TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-08-12 13:48:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

tailcfg: add Node.UnsignedPeerAPIOnly to let server mark node as peerapi-only

Browse Source 
capver 48

Change-Id: I20b2fa81d61ef8cc8a84e5f2afeefb68832bd904
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
2022-11-02 13:13:26 -07:00
committed by Brad Fitzpatrick
parent 3367136d9e
commit e55ae53169
9 changed files with 193 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
ipn/ipnlocal/network-lock.go
View File

@@ -23,6 +23,7 @@ import (
"tailscale.com/types/key"
"tailscale.com/types/netmap"
"tailscale.com/types/tkatype"
"tailscale.com/util/mak"
)
// TODO(tom): RPC retry/backoff was broken and has been removed. Fix?
@@ -38,7 +39,7 @@ type tkaState struct {
}
// tkaFilterNetmapLocked checks the signatures on each node key, dropping
// nodes from the netmap who's signature does not verify.
// nodes from the netmap whose signature does not verify.
//
// b.mu must be held.
func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
@@ -49,27 +50,33 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
return // TKA not enabled.
}
toDelete := make(map[int]struct{}, len(nm.Peers))
var toDelete map[int]bool // peer index => true
for i, p := range nm.Peers {
if p.UnsignedPeerAPIOnly {
// Not subject to TKA.
continue
}
if len(p.KeySignature) == 0 {
b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID, p.StableID)
toDelete[i] = struct{}{}
mak.Set(&toDelete, i, true)
} else {
if err := b.tka.authority.NodeKeyAuthorized(p.Key, p.KeySignature); err != nil {
b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID, p.StableID, err)
toDelete[i] = struct{}{}
mak.Set(&toDelete, i, true)
}
}
}
// nm.Peers is ordered, so deletion must be order-preserving.
peers := make([]*tailcfg.Node, 0, len(nm.Peers))
for i, p := range nm.Peers {
if _, delete := toDelete[i]; !delete {
peers = append(peers, p)
if len(toDelete) > 0 {
peers := make([]*tailcfg.Node, 0, len(nm.Peers))
for i, p := range nm.Peers {
if !toDelete[i] {
peers = append(peers, p)
}
}
nm.Peers = peers
}
nm.Peers = peers
}
// tkaSyncIfNeeded examines TKA info reported from the control plane,