tka: implement API surface for generating updates

Based on the builder pattern.

Signed-off-by: Tom DNetto <tom@tailscale.com>

tka/builder.go

@@ -0,0 +1,111 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tka
+
+import (
+	"fmt"
+)
+
+// UpdateBuilder implements a builder for changes to the tailnet
+// key authority.
+//
+// Finalize must be called to compute the update messages, which
+// must then be applied to all Authority objects using Inform().
+type UpdateBuilder struct {
+	a      *Authority
+	signer func(*AUM) error
+
+	state  State
+	parent AUMHash
+
+	out []AUM
+}
+
+func (b *UpdateBuilder) mkUpdate(update AUM) error {
+	prevHash := make([]byte, len(b.parent))
+	copy(prevHash, b.parent[:])
+	update.PrevAUMHash = prevHash
+
+	if b.signer != nil {
+		if err := b.signer(&update); err != nil {
+			return fmt.Errorf("signing failed: %v", err)
+		}
+	}
+	if err := update.StaticValidate(); err != nil {
+		return fmt.Errorf("generated update was invalid: %v", err)
+	}
+	state, err := b.state.applyVerifiedAUM(update)
+	if err != nil {
+		return fmt.Errorf("update cannot be applied: %v", err)
+	}
+
+	b.state = state
+	b.parent = update.Hash()
+	b.out = append(b.out, update)
+	return nil
+}
+
+// AddKey adds a new key to the authority.
+func (b *UpdateBuilder) AddKey(key Key) error {
+	if _, err := b.state.GetKey(key.ID()); err == nil {
+		return fmt.Errorf("cannot add key %v: already exists", key)
+	}
+	return b.mkUpdate(AUM{MessageKind: AUMAddKey, Key: &key})
+}
+
+// RemoveKey removes a key from the authority.
+func (b *UpdateBuilder) RemoveKey(keyID KeyID) error {
+	if _, err := b.state.GetKey(keyID); err != nil {
+		return fmt.Errorf("failed reading key %x: %v", keyID, err)
+	}
+	return b.mkUpdate(AUM{MessageKind: AUMRemoveKey, KeyID: keyID})
+}
+
+// SetKeyVote updates the number of votes of an existing key.
+func (b *UpdateBuilder) SetKeyVote(keyID KeyID, votes uint) error {
+	if _, err := b.state.GetKey(keyID); err != nil {
+		return fmt.Errorf("failed reading key %x: %v", keyID, err)
+	}
+	return b.mkUpdate(AUM{MessageKind: AUMUpdateKey, Votes: &votes, KeyID: keyID})
+}
+
+// SetKeyMeta updates key-value metadata stored against an existing key.
+//
+// TODO(tom): Provide an API to update specific values rather than the whole
+// map.
+func (b *UpdateBuilder) SetKeyMeta(keyID KeyID, meta map[string]string) error {
+	if _, err := b.state.GetKey(keyID); err != nil {
+		return fmt.Errorf("failed reading key %x: %v", keyID, err)
+	}
+	return b.mkUpdate(AUM{MessageKind: AUMUpdateKey, Meta: meta, KeyID: keyID})
+}
+
+// Finalize returns the set of update message to actuate the update.
+func (b *UpdateBuilder) Finalize() ([]AUM, error) {
+	if len(b.out) > 0 {
+		if parent, _ := b.out[0].Parent(); parent != b.a.Head() {
+			return nil, fmt.Errorf("updates no longer apply to head: based on %x but head is %x", parent, b.a.Head())
+		}
+	}
+	return b.out, nil
+}
+
+// NewUpdater returns a builder you can use to make changes to
+// the tailnet key authority.
+//
+// The provided signer function, if non-nil, is called with each update
+// to compute and apply signatures.
+//
+// Updates are specified by calling methods on the returned UpdatedBuilder.
+// Call Finalize() when you are done to obtain the specific update messages
+// which actuate the changes.
+func (a *Authority) NewUpdater(signer func(*AUM) error) *UpdateBuilder {
+	return &UpdateBuilder{
+		a:      a,
+		signer: signer,
+		parent: a.Head(),
+		state:  a.state,
+	}
+}

