ipn: rename CapTailnetLockAlpha -> CapTailnetLock
Updates tailscale/corp#8568 Signed-off-by: Tom DNetto <tom@tailscale.com>
parent
60ab8089ff
commit
2bbedd2001
@ -1013,7 +1013,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
|
||||||
|
|
||||||
// Perform all reconfiguration based on the netmap here.
|
// Perform all reconfiguration based on the netmap here.
|
||||||
if st.NetMap != nil {
|
if st.NetMap != nil {
|
||||||
b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLockAlpha)
|
b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock)
|
||||||
|
|
||||||
b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded
|
b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded
|
||||||
if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil {
|
if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil {
|
||||||
|
|
|
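Review bot: The assignment `b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock)` re-derives the flag from every netmap, and with the WIP-code override gone from network-lock.go there is no longer any local way to set it. Read together with the guards in the later hunks, losing the capability only blocks new initialization (NetworkLockInit refuses on `!b.capTailnetLock`; the sync and filter paths short-circuit on `b.tka == nil && !b.capTailnetLock`), while a node that already holds TKA state keeps syncing. That asymmetry looks intentional but is not stated where the flag is set, so a comment here would help: `// capTailnetLock only gates enabling tailnet lock; a node with existing TKA state keeps operating if control later stops granting the cap.`. setClientStatus starts and ends outside this hunk.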
@ -20,7 +20,6 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"tailscale.com/envknob"
|
|
||||||
"tailscale.com/health"
|
"tailscale.com/health"
|
||||||
"tailscale.com/ipn"
|
"tailscale.com/ipn"
|
||||||
"tailscale.com/ipn/ipnstate"
|
"tailscale.com/ipn/ipnstate"
|
||||||
|
@ -53,20 +52,12 @@ type tkaState struct {
|
||||||
filtered []ipnstate.TKAFilteredPeer
|
filtered []ipnstate.TKAFilteredPeer
|
||||||
}
|
}
|
||||||
|
|
||||||
// permitTKAInitLocked returns true if tailnet lock initialization may
|
|
||||||
// occur.
|
|
||||||
// b.mu must be held.
|
|
||||||
func (b *LocalBackend) permitTKAInitLocked() bool {
|
|
||||||
return envknob.UseWIPCode() || b.capTailnetLock
|
|
||||||
}
|
|
||||||
|
|
||||||
// tkaFilterNetmapLocked checks the signatures on each node key, dropping
|
// tkaFilterNetmapLocked checks the signatures on each node key, dropping
|
||||||
// nodes from the netmap whose signature does not verify.
|
// nodes from the netmap whose signature does not verify.
|
||||||
//
|
//
|
||||||
// b.mu must be held.
|
// b.mu must be held.
|
||||||
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
|
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
|
||||||
// TODO(tom): Remove this guard for 1.35 and later.
|
if b.tka == nil && !b.capTailnetLock {
|
||||||
if b.tka == nil && !b.permitTKAInitLocked() {
|
|
||||||
health.SetTKAHealth(nil)
|
health.SetTKAHealth(nil)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
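Review bot: The `// TODO(tom): Remove this guard for 1.35 and later.` added above the check in tkaFilterNetmapLocked (and repeated in tkaSyncIfNeeded and NetworkLockInit in the following hunks) does not say which part is meant to go: the whole `b.tka == nil && !b.capTailnetLock` condition, or only the capability half. In NetworkLockInit the condition is `!b.capTailnetLock` alone, and it is the only control-plane authorization visible in these hunks before a local API caller can initialize tailnet lock, so a mechanical removal of all three would leave that path ungated. Stating the intended end state once would prevent that, e.g. `// TODO(tom): Remove this guard for 1.35 and later; note it is the control-plane check gating TKA initialization, so do not drop it without a replacement.`. The body of tkaFilterNetmapLocked continues past this hunk.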
@ -153,8 +144,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
|
||||||
b.mu.Lock() // take mu to protect access to synchronized fields.
|
b.mu.Lock() // take mu to protect access to synchronized fields.
|
||||||
defer b.mu.Unlock()
|
defer b.mu.Unlock()
|
||||||
|
|
||||||
// TODO(tom): Remove this guard for 1.35 and later.
|
if b.tka == nil && !b.capTailnetLock {
|
||||||
if b.tka == nil && !b.permitTKAInitLocked() {
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -483,10 +473,9 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
|
||||||
var nlPriv key.NLPrivate
|
var nlPriv key.NLPrivate
|
||||||
b.mu.Lock()
|
b.mu.Lock()
|
||||||
|
|
||||||
// TODO(tom): Remove this guard for 1.35 and later.
|
if !b.capTailnetLock {
|
||||||
if !b.permitTKAInitLocked() {
|
|
||||||
b.mu.Unlock()
|
b.mu.Unlock()
|
||||||
return errors.New("this feature is not yet complete, a later release may support this functionality")
|
return errors.New("not permitted to enable tailnet lock")
|
||||||
}
|
}
|
||||||
|
|
||||||
if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {
|
if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {
|
||||||
|
|
|
@ -17,7 +17,6 @@ import (
|
||||||
|
|
||||||
"github.com/google/go-cmp/cmp"
|
"github.com/google/go-cmp/cmp"
|
||||||
"tailscale.com/control/controlclient"
|
"tailscale.com/control/controlclient"
|
||||||
"tailscale.com/envknob"
|
|
||||||
"tailscale.com/hostinfo"
|
"tailscale.com/hostinfo"
|
||||||
"tailscale.com/ipn"
|
"tailscale.com/ipn"
|
||||||
"tailscale.com/ipn/store/mem"
|
"tailscale.com/ipn/store/mem"
|
||||||
|
@ -66,8 +65,6 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTKAEnablementFlow(t *testing.T) {
|
func TestTKAEnablementFlow(t *testing.T) {
|
||||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
|
||||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
|
||||||
nodePriv := key.NewNode()
|
nodePriv := key.NewNode()
|
||||||
|
|
||||||
// Make a fake TKA authority, getting a usable genesis AUM which
|
// Make a fake TKA authority, getting a usable genesis AUM which
|
||||||
|
@ -150,12 +147,13 @@ func TestTKAEnablementFlow(t *testing.T) {
|
||||||
},
|
},
|
||||||
}).View()))
|
}).View()))
|
||||||
b := LocalBackend{
|
b := LocalBackend{
|
||||||
varRoot: temp,
|
capTailnetLock: true,
|
||||||
cc: cc,
|
varRoot: temp,
|
||||||
ccAuto: cc,
|
cc: cc,
|
||||||
logf: t.Logf,
|
ccAuto: cc,
|
||||||
pm: pm,
|
logf: t.Logf,
|
||||||
store: pm.Store(),
|
pm: pm,
|
||||||
|
store: pm.Store(),
|
||||||
}
|
}
|
||||||
|
|
||||||
err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
|
err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
|
||||||
|
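Review bot: Only TestTKAEnablementFlow gains `capTailnetLock: true,` in its LocalBackend literal; the other tests in this file (TestTKADisablementFlow, TestTKASync, TestTKAFilterNetmap, TestTKADisable, TestTKASign, TestTKAForceDisable) lose the TAILSCALE_USE_WIP_CODE override in the following hunks and set nothing in its place. They presumably pass because they seed b.tka before reaching the `b.tka == nil && !b.capTailnetLock` guards, which happens outside these hunks; any of them that reaches NetworkLockInit, whose check is `!b.capTailnetLock` alone, would now fail. Adding `capTailnetLock: true,` to those literals too would make the tests independent of which guard they hit, and would keep them passing if the `b.tka == nil` short-circuit is later removed per the new TODOs. TestTKAEnablementFlow continues outside this hunk.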
@ -174,8 +172,6 @@ func TestTKAEnablementFlow(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTKADisablementFlow(t *testing.T) {
|
func TestTKADisablementFlow(t *testing.T) {
|
||||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
|
||||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
|
||||||
nodePriv := key.NewNode()
|
nodePriv := key.NewNode()
|
||||||
|
|
||||||
// Make a fake TKA authority, to seed local state.
|
// Make a fake TKA authority, to seed local state.
|
||||||
|
@ -297,9 +293,6 @@ func TestTKADisablementFlow(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTKASync(t *testing.T) {
|
func TestTKASync(t *testing.T) {
|
||||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
|
||||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
|
||||||
|
|
||||||
someKeyPriv := key.NewNLPrivate()
|
someKeyPriv := key.NewNLPrivate()
|
||||||
someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
|
someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
|
||||||
|
|
||||||
|
@ -538,9 +531,6 @@ func TestTKASync(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTKAFilterNetmap(t *testing.T) {
|
func TestTKAFilterNetmap(t *testing.T) {
|
||||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
|
||||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
|
||||||
|
|
||||||
nlPriv := key.NewNLPrivate()
|
nlPriv := key.NewNLPrivate()
|
||||||
nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
|
nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
|
||||||
storage := &tka.Mem{}
|
storage := &tka.Mem{}
|
||||||
|
@ -597,8 +587,6 @@ func TestTKAFilterNetmap(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTKADisable(t *testing.T) {
|
func TestTKADisable(t *testing.T) {
|
||||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
|
||||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
|
||||||
nodePriv := key.NewNode()
|
nodePriv := key.NewNode()
|
||||||
|
|
||||||
// Make a fake TKA authority, to seed local state.
|
// Make a fake TKA authority, to seed local state.
|
||||||
|
@ -692,8 +680,6 @@ func TestTKADisable(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTKASign(t *testing.T) {
|
func TestTKASign(t *testing.T) {
|
||||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
|
||||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
|
||||||
nodePriv := key.NewNode()
|
nodePriv := key.NewNode()
|
||||||
toSign := key.NewNode()
|
toSign := key.NewNode()
|
||||||
nlPriv := key.NewNLPrivate()
|
nlPriv := key.NewNLPrivate()
|
||||||
|
@ -780,8 +766,6 @@ func TestTKASign(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTKAForceDisable(t *testing.T) {
|
func TestTKAForceDisable(t *testing.T) {
|
||||||
envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
|
|
||||||
defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
|
|
||||||
nodePriv := key.NewNode()
|
nodePriv := key.NewNode()
|
||||||
|
|
||||||
// Make a fake TKA authority, to seed local state.
|
// Make a fake TKA authority, to seed local state.
|
||||||
|
|
|
@ -100,7 +100,8 @@ type CapabilityVersion int
|
||||||
// - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
|
// - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
|
||||||
// - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
|
// - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
|
||||||
// - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
|
// - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding.
|
||||||
const CurrentCapabilityVersion CapabilityVersion = 63
|
// - 64: 2023-07-11: Client understands s/CapabilityTailnetLockAlpha/CapabilityTailnetLock
|
||||||
|
const CurrentCapabilityVersion CapabilityVersion = 64
|
||||||
|
|
||||||
type StableID string
|
type StableID string
|
||||||
|
|
||||||
|
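Review bot: The new entry `// - 64: 2023-07-11: Client understands s/CapabilityTailnetLockAlpha/CapabilityTailnetLock` uses sed notation where every neighbouring entry states the change in plain words. This list is what control-plane maintainers read to decide which capability string a client accepts, so a plain sentence is clearer: `// - 64: 2023-07-11: Client understands CapabilityTailnetLock and no longer recognizes CapabilityTailnetLockAlpha.`. That the alpha string is no longer recognized follows from the later hunk deleting the constant.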
@ -1850,11 +1851,8 @@ const (
|
||||||
// of connections to the default network interface on Darwin nodes.
|
// of connections to the default network interface on Darwin nodes.
|
||||||
CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface"
|
CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface"
|
||||||
|
|
||||||
// CapabilityTailnetLockAlpha indicates the node is in the tailnet lock alpha,
|
// CapabilityTailnetLock indicates the node may initialize tailnet lock.
|
||||||
// and initialization of tailnet lock may proceed.
|
CapabilityTailnetLock = "https://tailscale.com/cap/tailnet-lock"
|
||||||
//
|
|
||||||
// TODO(tom): Remove this for 1.35 and later.
|
|
||||||
CapabilityTailnetLockAlpha = "https://tailscale.com/cap/tailnet-lock-alpha"
|
|
||||||
|
|
||||||
// Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants.
|
// Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants.
|
||||||
|
|
||||||
|
|