tsrelay: break up routes into their own files (#112)

Our `main.go` is over 700 lines of code. This PR breaks up our routes
into their own files/package so that future tests and work can be easier
to handle.

Author: marwan-at-work

go.mod

@@ -3,6 +3,7 @@ module github.com/tailscale-dev/vscode-tailscale
 go 1.20
 
 require (
+	github.com/go-chi/chi/v5 v5.0.10
 	github.com/gorilla/websocket v1.5.0
 	github.com/mitchellh/go-ps v1.0.0
 	golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df

go.sum

@@ -10,6 +10,8 @@ github.com/cilium/ebpf v0.10.0 h1:nk5HPMeoBXtOzbkZBWym+ZWq1GIiHUsBFXxwewXAHLQ=
 github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
 github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
 github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
+github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
@@ -18,8 +20,6 @@ github.com/hdevalence/ed25519consensus v0.1.0 h1:jtBwzzcHuTmFrQN6xQZn6CQEO/V9f7H
 github.com/hdevalence/ed25519consensus v0.1.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
-github.com/jsimonetti/rtnetlink v1.3.2 h1:dcn0uWkfxycEEyNy0IGfx3GrhQ38LH7odjxAghimsVI=
-github.com/jsimonetti/rtnetlink v1.3.2/go.mod h1:BBu4jZCpTjP6Gk0/wfrO8qcqymnN3g0hoFqObRmUo6U=
 github.com/jsimonetti/rtnetlink v1.3.3 h1:ycpm3z8XlAzmaacVRjdUT3x6MM1o3YBXsXc7DXSRNCE=
 github.com/jsimonetti/rtnetlink v1.3.3/go.mod h1:mW4xSP3wkiqWxHMlfG/gOufp3XnhAxu7EhfABmrWSh8=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -37,42 +37,24 @@ go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H
 go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35 h1:nJAwRlGWZZDOD+6wni9KVUNHMpHko/OnRwsrCYeAzPo=
 go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y=
-golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
-golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
-golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 h1:5llv2sWeaMSnA3w2kS57ouQQ4pudlXrR0dCgw51QK9o=
-golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df h1:UA2aFVmmsIlefxMk29Dp2juaUSth8Pyn3Tq5Y5mJGME=
 golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
-golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
-golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
 golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
 golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
 golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
-golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
 golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
-tailscale.com v1.1.1-0.20230607142209-f8f0b981ac9c h1:w69HAs+pB67hX+o3pvP7RSnOU8CaiPY9s1XkqwXkBaU=
-tailscale.com v1.1.1-0.20230607142209-f8f0b981ac9c/go.mod h1:1t0LGzRAX3TBG4k5XtXaAEmYxKnx6b2k18m7j71G3Po=
 tailscale.com v1.44.0 h1:MPos9n30kJvdyfL52045gVFyNg93K+bwgDsr8gqKq2o=
 tailscale.com v1.44.0/go.mod h1:+iYwTdeHyVJuNDu42Zafwihq1Uqfh+pW7pRaY1GD328=

tsrelay/handler/auth_middleware.go

@@ -0,0 +1,32 @@
+package handler
+
+import "net/http"
+
+func (h *handler) authMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		user, _, ok := r.BasicAuth()
+
+		// TODO: consider locking down to vscode-webviews://* URLs by checking
+		// r.Header.Get("Origin") only in production builds.
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+
+		if r.Method == http.MethodOptions {
+			// Handle preflight request
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		if !ok {
+			w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
+		}
+
+		if user != h.nonce {
+			// TODO: return JSON for all errors
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}

