pairling 0.0.1 → 0.1.0

package/payload/mac/connectd/internal/status/status.go

@@ -0,0 +1,300 @@
+package status
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	SchemaVersion          = 2
+	DefaultListenPort      = 7773
+	DefaultConnectdVersion = "2026-05-24"
+	DefaultControlURLMode  = "tailscale_saas"
+	CustomControlURLMode   = "custom"
+	RouteIDPairlingConnect = "pairling-connect-tailnet"
+	RouteSourceConnectd    = "pairling_connectd"
+	RouteKindTailnet       = "tailnet"
+	RouteStatusReady       = "ready"
+)
+
+type AdvertisedRoute struct {
+	ID       string `json:"id"`
+	Kind     string `json:"kind"`
+	Source   string `json:"source"`
+	Priority int    `json:"priority"`
+	BaseURL  string `json:"base_url"`
+	Host     string `json:"host"`
+	Port     int    `json:"port"`
+	Status   string `json:"status"`
+}
+
+type Snapshot struct {
+	OK                   bool              `json:"ok"`
+	SchemaVersion        int               `json:"schema_version"`
+	AuthState            string            `json:"auth_state"`
+	Hostname             string            `json:"hostname"`
+	TailnetIP            string            `json:"tailnet_ip,omitempty"`
+	TailnetIPCount       int               `json:"tailnet_ip_count"`
+	AuthURLPresent       bool              `json:"auth_url_present"`
+	ControlURLMode       string            `json:"control_url_mode"`
+	UpstreamReachable    bool              `json:"upstream_reachable"`
+	ListenerRunning      bool              `json:"listener_running"`
+	GatewayHealthy       bool              `json:"gateway_healthy"`
+	ListenPort           int               `json:"listen_port"`
+	ConnectdVersion      string            `json:"connectd_version"`
+	AdvertisedRoutes     []AdvertisedRoute `json:"advertised_routes"`
+	LastError            string            `json:"last_error,omitempty"`
+	LastGatewayFailure   string            `json:"last_gateway_failure,omitempty"`
+	LastGatewayFailureAt string            `json:"last_gateway_failure_at,omitempty"`
+	UpdatedAt            string            `json:"updated_at"`
+}
+
+type Store struct {
+	mu                   sync.RWMutex
+	snapshot             Snapshot
+	authURL              string
+	gatewaySuccessStreak int
+}
+
+func NewStore(hostname string) *Store {
+	return &Store{
+		snapshot: Snapshot{
+			OK:               true,
+			SchemaVersion:    SchemaVersion,
+			AuthState:        "starting",
+			Hostname:         hostname,
+			ControlURLMode:   DefaultControlURLMode,
+			GatewayHealthy:   true,
+			ListenPort:       DefaultListenPort,
+			ConnectdVersion:  DefaultConnectdVersion,
+			AdvertisedRoutes: []AdvertisedRoute{},
+			UpdatedAt:        nowString(),
+		},
+	}
+}
+
+func (s *Store) SetControlURLMode(mode string) {
+	s.update(func(snapshot *Snapshot) {
+		if mode == "" {
+			mode = DefaultControlURLMode
+		}
+		snapshot.ControlURLMode = mode
+	})
+}
+
+func (s *Store) SetListenPort(port int) {
+	s.update(func(snapshot *Snapshot) {
+		if port <= 0 {
+			port = DefaultListenPort
+		}
+		snapshot.ListenPort = port
+	})
+}
+
+func (s *Store) SetConnectdVersion(version string) {
+	s.update(func(snapshot *Snapshot) {
+		if version == "" {
+			version = DefaultConnectdVersion
+		}
+		snapshot.ConnectdVersion = version
+	})
+}
+
+func (s *Store) SetAuthPending(message string) {
+	s.update(func(snapshot *Snapshot) {
+		snapshot.AuthState = "pending"
+		if authURL, ok := extractAuthURL(message); ok {
+			s.authURL = authURL
+			snapshot.AuthURLPresent = true
+		}
+	})
+}
+
+func (s *Store) SetAuthenticated() {
