wgengine/wgcfg: plumb down audit log IDs (#5855)

The node and domain audit log IDs are provided in the map response, but are ultimately going to be used in wgengine since that's the layer that manages the tstun.Wrapper. Do the plumbing work to get this field passed down the stack. Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-10-06 16:19:38 -07:00
parent 92ad56ddcb
commit 82f5f438e0
5 changed files with 64 additions and 20 deletions
@@ -8,6 +8,7 @@ package wgcfg
 import (
 	"net/netip"

+	"tailscale.com/logtail"
 	"tailscale.com/types/key"
 )

@@ -22,6 +23,13 @@ type Config struct {
 	MTU        uint16
 	DNS        []netip.Addr
 	Peers      []Peer
+
+	// NetworkLogging enables network logging.
+	// It is disabled if either ID is the zero value.
+	NetworkLogging struct {
+		NodeID   logtail.PrivateID
+		DomainID logtail.PrivateID
+	}
 }

 type Peer struct {
@@ -11,6 +11,8 @@ import (
 	"net/netip"
 	"strings"

+	"golang.org/x/exp/slices"
+	"tailscale.com/logtail"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
@@ -58,6 +60,25 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
 	}

+	// Setup log IDs for data plane audit logging.
+	if nm.SelfNode != nil {
+		canNetworkLog := slices.Contains(nm.SelfNode.Capabilities, tailcfg.CapabilityDataPlaneAuditLogs)
+		if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID != "" && nm.DomainAuditLogID != "" {
+			nodeID, errNode := logtail.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID)
+			if errNode != nil {
+				logf("[v1] wgcfg: unable to parse node audit log ID: %v", errNode)
+			}
+			domainID, errDomain := logtail.ParsePrivateID(nm.DomainAuditLogID)
+			if errDomain != nil {
+				logf("[v1] wgcfg: unable to parse domain audit log ID: %v", errDomain)
+			}
+			if errNode == nil && errDomain == nil {
+				cfg.NetworkLogging.NodeID = nodeID
+				cfg.NetworkLogging.DomainID = domainID
+			}
+		}
+	}
+
 	// Logging buffers
 	skippedUnselected := new(bytes.Buffer)
 	skippedIPs := new(bytes.Buffer)
@@ -9,6 +9,7 @@ package wgcfg
 import (
 	"net/netip"

+	"tailscale.com/logtail"
 	"tailscale.com/types/key"
 )

@@ -31,12 +32,16 @@ func (src *Config) Clone() *Config {

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _ConfigCloneNeedsRegeneration = Config(struct {
-	Name       string
-	PrivateKey key.NodePrivate
-	Addresses  []netip.Prefix
-	MTU        uint16
-	DNS        []netip.Addr
-	Peers      []Peer
+	Name           string
+	PrivateKey     key.NodePrivate
+	Addresses      []netip.Prefix
+	MTU            uint16
+	DNS            []netip.Addr
+	Peers          []Peer
+	NetworkLogging struct {
+		NodeID   logtail.PrivateID
+		DomainID logtail.PrivateID
+	}
 }{})

 // Clone makes a deep copy of Peer.