From 0b2a9500a7d9efae0f2bf1b5e592d65e56095a19 Mon Sep 17 00:00:00 2001
From: Anton Tolchanov
Date: Tue, 13 May 2025 11:07:12 +0100
Subject: [PATCH] ipn/ipnlocal: group LocalBackend changes, remove unnecessary check

Updates #test

Signed-off-by: Anton Tolchanov
---
 ipn/ipnlocal/local.go | 65 +++++++++++++++++++++++++++++++++
 ipn/ipnlocal/network-lock.go | 71 ------------------------------------
 2 files changed, 65 insertions(+), 71 deletions(-)

diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 79383aa37..51b3b035c 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -7691,3 +7691,68 @@ func (b *LocalBackend) vipServicesFromPrefsLocked(prefs ipn.PrefsView) []*tailcf
 var (
 metricCurrentWatchIPNBus = clientmetric.NewGauge("localbackend_current_watch_ipn_bus")
 )
+
+// tkaFilterNetmapLocked checks the signatures on each node key, dropping
+// nodes from the netmap whose signature does not verify.
+//
+// b.mu must be held.
+func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
+ if b.tka == nil {
+ b.health.SetTKAHealth(nil)
+ return // TKA not enabled.
+ }
+
+ tracker := rotationTracker{logf: b.logf}
+ var toDelete map[int]bool // peer index => true
+ for i, p := range nm.Peers {
+ if p.UnsignedPeerAPIOnly() {
+ // Not subject to tailnet lock.
+ continue
+ }
+ if p.KeySignature().Len() == 0 {
+ b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID(), p.StableID())
+ mak.Set(&toDelete, i, true)
+ } else {
+ details, err := b.tka.authority.NodeKeyAuthorizedWithDetails(p.Key(), p.KeySignature().AsSlice())
+ if err != nil {
+ b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID(), p.StableID(), err)
+ mak.Set(&toDelete, i, true)
+ continue
+ }
+ if details != nil {
+ // Rotation details are returned when the node key is signed by a valid SigRotation signature.
+ tracker.addRotationDetails(p.Key(), details)
+ }
+ }
+ }
+
+ obsoleteByRotation := tracker.obsoleteKeys()
+
+ // nm.Peers is ordered, so deletion must be order-preserving.
+ if len(toDelete) > 0 || len(obsoleteByRotation) > 0 {
+ peers := make([]tailcfg.NodeView, 0, len(nm.Peers))
+ filtered := make([]ipnstate.TKAPeer, 0, len(toDelete)+len(obsoleteByRotation))
+ for i, p := range nm.Peers {
+ if !toDelete[i] && !obsoleteByRotation.Contains(p.Key()) {
+ peers = append(peers, p)
+ } else {
+ if obsoleteByRotation.Contains(p.Key()) {
+ b.logf("Network lock is dropping peer %v(%v) due to key rotation", p.ID(), p.StableID())
+ }
+ // Record information about the node we filtered out.
+ filtered = append(filtered, tkaStateFromPeer(p))
+ }
+ }
+ nm.Peers = peers
+ b.tka.filtered = filtered
+ } else {
+ b.tka.filtered = nil
+ }
+
+ // Check that we ourselves are not locked out, report a health issue if so.
+ if nm.SelfNode.Valid() && b.tka.authority.NodeKeyAuthorized(nm.SelfNode.Key(), nm.SelfNode.KeySignature().AsSlice()) != nil {
+ b.health.SetTKAHealth(errors.New(healthmsg.LockedOut))
+ } else {
+ b.health.SetTKAHealth(nil)
+ }
+}
diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go
index 36d39a465..158b39ebc 100644
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -21,7 +21,6 @@ import (
 "slices"
 "time"
- "tailscale.com/health/healthmsg"
 "tailscale.com/ipn"
 "tailscale.com/ipn/ipnstate"
 "tailscale.com/net/tsaddr"
@@ -33,7 +32,6 @@ import (
 "tailscale.com/types/netmap"
 "tailscale.com/types/persist"
 "tailscale.com/types/tkatype"
- "tailscale.com/util/mak"
 "tailscale.com/util/set"
 )
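Review bot: The doc comment at the top of the hunk describes only the signature check, while the body also rewrites `nm.Peers` in place, records every dropped peer in `b.tka.filtered` (or resets it to nil), and sets TKA health to `healthmsg.LockedOut` when the self node fails `NodeKeyAuthorized`; since those are the security-relevant outputs a caller depends on, I would extend the comment with `// nm.Peers is rewritten in place and the dropped peers are recorded in b.tka.filtered; if the local node itself fails authorization, TKA health is set to healthmsg.LockedOut.` A style point in the second loop: `obsoleteByRotation.Contains(p.Key())` is evaluated twice per peer, and a peer that is both in `toDelete` and obsolete by rotation can be logged once for the signature failure and again for rotation, so hoisting `rotated := obsoleteByRotation.Contains(p.Key())` above the `if` removes the duplicate lookup and makes that second log conditional explicit. The body also dereferences `nm` unconditionally; presumably callers never pass a nil netmap, but that precondition belongs in the comment next to `b.mu must be held`. The hunk does not show local.go's import block, so I am assuming `mak`, `healthmsg` and the other packages dropped from network-lock.go are already imported there.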
@@ -56,75 +54,6 @@ type tkaState struct {
 filtered []ipnstate.TKAPeer
 }
-// tkaFilterNetmapLocked checks the signatures on each node key, dropping
-// nodes from the netmap whose signature does not verify.
-//
-// b.mu must be held.
-func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
- if b.tka == nil && !b.capTailnetLock {
- b.health.SetTKAHealth(nil)
- return
- }
- if b.tka == nil {
- b.health.SetTKAHealth(nil)
- return // TKA not enabled.
- }
-
- tracker := rotationTracker{logf: b.logf}
- var toDelete map[int]bool // peer index => true
- for i, p := range nm.Peers {
- if p.UnsignedPeerAPIOnly() {
- // Not subject to tailnet lock.
- continue
- }
- if p.KeySignature().Len() == 0 {
- b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID(), p.StableID())
- mak.Set(&toDelete, i, true)
- } else {
- details, err := b.tka.authority.NodeKeyAuthorizedWithDetails(p.Key(), p.KeySignature().AsSlice())
- if err != nil {
- b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID(), p.StableID(), err)
- mak.Set(&toDelete, i, true)
- continue
- }
- if details != nil {
- // Rotation details are returned when the node key is signed by a valid SigRotation signature.
- tracker.addRotationDetails(p.Key(), details)
- }
- }
- }
-
- obsoleteByRotation := tracker.obsoleteKeys()
-
- // nm.Peers is ordered, so deletion must be order-preserving.
- if len(toDelete) > 0 || len(obsoleteByRotation) > 0 {
- peers := make([]tailcfg.NodeView, 0, len(nm.Peers))
- filtered := make([]ipnstate.TKAPeer, 0, len(toDelete)+len(obsoleteByRotation))
- for i, p := range nm.Peers {
- if !toDelete[i] && !obsoleteByRotation.Contains(p.Key()) {
- peers = append(peers, p)
- } else {
- if obsoleteByRotation.Contains(p.Key()) {
- b.logf("Network lock is dropping peer %v(%v) due to key rotation", p.ID(), p.StableID())
- }
- // Record information about the node we filtered out.
- filtered = append(filtered, tkaStateFromPeer(p))
- }
- }
- nm.Peers = peers
- b.tka.filtered = filtered
- } else {
- b.tka.filtered = nil
- }
-
- // Check that we ourselves are not locked out, report a health issue if so.
- if nm.SelfNode.Valid() && b.tka.authority.NodeKeyAuthorized(nm.SelfNode.Key(), nm.SelfNode.KeySignature().AsSlice()) != nil {
- b.health.SetTKAHealth(errors.New(healthmsg.LockedOut))
- } else {
- b.health.SetTKAHealth(nil)
- }
-}
-
 // rotationTracker determines the set of node keys that are made obsolete by key
 // rotation.
 // - for each SigRotation signature, all previous node keys referenced by the