cmd/tailscale,ipn: support disablement args in lock cli, implement disable

* Support specifiying disablement values in lock init command * Support specifying rotation key in lock sign command * Implement lock disable command * Implement disablement-kdf command Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2022-11-04 12:12:51 -07:00
parent fb392e34b5
commit 3271daf7a3
4 changed files with 188 additions and 30 deletions
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -13,6 +13,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httputil"
@@ -80,6 +81,7 @@ var handler = map[string]localAPIHandler{
 	"tka/modify":              (*Handler).serveTKAModify,
 	"tka/sign":                (*Handler).serveTKASign,
 	"tka/status":              (*Handler).serveTKAStatus,
+	"tka/disable":             (*Handler).serveTKADisable,
 	"upload-client-metrics":   (*Handler).serveUploadClientMetrics,
 	"whois":                   (*Handler).serveWhoIs,
 }
@@ -1073,6 +1075,30 @@ func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }

+func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != http.MethodPost {
+		http.Error(w, "use POST", http.StatusMethodNotAllowed)
+		return
+	}
+
+	body := io.LimitReader(r.Body, 1024*1024)
+	secret, err := ioutil.ReadAll(body)
+	if err != nil {
+		http.Error(w, "reading secret", 400)
+		return
+	}
+
+	if err := h.b.NetworkLockDisable(secret); err != nil {
+		http.Error(w, "network-lock disable failed: "+err.Error(), http.StatusBadRequest)
+		return
+	}
+	w.WriteHeader(200)
+}
+
 func defBool(a string, def bool) bool {
 	if a == "" {
 		return def