ipn/localapi,client/tailscale,cmd/derper: add WhoIs lookup by nodekey, use in derper

Fixes #12465 Change-Id: I9b7c87315a3d2b2ecae2b8db9e94b4f5a1eef74a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2024-06-14 08:05:47 -07:00
parent 72c8f7700b
commit 6908fb0de3
6 changed files with 141 additions and 25 deletions
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -1151,20 +1151,19 @@ func (c *sclient) requestMeshUpdate() {
 	}
 }

+var localClient tailscale.LocalClient
+
 // verifyClient checks whether the client is allowed to connect to the derper,
 // depending on how & whether the server's been configured to verify.
 func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, info *clientInfo, clientIP netip.Addr) error {
 	// tailscaled-based verification:
 	if s.verifyClientsLocalTailscaled {
-		status, err := tailscale.Status(ctx)
+		_, err := localClient.WhoIsNodeKey(ctx, clientKey)
+		if err == tailscale.ErrPeerNotFound {
+			return fmt.Errorf("peer %v not authorized (not found in local tailscaled)", clientKey)
+		}
 		if err != nil {
-			return fmt.Errorf("failed to query local tailscaled status: %w", err)
-		}
-		if clientKey == status.Self.PublicKey {
-			return nil
-		}
-		if _, exists := status.Peer[clientKey]; !exists {
-			return fmt.Errorf("client %v not in set of peers", clientKey)
+			return fmt.Errorf("failed to query local tailscaled status for %v: %w", clientKey, err)
 		}
 	}