client/tailscale,ipn/ipn{local,server},util/syspolicy: implement the AlwaysOn.OverrideWithReason policy setting - tailscale - The easiest, most secure way to use WireGuard and 2FA

diff options

author	Nick Khyl <nickk@tailscale.com>	2025-01-31 16:14:13 -0600
committer	Nick Khyl <1761190+nickkhyl@users.noreply.github.com>	2025-02-01 13:34:45 -0600
commit	d8324674610231c36dc010854e82f0c087637df1 (patch)
tree	8941011a6574dbb46e85266358283ef339e4297f /control/controlhttp/controlhttpserver/controlhttpserver.go
parent	2c02f712d1961b1260fcdf488d7971d7c833fabe (diff)
download	tailscale-d8324674610231c36dc010854e82f0c087637df1.tar.xz tailscale-d8324674610231c36dc010854e82f0c087637df1.zip

client/tailscale,ipn/ipn{local,server},util/syspolicy: implement the AlwaysOn.OverrideWithReason policy setting

In this PR, we update client/tailscale.LocalClient to allow sending requests with an optional X-Tailscale-Reason header. We then update ipn/ipnserver.{actor,Server} to retrieve this reason, if specified, and use it to determine whether ipnauth.Disconnect is allowed when the AlwaysOn.OverrideWithReason policy setting is enabled. For now, we log the reason, along with the profile and OS username, to the backend log. Finally, we update LocalBackend to remember when a disconnect was permitted and do not reconnect automatically unless the policy changes. Updates tailscale/corp#26146 Signed-off-by: Nick Khyl <nickk@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: