ipn/ipnlocal,cmd/tailscale: minor improvements to lock modify command

* Do not print the status at the end of a successful operation
 * Ensure the key of the current node is actually trusted to make these changes

Signed-off-by: Tom DNetto <tom@tailscale.com>
This commit is contained in:
Tom DNetto 2022-12-04 22:55:57 -08:00 committed by Tom
parent 98f21354c6
commit 55e0512a05
4 changed files with 19 additions and 27 deletions

View File

@ -805,7 +805,7 @@ type initRequest struct {
}
// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) error {
var b bytes.Buffer
type modifyRequest struct {
AddKeys []tka.Key
@ -813,14 +813,13 @@ type modifyRequest struct {
}
if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
return nil, err
return err
}
body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
if err != nil {
return nil, fmt.Errorf("error: %w", err)
if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 204, &b); err != nil {
return fmt.Errorf("error: %w", err)
}
return decodeJSON[*ipnstate.NetworkLockStatus](body)
return nil
}
// NetworkLockSign signs the specified node-key and transmits that signature to the control plane.

View File

@ -28,7 +28,7 @@
Name: "lock",
ShortUsage: "lock <sub-command> <arguments>",
ShortHelp: "Manage tailnet lock",
LongHelp: "Manage tailnet lock",
LongHelp: "Manage tailnet lock",
Subcommands: []*ffcli.Command{
nlInitCmd,
nlStatusCmd,
@ -155,7 +155,7 @@ func runNetworkLockInit(ctx context.Context, args []string) error {
Name: "status",
ShortUsage: "status",
ShortHelp: "Outputs the state of network lock",
LongHelp: "Outputs the state of network lock",
LongHelp: "Outputs the state of network lock",
Exec: runNetworkLockStatus,
}
@ -229,7 +229,7 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
Name: "add",
ShortUsage: "add <public-key>...",
ShortHelp: "Adds one or more trusted signing keys to tailnet lock",
LongHelp: "Adds one or more trusted signing keys to tailnet lock",
LongHelp: "Adds one or more trusted signing keys to tailnet lock",
Exec: func(ctx context.Context, args []string) error {
return runNetworkLockModify(ctx, args, nil)
},
@ -239,7 +239,7 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
Name: "remove",
ShortUsage: "remove <public-key>...",
ShortHelp: "Removes one or more trusted signing keys from tailnet lock",
LongHelp: "Removes one or more trusted signing keys from tailnet lock",
LongHelp: "Removes one or more trusted signing keys from tailnet lock",
Exec: func(ctx context.Context, args []string) error {
return runNetworkLockModify(ctx, nil, args)
},
@ -310,12 +310,9 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
return err
}
status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
if err != nil {
if err := localClient.NetworkLockModify(ctx, addKeys, removeKeys); err != nil {
return err
}
fmt.Printf("Status: %+v\n\n", status)
return nil
}
@ -323,7 +320,7 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
Name: "sign",
ShortUsage: "sign <node-key> [<rotation-key>]",
ShortHelp: "Signs a node key and transmits the signature to the coordination server",
LongHelp: "Signs a node key and transmits the signature to the coordination server",
LongHelp: "Signs a node key and transmits the signature to the coordination server",
Exec: runNetworkLockSign,
}
@ -363,7 +360,7 @@ func runNetworkLockSign(ctx context.Context, args []string) error {
to all nodes in the tailnet and should be considered public.
`),
Exec: runNetworkLockDisable,
Exec: runNetworkLockDisable,
}
func runNetworkLockDisable(ctx context.Context, args []string) error {
@ -392,7 +389,7 @@ func runNetworkLockDisable(ctx context.Context, args []string) error {
that are locked out.
`),
Exec: runNetworkLockLocalDisable,
Exec: runNetworkLockLocalDisable,
}
func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
@ -403,7 +400,7 @@ func runNetworkLockLocalDisable(ctx context.Context, args []string) error {
Name: "disablement-kdf",
ShortUsage: "disablement-kdf <hex-encoded-disablement-secret>",
ShortHelp: "Computes a disablement value from a disablement secret (advanced users only)",
LongHelp: "Computes a disablement value from a disablement secret (advanced users only)",
LongHelp: "Computes a disablement value from a disablement secret (advanced users only)",
Exec: runNetworkLockDisablementKDF,
}
@ -427,7 +424,7 @@ func runNetworkLockDisablementKDF(ctx context.Context, args []string) error {
Name: "log",
ShortUsage: "log [--limit N]",
ShortHelp: "List changes applied to tailnet lock",
LongHelp: "List changes applied to tailnet lock",
LongHelp: "List changes applied to tailnet lock",
Exec: runNetworkLockLog,
FlagSet: (func() *flag.FlagSet {
fs := newFlagSet("lock log")

View File

@ -654,6 +654,9 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
if b.tka == nil {
return errNetworkLockNotActive
}
if !b.tka.authority.KeyTrusted(nlPriv.KeyID()) {
return errors.New("this node does not have a trusted tailnet lock key")
}
updater := b.tka.authority.NewUpdater(nlPriv)

View File

@ -1254,14 +1254,7 @@ type modifyRequest struct {
http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
return
}
j, err := json.MarshalIndent(h.b.NetworkLockStatus(), "", "\t")
if err != nil {
http.Error(w, "JSON encoding error", 500)
return
}
w.Header().Set("Content-Type", "application/json")
w.Write(j)
w.WriteHeader(204)
}
func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {