Merge remote-tracking branch 'upstream/main'

Author: gautamg795

.github/workflows/docker.yml

@@ -3,12 +3,12 @@ name: Docker
 on:
   push:
     # push events will publish a new image, so only trigger on main branch or semver tags.
-    branches: [ 'main' ]
-    tags: [ 'v*' ]
+    branches: ["main"]
+    tags: ["v*"]
   pull_request:
     # Run the workflow on pull_request events to ensure we can still build the image.
     # We only publish the image on push events (see if statements in steps below).
-    branches: [ 'main' ]
+    branches: ["main"]
 
 env:
   REGISTRY: ghcr.io
@@ -27,46 +27,46 @@ jobs:
       id-token: write
 
     steps:
-    - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-    - name: Setup Docker buildx
-      uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
-      with:
-        # use buildx v0.9.1 (https://community.fly.io/t/10171/19)
-        version: v0.9.1
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
-    - name: Log into registry ${{ env.REGISTRY }}
-      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
-      if: github.event_name == 'push'
-      with:
-        registry: ${{ env.REGISTRY }}
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        if: github.event_name == 'push'
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Extract Docker metadata
-      id: meta
-      uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1
-      with:
-        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
 
-    - name: Build and push Docker image
-      id: build-and-push
-      uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
-      with:
-        context: .
-        push: ${{ github.event_name == 'push' }}
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
-        platforms: linux/amd64,linux/arm64,linux/arm/v7
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-    # Sign the Docker image
-    - name: Install cosign
-      if: github.event_name == 'push'
-      uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b #v2.8.1
-    - name: Sign the published Docker image
-      if: github.event_name == 'push'
-      env:
-        COSIGN_EXPERIMENTAL: "true"
-      run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+      # Sign the Docker image
+      - name: Install cosign
+        if: github.event_name == 'push'
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 #v3.2.0
+      - name: Sign the published Docker image
+        if: github.event_name == 'push'
+        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

.github/workflows/tests.yml

@@ -6,8 +6,8 @@ on:
       - main
   pull_request:
     branches:
-      - '*'
-      - 'release-branch/*'
+      - "*"
+      - "release-branch/*"
 
 concurrency:
   group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}

Dockerfile

@@ -1,21 +1,23 @@
-FROM --platform=$BUILDPLATFORM cgr.dev/chainguard/wolfi-base as build
-RUN apk update && apk add build-base git openssh go-1.20
+FROM --platform=$BUILDPLATFORM golang:1.23-alpine as build
 
 WORKDIR /work
 
+# Install git so that go build populates the VCS details in build info, which
+# is then reported to Tailscale in the node version string.
+RUN apk add git
+
 COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
 ARG TARGETOS TARGETARCH TARGETVARIANT
 RUN \
-    if [ "${TARGETARCH}" = "arm" ] && [ -n "${TARGETVARIANT}" ]; then \
-      export GOARM="${TARGETVARIANT#v}"; \
-    fi; \
-    GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -v ./cmd/golink
-
+  if [ "${TARGETARCH}" = "arm" ] && [ -n "${TARGETVARIANT}" ]; then \
+  export GOARM="${TARGETVARIANT#v}"; \
+  fi; \
+  GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -v ./cmd/golink
 
-FROM cgr.dev/chainguard/static:latest
+FROM gcr.io/distroless/static-debian12:nonroot
 
 ENV HOME /home/nonroot
 

README.md

@@ -121,6 +121,100 @@ destination="/home/nonroot"
 
