derp: add a verifyClients check to the consistency check

Only implemented for the local tailscaled variant for now. Updates tailscale/corp#20844 Signed-off-by: James Tucker <james@tailscale.com>
2024-11-29 04:55:31 +00:00 · 2024-06-17 15:56:46 -07:00 · 2024-06-17 15:56:46 -07:00 · 87c5ad4c2c
commit 87c5ad4c2c
parent 2db2d04a37
1 changed files with 25 additions and 0 deletions
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@ -1955,12 +1955,37 @@ func (s *Server) ConsistencyCheck() error {
 			s.curClients.Value(),
 			len(s.clients)))
 	}
+
+	if s.verifyClientsLocalTailscaled {
+		if err := s.checkVerifyClientsLocalTailscaled(); err != nil {
+			errs = append(errs, err.Error())
+		}
+	}
+
 	if len(errs) == 0 {
 		return nil
 	}
 	return errors.New(strings.Join(errs, ", "))
 }

+// checkVerifyClientsLocalTailscaled checks that a verifyClients call can be made successfully for the derper hosts own node key.
+func (s *Server) checkVerifyClientsLocalTailscaled() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	status, err := localClient.StatusWithoutPeers(ctx)
+	if err != nil {
+		return fmt.Errorf("localClient.Status: %w", err)
+	}
+	info := &clientInfo{
+		IsProber: true,
+	}
+	clientIP := netip.IPv6Loopback()
+	if err := s.verifyClient(ctx, status.Self.PublicKey, info, clientIP); err != nil {
+		return fmt.Errorf("verifyClient for self nodekey: %w", err)
+	}
+	return nil
+}
+
 const minTimeBetweenLogs = 2 * time.Second

 // BytesSentRecv records the number of bytes that have been sent since the last traffic check