ipn/ipnlocal,tailcfg: add /debug/tka c2n endpoint (#19198)

Updates tailscale/corp#35015

Signed-off-by: James Sanderson <jsanderson@tailscale.com>

feature/condregister/maybe_tailnetlock.go

@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & contributors
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_tailnetlock
+
+package condregister
+
+import _ "tailscale.com/feature/tailnetlock"

feature/tailnetlock/tailnetlock.go

@@ -0,0 +1,54 @@
+// Copyright (c) Tailscale Inc & contributors
+// SPDX-License-Identifier: BSD-3-Clause
+
+// package tailnetlock registers the tailnet lock debug C2N handler. In the
+// future, all tailnet lock code should move here.
+package tailnetlock
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"tailscale.com/cmd/tailscale/cli/jsonoutput"
+	"tailscale.com/feature"
+	"tailscale.com/feature/buildfeatures"
+	"tailscale.com/ipn/ipnlocal"
+)
+
+func init() {
+	feature.Register("tailnetlock")
+	ipnlocal.RegisterC2N("/debug/tka/log", handleC2NDebugTKALog)
+}
+
+const defaultC2NLogLimit = 50
+const maxC2NLogLimit = 1000
+
+func handleC2NDebugTKALog(b *ipnlocal.LocalBackend, w http.ResponseWriter, r *http.Request) {
+	if !buildfeatures.HasDebug {
+		http.Error(w, feature.ErrUnavailable.Error(), http.StatusNotImplemented)
+		return
+	}
+
+	logf := b.Logger()
+	logf("c2n: %s %s received", r.Method, r.URL)
+
+	limit := defaultC2NLogLimit
+	limitStr := r.URL.Query().Get("limit")
+	if limitStr != "" {
+		if parsed, err := strconv.Atoi(limitStr); err == nil {
+			limit = min(parsed, maxC2NLogLimit)
+		}
+	}
+
+	updates, err := b.NetworkLockLog(limit)
+	if ipnlocal.IsNetworkLockNotActive(err) {
+		http.Error(w, "tailnet lock not active", http.StatusBadRequest)
+		return
+	} else if err != nil {
+		http.Error(w, fmt.Sprintf("failed to get tailnet lock log: %v", err), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	jsonoutput.PrintNetworkLockLogJSONV1(w, updates)
+}

feature/tailnetlock/tailnetlock_test.go

@@ -0,0 +1,146 @@
+// Copyright (c) Tailscale Inc & contributors
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailnetlock
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"tailscale.com/ipn/ipnlocal"
+	"tailscale.com/tka"
+	"tailscale.com/types/key"
+	"tailscale.com/util/must"
+)
+
+func TestHandleC2NDebugTKA(t *testing.T) {
+	makeTKA := func(length int) (tka.CompactableChonk, *tka.Authority) {
+		if length == 0 {
+			return nil, nil
+		}
+
+		disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
+		signerKey := key.NewNLPrivate()
+		key1 := tka.Key{Kind: tka.Key25519, Public: signerKey.Public().Verifier(), Votes: 2}
+
+		chonk := tka.ChonkMem()
+		authority, _, err := tka.Create(chonk, tka.State{
+			Keys:              []tka.Key{key1},
+			DisablementValues: [][]byte{tka.DisablementKDF(disablementSecret)},
+		}, signerKey)
+		if err != nil {
+			t.Fatalf("tka.Create() failed: %v", err)
+		}
+
+		for range length - 1 {
+			updater := authority.NewUpdater(signerKey)
+			key2 := tka.Key{Kind: tka.Key25519, Public: key.NewNLPrivate().Public().Verifier(), Votes: 2}
+			updater.AddKey(key2)
+			aums := must.Get(updater.Finalize(chonk))
+			must.Do(authority.Inform(chonk, aums))
+		}
+
+		return chonk, authority
+	}
+
+	bodyHead := func(body *bytes.Buffer) string {
+		count := 0
+		var sb strings.Builder
+		for line := range strings.Lines(body.String()) {
+			if count == 10 {
+				sb.WriteString("...")
+				break
+			}
+			sb.WriteString(line)
+			count++
+		}
+		return sb.String()
+	}
+
+	// matches [jsonoutput.PrintNetworkLockLogJSONV1]
+	type response struct {
+		SchemaVersion string
+		Messages      []any
+	}
+
+	t.Run("tailnet-lock-disabled", func(t *testing.T) {
+		b := ipnlocal.LocalBackendWithTKAForTest(nil, nil)
+
+		req := httptest.NewRequest("GET", "/debug/tka/log", nil)
+		rec := httptest.NewRecorder()
+		b.HandleC2NForTest(rec, req)
+
+		if rec.Code != 400 {
+			t.Fatalf("got status code: %v, want: 400\nBody: %s", rec.Code, rec.Body)
+		}
+	})
+
+	t.Run("tailnet-lock-enabled", func(t *testing.T) {
+		chonk, authority := makeTKA(2)
+		b := ipnlocal.LocalBackendWithTKAForTest(chonk, authority)
+
+		req := httptest.NewRequest("GET", "/debug/tka/log", nil)
+		rec := httptest.NewRecorder()
+		b.HandleC2NForTest(rec, req)
+
+		if rec.Code != 200 {
+			t.Fatalf("got status code: %v, want: 200\nBody: %s", rec.Code, bodyHead(rec.Body))
+		}
+
+		var got response
+		if err := json.Unmarshal(rec.Body.Bytes(), &got); err != nil {
+			t.Fatalf("couldn't parse JSON: %v\nbody: %s", err, bodyHead(rec.Body))
+		}
+
+		if len(got.Messages) != 2 {
+			t.Fatalf("got %d items, want 2", len(got.Messages))
+		}
+	})
+
+	t.Run("default-limit", func(t *testing.T) {
+		chonk, authority := makeTKA(60)
+		b := ipnlocal.LocalBackendWithTKAForTest(chonk, authority)
+
+		req := httptest.NewRequest("GET", "/debug/tka/log", nil)
+		rec := httptest.NewRecorder()
+		b.HandleC2NForTest(rec, req)
+
+		if rec.Code != 200 {
+			t.Fatalf("got status code: %v, want: 200\nBody: %s", rec.Code, bodyHead(rec.Body))
+		}
+
+		var got response
+		if err := json.Unmarshal(rec.Body.Bytes(), &got); err != nil {
+			t.Fatalf("couldn't parse JSON: %v\nbody: %s", err, bodyHead(rec.Body))
+		}
+
+		if len(got.Messages) != 50 {
+			t.Fatalf("got %d items, want 50", len(got.Messages))
+		}
+	})
+
+	t.Run("override-limit", func(t *testing.T) {
+		chonk, authority := makeTKA(65)
+		b := ipnlocal.LocalBackendWithTKAForTest(chonk, authority)
+
+		req := httptest.NewRequest("GET", "/debug/tka/log?limit=60", nil)
+		rec := httptest.NewRecorder()
+		b.HandleC2NForTest(rec, req)
+
+		if rec.Code != 200 {
+			t.Fatalf("got status code: %v, want: 200\nBody: %s", rec.Code, bodyHead(rec.Body))
+		}
+
+		var got response
+		if err := json.Unmarshal(rec.Body.Bytes(), &got); err != nil {
+			t.Fatalf("couldn't parse JSON: %v\nbody: %s", err, bodyHead(rec.Body))
+		}
+
+		if len(got.Messages) != 60 {
+			t.Fatalf("got %d items, want 60", len(got.Messages))
+		}
+	})
+}