 </details>
 
+<details>
+  <summary>Deploy on Modal</summary>
+
+  See the [Modal docs](https://modal.com/docs/guide/managing-deployments) for full instructions on long-lived deployments.
+
+  Create a `golinks.py` file:
+
+  ```python
+import subprocess
+
+import modal
+
+app = modal.App(name="golinks")
+
+vol = modal.Volume.from_name("golinks-data", create_if_missing=True)
+
+image = modal.Image.from_registry(
+    "golang:1.23.0-bookworm",
+    add_python="3.10",
+).run_commands(["go install -v github.com/tailscale/golink/cmd/golink@latest"])
+
+@app.cls(
+    image=image,
+    secrets=[modal.Secret.from_name("golinks")],
+    volumes={"/root/.config": vol},
+    keep_warm=1,
+    concurrency_limit=1,
+)
+class Golinks:
+    @modal.enter()
+    def start_golinks(self):
+        subprocess.Popen(
+            [
+                "golink",
+                "-verbose",
+                "--sqlitedb",
+                "/root/.config/golink.db",
+            ]
+        )
+```
+
+  Then create your secret and deploy with the [Modal CLI](https://github.com/modal-labs/modal-client):
+
+  ```sh
+$ modal secret create golinks TS_AUTHKEY=<key>
+$ modal deploy golinks.py
+  ```
+
+</details>
+
+## Permissions
+
+By default, users own the links they create and only they can update or delete those links.
+Ownership can be transferred to another user from the link edit page.
+Links whose owner is no longer part of the tailnet can be edited by any user,
+at which point that user will become the new owner.
+
+Users can be granted admin access to edit all links using [ACL grants] in your tailnet policy file.
+For example, if you have your golink instance tagged with `tag:golink` and a user group named `group:golink-admins`,
+you can grant them admin access using:
+
+```json
+{
+  "grants": [{
+      "src": ["group:golink-admins"],
+      "dst": ["tag:golink"],
+      "app": {
+        "tailscale.com/cap/golink": [{
+            "admin": true
+        }]
+      }
+  }]
+}
+```
+
+Or if you want to effectively disable the ownership model and allow everyone in your tailnet to edit all links,
+you could assign the grant to `autogroup:member`:
+
+```json
+{
+  "grants": [{
+      "src": ["autogroup:member"],
+      "dst": ["tag:golink"],
+      "app": {
+        "tailscale.com/cap/golink": [{
+            "admin": true
+        }]
+      }
+  }]
+}
+```
+
+[ACL grants]: https://tailscale.com/kb/1324/acl-grants
+
 ## Backups
 
 Once you have golink running, you can backup all of your links in [JSON lines] format from <http://go/.export>.
@@ -146,3 +240,16 @@ If you're using Firefox, you might want to configure two options to make it easy
     with a value of _true_
 
   * if you use HTTPS-Only Mode, [add an exception](https://support.mozilla.org/en-US/kb/https-only-prefs#w_add-exceptions-for-http-websites-when-youre-in-https-only-mode)
+
+## HTTPS
+
+When golink joins your tailnet it will check to see if HTTPS is enabled and
+begin serving HTTPS traffic it detects that it is. When HTTPS is enabled golink
+will redirect all requests received by the HTTP endpoint first to their internal
+HTTPS equivalent before redirecting to the external link destination.
+
+**NB:** If you use `curl` to interact with the API of a golink instance with HTTPS
+enabled over its HTTP interface you _must_ specify the `-L` flag to follow these
+redirects or else your request will terminate early with an empty response. We
+recommend the use of the `-L` flag in all deployments regardless of current
+HTTPS status to avoid accidental outages should it be enabled in the future.

convex.go

@@ -171,6 +171,11 @@ func (c *ConvexDB) Save(link *Link) error {
 	return c.mutation(&args)
 }
 
+func (c *ConvexDB) Delete(short string) error {
+	args := UdfExecution{"deleteLink", map[string]interface{}{"normalizedId": linkID(short)}, "json"}
+	return c.mutation(&args)
+}
+
 func (c *ConvexDB) LoadStats() (ClickStats, error) {
 	args := UdfExecution{"stats:loadStats", map[string]interface{}{}, "json"}
 	response, err := c.query(&args)
@@ -203,3 +208,8 @@ func (c *ConvexDB) SaveStats(stats ClickStats) error {
 	args := UdfExecution{"stats:saveStats", map[string]interface{}{"stats": mungedStats}, "json"}
 	return c.mutation(&args)
 }
+
+func (c *ConvexDB) DeleteStats(short string) error {
+	args := UdfExecution{"stats:deleteStats", map[string]interface{}{"normalizedId": linkID(short)}, "json"}
+	return c.mutation(&args)
+}

convex_test.go

@@ -30,7 +30,7 @@ func getDbUrl() string {
 }
 
 // Test saving and loading links for SQLiteDB
-func Test_Convex_SaveLoadLinks(t *testing.T) {
+func Test_Convex_SaveLoadDeleteLinks(t *testing.T) {
 	url := getDbUrl()
 	db := NewConvexDB(url, "test")
 	clear(db)
@@ -66,35 +66,51 @@ func Test_Convex_SaveLoadLinks(t *testing.T) {
 	if !cmp.Equal(got, links, sortLinks, approximateTimeEq) {
 		t.Errorf("db.LoadAll got %v, want %v", got, links)
 	}
+
+	for _, link := range links {
+		if err := db.Delete(link.Short); err != nil {
+			t.Error(err)
+		}
+	}
+
+	got, err = db.LoadAll()
+	if err != nil {
+		t.Error(err)
+	}
+	want := []*Link(nil)
+	if !cmp.Equal(got, want) {
+		t.Errorf("db.LoadAll got %v, want %v", got, want)
+	}
 }
 
 // Test saving and loading stats for SQLiteDB
-func Test_Convex_SaveLoadStats(t *testing.T) {
+func Test_Convex_SaveLoadDeleteStats(t *testing.T) {
 	url := getDbUrl()
 	db := NewConvexDB(url, "test")
 	clear(db)
-	defer clear(db)
+	// defer clear(db)
 
 	// preload some links
 	links := []*Link{
 		{Short: "a"},
-		{Short: "b"},
+		{Short: "B-c"},
 	}
 	for _, link := range links {
 		if err := db.Save(link); err != nil {
 			t.Error(err)
 		}
 	}
 
-	// stats to record and then retrieve
+	// Stats to store do not need to be their canonical short name,
+	// but returned stats always should be.
 	stats := []ClickStats{
 		{"a": 1},
-		{"b": 1},
-		{"a": 1, "b": 2},
+		{"b-c": 1},
+		{"a": 1, "bc": 2},
 	}
 	want := ClickStats{
-		"a": 2,
-		"b": 3,
+		"a":   2,
+		"B-c": 3,
 	}
 
 	for _, s := range stats {
@@ -110,4 +126,19 @@ func Test_Convex_SaveLoadStats(t *testing.T) {
 	if !cmp.Equal(got, want) {
 		t.Errorf("db.LoadStats got %v, want %v", got, want)
 	}
+
+	for k := range want {
+		if err := db.DeleteStats(k); err != nil {
+			t.Error(err)
+		}
+	}
+
+	got, err = db.LoadStats()
+	if err != nil {
+		t.Error(err)
+	}
+	want = ClickStats{}
+	if !cmp.Equal(got, want) {
+		t.Errorf("db.LoadStats got %v, want %v", got, want)
+	}
 }

db.go

@@ -34,6 +34,8 @@ type Database interface {
 	LoadAll() ([]*Link, error)
 	Load(short string) (*Link, error)
 	Save(link *Link) error
+	Delete(short string) error
 	LoadStats() (ClickStats, error)
 	SaveStats(stats ClickStats) error
+	DeleteStats(short string) error
 }