all: update more references to Tailnet/Network Lock

Updates tailscale/corp#37904 Change-Id: I09e73b3248b9ddf86dafe33dfb621bd560f6596d Signed-off-by: Alex Chan <alexc@tailscale.com>
2026-05-15 11:13:38 +01:00
parent c355618e73
commit 0cb432ed84
13 changed files with 46 additions and 46 deletions
@@ -117,7 +117,7 @@ func (lc *Client) NetworkLockAffectedSigs(ctx context.Context, keyID tkatype.Key
 	return decodeJSON[[]tkatype.MarshaledSignature](body)
 }
-// NetworkLockLog returns up to maxEntries number of changes to network-lock state.
+// NetworkLockLog returns up to maxEntries number of changes to tailnet-lock state.
 func (lc *Client) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstate.NetworkLockUpdate, error) {
 	v := url.Values{}
 	v.Set("limit", fmt.Sprint(maxEntries))
@@ -128,7 +128,7 @@ func (lc *Client) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstat
 	return decodeJSON[[]ipnstate.NetworkLockUpdate](body)
 }
-// NetworkLockForceLocalDisable forcibly shuts down network lock on this node.
+// NetworkLockForceLocalDisable forcibly shuts down tailnet lock on this node.
 func (lc *Client) NetworkLockForceLocalDisable(ctx context.Context) error {
 	// This endpoint expects an empty JSON stanza as the payload.
 	var b bytes.Buffer
@@ -142,7 +142,7 @@ func (lc *Client) NetworkLockForceLocalDisable(ctx context.Context) error {
 	return nil
 }
-// NetworkLockVerifySigningDeeplink verifies the network lock deeplink contained
+// NetworkLockVerifySigningDeeplink verifies the tailnet lock deeplink contained
 // in url and returns information extracted from it.
 func (lc *Client) NetworkLockVerifySigningDeeplink(ctx context.Context, url string) (*tka.DeeplinkValidationResult, error) {
 	vr := struct {
@@ -193,7 +193,7 @@ func (lc *Client) NetworkLockSubmitRecoveryAUM(ctx context.Context, aum tka.AUM)
 	return nil
 }
-// NetworkLockDisable shuts down network-lock across the tailnet.
+// NetworkLockDisable shuts down tailnet-lock across the tailnet.
 func (lc *Client) NetworkLockDisable(ctx context.Context, secret []byte) error {
 	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/disable", 200, bytes.NewReader(secret)); err != nil {
 		return fmt.Errorf("error: %w", err)
@@ -159,7 +159,7 @@ type expandedAUMV1 struct {
 }
 // tkaKeyV1 is the expanded version of a [tka.Key], which describes
-// the public components of a key known to network-lock.
+// the public components of a key known to tailnet-lock.
 type tkaKeyV1 struct {
 	Kind string `json:"Kind,omitzero"`
@@ -116,7 +116,7 @@ type tailnetLockStatusV1Base struct {
 	// Enabled is true if Tailnet Lock is enabled.
 	Enabled bool
-	// PublicKey describes the node's network-lock public key.
+	// PublicKey describes the node's tailnet-lock public key.
 	PublicKey string `json:"PublicKey,omitzero"`
 	// NodeKey describes the node's current node-key. This field is not
@@ -144,7 +144,7 @@ type tailnetLockEnabledStatusV1 struct {
 	NodeKeySignature *tkaNodeKeySignatureV1
 	// TrustedKeys describes the keys currently trusted to make changes
-	// to network-lock.
+	// to tailnet-lock.
