webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

ipn,tka: improve Tailnet Lock logs

Browse Source 
* Refer to "tailnet-lock" instead of "network-lock" in log messages
* Log keys as `tlpub:<hex>` rather than as Go structs

Updates tailscale/corp#39455
Updates tailscale/corp#37904

Change-Id: I644407d1eda029ee11027bcc949897aa4ba52787
Signed-off-by: Alex Chan <alexc@tailscale.com>
This commit is contained in:
Alex Chan
2026-04-01 12:27:51 +01:00
committed by Alex Chan
parent 1e2fdfd745
commit 88e7330ff1
3 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ipn/ipnlocal/network-lock.go
+3 -3
View File
@@ -44,7 +44,7 @@ import (
var ( var (
errMissingNetmap = errors.New("missing netmap: verify that you are logged in") errMissingNetmap = errors.New("missing netmap: verify that you are logged in")
errNetworkLockNotActive = errors.New("network-lock is not active") errNetworkLockNotActive = errors.New("tailnet-lock is not active")
tkaCompactionDefaults = tka.CompactionOptions{ tkaCompactionDefaults = tka.CompactionOptions{
MinChain: 24, // Keep at minimum 24 AUMs since head. MinChain: 24, // Keep at minimum 24 AUMs since head.
@@ -806,7 +806,7 @@ func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []
func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) { func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
defer func() { defer func() {
if err != nil { if err != nil {
err = fmt.Errorf("modify network-lock keys: %w", err) err = fmt.Errorf("modify tailnet-lock keys: %w", err)
} }
}() }()
@@ -1126,7 +1126,7 @@ func (b *LocalBackend) NetworkLockWrapPreauthKey(preauthKey string, tkaKey key.N
return "", fmt.Errorf("signing failed: %w", err) return "", fmt.Errorf("signing failed: %w", err)
} }
b.logf("Generated network-lock credential signature using %s", tkaKey.Public().CLIString()) b.logf("Generated tailnet-lock credential signature using %s", tkaKey.Public().CLIString())
return fmt.Sprintf("%s--TL%s-%s", preauthKey, tkaSuffixEncoder.EncodeToString(sig.Serialize()), tkaSuffixEncoder.EncodeToString(priv)), nil return fmt.Sprintf("%s--TL%s-%s", preauthKey, tkaSuffixEncoder.EncodeToString(sig.Serialize()), tkaSuffixEncoder.EncodeToString(priv)), nil
} }
ipn/localapi/tailnetlock.go
+7 -7
View File
@@ -122,7 +122,7 @@ func (h *Handler) serveTKAInit(w http.ResponseWriter, r *http.Request) {
func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) { func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite { if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden) http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return return
} }
if r.Method != httpm.POST { if r.Method != httpm.POST {
@@ -141,7 +141,7 @@ func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
} }
if err := h.b.NetworkLockModify(req.AddKeys, req.RemoveKeys); err != nil { if err := h.b.NetworkLockModify(req.AddKeys, req.RemoveKeys); err != nil {
http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError) http.Error(w, "tailnet-lock modify failed: "+err.Error(), http.StatusInternalServerError)
return return
} }
w.WriteHeader(204) w.WriteHeader(204)
@@ -149,7 +149,7 @@ func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
func (h *Handler) serveTKAWrapPreauthKey(w http.ResponseWriter, r *http.Request) { func (h *Handler) serveTKAWrapPreauthKey(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite { if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden) http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return return
} }
if r.Method != httpm.POST { if r.Method != httpm.POST {
@@ -212,7 +212,7 @@ func (h *Handler) serveTKAVerifySigningDeeplink(w http.ResponseWriter, r *http.R
func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) { func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite { if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden) http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return return
} }
if r.Method != httpm.POST { if r.Method != httpm.POST {
@@ -228,7 +228,7 @@ func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
} }
if err := h.b.NetworkLockDisable(secret); err != nil { if err := h.b.NetworkLockDisable(secret); err != nil {
http.Error(w, "network-lock disable failed: "+err.Error(), http.StatusBadRequest) http.Error(w, "tailnet-lock disable failed: "+err.Error(), http.StatusBadRequest)
return return
} }
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
@@ -236,7 +236,7 @@ func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
func (h *Handler) serveTKALocalDisable(w http.ResponseWriter, r *http.Request) { func (h *Handler) serveTKALocalDisable(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite { if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden) http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return return
} }
if r.Method != httpm.POST { if r.Method != httpm.POST {
@@ -252,7 +252,7 @@ func (h *Handler) serveTKALocalDisable(w http.ResponseWriter, r *http.Request) {
} }
if err := h.b.NetworkLockForceLocalDisable(); err != nil { if err := h.b.NetworkLockForceLocalDisable(); err != nil {
http.Error(w, "network-lock local disable failed: "+err.Error(), http.StatusBadRequest) http.Error(w, "tailnet-lock local disable failed: "+err.Error(), http.StatusBadRequest)
return return
} }
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
tka/builder.go
+2 -2
View File
@@ -67,11 +67,11 @@ func (b *UpdateBuilder) AddKey(key Key) error {
} }
if _, err := b.state.GetKey(keyID); err == nil { if _, err := b.state.GetKey(keyID); err == nil {
return fmt.Errorf("cannot add key %v: already exists", key) return fmt.Errorf("cannot add key tlpub:%x: already exists", key.Public)
} }
if len(b.state.Keys) >= maxKeys { if len(b.state.Keys) >= maxKeys {
return fmt.Errorf("cannot add key %v: maximum number of keys reached", key) return fmt.Errorf("cannot add key tlpub:%x: maximum number of keys reached", key.Public)
} }
return b.mkUpdate(AUM{MessageKind: AUMAddKey, Key: &key}) return b.mkUpdate(AUM{MessageKind: AUMAddKey, Key: &key})