+	s.update(func(snapshot *Snapshot) {
+		snapshot.AuthState = "authenticated"
+		s.authURL = ""
+		snapshot.AuthURLPresent = false
+	})
+}
+
+func (s *Store) SetTailnetIP(ip string) {
+	s.update(func(snapshot *Snapshot) {
+		snapshot.TailnetIP = ip
+		if ip == "" {
+			snapshot.TailnetIPCount = 0
+		} else {
+			snapshot.TailnetIPCount = 1
+		}
+	})
+}
+
+func (s *Store) SetUpstreamReachable(reachable bool) {
+	s.update(func(snapshot *Snapshot) {
+		snapshot.UpstreamReachable = reachable
+	})
+}
+
+func (s *Store) SetListenerRunning(running bool) {
+	s.update(func(snapshot *Snapshot) {
+		snapshot.ListenerRunning = running
+	})
+}
+
+func (s *Store) RecordGatewayEvent(method, path string, status int, outcome string) {
+	s.update(func(snapshot *Snapshot) {
+		method = strings.ToUpper(strings.TrimSpace(method))
+		path = strings.TrimSpace(path)
+		outcome = strings.TrimSpace(outcome)
+		if gatewayEventIsFailure(path, status, outcome) {
+			s.gatewaySuccessStreak = 0
+			snapshot.GatewayHealthy = false
+			snapshot.LastGatewayFailure = redact(fmt.Sprintf("%s %s status=%d outcome=%s", method, path, status, outcome))
+			snapshot.LastGatewayFailureAt = nowString()
+			return
+		}
+		if gatewayEventIsRecoveryProbe(path, status, outcome) {
+			s.gatewaySuccessStreak = 1
+			snapshot.GatewayHealthy = true
+			snapshot.LastGatewayFailure = ""
+			snapshot.LastGatewayFailureAt = ""
+			return
+		}
+	})
+}
+
+func (s *Store) SetLastError(message string) {
+	s.update(func(snapshot *Snapshot) {
+		snapshot.LastError = redact(message)
+		if message != "" {
+			snapshot.OK = false
+		}
+	})
+}
+
+func (s *Store) Snapshot() Snapshot {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.snapshot
+}
+
+func (s *Store) AuthURLForOpen() (string, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	if s.authURL == "" || !s.snapshot.AuthURLPresent {
+		return "", false
+	}
+	return validateAuthURL(s.authURL)
+}
+
+func (s *Store) Handler() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			http.Error(w, "GET required", http.StatusMethodNotAllowed)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(s.Snapshot())
+	})
+}
+
+func (s *Store) update(fn func(*Snapshot)) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	fn(&s.snapshot)
+	s.snapshot.AdvertisedRoutes = advertisedRoutes(s.snapshot)
+	s.snapshot.UpdatedAt = nowString()
+}
+
+func advertisedRoutes(snapshot Snapshot) []AdvertisedRoute {
+	if snapshot.AuthState != "authenticated" || snapshot.TailnetIP == "" || !snapshot.ListenerRunning || !snapshot.UpstreamReachable || !snapshot.GatewayHealthy {
+		return []AdvertisedRoute{}
+	}
+	port := snapshot.ListenPort
+	if port <= 0 {
+		port = DefaultListenPort
+	}
+	return []AdvertisedRoute{{
+		ID:       RouteIDPairlingConnect,
+		Kind:     RouteKindTailnet,
+		Source:   RouteSourceConnectd,
+		Priority: 100,
+		BaseURL:  fmt.Sprintf("http://%s:%d", snapshot.TailnetIP, port),
+		Host:     snapshot.TailnetIP,
+		Port:     port,
+		Status:   RouteStatusReady,
+	}}
+}
+
+func gatewayEventIsFailure(path string, status int, outcome string) bool {
+	path = strings.TrimSpace(path)
+	if path != "/routez" {
+		return false
+	}
+	outcome = strings.ToLower(strings.TrimSpace(outcome))
+	if outcome == "upstream_error" || outcome == "validation_failed" || outcome == "timeout" {
+		return true
+	}
+	if status >= 500 {
+		return true
+	}
+	return false
+}
+
+func gatewayEventIsRecoveryProbe(path string, status int, outcome string) bool {
+	outcome = strings.ToLower(strings.TrimSpace(outcome))
