ipn: rename CapTailnetLockAlpha -> CapTailnetLock

Updates tailscale/corp#8568
Signed-off-by: Tom DNetto <tom@tailscale.com>
Tom DNetto 2023-07-07 08:39:35 -07:00 committed by Tom
parent 60ab8089ff
commit 2bbedd2001
4 changed files with 16 additions and 45 deletions


@ -1013,7 +1013,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
// Perform all reconfiguration based on the netmap here. // Perform all reconfiguration based on the netmap here.
if st.NetMap != nil { if st.NetMap != nil {
b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLockAlpha) b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock)
b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded
if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil { if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil {


@ -20,7 +20,6 @@ import (
"path/filepath" "path/filepath"
"time" "time"
"tailscale.com/envknob"
"tailscale.com/health" "tailscale.com/health"
"tailscale.com/ipn" "tailscale.com/ipn"
"tailscale.com/ipn/ipnstate" "tailscale.com/ipn/ipnstate"
@ -53,20 +52,12 @@ type tkaState struct {
filtered []ipnstate.TKAFilteredPeer filtered []ipnstate.TKAFilteredPeer
} }
// permitTKAInitLocked returns true if tailnet lock initialization may
// occur.
// b.mu must be held.
func (b *LocalBackend) permitTKAInitLocked() bool {
return envknob.UseWIPCode() || b.capTailnetLock
}
// tkaFilterNetmapLocked checks the signatures on each node key, dropping // tkaFilterNetmapLocked checks the signatures on each node key, dropping
// nodes from the netmap whose signature does not verify. // nodes from the netmap whose signature does not verify.
// //
// b.mu must be held. // b.mu must be held.
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) { func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
// TODO(tom): Remove this guard for 1.35 and later. if b.tka == nil && !b.capTailnetLock {
if b.tka == nil && !b.permitTKAInitLocked() {
health.SetTKAHealth(nil) health.SetTKAHealth(nil)
return return
} }
@ -153,8 +144,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
b.mu.Lock() // take mu to protect access to synchronized fields. b.mu.Lock() // take mu to protect access to synchronized fields.
defer b.mu.Unlock() defer b.mu.Unlock()
// TODO(tom): Remove this guard for 1.35 and later. if b.tka == nil && !b.capTailnetLock {
if b.tka == nil && !b.permitTKAInitLocked() {
return nil return nil
} }
@ -483,10 +473,9 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
var nlPriv key.NLPrivate var nlPriv key.NLPrivate
b.mu.Lock() b.mu.Lock()
// TODO(tom): Remove this guard for 1.35 and later. if !b.capTailnetLock {
if !b.permitTKAInitLocked() {
b.mu.Unlock() b.mu.Unlock()
return errors.New("this feature is not yet complete, a later release may support this functionality") return errors.New("not permitted to enable tailnet lock")
} }
if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() { if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {
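Review bot: The guard in NetworkLockInit now rests entirely on `b.capTailnetLock`, and nothing at the check site says where that flag comes from or that the local `envknob.UseWIPCode()` bypass is gone on purpose; a reader auditing who may turn on tailnet lock has to find setClientStatus to learn it is populated from the netmap capability. I would add above the check `// capTailnetLock is derived from the control-plane netmap in setClientStatus; there is no local override, so control alone decides whether init is permitted.` The same `b.tka == nil && !b.capTailnetLock` guard appears in the tkaFilterNetmapLocked and tkaSyncIfNeeded hunks above and would benefit from a one-line pointer to the same comment rather than three restatements. NetworkLockInit's body continues outside the hunk, so I cannot see whether the flag is re-read after b.mu is released.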


@ -17,7 +17,6 @@ import (
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"tailscale.com/control/controlclient" "tailscale.com/control/controlclient"
"tailscale.com/envknob"
"tailscale.com/hostinfo" "tailscale.com/hostinfo"
"tailscale.com/ipn" "tailscale.com/ipn"
"tailscale.com/ipn/store/mem" "tailscale.com/ipn/store/mem"
@ -66,8 +65,6 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
} }
func TestTKAEnablementFlow(t *testing.T) { func TestTKAEnablementFlow(t *testing.T) {
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
nodePriv := key.NewNode() nodePriv := key.NewNode()
// Make a fake TKA authority, getting a usable genesis AUM which // Make a fake TKA authority, getting a usable genesis AUM which
@ -150,12 +147,13 @@ func TestTKAEnablementFlow(t *testing.T) {
}, },
}).View())) }).View()))
b := LocalBackend{ b := LocalBackend{
varRoot: temp, capTailnetLock: true,
cc: cc, varRoot: temp,
ccAuto: cc, cc: cc,
logf: t.Logf, ccAuto: cc,
pm: pm, logf: t.Logf,
store: pm.Store(), pm: pm,
store: pm.Store(),
} }
err = b.tkaSyncIfNeeded(&netmap.NetworkMap{ err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
@ -174,8 +172,6 @@ func TestTKAEnablementFlow(t *testing.T) {
} }
func TestTKADisablementFlow(t *testing.T) { func TestTKADisablementFlow(t *testing.T) {
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
nodePriv := key.NewNode() nodePriv := key.NewNode()
// Make a fake TKA authority, to seed local state. // Make a fake TKA authority, to seed local state.
@ -297,9 +293,6 @@ func TestTKADisablementFlow(t *testing.T) {
} }
func TestTKASync(t *testing.T) { func TestTKASync(t *testing.T) {
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
someKeyPriv := key.NewNLPrivate() someKeyPriv := key.NewNLPrivate()
someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1} someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
@ -538,9 +531,6 @@ func TestTKASync(t *testing.T) {
} }
func TestTKAFilterNetmap(t *testing.T) { func TestTKAFilterNetmap(t *testing.T) {
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2} nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
storage := &tka.Mem{} storage := &tka.Mem{}
@ -597,8 +587,6 @@ func TestTKAFilterNetmap(t *testing.T) {
} }
func TestTKADisable(t *testing.T) { func TestTKADisable(t *testing.T) {
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
nodePriv := key.NewNode() nodePriv := key.NewNode()
// Make a fake TKA authority, to seed local state. // Make a fake TKA authority, to seed local state.
@ -692,8 +680,6 @@ func TestTKADisable(t *testing.T) {
} }
func TestTKASign(t *testing.T) { func TestTKASign(t *testing.T) {
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
nodePriv := key.NewNode() nodePriv := key.NewNode()
toSign := key.NewNode() toSign := key.NewNode()
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
@ -780,8 +766,6 @@ func TestTKASign(t *testing.T) {
} }
func TestTKAForceDisable(t *testing.T) { func TestTKAForceDisable(t *testing.T) {
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
nodePriv := key.NewNode() nodePriv := key.NewNode()
// Make a fake TKA authority, to seed local state. // Make a fake TKA authority, to seed local state.
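Review bot: Only TestTKAEnablementFlow sets `capTailnetLock: true` on its LocalBackend literal; the other tests in this file drop the WIP env knob without setting the flag, which presumably works because they seed `b.tka` so the `b.tka == nil` short-circuit never fires, but that dependence is not stated anywhere. More importantly, no test covers the new negative path: NetworkLockInit on a backend with `capTailnetLock` false should return the `"not permitted to enable tailnet lock"` error without touching state, and that is the branch that now carries the authorization decision. A small test constructing a LocalBackend without the flag and asserting the error from NetworkLockInit would pin it. The test functions here all continue outside their hunks.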


@ -100,7 +100,8 @@ type CapabilityVersion int
// - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction // - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
// - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events // - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
// - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding. // - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
const CurrentCapabilityVersion CapabilityVersion = 63 // - 64: 2023-07-11: Client understands s/CapabilityTailnetLockAlpha/CapabilityTailnetLock
const CurrentCapabilityVersion CapabilityVersion = 64
type StableID string type StableID string
@ -1850,11 +1851,8 @@ const (
// of connections to the default network interface on Darwin nodes. // of connections to the default network interface on Darwin nodes.
CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface" CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface"
// CapabilityTailnetLockAlpha indicates the node is in the tailnet lock alpha, // CapabilityTailnetLock indicates the node may initialize tailnet lock.
// and initialization of tailnet lock may proceed. CapabilityTailnetLock = "https://tailscale.com/cap/tailnet-lock"
//
// TODO(tom): Remove this for 1.35 and later.
CapabilityTailnetLockAlpha = "https://tailscale.com/cap/tailnet-lock-alpha"
// Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants. // Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants.
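Review bot: The new capability-version comment reads `// - 64: 2023-07-11: ...` while the commit record above is dated 2023-07-07, so one of the two dates looks wrong; the list is used as a changelog and should match the landing date. The constant's value also changes from `.../tailnet-lock-alpha` to `.../tailnet-lock`, so clients at CapabilityVersion 63 and below presumably still look for the old string; the comment on CapabilityTailnetLock should say which versions expect which string so control keeps granting the right one, e.g. `// CapabilityTailnetLock indicates the node may initialize tailnet lock. Clients before CapabilityVersion 64 expect the former tailnet-lock-alpha string instead.` The `const (` block continues outside the hunk.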