ipn,types/persist: store disallowed TKA's in prefs, lock local-disable

Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-10-09 16:11:23 +00:00 · 2022-11-28 16:39:03 -08:00
parent 659e7837c6
commit f1130421f0
10 changed files with 220 additions and 4 deletions
--- a/types/persist/persist.go
+++ b/types/persist/persist.go
@@ -7,6 +7,7 @@ package persist

 import (
 	"fmt"
+	"reflect"

 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -39,6 +40,12 @@ type Persist struct {
 	UserProfile       tailcfg.UserProfile
 	NetworkLockKey    key.NLPrivate
 	NodeID            tailcfg.StableNodeID
+
+	// DisallowedTKAStateIDs stores the tka.State.StateID values which
+	// this node will not operate network lock on. This is used to
+	// prevent bootstrapping TKA onto a key authority which was forcibly
+	// disabled.
+	DisallowedTKAStateIDs []string
 }

 // PublicNodeKey returns the public key for the node key.
@@ -70,7 +77,8 @@ func (p *Persist) Equals(p2 *Persist) bool {
 		p.LoginName == p2.LoginName &&
 		p.UserProfile == p2.UserProfile &&
 		p.NetworkLockKey.Equal(p2.NetworkLockKey) &&
-		p.NodeID == p2.NodeID
+		p.NodeID == p2.NodeID &&
+		reflect.DeepEqual(p.DisallowedTKAStateIDs, p2.DisallowedTKAStateIDs)
 }

 func (p *Persist) Pretty() string {