cmd/tailscale,ipn: implement lock sign command

Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago · 0af57fce4c
parent 7d6775b082
commit 0af57fce4c
6 changed files with 252 additions and 0 deletions
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@ -36,6 +36,7 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
+	"tailscale.com/types/key"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
@ -827,6 +828,25 @@ func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKey
 	return pr, nil
 }

+// NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
+// rotationPublic, if specified, must be an ed25519 public key.
+func (lc *LocalClient) NetworkLockSign(ctx context.Context, nodeKey key.NodePublic, rotationPublic []byte) error {
+	var b bytes.Buffer
+	type signRequest struct {
+		NodeKey        key.NodePublic
+		RotationPublic []byte
+	}
+
+	if err := json.NewEncoder(&b).Encode(signRequest{NodeKey: nodeKey, RotationPublic: rotationPublic}); err != nil {
+		return err
+	}
+
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/sign", 200, &b); err != nil {
+		return fmt.Errorf("error: %w", err)
+	}
+	return nil
+}
+
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@ -26,6 +26,7 @@ var netlockCmd = &ffcli.Command{
 		nlStatusCmd,
 		nlAddCmd,
 		nlRemoveCmd,
+		nlSignCmd,
 	},
 	Exec: runNetworkLockStatus,
 }
@ -163,3 +164,27 @@ func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) err
 	fmt.Printf("Status: %+v\n\n", status)
 	return nil
 }
+
+var nlSignCmd = &ffcli.Command{
+	Name:       "sign",
+	ShortUsage: "sign <node-key>",
+	ShortHelp:  "Signs a node-key and transmits that signature to the control plane",
+	Exec:       runNetworkLockSign,
+}
+
+// TODO(tom): Implement specifying the rotation key for the signature.
+func runNetworkLockSign(ctx context.Context, args []string) error {
+	switch len(args) {
+	case 0:
+		return errors.New("expected node-key as second argument")
+	case 1:
+		var nodeKey key.NodePublic
+		if err := nodeKey.UnmarshalText([]byte(args[0])); err != nil {
+			return fmt.Errorf("decoding node-key: %w", err)
+		}
+
+		return localClient.NetworkLockSign(ctx, nodeKey, nil)
+	default:
+		return errors.New("expected a single node-key as only argument")
+	}
+}
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@ -430,6 +430,47 @@ func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
 	return b.tka.authority.KeyTrusted(keyID)
 }

+// NetworkLockSign signs the given node-key and submits it to the control plane.
+// rotationPublic, if specified, must be an ed25519 public key.
+func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []byte) error {
+	ourNodeKey, sig, err := func(nodeKey key.NodePublic, rotationPublic []byte) (key.NodePublic, tka.NodeKeySignature, error) {
+		b.mu.Lock()
+		defer b.mu.Unlock()
+
+		if b.tka == nil {
+			return key.NodePublic{}, tka.NodeKeySignature{}, errNetworkLockNotActive
+		}
+		if !b.tka.authority.KeyTrusted(b.nlPrivKey.KeyID()) {
+			return key.NodePublic{}, tka.NodeKeySignature{}, errors.New("this node is not trusted by network lock")
+		}
+
+		p, err := nodeKey.MarshalBinary()
+		if err != nil {
+			return key.NodePublic{}, tka.NodeKeySignature{}, err
+		}
+		sig := tka.NodeKeySignature{
+			SigKind:        tka.SigDirect,
+			KeyID:          b.nlPrivKey.KeyID(),
+			Pubkey:         p,
+			WrappingPubkey: rotationPublic,
+		}
+		sig.Signature, err = b.nlPrivKey.SignNKS(sig.SigHash())
+		if err != nil {
+			return key.NodePublic{}, tka.NodeKeySignature{}, fmt.Errorf("signature failed: %w", err)
+		}
+		return b.prefs.Persist().PublicNodeKey(), sig, nil
+	}(nodeKey, rotationPublic)
+	if err != nil {
+		return err
+	}
+
+	b.logf("Generated network-lock signature for %v, submitting to control plane", nodeKey)
+	if _, err := b.tkaSubmitSignature(ourNodeKey, sig.Serialize()); err != nil {
+		return err
+	}
+	return nil
+}
+
 // NetworkLockModify adds and/or removes keys in the tailnet's key authority.
 func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
 	defer func() {
@ -817,3 +858,39 @@ func (b *LocalBackend) tkaDoDisablement(ourNodeKey key.NodePublic, head tka.AUMH

