
-	c.logf("Download size: %v", res.ContentLength)
-
-	dlReq := must.Get(http.NewRequestWithContext(ctx, httpm.GET, url, nil))
-	dlRes, err := hc.Do(dlReq)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer dlRes.Body.Close()
-	// TODO(bradfitz): resume from existing partial file on disk
-	if dlRes.StatusCode != http.StatusOK {
-		return nil, 0, fmt.Errorf("GET %q: %v", url, dlRes.Status)
-	}
-
-	of, err := os.Create(dst)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer of.Close()
-	pw := &progressWriter{total: res.ContentLength, logf: c.logf}
-	h := NewPackageHash()
-	n, err := io.Copy(io.MultiWriter(of, h, pw), io.LimitReader(dlRes.Body, limit))
-	if err != nil {
-		return nil, n, err
-	}
-	if n != res.ContentLength {
-		return nil, n, fmt.Errorf("GET %q: downloaded %v, want %v", url, n, res.ContentLength)
-	}
-	if err := dlRes.Body.Close(); err != nil {
-		return nil, n, err
-	}
-	if err := of.Close(); err != nil {
-		return nil, n, err
-	}
-	pw.print()
-
-	return h.Sum(nil), h.Len(), nil
-}
-
-type progressWriter struct {
-	done      int64
-	total     int64
-	lastPrint time.Time
-	logf      logger.Logf
-}
-
-func (pw *progressWriter) Write(p []byte) (n int, err error) {
-	pw.done += int64(len(p))
-	if time.Since(pw.lastPrint) > 2*time.Second {
-		pw.print()
-	}
-	return len(p), nil
-}
-
-func (pw *progressWriter) print() {
-	pw.lastPrint = time.Now()
-	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
-}
-
-func parsePrivateKey(data []byte, typeTag string) (ed25519.PrivateKey, error) {
-	b, rest := pem.Decode(data)
-	if b == nil {
-		return nil, errors.New("failed to decode PEM data")
-	}
-	if len(rest) > 0 {
-		return nil, errors.New("trailing PEM data")
-	}
-	if b.Type != typeTag {
-		return nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
-	}
-	if len(b.Bytes) != ed25519.PrivateKeySize {
-		return nil, errors.New("private key has incorrect length for an Ed25519 private key")
-	}
-	return ed25519.PrivateKey(b.Bytes), nil
-}
-
-// ParseSigningKeyBundle parses the bundle of PEM-encoded public signing keys.
-func ParseSigningKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
-	return parsePublicKeyBundle(bundle, pemTypeSigningPublic)
-}
-
-// ParseRootKeyBundle parses the bundle of PEM-encoded public root keys.
-func ParseRootKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
-	return parsePublicKeyBundle(bundle, pemTypeRootPublic)
-}
-
-func parsePublicKeyBundle(bundle []byte, typeTag string) ([]ed25519.PublicKey, error) {
-	var keys []ed25519.PublicKey
-	for len(bundle) > 0 {
-		pub, rest, err := parsePublicKey(bundle, typeTag)
-		if err != nil {
-			return nil, err
-		}
-		keys = append(keys, pub)
-		bundle = rest
-	}
-	if len(keys) == 0 {
-		return nil, errors.New("no signing keys found in the bundle")
-	}
-	return keys, nil
-}
-
-func parseSinglePublicKey(data []byte, typeTag string) (ed25519.PublicKey, error) {
-	pub, rest, err := parsePublicKey(data, typeTag)
-	if err != nil {
-		return nil, err
-	}
-	if len(rest) > 0 {
-		return nil, errors.New("trailing PEM data")
-	}
-	return pub, err
-}
-
-func parsePublicKey(data []byte, typeTag string) (pub ed25519.PublicKey, rest []byte, retErr error) {
-	b, rest := pem.Decode(data)
-	if b == nil {
-		return nil, nil, errors.New("failed to decode PEM data")
-	}
-	if b.Type != typeTag {
-		return nil, nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
-	}
-	if len(b.Bytes) != ed25519.PublicKeySize {
-		return nil, nil, errors.New("public key has incorrect length for an Ed25519 public key")
-	}
-	return ed25519.PublicKey(b.Bytes), rest, nil
-}
-
-// VerifyAny verifies whether sig is valid for msg using any of the keys.
-// VerifyAny will panic if any of the keys have the wrong size for Ed25519.
-func VerifyAny(keys []ed25519.PublicKey, msg, sig []byte) bool {
-	for _, k := range keys {
-		if ed25519consensus.Verify(k, msg, sig) {
-			return true
-		}
-	}
-	return false
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package distsign implements signature and validation of arbitrary
+// distributable files.
+//
+// There are 3 parties in this exchange:
+//   - builder, which creates files, signs them with signing keys and publishes
+//     to server
+//   - server, which distributes public signing keys, files and signatures
+//   - client, which downloads files and signatures from server, and validates
+//     the signatures
+//
+// There are 2 types of keys:
+//   - signing keys, that sign individual distributable files on the builder
+//   - root keys, that sign signing keys and are kept offline
+//
+// root keys -(sign)-> signing keys -(sign)-> files
+//
+// All keys are asymmetric Ed25519 key pairs.
+//
+// The server serves static files under some known prefix. The kinds of files are:
+//   - distsign.pub - bundle of PEM-encoded public signing keys
+//   - distsign.pub.sig - signature of distsign.pub using one of the root keys
+//   - $file - any distributable file
+//   - $file.sig - signature of $file using any of the signing keys
+//
+// The root public keys are baked into the client software at compile time.
+// These keys are long-lived and prove the validity of current signing keys
+// from distsign.pub. To rotate root keys, a new client release must be
+// published, they are not rotated dynamically. There are multiple root keys in
+// different locations specifically to allow this rotation without using the
+// discarded root key for any new signatures.
+//
+// The signing public keys are fetched by the client dynamically before every
+// download and can be rotated more readily, assuming that most deployed
+// clients trust the root keys used to issue fresh signing keys.
+package distsign
+
+import (
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/binary"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/hdevalence/ed25519consensus"
+	"golang.org/x/crypto/blake2s"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/httpm"
+	"tailscale.com/util/must"
+)
+
+const (
+	pemTypeRootPrivate    = "ROOT PRIVATE KEY"
+	pemTypeRootPublic     = "ROOT PUBLIC KEY"
+	pemTypeSigningPrivate = "SIGNING PRIVATE KEY"
+	pemTypeSigningPublic  = "SIGNING PUBLIC KEY"
+
+	downloadSizeLimit    = 1 << 29 // 512MB
+	signingKeysSizeLimit = 1 << 20 // 1MB
+	signatureSizeLimit   = ed25519.SignatureSize
+)
+
+// RootKey is a root key used to sign signing keys.
+type RootKey struct {
+	k ed25519.PrivateKey
+}
+
+// GenerateRootKey generates a new root key pair and encodes it as PEM.
+func GenerateRootKey() (priv, pub []byte, err error) {
+	pub, priv, err = ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	return pem.EncodeToMemory(&pem.Block{
+			Type:  pemTypeRootPrivate,
+			Bytes: []byte(priv),
+		}), pem.EncodeToMemory(&pem.Block{
+			Type:  pemTypeRootPublic,
+			Bytes: []byte(pub),
+		}), nil
+}
+
+// ParseRootKey parses the PEM-encoded private root key. The key must be in the
+// same format as returned by GenerateRootKey.
+func ParseRootKey(privKey []byte) (*RootKey, error) {
+	k, err := parsePrivateKey(privKey, pemTypeRootPrivate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse root key: %w", err)
+	}
+	return &RootKey{k: k}, nil
+}
+
+// SignSigningKeys signs the bundle of public signing keys. The bundle must be
+// a sequence of PEM blocks joined with newlines.
+func (r *RootKey) SignSigningKeys(pubBundle []byte) ([]byte, error) {
+	if _, err := ParseSigningKeyBundle(pubBundle); err != nil {
+		return nil, err
+	}
+	return ed25519.Sign(r.k, pubBundle), nil
+}
+
+// SigningKey is a signing key used to sign packages.
+type SigningKey struct {
+	k ed25519.PrivateKey
+}
+
+// GenerateSigningKey generates a new signing key pair and encodes it as PEM.
+func GenerateSigningKey() (priv, pub []byte, err error) {
+	pub, priv, err = ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	return pem.EncodeToMemory(&pem.Block{
+			Type:  pemTypeSigningPrivate,
+			Bytes: []byte(priv),
+		}), pem.EncodeToMemory(&pem.Block{
+			Type:  pemTypeSigningPublic,
+			Bytes: []byte(pub),
+		}), nil
+}
+
+// ParseSigningKey parses the PEM-encoded private signing key. The key must be
+// in the same format as returned by GenerateSigningKey.
+func ParseSigningKey(privKey []byte) (*SigningKey, error) {
+	k, err := parsePrivateKey(privKey, pemTypeSigningPrivate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse root key: %w", err)
+	}
+	return &SigningKey{k: k}, nil
+}
+
+// SignPackageHash signs the hash and the length of a package. Use PackageHash
+// to compute the inputs.
+func (s *SigningKey) SignPackageHash(hash []byte, len int64) ([]byte, error) {
+	if len <= 0 {
+		return nil, fmt.Errorf("package length must be positive, got %d", len)
+	}
+	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
+	return ed25519.Sign(s.k, msg), nil
+}
+
+// PackageHash is a hash.Hash that counts the number of bytes written. Use it
+// to get the hash and length inputs to SigningKey.SignPackageHash.
+type PackageHash struct {
+	hash.Hash
+	len int64
+}
+
+// NewPackageHash returns an initialized PackageHash using BLAKE2s.
+func NewPackageHash() *PackageHash {
+	h, err := blake2s.New256(nil)
+	if err != nil {
+		// Should never happen with a nil key passed to blake2s.
+		panic(err)
+	}
+	return &PackageHash{Hash: h}
+}
+
+func (ph *PackageHash) Write(b []byte) (int, error) {
+	ph.len += int64(len(b))
+	return ph.Hash.Write(b)
+}
+
+// Reset the PackageHash to its initial state.
+func (ph *PackageHash) Reset() {
+	ph.len = 0
+	ph.Hash.Reset()
+}
+
+// Len returns the total number of bytes written.
+func (ph *PackageHash) Len() int64 { return ph.len }
+
+// Client downloads and validates files from a distribution server.
+type Client struct {
+	logf     logger.Logf
+	roots    []ed25519.PublicKey
+	pkgsAddr *url.URL
+}
+
+// NewClient returns a new client for distribution server located at pkgsAddr,
+// and uses embedded root keys from the roots/ subdirectory of this package.
+func NewClient(logf logger.Logf, pkgsAddr string) (*Client, error) {
+	if logf == nil {
+		logf = log.Printf
+	}
+	u, err := url.Parse(pkgsAddr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid pkgsAddr %q: %w", pkgsAddr, err)
+	}
+	return &Client{logf: logf, roots: roots(), pkgsAddr: u}, nil
+}
+
+func (c *Client) url(path string) string {
+	return c.pkgsAddr.JoinPath(path).String()
+}
+
+// Download fetches a file at path srcPath from pkgsAddr passed in NewClient.
+// The file is downloaded to dstPath and its signature is validated using the
+// embedded root keys. Download returns an error if anything goes wrong with
+// the actual file download or with signature validation.
+func (c *Client) Download(ctx context.Context, srcPath, dstPath string) error {
+	// Always fetch a fresh signing key.
+	sigPub, err := c.signingKeys()
+	if err != nil {
+		return err
+	}
+
+	srcURL := c.url(srcPath)
+	sigURL := srcURL + ".sig"
+
+	c.logf("Downloading %q", srcURL)
+	dstPathUnverified := dstPath + ".unverified"
+	hash, len, err := c.download(ctx, srcURL, dstPathUnverified, downloadSizeLimit)
+	if err != nil {
+		return err
+	}
+	c.logf("Downloading %q", sigURL)
+	sig, err := fetch(sigURL, signatureSizeLimit)
+	if err != nil {
+		// Best-effort clean up of downloaded package.
+		os.Remove(dstPathUnverified)
+		return err
+	}
+	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
+	if !VerifyAny(sigPub, msg, sig) {
+		// Best-effort clean up of downloaded package.
+		os.Remove(dstPathUnverified)
+		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, srcURL)
+	}
+	c.logf("Signature OK")
+
+	if err := os.Rename(dstPathUnverified, dstPath); err != nil {
+		return fmt.Errorf("failed to move %q to %q after signature validation", dstPathUnverified, dstPath)
+	}
+
+	return nil
+}
+
+// ValidateLocalBinary fetches the latest signature associated with the binary
+// at srcURLPath and uses it to validate the file located on disk via
+// localFilePath. ValidateLocalBinary returns an error if anything goes wrong
+// with the signature download or with signature validation.
+func (c *Client) ValidateLocalBinary(srcURLPath, localFilePath string) error {
+	// Always fetch a fresh signing key.
+	sigPub, err := c.signingKeys()
+	if err != nil {
+		return err
+	}
+
+	srcURL := c.url(srcURLPath)
+	sigURL := srcURL + ".sig"
+
+	localFile, err := os.Open(localFilePath)
+	if err != nil {
+		return err
+	}
+	defer localFile.Close()
+
+	h := NewPackageHash()
+	_, err = io.Copy(h, localFile)
+	if err != nil {
+		return err
+	}
+	hash, hashLen := h.Sum(nil), h.Len()
+
+	c.logf("Downloading %q", sigURL)
+	sig, err := fetch(sigURL, signatureSizeLimit)
+	if err != nil {
+		return err
+	}
+
+	msg := binary.LittleEndian.AppendUint64(hash, uint64(hashLen))
+	if !VerifyAny(sigPub, msg, sig) {
+		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, localFilePath)
+	}
+	c.logf("Signature OK")
+
+	return nil
+}
+
+// signingKeys fetches current signing keys from the server and validates them
+// against the roots. Should be called before validation of any downloaded file
+// to get the fresh keys.
+func (c *Client) signingKeys() ([]ed25519.PublicKey, error) {
+	keyURL := c.url("distsign.pub")
+	sigURL := keyURL + ".sig"
+	raw, err := fetch(keyURL, signingKeysSizeLimit)
+	if err != nil {
+		return nil, err
+	}
+	sig, err := fetch(sigURL, signatureSizeLimit)
+	if err != nil {
+		return nil, err
+	}
+	if !VerifyAny(c.roots, raw, sig) {
+		return nil, fmt.Errorf("signature %q for key %q does not validate with any known root key; either you are under attack, or running a very old version of Tailscale with outdated root keys", sigURL, keyURL)
+	}
+
+	keys, err := ParseSigningKeyBundle(raw)
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse signing key bundle from %q: %w", keyURL, err)
+	}
+	return keys, nil
+}
+
+// fetch reads the response body from url into memory, up to limit bytes.
+func fetch(url string, limit int64) ([]byte, error) {
+	resp, err := http.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return io.ReadAll(io.LimitReader(resp.Body, limit))
+}
+
+// download writes the response body of url into a local file at dst, up to
+// limit bytes. On success, the returned value is a BLAKE2s hash of the file.
+func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]byte, int64, error) {
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	defer tr.CloseIdleConnections()
+	hc := &http.Client{Transport: tr}
+
+	quickCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+	headReq := must.Get(http.NewRequestWithContext(quickCtx, httpm.HEAD, url, nil))
+
+	res, err := hc.Do(headReq)
+	if err != nil {
+		return nil, 0, err
+	}
+	if res.StatusCode != http.StatusOK {
+		return nil, 0, fmt.Errorf("HEAD %q: %v", url, res.Status)
+	}
+	if res.ContentLength <= 0 {
+		return nil, 0, fmt.Errorf("HEAD %q: unexpected Content-Length %v", url, res.ContentLength)
+	}
+	c.logf("Download size: %v", res.ContentLength)
+
+	dlReq := must.Get(http.NewRequestWithContext(ctx, httpm.GET, url, nil))
+	dlRes, err := hc.Do(dlReq)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer dlRes.Body.Close()
+	// TODO(bradfitz): resume from existing partial file on disk
+	if dlRes.StatusCode != http.StatusOK {
+		return nil, 0, fmt.Errorf("GET %q: %v", url, dlRes.Status)
+	}
+
+	of, err := os.Create(dst)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer of.Close()
+	pw := &progressWriter{total: res.ContentLength, logf: c.logf}
+	h := NewPackageHash()
+	n, err := io.Copy(io.MultiWriter(of, h, pw), io.LimitReader(dlRes.Body, limit))
+	if err != nil {
+		return nil, n, err
+	}
+	if n != res.ContentLength {
+		return nil, n, fmt.Errorf("GET %q: downloaded %v, want %v", url, n, res.ContentLength)
+	}
+	if err := dlRes.Body.Close(); err != nil {
+		return nil, n, err
+	}
+	if err := of.Close(); err != nil {
+		return nil, n, err
+	}
+	pw.print()
+
+	return h.Sum(nil), h.Len(), nil
+}
+
+type progressWriter struct {
+	done      int64
+	total     int64
+	lastPrint time.Time
+	logf      logger.Logf
+}
+
+func (pw *progressWriter) Write(p []byte) (n int, err error) {
+	pw.done += int64(len(p))
+	if time.Since(pw.lastPrint) > 2*time.Second {
+		pw.print()
+	}
+	return len(p), nil
+}
+
+func (pw *progressWriter) print() {
+	pw.lastPrint = time.Now()
+	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
+}
+
+func parsePrivateKey(data []byte, typeTag string) (ed25519.PrivateKey, error) {
+	b, rest := pem.Decode(data)
+	if b == nil {
+		return nil, errors.New("failed to decode PEM data")
+	}
+	if len(rest) > 0 {
+		return nil, errors.New("trailing PEM data")
+	}
+	if b.Type != typeTag {
+		return nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
+	}
+	if len(b.Bytes) != ed25519.PrivateKeySize {
+		return nil, errors.New("private key has incorrect length for an Ed25519 private key")
+	}
+	return ed25519.PrivateKey(b.Bytes), nil
+}
+
+// ParseSigningKeyBundle parses the bundle of PEM-encoded public signing keys.
+func ParseSigningKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
+	return parsePublicKeyBundle(bundle, pemTypeSigningPublic)
+}
+
+// ParseRootKeyBundle parses the bundle of PEM-encoded public root keys.
+func ParseRootKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
+	return parsePublicKeyBundle(bundle, pemTypeRootPublic)
+}
+
+func parsePublicKeyBundle(bundle []byte, typeTag string) ([]ed25519.PublicKey, error) {
+	var keys []ed25519.PublicKey
+	for len(bundle) > 0 {
+		pub, rest, err := parsePublicKey(bundle, typeTag)
+		if err != nil {
+			return nil, err
+		}
+		keys = append(keys, pub)
+		bundle = rest
+	}
+	if len(keys) == 0 {
+		return nil, errors.New("no signing keys found in the bundle")
+	}
+	return keys, nil
+}
+
+func parseSinglePublicKey(data []byte, typeTag string) (ed25519.PublicKey, error) {
+	pub, rest, err := parsePublicKey(data, typeTag)
+	if err != nil {
+		return nil, err
+	}
+	if len(rest) > 0 {
+		return nil, errors.New("trailing PEM data")
+	}
+	return pub, err
+}
+
+func parsePublicKey(data []byte, typeTag string) (pub ed25519.PublicKey, rest []byte, retErr error) {
+	b, rest := pem.Decode(data)
+	if b == nil {
+		return nil, nil, errors.New("failed to decode PEM data")
+	}
+	if b.Type != typeTag {
+		return nil, nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
+	}
+	if len(b.Bytes) != ed25519.PublicKeySize {
+		return nil, nil, errors.New("public key has incorrect length for an Ed25519 public key")
+	}
+	return ed25519.PublicKey(b.Bytes), rest, nil
+}
+
+// VerifyAny verifies whether sig is valid for msg using any of the keys.
+// VerifyAny will panic if any of the keys have the wrong size for Ed25519.
+func VerifyAny(keys []ed25519.PublicKey, msg, sig []byte) bool {
+	for _, k := range keys {
+		if ed25519consensus.Verify(k, msg, sig) {
+			return true
+		}
+	}
+	return false
+}

clientupdate/distsign/distsign_test.go

@@ -445,7 +445,7 @@ type testServer struct {
 
 func newTestServer(t *testing.T) *testServer {
 	var roots []rootKeyPair
-	for range 3 {
+	for i := 0; i < 3; i++ {
 		roots = append(roots, newRootKeyPair(t))
 	}
 

clientupdate/distsign/roots.go

@@ -1,54 +1,54 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import (
-	"crypto/ed25519"
-	"embed"
-	"errors"
-	"fmt"
-	"path"
-	"path/filepath"
-	"sync"
-)
-
-//go:embed roots
-var rootsFS embed.FS
-
-var roots = sync.OnceValue(func() []ed25519.PublicKey {
-	roots, err := parseRoots()
-	if err != nil {
-		panic(err)
-	}
-	return roots
-})
-
-func parseRoots() ([]ed25519.PublicKey, error) {
-	files, err := rootsFS.ReadDir("roots")
-	if err != nil {
-		return nil, err
-	}
-	var keys []ed25519.PublicKey
-	for _, f := range files {
-		if !f.Type().IsRegular() {
-			continue
-		}
-		if filepath.Ext(f.Name()) != ".pem" {
-			continue
-		}
-		raw, err := rootsFS.ReadFile(path.Join("roots", f.Name()))
-		if err != nil {
-			return nil, err
-		}
-		key, err := parseSinglePublicKey(raw, pemTypeRootPublic)
-		if err != nil {
-			return nil, fmt.Errorf("parsing root key %q: %w", f.Name(), err)
-		}
-		keys = append(keys, key)
-	}
-	if len(keys) == 0 {
-		return nil, errors.New("no embedded root keys, please check clientupdate/distsign/roots/")
-	}
-	return keys, nil
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package distsign
+
+import (
+	"crypto/ed25519"
+	"embed"
+	"errors"
+	"fmt"
+	"path"
+	"path/filepath"
+	"sync"
+)
+
+//go:embed roots
+var rootsFS embed.FS
+
+var roots = sync.OnceValue(func() []ed25519.PublicKey {
+	roots, err := parseRoots()
+	if err != nil {
+		panic(err)
+	}
+	return roots
+})
+
+func parseRoots() ([]ed25519.PublicKey, error) {
+	files, err := rootsFS.ReadDir("roots")
+	if err != nil {
+		return nil, err
+	}
+	var keys []ed25519.PublicKey
+	for _, f := range files {
+		if !f.Type().IsRegular() {
+			continue
+		}
+		if filepath.Ext(f.Name()) != ".pem" {
+			continue
+		}
+		raw, err := rootsFS.ReadFile(path.Join("roots", f.Name()))
+		if err != nil {
+			return nil, err
+		}
+		key, err := parseSinglePublicKey(raw, pemTypeRootPublic)
+		if err != nil {
+			return nil, fmt.Errorf("parsing root key %q: %w", f.Name(), err)
+		}
+		keys = append(keys, key)
+	}
+	if len(keys) == 0 {
+		return nil, errors.New("no embedded root keys, please check clientupdate/distsign/roots/")
+	}
+	return keys, nil
+}

clientupdate/distsign/roots/crawshaw-root.pem

@@ -1,3 +1,3 @@
------BEGIN ROOT PUBLIC KEY-----
-Psrabv2YNiEDhPlnLVSMtB5EKACm7zxvKxfvYD4i7X8=
------END ROOT PUBLIC KEY-----
+-----BEGIN ROOT PUBLIC KEY-----
+Psrabv2YNiEDhPlnLVSMtB5EKACm7zxvKxfvYD4i7X8=
+-----END ROOT PUBLIC KEY-----

clientupdate/distsign/roots/distsign-prod-root-1-pub.pem

@@ -1,3 +1,3 @@
------BEGIN ROOT PUBLIC KEY-----
-ZjjKhUHBtLNRSO1dhOTjrXJGJ8lDe1594WM2XDuheVQ=
------END ROOT PUBLIC KEY-----
+-----BEGIN ROOT PUBLIC KEY-----
+ZjjKhUHBtLNRSO1dhOTjrXJGJ8lDe1594WM2XDuheVQ=
+-----END ROOT PUBLIC KEY-----

clientupdate/distsign/roots_test.go

@@ -1,16 +1,16 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import "testing"
-
-func TestParseRoots(t *testing.T) {
-	roots, err := parseRoots()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(roots) == 0 {
-		t.Error("parseRoots returned no root keys")
-	}
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package distsign
+
+import "testing"
+
+func TestParseRoots(t *testing.T) {
+	roots, err := parseRoots()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(roots) == 0 {
+		t.Error("parseRoots returned no root keys")
+	}
+}

clientupdate/systemd_linux.go

@@ -0,0 +1,37 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/coreos/go-systemd/v22/dbus"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	c, err := dbus.NewWithContext(ctx)
+	if err != nil {
+		// Likely not a systemd-managed distro.
+		return errors.ErrUnsupported
+	}
+	defer c.Close()
+	if err := c.ReloadContext(ctx); err != nil {
+		return fmt.Errorf("failed to reload tailsacled.service: %w", err)
+	}
+	ch := make(chan string, 1)
+	if _, err := c.RestartUnitContext(ctx, "tailscaled.service", "replace", ch); err != nil {
+		return fmt.Errorf("failed to restart tailsacled.service: %w", err)
+	}
+	select {
+	case res := <-ch:
+		if res != "done" {
+			return fmt.Errorf("systemd service restart failed with result %q", res)
+		}
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+	return nil
+}

clientupdate/systemd_other.go

@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !linux
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	return errors.ErrUnsupported
+}

cmd/addlicense/main.go

@@ -1,73 +1,73 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Program addlicense adds a license header to a file.
-// It is intended for use with 'go generate',
-// so it has a slightly weird usage.
-package main
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"os/exec"
-)
-
-var (
-	file = flag.String("file", "", "file to modify")
-)
-
-func usage() {
-	fmt.Fprintf(os.Stderr, `
-usage: addlicense -file FILE <subcommand args...>
-`[1:])
-
-	flag.PrintDefaults()
-	fmt.Fprintf(os.Stderr, `
-addlicense adds a Tailscale license to the beginning of file.
-
-It is intended for use with 'go generate', so it also runs a subcommand,
-which presumably creates the file.
-
-Sample usage:
-
-addlicense -file pull_strings.go stringer -type=pull
-`[1:])
-	os.Exit(2)
-}
-
-func main() {
-	flag.Usage = usage
-	flag.Parse()
-	if len(flag.Args()) == 0 {
-		flag.Usage()
-	}
-	cmd := exec.Command(flag.Arg(0), flag.Args()[1:]...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err := cmd.Run()
-	check(err)
-	b, err := os.ReadFile(*file)
-	check(err)
-	f, err := os.OpenFile(*file, os.O_TRUNC|os.O_WRONLY, 0644)
-	check(err)
-	_, err = fmt.Fprint(f, license)
-	check(err)
-	_, err = f.Write(b)
-	check(err)
-	err = f.Close()
-	check(err)
-}
-
-func check(err error) {
-	if err != nil {
-		fmt.Fprintln(os.Stderr, err)
-		os.Exit(1)
-	}
-}
-
-var license = `
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-`[1:]
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Program addlicense adds a license header to a file.
+// It is intended for use with 'go generate',
+// so it has a slightly weird usage.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"os/exec"
+)
+
+var (
+	file = flag.String("file", "", "file to modify")
+)
+
+func usage() {
+	fmt.Fprintf(os.Stderr, `
+usage: addlicense -file FILE <subcommand args...>
+`[1:])
+
+	flag.PrintDefaults()
+	fmt.Fprintf(os.Stderr, `
+addlicense adds a Tailscale license to the beginning of file.
+
+It is intended for use with 'go generate', so it also runs a subcommand,
+which presumably creates the file.
+
+Sample usage:
+
+addlicense -file pull_strings.go stringer -type=pull
+`[1:])
+	os.Exit(2)
+}
+
+func main() {
+	flag.Usage = usage
+	flag.Parse()
+	if len(flag.Args()) == 0 {
+		flag.Usage()
+	}
+	cmd := exec.Command(flag.Arg(0), flag.Args()[1:]...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err := cmd.Run()
+	check(err)
+	b, err := os.ReadFile(*file)
+	check(err)
+	f, err := os.OpenFile(*file, os.O_TRUNC|os.O_WRONLY, 0644)
+	check(err)
+	_, err = fmt.Fprint(f, license)
+	check(err)
+	_, err = f.Write(b)
+	check(err)
+	err = f.Close()
+	check(err)
+}
+
+func check(err error) {
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+var license = `
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+`[1:]

cmd/checkmetrics/checkmetrics.go

@@ -1,131 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// checkmetrics validates that all metrics in the tailscale client-metrics
-// are documented in a given path or URL.
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"strings"
-	"time"
-
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tsnet"
-	"tailscale.com/tstest/integration/testcontrol"
-	"tailscale.com/util/httpm"
-)
-
-var (
-	kbPath = flag.String("kb-path", "", "filepath to the client-metrics knowledge base")
-	kbUrl  = flag.String("kb-url", "", "URL to the client-metrics knowledge base page")
-)
-
-func main() {
-	flag.Parse()
-	if *kbPath == "" && *kbUrl == "" {
-		log.Fatalf("either -kb-path or -kb-url must be set")
-	}
-
-	var control testcontrol.Server
-	ts := httptest.NewServer(&control)
-	defer ts.Close()
-
-	td, err := os.MkdirTemp("", "testcontrol")
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer os.RemoveAll(td)
-
-	// tsnet is used not used as a Tailscale client, but as a way to
-	// boot up Tailscale, have all the metrics registered, and then
-	// verifiy that all the metrics are documented.
-	tsn := &tsnet.Server{
-		Dir:        td,
-		Store:      new(mem.Store),
-		UserLogf:   log.Printf,
-		Ephemeral:  true,
-		ControlURL: ts.URL,
-	}
-	if err := tsn.Start(); err != nil {
-		log.Fatal(err)
-	}
-	defer tsn.Close()
-
-	log.Printf("checking that all metrics are documented, looking for: %s", tsn.Sys().UserMetricsRegistry().MetricNames())
-
-	if *kbPath != "" {
-		kb, err := readKB(*kbPath)
-		if err != nil {
-			log.Fatalf("reading kb: %v", err)
-		}
-		missing := undocumentedMetrics(kb, tsn.Sys().UserMetricsRegistry().MetricNames())
-
-		if len(missing) > 0 {
-			log.Fatalf("found undocumented metrics in %q: %v", *kbPath, missing)
-		}
-	}
-
-	if *kbUrl != "" {
-		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-		defer cancel()
-
-		kb, err := getKB(ctx, *kbUrl)
-		if err != nil {
-			log.Fatalf("getting kb: %v", err)
-		}
-		missing := undocumentedMetrics(kb, tsn.Sys().UserMetricsRegistry().MetricNames())
-
-		if len(missing) > 0 {
-			log.Fatalf("found undocumented metrics in %q: %v", *kbUrl, missing)
-		}
-	}
-}
-
-func readKB(path string) (string, error) {
-	b, err := os.ReadFile(path)
-	if err != nil {
-		return "", fmt.Errorf("reading file: %w", err)
-	}
-
-	return string(b), nil
-}
-
-func getKB(ctx context.Context, url string) (string, error) {
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, url, nil)
-	if err != nil {
-		return "", fmt.Errorf("creating request: %w", err)
-	}
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("getting kb page: %w", err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("unexpected status code: %d", resp.StatusCode)
-	}
-
-	b, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", fmt.Errorf("reading body: %w", err)
-	}
-	return string(b), nil
-}
-
-func undocumentedMetrics(b string, metrics []string) []string {
-	var missing []string
-	for _, metric := range metrics {
-		if !strings.Contains(b, metric) {
-			missing = append(missing, metric)
-		}
-	}
-	return missing
-}

