tka: reject removal of the last signing key

Fixes tailscale/corp#19447 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2025-12-24 01:26:39 +00:00 · 2025-06-13 14:45:28 +01:00
parent 59fab8bda7
commit 42da161b19
3 changed files with 25 additions and 0 deletions
--- a/tka/builder_test.go
+++ b/tka/builder_test.go
@@ -5,6 +5,7 @@ package tka

 import (
 	"crypto/ed25519"
+	"strings"
 	"testing"

 	"github.com/google/go-cmp/cmp"
@@ -90,6 +91,20 @@ func TestAuthorityBuilderRemoveKey(t *testing.T) {
 	if _, err := a.state.GetKey(key2.MustID()); err != ErrNoSuchKey {
 		t.Errorf("GetKey(key2).err = %v, want %v", err, ErrNoSuchKey)
 	}
+
+	// Check that removing the remaining key errors out.
+	b = a.NewUpdater(signer25519(priv))
+	if err := b.RemoveKey(key.MustID()); err != nil {
+		t.Fatalf("RemoveKey(%v) failed: %v", key, err)
+	}
+	updates, err = b.Finalize(storage)
+	if err != nil {
+		t.Fatalf("Finalize() failed: %v", err)
+	}
+	wantErr := "cannot remove the last key"
+	if err := a.Inform(storage, updates); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Fatalf("expected Inform() to return error %q, got: %v", wantErr, err)
+	}
 }

 func TestAuthorityBuilderSetKeyVote(t *testing.T) {