 	TrustedKeys []tkaKeyV1
 	// VisiblePeers describes peers which are visible in the netmap that
@@ -50,7 +50,7 @@ var (
 )
 // IsNetworkLockNotActive reports whether the given error indicates that
-// network-lock is not active. Stop-gap for feature/tailnetlock to check this
+// tailnet-lock is not active. Stop-gap for feature/tailnetlock to check this
 // until all of this is code is moved to the feature.
 func IsNetworkLockNotActive(err error) bool {
 	return errors.Is(err, errNetworkLockNotActive)
@@ -80,13 +80,13 @@ func (b *LocalBackend) initTKALocked() error {
 	root := b.TailscaleVarRoot()
 	if root == "" {
 		b.tka = nil
-		b.logf("cannot fetch existing TKA state; no state directory for network-lock")
+		b.logf("cannot fetch existing TKA state; no state directory for tailnet-lock")
 		return nil
 	}
 	chonkDir := b.chonkPathLocked()
 	if _, err := os.Stat(chonkDir); err == nil {
-		// The directory exists, which means network-lock has been initialized.
+		// The directory exists, which means tailnet-lock has been initialized.
 		storage, err := tka.ChonkDir(chonkDir)
 		if err != nil {
 			return fmt.Errorf("opening tailchonk: %v", err)
@@ -139,12 +139,12 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
 			continue
 		}
 		if p.KeySignature().Len() == 0 {
-			b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID(), p.StableID())
+			b.logf("Tailnet lock is dropping peer %v(%v) due to missing signature", p.ID(), p.StableID())
 			mak.Set(&toDelete, i, true)
 		} else {
 			details, err := b.tka.authority.NodeKeyAuthorizedWithDetails(p.Key(), p.KeySignature().AsSlice())
 			if err != nil {
-				b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID(), p.StableID(), err)
+				b.logf("Tailnet lock is dropping peer %v(%v) due to failed signature check: %v", p.ID(), p.StableID(), err)
 				mak.Set(&toDelete, i, true)
 				continue
 			}
@@ -166,7 +166,7 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
 				peers = append(peers, p)
 			} else {
 				if obsoleteByRotation.Contains(p.Key()) {
-					b.logf("Network lock is dropping peer %v(%v) due to key rotation", p.ID(), p.StableID())
+					b.logf("Tailnet lock is dropping peer %v(%v) due to key rotation", p.ID(), p.StableID())
 				}
 				// Record information about the node we filtered out.
 				filtered = append(filtered, tkaStateFromPeer(p))
@@ -496,7 +496,7 @@ func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM, per
 	var storage tka.CompactableChonk
 	if root == "" {
 		b.health.SetUnhealthy(noNetworkLockStateDirWarnable, nil)
-		b.logf("network-lock using in-memory storage; no state directory")
+		b.logf("tailnet-lock using in-memory storage; no state directory")
 		storage = tka.ChonkMem()
 	} else {
 		chonkDir := b.chonkPathLocked()
@@ -624,7 +624,7 @@ func tkaStateFromPeer(p tailcfg.NodeView) ipnstate.TKAPeer {
 	return fp
 }
-// NetworkLockInit enables network-lock for the tailnet, with the tailnets'
+// NetworkLockInit enables tailnet-lock for the tailnet, with the tailnets'
 // key authority initialized to trust the provided keys.
 //
 // Initialization involves two RPCs with control, termed 'begin' and 'finish'.
@@ -632,7 +632,7 @@ func tkaStateFromPeer(p tailcfg.NodeView) ipnstate.TKAPeer {
 // encodes the initial state of the authority, and the list of all nodes
 // needing signatures is returned as a response.
 // The Finish RPC submits signatures for all these nodes, at which point
-// Control has everything it needs to atomically enable network lock.
+// Control has everything it needs to atomically enable tailnet lock.
 func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byte, supportDisablement []byte) error {
 	var ourNodeKey key.NodePublic
 	var nlPriv key.NLPrivate
@@ -667,7 +667,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
 		return fmt.Errorf("tka.Create: %v", err)
 	}
-	b.logf("Generated genesis AUM to initialize network lock, trusting the following keys:")
+	b.logf("Generated genesis AUM to initialize tailnet lock, trusting the following keys:")
 	for i, k := range genesisAUM.State.Keys {
 		b.logf(" - key[%d] = tlpub:%x with %d votes", i, k.Public, k.Votes)
 	}
@@ -682,7 +682,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
 	// node-key signatures, we need to sign keys for all the existing nodes.
