[go] allow opt-in Tailscale ACLs for admin/view access#503
🤖 Version Bump Advisory
Warnings: ❌ Radar version unchanged - consider bumping version
New Features: ℹ️ New API handlers (2 handler(s)) - MINOR bump suggested
📖 See CHANGELOG.md for detailed guidelines. This is an automated advisory. Review the detected changes and update versions accordingly.
Pull request overview
This PR adds an opt-in authorisation layer for Tailscale-served HTTP access, using Tailscale capability grants to distinguish view (read-only) vs admin access, while keeping LAN/loopback behaviour unchanged by default.
Changes:
- Add a Tailscale peer-capability lookup surface (with short-TTL caching) to resolve a peer's `view`/`admin` grants.
- Add an API-layer auth gate + route classifier that applies to the entire HTTP mux (default-deny; view allowlists).
- Wire the feature behind a new `-ts-cap-enforcement=off|on` flag and document the operational model.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| internal/tailscale/peercaps.go | Implements peer capability lookup and short-TTL caches for peer identity and local prefixes. |
| internal/tailscale/peercaps_test.go | Unit tests for capability parsing and caching behaviours. |
| internal/tailscale/manager.go | Extends LocalClient with WhoIs and adds caches to the Manager. |
| internal/tailscale/manager_test.go | Updates test fake client to implement WhoIs. |
| internal/api/server.go | Adds route classification (view/admin/allowlist) and wraps the server handler with the auth gate. |
| internal/api/auth.go | New middleware implementing trust model, enforcement modes, and 403 JSON responses. |
| internal/api/auth_test.go | Unit + integration tests covering source classification, grant matrix, failure modes, and default-deny semantics. |
| docs/platform/operations/tailscale-remote-access.md | Updates ops documentation for capability grants, enforcement modes, and troubleshooting. |
| cmd/radar/radar.go | Adds -ts-cap-enforcement flag and wires SetAuthGate into server startup. |
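The trust model the review summarises (default-deny route classification, a view allowlist, grant lookup only for tailnet sources, LAN and loopback untouched) is easier to reason about as a single middleware. The following is an added example written for this page; it is not code from the PR or the radar project. It assumes a small route set (`/app` allowlisted, `GET /api/reports` view, everything else admin), uses Tailscale's published CGNAT and ULA ranges to decide whether a source is a tailnet peer, and replaces the project's `WhoIs` plus short-TTL cache with a `PeerAuth` interface and a fake holding two constructed peers. One deliberate difference from the PR's documented model: this gate fails closed on every lookup error, including transient ones.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"strings"
)

// Cap is the grant a route needs; anything unclassified needs CapAdmin (default-deny).
type Cap int
const CapView, CapAdmin Cap = 0, 1
// ErrPeerNotFound: the tailnet has no peer for the source IP; the gate fails closed on it.
var ErrPeerNotFound = errors.New("tailnet: no peer for source ip")
// PeerAuth resolves a peer's grants. Assumption: the project backs this with
// LocalClient.WhoIs behind a short-TTL cache; a fake keeps the example offline.
type PeerAuth interface {
	PeerRoles(ctx context.Context, ip netip.Addr) (view, admin bool, err error)
}
// Tailscale's published ranges (CGNAT IPv4, IPv6 ULA). Dropping the v6 prefix
// would let v6 tailnet peers through as "LAN" with admin.
var tailnet4, tailnet6 = netip.MustParsePrefix("100.64.0.0/10"), netip.MustParsePrefix("fd7a:115c:a1e0::/48")
func isTailnetIP(ip netip.Addr) bool { return tailnet4.Contains(ip.Unmap()) || tailnet6.Contains(ip) }

// classifyRoute uses an assumed route set: UI shell allowlisted, report reads need view,
// everything else admin. Bare "/app" and "/api/reports" are listed alongside their slash
// forms because the gate runs before ServeMux's trailing-slash redirect.
func classifyRoute(method, path string) (need Cap, allowlisted bool) {
	switch {
	case path == "/app" || strings.HasPrefix(path, "/app/"):
		return CapView, true
	case (method == http.MethodGet || method == http.MethodHead) &&
		(path == "/api/reports" || strings.HasPrefix(path, "/api/reports/")):
		return CapView, false
	}
	return CapAdmin, false
}

// Gate wraps the whole mux. Mode "off" (default) passes everything through; "on"
// applies the grant matrix to tailnet sources only.
type Gate struct {
	Mode  string
	Peers PeerAuth
	Next  http.Handler
}
func deny(w http.ResponseWriter, reason string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusForbidden)
	json.NewEncoder(w).Encode(map[string]string{"error": "forbidden", "reason": reason})
}

func (g *Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	need, open := classifyRoute(r.Method, r.URL.Path)
	if g.Mode != "on" || open {
		g.Next.ServeHTTP(w, r)
		return
	}
	src, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		deny(w, "unparseable remote address")
		return
	}
	if !isTailnetIP(src.Addr()) { // loopback and LAN keep admin, unchanged by this feature
		g.Next.ServeHTTP(w, r)
		return
	}
	view, admin, err := g.Peers.PeerRoles(r.Context(), src.Addr())
	switch {
	case err != nil: // fails closed on any lookup error; the PR documents fail-open for transient ones
		deny(w, "peer lookup failed: "+err.Error())
	case admin || (need == CapView && view):
		g.Next.ServeHTTP(w, r)
	default:
		deny(w, "missing grant for route")
	}
}

// fakePeers maps source IP -> {view, admin}; unknown IPs yield ErrPeerNotFound.
type fakePeers map[netip.Addr][2]bool
func (f fakePeers) PeerRoles(_ context.Context, ip netip.Addr) (bool, bool, error) {
	if r, ok := f[ip]; ok {
		return r[0], r[1], nil
	}
	return false, false, ErrPeerNotFound
}

// newDemoGate: an "on" gate over a mux with one route per class and two constructed
// peers, 100.64.0.5 holding view only and 100.64.0.9 holding admin.
func newDemoGate() *Gate {
	ok := func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }
	mux := http.NewServeMux()
	for _, p := range []string{"/app/", "/api/reports/", "/api/settings"} {
		mux.HandleFunc(p, ok)
	}
	peers := fakePeers{netip.MustParseAddr("100.64.0.5"): {true, false}, netip.MustParseAddr("100.64.0.9"): {true, true}}
	return &Gate{Mode: "on", Peers: peers, Next: mux}
}

// probe returns the status code the gate produces for one request.
func probe(g *Gate, method, path, remote string) int {
	req := httptest.NewRequest(method, path, nil)
	req.RemoteAddr = remote
	rec := httptest.NewRecorder()
	g.ServeHTTP(rec, req)
	return rec.Code
}
```

Two checks are worth running against any gate of this shape: a bare `GET /app` from an unknown peer must come back as the mux's 301 redirect, not a 403 (the allowlist has to cover the slash-less path because the gate sees the request before ServeMux does), and an unparseable `RemoteAddr` must deny rather than fall through the "not a tailnet IP, so LAN" branch with admin.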
Codecov Report: ❌ Patch coverage is
Force-pushed from 234f34f to 3639adc.
Extend the Tailscale serve integration to optionally consume Tailscale capability grants and use these to create admin and view roles for accessing the web UI with the latter being restricted from changing device settings. LAN access is unaffected and retains admin privileges to all endpoints.
Five fixes from the Copilot review on #503:

1. Allowlist bare /app and view-gate bare /api/reports. The auth wrapper runs before the ServeMux trailing-slash redirect, so a request to /app or /api/reports would hit default-deny CapAdmin and 403 view-only peers instead of redirecting to the trailing-slash sibling.
2. Narrow isPeerNotFound to match only "no match for IP". The previous substring set ("not found", "404") caught generic transport errors and reported them as ErrPeerNotFound, which made the api layer fail closed (403) on a transient lookup blip instead of failing open as documented.
3. Remove the ineffective LocalTailnetPrefixes fallback in isTailnetIP. The method returned /32 and /128 prefixes for *this* node's own Tailscale IPs, so the fallback loop could only ever match the node's own address, never a remote peer. The method, the prefix cache, and the related fakePeerAuth wiring are removed; isTailnetIP and classifySource are simplified to drop the now-unused ctx/gate parameters.
4. Log "auth: capability enforcement armed (mode=on)" at SetAuthGate when EnforcementOn is the effective mode. The troubleshooting doc instructed operators to grep journald for this line but no such line was emitted.

Test updates: route-classifier tests now cover bare /app and /api/reports, peercaps tests assert that transient errors containing "not found"/"404" are not misclassified, and the now-defunct TestLocalTailnetPrefixes_Cached is removed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
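Fix 2 above is the kind of bug that only shows up under load: a substring matcher that treats any "not found" or "404" as a definitive peer miss turns a tailscaled socket hiccup into the wrong branch of the fail-open/fail-closed decision. The example below is added for this page and is not the PR's code. It assumes a `whoIsFunc` standing in for `LocalClient.WhoIs`, takes "no match for IP" as the only definitive-miss marker (the string the commit message quotes), and uses constructed error strings for the transport failures; it wraps the miss in a sentinel so the API layer can use `errors.Is` instead of re-parsing text.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// ErrPeerNotFound means tailscaled definitively has no peer for the IP; the gate fails closed on it.
var ErrPeerNotFound = errors.New("tailnet: no peer for source ip")

// Outcome is what the API layer does with a lookup result.
type Outcome string

const (
	OutcomeGranted   Outcome = "granted"
	OutcomeDeny      Outcome = "deny"      // definitive miss: 403
	OutcomeTransient Outcome = "transient" // lookup blip: the PR documents failing open here
)

// whoIsFunc stands in for LocalClient.WhoIs (an assumption for this example) and
// returns the role strings carried by the peer's capability grant.
type whoIsFunc func(ctx context.Context, ip netip.Addr) ([]string, error)

// isPeerNotFound matches only the message tailscaled returns for an IP that maps to
// no peer, "no match for IP" (quoted from the fix commit). The broad substrings
// "not found" and "404" also occur in transport errors and must not count as a miss.
func isPeerNotFound(err error) bool {
	return err != nil && strings.Contains(err.Error(), "no match for IP")
}

// resolvePeer wraps the WhoIs error so callers can tell the two cases apart with
// errors.Is, and parses the roles when the lookup succeeds.
func resolvePeer(ctx context.Context, who whoIsFunc, ip netip.Addr) (view, admin bool, err error) {
	roles, err := who(ctx, ip)
	switch {
	case isPeerNotFound(err):
		return false, false, fmt.Errorf("%w: %v", ErrPeerNotFound, err)
	case err != nil:
		return false, false, fmt.Errorf("peer lookup: %w", err)
	}
	for _, r := range roles {
		view = view || r == "view"
		admin = admin || r == "admin"
	}
	return view, admin, nil
}

// outcomeOf is the API layer's decision table for a resolvePeer error.
func outcomeOf(err error) Outcome {
	switch {
	case err == nil:
		return OutcomeGranted
	case errors.Is(err, ErrPeerNotFound):
		return OutcomeDeny
	}
	return OutcomeTransient
}

// fakeWhoIs returns constructed responses: one real peer, one definitive miss, and two
// transport failures whose text carries the substrings the old matcher tripped on.
func fakeWhoIs(_ context.Context, ip netip.Addr) ([]string, error) {
	switch ip.String() {
	case "100.64.0.5":
		return []string{"view"}, nil
	case "100.64.0.77":
		return nil, errors.New("no match for IP")
	case "100.64.0.88": // constructed: socket unreachable, contains "not found"-like wording
		return nil, errors.New("dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory")
	}
	return nil, errors.New("localapi: 404 page not found") // constructed: HTTP-level 404 from a proxy or mismatched daemon
}

// decide runs one lookup end to end and returns the outcome plus the parsed roles.
func decide(ip string) (Outcome, bool, bool) {
	view, admin, err := resolvePeer(context.Background(), fakeWhoIs, netip.MustParseAddr(ip))
	return outcomeOf(err), view, admin
}
```

Whichever way the transient branch is resolved (the PR documents fail-open; a stricter deployment may prefer fail-closed), the point is that the two branches are distinguishable by the sentinel and not by whether "404" happens to appear in an error message.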
Force-pushed from 3639adc to aaca216.
Extend the Tailscale serve integration to optionally consume Tailscale capability grants and use these to create admin and view roles for accessing the web UI with the latter being restricted from changing device settings.
LAN access is unaffected and retains admin privileges to all endpoints.