+	return path == "/routez" && outcome == "forwarded" && status >= 200 && status < 400
+}
+
+func nowString() string {
+	return time.Now().UTC().Format(time.RFC3339)
+}
+
+var secretPattern = regexp.MustCompile(`(?i)(sk-[A-Za-z0-9._-]+|[A-Za-z0-9._-]*secret[A-Za-z0-9._-]*|[A-Za-z0-9._-]*token[A-Za-z0-9._-]*)`)
+var authURLPattern = regexp.MustCompile(`https://login\.tailscale\.com/a/[A-Za-z0-9._~!$&'()*+,;=:@%/?-]+`)
+var bearerPattern = regexp.MustCompile(`(?i)Bearer\s+[A-Za-z0-9._~+/=-]+`)
+var tailscaleAuthKeyPattern = regexp.MustCompile(`(?i)tskey-[A-Za-z0-9._-]+`)
+
+func extractAuthURL(value string) (string, bool) {
+	raw := authURLPattern.FindString(value)
+	if raw == "" {
+		return "", false
+	}
+	return validateAuthURL(raw)
+}
+
+func ValidAuthURL(value string) bool {
+	_, ok := validateAuthURL(value)
+	return ok
+}
+
+func validateAuthURL(raw string) (string, bool) {
+	parsed, err := url.Parse(raw)
+	if err != nil {
+		return "", false
+	}
+	if parsed.Scheme != "https" || strings.ToLower(parsed.Host) != "login.tailscale.com" {
+		return "", false
+	}
+	if parsed.User != nil || parsed.Fragment != "" || !strings.HasPrefix(parsed.Path, "/a/") || len(parsed.Path) <= len("/a/") {
+		return "", false
+	}
+	return raw, true
+}
+
+func redact(value string) string {
+	value = authURLPattern.ReplaceAllString(value, "https://login.tailscale.com/a/[redacted]")
+	value = bearerPattern.ReplaceAllString(value, "Bearer [redacted]")
+	value = tailscaleAuthKeyPattern.ReplaceAllString(value, "[redacted]")
+	return secretPattern.ReplaceAllString(value, "[redacted]")
+}
+
+func Redact(value string) string {
+	return redact(value)
+}

package/payload/mac/connectd/internal/status/status_test.go

@@ -0,0 +1,263 @@
+package status
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestStoreServesHelperReadableSnapshotWithoutSecrets(t *testing.T) {
+	store := NewStore("pairling-inst-abcdef")
+	store.SetAuthPending("https://login.tailscale.com/a/secret-auth-token")
+	store.SetTailnetIP("100.64.0.10")
+	store.SetUpstreamReachable(true)
+	store.SetListenerRunning(true)
+	store.SetLastError("provider key sk-secret leaked elsewhere")
+
+	rec := httptest.NewRecorder()
+	store.Handler().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/status", nil))
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want 200", rec.Code)
+	}
+	var body Snapshot
+	if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil {
+		t.Fatal(err)
+	}
+	if body.Hostname != "pairling-inst-abcdef" || body.TailnetIP != "100.64.0.10" {
+		t.Fatalf("bad snapshot: %+v", body)
+	}
+	if body.SchemaVersion != 2 || body.AuthState != "pending" || !body.AuthURLPresent || !body.UpstreamReachable || !body.ListenerRunning {
+		t.Fatalf("bad status fields: %+v", body)
+	}
+	if body.TailnetIPCount != 1 || body.ControlURLMode != DefaultControlURLMode || body.ListenPort != DefaultListenPort {
+		t.Fatalf("bad v2 status fields: %+v", body)
+	}
+	if len(body.AdvertisedRoutes) != 0 {
+		t.Fatalf("pending auth should not advertise routes: %+v", body.AdvertisedRoutes)
+	}
+	raw := rec.Body.String()
+	for _, forbidden := range []string{"secret-auth-token", "sk-secret"} {
+		if strings.Contains(raw, forbidden) {
+			t.Fatalf("status leaked %q: %s", forbidden, raw)
+		}
+	}
+}
+
+func TestStoreAdvertisesRouteOnlyWhenReady(t *testing.T) {
+	store := NewStore("pairling-inst-abcdef")
+	store.SetAuthPending("open https://login.tailscale.com/a/example-token")
+	store.SetListenPort(7773)
+	store.SetTailnetIP("100.64.0.10")
+	store.SetListenerRunning(true)
+	store.SetUpstreamReachable(true)