 	// If we don't get these signatures ahead of time, everyone will lose
 	// connectivity because control won't have any signatures to send which
-	// satisfy network-lock checks.
+	// satisfy tailnet-lock checks.
 	sigs := make(map[tailcfg.NodeID]tkatype.MarshaledSignature, len(initResp.NeedSignatures))
 	for _, nodeInfo := range initResp.NeedSignatures {
 		nks, err := signNodeKey(nodeInfo, nlPriv)
@@ -722,7 +722,7 @@ func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	if b.tka == nil {
-		panic("network lock not initialized")
+		panic("tailnet lock not initialized")
 	}
 	return b.tka.authority.KeyTrusted(keyID)
 }
@@ -796,7 +796,7 @@ func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []
 		return err
 	}
-	b.logf("Generated network-lock signature for %v, submitting to control plane", nodeKey)
+	b.logf("Generated tailnet-lock signature for %v, submitting to control plane", nodeKey)
 	if _, err := b.tkaSubmitSignature(ourNodeKey, sig.Serialize()); err != nil {
 		return err
 	}
@@ -883,7 +883,7 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
 	return nil
 }
-// NetworkLockDisable disables network-lock using the provided disablement secret.
+// NetworkLockDisable disables tailnet-lock using the provided disablement secret.
 func (b *LocalBackend) NetworkLockDisable(secret []byte) error {
 	var (
 		ourNodeKey key.NodePublic
@@ -86,7 +86,7 @@ type Status struct {
 	ClientVersion *tailcfg.ClientVersion
 }
-// TKAKey describes a key trusted by network lock.
+// TKAKey describes a key trusted by tailnet lock.
 type TKAKey struct {
 	Kind     string
 	Key      key.NLPublic
@@ -94,7 +94,7 @@ type TKAKey struct {
 	Votes    uint
 }
-// TKAPeer describes a peer and its network lock details.
+// TKAPeer describes a peer and its tailnet lock details.
 type TKAPeer struct {
 	Name             string // DNS
 	ID               tailcfg.NodeID
@@ -104,7 +104,7 @@ type TKAPeer struct {
 	NodeKeySignature tka.NodeKeySignature
 }
-// NetworkLockStatus represents whether network-lock is enabled,
+// NetworkLockStatus represents whether tailnet-lock is enabled,
 // along with details about the locally-known state of the tailnet
 // key authority.
 type NetworkLockStatus struct {
@@ -115,7 +115,7 @@ type NetworkLockStatus struct {
 	// if network lock is not enabled.
 	Head *[32]byte
-	// PublicKey describes the node's network-lock public key.
+	// PublicKey describes the node's tailnet-lock public key.
 	// It may be zero if the node has not logged in.
 	PublicKey key.NLPublic
@@ -123,14 +123,14 @@ type NetworkLockStatus struct {
 	// populated if the node is not operating (i.e. waiting for a login).
 	NodeKey *key.NodePublic
-	// NodeKeySigned is true if our node is authorized by network-lock.
+	// NodeKeySigned is true if our node is authorized by tailnet-lock.
 	NodeKeySigned bool
 	// NodeKeySignature is the current signature of this node's key.
 	NodeKeySignature *tka.NodeKeySignature
 	// TrustedKeys describes the keys currently trusted to make changes
-	// to network-lock.
+	// to tailnet-lock.
 	TrustedKeys []TKAKey
 	// VisiblePeers describes peers which are visible in the netmap that
@@ -148,7 +148,7 @@ type NetworkLockStatus struct {
 	StateID uint64
 }
-// NetworkLockUpdate describes a change to network-lock state.
