From 87c5ad4c2c0e108e0c66cdb95f75ae5a5da72e31 Mon Sep 17 00:00:00 2001
From: James Tucker
Date: Mon, 17 Jun 2024 15:56:46 -0700
Subject: [PATCH] derp: add a verifyClients check to the consistency check

Only implemented for the local tailscaled variant for now.

Updates tailscale/corp#20844

Signed-off-by: James Tucker
---
 derp/derp_server.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/derp/derp_server.go b/derp/derp_server.go
index a032a4731..eb4528e72 100644
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -1955,12 +1955,37 @@ func (s *Server) ConsistencyCheck() error {
 s.curClients.Value(),
 len(s.clients)))
 }
+
+ if s.verifyClientsLocalTailscaled {
+ if err := s.checkVerifyClientsLocalTailscaled(); err != nil {
+ errs = append(errs, err.Error())
+ }
+ }
+
 if len(errs) == 0 {
 return nil
 }
 return errors.New(strings.Join(errs, ", "))
 }
 
+// checkVerifyClientsLocalTailscaled checks that a verifyClients call can be made successfully for the derper hosts own node key.
+func (s *Server) checkVerifyClientsLocalTailscaled() error {
+ ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel()
+ status, err := localClient.StatusWithoutPeers(ctx)
+ if err != nil {
+ return fmt.Errorf("localClient.Status: %w", err)
+ }
+ info := &clientInfo{
+ IsProber: true,
+ }
+ clientIP := netip.IPv6Loopback()
+ if err := s.verifyClient(ctx, status.Self.PublicKey, info, clientIP); err != nil {
+ return fmt.Errorf("verifyClient for self nodekey: %w", err)
+ }
+ return nil
+}
+
 const minTimeBetweenLogs = 2 * time.Second
 
 // BytesSentRecv records the number of bytes that have been sent since the last traffic check
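Review bot: `status.Self.PublicKey` in checkVerifyClientsLocalTailscaled is dereferenced without a nil check, so if the local tailscaled returns a status with no self node (Self appears to be a pointer; its type is not visible here) the consistency check would panic instead of reporting an error. A guard before the verifyClient call, such as `if status.Self == nil { return errors.New("localClient.Status: no self node in status") }`, keeps that failure on the error path. Separately, ConsistencyCheck begins outside this hunk; if it holds the server mutex while it runs, the new call can keep that lock held for up to the 5-second timeout whenever tailscaled is slow or unreachable, so the check may belong outside the locked region. The error prefix `localClient.Status` also no longer matches the call made, which is `StatusWithoutPeers`.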