 	return a, nil
 }
+
+func (b *LocalBackend) tkaSubmitSignature(ourNodeKey key.NodePublic, sig tkatype.MarshaledSignature) (*tailcfg.TKASubmitSignatureResponse, error) {
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(tailcfg.TKASubmitSignatureRequest{
+		Version:   tailcfg.CurrentCapabilityVersion,
+		NodeKey:   ourNodeKey,
+		Signature: sig,
+	}); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sign", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
+	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKASubmitSignatureResponse)
+	err = json.NewDecoder(&io.LimitedReader{R: res.Body, N: 1024 * 1024}).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
+}
--- a/ipn/ipnlocal/network-lock_test.go
+++ b/ipn/ipnlocal/network-lock_test.go
@ -629,3 +629,83 @@ func TestTKADisable(t *testing.T) {
 		t.Errorf("NetworkLockDisable() failed: %v", err)
 	}
 }
+
+func TestTKASign(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	temp := t.TempDir()
+	os.Mkdir(filepath.Join(temp, "tka"), 0755)
+	nodePriv := key.NewNode()
+	toSign := key.NewNode()
+
+	// Make a fake TKA authority, to seed local state.
+	disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
+	nlPriv := key.NewNLPrivate()
+	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
+	chonk, err := tka.ChonkDir(filepath.Join(temp, "tka"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	authority, _, err := tka.Create(chonk, tka.State{
+		Keys:               []tka.Key{key},
+		DisablementSecrets: [][]byte{tka.DisablementKDF(disablementSecret)},
+	}, nlPriv)
+	if err != nil {
+		t.Fatalf("tka.Create() failed: %v", err)
+	}
+
+	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		switch r.URL.Path {
+		case "/machine/tka/sign":
+			body := new(tailcfg.TKASubmitSignatureRequest)
+			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+				t.Fatal(err)
+			}
+			if body.Version != tailcfg.CurrentCapabilityVersion {
+				t.Errorf("sign CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
+			}
+			if body.NodeKey != nodePriv.Public() {
+				t.Errorf("nodeKey = %v, want %v", body.NodeKey, nodePriv.Public())
+			}
+
+			var sig tka.NodeKeySignature
+			if err := sig.Unserialize(body.Signature); err != nil {
+				t.Fatalf("malformed signature: %v", err)
+			}
+
+			if err := authority.NodeKeyAuthorized(toSign.Public(), body.Signature); err != nil {
+				t.Errorf("signature does not verify: %v", err)
+			}
+
+			w.WriteHeader(200)
+			if err := json.NewEncoder(w).Encode(tailcfg.TKASubmitSignatureResponse{}); err != nil {
+				t.Fatal(err)
+			}
+
+		default:
+			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
+			w.WriteHeader(404)
+		}
+	}))
+	defer ts.Close()
+
+	cc := fakeControlClient(t, client)
+	b := LocalBackend{
+		varRoot: temp,
+		cc:      cc,
+		ccAuto:  cc,
+		logf:    t.Logf,
+		tka: &tkaState{
+			authority: authority,
+			storage:   chonk,
+		},
+		prefs: (&ipn.Prefs{
+			Persist: &persist.Persist{PrivateNodeKey: nodePriv},
+		}).View(),
+		nlPrivKey: nlPriv,
+	}
+
+	if err := b.NetworkLockSign(toSign.Public(), nil); err != nil {
+		t.Errorf("NetworkLockSign() failed: %v", err)
+	}
+}
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@ -34,6 +34,7 @@ import (
 	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
+	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
@ -75,6 +76,7 @@ var handler = map[string]localAPIHandler{
 	"status":                  (*Handler).serveStatus,
 	"tka/init":                (*Handler).serveTKAInit,
 	"tka/modify":              (*Handler).serveTKAModify,
+	"tka/sign":                (*Handler).serveTKASign,
 	"tka/status":              (*Handler).serveTKAStatus,
 	"upload-client-metrics":   (*Handler).serveUploadClientMetrics,
 	"whois":                   (*Handler).serveWhoIs,
@ -921,6 +923,34 @@ func (h *Handler) serveTKAStatus(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }

+func (h *Handler) serveTKASign(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitRead {
+		http.Error(w, "lock status access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != http.MethodPost {
+		http.Error(w, "use POST", http.StatusMethodNotAllowed)
+		return
+	}
+
+	type signRequest struct {
+		NodeKey        key.NodePublic
+		RotationPublic []byte
+	}
+	var req signRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "invalid JSON body", http.StatusBadRequest)
+		return
+	}
+
+	if err := h.b.NetworkLockSign(req.NodeKey, req.RotationPublic); err != nil {
+		http.Error(w, "signing failed: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}
+
 func (h *Handler) serveTKAInit(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "lock init access denied", http.StatusForbidden)
--- a/tailcfg/tka.go
+++ b/tailcfg/tka.go
@ -214,3 +214,23 @@ type TKADisableRequest struct {
 type TKADisableResponse struct {
 	// Nothing. (yet?)
 }
+
+// TKASubmitSignatureRequest transmits a node-key signature to the control plane.
+//
+// This is the request schema for a /tka/sign noise RPC.
+type TKASubmitSignatureRequest struct {
+	// Version is the client's capabilities.
+	Version CapabilityVersion
+
+	// NodeKey is the client's current node key. The node-key which
+	// is being signed is embedded in Signature.
+	NodeKey key.NodePublic
+
+	// Signature encodes the node-key signature being submitted.
+	Signature tkatype.MarshaledSignature
+}
+
+// TKASubmitSignatureResponse is the JSON response from a /tka/sign RPC.
+type TKASubmitSignatureResponse struct {
+	// Nothing. (yet?)
+}