feat: use LocalAPI for Tailscale config changes instead of exec (#33)

* feat: add initial local-api support

* fix: authURL requires POST

* feat: move config page to LocalAPI

* feat: use localAPI for lock

* feat: use localAPI for watcher

Author: dkaser

src/usr/local/emhttp/plugins/tailscale/approve-nodes.php

@@ -1,9 +1,13 @@
 #!/usr/bin/php -q
 <?php
 
+namespace Tailscale;
+
 require_once "include/common.php";
 
+$localAPI = new LocalAPI();
+
 foreach (array_slice($argv, 1) as $key => $value) {
-    Tailscale\Utils::logmsg("Tailnet lock: signing {$value}");
-    exec("tailscale lock sign {$value}");
+    Utils::logmsg("Tailnet lock: signing {$value}");
+    $localAPI->postTkaSign($value);
 }

src/usr/local/emhttp/plugins/tailscale/include/Pages/Tailscale.php

@@ -54,6 +54,12 @@ function showTailscaleConfig() {
     var res = await $.post('/plugins/tailscale/include/data/Config.php',{action: 'set-feature', feature: feature, enable: enable});
     showTailscaleConfig();
 }
+async function setAdvertiseExitNode(enable) {
+    $('div.spinner.fixed').show('fast');
+    tailscaleControlsDisabled(true);
+    var res = await $.post('/plugins/tailscale/include/data/Config.php',{action: 'set-advertise-exit-node', enable: enable});
+    showTailscaleConfig();
+}
 async function tailscaleUp() {
   $('div.spinner.fixed').show('fast');
   tailscaleControlsDisabled(true);
@@ -70,7 +76,6 @@ function showTailscaleConfig() {
     var res = await $.post('/plugins/tailscale/include/data/Config.php',{action: 'exit-node', node: $('#exitNodeSelect').val()});
     showTailscaleConfig();
 }
-
 async function removeTailscaleRoute(route) {
     $('div.spinner.fixed').show('fast');
     tailscaleControlsDisabled(true);

src/usr/local/emhttp/plugins/tailscale/include/Tailscale/Info.php

@@ -7,6 +7,7 @@ class Info
     private string $useNetbios;
     private string $smbEnabled;
     private Translator $tr;
+    private LocalAPI $localAPI;
     private \stdClass $status;
     private \stdClass $prefs;
     private \stdClass $lock;
@@ -16,30 +17,29 @@ public function __construct(Translator $tr)
         $share_config = parse_ini_file("/boot/config/share.cfg") ?: array();
         $ident_config = parse_ini_file("/boot/config/ident.cfg") ?: array();
 
+        $this->localAPI = new LocalAPI();
+
         $this->tr         = $tr;
         $this->smbEnabled = $share_config['shareSMBEnabled'] ?? "";
         $this->useNetbios = $ident_config['USE_NETBIOS']     ?? "";
-        $this->status     = self::getStatus();
-        $this->prefs      = self::getPrefs();
-        $this->lock       = self::getLock();
+        $this->status     = $this->localAPI->getStatus();
+        $this->prefs      = $this->localAPI->getPrefs();
+        $this->lock       = $this->localAPI->getTkaStatus();
     }
 
-    public static function getStatus(): \stdClass
+    public function getStatus(): \stdClass
     {
-        exec("tailscale status --json", $out_status);
-        return (object) json_decode(implode($out_status));
+        return $this->status;
     }
 
-    public static function getPrefs(): \stdClass
+    public function getPrefs(): \stdClass
     {
-        exec("tailscale debug prefs", $out_prefs);
-        return (object) json_decode(implode($out_prefs));
+        return $this->prefs;
     }
 
-    public static function getLock(): \stdClass
+    public function getLock(): \stdClass
     {
-        exec("tailscale lock status -json=true", $out_status);
-        return (object) json_decode(implode($out_status));
+        return $this->lock;
     }
 
     private function tr(string $message): string
@@ -381,7 +381,7 @@ public function getExitNodes(): array
                 if (isset($status->Location->City)) {
                     $nodeName .= " (" . $status->Location->City . ")";
                 }
-                $exitNodes[$status->DNSName] = $nodeName;
+                $exitNodes[$status->ID] = $nodeName;
             }
         }
 
@@ -392,7 +392,7 @@ public function getCurrentExitNode(): string
     {
         foreach ($this->status->Peer as $node => $status) {
             if ($status->ExitNode ?? false) {
-                return $status->DNSName;
+                return $status->ID;
             }
         }
 