tsrelay/handler/create_serve.go

@@ -0,0 +1,123 @@
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+)
+
+type serveRequest struct {
+	Protocol   string
+	Source     string
+	Port       uint16
+	MountPoint string
+	Funnel     bool
+}
+
+func (h *handler) createServeHandler(w http.ResponseWriter, r *http.Request) {
+	if err := h.createServe(r.Context(), r.Body); err != nil {
+		var re RelayError
+		if errors.As(err, &re) {
+			w.WriteHeader(re.statusCode)
+			json.NewEncoder(w).Encode(re)
+			return
+		}
+		h.l.Println("error creating serve:", err)
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	w.Write([]byte(`{}`))
+}
+
+// createServe is the programtic equivalent of "tailscale serve --set-raw"
+// it returns the config as json in case of an error.
+func (h *handler) createServe(ctx context.Context, body io.Reader) error {
+	var req serveRequest
+	err := json.NewDecoder(body).Decode(&req)
+	if err != nil {
+		return fmt.Errorf("error decoding request body: %w", err)
+	}
+	if req.Protocol != "https" {
+		return fmt.Errorf("unsupported protocol: %q", req.Protocol)
+	}
+	sc, dns, err := h.serveConfigDNS(ctx)
+	if err != nil {
+		return fmt.Errorf("error getting config: %w", err)
+	}
+	hostPort := ipn.HostPort(fmt.Sprintf("%s:%d", dns, req.Port))
+	setHandler(sc, hostPort, req)
+	if req.Funnel {
+		if sc.AllowFunnel == nil {
+			sc.AllowFunnel = make(map[ipn.HostPort]bool)
+		}
+		sc.AllowFunnel[hostPort] = true
+	} else {
+		delete(sc.AllowFunnel, hostPort)
+	}
+	err = h.setServeCfg(ctx, sc)
+	if err != nil {
+		if tailscale.IsAccessDeniedError(err) {
+			cfgJSON, err := json.Marshal(sc)
+			if err != nil {
+				return fmt.Errorf("error marshaling own config: %w", err)
+			}
+			re := RelayError{
+				statusCode: http.StatusForbidden,
+				Errors: []Error{{
+					Type:    RequiresSudo,
+					Command: fmt.Sprintf(`echo %s | sudo tailscale serve --set-raw`, cfgJSON),
+				}},
+			}
+			return re
+		}
+		if err != nil {
+			return fmt.Errorf("error marshaling config: %w", err)
+		}
+		return fmt.Errorf("error setting serve config: %w", err)
+	}
+	return nil
+}
+
+func (h *handler) serveConfigDNS(ctx context.Context) (*ipn.ServeConfig, string, error) {
+	st, sc, err := h.getConfigs(ctx)
+	if err != nil {
+		return nil, "", fmt.Errorf("error getting configs: %w", err)
+	}
+	if sc == nil {
+		sc = &ipn.ServeConfig{}
+	}
+	dns := strings.TrimSuffix(st.Self.DNSName, ".")
+	return sc, dns, nil
+}
+
+func setHandler(sc *ipn.ServeConfig, newHP ipn.HostPort, req serveRequest) {
+	if sc.TCP == nil {
+		sc.TCP = make(map[uint16]*ipn.TCPPortHandler)
+	}
+	if _, ok := sc.TCP[req.Port]; !ok {
+		sc.TCP[req.Port] = &ipn.TCPPortHandler{
+			HTTPS: true,
+		}
+	}
+	if sc.Web == nil {
+		sc.Web = make(map[ipn.HostPort]*ipn.WebServerConfig)
+	}
+	wsc, ok := sc.Web[newHP]
+	if !ok {
+		wsc = &ipn.WebServerConfig{}
+		sc.Web[newHP] = wsc
+	}
+	if wsc.Handlers == nil {
+		wsc.Handlers = make(map[string]*ipn.HTTPHandler)
+	}
+	wsc.Handlers[req.MountPoint] = &ipn.HTTPHandler{
+		Proxy: req.Source,
+	}
+}