tka/builder_test.go

@@ -0,0 +1,210 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tka
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestAuthorityBuilderAddKey(t *testing.T) {
+	pub, priv := testingKey25519(t, 1)
+	key := Key{Kind: Key25519, Public: pub, Votes: 2}
+
+	a, _, err := Create(&Mem{}, State{
+		Keys:               []Key{key},
+		DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})},
+	}, priv)
+	if err != nil {
+		t.Fatalf("Create() failed: %v", err)
+	}
+
+	pub2, _ := testingKey25519(t, 2)
+	key2 := Key{Kind: Key25519, Public: pub2, Votes: 1}
+
+	b := a.NewUpdater(func(update *AUM) error {
+		update.sign25519(priv)
+		return nil
+	})
+	if err := b.AddKey(key2); err != nil {
+		t.Fatalf("AddKey(%v) failed: %v", key2, err)
+	}
+	updates, err := b.Finalize()
+	if err != nil {
+		t.Fatalf("Finalize() failed: %v", err)
+	}
+
+	// See if the update is valid by applying it to the authority
+	// + checking if the new key is there.
+	if err := a.Inform(updates); err != nil {
+		t.Fatalf("could not apply generated updates: %v", err)
+	}
+	if _, err := a.state.GetKey(key2.ID()); err != nil {
+		t.Errorf("could not read new key: %v", err)
+	}
+}
+
+func TestAuthorityBuilderRemoveKey(t *testing.T) {
+	pub, priv := testingKey25519(t, 1)
+	key := Key{Kind: Key25519, Public: pub, Votes: 2}
+	pub2, _ := testingKey25519(t, 2)
+	key2 := Key{Kind: Key25519, Public: pub2, Votes: 1}
+
+	a, _, err := Create(&Mem{}, State{
+		Keys:               []Key{key, key2},
+		DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})},
+	}, priv)
+	if err != nil {
+		t.Fatalf("Create() failed: %v", err)
+	}
+
+	b := a.NewUpdater(func(update *AUM) error {
+		update.sign25519(priv)
+		return nil
+	})
+	if err := b.RemoveKey(key2.ID()); err != nil {
+		t.Fatalf("RemoveKey(%v) failed: %v", key2, err)
+	}
+	updates, err := b.Finalize()
+	if err != nil {
+		t.Fatalf("Finalize() failed: %v", err)
+	}
+
+	// See if the update is valid by applying it to the authority
+	// + checking if the key has been removed.
+	if err := a.Inform(updates); err != nil {
+		t.Fatalf("could not apply generated updates: %v", err)
+	}
+	if _, err := a.state.GetKey(key2.ID()); err != ErrNoSuchKey {
+		t.Errorf("GetKey(key2).err = %v, want %v", err, ErrNoSuchKey)
+	}
+}
+
+func TestAuthorityBuilderSetKeyVote(t *testing.T) {
+	pub, priv := testingKey25519(t, 1)
+	key := Key{Kind: Key25519, Public: pub, Votes: 2}
+
+	a, _, err := Create(&Mem{}, State{
+		Keys:               []Key{key},
+		DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})},
+	}, priv)
+	if err != nil {
+		t.Fatalf("Create() failed: %v", err)
+	}
+
+	b := a.NewUpdater(func(update *AUM) error {
+		update.sign25519(priv)
+		return nil
+	})
+	if err := b.SetKeyVote(key.ID(), 5); err != nil {
+		t.Fatalf("SetKeyVote(%v) failed: %v", key.ID(), err)
+	}
+	updates, err := b.Finalize()
+	if err != nil {
+		t.Fatalf("Finalize() failed: %v", err)
+	}
+
+	// See if the update is valid by applying it to the authority
+	// + checking if the update is there.
+	if err := a.Inform(updates); err != nil {
+		t.Fatalf("could not apply generated updates: %v", err)
+	}
+	k, err := a.state.GetKey(key.ID())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got, want := k.Votes, uint(5); got != want {
+		t.Errorf("key.Votes = %d, want %d", got, want)
+	}
+}
+
+func TestAuthorityBuilderSetKeyMeta(t *testing.T) {
+	pub, priv := testingKey25519(t, 1)
+	key := Key{Kind: Key25519, Public: pub, Votes: 2, Meta: map[string]string{"a": "b"}}
+
+	a, _, err := Create(&Mem{}, State{
+		Keys:               []Key{key},
+		DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})},
+	}, priv)
+	if err != nil {
+		t.Fatalf("Create() failed: %v", err)
+	}
+
+	b := a.NewUpdater(func(update *AUM) error {
+		update.sign25519(priv)
+		return nil
+	})
+	if err := b.SetKeyMeta(key.ID(), map[string]string{"b": "c"}); err != nil {
+		t.Fatalf("SetKeyMeta(%v) failed: %v", key, err)
+	}
+	updates, err := b.Finalize()
+	if err != nil {
+		t.Fatalf("Finalize() failed: %v", err)
+	}
+
+	// See if the update is valid by applying it to the authority
+	// + checking if the update is there.
+	if err := a.Inform(updates); err != nil {
+		t.Fatalf("could not apply generated updates: %v", err)
+	}
+	k, err := a.state.GetKey(key.ID())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := cmp.Diff(map[string]string{"b": "c"}, k.Meta); diff != "" {
+		t.Errorf("updated meta differs (-want, +got):\n%s", diff)
+	}
+}
+
+func TestAuthorityBuilderMultiple(t *testing.T) {
+	pub, priv := testingKey25519(t, 1)
+	key := Key{Kind: Key25519, Public: pub, Votes: 2}
+
+	a, _, err := Create(&Mem{}, State{
+		Keys:               []Key{key},
+		DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})},
+	}, priv)
+	if err != nil {
+		t.Fatalf("Create() failed: %v", err)
+	}
+
+	pub2, _ := testingKey25519(t, 2)
+	key2 := Key{Kind: Key25519, Public: pub2, Votes: 1}
+
+	b := a.NewUpdater(func(update *AUM) error {
+		update.sign25519(priv)
+		return nil
+	})
+	if err := b.AddKey(key2); err != nil {
+		t.Fatalf("AddKey(%v) failed: %v", key2, err)
+	}
+	if err := b.SetKeyVote(key2.ID(), 42); err != nil {
+		t.Fatalf("SetKeyVote(%v) failed: %v", key2, err)
+	}
+	if err := b.RemoveKey(key.ID()); err != nil {
+		t.Fatalf("RemoveKey(%v) failed: %v", key, err)
+	}
+	updates, err := b.Finalize()
+	if err != nil {
+		t.Fatalf("Finalize() failed: %v", err)
+	}
+
+	// See if the update is valid by applying it to the authority
+	// + checking if the update is there.
+	if err := a.Inform(updates); err != nil {
+		t.Fatalf("could not apply generated updates: %v", err)
+	}
+	k, err := a.state.GetKey(key2.ID())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got, want := k.Votes, uint(42); got != want {
+		t.Errorf("key.Votes = %d, want %d", got, want)
+	}
+	if _, err := a.state.GetKey(key.ID()); err != ErrNoSuchKey {
+		t.Errorf("GetKey(key).err = %v, want %v", err, ErrNoSuchKey)
+	}
+}