+
+	if got := store.Snapshot().AdvertisedRoutes; len(got) != 0 {
+		t.Fatalf("unauthenticated status advertised routes: %+v", got)
+	}
+
+	store.SetAuthenticated()
+	snapshot := store.Snapshot()
+	if len(snapshot.AdvertisedRoutes) != 1 {
+		t.Fatalf("advertised routes = %+v, want one ready route", snapshot.AdvertisedRoutes)
+	}
+	route := snapshot.AdvertisedRoutes[0]
+	if route.ID != RouteIDPairlingConnect || route.Source != RouteSourceConnectd || route.Kind != RouteKindTailnet {
+		t.Fatalf("bad route identity: %+v", route)
+	}
+	if route.BaseURL != "http://100.64.0.10:7773" || route.Host != "100.64.0.10" || route.Port != 7773 || route.Status != RouteStatusReady {
+		t.Fatalf("bad route fields: %+v", route)
+	}
+	if snapshot.AuthURLPresent {
+		t.Fatalf("authenticated snapshot should clear auth URL presence: %+v", snapshot)
+	}
+	if authURL, ok := store.AuthURLForOpen(); ok || authURL != "" {
+		t.Fatalf("authenticated status should clear raw auth URL, got ok=%t url=%q", ok, authURL)
+	}
+}
+
+func TestStoreSuppressesAdvertisedRouteAfterRecentGatewayValidationFailure(t *testing.T) {
+	store := NewStore("pairling-inst-abcdef")
+	store.SetAuthenticated()
+	store.SetTailnetIP("100.64.0.10")
+	store.SetListenerRunning(true)
+	store.SetUpstreamReachable(true)
+
+	store.RecordGatewayEvent("GET", "/routez", 502, "upstream_error")
+	snapshot := store.Snapshot()
+	if snapshot.GatewayHealthy {
+		t.Fatalf("gateway should be unhealthy after route validation failure: %+v", snapshot)
+	}
+	if snapshot.LastGatewayFailure == "" {
+		t.Fatalf("gateway failure should be exposed as redacted diagnostic: %+v", snapshot)
+	}
+	if got := snapshot.AdvertisedRoutes; len(got) != 0 {
+		t.Fatalf("gateway failure advertised routes: %+v", got)
+	}
+
+	store.RecordGatewayEvent("GET", "/routez", 200, "forwarded")
+	snapshot = store.Snapshot()
+	if !snapshot.GatewayHealthy {
+		t.Fatalf("gateway should recover after fresh successful routez proof: %+v", snapshot)
+	}
+	if len(snapshot.AdvertisedRoutes) != 1 {
+		t.Fatalf("recovered gateway did not advertise route: %+v", snapshot.AdvertisedRoutes)
+	}
+}
+
+func TestStoreDoesNotPoisonRouteHealthForProductEndpointFailures(t *testing.T) {
+	store := NewStore("pairling-inst-abcdef")
+	store.SetAuthenticated()
+	store.SetTailnetIP("100.64.0.10")
+	store.SetListenerRunning(true)
+	store.SetUpstreamReachable(true)
+
+	store.RecordGatewayEvent("POST", "/push/test", 500, "upstream_error")
+	snapshot := store.Snapshot()
+	if !snapshot.GatewayHealthy {
+		t.Fatalf("product endpoint 5xx should not poison route health: %+v", snapshot)
+	}
+	if snapshot.LastGatewayFailure != "" {
+		t.Fatalf("product endpoint failure should not be stored as route failure: %+v", snapshot)
+	}
+	if len(snapshot.AdvertisedRoutes) != 1 {
+		t.Fatalf("product endpoint failure should not suppress advertised routes: %+v", snapshot.AdvertisedRoutes)
+	}
+}
+
+func TestStoreRecoversRouteHealthAfterFreshSuccessfulRouteProof(t *testing.T) {
+	store := NewStore("pairling-inst-abcdef")
+	store.SetAuthenticated()
+	store.SetTailnetIP("100.64.0.10")
+	store.SetListenerRunning(true)
+	store.SetUpstreamReachable(true)
+
+	store.RecordGatewayEvent("GET", "/routez", 502, "upstream_error")
+	if store.Snapshot().GatewayHealthy {
+		t.Fatalf("route proof failure should mark route unhealthy")
+	}
+
+	store.RecordGatewayEvent("GET", "/routez", 200, "forwarded")
+	snapshot := store.Snapshot()
+	if !snapshot.GatewayHealthy {
+		t.Fatalf("fresh routez proof should recover route health: %+v", snapshot)
+	}
