From 2bbedd20018125973f01c3e6f73ea025a356efad Mon Sep 17 00:00:00 2001 From: Tom DNetto Date: Fri, 7 Jul 2023 08:39:35 -0700 Subject: [PATCH] ipn: rename CapTailnetLockAlpha -> CapTailnetLock Updates tailscale/corp#8568 Signed-off-by: Tom DNetto --- ipn/ipnlocal/local.go | 2 +- ipn/ipnlocal/network-lock.go | 19 ++++--------------- ipn/ipnlocal/network-lock_test.go | 30 +++++++----------------------- tailcfg/tailcfg.go | 10 ++++------ 4 files changed, 16 insertions(+), 45 deletions(-) diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go index 8cbbfa81b..86a550a05 100644 --- a/ipn/ipnlocal/local.go +++ b/ipn/ipnlocal/local.go @@ -1013,7 +1013,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) { // Perform all reconfiguration based on the netmap here. if st.NetMap != nil { - b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLockAlpha) + b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock) b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil { diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go index b2d09b627..f201e418c 100644 --- a/ipn/ipnlocal/network-lock.go +++ b/ipn/ipnlocal/network-lock.go @@ -20,7 +20,6 @@ import ( "path/filepath" "time" - "tailscale.com/envknob" "tailscale.com/health" "tailscale.com/ipn" "tailscale.com/ipn/ipnstate" 
@@ -53,20 +52,12 @@ type tkaState struct { filtered []ipnstate.TKAFilteredPeer } -// permitTKAInitLocked returns true if tailnet lock initialization may -// occur. -// b.mu must be held. -func (b *LocalBackend) permitTKAInitLocked() bool { - return envknob.UseWIPCode() || b.capTailnetLock -} - // tkaFilterNetmapLocked checks the signatures on each node key, dropping // nodes from the netmap whose signature does not verify. // // b.mu must be held. func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) { - // TODO(tom): Remove this guard for 1.35 and later. - if b.tka == nil && !b.permitTKAInitLocked() { + if b.tka == nil && !b.capTailnetLock { health.SetTKAHealth(nil) return } @@ -153,8 +144,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie b.mu.Lock() // take mu to protect access to synchronized fields. defer b.mu.Unlock() - // TODO(tom): Remove this guard for 1.35 and later. - if b.tka == nil && !b.permitTKAInitLocked() { + if b.tka == nil && !b.capTailnetLock { return nil } @@ -483,10 +473,9 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt var nlPriv key.NLPrivate b.mu.Lock() - // TODO(tom): Remove this guard for 1.35 and later. - if !b.permitTKAInitLocked() { + if !b.capTailnetLock { b.mu.Unlock() - return errors.New("this feature is not yet complete, a later release may support this functionality") + return errors.New("not permitted to enable tailnet lock") } if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() { diff --git a/ipn/ipnlocal/network-lock_test.go b/ipn/ipnlocal/network-lock_test.go index b2ad44694..98e4acf2f 100644 --- a/ipn/ipnlocal/network-lock_test.go +++ b/ipn/ipnlocal/network-lock_test.go @@ -17,7 +17,6 @@ import ( "github.com/google/go-cmp/cmp" "tailscale.com/control/controlclient" - "tailscale.com/envknob" "tailscale.com/hostinfo" "tailscale.com/ipn" "tailscale.com/ipn/store/mem" 
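Review bot: The guard `if b.tka == nil && !b.capTailnetLock {` in tkaFilterNetmapLocked now has no comment, and the intent that the removed permitTKAInitLocked comment carried is worth restating because it is the security-relevant property of this code. The capability gates only first-time initialization: once b.tka is non-nil, signature filtering runs regardless of whether control keeps sending the capability, so a control plane cannot switch off enforcement on an enrolled node just by withdrawing the grant. Suggest above the if: `// capTailnetLock only gates initialization: once b.tka exists, filtering is unconditional, so control cannot disable enforcement by withdrawing the capability.` The same comment fits the matching guard in tkaSyncIfNeeded in the next hunk. Both function bodies continue outside the hunk.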
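Review bot: The new error `not permitted to enable tailnet lock` in NetworkLockInit drops the explanation the old message carried, so someone running lock init cannot tell from the CLI whether the refusal comes from local state or from a missing grant. The only thing this check reads is b.capTailnetLock, which setClientStatus derives from the netmap capability, so the message can say exactly that: `return errors.New("tailnet lock is not enabled for this node: the control plane has not granted the tailnet-lock capability")`. NetworkLockInit continues outside the hunk.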
@@ -66,8 +65,6 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server, } func TestTKAEnablementFlow(t *testing.T) { - envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1") - defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "") nodePriv := key.NewNode() // Make a fake TKA authority, getting a usable genesis AUM which @@ -150,12 +147,13 @@ func TestTKAEnablementFlow(t *testing.T) { }, }).View())) b := LocalBackend{ - varRoot: temp, - cc: cc, - ccAuto: cc, - logf: t.Logf, - pm: pm, - store: pm.Store(), + capTailnetLock: true, + varRoot: temp, + cc: cc, + ccAuto: cc, + logf: t.Logf, + pm: pm, + store: pm.Store(), } err = b.tkaSyncIfNeeded(&netmap.NetworkMap{ @@ -174,8 +172,6 @@ func TestTKAEnablementFlow(t *testing.T) { } func TestTKADisablementFlow(t *testing.T) { - envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1") - defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "") nodePriv := key.NewNode() // Make a fake TKA authority, to seed local state. @@ -297,9 +293,6 @@ func TestTKADisablementFlow(t *testing.T) { } func TestTKASync(t *testing.T) { - envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1") - defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "") - someKeyPriv := key.NewNLPrivate() someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1} @@ -538,9 +531,6 @@ func TestTKASync(t *testing.T) { } func TestTKAFilterNetmap(t *testing.T) { - envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1") - defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "") - nlPriv := key.NewNLPrivate() nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2} storage := &tka.Mem{} @@ -597,8 +587,6 @@ func TestTKAFilterNetmap(t *testing.T) { } func TestTKADisable(t *testing.T) { - envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1") - defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "") nodePriv := key.NewNode() // Make a fake TKA authority, to seed local state. 
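Review bot: Setting `capTailnetLock: true` directly on the LocalBackend literal in TestTKAEnablementFlow bypasses the path that actually grants it, `hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock)` in setClientStatus, so the renamed capability string is not exercised end to end here. With the envknob escape hatch gone, the negative case also matters: I do not see a test in this diff where b.tka is nil and capTailnetLock is false that asserts tkaSyncIfNeeded is a no-op and NetworkLockInit returns the "not permitted" error. A small test covering both would pin the fail-closed gate; if the rest of the file already has one, ignore this. TestTKAEnablementFlow continues outside the hunk.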
@@ -692,8 +680,6 @@ func TestTKADisable(t *testing.T) { } func TestTKASign(t *testing.T) { - envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1") - defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "") nodePriv := key.NewNode() toSign := key.NewNode() nlPriv := key.NewNLPrivate() @@ -780,8 +766,6 @@ func TestTKASign(t *testing.T) { } func TestTKAForceDisable(t *testing.T) { - envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1") - defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "") nodePriv := key.NewNode() // Make a fake TKA authority, to seed local state. diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go index 89a8953c9..3859a3564 100644 --- a/tailcfg/tailcfg.go +++ b/tailcfg/tailcfg.go @@ -100,7 +100,8 @@ type CapabilityVersion int // - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction // - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events // - 63: 2023-06-08: Client understands SSHAction.AllowRemotePortForwarding. -const CurrentCapabilityVersion CapabilityVersion = 63 +// - 64: 2023-07-11: Client understands s/CapabilityTailnetLockAlpha/CapabilityTailnetLock +const CurrentCapabilityVersion CapabilityVersion = 64 type StableID string @@ -1850,11 +1851,8 @@ const ( // of connections to the default network interface on Darwin nodes. CapabilityDebugDisableBindConnToInterface = "https://tailscale.com/cap/debug-disable-bind-conn-to-interface" - // CapabilityTailnetLockAlpha indicates the node is in the tailnet lock alpha, - // and initialization of tailnet lock may proceed. - // - // TODO(tom): Remove this for 1.35 and later. - CapabilityTailnetLockAlpha = "https://tailscale.com/cap/tailnet-lock-alpha" + // CapabilityTailnetLock indicates the node may initialize tailnet lock. + CapabilityTailnetLock = "https://tailscale.com/cap/tailnet-lock" // Inter-node capabilities as specified in the MapResponse.PacketFilter[].CapGrants.
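Review bot: The doc comment `CapabilityTailnetLock indicates the node may initialize tailnet lock.` understates what the client does with it: the guards added to ipn/ipnlocal/network-lock.go in this same commit only consult the capability when b.tka is nil, so a node that already holds TKA state keeps filtering and syncing whether or not control still sends it. Someone reading tailcfg.go to decide when to grant or revoke the capability should know that revoking it does not turn enforcement off on an enrolled node. Suggest a second sentence: `// Once a node has initialized tailnet lock, netmap filtering and sync no longer depend on this capability.`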