From abcb7ec1cef3a3624ee4266b3ab9ac086bcc8ea1 Mon Sep 17 00:00:00 2001
From: Tom DNetto
Date: Wed, 28 Jun 2023 14:36:01 -0700
Subject: [PATCH] cmd/tailscale: warn if node is locked out on bringup
Updates https://github.com/tailscale/corp/issues/12718
Signed-off-by: Tom DNetto
---
 cmd/tailscale/cli/up.go | 3 ++-
 health/healthmsg/healthmsg.go | 1 +
 ipn/ipnlocal/network-lock.go | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/cmd/tailscale/cli/up.go b/cmd/tailscale/cli/up.go
index 48b11ec3a..581ea4406 100644
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -725,7 +725,8 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 // the health check, rather than just a string.
 func upWorthyWarning(s string) bool {
 return strings.Contains(s, healthmsg.TailscaleSSHOnBut) ||
- strings.Contains(s, healthmsg.WarnAcceptRoutesOff)
+ strings.Contains(s, healthmsg.WarnAcceptRoutesOff) ||
+ strings.Contains(s, healthmsg.LockedOut)
 }
 func checkUpWarnings(ctx context.Context) {
diff --git a/health/healthmsg/healthmsg.go b/health/healthmsg/healthmsg.go
index b0064547a..e2915a195 100644
--- a/health/healthmsg/healthmsg.go
+++ b/health/healthmsg/healthmsg.go
@@ -10,4 +10,5 @@ package healthmsg
 const (
 WarnAcceptRoutesOff = "Some peers are advertising routes but --accept-routes is false"
 TailscaleSSHOnBut = "Tailscale SSH enabled, but " // + ... something from caller
+ LockedOut = "this node is locked out; it will not have connectivity until it is signed. For more info, see https://tailscale.com/s/locked-out"
 )
diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go
index f201e418c..eb26263e2 100644
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -21,6 +21,7 @@ import (
 "time"
 "tailscale.com/health"
+ "tailscale.com/health/healthmsg"
 "tailscale.com/ipn"
 "tailscale.com/ipn/ipnstate"
 "tailscale.com/net/tsaddr"
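Review bot: The new `strings.Contains(s, healthmsg.LockedOut)` term in upWorthyWarning (cmd/tailscale/cli/up.go) only fires while the health text contains this whole sentence, link included. Nothing at the constant's declaration in health/healthmsg/healthmsg.go records that dependency. If the CLI and the daemon can come from different builds (not visible in this patch), a later rewording on one side would silently drop the lock-out warning from the `up` output, which is the one warning an operator of a locked-out node most needs. I would add a comment above the constant, for example `// LockedOut is reported as the TKA health error and substring-matched by the CLI's upWorthyWarning; keep the text stable.` upWorthyWarning's doc comment starts outside the hunk, so it may already say part of this.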
@@ -115,7 +116,7 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
 // Check that we ourselves are not locked out, report a health issue if so.
 if nm.SelfNode != nil && b.tka.authority.NodeKeyAuthorized(nm.SelfNode.Key, nm.SelfNode.KeySignature) != nil {
- health.SetTKAHealth(errors.New("this node is locked out; it will not have connectivity until it is signed. For more info, see https://tailscale.com/s/locked-out"))
+ health.SetTKAHealth(errors.New(healthmsg.LockedOut))
 } else {
 health.SetTKAHealth(nil)
 }
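Review bot: The `if` in tkaFilterNetmapLocked keeps only whether `NodeKeyAuthorized` returned non-nil, so the reason the self key was rejected is dropped in the lines shown and every failure surfaces as the same lock-out text. When triaging a node that reports itself locked out, the underlying error would help tell a missing signature from one that failed verification. Consider capturing the error and logging it beside the health update, e.g. `b.logf("tka: self node key not authorized: %v", err)`, while keeping `healthmsg.LockedOut` as the user-facing message so the CLI match still works. The function starts and ends outside this hunk, so the error may already be logged elsewhere.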