From 2263d9c44b5d8d795871a02f95cd7382760ef906 Mon Sep 17 00:00:00 2001 From: Tom DNetto Date: Fri, 3 Mar 2023 13:28:23 -0800 Subject: [PATCH] cmd/tsconnect: pop CTA to make everything work with tailnet lock Signed-off-by: Tom DNetto --- cmd/tsconnect/src/app/app.tsx | 21 ++++++++++++++++++++- cmd/tsconnect/src/app/ssh.tsx | 4 ++-- cmd/tsconnect/src/types/wasm_js.d.ts | 1 + cmd/tsconnect/wasm/wasm_js.go | 6 ++++-- flake.nix | 1 + 5 files changed, 28 insertions(+), 5 deletions(-) diff --git a/cmd/tsconnect/src/app/app.tsx b/cmd/tsconnect/src/app/app.tsx index b21b1893f..ee538eaea 100644 --- a/cmd/tsconnect/src/app/app.tsx +++ b/cmd/tsconnect/src/app/app.tsx @@ -43,8 +43,26 @@ class App extends Component<{}, AppState> { ) } + const lockedOut = netMap?.lockedOut + let lockedOutInstructions + if (lockedOut) { + lockedOutInstructions = ( +
+

This instance of Tailscale Connect needs to be signed, due to + {" "}tailnet lock{" "} + being enabled on this domain. +

+ +

+ Run the following command on a device with a trusted tailnet lock key: +

tailscale lock sign {netMap.self.nodeKey}
+

+
+ ) + } + let ssh - if (ipn && ipnState === "Running" && netMap) { + if (ipn && ipnState === "Running" && netMap && !lockedOut) { ssh = } @@ -55,6 +73,7 @@ class App extends Component<{}, AppState> {
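Review bot: The `!lockedOut` term added to the `ssh` guard, and the CTA above it, carry no comment saying that `lockedOut` is a display hint rather than an access check. Per the `wasm_js.go` change in this commit it only reflects a missing key signature, and nothing in this hunk enforces tailnet lock. A comment above `const lockedOut` would stop a later reader from relying on it as a gate, for example `// UI hint only: tailnet lock is on and this node has no signature yet; enforcement does not happen here.` The command shown ends in `netMap.self.nodeKey`, and signing is what lets this node through tailnet lock, so the CTA text could also ask the user to confirm the key belongs to this session before running the command on the trusted device. The enclosing render method starts and ends outside the hunk.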
{urlDisplay} {machineAuthInstructions} + {lockedOutInstructions} {ssh}
diff --git a/cmd/tsconnect/src/app/ssh.tsx b/cmd/tsconnect/src/app/ssh.tsx index a15f42b6d..df81745bd 100644 --- a/cmd/tsconnect/src/app/ssh.tsx +++ b/cmd/tsconnect/src/app/ssh.tsx @@ -60,11 +60,11 @@ function SSHSession({ function NoSSHPeers() { return (
- None of your machines have + None of your machines have{" "} Tailscale SSH - enabled. Give it a try! + {" "}enabled. Give it a try!
) } diff --git a/cmd/tsconnect/src/types/wasm_js.d.ts b/cmd/tsconnect/src/types/wasm_js.d.ts index c985b356f..492197ccb 100644 --- a/cmd/tsconnect/src/types/wasm_js.d.ts +++ b/cmd/tsconnect/src/types/wasm_js.d.ts @@ -63,6 +63,7 @@ declare global { type IPNNetMap = { self: IPNNetMapSelfNode peers: IPNNetMapPeerNode[] + lockedOut: boolean } type IPNNetMapNode = { diff --git a/cmd/tsconnect/wasm/wasm_js.go b/cmd/tsconnect/wasm/wasm_js.go index 2a27ca421..f1bd1c55d 100644 --- a/cmd/tsconnect/wasm/wasm_js.go +++ b/cmd/tsconnect/wasm/wasm_js.go @@ -272,6 +272,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) { TailscaleSSHEnabled: p.Hostinfo.TailscaleSSHEnabled(), } }), + LockedOut: nm.TKAEnabled && len(nm.SelfNode.KeySignature) == 0, } if jsonNetMap, err := json.Marshal(jsNetMap); err == nil { jsCallbacks.Call("notifyNetMap", string(jsonNetMap)) @@ -521,8 +522,9 @@ func (w termWriter) Write(p []byte) (n int, err error) { } type jsNetMap struct { - Self jsNetMapSelfNode `json:"self"` - Peers []jsNetMapPeerNode `json:"peers"` + Self jsNetMapSelfNode `json:"self"` + Peers []jsNetMapPeerNode `json:"peers"` + LockedOut bool `json:"lockedOut"` } type jsNetMapNode struct { diff --git a/flake.nix b/flake.nix index f5d4ee66c..2da7bb6fd 100644 --- a/flake.nix +++ b/flake.nix @@ -108,6 +108,7 @@ graphviz perl go_1_20 + yarn ]; }; };
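Review bot: `LockedOut` in the first `wasm_js.go` hunk is a presence test, `len(nm.SelfNode.KeySignature) == 0`. A node whose signature is present but no longer valid would presumably be reported as not locked out, and the UI would then offer SSH instead of the signing CTA. If that state is handled elsewhere, a comment would make the limit explicit: `// Presence check only: TKA is enabled and no signature was supplied for this node; signature validity is not verified here.` The same line dereferences `nm.SelfNode` without a guard. The rest of `run` is outside the hunk, so it is worth confirming that the surrounding code already assumes a non-nil self node.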