diff --git a/tka/builder.go b/tka/builder.go new file mode 100644 index 000000000..da062995b --- /dev/null +++ b/tka/builder.go @@ -0,0 +1,111 @@ +// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tka + +import ( + "fmt" +) + +// UpdateBuilder implements a builder for changes to the tailnet +// key authority. +// +// Finalize must be called to compute the update messages, which +// must then be applied to all Authority objects using Inform(). +type UpdateBuilder struct { + a *Authority + signer func(*AUM) error + + state State + parent AUMHash + + out []AUM +} + +func (b *UpdateBuilder) mkUpdate(update AUM) error { + prevHash := make([]byte, len(b.parent)) + copy(prevHash, b.parent[:]) + update.PrevAUMHash = prevHash + + if b.signer != nil { + if err := b.signer(&update); err != nil { + return fmt.Errorf("signing failed: %v", err) + } + } + if err := update.StaticValidate(); err != nil { + return fmt.Errorf("generated update was invalid: %v", err) + } + state, err := b.state.applyVerifiedAUM(update) + if err != nil { + return fmt.Errorf("update cannot be applied: %v", err) + } + + b.state = state + b.parent = update.Hash() + b.out = append(b.out, update) + return nil +} + +// AddKey adds a new key to the authority. +func (b *UpdateBuilder) AddKey(key Key) error { + if _, err := b.state.GetKey(key.ID()); err == nil { + return fmt.Errorf("cannot add key %v: already exists", key) + } + return b.mkUpdate(AUM{MessageKind: AUMAddKey, Key: &key}) +} + +// RemoveKey removes a key from the authority. +func (b *UpdateBuilder) RemoveKey(keyID KeyID) error { + if _, err := b.state.GetKey(keyID); err != nil { + return fmt.Errorf("failed reading key %x: %v", keyID, err) + } + return b.mkUpdate(AUM{MessageKind: AUMRemoveKey, KeyID: keyID}) +} + +// SetKeyVote updates the number of votes of an existing key. +func (b *UpdateBuilder) SetKeyVote(keyID KeyID, votes uint) error { + if _, err := b.state.GetKey(keyID); err != nil { + return fmt.Errorf("failed reading key %x: %v", keyID, err) + } + return b.mkUpdate(AUM{MessageKind: AUMUpdateKey, Votes: &votes, KeyID: keyID}) +} + +// SetKeyMeta updates key-value metadata stored against an existing key. +// +// TODO(tom): Provide an API to update specific values rather than the whole +// map. +func (b *UpdateBuilder) SetKeyMeta(keyID KeyID, meta map[string]string) error { + if _, err := b.state.GetKey(keyID); err != nil { + return fmt.Errorf("failed reading key %x: %v", keyID, err) + } + return b.mkUpdate(AUM{MessageKind: AUMUpdateKey, Meta: meta, KeyID: keyID}) +} + +// Finalize returns the set of update message to actuate the update. +func (b *UpdateBuilder) Finalize() ([]AUM, error) { + if len(b.out) > 0 { + if parent, _ := b.out[0].Parent(); parent != b.a.Head() { + return nil, fmt.Errorf("updates no longer apply to head: based on %x but head is %x", parent, b.a.Head()) + } + } + return b.out, nil +} + +// NewUpdater returns a builder you can use to make changes to +// the tailnet key authority. +// +// The provided signer function, if non-nil, is called with each update +// to compute and apply signatures. +// +// Updates are specified by calling methods on the returned UpdatedBuilder. +// Call Finalize() when you are done to obtain the specific update messages +// which actuate the changes. +func (a *Authority) NewUpdater(signer func(*AUM) error) *UpdateBuilder { + return &UpdateBuilder{ + a: a, + signer: signer, + parent: a.Head(), + state: a.state, + } +} diff --git a/tka/builder_test.go b/tka/builder_test.go new file mode 100644 index 000000000..5f7aeb66f --- /dev/null +++ b/tka/builder_test.go @@ -0,0 +1,210 @@ +// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tka + +import ( + "testing" + + "github.com/google/go-cmp/cmp" +) + +func TestAuthorityBuilderAddKey(t *testing.T) { + pub, priv := testingKey25519(t, 1) + key := Key{Kind: Key25519, Public: pub, Votes: 2} + + a, _, err := Create(&Mem{}, State{ + Keys: []Key{key}, + DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})}, + }, priv) + if err != nil { + t.Fatalf("Create() failed: %v", err) + } + + pub2, _ := testingKey25519(t, 2) + key2 := Key{Kind: Key25519, Public: pub2, Votes: 1} + + b := a.NewUpdater(func(update *AUM) error { + update.sign25519(priv) + return nil + }) + if err := b.AddKey(key2); err != nil { + t.Fatalf("AddKey(%v) failed: %v", key2, err) + } + updates, err := b.Finalize() + if err != nil { + t.Fatalf("Finalize() failed: %v", err) + } + + // See if the update is valid by applying it to the authority + // + checking if the new key is there. + if err := a.Inform(updates); err != nil { + t.Fatalf("could not apply generated updates: %v", err) + } + if _, err := a.state.GetKey(key2.ID()); err != nil { + t.Errorf("could not read new key: %v", err) + } +} + +func TestAuthorityBuilderRemoveKey(t *testing.T) { + pub, priv := testingKey25519(t, 1) + key := Key{Kind: Key25519, Public: pub, Votes: 2} + pub2, _ := testingKey25519(t, 2) + key2 := Key{Kind: Key25519, Public: pub2, Votes: 1} + + a, _, err := Create(&Mem{}, State{ + Keys: []Key{key, key2}, + DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})}, + }, priv) + if err != nil { + t.Fatalf("Create() failed: %v", err) + } + + b := a.NewUpdater(func(update *AUM) error { + update.sign25519(priv) + return nil + }) + if err := b.RemoveKey(key2.ID()); err != nil { + t.Fatalf("RemoveKey(%v) failed: %v", key2, err) + } + updates, err := b.Finalize() + if err != nil { + t.Fatalf("Finalize() failed: %v", err) + } + + // See if the update is valid by applying it to the authority + // + checking if the key has been removed. + if err := a.Inform(updates); err != nil { + t.Fatalf("could not apply generated updates: %v", err) + } + if _, err := a.state.GetKey(key2.ID()); err != ErrNoSuchKey { + t.Errorf("GetKey(key2).err = %v, want %v", err, ErrNoSuchKey) + } +} + +func TestAuthorityBuilderSetKeyVote(t *testing.T) { + pub, priv := testingKey25519(t, 1) + key := Key{Kind: Key25519, Public: pub, Votes: 2} + + a, _, err := Create(&Mem{}, State{ + Keys: []Key{key}, + DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})}, + }, priv) + if err != nil { + t.Fatalf("Create() failed: %v", err) + } + + b := a.NewUpdater(func(update *AUM) error { + update.sign25519(priv) + return nil + }) + if err := b.SetKeyVote(key.ID(), 5); err != nil { + t.Fatalf("SetKeyVote(%v) failed: %v", key.ID(), err) + } + updates, err := b.Finalize() + if err != nil { + t.Fatalf("Finalize() failed: %v", err) + } + + // See if the update is valid by applying it to the authority + // + checking if the update is there. + if err := a.Inform(updates); err != nil { + t.Fatalf("could not apply generated updates: %v", err) + } + k, err := a.state.GetKey(key.ID()) + if err != nil { + t.Fatal(err) + } + if got, want := k.Votes, uint(5); got != want { + t.Errorf("key.Votes = %d, want %d", got, want) + } +} + +func TestAuthorityBuilderSetKeyMeta(t *testing.T) { + pub, priv := testingKey25519(t, 1) + key := Key{Kind: Key25519, Public: pub, Votes: 2, Meta: map[string]string{"a": "b"}} + + a, _, err := Create(&Mem{}, State{ + Keys: []Key{key}, + DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})}, + }, priv) + if err != nil { + t.Fatalf("Create() failed: %v", err) + } + + b := a.NewUpdater(func(update *AUM) error { + update.sign25519(priv) + return nil + }) + if err := b.SetKeyMeta(key.ID(), map[string]string{"b": "c"}); err != nil { + t.Fatalf("SetKeyMeta(%v) failed: %v", key, err) + } + updates, err := b.Finalize() + if err != nil { + t.Fatalf("Finalize() failed: %v", err) + } + + // See if the update is valid by applying it to the authority + // + checking if the update is there. + if err := a.Inform(updates); err != nil { + t.Fatalf("could not apply generated updates: %v", err) + } + k, err := a.state.GetKey(key.ID()) + if err != nil { + t.Fatal(err) + } + if diff := cmp.Diff(map[string]string{"b": "c"}, k.Meta); diff != "" { + t.Errorf("updated meta differs (-want, +got):\n%s", diff) + } +} + +func TestAuthorityBuilderMultiple(t *testing.T) { + pub, priv := testingKey25519(t, 1) + key := Key{Kind: Key25519, Public: pub, Votes: 2} + + a, _, err := Create(&Mem{}, State{ + Keys: []Key{key}, + DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})}, + }, priv) + if err != nil { + t.Fatalf("Create() failed: %v", err) + } + + pub2, _ := testingKey25519(t, 2) + key2 := Key{Kind: Key25519, Public: pub2, Votes: 1} + + b := a.NewUpdater(func(update *AUM) error { + update.sign25519(priv) + return nil + }) + if err := b.AddKey(key2); err != nil { + t.Fatalf("AddKey(%v) failed: %v", key2, err) + } + if err := b.SetKeyVote(key2.ID(), 42); err != nil { + t.Fatalf("SetKeyVote(%v) failed: %v", key2, err) + } + if err := b.RemoveKey(key.ID()); err != nil { + t.Fatalf("RemoveKey(%v) failed: %v", key, err) + } + updates, err := b.Finalize() + if err != nil { + t.Fatalf("Finalize() failed: %v", err) + } + + // See if the update is valid by applying it to the authority + // + checking if the update is there. + if err := a.Inform(updates); err != nil { + t.Fatalf("could not apply generated updates: %v", err) + } + k, err := a.state.GetKey(key2.ID()) + if err != nil { + t.Fatal(err) + } + if got, want := k.Votes, uint(42); got != want { + t.Errorf("key.Votes = %d, want %d", got, want) + } + if _, err := a.state.GetKey(key.ID()); err != ErrNoSuchKey { + t.Errorf("GetKey(key).err = %v, want %v", err, ErrNoSuchKey) + } +}