feat: add reauthentication (#36)

Author: dkaser

src/usr/local/emhttp/plugins/tailscale/include/Pages/Info.php

@@ -32,6 +32,7 @@
 echo Utils::printRow($tr->tr("info.key_expire"), $tailscaleStatusInfo->KeyExpiration);
 echo Utils::printRow($tr->tr("info.tags"), $tailscaleStatusInfo->Tags);
 echo Utils::printRow("{$lockTranslate}: " . $tr->tr("enabled"), $tailscaleStatusInfo->LockEnabled);
+echo Utils::printRow($tr->tr("info.connected_via"), $tailscaleInfo->connectedViaTS() ? $tr->tr("yes") : $tr->tr("no"));
 
 if ($tailscaleStatusInfo->LockInfo != null) {
     echo Utils::printRow("{$lockTranslate}: " . $tr->tr("info.lock.signed"), $tailscaleStatusInfo->LockInfo->LockSigned);

src/usr/local/emhttp/plugins/tailscale/include/Pages/Settings.php

@@ -9,7 +9,20 @@
     echo("Missing required WebGUI variables");
     return;
 }
+
+// Used to disable buttons that should not be used over Tailscale since the connection will break.
+// (erase config, reauth, etc.)
+$tailscaleDisconnect = " disabled";
+
+if ($tailscaleConfig->Enable) {
+    $tailscaleInfo = $tailscaleInfo ?? new Info($tr);
+    if ( ! $tailscaleInfo->connectedViaTS()) {
+        $tailscaleDisconnect = "";
+    }
+}
+
 ?>
+
 <link type="text/css" rel="stylesheet" href="<?= Utils::auto_v('/webGui/styles/jquery.filetree.css');?>">
 <link type="text/css" rel="stylesheet" href="<?= Utils::auto_v('/webGui/styles/jquery.switchbutton.css');?>">
 <span class="status vhshift"><input type="checkbox" class="advancedview"></span>
@@ -157,14 +170,23 @@
 <?php } ?>
 
 <div class="advanced">
+<h3><?= $tr->tr("settings.reauthenticate"); ?></h3>
+
+<dl>
+    <dt><?= $tr->tr("settings.context.reauthenticate"); ?></dt>
+    <dd>
+        <input type="button" value="<?= $tr->tr('settings.reauthenticate'); ?>" onclick="expireTailscaleKeyNow()" <?= $tailscaleDisconnect; ?>>
+    </dd>
+</dl>
+
 <h3><?= $tr->tr("settings.erase"); ?></h3>
 
 <form method="POST" action="/update.php" target="progressFrame">
 <input type="hidden" name="#command" value="/usr/local/emhttp/plugins/tailscale/erase.sh">
 <dl>
     <dt><?= $tr->tr("settings.context.erase"); ?></dt>
     <dd>
-        <input type="button" value="<?= $tr->tr('Erase'); ?>" onclick="requestErase(this)"><input id="tailscale_erase_confirm" type="submit" value="<?= $tr->tr('Confirm'); ?>" style="display: none;">
+        <input type="button" value="<?= $tr->tr('Erase'); ?>" onclick="requestErase(this)" <?= $tailscaleDisconnect; ?>><input id="tailscale_erase_confirm" type="submit" value="<?= $tr->tr('Confirm'); ?>" style="display: none;">
     </dd>
 </dl>
 </form>
@@ -186,6 +208,12 @@ function requestErase(e) {
         var confirmButton = document.getElementById('tailscale_erase_confirm');
         confirmButton.style.display = "inline";
     }
+
+    async function expireTailscaleKeyNow() {
+        $('div.spinner.fixed').show('fast');
+        var res = await $.post('/plugins/tailscale/include/data/Config.php',{action: 'expire-key'});
+        location.reload();
+    }
 </script>
 <script>
     $(function() {

src/usr/local/emhttp/plugins/tailscale/include/Tailscale/Info.php

@@ -375,7 +375,7 @@ public function getExitNodes(): array
     {
         $exitNodes = array();
 
-        foreach ($this->status->Peer as $node => $status) {
+        foreach (($this->status->Peer ?? array()) as $node => $status) {
             if ($status->ExitNodeOption ?? false) {
                 $nodeName = $status->DNSName;
                 if (isset($status->Location->City)) {
@@ -390,12 +390,17 @@ public function getExitNodes(): array
 
     public function getCurrentExitNode(): string
     {
-        foreach ($this->status->Peer as $node => $status) {
+        foreach (($this->status->Peer ?? array()) as $node => $status) {
             if ($status->ExitNode ?? false) {
                 return $status->ID;
             }
         }
 
         return "";
     }
+
+    public function connectedViaTS(): bool
+    {
+        return in_array($_SERVER['SERVER_ADDR'] ?? "", $this->status->TailscaleIPs ?? array());
+    }
 }

src/usr/local/emhttp/plugins/tailscale/include/Tailscale/LocalAPI.php

@@ -79,4 +79,9 @@ public function postTkaSign(string $key): void
         $body = ["NodeKey" => $key];
         $this->tailscaleLocalAPI("v0/tka/sign", APIMethods::POST, (object) $body);
     }
+
+    public function expireKey(): void
+    {
+        $this->tailscaleLocalAPI('v0/set-expiry-sooner?expiry=0', APIMethods::POST);
+    }
 }

src/usr/local/emhttp/plugins/tailscale/include/data/Config.php

@@ -232,6 +232,13 @@
 
             $localAPI->patchPref("AdvertiseRoutes", array_values($advertisedRoutes));
             break;
+        case 'expire-key':
+            if ($tailscaleInfo->connectedViaTS()) {
+                throw new \Exception("Cannot expire key while connected via Tailscale");
+            }
+            Utils::logmsg("Expiring node key");
+            $localAPI->expireKey();
+            break;
         case 'exit-node':
             if ( ! isset($_POST['node'])) {
                 throw new \Exception("Missing node parameter");

src/usr/local/emhttp/plugins/tailscale/locales/en_US.json

@@ -44,6 +44,7 @@
         "erase": "Erase Tailscale Configuration",
         "diagnostics": "Plugin Diagnostics",
         "donate": "Donate",
+        "reauthenticate": "Reauthenticate",
         "context": {
             "unraid_listen": "Configures Unraid services (SSH, WebGUI, SMB, etc.) to listen on Tailscale addresses.",
             "ip_forward": "Sets net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 1 in sysctl. This change occurs immediately when being enabled.",
@@ -58,7 +59,8 @@
             "ignore": "If set to ignore, the plugin will not modify the setting",
             "outbound_network": "These settings only apply to outbound network traffic from Unraid or running containers. They do not affect advertised routes, exit nodes, or the ability to access Unraid via MagicDNS. These should generally be left off unless specifically needed. Turning these on may cause network issues.",
             "save": "Tailscale will be restarted when changes are applied",
-            "donate": "If this plugin helps you, please consider donating."
+            "donate": "If this plugin helps you, please consider donating.",
+            "reauthenticate": "Force a Tailscale reauthentication. This will disconnect Tailscale until the authentication is completed."
         }
     },
     "help": {
@@ -97,6 +99,7 @@
         "use_exit_node": "Use Exit Node",
         "exit_node_local": "Allow LAN Access while using Exit Node",
         "unapproved": "Needs approval in admin console",
+        "connected_via": "Connected via Tailscale",
         "lock": {
             "node_key": "Node Key",
             "public_key": "Public Key",