ipn/ipnlocal,cmd/tailscale: minor improvements to lock modify command

* Do not print the status at the end of a successful operation * Ensure the key of the current node is actually trusted to make these changes Signed-off-by: Tom DNetto <tom@tailscale.com>
2024-11-25 19:15:34 +00:00 · 2022-12-04 22:55:57 -08:00 · 2022-12-04 22:55:57 -08:00 · 55e0512a05
commit 55e0512a05
parent 98f21354c6
4 changed files with 19 additions and 27 deletions
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@ -805,7 +805,7 @@ type initRequest struct {
 }

 // NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
-func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) error {
 	var b bytes.Buffer
 	type modifyRequest struct {
 		AddKeys    []tka.Key
@ -813,14 +813,13 @@ type modifyRequest struct {
 	}

 	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
-		return nil, err
+		return err
 	}

-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 204, &b); err != nil {
+		return fmt.Errorf("error: %w", err)
 	}
-	return decodeJSON[*ipnstate.NetworkLockStatus](body)
+	return nil
 }

 // NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@ -310,12 +310,9 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
 		return err
 	}

-	status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
-	if err != nil {
+	if err := localClient.NetworkLockModify(ctx, addKeys, removeKeys); err != nil {
 		return err
 	}
-
-	fmt.Printf("Status: %+v\n\n", status)
 	return nil
 }

--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@ -654,6 +654,9 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
 	if b.tka == nil {
 		return errNetworkLockNotActive
 	}
+	if !b.tka.authority.KeyTrusted(nlPriv.KeyID()) {
+		return errors.New("this node does not have a trusted tailnet lock key")
+	}

 	updater := b.tka.authority.NewUpdater(nlPriv)

--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@ -1254,14 +1254,7 @@ type modifyRequest struct {
 		http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
-
-	j, err := json.MarshalIndent(h.b.NetworkLockStatus(), "", "\t")
-	if err != nil {
-		http.Error(w, "JSON encoding error", 500)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(j)
+	w.WriteHeader(204)
 }

 func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {