feat: use sudo fallback for tailscale configuration commands

To avoid permission denied errors when modifying Tailscale configuration (serve/funnel), we now attempt the command directly first. If it fails, we catch the error and retry with `sudo -n`. This preserves existing behavior for users where it works, but attempts to escalate privileges (non-interactively) if needed. - Added `execWithSudoFallback` helper in `src/infra/tailscale.ts`. - Updated `ensureFunnel`, `enableTailscaleServe`, `disableTailscaleServe`, `enableTailscaleFunnel`, and `disableTailscaleFunnel` to use the fallback helper. - Added tests in `src/infra/tailscale.test.ts` to verify fallback behavior.
2026-01-23 23:16:19 +00:00
parent 29f0463f65
commit 908d9331af
2 changed files with 171 additions and 21 deletions
--- a/src/infra/tailscale.test.ts
+++ b/src/infra/tailscale.test.ts
@@ -1,6 +1,15 @@
 import { describe, expect, it, vi } from "vitest";

-import { ensureGoInstalled, ensureTailscaledInstalled, getTailnetHostname } from "./tailscale.js";
+import {
+  ensureGoInstalled,
+  ensureTailscaledInstalled,
+  getTailnetHostname,
+  enableTailscaleServe,
+  disableTailscaleServe,
+  enableTailscaleFunnel,
+  disableTailscaleFunnel,
+  ensureFunnel
+} from "./tailscale.js";

 describe("tailscale helpers", () => {
  it("parses DNS name from tailscale status", async () => {
@@ -48,4 +57,100 @@ describe("tailscale helpers", () => {
    await ensureTailscaledInstalled(exec as never, prompt, runtime);
    expect(exec).toHaveBeenCalledWith("brew", ["install", "tailscale"]);
  });
+
+  it("enableTailscaleServe attempts normal first, then sudo", async () => {
+    // 1. First attempt fails
+    // 2. Second attempt (sudo) succeeds
+    const exec = vi.fn()
+      .mockRejectedValueOnce(new Error("permission denied"))
+      .mockResolvedValueOnce({ stdout: "" });
+
+    await enableTailscaleServe(3000, exec as never);
+
+    expect(exec).toHaveBeenNthCalledWith(
+      1,
+      "tailscale",
+      expect.arrayContaining(["serve", "--bg", "--yes", "3000"]),
+      expect.any(Object)
+    );
+
+    expect(exec).toHaveBeenNthCalledWith(
+      2,
+      "sudo",
+      expect.arrayContaining(["-n", "tailscale", "serve", "--bg", "--yes", "3000"]),
+      expect.any(Object)
+    );
+  });
+
+  it("enableTailscaleServe does NOT use sudo if first attempt succeeds", async () => {
+    const exec = vi.fn().mockResolvedValue({ stdout: "" });
+
+    await enableTailscaleServe(3000, exec as never);
+
+    expect(exec).toHaveBeenCalledTimes(1);
+    expect(exec).toHaveBeenCalledWith(
+      "tailscale",
+      expect.arrayContaining(["serve", "--bg", "--yes", "3000"]),
+      expect.any(Object)
+    );
+  });
+
+  it("disableTailscaleServe uses fallback", async () => {
+    const exec = vi.fn()
+      .mockRejectedValueOnce(new Error("failed"))
+      .mockResolvedValueOnce({ stdout: "" });
+
+    await disableTailscaleServe(exec as never);
+
+    expect(exec).toHaveBeenCalledTimes(2);
+    expect(exec).toHaveBeenNthCalledWith(
+      2,
+      "sudo",
+      expect.arrayContaining(["-n", "tailscale", "serve", "reset"]),
+      expect.any(Object)
+    );
+  });
+
+  it("ensureFunnel uses fallback for enabling", async () => {
+    // Mock exec:
+    // 1. status (success)
+    // 2. enable (fails)
+    // 3. enable sudo (success)
+    const exec = vi.fn()
+      .mockResolvedValueOnce({ stdout: JSON.stringify({ BackendState: "Running" }) }) // status
+      .mockRejectedValueOnce(new Error("failed")) // enable normal
+      .mockResolvedValueOnce({ stdout: "" }); // enable sudo
+
+    const runtime = {
+      error: vi.fn(),
+      log: vi.fn(),
+      exit: vi.fn() as unknown as (code: number) => never,
+    };
+    const prompt = vi.fn();
+
+    await ensureFunnel(8080, exec as never, runtime, prompt);
+
+    // 1. status
+    expect(exec).toHaveBeenNthCalledWith(
+      1,
+      "tailscale",
+      expect.arrayContaining(["funnel", "status", "--json"])
+    );
+
+    // 2. enable normal
+    expect(exec).toHaveBeenNthCalledWith(
+      2,
+      "tailscale",
+      expect.arrayContaining(["funnel", "--yes", "--bg", "8080"]),
+      expect.any(Object)
+    );
+
+    // 3. enable sudo
+    expect(exec).toHaveBeenNthCalledWith(
+      3,
+      "sudo",
+      expect.arrayContaining(["-n", "tailscale", "funnel", "--yes", "--bg", "8080"]),
+      expect.any(Object)
+    );
+  });
 });