ipn/ipnlocal,tailcfg: add /debug/tka c2n endpoint (#19198)
Updates tailscale/corp#35015

Signed-off-by: James Sanderson <jsanderson@tailscale.com>
committed by
GitHub
parent
ec86f0ff93
commit
ffae275d4d
@@ -27,6 +27,7 @@ import (
|
||||
"tailscale.com/util/goroutines"
|
||||
"tailscale.com/util/httpm"
|
||||
"tailscale.com/util/set"
|
||||
"tailscale.com/util/testenv"
|
||||
"tailscale.com/version"
|
||||
)
|
||||
|
||||
@@ -323,3 +324,10 @@ func handleC2NSetNetfilterKind(b *LocalBackend, w http.ResponseWriter, r *http.R
|
||||
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
// HandleC2NForTest calls [handleC2N], for use by feature/ packages that
|
||||
// register C2N handlers and want to test them.
|
||||
func (b *LocalBackend) HandleC2NForTest(w http.ResponseWriter, r *http.Request) {
|
||||
testenv.AssertInTest()
|
||||
b.handleC2N(w, r)
|
||||
}
|
||||
|
||||
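Review bot: HandleC2NForTest exposes the unexported handleC2N dispatcher as an exported method on the production LocalBackend type, and its doc comment does not say what happens when it is reached from non-test code; the only guard is the testenv.AssertInTest() call on the line before b.handleC2N(w, r). Suggest stating that contract in the doc comment, e.g. `// It must only be called from tests; testenv.AssertInTest guards against other callers.` Because it presumably skips whatever authentication the regular c2n request path performs before handleC2N is reached (that path is not visible in this hunk), it is worth keeping call sites confined to _test.go files, which the ForTest suffix makes easy to check with a lint rule.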
@@ -27,6 +27,7 @@ import (
|
||||
"tailscale.com/health/healthmsg"
|
||||
"tailscale.com/ipn"
|
||||
"tailscale.com/ipn/ipnstate"
|
||||
"tailscale.com/ipn/store/mem"
|
||||
"tailscale.com/net/tsaddr"
|
||||
"tailscale.com/tailcfg"
|
||||
"tailscale.com/tka"
|
||||
@@ -38,6 +39,7 @@ import (
|
||||
"tailscale.com/types/tkatype"
|
||||
"tailscale.com/util/mak"
|
||||
"tailscale.com/util/set"
|
||||
"tailscale.com/util/testenv"
|
||||
)
|
||||
|
||||
// TODO(tom): RPC retry/backoff was broken and has been removed. Fix?
|
||||
@@ -47,6 +49,13 @@ var (
|
||||
errNetworkLockNotActive = errors.New("tailnet-lock is not active")
|
||||
)
|
||||
|
||||
// IsNetworkLockNotActive reports whether the given error indicates that
|
||||
// network-lock is not active. Stop-gap for feature/tailnetlock to check this
|
||||
// until all of this is code is moved to the feature.
|
||||
func IsNetworkLockNotActive(err error) bool {
|
||||
return errors.Is(err, errNetworkLockNotActive)
|
||||
}
|
||||
|
||||
type tkaState struct {
|
||||
profile ipn.ProfileID
|
||||
authority *tka.Authority
|
||||
@@ -702,6 +711,7 @@ func (b *LocalBackend) NetworkLockAllowed() bool {
|
||||
|
||||
// Only use is in tests.
|
||||
func (b *LocalBackend) NetworkLockVerifySignatureForTest(nks tkatype.MarshaledSignature, nodeKey key.NodePublic) error {
|
||||
testenv.AssertInTest()
|
||||
b.mu.Lock()
|
||||
defer b.mu.Unlock()
|
||||
if b.tka == nil {
|
||||
@@ -712,6 +722,7 @@ func (b *LocalBackend) NetworkLockVerifySignatureForTest(nks tkatype.MarshaledSi
|
||||
|
||||
// Only use is in tests.
|
||||
func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
|
||||
testenv.AssertInTest()
|
||||
b.mu.Lock()
|
||||
defer b.mu.Unlock()
|
||||
if b.tka == nil {
|
||||
@@ -1481,3 +1492,24 @@ func (b *LocalBackend) tkaReadAffectedSigs(ourNodeKey key.NodePublic, key tkatyp
|
||||
|
||||
return a, nil
|
||||
}
|
||||
|
||||
// LocalBackendWithTKAForTest creates a LocalBackend with an initialized TKA
|
||||
// state for testing tailnet lock from the feature/tailnetlock package. Will be
|
||||
// removed when tailnet lock is fully moved to its own package. Do not use this
|
||||
// from any other package.
|
||||
func LocalBackendWithTKAForTest(chonk tka.CompactableChonk, tka *tka.Authority) *LocalBackend {
|
||||
testenv.AssertInTest()
|
||||
|
||||
var state *tkaState
|
||||
if tka != nil {
|
||||
state = &tkaState{
|
||||
authority: tka,
|
||||
storage: chonk,
|
||||
}
|
||||
}
|
||||
return &LocalBackend{
|
||||
store: &mem.Store{},
|
||||
logf: logger.Discard,
|
||||
tka: state,
|
||||
}
|
||||
}
|
||||
|
||||
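Review bot: In LocalBackendWithTKAForTest the parameter `tka *tka.Authority` shadows the imported tka package for the whole body, so no further package reference (such as tka.CompactableChonk) is usable inside the function and the `tka != nil` / `authority: tka` lines read as if they tested a package; rename it, e.g. `func LocalBackendWithTKAForTest(chonk tka.CompactableChonk, authority *tka.Authority) *LocalBackend` with `authority: authority`. The function also silently discards chonk when the authority is nil, which the doc comment should say: `// If authority is nil, the returned backend has no TKA state and chonk is ignored.` The returned LocalBackend only sets store, logf and tka, so callers should be warned that methods depending on other fields may not be usable on it. Separately, the IsNetworkLockNotActive comment in the hunk at line 113 has a stray word; it should read `// until all of this code is moved to the feature.`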