ipn/ipnlocal,cmd/tailscale: minor improvements to lock modify command
* Do not print the status at the end of a successful operation * Ensure the key of the current node is actually trusted to make these changes Signed-off-by: Tom DNetto <tom@tailscale.com>
This commit is contained in:
parent
98f21354c6
commit
55e0512a05
@ -805,7 +805,7 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key, disa
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
|
// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
|
||||||
func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
|
func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) error {
|
||||||
var b bytes.Buffer
|
var b bytes.Buffer
|
||||||
type modifyRequest struct {
|
type modifyRequest struct {
|
||||||
AddKeys []tka.Key
|
AddKeys []tka.Key
|
||||||
@ -813,14 +813,13 @@ func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKey
|
|||||||
}
|
}
|
||||||
|
|
||||||
if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
|
if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
|
||||||
return nil, err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
|
if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 204, &b); err != nil {
|
||||||
if err != nil {
|
return fmt.Errorf("error: %w", err)
|
||||||
return nil, fmt.Errorf("error: %w", err)
|
|
||||||
}
|
}
|
||||||
return decodeJSON[*ipnstate.NetworkLockStatus](body)
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
|
// NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
|
||||||
|
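Review bot: On the new side of the NetworkLockModify hunk, `return fmt.Errorf("error: %w", err)` adds no context — the "error:" prefix is redundant once the error is chained — so say what this layer was doing instead, e.g. `return fmt.Errorf("tka modify: %w", err)`. The switch to expecting 204 and discarding the body matches the localapi handler change in this commit, but the doc comment on the function still describes only what is added or removed; consider appending `// It returns nil once the local API reports success (HTTP 204); no status is returned.` so callers know the result type change is deliberate.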
@ -28,7 +28,7 @@ var netlockCmd = &ffcli.Command{
|
|||||||
Name: "lock",
|
Name: "lock",
|
||||||
ShortUsage: "lock <sub-command> <arguments>",
|
ShortUsage: "lock <sub-command> <arguments>",
|
||||||
ShortHelp: "Manage tailnet lock",
|
ShortHelp: "Manage tailnet lock",
|
||||||
LongHelp: "Manage tailnet lock",
|
LongHelp: "Manage tailnet lock",
|
||||||
Subcommands: []*ffcli.Command{
|
Subcommands: []*ffcli.Command{
|
||||||
nlInitCmd,
|
nlInitCmd,
|
||||||
nlStatusCmd,
|
nlStatusCmd,
|
||||||
@ -155,7 +155,7 @@ var nlStatusCmd = &ffcli.Command{
|
|||||||
Name: "status",
|
Name: "status",
|
||||||
ShortUsage: "status",
|
ShortUsage: "status",
|
||||||
ShortHelp: "Outputs the state of network lock",
|
ShortHelp: "Outputs the state of network lock",
|
||||||
LongHelp: "Outputs the state of network lock",
|
LongHelp: "Outputs the state of network lock",
|
||||||
Exec: runNetworkLockStatus,
|
Exec: runNetworkLockStatus,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -229,7 +229,7 @@ var nlAddCmd = &ffcli.Command{
|
|||||||
Name: "add",
|
Name: "add",
|
||||||
ShortUsage: "add <public-key>...",
|
ShortUsage: "add <public-key>...",
|
||||||
ShortHelp: "Adds one or more trusted signing keys to tailnet lock",
|
ShortHelp: "Adds one or more trusted signing keys to tailnet lock",
|
||||||
LongHelp: "Adds one or more trusted signing keys to tailnet lock",
|
LongHelp: "Adds one or more trusted signing keys to tailnet lock",
|
||||||
Exec: func(ctx context.Context, args []string) error {
|
Exec: func(ctx context.Context, args []string) error {
|
||||||
return runNetworkLockModify(ctx, args, nil)
|
return runNetworkLockModify(ctx, args, nil)
|
||||||
},
|
},
|
||||||
@ -239,7 +239,7 @@ var nlRemoveCmd = &ffcli.Command{
|
|||||||
Name: "remove",
|
Name: "remove",
|
||||||
ShortUsage: "remove <public-key>...",
|
ShortUsage: "remove <public-key>...",
|
||||||
ShortHelp: "Removes one or more trusted signing keys from tailnet lock",
|
ShortHelp: "Removes one or more trusted signing keys from tailnet lock",
|
||||||
LongHelp: "Removes one or more trusted signing keys from tailnet lock",
|
LongHelp: "Removes one or more trusted signing keys from tailnet lock",
|
||||||
Exec: func(ctx context.Context, args []string) error {
|
Exec: func(ctx context.Context, args []string) error {
|
||||||
return runNetworkLockModify(ctx, nil, args)
|
return runNetworkLockModify(ctx, nil, args)
|
||||||
},
|
},
|
||||||
@ -310,12 +310,9 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
|
if err := localClient.NetworkLockModify(ctx, addKeys, removeKeys); err != nil {
|
||||||
if err != nil {
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
fmt.Printf("Status: %+v\n\n", status)
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -323,7 +320,7 @@ var nlSignCmd = &ffcli.Command{
|
|||||||
Name: "sign",
|
Name: "sign",
|
||||||
ShortUsage: "sign <node-key> [<rotation-key>]",
|
ShortUsage: "sign <node-key> [<rotation-key>]",
|
||||||
ShortHelp: "Signs a node key and transmits the signature to the coordination server",
|
ShortHelp: "Signs a node key and transmits the signature to the coordination server",
|
||||||
LongHelp: "Signs a node key and transmits the signature to the coordination server",
|
LongHelp: "Signs a node key and transmits the signature to the coordination server",
|
||||||
Exec: runNetworkLockSign,
|
Exec: runNetworkLockSign,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -363,7 +360,7 @@ Once this secret is used, it has been distributed
|
|||||||
to all nodes in the tailnet and should be considered public.
|
to all nodes in the tailnet and should be considered public.
|
||||||
|
|
||||||
`),
|
`),
|
||||||
Exec: runNetworkLockDisable,
|
Exec: runNetworkLockDisable,
|
||||||
}
|
}
|
||||||
|
|
||||||
func runNetworkLockDisable(ctx context.Context, args []string) error {
|
func runNetworkLockDisable(ctx context.Context, args []string) error {
|
||||||
@ -392,7 +389,7 @@ that the current node will accept traffic from other nodes in the tailnet
|
|||||||
that are locked out.
|
that are locked out.
|
||||||
|
|
||||||
`),
|
`),
|
||||||
Exec: runNetworkLockLocalDisable,
|
Exec: runNetworkLockLocalDisable,
|
||||||
}
|
}
|
||||||
|
|
||||||
func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
|
func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
|
||||||
@ -403,7 +400,7 @@ var nlDisablementKDFCmd = &ffcli.Command{
|
|||||||
Name: "disablement-kdf",
|
Name: "disablement-kdf",
|
||||||
ShortUsage: "disablement-kdf <hex-encoded-disablement-secret>",
|
ShortUsage: "disablement-kdf <hex-encoded-disablement-secret>",
|
||||||
ShortHelp: "Computes a disablement value from a disablement secret (advanced users only)",
|
ShortHelp: "Computes a disablement value from a disablement secret (advanced users only)",
|
||||||
LongHelp: "Computes a disablement value from a disablement secret (advanced users only)",
|
LongHelp: "Computes a disablement value from a disablement secret (advanced users only)",
|
||||||
Exec: runNetworkLockDisablementKDF,
|
Exec: runNetworkLockDisablementKDF,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -427,7 +424,7 @@ var nlLogCmd = &ffcli.Command{
|
|||||||
Name: "log",
|
Name: "log",
|
||||||
ShortUsage: "log [--limit N]",
|
ShortUsage: "log [--limit N]",
|
||||||
ShortHelp: "List changes applied to tailnet lock",
|
ShortHelp: "List changes applied to tailnet lock",
|
||||||
LongHelp: "List changes applied to tailnet lock",
|
LongHelp: "List changes applied to tailnet lock",
|
||||||
Exec: runNetworkLockLog,
|
Exec: runNetworkLockLog,
|
||||||
FlagSet: (func() *flag.FlagSet {
|
FlagSet: (func() *flag.FlagSet {
|
||||||
fs := newFlagSet("lock log")
|
fs := newFlagSet("lock log")
|
||||||
|
@ -654,6 +654,9 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
|
|||||||
if b.tka == nil {
|
if b.tka == nil {
|
||||||
return errNetworkLockNotActive
|
return errNetworkLockNotActive
|
||||||
}
|
}
|
||||||
|
if !b.tka.authority.KeyTrusted(nlPriv.KeyID()) {
|
||||||
|
return errors.New("this node does not have a trusted tailnet lock key")
|
||||||
|
}
|
||||||
|
|
||||||
updater := b.tka.authority.NewUpdater(nlPriv)
|
updater := b.tka.authority.NewUpdater(nlPriv)
|
||||||
|
|
||||||
|
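Review bot: The new trust check `if !b.tka.authority.KeyTrusted(nlPriv.KeyID())` returns an ad-hoc `errors.New`, while the neighbouring not-active case a few lines above returns the package sentinel `errNetworkLockNotActive`; a sentinel such as `errNetworkLockKeyNotTrusted` declared alongside it would let callers and tests match with errors.Is rather than comparing strings. A why-comment would also help the next reader, e.g. `// Refuse early so the caller gets a clear error instead of this node signing updates with a key the authority does not trust.`. NetworkLockModify begins before this hunk, so whether nlPriv and b.tka are read under the same lock as this check cannot be confirmed from here; worth verifying that the trust check and the NewUpdater call below see a consistent authority state.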
@ -1254,14 +1254,7 @@ func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
|
|||||||
http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
|
http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
w.WriteHeader(204)
|
||||||
j, err := json.MarshalIndent(h.b.NetworkLockStatus(), "", "\t")
|
|
||||||
if err != nil {
|
|
||||||
http.Error(w, "JSON encoding error", 500)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
w.Header().Set("Content-Type", "application/json")
|
|
||||||
w.Write(j)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
|
func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
|
||||||
|
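Review bot: `w.WriteHeader(204)` in serveTKAModify uses a bare status code while the error path two lines above uses `http.StatusInternalServerError`; write `w.WriteHeader(http.StatusNoContent)` for consistency and readability. The client side of this commit now requires exactly 204 from this endpoint, so the two files are coupled; a short comment such as `// 204 with no body: LocalClient.NetworkLockModify treats any other status as failure.` would make that contract visible to whoever next edits the handler.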