From 1005cbc1e4b1b77f4d9c8e6b6ab54d4d14ebe15e Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Sun, 6 Oct 2024 12:12:44 -0700
Subject: [PATCH] tailscaleroot: panic if tailscale_go build tag but Go toolchain mismatch

Fixes #13527
Change-Id: I05921969a84a303b60d1b3b9227aff9865662831
Signed-off-by: Brad Fitzpatrick
---
 assert_ts_toolchain_match.go | 27 +++++++++++++++++++++++++++
 version-embed.go | 18 +++++++++++++++++-
 version_tailscale_test.go | 10 +---------
 3 files changed, 45 insertions(+), 10 deletions(-)
 create mode 100644 assert_ts_toolchain_match.go

diff --git a/assert_ts_toolchain_match.go b/assert_ts_toolchain_match.go
new file mode 100644
index 000000000..40b24b334
--- /dev/null
+++ b/assert_ts_toolchain_match.go
@@ -0,0 +1,27 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build tailscale_go
+
+package tailscaleroot
+
+import (
+ "fmt"
+ "os"
+ "strings"
+)
+
+func init() {
+ tsRev, ok := tailscaleToolchainRev()
+ if !ok {
+ panic("binary built with tailscale_go build tag but failed to read build info or find tailscale.toolchain.rev in build info")
+ }
+ want := strings.TrimSpace(GoToolchainRev)
+ if tsRev != want {
+ if os.Getenv("TS_PERMIT_TOOLCHAIN_MISMATCH") == "1" {
+ fmt.Fprintf(os.Stderr, "tailscale.toolchain.rev = %q, want %q; but ignoring due to TS_PERMIT_TOOLCHAIN_MISMATCH=1\n", tsRev, want)
+ return
+ }
+ panic(fmt.Sprintf("binary built with tailscale_go build tag but Go toolchain %q doesn't match github.com/tailscale/tailscale expected value %q; override this failure with TS_PERMIT_TOOLCHAIN_MISMATCH=1", tsRev, want))
+ }
+}
diff --git a/version-embed.go b/version-embed.go
index 40c2e7cef..2d517339d 100644
--- a/version-embed.go
+++ b/version-embed.go
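Review bot: In `init()` of assert_ts_toolchain_match.go, `TS_PERMIT_TOOLCHAIN_MISMATCH=1` is consulted only inside the `tsRev != want` branch, so a `tailscale_go` binary whose build info lacks `tailscale.toolchain.rev` still panics with the override set, and nothing in the file says whether that fail-closed split is intended. I would document it above the function: `// init aborts startup when the toolchain rev recorded in build info differs from go.toolchain.rev; TS_PERMIT_TOOLCHAIN_MISMATCH=1 downgrades a mismatch (not a missing rev) to a stderr warning.` Because the override is read from the process environment and the rev from the binary's own build metadata, the comment should also state that this is a build-consistency assertion rather than an integrity check on the toolchain.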
@@ -4,7 +4,10 @@
 // Package tailscaleroot embeds VERSION.txt into the binary.
 package tailscaleroot
 
-import _ "embed"
+import (
+ _ "embed"
+ "runtime/debug"
+)
 
 // VersionDotTxt is the contents of VERSION.txt. Despite the tempting filename,
 // this does not necessarily contain the accurate version number of the build, which
@@ -22,3 +25,16 @@ var AlpineDockerTag string
 //
 //go:embed go.toolchain.rev
 var GoToolchainRev string
+
+func tailscaleToolchainRev() (gitHash string, ok bool) {
+ bi, ok := debug.ReadBuildInfo()
+ if !ok {
+ return "", false
+ }
+ for _, s := range bi.Settings {
+ if s.Key == "tailscale.toolchain.rev" {
+ return s.Value, true
+ }
+ }
+ return "", false
+}
diff --git a/version_tailscale_test.go b/version_tailscale_test.go
index c15e0cbee..0a690e312 100644
--- a/version_tailscale_test.go
+++ b/version_tailscale_test.go
@@ -7,23 +7,15 @@ package tailscaleroot
 
 import (
 "os"
- "runtime/debug"
 "strings"
 "testing"
 )
 
 func TestToolchainMatches(t *testing.T) {
- bi, ok := debug.ReadBuildInfo()
+ tsRev, ok := tailscaleToolchainRev()
 if !ok {
 t.Fatal("failed to read build info")
 }
- var tsRev string
- for _, s := range bi.Settings {
- if s.Key == "tailscale.toolchain.rev" {
- tsRev = s.Value
- break
- }
- }
 want := strings.TrimSpace(GoToolchainRev)
 if tsRev != want {
 if os.Getenv("TS_PERMIT_TOOLCHAIN_MISMATCH") == "1" {
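Review bot: `tailscaleToolchainRev`, added in the second version-embed.go hunk, has no doc comment, and its single `ok` result folds together two different failures: `debug.ReadBuildInfo` returning false and the `tailscale.toolchain.rev` key being absent from `bi.Settings`. Callers cannot tell these apart, so the contract should at least be written down: `// tailscaleToolchainRev returns the tailscale.toolchain.rev build setting; ok is false if build info is unavailable or the setting is absent.` It also returns `ok == true` for a key that is present with an empty value, which the callers then compare against the trimmed `GoToolchainRev`.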
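Review bot: In `TestToolchainMatches` (version_tailscale_test.go), the `!ok` branch now also fires when build info is readable but has no `tailscale.toolchain.rev` setting, yet the message still says only `failed to read build info`. Before this change a missing setting left `tsRev` empty and fell through to the `tsRev != want` comparison, where `TS_PERMIT_TOOLCHAIN_MISMATCH=1` applied; now the test fails before the override is checked. If that is intended, align the message with the one in `init`: `t.Fatal("failed to read build info or find tailscale.toolchain.rev in build info")`. The function body continues past the end of the hunk.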