Commit Graph

29 Commits

Author SHA1 Message Date
Maisem Ali
699b39dec1 ipn/ipnlocal: drop LocalBackend.inServerMode
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-11-25 22:16:37 +05:00
Tom DNetto
aeb80bf8cb ipn/ipnlocal,tka: generate a nonce for each TKA
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-22 10:31:22 -08:00
Tom DNetto
6708f9a93f cmd/tailscale,ipn: implement lock log command
This commit implements `tailscale lock log [--limit N]`, which displays an ordered list
of changes to network-lock state in a manner familiar to `git log`.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-22 10:30:59 -08:00
Tom DNetto
ed1fae6c73 ipn/ipnlocal: always tx TKA sync after enablement
By always firing off a sync after enablement, the control plane should know the node's TKA head
at all times.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-22 10:25:13 -08:00
Maisem Ali
235309adc4 all: store NL keys per profile
This moves the NetworkLock key from a dedicated StateKey to be part of the persist.Persist struct.
This struct is stored as part for ipn.Prefs and is also the place where we store the NodeKey.

It also moves the ChonkDir from "/tka" to "/tka-profile/<profile-id>". The rename was intentional
to be able to delete the "/tka" dir if it exists.

This means that we will have a unique key per profile, and a unique directory per profile.

Note: `tailscale logout` will delete the entire profile, including any keys. It currently does not
delete the ChonkDir.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-11-15 19:51:52 +00:00
Tom DNetto
42855d219b ipn/ipnlocal: fix checks for node-key presence in TKA logic
Found by tests in another repo. TKA code wasn't always checking enough to be sure a node-key was set for the current state.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-14 20:33:31 +00:00
Tom DNetto
4c31183781 cmd/tailscale,ipn: minor fixes to tailscale lock commands
* Fix broken add/remove key commands
 * Make lock status display whether the node is signed

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-11 07:48:40 -06:00
Maisem Ali
6cc0036b40 ipn/ipnlocal: use updated prefs in tkaSyncIfNeeded
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-11-11 12:03:17 +05:00
Maisem Ali
4d330bac14 ipn/ipnlocal: add support for multiple user profiles
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-11-11 10:45:47 +05:00
Brad Fitzpatrick
e55ae53169 tailcfg: add Node.UnsignedPeerAPIOnly to let server mark node as peerapi-only
capver 48

Change-Id: I20b2fa81d61ef8cc8a84e5f2afeefb68832bd904
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-11-02 21:55:04 -07:00
Tom DNetto
0af57fce4c cmd/tailscale,ipn: implement lock sign command
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-11-02 15:00:01 -05:00
Tom DNetto
d98305c537 cmd,ipn/ipnlocal,tailcfg: implement TKA disablement
* Plumb disablement values through some of the internals of TKA enablement.
 * Transmit the node's TKA hash at the end of sync so the control plane understands each node's head.
 * Implement /machine/tka/disable RPC to actuate disablement on the control plane.

There is a partner PR for the control server I'll send shortly.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-31 11:05:44 -05:00
Maisem Ali
a2d15924fb types/persist: add PublicNodeKey helper
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-24 15:57:00 -07:00
Maisem Ali
0957bc5af2 ipn/ipnlocal: use ipn.PrefsView
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-10-24 15:57:00 -07:00
Tom DNetto
a515fc517b ipn/ipnlocal: make tkaSyncIfNeeded exclusive with a mutex
Running corp/ipn#TestNetworkLockE2E has a 1/300 chance of failing, and
deskchecking suggests thats whats happening are two netmaps are racing each
other to be processed through tkaSyncIfNeededLocked. This happens in the
first place because we release b.mu during network RPCs.

To fix this, we make the tka sync logic an exclusive section, so two
netmaps will need to wait for tka sync to complete serially (which is what
we would want anyway, as the second run through probably wont need to
sync).

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-14 12:42:43 -07:00
Tom DNetto
a37ee8483f ipn/ipnlocal: fix data race from missing lock in NetworkLockStatus
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-05 11:51:49 -07:00
Tom DNetto
8602061f32 ipn/ipnlocal,tka: Fix bugs found by integration testing
* tka.State.staticValidateCheckpoint could call methods on a contained key prior to calling StaticValidate on that key
 * Remove broken backoff / RPC retry logic from tka methods in ipn/ipnlocal, to be fixed at a later time
 * Fix NetworkLockModify() which would attempt to take b.mu twice and deadlock, remove now-unused dependence on netmap
 * Add methods on ipnlocal.LocalBackend to be used in integration tests
 * Use TAILSCALE_USE_WIP_CODE as the feature flag so it can be manipulated in tests

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-05 11:12:34 -07:00
Tom DNetto
73db56af52 ipn/ipnlocal: filter peers with bad signatures when tka is enabled
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-10-05 10:56:17 -07:00
Josh Soref
d4811f11a0 all: fix spelling mistakes
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-09-29 13:36:13 -07:00
Adrian Dewhurst
c581ce7b00 cmd/tailscale, client, ipn, tailcfg: add network lock modify command
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2022-09-29 11:28:47 -07:00
Tom DNetto
58ffe928af ipn/ipnlocal, tka: Implement TKA synchronization with the control plane
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-09-29 11:07:02 -07:00
Tom DNetto
ebd1637e50 ipn/ipnlocal,tailcfg: Identify client using NodeKey in tka RPCs
Updates https://github.com/tailscale/corp/pull/7024

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-09-27 09:37:28 -07:00
Tom DNetto
e9b98dd2e1 control/controlclient,ipn/ipnlocal: wire tka enable/disable
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-09-21 12:57:59 -07:00
Brad Fitzpatrick
74674b110d envknob: support changing envknobs post-init
Updates #5114

Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-15 15:04:02 -07:00
Tom DNetto
be95aebabd tka: implement credential signatures (key material delegation)
This will be needed to support preauth-keys with network lock in the future,
so getting the core mechanics out of the way now.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-08-31 10:13:13 -07:00
Tom DNetto
79905a1162 tka: make storage a parameter rather than an Authority struct member
Updates #5435

Based on the discussion in #5435, we can better support transactional data models
by making the underlying storage layer a parameter (which can be specialized for
the request) rather than a long-lived member of Authority.

Now that Authority is just an instantaneous snapshot of state, we can do things
like provide idempotent methods and make it cloneable, too.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-08-26 10:44:28 -07:00
Tom DNetto
472529af38 tka: optimize common case of processing updates built from head
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-08-24 11:35:55 -07:00
Tom DNetto
039def3b50 ipn,tailcfg: transmit NodeID in tka init RPCs
Needed to identify the node. A serverside-check the machine key (used
to authenticate the noise session) is that of the specified NodeID
ensures the authenticity of the request.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-08-24 11:35:55 -07:00
Tom DNetto
facafd8819 client,cmd/tailscale,ipn,tka,types: implement tka initialization flow
This PR implements the client-side of initializing network-lock with the
Coordination server.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-08-22 11:35:16 -07:00