ipn: rename CapTailnetLockAlpha -> CapTailnetLock
Updates tailscale/corp#8568 Signed-off-by: Tom DNetto <tom@tailscale.com>
parent
60ab8089ff
commit
2bbedd2001
|
@ -1013,7 +1013,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
|
|||
|
||||
// Perform all reconfiguration based on the netmap here.
|
||||
if st.NetMap != nil {
|
||||
b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLockAlpha)
|
||||
b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock)
|
||||
|
||||
b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded
|
||||
if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil {
|
||||
|
|
|
@ -20,7 +20,6 @@ import (
|
|||
"path/filepath"
|
||||
"time"
|
||||
|
||||
"tailscale.com/envknob"
|
||||
"tailscale.com/health"
|
||||
"tailscale.com/ipn"
|
||||
"tailscale.com/ipn/ipnstate"
|
||||
|
@ -53,20 +52,12 @@ type tkaState struct {
|
|||
filtered []ipnstate.TKAFilteredPeer
|
||||
}
|
||||
|
||||
// permitTKAInitLocked returns true if tailnet lock initialization may
|
||||
// occur.
|
||||
// b.mu must be held.
|
||||
func (b *LocalBackend) permitTKAInitLocked() bool {
|
||||
return envknob.UseWIPCode() || b.capTailnetLock
|
||||
}
|
||||
|
||||
// tkaFilterNetmapLocked checks the signatures on each node key, dropping
|
||||
// nodes from the netmap whose signature does not verify.
|
||||
//
|
||||
// b.mu must be held.
|
||||
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
|
||||
// TODO(tom): Remove this guard for 1.35 and later.
|
||||
if b.tka == nil && !b.permitTKAInitLocked() {
|
||||
if b.tka == nil && !b.capTailnetLock {
|
||||
health.SetTKAHealth(nil)
|
||||
return
|
||||
}
|
||||
|
@ -153,8 +144,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
|
|||
b.mu.Lock() // take mu to protect access to synchronized fields.
|
||||
defer b.mu.Unlock()
|
||||
|
||||
// TODO(tom): Remove this guard for 1.35 and later.
|
||||
if b.tka == nil && !b.permitTKAInitLocked() {
|
||||
if b.tka == nil && !b.capTailnetLock {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -483,10 +473,9 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
|
|||
var nlPriv key.NLPrivate
|
||||
b.mu.Lock()
|
||||
|
||||
// TODO(tom): Remove this guard for 1.35 and later.
|
||||
if !b.permitTKAInitLocked() {
|
||||
if !b.capTailnetLock {
|
||||
b.mu.Unlock()
|
||||
return errors.New("this feature is not yet complete, a later release may support this functionality")
|
||||
return errors.New("not permitted to enable tailnet lock")
|
||||
}
|
||||
|
||||
if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {
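Review bot: The early return in tkaSyncIfNeeded (`if b.tka == nil && !b.capTailnetLock { return nil }`) is now a permanent gate on a control-supplied capability, yet this commit removes the only comment that explained it (the TODO) and the skip reports success without logging. A node that holds no tailnet lock state and lacks the capability therefore looks the same to callers and operators as one with nothing to sync. I would replace the dropped TODO with a comment such as `// Without CapabilityTailnetLock a node that has no TKA state does not start syncing; nodes that already hold state are unaffected.` The same applies to the matching guards in tkaFilterNetmapLocked and NetworkLockInit. In NetworkLockInit the bare `errors.New("not permitted to enable tailnet lock")` could become a package-level sentinel so callers can tell a denial from other failures. All three function bodies continue outside their hunks, so whether state already exists on these paths is inferred from the `b.tka == nil` condition only.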
|
||||
|
|
|
@ -17,7 +17,6 @@ import (
|
|||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
"tailscale.com/control/controlclient"
|
||||
"tailscale.com/envknob"
|
||||
"tailscale.com/hostinfo"
|
||||
"tailscale.com/ipn"
|
||||
"tailscale.com/ipn/store/mem"
|
||||
|
@ -66,8 +65,6 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
|
|||
}
|
||||
|
||||
func TestTKAEnablementFlow(t *testing.T) {
|
||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
||||
nodePriv := key.NewNode()
|
||||
|
||||
// Make a fake TKA authority, getting a usable genesis AUM which
|
||||
|
@ -150,12 +147,13 @@ func TestTKAEnablementFlow(t *testing.T) {
|
|||
},
|
||||
}).View()))
|
||||
b := LocalBackend{
|
||||
varRoot: temp,
|
||||
cc: cc,
|
||||
ccAuto: cc,
|
||||
logf: t.Logf,
|
||||
pm: pm,
|
||||
store: pm.Store(),
|
||||
capTailnetLock: true,
|
||||
varRoot: temp,
|
||||
cc: cc,
|
||||
ccAuto: cc,
|
||||
logf: t.Logf,
|
||||
pm: pm,
|
||||
store: pm.Store(),
|
||||
}
|
||||
|
||||
err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
|
||||
|
@ -174,8 +172,6 @@ func TestTKAEnablementFlow(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTKADisablementFlow(t *testing.T) {
|
||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
||||
nodePriv := key.NewNode()
|
||||
|
||||
// Make a fake TKA authority, to seed local state.
|
||||
|
@ -297,9 +293,6 @@ func TestTKADisablementFlow(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTKASync(t *testing.T) {
|
||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
||||
|
||||
someKeyPriv := key.NewNLPrivate()
|
||||
someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
|
||||
|
||||
|
@ -538,9 +531,6 @@ func TestTKASync(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTKAFilterNetmap(t *testing.T) {
|
||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
||||
|
||||
nlPriv := key.NewNLPrivate()
|
||||
nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
|
||||
storage := &tka.Mem{}
|
||||
|
@ -597,8 +587,6 @@ func TestTKAFilterNetmap(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTKADisable(t *testing.T) {
|
||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
||||
nodePriv := key.NewNode()
|
||||
|
||||
// Make a fake TKA authority, to seed local state.
|
||||
|
@ -692,8 +680,6 @@ func TestTKADisable(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTKASign(t *testing.T) {
|
||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
||||
nodePriv := key.NewNode()
|
||||
toSign := key.NewNode()
|
||||
nlPriv := key.NewNLPrivate()
|
||||
|
@ -780,8 +766,6 @@ func TestTKASign(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTKAForceDisable(t *testing.T) {
|
||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
||||
nodePriv := key.NewNode()
|
||||
|
||||
// Make a fake TKA authority, to seed local state.
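Review bot: No test visible in this section covers the denied path of the capability gate. The hunks remove the `TAILSCALE_USE_WIP_CODE` override from every test and add `capTailnetLock: true` only to the backend literal in TestTKAEnablementFlow, so the allow path is exercised but the refusal is not. Because the gate is now the only authorization check before tailnet lock initialization, a negative test is worth adding. It would build a LocalBackend with `capTailnetLock` left false and no TKA state, then assert that `tkaSyncIfNeeded` leaves `b.tka` nil and that `NetworkLockInit` returns an error. The other tests presumably pass without the field because they seed TKA state before calling in, but their bodies are outside the hunks, so that should be confirmed.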
|
||||
|
|
|
@ -100,7 +100,8 @@ type CapabilityVersion int
|
|||
// - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
|
||||
// - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
|
||||
// - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
|
||||
const CurrentCapabilityVersion CapabilityVersion = 63
|
||||
// - 64: 2023-07-11: Client understands s/CapabilityTailnetLockAlpha/CapabilityTailnetLock
|
||||
const CurrentCapabilityVersion CapabilityVersion = 64
|
||||
|
||||
type StableID string
|
||||
|
||||
|
@ -1850,11 +1851,8 @@ const (
|
|||
// of connections to the default network interface on Darwin nodes.
|
||||
CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface"
|
||||
|
||||
// CapabilityTailnetLockAlpha indicates the node is in the tailnet lock alpha,
|
||||
// and initialization of tailnet lock may proceed.
|
||||
//
|
||||
// TODO(tom): Remove this for 1.35 and later.
|
||||
CapabilityTailnetLockAlpha = "https://tailscale.com/cap/tailnet-lock-alpha"
|
||||
// CapabilityTailnetLock indicates the node may initialize tailnet lock.
|
||||
CapabilityTailnetLock = "https://tailscale.com/cap/tailnet-lock"
|
||||
|
||||
// Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants.
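Review bot: The new doc comment on `CapabilityTailnetLock` understates what the capability gates. Elsewhere in this commit it guards not only NetworkLockInit but also the early returns in tkaSyncIfNeeded and tkaFilterNetmapLocked when the node has no TKA state. I would widen it to something like `// CapabilityTailnetLock indicates the node may initialize tailnet lock; a node without it and without existing tailnet lock state also skips tailnet lock sync.` It may also help to note beside the version 64 entry that clients from this version on no longer recognise the `tailnet-lock-alpha` URL, so whoever grants the capability knows the two strings are not interchangeable.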
|
||||
|
||||
|
|