+	if len(snapshot.AdvertisedRoutes) != 1 {
+		t.Fatalf("fresh routez proof should restore advertised route: %+v", snapshot.AdvertisedRoutes)
+	}
+}
+
+func TestStoreKeepsRawAuthURLPrivateForLocalOpenOnly(t *testing.T) {
+	store := NewStore("pairling-inst-abcdef")
+	rawAuthURL := "https://login.tailscale.com/a/secret-auth-token?next=pairling"
+	store.SetAuthPending("Approve Pairling Connect at " + rawAuthURL)
+
+	authURL, ok := store.AuthURLForOpen()
+	if !ok || authURL != rawAuthURL {
+		t.Fatalf("auth URL for local open = %q, %t; want raw in-memory URL", authURL, ok)
+	}
+
+	rec := httptest.NewRecorder()
+	store.Handler().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/status", nil))
+	if strings.Contains(rec.Body.String(), "secret-auth-token") || strings.Contains(rec.Body.String(), "login.tailscale.com/a/") {
+		t.Fatalf("status response leaked raw auth URL: %s", rec.Body.String())
+	}
+}
+
+func TestStoreRejectsInvalidAuthURLForLocalOpen(t *testing.T) {
+	store := NewStore("pairling-inst-abcdef")
+	store.SetAuthPending("Approve Pairling Connect at http://login.tailscale.com/a/not-secure")
+
+	if authURL, ok := store.AuthURLForOpen(); ok || authURL != "" {
+		t.Fatalf("invalid auth URL should not be available for local open, got ok=%t url=%q", ok, authURL)
+	}
+
+	snapshot := store.Snapshot()
+	if snapshot.AuthURLPresent {
+		t.Fatalf("invalid auth URL should not set presence: %+v", snapshot)
+	}
+	if !ValidAuthURL("https://login.tailscale.com/a/example-token?next=pairling") {
+		t.Fatal("valid auth URL was rejected")
+	}
+	if ValidAuthURL("https://login.tailscale.com.evil/a/example-token") {
+		t.Fatal("evil host was accepted")
+	}
+}
+
+func TestStoreSuppressesAdvertisedRouteForDegradedStates(t *testing.T) {
+	cases := []struct {
+		name      string
+		configure func(*Store)
+	}{
+		{
+			name: "auth pending",
+			configure: func(store *Store) {
+				store.SetAuthPending("open https://login.tailscale.com/a/example")
+				store.SetTailnetIP("100.64.0.10")
+				store.SetListenerRunning(true)
+				store.SetUpstreamReachable(true)
+			},
+		},
+		{
+			name: "missing tailnet IP",
+			configure: func(store *Store) {
+				store.SetAuthenticated()
+				store.SetListenerRunning(true)
+				store.SetUpstreamReachable(true)
+			},
+		},
+		{
+			name: "listener down",
+			configure: func(store *Store) {
+				store.SetAuthenticated()
+				store.SetTailnetIP("100.64.0.10")
+				store.SetUpstreamReachable(true)
+			},
+		},
+		{
+			name: "upstream down",
+			configure: func(store *Store) {
+				store.SetAuthenticated()
+				store.SetTailnetIP("100.64.0.10")
+				store.SetListenerRunning(true)
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			store := NewStore("pairling-inst-abcdef")
+			tc.configure(store)
+			if got := store.Snapshot().AdvertisedRoutes; len(got) != 0 {
+				t.Fatalf("degraded state advertised routes: %+v", got)
+			}
+		})
+	}
+}
+
+func TestRedactRemovesAuthURLsAndBearerMaterial(t *testing.T) {
+	cases := map[string][]string{
+		"open https://login.tailscale.com/a/abc123DEF456 to authenticate": {
+			"abc123DEF456",
+		},
+		"Authorization: Bearer device-token-value": {
+			"device-token-value",
+		},
+		"auth key tskey-auth-k9uFq_secret_part": {
+			"tskey-auth-k9uFq_secret_part",
+		},
+	}
+
+	for input, forbidden := range cases {
+		t.Run(input, func(t *testing.T) {
+			redacted := Redact(input)
+			for _, value := range forbidden {
+				if strings.Contains(redacted, value) {
+					t.Fatalf("redacted output leaked %q: %s", value, redacted)
+				}
+			}
+		})
+	}
+}