android: show locked out view

MainViewModel listens for tailnet lock status, and MainView shows "admin signing required" messaging for devices that require signing. This also refactors ConnectView a bit for readability. Fixes tailscale/corp#23657 Signed-off-by: kari-ts <kari@tailscale.com>
2 months ago · d83564f22a
parent be89cb10fe
commit d83564f22a
3 changed files with 200 additions and 110 deletions
--- a/android/src/main/java/com/tailscale/ipn/ui/view/MainView.kt
+++ b/android/src/main/java/com/tailscale/ipn/ui/view/MainView.kt
@ -121,6 +121,7 @@ fun MainView(
 ) {
  val currentPingDevice by viewModel.pingViewModel.peer.collectAsState()
  val healthIcon by viewModel.healthIcon.collectAsState()
+  val isLockedOut by viewModel.isLockedOut.collectAsState()

  LoadingIndicator.Wrap {
    Scaffold(contentWindowInsets = WindowInsets.Companion.statusBars) { paddingInsets ->
@ -213,24 +214,38 @@ fun MainView(

            when (state) {
              Ipn.State.Running -> {
+                if (isLockedOut){
+                  ConnectView(
+                    state,
+                    isPrepared,
+                    isLockedOut,
+                    state != Ipn.State.Stopping,
+                    user,
+                    { viewModel.toggleVpn() },
+                    { viewModel.login() },
+                    loginAtUrl,
+                    netmap?.SelfNode,
+                    { viewModel.showVPNPermissionLauncherIfUnauthorized() })
+                } else {

-                PromptPermissionsIfNecessary()
+                  PromptPermissionsIfNecessary()

-                viewModel.showVPNPermissionLauncherIfUnauthorized()
+                  viewModel.showVPNPermissionLauncherIfUnauthorized()

-                if (showKeyExpiry) {
-                  ExpiryNotification(netmap = netmap, action = { viewModel.login() })
-                }
+                  if (showKeyExpiry) {
+                    ExpiryNotification(netmap = netmap, action = { viewModel.login() })
+                  }

-                if (showExitNodePicker.value == ShowHide.Show) {
-                  ExitNodeStatus(
-                      navAction = navigation.onNavigateToExitNodes, viewModel = viewModel)
-                }
+                  if (showExitNodePicker.value == ShowHide.Show) {
+                    ExitNodeStatus(
+                        navAction = navigation.onNavigateToExitNodes, viewModel = viewModel)
+                  }

-                PeerList(
-                    viewModel = viewModel,
-                    onNavigateToPeerDetails = navigation.onNavigateToPeerDetails,
-                    onSearch = { viewModel.searchPeers(it) })
+                  PeerList(
+                      viewModel = viewModel,
+                      onNavigateToPeerDetails = navigation.onNavigateToPeerDetails,
+                      onSearch = { viewModel.searchPeers(it) })
+                }
              }
              Ipn.State.NoState,
              Ipn.State.Starting -> StartingView()
@ -241,6 +256,7 @@ fun MainView(
                    // If Tailscale is stopping, don't automatically restart; wait for user to take
                    // action (eg, if the user connected to another VPN).
                    state != Ipn.State.Stopping,
+                    isLockedOut,
                    user,
                    { viewModel.toggleVpn() },
                    { viewModel.login() },
@ -417,6 +433,7 @@ fun ConnectView(
    state: Ipn.State,
    isPrepared: Boolean,
    shouldStartAutomatically: Boolean,
+    isLockedOut: Boolean,
    user: IpnLocal.LoginProfile?,
    connectAction: () -> Unit,
    loginAction: () -> Unit,
@ -424,108 +441,165 @@ fun ConnectView(
    selfNode: Tailcfg.Node?,
    showVPNPermissionLauncherIfUnauthorized: () -> Unit
 ) {
-  LaunchedEffect(isPrepared) {
-    if (!isPrepared && shouldStartAutomatically) {
-      showVPNPermissionLauncherIfUnauthorized()
+    // Handle VPN permission automatically
+    LaunchedEffect(isPrepared) {
+        if (!isPrepared && shouldStartAutomatically) {
+            showVPNPermissionLauncherIfUnauthorized()
+        }
    }
-  }
-  Row(horizontalArrangement = Arrangement.Center, modifier = Modifier.fillMaxWidth()) {
-    Column(horizontalAlignment = Alignment.CenterHorizontally, modifier = Modifier.fillMaxWidth()) {
-      Column(
-          modifier = Modifier.padding(8.dp).fillMaxWidth(0.7f).fillMaxHeight(),
-          verticalArrangement = Arrangement.spacedBy(8.dp, alignment = Alignment.CenterVertically),
-          horizontalAlignment = Alignment.CenterHorizontally,
-      ) {
-        if (!isPrepared) {
-          TailscaleLogoView(modifier = Modifier.size(50.dp))
-          Spacer(modifier = Modifier.size(1.dp))
-          Text(
-              text = stringResource(id = R.string.welcome_to_tailscale),
-              style = MaterialTheme.typography.titleMedium,
-              textAlign = TextAlign.Center)
-          Text(
-              stringResource(R.string.give_permissions),
-              style = MaterialTheme.typography.titleSmall,
-              textAlign = TextAlign.Center)
-          Spacer(modifier = Modifier.size(1.dp))
-          PrimaryActionButton(onClick = connectAction) {
-            Text(
-                text = stringResource(id = R.string.connect),
-                fontSize = MaterialTheme.typography.titleMedium.fontSize)
-          }
-        } else if (state == Ipn.State.NeedsMachineAuth) {
-          Icon(
-              modifier = Modifier.size(40.dp),
-              imageVector = Icons.Outlined.Lock,
-              contentDescription = "Device requires authentication")
-          Text(
-              text = stringResource(id = R.string.machine_auth_required),
-              style = MaterialTheme.typography.titleMedium,
-              textAlign = TextAlign.Center)
-          Text(
-              text = stringResource(id = R.string.machine_auth_explainer),
-              style = MaterialTheme.typography.bodyMedium,
-              textAlign = TextAlign.Center)
-          Spacer(modifier = Modifier.size(1.dp))
-          selfNode?.let {
-            PrimaryActionButton(onClick = { loginAtUrlAction(it.nodeAdminUrl) }) {
-              Text(
-                  text = stringResource(id = R.string.open_admin_console),
-                  fontSize = MaterialTheme.typography.titleMedium.fontSize)
+
+    Row(horizontalArrangement = Arrangement.Center, modifier = Modifier.fillMaxWidth()) {
+        Column(horizontalAlignment = Alignment.CenterHorizontally, modifier = Modifier.fillMaxWidth()) {
+            if (isLockedOut) {
+                LockedOutView()  
+            } else if (!isPrepared) {
+                NotPreparedView(connectAction)
+            } else if (state == Ipn.State.NeedsMachineAuth) {
+                MachineAuthView(selfNode, loginAtUrlAction)
+            } else if (state != Ipn.State.NeedsLogin && user != null && !user.isEmpty()) {
+                NotConnectedView(user, connectAction)
+            } else {
+                WelcomeView(loginAction)
            }
-          }
-        } else if (state != Ipn.State.NeedsLogin && user != null && !user.isEmpty()) {
-          Icon(
-              painter = painterResource(id = R.drawable.power),
-              contentDescription = null,
-              modifier = Modifier.size(40.dp),
-              tint = MaterialTheme.colorScheme.disabled)
-          Text(
-              text = stringResource(id = R.string.not_connected),
-              fontSize = MaterialTheme.typography.titleMedium.fontSize,
-              fontWeight = FontWeight.SemiBold,
-              textAlign = TextAlign.Center,
-              fontFamily = MaterialTheme.typography.titleMedium.fontFamily)
-          val tailnetName = user.NetworkProfile?.DomainName ?: ""
-          Text(
-              buildAnnotatedString {
-                append(stringResource(id = R.string.connect_to_tailnet_prefix))
-                pushStyle(SpanStyle(fontWeight = FontWeight.Bold))
-                append(tailnetName)
-                pop()
-                append(stringResource(id = R.string.connect_to_tailnet_suffix))
-              },
-              fontSize = MaterialTheme.typography.titleMedium.fontSize,
-              fontWeight = FontWeight.Normal,
-              textAlign = TextAlign.Center,
-          )
-          Spacer(modifier = Modifier.size(1.dp))
-          PrimaryActionButton(onClick = connectAction) {
-            Text(
-                text = stringResource(id = R.string.connect),
-                fontSize = MaterialTheme.typography.titleMedium.fontSize)
-          }
-        } else {
-          TailscaleLogoView(modifier = Modifier.size(50.dp))
-          Spacer(modifier = Modifier.size(1.dp))
-          Text(
-              text = stringResource(id = R.string.welcome_to_tailscale),
-              style = MaterialTheme.typography.titleMedium,
-              textAlign = TextAlign.Center)
-          Text(
-              stringResource(R.string.login_to_join_your_tailnet),
-              style = MaterialTheme.typography.titleSmall,
-              textAlign = TextAlign.Center)
-          Spacer(modifier = Modifier.size(1.dp))
-          PrimaryActionButton(onClick = loginAction) {
+        }
+    }
+}
+
+@Composable
+fun LockedOutView() {
+    Column(
+        modifier = Modifier
+            .fillMaxHeight()
+            .fillMaxWidth(),
+        verticalArrangement = Arrangement.Center,
+        horizontalAlignment = Alignment.CenterHorizontally
+    ) {
+        Icon(
+            modifier = Modifier.size(40.dp),
+            imageVector = Icons.Outlined.Lock,
+            contentDescription = "Device requires signing"
+        )
+        Text(
+            text = stringResource(id = R.string.admin_signing_required),
+            style = MaterialTheme.typography.titleMedium,
+            textAlign = TextAlign.Center
+        )
+        Text(
+            text = stringResource(id = R.string.admin_signing_explainer),
+            style = MaterialTheme.typography.bodyMedium,
+            textAlign = TextAlign.Center
+        )
+    }
+}
+
+@Composable
+fun NotPreparedView(connectAction: () -> Unit) {
+    TailscaleLogoView(modifier = Modifier.size(50.dp))
+    Spacer(modifier = Modifier.size(1.dp))
+    Text(
+        text = stringResource(id = R.string.welcome_to_tailscale),
+        style = MaterialTheme.typography.titleMedium,
+        textAlign = TextAlign.Center
+    )
+    Text(
+        stringResource(R.string.give_permissions),
+        style = MaterialTheme.typography.titleSmall,
+        textAlign = TextAlign.Center
+    )
+    Spacer(modifier = Modifier.size(1.dp))
+    PrimaryActionButton(onClick = connectAction) {
+        Text(
+            text = stringResource(id = R.string.connect),
+            fontSize = MaterialTheme.typography.titleMedium.fontSize
+        )
+    }
+}
+
+@Composable
+fun MachineAuthView(selfNode: Tailcfg.Node?, loginAtUrlAction: (String) -> Unit) {
+    Icon(
+        modifier = Modifier.size(40.dp),
+        imageVector = Icons.Outlined.Lock,
+        contentDescription = "Device requires authentication"
+    )
+    Text(
+        text = stringResource(id = R.string.machine_auth_required),
+        style = MaterialTheme.typography.titleMedium,
+        textAlign = TextAlign.Center
+    )
+    Text(
+        text = stringResource(id = R.string.machine_auth_explainer),
+        style = MaterialTheme.typography.bodyMedium,
+        textAlign = TextAlign.Center
+    )
+    Spacer(modifier = Modifier.size(1.dp))
+    selfNode?.let {
+        PrimaryActionButton(onClick = { loginAtUrlAction(it.nodeAdminUrl) }) {
            Text(
-                text = stringResource(id = R.string.log_in),
-                fontSize = MaterialTheme.typography.titleMedium.fontSize)
-          }
+                text = stringResource(id = R.string.open_admin_console),
+                fontSize = MaterialTheme.typography.titleMedium.fontSize
+            )
        }
-      }
    }
-  }
+}
+
+@Composable
+fun NotConnectedView(user: IpnLocal.LoginProfile, connectAction: () -> Unit) {
+    Icon(
+        painter = painterResource(id = R.drawable.power),
+        contentDescription = null,
+        modifier = Modifier.size(40.dp),
+        tint = MaterialTheme.colorScheme.disabled
+    )
+    Text(
+        text = stringResource(id = R.string.not_connected),
+        fontSize = MaterialTheme.typography.titleMedium.fontSize,
+        fontWeight = FontWeight.SemiBold,
+        textAlign = TextAlign.Center
+    )
+    val tailnetName = user.NetworkProfile?.DomainName ?: ""
+    Text(
+        buildAnnotatedString {
+            append(stringResource(id = R.string.connect_to_tailnet_prefix))
+            pushStyle(SpanStyle(fontWeight = FontWeight.Bold))
+            append(tailnetName)
+            pop()
+            append(stringResource(id = R.string.connect_to_tailnet_suffix))
+        },
+        fontSize = MaterialTheme.typography.titleMedium.fontSize,
+        fontWeight = FontWeight.Normal,
+        textAlign = TextAlign.Center
+    )
+    Spacer(modifier = Modifier.size(1.dp))
+    PrimaryActionButton(onClick = connectAction) {
+        Text(
+            text = stringResource(id = R.string.connect),
+            fontSize = MaterialTheme.typography.titleMedium.fontSize
+        )
+    }
+}
+
+@Composable
+fun WelcomeView(loginAction: () -> Unit) {
+    TailscaleLogoView(modifier = Modifier.size(50.dp))
+    Spacer(modifier = Modifier.size(1.dp))
+    Text(
+        text = stringResource(id = R.string.welcome_to_tailscale),
+        style = MaterialTheme.typography.titleMedium,
+        textAlign = TextAlign.Center
+    )
+    Text(
+        stringResource(R.string.login_to_join_your_tailnet),
+        style = MaterialTheme.typography.titleSmall,
+        textAlign = TextAlign.Center
+    )
+    Spacer(modifier = Modifier.size(1.dp))
+    PrimaryActionButton(onClick = loginAction) {
+        Text(
+            text = stringResource(id = R.string.log_in),
+            fontSize = MaterialTheme.typography.titleMedium.fontSize
+        )
+    }
 }