+// NetworkLockUpdate describes a change to tailnet-lock state.
 type NetworkLockUpdate struct {
 	Hash   [32]byte
 	Change string // values of tka.AUMKind.String()
@@ -1283,7 +1283,7 @@ type RegisterRequest struct {
 	Ephemeral bool `json:",omitempty"`
 	// NodeKeySignature is the node's own node-key signature, re-signed
-	// for its new node key using its network-lock key.
+	// for its new node key using its tailnet-lock key.
 	//
 	// This field is set when the client retries registration after learning
 	// its NodeKeySignature (which is in need of rotation).
@@ -1349,7 +1349,7 @@ func (v RegisterRequestView) Hostinfo() HostinfoView { return v.ж.Hostinfo.View
 func (v RegisterRequestView) Ephemeral() bool { return v.ж.Ephemeral }
 // NodeKeySignature is the node's own node-key signature, re-signed
-// for its new node key using its network-lock key.
+// for its new node key using its tailnet-lock key.
 //
 // This field is set when the client retries registration after learning
 // its NodeKeySignature (which is in need of rotation).
@@ -36,7 +36,7 @@ type TKASignInfo struct {
 	// a NodeKeySignature (NKS), which rotates the node key.
 	//
 	// This is necessary so the node can rotate its node-key without
-	// talking to a node which holds a trusted network-lock key.
+	// talking to a node which holds a trusted tailnet-lock key.
 	// It does this by nesting the original NKS in a 'rotation' NKS,
 	// which it then signs with the key corresponding to RotationPubkey.
 	//
@@ -193,7 +193,7 @@ type TKASyncSendResponse struct {
 	Head string
 }
-// TKADisableRequest disables network-lock across the tailnet using the
+// TKADisableRequest disables tailnet-lock across the tailnet using the
 // provided disablement secret.
 //
 // This is the request schema for a /tka/disable noise RPC.
@@ -32,7 +32,7 @@ func (k KeyKind) String() string {
 	}
 }
-// Key describes the public components of a key known to network-lock.
+// Key describes the public components of a key known to tailnet-lock.
 type Key struct {
 	Kind KeyKind `cbor:"1,keyasint"`
@@ -178,7 +178,7 @@ func (s NodeKeySignature) UnverifiedAuthorizingKeyID() (tkatype.KeyID, error) {
 	return s.authorizingKeyID()
 }
-// authorizingKeyID returns the KeyID of the key trusted by network-lock which authorizes
+// authorizingKeyID returns the KeyID of the key trusted by tailnet-lock which authorizes
 // this signature.
 func (s NodeKeySignature) authorizingKeyID() (tkatype.KeyID, error) {
 	switch s.SigKind {
@@ -349,14 +349,14 @@ func (s *NodeKeySignature) rotationDetails() (*RotationDetails, error) {
 // ResignNKS re-signs a node-key signature for a new node-key.
 //
-// This only matters on network-locked tailnets, because node-key signatures are
+// This only matters on tailnet-locked tailnets, because node-key signatures are
 // how other nodes know that a node-key is authentic. When the node-key is
 // rotated then the existing signature becomes invalid, so this function is
 // responsible for generating a new wrapping signature to certify the new node-key.
 //
 // The signature itself is a SigRotation signature, which embeds the old signature
 // and certifies the new node-key as a replacement for the old by signing the new
-// signature with RotationPubkey (which is the node's own network-lock key).
+// signature with RotationPubkey (which is the node's own tailnet-lock key).
 func ResignNKS(priv key.NLPrivate, nodeKey key.NodePublic, oldNKS tkatype.MarshaledSignature) (tkatype.MarshaledSignature, error) {
 	var oldSig NodeKeySignature
 	if err := oldSig.Unserialize(oldNKS); err != nil {
@@ -51,7 +51,7 @@ func TestSigDirect(t *testing.T) {
 }
 func TestSigNested(t *testing.T) {
-	// Network-lock key (the key used to sign the nested sig)
+	// tailnet-lock key (the key used to sign the nested sig)
 	pub, priv := testingKey25519(t, 1)
 	k := Key{Kind: Key25519, Public: pub, Votes: 2}
 	// Rotation key (the key used to sign the outer sig)
@@ -64,7 +64,7 @@ func TestSigNested(t *testing.T) {
 	nodeKeyPub, _ := node.Public().MarshalBinary()
 	// The original signature for the old node key, signed by
-	// the network-lock key.
+	// the tailnet-lock key.
 	nestedSig := NodeKeySignature{
 		SigKind:        SigDirect,
 		KeyID:          k.MustID(),
@@ -127,7 +127,7 @@ func TestSigNested(t *testing.T) {
 }
 func TestSigNested_DeepNesting(t *testing.T) {
-	// Network-lock key (the key used to sign the nested sig)
+	// tailnet-lock key (the key used to sign the nested sig)
 	pub, priv := testingKey25519(t, 1)
 	k := Key{Kind: Key25519, Public: pub, Votes: 2}
 	// Rotation key (the key used to sign the outer sig)
@@ -137,7 +137,7 @@ func TestSigNested_DeepNesting(t *testing.T) {
 	oldPub, _ := oldNode.Public().MarshalBinary()
 	// The original signature for the old node key, signed by
-	// the network-lock key.
+	// the tailnet-lock key.
 	nestedSig := NodeKeySignature{
 		SigKind:        SigDirect,
 		KeyID:          k.MustID(),
@@ -196,7 +196,7 @@ func TestSigNested_DeepNesting(t *testing.T) {
 }
 func TestSigCredential(t *testing.T) {
-	// Network-lock key (the key used to sign the nested sig)
+	// tailnet-lock key (the key used to sign the nested sig)
 	pub, priv := testingKey25519(t, 1)
 	k := Key{Kind: Key25519, Public: pub, Votes: 2}
 	// 'credential' key (the one being delegated to)
@@ -513,7 +513,7 @@ func TestResignNKS(t *testing.T) {
 	origPub, _ := origNode.Public().MarshalBinary()
 	// The original signature for the old node key, signed by
-	// the network-lock key.
+	// the tailnet-lock key.
 	directSig := NodeKeySignature{
 		SigKind:        SigDirect,
 		KeyID:          authKey.MustID(),
@@ -567,7 +567,7 @@ func Bootstrap(storage Chonk, bootstrap AUM) (*Authority, error) {
 // ValidDisablement returns true if the disablement secret was correct.
 //
 // If this method returns true, the caller should shut down the authority
-// and purge all network-lock state.
+// and purge all tailnet-lock state.
 func (a *Authority) ValidDisablement(secret []byte) bool {
 	return a.state.checkDisablement(secret)
 }
@@ -29,7 +29,7 @@ const (
 	nlPublicHexPrefixCLI = "tlpub:"
 )
-// NLPrivate is a node-managed network-lock key, used for signing
+// NLPrivate is a node-managed tailnet-lock key, used for signing
 // node-key signatures and authority update messages.
 type NLPrivate struct {
 	_ structs.Incomparable // because == isn't constant-time
@@ -42,7 +42,7 @@ func (k NLPrivate) IsZero() bool {
 	return subtle.ConstantTimeCompare(k.k[:], empty.k[:]) == 1
 }
-// NewNLPrivate creates and returns a new network-lock key.
+// NewNLPrivate creates and returns a new tailnet-lock key.
 func NewNLPrivate() NLPrivate {
 	// ed25519.GenerateKey 'clamps' the key, not that it
 	// matters given we don't do Diffie-Hellman.
@@ -120,7 +120,7 @@ type NLPublic struct {
 // a type of NLPublic.
 //
 // New uses of this function should be avoided, as it's possible to
-// accidentally construct an NLPublic from a non network-lock key.
+// accidentally construct an NLPublic from a non tailnet-lock key.
 func NLPublicFromEd25519Unsafe(public ed25519.PublicKey) NLPublic {
 	var out NLPublic
 	copy(out.k[:], public)