ipn,types/persist: store disallowed TKA's in prefs, lock local-disable

Signed-off-by: Tom DNetto <tom@tailscale.com>
Tom DNetto
2022-11-28 16:39:03 -08:00
committed by Tom
parent 659e7837c6
commit f1130421f0
10 changed files with 220 additions and 4 deletions


@@ -7,6 +7,7 @@ package persist
import (
"fmt"
"reflect"
"tailscale.com/tailcfg"
"tailscale.com/types/key"
@@ -39,6 +40,12 @@ type Persist struct {
UserProfile tailcfg.UserProfile
NetworkLockKey key.NLPrivate
NodeID tailcfg.StableNodeID
// DisallowedTKAStateIDs stores the tka.State.StateID values which
// this node will not operate network lock on. This is used to
// prevent bootstrapping TKA onto a key authority which was forcibly
// disabled.
DisallowedTKAStateIDs []string
}
// PublicNodeKey returns the public key for the node key.
@@ -70,7 +77,8 @@ func (p *Persist) Equals(p2 *Persist) bool {
p.LoginName == p2.LoginName &&
p.UserProfile == p2.UserProfile &&
p.NetworkLockKey.Equal(p2.NetworkLockKey) &&
p.NodeID == p2.NodeID
p.NodeID == p2.NodeID &&
reflect.DeepEqual(p.DisallowedTKAStateIDs, p2.DisallowedTKAStateIDs)
}
func (p *Persist) Pretty() string {
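Review bot: The reflect.DeepEqual comparison added as the last conjunct of Equals treats a nil DisallowedTKAStateIDs and an empty non-nil slice as different, so two Persist values that both carry no disallowed state IDs can compare unequal once one of them has passed through a decoder that produces `[]string{}` for an empty list (presumably the JSON prefs round-trip). If callers use Equals to decide whether prefs changed, that would surface as a spurious change; the case added in persist_test.go only pins nil against a one-element slice, so this stays unchecked. A length guard keeps the intended semantics: `p.NodeID == p2.NodeID &&` / `(len(p.DisallowedTKAStateIDs) == 0 && len(p2.DisallowedTKAStateIDs) == 0 ||` / `reflect.DeepEqual(p.DisallowedTKAStateIDs, p2.DisallowedTKAStateIDs))`. Equals begins outside the hunk.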


@@ -20,6 +20,7 @@ func (src *Persist) Clone() *Persist {
}
dst := new(Persist)
*dst = *src
dst.DisallowedTKAStateIDs = append(src.DisallowedTKAStateIDs[:0:0], src.DisallowedTKAStateIDs...)
return dst
}
@@ -34,4 +35,5 @@ var _PersistCloneNeedsRegeneration = Persist(struct {
UserProfile tailcfg.UserProfile
NetworkLockKey key.NLPrivate
NodeID tailcfg.StableNodeID
DisallowedTKAStateIDs []string
}{})


@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
}
func TestPersistEqual(t *testing.T) {
persistHandles := []string{"LegacyFrontendPrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "Provider", "LoginName", "UserProfile", "NetworkLockKey", "NodeID"}
persistHandles := []string{"LegacyFrontendPrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "Provider", "LoginName", "UserProfile", "NetworkLockKey", "NodeID", "DisallowedTKAStateIDs"}
if have := fieldsOf(reflect.TypeOf(Persist{})); !reflect.DeepEqual(have, persistHandles) {
t.Errorf("Persist.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
have, persistHandles)
@@ -133,6 +133,11 @@ func TestPersistEqual(t *testing.T) {
&Persist{NodeID: "abc"},
false,
},
{
&Persist{DisallowedTKAStateIDs: nil},
&Persist{DisallowedTKAStateIDs: []string{"0:0"}},
false,
},
}
for i, test := range tests {
if got := test.a.Equals(test.b); got != test.want {


@@ -13,6 +13,7 @@ import (
"tailscale.com/tailcfg"
"tailscale.com/types/key"
"tailscale.com/types/structs"
"tailscale.com/types/views"
)
//go:generate go run tailscale.com/cmd/cloner -clonefunc=false -type=Persist
@@ -72,6 +73,9 @@ func (v PersistView) LoginName() string { return v.ж.LoginName
func (v PersistView) UserProfile() tailcfg.UserProfile { return v.ж.UserProfile }
func (v PersistView) NetworkLockKey() key.NLPrivate { return v.ж.NetworkLockKey }
func (v PersistView) NodeID() tailcfg.StableNodeID { return v.ж.NodeID }
func (v PersistView) DisallowedTKAStateIDs() views.Slice[string] {
return views.SliceOf(v.ж.DisallowedTKAStateIDs)
}
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
var _PersistViewNeedsRegeneration = Persist(struct {
@@ -84,4 +88,5 @@ var _PersistViewNeedsRegeneration = Persist(struct {
UserProfile tailcfg.UserProfile
NetworkLockKey key.NLPrivate
NodeID tailcfg.StableNodeID
DisallowedTKAStateIDs []string
}{})