cmd/cloner/cloner.go

@@ -47,7 +47,7 @@ func main() {
 	it := codegen.NewImportTracker(pkg.Types)
 	buf := new(bytes.Buffer)
 	for _, typeName := range typeNames {
-		typ, ok := namedTypes[typeName].(*types.Named)
+		typ, ok := namedTypes[typeName]
 		if !ok {
 			log.Fatalf("could not find type %s", typeName)
 		}
@@ -78,11 +78,7 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-	cloneOutput := pkg.Name + "_clone"
-	if *flagBuildTags == "test" {
-		cloneOutput += "_test"
-	}
-	cloneOutput += ".go"
+	cloneOutput := pkg.Name + "_clone.go"
 	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
 		log.Fatal(err)
 	}
@@ -95,27 +91,24 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	}
 
 	name := typ.Obj().Name()
-	typeParams := typ.Origin().TypeParams()
-	_, typeParamNames := codegen.FormatTypeParams(typeParams, it)
-	nameWithParams := name + typeParamNames
 	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
-	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", nameWithParams, nameWithParams)
+	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
 	writef := func(format string, args ...any) {
 		fmt.Fprintf(buf, "\t"+format+"\n", args...)
 	}
 	writef("if src == nil {")
 	writef("\treturn nil")
 	writef("}")
-	writef("dst := new(%s)", nameWithParams)
+	writef("dst := new(%s)", name)
 	writef("*dst = *src")
-	for i := range t.NumFields() {
+	for i := 0; i < t.NumFields(); i++ {
 		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
 		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
 			continue
 		}
-		if named, _ := codegen.NamedTypeOf(ft); named != nil {
+		if named, _ := ft.(*types.Named); named != nil {
 			if codegen.IsViewType(ft) {
 				writef("dst.%s = src.%s", fname, fname)
 				continue
@@ -133,23 +126,16 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
 				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
-					if codegen.ContainsPointers(ptr.Elem()) {
-						if _, isIface := ptr.Elem().Underlying().(*types.Interface); isIface {
-							it.Import("tailscale.com/types/ptr")
-							writef("\tdst.%s[i] = ptr.To((*src.%s[i]).Clone())", fname, fname)
-						} else {
-							writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
-						}
-					} else {
+					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
 						it.Import("tailscale.com/types/ptr")
+						writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
 						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
+						writef("}")
+					} else {
+						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
-					writef("}")
 				} else if ft.Elem().String() == "encoding/json.RawMessage" {
 					writef("\tdst.%s[i] = append(src.%s[i][:0:0], src.%s[i]...)", fname, fname, fname)
-				} else if _, isIface := ft.Elem().Underlying().(*types.Interface); isIface {
-					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -159,19 +145,14 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
 			}
 		case *types.Pointer:
-			base := ft.Elem()
-			hasPtrs := codegen.ContainsPointers(base)
-			if named, _ := codegen.NamedTypeOf(base); named != nil && hasPtrs {
+			if named, _ := ft.Elem().(*types.Named); named != nil && codegen.ContainsPointers(ft.Elem()) {
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
 			it.Import("tailscale.com/types/ptr")
 			writef("if dst.%s != nil {", fname)
-			if _, isIface := base.Underlying().(*types.Interface); isIface && hasPtrs {
-				writef("\tdst.%s = ptr.To((*src.%s).Clone())", fname, fname)
-			} else if !hasPtrs {
-				writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
-			} else {
+			writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
+			if codegen.ContainsPointers(ft.Elem()) {
 				writef("\t" + `panic("TODO pointers in pointers")`)
 			}
 			writef("}")
@@ -191,50 +172,18 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("if dst.%s != nil {", fname)
 				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
 				writef("\tfor k, v := range src.%s {", fname)
-
-				switch elem := elem.Underlying().(type) {
+				switch elem.(type) {
 				case *types.Pointer:
-					writef("\t\tif v == nil { dst.%s[k] = nil } else {", fname)
-					if base := elem.Elem().Underlying(); codegen.ContainsPointers(base) {
-						if _, isIface := base.(*types.Interface); isIface {
-							it.Import("tailscale.com/types/ptr")
-							writef("\t\t\tdst.%s[k] = ptr.To((*v).Clone())", fname)
-						} else {
-							writef("\t\t\tdst.%s[k] = v.Clone()", fname)
-						}
-					} else {
-						it.Import("tailscale.com/types/ptr")
-						writef("\t\t\tdst.%s[k] = ptr.To(*v)", fname)
-					}
-					writef("}")
-				case *types.Interface:
-					if cloneResultType := methodResultType(elem, "Clone"); cloneResultType != nil {
-						if _, isPtr := cloneResultType.(*types.Pointer); isPtr {
-							writef("\t\tdst.%s[k] = *(v.Clone())", fname)
-						} else {
-							writef("\t\tdst.%s[k] = v.Clone()", fname)
-						}
-					} else {
-						writef(`panic("%s (%v) does not have a Clone method")`, fname, elem)
-					}
+					writef("\t\tdst.%s[k] = v.Clone()", fname)
 				default:
 					writef("\t\tdst.%s[k] = *(v.Clone())", fname)
 				}
-
 				writef("\t}")
 				writef("}")
 			} else {
 				it.Import("maps")
 				writef("\tdst.%s = maps.Clone(src.%s)", fname, fname)
 			}
-		case *types.Interface:
-			// If ft is an interface with a "Clone() ft" method, it can be used to clone the field.
-			// This includes scenarios where ft is a constrained type parameter.
-			if cloneResultType := methodResultType(ft, "Clone"); cloneResultType.Underlying() == ft {
-				writef("dst.%s = src.%s.Clone()", fname, fname)
-				continue
-			}
-			writef(`panic("%s (%v) does not have a compatible Clone method")`, fname, ft)
 		default:
 			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}
@@ -242,7 +191,7 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")
 