tsrelay/handler/delete_serve.go

@@ -0,0 +1,94 @@
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+
+	"tailscale.com/ipn"
+)
+
+func (h *handler) deleteServeHandler(w http.ResponseWriter, r *http.Request) {
+	if err := h.deleteServe(r.Context(), r.Body); err != nil {
+		var re RelayError
+		if errors.As(err, &re) {
+			w.WriteHeader(re.statusCode)
+			json.NewEncoder(w).Encode(re)
+			return
+		}
+		h.l.Println("error deleting serve:", err)
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	w.Write([]byte(`{}`))
+}
+
+func (h *handler) deleteServe(ctx context.Context, body io.Reader) error {
+	var req serveRequest
+	if body != nil && body != http.NoBody {
+		err := json.NewDecoder(body).Decode(&req)
+		if err != nil {
+			return fmt.Errorf("error decoding request body: %w", err)
+		}
+	}
+
+	// reset serve config if no request body
+	if (req == serveRequest{}) {
+		sc := &ipn.ServeConfig{}
+		err := h.setServeCfg(ctx, sc)
+		if err != nil {
+			return fmt.Errorf("error setting serve config: %w", err)
+		}
+		return nil
+	}
+
+	if req.Protocol != "https" {
+		return fmt.Errorf("unsupported protocol: %q", req.Protocol)
+	}
+	sc, dns, err := h.serveConfigDNS(ctx)
+	if err != nil {
+		return fmt.Errorf("error getting config: %w", err)
+	}
+	hostPort := ipn.HostPort(fmt.Sprintf("%s:%d", dns, req.Port))
+	deleteFromConfig(sc, hostPort, req)
+	delete(sc.AllowFunnel, hostPort)
+	if len(sc.AllowFunnel) == 0 {
+		sc.AllowFunnel = nil
+	}
+	err = h.setServeCfg(ctx, sc)
+	if err != nil {
+		return fmt.Errorf("error setting serve config: %w", err)
+	}
+	return nil
+}
+
+func deleteFromConfig(sc *ipn.ServeConfig, newHP ipn.HostPort, req serveRequest) {
+	delete(sc.AllowFunnel, newHP)
+	if sc.TCP != nil {
+		delete(sc.TCP, req.Port)
+	}
+	if sc.Web == nil {
+		return
+	}
+	if sc.Web[newHP] == nil {
+		return
+	}
+	wsc, ok := sc.Web[newHP]
+	if !ok {
+		return
+	}
+	if wsc.Handlers == nil {
+		return
+	}
+	_, ok = wsc.Handlers[req.MountPoint]
+	if !ok {
+		return
+	}
+	delete(wsc.Handlers, req.MountPoint)
+	if len(wsc.Handlers) == 0 {
+		delete(sc.Web, newHP)
+	}
+}

tsrelay/handler/error.go

@@ -0,0 +1,45 @@
+package handler
+
+// ErrorTypes for signaling
+// invalid states to the VSCode
+// extension.
+const (
+	// FunnelOff means the user does not have
+	// funnel in their ACLs.
+	FunnelOff = "FUNNEL_OFF"
+	// HTTPSOff means the user has not enabled
+	// https in the DNS section of the UI
+	HTTPSOff = "HTTPS_OFF"
+	// Offline can mean a user is not logged in
+	// or is logged in but their key has expired.
+	Offline = "OFFLINE"
+	// RequiresSudo for when LocalBackend is run
+	// with sudo but tsrelay is not
+	RequiresSudo = "REQUIRES_SUDO"
+	// NotRunning indicates tailscaled is
+	// not running
+	NotRunning = "NOT_RUNNING"
+	// FlatpakRequiresRestart indicates that the flatpak
+	// container needs to be fully restarted
+	FlatpakRequiresRestart = "FLATPAK_REQUIRES_RESTART"
+)
+
+// RelayError is a wrapper for Error
+type RelayError struct {
+	statusCode int
+	Errors     []Error
+}
+
+// Error implements error. It returns a
+// static string as it is only needed to be
+// used for programatic type assertion.
+func (RelayError) Error() string {
+	return "relay error"
+}
+
+// Error is a programmable error returned
+// to the typescript client
+type Error struct {
+	Type    string `json:",omitempty"`
+	Command string `json:",omitempty"`
+}