control/controlclient, localapi: shorten expiry time via localapi (#4112)

Signed-off-by: Nick O'Neill <nick@tailscale.com>
2025-10-08 23:49:56 +00:00 · 2022-03-09 14:42:42 -08:00
parent 2bcc047d4f
commit 1625e87526
6 changed files with 73 additions and 2 deletions
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -657,6 +657,10 @@ func (c *Auto) Logout(ctx context.Context) error {
 	}
 }

+func (c *Auto) SetExpirySooner(ctx context.Context, expiry time.Time) error {
+	return c.direct.SetExpirySooner(ctx, expiry)
+}
+
 // UpdateEndpoints sets the client's discovered endpoints and sends
 // them to the control server if they've changed.
 //
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -11,6 +11,7 @@ package controlclient

 import (
 	"context"
+	"time"

 	"tailscale.com/tailcfg"
 )
@@ -45,6 +46,9 @@ type Client interface {
 	// Logout starts a synchronous logout process. It doesn't return
 	// until the logout operation has been completed.
 	Logout(context.Context) error
+	// SetExpirySooner sets the node's expiry time via the controlclient,
+	// as long as it's shorter than the current expiry time.
+	SetExpirySooner(context.Context, time.Time) error
 	// SetPaused pauses or unpauses the controlclient activity as much
 	// as possible, without losing its internal state, to minimize
 	// unnecessary network activity.
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -302,12 +302,27 @@ func (c *Direct) doLoginOrRegen(ctx context.Context, opt loginOpt) (newURL strin
 	return url, err
 }

+// SetExpirySooner attempts to shorten the expiry to the specified time.
+func (c *Direct) SetExpirySooner(ctx context.Context, expiry time.Time) error {
+	c.logf("[v1] direct.SetExpirySooner()")
+
+	newURL, err := c.doLoginOrRegen(ctx, loginOpt{Expiry: &expiry})
+	c.logf("[v1] SetExpirySooner control response: newURL=%v, err=%v", newURL, err)
+
+	return err
+}
+
 type loginOpt struct {
 	Token  *tailcfg.Oauth2Token
 	Flags  LoginFlags
-	Regen  bool
+	Regen  bool // generate a new nodekey, can be overridden in doLogin
 	URL    string
-	Logout bool
+	Logout bool // set the expiry to the far past, expiring the node
+	// Expiry, if non-nil, attempts to set the node expiry to the
+	// specified time and cannot be used to extend the expiry.
+	// It is ignored if Logout is set since Logout works by setting a
+	// expiry time in the far past.
+	Expiry *time.Time
 }

 // httpClient provides a common interface for the noiseClient and
@@ -406,6 +421,8 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	}
 	if opt.Logout {
 		request.Expiry = time.Unix(123, 0) // far in the past
+	} else if opt.Expiry != nil {
+		request.Expiry = *opt.Expiry
 	}
 	c.logf("RegisterReq: onode=%v node=%v fup=%v",
 		request.OldNodeKey.ShortString(),