diff --git a/client/local/tailnetlock.go b/client/local/tailnetlock.go
index 5af90eb16..54e795833 100644
--- a/client/local/tailnetlock.go
+++ b/client/local/tailnetlock.go
@@ -117,7 +117,7 @@ func (lc *Client) NetworkLockAffectedSigs(ctx context.Context, keyID tkatype.Key
 return decodeJSON[[]tkatype.MarshaledSignature](body)
 }
 
-// NetworkLockLog returns up to maxEntries number of changes to network-lock state.
+// NetworkLockLog returns up to maxEntries number of changes to tailnet-lock state.
 func (lc *Client) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstate.NetworkLockUpdate, error) {
 v := url.Values{}
 v.Set("limit", fmt.Sprint(maxEntries))
@@ -128,7 +128,7 @@ func (lc *Client) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstat
 return decodeJSON[[]ipnstate.NetworkLockUpdate](body)
 }
 
-// NetworkLockForceLocalDisable forcibly shuts down network lock on this node.
+// NetworkLockForceLocalDisable forcibly shuts down tailnet lock on this node.
 func (lc *Client) NetworkLockForceLocalDisable(ctx context.Context) error {
 // This endpoint expects an empty JSON stanza as the payload.
 var b bytes.Buffer
@@ -142,7 +142,7 @@ func (lc *Client) NetworkLockForceLocalDisable(ctx context.Context) error {
 return nil
 }
 
-// NetworkLockVerifySigningDeeplink verifies the network lock deeplink contained
+// NetworkLockVerifySigningDeeplink verifies the tailnet lock deeplink contained
 // in url and returns information extracted from it.
 func (lc *Client) NetworkLockVerifySigningDeeplink(ctx context.Context, url string) (*tka.DeeplinkValidationResult, error) {
 vr := struct {
@@ -193,7 +193,7 @@ func (lc *Client) NetworkLockSubmitRecoveryAUM(ctx context.Context, aum tka.AUM)
 return nil
 }
 
-// NetworkLockDisable shuts down network-lock across the tailnet.
+// NetworkLockDisable shuts down tailnet-lock across the tailnet.
 func (lc *Client) NetworkLockDisable(ctx context.Context, secret []byte) error {
 if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/disable", 200, bytes.NewReader(secret)); err != nil {
 return fmt.Errorf("error: %w", err)
diff --git a/cmd/tailscale/cli/jsonoutput/network-lock-log.go b/cmd/tailscale/cli/jsonoutput/network-lock-log.go
index c7c16e223..779a99883 100644
--- a/cmd/tailscale/cli/jsonoutput/network-lock-log.go
+++ b/cmd/tailscale/cli/jsonoutput/network-lock-log.go
@@ -159,7 +159,7 @@ type expandedAUMV1 struct {
 }
 
 // tkaKeyV1 is the expanded version of a [tka.Key], which describes
-// the public components of a key known to network-lock.
+// the public components of a key known to tailnet-lock.
 type tkaKeyV1 struct {
 Kind string `json:"Kind,omitzero"`
 
diff --git a/cmd/tailscale/cli/jsonoutput/network-lock-status.go b/cmd/tailscale/cli/jsonoutput/network-lock-status.go
index a1d95b871..fce2276ef 100644
--- a/cmd/tailscale/cli/jsonoutput/network-lock-status.go
+++ b/cmd/tailscale/cli/jsonoutput/network-lock-status.go
@@ -116,7 +116,7 @@ type tailnetLockStatusV1Base struct {
 // Enabled is true if Tailnet Lock is enabled.
 Enabled bool
 
- // PublicKey describes the node's network-lock public key.
+ // PublicKey describes the node's tailnet-lock public key.
 PublicKey string `json:"PublicKey,omitzero"`
 
 // NodeKey describes the node's current node-key. This field is not
@@ -144,7 +144,7 @@ type tailnetLockEnabledStatusV1 struct {
 NodeKeySignature *tkaNodeKeySignatureV1
 
 // TrustedKeys describes the keys currently trusted to make changes
- // to network-lock.
+ // to tailnet-lock.
 TrustedKeys []tkaKeyV1
 
 // VisiblePeers describes peers which are visible in the netmap that
diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go
index 75d5d9511..3238a0a07 100644
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -50,7 +50,7 @@ var (
 )
 
 // IsNetworkLockNotActive reports whether the given error indicates that
-// network-lock is not active. Stop-gap for feature/tailnetlock to check this
+// tailnet-lock is not active. Stop-gap for feature/tailnetlock to check this
 // until all of this is code is moved to the feature.
 func IsNetworkLockNotActive(err error) bool {
 return errors.Is(err, errNetworkLockNotActive)
@@ -80,13 +80,13 @@ func (b *LocalBackend) initTKALocked() error {
 root := b.TailscaleVarRoot()
 if root == "" {
 b.tka = nil
- b.logf("cannot fetch existing TKA state; no state directory for network-lock")
+ b.logf("cannot fetch existing TKA state; no state directory for tailnet-lock")
 return nil
 }
 
 chonkDir := b.chonkPathLocked()
 if _, err := os.Stat(chonkDir); err == nil {
- // The directory exists, which means network-lock has been initialized.
+ // The directory exists, which means tailnet-lock has been initialized.
 storage, err := tka.ChonkDir(chonkDir)
 if err != nil {
 return fmt.Errorf("opening tailchonk: %v", err)
@@ -139,12 +139,12 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
 continue
 }
 if p.KeySignature().Len() == 0 {
- b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID(), p.StableID())
+ b.logf("Tailnet lock is dropping peer %v(%v) due to missing signature", p.ID(), p.StableID())
 mak.Set(&toDelete, i, true)
 } else {
 details, err := b.tka.authority.NodeKeyAuthorizedWithDetails(p.Key(), p.KeySignature().AsSlice())
 if err != nil {
- b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID(), p.StableID(), err)
+ b.logf("Tailnet lock is dropping peer %v(%v) due to failed signature check: %v", p.ID(), p.StableID(), err)
 mak.Set(&toDelete, i, true)
 continue
 }
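Review bot: The hunk at @@ -139 rewrites the "Network lock is dropping peer … due to missing signature" and "… due to failed signature check" log lines, which are the lines operators and log-based alerts key on to notice peers being filtered out by the authority; changing the prefix silently breaks any existing match on "Network lock". The same applies to the logf strings in @@ -80 here, @@ -166 and @@ -496 on the next line, @@ -667 and @@ -796 after that, and the panic text in @@ -722. If the rename is intended, it should be called out in the changelog as a log-format change, or the old prefix kept for one release while the new one is introduced. tkaFilterNetmapLocked begins before and continues after this hunk, so the other dropping paths are not visible here.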
@@ -166,7 +166,7 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
 peers = append(peers, p)
 } else {
 if obsoleteByRotation.Contains(p.Key()) {
- b.logf("Network lock is dropping peer %v(%v) due to key rotation", p.ID(), p.StableID())
+ b.logf("Tailnet lock is dropping peer %v(%v) due to key rotation", p.ID(), p.StableID())
 }
 // Record information about the node we filtered out.
 filtered = append(filtered, tkaStateFromPeer(p))
@@ -496,7 +496,7 @@ func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM, per
 var storage tka.CompactableChonk
 if root == "" {
 b.health.SetUnhealthy(noNetworkLockStateDirWarnable, nil)
- b.logf("network-lock using in-memory storage; no state directory")
+ b.logf("tailnet-lock using in-memory storage; no state directory")
 storage = tka.ChonkMem()
 } else {
 chonkDir := b.chonkPathLocked()
@@ -624,7 +624,7 @@ func tkaStateFromPeer(p tailcfg.NodeView) ipnstate.TKAPeer {
 return fp
 }
 
-// NetworkLockInit enables network-lock for the tailnet, with the tailnets'
+// NetworkLockInit enables tailnet-lock for the tailnet, with the tailnets'
 // key authority initialized to trust the provided keys.
 //
 // Initialization involves two RPCs with control, termed 'begin' and 'finish'.
@@ -632,7 +632,7 @@ func tkaStateFromPeer(p tailcfg.NodeView) ipnstate.TKAPeer {
 // encodes the initial state of the authority, and the list of all nodes
 // needing signatures is returned as a response.
 // The Finish RPC submits signatures for all these nodes, at which point
-// Control has everything it needs to atomically enable network lock.
+// Control has everything it needs to atomically enable tailnet lock.
 func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byte, supportDisablement []byte) error {
 var ourNodeKey key.NodePublic
 var nlPriv key.NLPrivate
@@ -667,7 +667,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
 return fmt.Errorf("tka.Create: %v", err)
 }
 
- b.logf("Generated genesis AUM to initialize network lock, trusting the following keys:")
+ b.logf("Generated genesis AUM to initialize tailnet lock, trusting the following keys:")
 for i, k := range genesisAUM.State.Keys {
 b.logf(" - key[%d] = tlpub:%x with %d votes", i, k.Public, k.Votes)
 }
@@ -682,7 +682,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
 // node-key signatures, we need to sign keys for all the existing nodes.
 // If we don't get these signatures ahead of time, everyone will lose
 // connectivity because control won't have any signatures to send which
- // satisfy network-lock checks.
+ // satisfy tailnet-lock checks.
 sigs := make(map[tailcfg.NodeID]tkatype.MarshaledSignature, len(initResp.NeedSignatures))
 for _, nodeInfo := range initResp.NeedSignatures {
 nks, err := signNodeKey(nodeInfo, nlPriv)
@@ -722,7 +722,7 @@ func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
 b.mu.Lock()
 defer b.mu.Unlock()
 if b.tka == nil {
- panic("network lock not initialized")
+ panic("tailnet lock not initialized")
 }
 return b.tka.authority.KeyTrusted(keyID)
 }
@@ -796,7 +796,7 @@ func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []
 return err
 }
 
- b.logf("Generated network-lock signature for %v, submitting to control plane", nodeKey)
+ b.logf("Generated tailnet-lock signature for %v, submitting to control plane", nodeKey)
 if _, err := b.tkaSubmitSignature(ourNodeKey, sig.Serialize()); err != nil {
 return err
 }
@@ -883,7 +883,7 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
 return nil
 }
 
-// NetworkLockDisable disables network-lock using the provided disablement secret.
+// NetworkLockDisable disables tailnet-lock using the provided disablement secret.
 func (b *LocalBackend) NetworkLockDisable(secret []byte) error {
 var (
 ourNodeKey key.NodePublic
diff --git a/ipn/ipnstate/ipnstate.go b/ipn/ipnstate/ipnstate.go
index 17e6ac870..f7df7e5a2 100644
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -86,7 +86,7 @@ type Status struct {
 ClientVersion *tailcfg.ClientVersion
 }
 
-// TKAKey describes a key trusted by network lock.
+// TKAKey describes a key trusted by tailnet lock.
 type TKAKey struct {
 Kind string
 Key key.NLPublic
@@ -94,7 +94,7 @@ type TKAKey struct {
 Votes uint
 }
 
-// TKAPeer describes a peer and its network lock details.
+// TKAPeer describes a peer and its tailnet lock details.
 type TKAPeer struct {
 Name string // DNS
 ID tailcfg.NodeID
@@ -104,7 +104,7 @@ type TKAPeer struct {
 NodeKeySignature tka.NodeKeySignature
 }
 
-// NetworkLockStatus represents whether network-lock is enabled,
+// NetworkLockStatus represents whether tailnet-lock is enabled,
 // along with details about the locally-known state of the tailnet
 // key authority.
 type NetworkLockStatus struct {
@@ -115,7 +115,7 @@ type NetworkLockStatus struct {
 // if network lock is not enabled.
 Head *[32]byte
 
- // PublicKey describes the node's network-lock public key.
+ // PublicKey describes the node's tailnet-lock public key.
 // It may be zero if the node has not logged in.
 PublicKey key.NLPublic
 
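Review bot: The rename is incomplete in the @@ -115 hunk of ipn/ipnstate/ipnstate.go: the context line `// if network lock is not enabled.` on the Head field keeps the old term while the PublicKey comment two lines below is changed to "tailnet-lock", so the same struct now uses both names. Update it to `// if tailnet lock is not enabled.` so the NetworkLockStatus doc reads consistently. The struct's remaining fields are outside this hunk and may have the same leftover.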
@@ -123,14 +123,14 @@ type NetworkLockStatus struct {
 // populated if the node is not operating (i.e. waiting for a login).
 NodeKey *key.NodePublic
 
- // NodeKeySigned is true if our node is authorized by network-lock.
+ // NodeKeySigned is true if our node is authorized by tailnet-lock.
 NodeKeySigned bool
 
 // NodeKeySignature is the current signature of this node's key.
 NodeKeySignature *tka.NodeKeySignature
 
 // TrustedKeys describes the keys currently trusted to make changes
- // to network-lock.
+ // to tailnet-lock.
 TrustedKeys []TKAKey
 
 // VisiblePeers describes peers which are visible in the netmap that
@@ -148,7 +148,7 @@ type NetworkLockStatus struct {
 StateID uint64
 }
 
-// NetworkLockUpdate describes a change to network-lock state.
+// NetworkLockUpdate describes a change to tailnet-lock state.
 type NetworkLockUpdate struct {
 Hash [32]byte
 Change string // values of tka.AUMKind.String()
diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 0cb7597c3..57c68fad6 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -1283,7 +1283,7 @@ type RegisterRequest struct {
 Ephemeral bool `json:",omitempty"`
 
 // NodeKeySignature is the node's own node-key signature, re-signed
- // for its new node key using its network-lock key.
+ // for its new node key using its tailnet-lock key.
 //
 // This field is set when the client retries registration after learning
 // its NodeKeySignature (which is in need of rotation).
diff --git a/tailcfg/tailcfg_view.go b/tailcfg/tailcfg_view.go
index 9900efbcc..846663388 100644
--- a/tailcfg/tailcfg_view.go
+++ b/tailcfg/tailcfg_view.go
@@ -1349,7 +1349,7 @@ func (v RegisterRequestView) Hostinfo() HostinfoView { return v.ж.Hostinfo.View
 func (v RegisterRequestView) Ephemeral() bool { return v.ж.Ephemeral }
 
 // NodeKeySignature is the node's own node-key signature, re-signed
-// for its new node key using its network-lock key.
+// for its new node key using its tailnet-lock key.
 //
 // This field is set when the client retries registration after learning
 // its NodeKeySignature (which is in need of rotation).
diff --git a/tailcfg/tka.go b/tailcfg/tka.go
index 29c17b756..f392e6fd3 100644
--- a/tailcfg/tka.go
+++ b/tailcfg/tka.go
@@ -36,7 +36,7 @@ type TKASignInfo struct {
 // a NodeKeySignature (NKS), which rotates the node key.
 //
 // This is necessary so the node can rotate its node-key without
- // talking to a node which holds a trusted network-lock key.
+ // talking to a node which holds a trusted tailnet-lock key.
 // It does this by nesting the original NKS in a 'rotation' NKS,
 // which it then signs with the key corresponding to RotationPubkey.
 //
@@ -193,7 +193,7 @@ type TKASyncSendResponse struct {
 Head string
 }
 
-// TKADisableRequest disables network-lock across the tailnet using the
+// TKADisableRequest disables tailnet-lock across the tailnet using the
 // provided disablement secret.
 //
 // This is the request schema for a /tka/disable noise RPC.
diff --git a/tka/key.go b/tka/key.go
index 08897d409..840a65f5c 100644
--- a/tka/key.go
+++ b/tka/key.go
@@ -32,7 +32,7 @@ func (k KeyKind) String() string {
 }
 }
 
-// Key describes the public components of a key known to network-lock.
+// Key describes the public components of a key known to tailnet-lock.
 type Key struct {
 Kind KeyKind `cbor:"1,keyasint"`
 
diff --git a/tka/sig.go b/tka/sig.go
index 9d107c98f..7361da3c4 100644
--- a/tka/sig.go
+++ b/tka/sig.go
@@ -178,7 +178,7 @@ func (s NodeKeySignature) UnverifiedAuthorizingKeyID() (tkatype.KeyID, error) {
 return s.authorizingKeyID()
 }
 
-// authorizingKeyID returns the KeyID of the key trusted by network-lock which authorizes
+// authorizingKeyID returns the KeyID of the key trusted by tailnet-lock which authorizes
 // this signature.
 func (s NodeKeySignature) authorizingKeyID() (tkatype.KeyID, error) {
 switch s.SigKind {
@@ -349,14 +349,14 @@ func (s *NodeKeySignature) rotationDetails() (*RotationDetails, error) {
 
 // ResignNKS re-signs a node-key signature for a new node-key.
 //
-// This only matters on network-locked tailnets, because node-key signatures are
+// This only matters on tailnet-locked tailnets, because node-key signatures are
 // how other nodes know that a node-key is authentic. When the node-key is
 // rotated then the existing signature becomes invalid, so this function is
 // responsible for generating a new wrapping signature to certify the new node-key.
 //
 // The signature itself is a SigRotation signature, which embeds the old signature
 // and certifies the new node-key as a replacement for the old by signing the new
-// signature with RotationPubkey (which is the node's own network-lock key).
+// signature with RotationPubkey (which is the node's own tailnet-lock key).
 func ResignNKS(priv key.NLPrivate, nodeKey key.NodePublic, oldNKS tkatype.MarshaledSignature) (tkatype.MarshaledSignature, error) {
 var oldSig NodeKeySignature
 if err := oldSig.Unserialize(oldNKS); err != nil {
diff --git a/tka/sig_test.go b/tka/sig_test.go
index 4581d4cc3..700967af2 100644
--- a/tka/sig_test.go
+++ b/tka/sig_test.go
@@ -51,7 +51,7 @@ func TestSigDirect(t *testing.T) {
 }
 
 func TestSigNested(t *testing.T) {
- // Network-lock key (the key used to sign the nested sig)
+ // tailnet-lock key (the key used to sign the nested sig)
 pub, priv := testingKey25519(t, 1)
 k := Key{Kind: Key25519, Public: pub, Votes: 2}
 // Rotation key (the key used to sign the outer sig)
@@ -64,7 +64,7 @@ func TestSigNested(t *testing.T) {
 nodeKeyPub, _ := node.Public().MarshalBinary()
 
 // The original signature for the old node key, signed by
- // the network-lock key.
+ // the tailnet-lock key.
 nestedSig := NodeKeySignature{
 SigKind: SigDirect,
 KeyID: k.MustID(),
@@ -127,7 +127,7 @@ func TestSigNested(t *testing.T) {
 }
 
 func TestSigNested_DeepNesting(t *testing.T) {
- // Network-lock key (the key used to sign the nested sig)
+ // tailnet-lock key (the key used to sign the nested sig)
 pub, priv := testingKey25519(t, 1)
 k := Key{Kind: Key25519, Public: pub, Votes: 2}
 // Rotation key (the key used to sign the outer sig)
@@ -137,7 +137,7 @@ func TestSigNested_DeepNesting(t *testing.T) {
 oldPub, _ := oldNode.Public().MarshalBinary()
 
 // The original signature for the old node key, signed by
- // the network-lock key.
+ // the tailnet-lock key.
 nestedSig := NodeKeySignature{
 SigKind: SigDirect,
 KeyID: k.MustID(),
@@ -196,7 +196,7 @@ func TestSigNested_DeepNesting(t *testing.T) {
 }
 
 func TestSigCredential(t *testing.T) {
- // Network-lock key (the key used to sign the nested sig)
+ // tailnet-lock key (the key used to sign the nested sig)
 pub, priv := testingKey25519(t, 1)
 k := Key{Kind: Key25519, Public: pub, Votes: 2}
 // 'credential' key (the one being delegated to)
@@ -513,7 +513,7 @@ func TestResignNKS(t *testing.T) {
 origPub, _ := origNode.Public().MarshalBinary()
 
 // The original signature for the old node key, signed by
- // the network-lock key.
+ // the tailnet-lock key.
 directSig := NodeKeySignature{
 SigKind: SigDirect,
 KeyID: authKey.MustID(),
diff --git a/tka/tka.go b/tka/tka.go
index 9b22edc2e..cb1c08326 100644
--- a/tka/tka.go
+++ b/tka/tka.go
@@ -567,7 +567,7 @@ func Bootstrap(storage Chonk, bootstrap AUM) (*Authority, error) {
 // ValidDisablement returns true if the disablement secret was correct.
 //
 // If this method returns true, the caller should shut down the authority
-// and purge all network-lock state.
+// and purge all tailnet-lock state.
 func (a *Authority) ValidDisablement(secret []byte) bool {
 return a.state.checkDisablement(secret)
 }
diff --git a/types/key/nl.go b/types/key/nl.go
index 0e8c5ed96..32bc94364 100644
--- a/types/key/nl.go
+++ b/types/key/nl.go
@@ -29,7 +29,7 @@ const (
 nlPublicHexPrefixCLI = "tlpub:"
 )
 
-// NLPrivate is a node-managed network-lock key, used for signing
+// NLPrivate is a node-managed tailnet-lock key, used for signing
 // node-key signatures and authority update messages.
 type NLPrivate struct {
 _ structs.Incomparable // because == isn't constant-time
@@ -42,7 +42,7 @@ func (k NLPrivate) IsZero() bool {
 return subtle.ConstantTimeCompare(k.k[:], empty.k[:]) == 1
 }
 
-// NewNLPrivate creates and returns a new network-lock key.
+// NewNLPrivate creates and returns a new tailnet-lock key.
 func NewNLPrivate() NLPrivate {
 // ed25519.GenerateKey 'clamps' the key, not that it
 // matters given we don't do Diffie-Hellman.
@@ -120,7 +120,7 @@ type NLPublic struct {
 // a type of NLPublic.
 //
 // New uses of this function should be avoided, as it's possible to
-// accidentally construct an NLPublic from a non network-lock key.
+// accidentally construct an NLPublic from a non tailnet-lock key.
 func NLPublicFromEd25519Unsafe(public ed25519.PublicKey) NLPublic {
 var out NLPublic
 copy(out.k[:], public)