src/usr/local/emhttp/plugins/tailscale/include/Tailscale/LocalAPI.php

@@ -0,0 +1,82 @@
+<?php
+
+namespace Tailscale;
+
+enum APIMethods
+{
+    case GET;
+    case POST;
+    case PATCH;
+}
+
+class LocalAPI
+{
+    private string $tailscaleSocket = '/var/run/tailscale/tailscaled.sock';
+
+    private function tailscaleLocalAPI(string $url, APIMethods $method = APIMethods::GET, object $body = new \stdClass()): string
+    {
+        $ch = curl_init();
+
+        $headers = [];
+
+        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
+        curl_setopt($ch, CURLOPT_UNIX_SOCKET_PATH, $this->tailscaleSocket);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_URL, "http://local-tailscaled.sock/localapi/{$url}");
+
+        if ($method == APIMethods::POST) {
+            curl_setopt($ch, CURLOPT_POST, true);
+            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
+            Utils::logmsg("Tailscale Local API: {$url} POST " . json_encode($body));
+            $headers[] = "Content-Type: application/json";
+        }
+
+        if ($method == APIMethods::PATCH) {
+            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PATCH');
+            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
+            Utils::logmsg("Tailscale Local API: {$url} PATCH " . json_encode($body));
+            $headers[] = "Content-Type: application/json";
+        }
+
+        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+
+        $out = curl_exec($ch) ?: false;
+        curl_close($ch);
+        return strval($out);
+    }
+
+    public function getStatus(): \stdClass
+    {
+        return (object) json_decode($this->tailscaleLocalAPI('v0/status'));
+    }
+
+    public function getPrefs(): \stdClass
+    {
+        return (object) json_decode($this->tailscaleLocalAPI('v0/prefs'));
+    }
+
+    public function getTkaStatus(): \stdClass
+    {
+        return (object) json_decode($this->tailscaleLocalAPI('v0/tka/status'));
+    }
+
+    public function postLoginInteractive(): void
+    {
+        $this->tailscaleLocalAPI('v0/login-interactive', APIMethods::POST);
+    }
+
+    public function patchPref(string $key, mixed $value): void
+    {
+        $body              = [];
+        $body[$key]        = $value;
+        $body["{$key}Set"] = true;
+
+        $this->tailscaleLocalAPI('v0/prefs', APIMethods::PATCH, (object) $body);
+    }
+
+    public function postTkaSign(string $key): void
+    {
+        $body = ["NodeKey" => $key];
+        $this->tailscaleLocalAPI("v0/tka/sign", APIMethods::POST, (object) $body);
+    }
+}

src/usr/local/emhttp/plugins/tailscale/include/Tailscale/System.php

@@ -137,7 +137,8 @@ public static function applyGRO(): void
 
     public static function notifyOnKeyExpiration(): void
     {
-        $status = Info::getStatus();
+        $localAPI = new LocalAPI();
+        $status   = $localAPI->getStatus();
 
         if (isset($status->Self->KeyExpiry)) {
             $expiryTime = new \DateTime($status->Self->KeyExpiry);
@@ -173,7 +174,8 @@ public static function notifyOnKeyExpiration(): void
 
     public static function refreshWebGuiCert(bool $restartIfChanged = true): void
     {
-        $status = Info::getStatus();
+        $localAPI = new LocalAPI();
+        $status   = $localAPI->getStatus();
 
         $certDomains = $status->CertDomains;
 
@@ -262,21 +264,23 @@ public static function setExtraInterface(Config $config): void
         }
     }
 
-    private static function disableTailscaleFeature(bool $allow, string $flag): void
+    private static function disableTailscaleFeature(LocalAPI $localAPI, bool $allow, string $flag): void
     {
         if ($allow) {
             Utils::logmsg("Ignoring {$flag}");
         } else {
-            Utils::run_command("/usr/local/sbin/tailscale set {$flag}=false");
+            $localAPI->patchPref($flag, false);
         }
     }
 
     public static function applyTailscaleConfig(Config $config): void
     {
-        self::disableTailscaleFeature($config->AllowRoutes, '--accept-routes');
-        self::disableTailscaleFeature($config->AllowDNS, '--accept-dns');
+        $localAPI = new LocalAPI();
 
-        self::disableTailscaleFeature(false, '--stateful-filtering');
+        self::disableTailscaleFeature($localAPI, $config->AllowRoutes, 'RouteAll');
+        self::disableTailscaleFeature($localAPI, $config->AllowDNS, 'CorpDNS');
+
+        $localAPI->patchPref('NoStatefulFiltering', true);
     }
 
     public static function createTailscaledParamsFile(Config $config): void

src/usr/local/emhttp/plugins/tailscale/include/Tailscale/Utils.php

@@ -76,7 +76,7 @@ public static function sendUsageData(Config $config): void
 
             $tailscaleInfo = new Info(new Translator());
 
-            $prefs = Info::getPrefs();
+            $prefs = $tailscaleInfo->getPrefs();
             if (isset($prefs->LoggedOut) ? ($prefs->LoggedOut ? true : false) : true) {
                 Utils::logmsg("Skipping usage data collection; not logged in.");
                 return;
@@ -251,4 +251,12 @@ public static function validateCidr(string $cidr): bool
 
         return false;
     }
+
+    /**
+     * @return array<string>
+     */
+    public static function getExitRoutes(): array
+    {
+        return ["0.0.0.0/0", "::/0"];
+    }
 }

src/usr/local/emhttp/plugins/tailscale/include/Tailscale/Watcher.php

@@ -42,8 +42,9 @@ public function run(): void
                     Utils::logmsg("Tailscale IP detected, applying configuration");
                     $need_ip = false;
 
-                    $status = Info::getStatus();
-                    $tsName = $status->Self->DNSName;
+                    $localAPI = new LocalAPI();
+                    $status   = $localAPI->getStatus();
+                    $tsName   = $status->Self->DNSName;
 
                     Utils::run_task('Tailscale\System::applyTailscaleConfig', array($this->config));
                     Utils::run_task('Tailscale\System::applyGRO');
@@ -55,7 +56,8 @@ public function run(): void
 
                 // Watch for changes to the DNS name (e.g., if someone changes the tailnet name or the Tailscale name of the server via the admin console)
                 // If a change happens, refresh the Tailscale WebGUI certificate
-                $status    = Info::getStatus();
+                $localAPI  = new LocalAPI();
+                $status    = $localAPI->getStatus();
                 $newTsName = $status->Self->DNSName;
 
                 if ($newTsName != $tsName) {