@OptIn(ExperimentalMaterial3Api::class, ExperimentalFoundationApi::class)
--- a/android/src/main/java/com/tailscale/ipn/ui/viewModel/MainViewModel.kt
+++ b/android/src/main/java/com/tailscale/ipn/ui/viewModel/MainViewModel.kt
@ -14,6 +14,7 @@ import androidx.lifecycle.viewModelScope
 import com.tailscale.ipn.App
 import com.tailscale.ipn.R
 import com.tailscale.ipn.mdm.MDMSettings
+import com.tailscale.ipn.ui.localapi.Client
 import com.tailscale.ipn.ui.model.Ipn
 import com.tailscale.ipn.ui.model.Ipn.State
 import com.tailscale.ipn.ui.model.Tailcfg
@ -75,6 +76,9 @@ class MainViewModel(private val vpnViewModel: VpnViewModel) : IpnViewModel() {

  val isVpnActive: StateFlow<Boolean> = vpnViewModel.vpnActive

+  // If tailnet lock is enabled, whether the node is locked out
+  val isLockedOut: StateFlow<Boolean> = MutableStateFlow(false)
+
  // Icon displayed in the button to present the health view
  val healthIcon: StateFlow<Int?> = MutableStateFlow(null)

@ -152,6 +156,16 @@ class MainViewModel(private val vpnViewModel: VpnViewModel) : IpnViewModel() {
    viewModelScope.launch {
      App.get().healthNotifier?.currentIcon?.collect { icon -> healthIcon.set(icon) }
    }
+
+    Client(viewModelScope).tailnetLockStatus { result ->
+      result.onSuccess { status ->
+        if (status.Enabled == true && status.NodeKeySigned == false) {
+          isLockedOut.set(true)
+        } else {
+          isLockedOut.set(false)
+        }
+      }
+    }
  }

  fun showVPNPermissionLauncherIfUnauthorized() {
--- a/android/src/main/res/values/strings.xml
+++ b/android/src/main/res/values/strings.xml
@ -69,6 +69,8 @@
    <string name="machine_auth_explainer">This device must be approved by an administrator before it can connect to the tailnet.</string>
    <string name="open_admin_console">Open admin console</string>
    <string name="needs_machine_auth">Authorization required</string>
+    <string name="admin_signing_required">Admin signing required</string>
+    <string name="admin_signing_explainer">This device must be signed by an administrator in this tailnet. Please contact your network administrator for assistance.</string>
    <string name="disable">Disable</string>
    <string name="enable">Enable</string>
    <string name="stop">Stop</string>