-	buf.Write(codegen.AssertStructUnchanged(t, name, typeParams, "Clone", it))
+	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
 }
 
 // hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
@@ -254,15 +203,3 @@ func hasBasicUnderlying(typ types.Type) bool {
 		return false
 	}
 }
-
-func methodResultType(typ types.Type, method string) types.Type {
-	viewMethod := codegen.LookupMethod(typ, method)
-	if viewMethod == nil {
-		return nil
-	}
-	sig, ok := viewMethod.Type().(*types.Signature)
-	if !ok || sig.Results().Len() != 1 {
-		return nil
-	}
-	return sig.Results().At(0).Type()
-}

cmd/cloner/cloner_test.go

@@ -1,60 +1,60 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-package main
-
-import (
-	"reflect"
-	"testing"
-
-	"tailscale.com/cmd/cloner/clonerex"
-)
-
-func TestSliceContainer(t *testing.T) {
-	num := 5
-	examples := []struct {
-		name string
-		in   *clonerex.SliceContainer
-	}{
-		{
-			name: "nil",
-			in:   nil,
-		},
-		{
-			name: "zero",
-			in:   &clonerex.SliceContainer{},
-		},
-		{
-			name: "empty",
-			in: &clonerex.SliceContainer{
-				Slice: []*int{},
-			},
-		},
-		{
-			name: "nils",
-			in: &clonerex.SliceContainer{
-				Slice: []*int{nil, nil, nil, nil, nil},
-			},
-		},
-		{
-			name: "one",
-			in: &clonerex.SliceContainer{
-				Slice: []*int{&num},
-			},
-		},
-		{
-			name: "several",
-			in: &clonerex.SliceContainer{
-				Slice: []*int{&num, &num, &num, &num, &num},
-			},
-		},
-	}
-
-	for _, ex := range examples {
-		t.Run(ex.name, func(t *testing.T) {
-			out := ex.in.Clone()
-			if !reflect.DeepEqual(ex.in, out) {
-				t.Errorf("Clone() = %v, want %v", out, ex.in)
-			}
-		})
-	}
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+package main
+
+import (
+	"reflect"
+	"testing"
+
+	"tailscale.com/cmd/cloner/clonerex"
+)
+
+func TestSliceContainer(t *testing.T) {
+	num := 5
+	examples := []struct {
+		name string
+		in   *clonerex.SliceContainer
+	}{
+		{
+			name: "nil",
+			in:   nil,
+		},
+		{
+			name: "zero",
+			in:   &clonerex.SliceContainer{},
+		},
+		{
+			name: "empty",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{},
+			},
+		},
+		{
+			name: "nils",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{nil, nil, nil, nil, nil},
+			},
+		},
+		{
+			name: "one",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{&num},
+			},
+		},
+		{
+			name: "several",
+			in: &clonerex.SliceContainer{
+				Slice: []*int{&num, &num, &num, &num, &num},
+			},
+		},
+	}
+
+	for _, ex := range examples {
+		t.Run(ex.name, func(t *testing.T) {
+			out := ex.in.Clone()
+			if !reflect.DeepEqual(ex.in, out) {
+				t.Errorf("Clone() = %v, want %v", out, ex.in)
+			}
+		})
+	}
+}

cmd/cloner/clonerex/clonerex.go

@@ -3,7 +3,6 @@
 
 //go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type SliceContainer
 
-// Package clonerex is an example package for the cloner tool.
 package clonerex
 
 type SliceContainer struct {