mirror/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2026-04-03 14:13:12 -04:00
Code Issues Packages Projects Releases Wiki Activity

ipn,tka: improve Tailnet Lock logs

Browse Source 
* Refer to "tailnet-lock" instead of "network-lock" in log messages
* Log keys as `tlpub:<hex>` rather than as Go structs

Updates tailscale/corp#39455
Updates tailscale/corp#37904

Change-Id: I644407d1eda029ee11027bcc949897aa4ba52787
Signed-off-by: Alex Chan <alexc@tailscale.com>
This commit is contained in:
Alex Chan
2026-04-01 12:27:51 +01:00
committed by Alex Chan
parent 1e2fdfd745
commit 88e7330ff1
3 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ipn/ipnlocal/network-lock.go
View File

@@ -44,7 +44,7 @@
var (
errMissingNetmap = errors.New("missing netmap: verify that you are logged in")
errNetworkLockNotActive = errors.New("network-lock is not active")
errNetworkLockNotActive = errors.New("tailnet-lock is not active")
tkaCompactionDefaults = tka.CompactionOptions{
MinChain: 24, // Keep at minimum 24 AUMs since head.
@@ -806,7 +806,7 @@ func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []
func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
defer func() {
if err != nil {
err = fmt.Errorf("modify network-lock keys: %w", err)
err = fmt.Errorf("modify tailnet-lock keys: %w", err)
}
}()
@@ -1126,7 +1126,7 @@ func (b *LocalBackend) NetworkLockWrapPreauthKey(preauthKey string, tkaKey key.N
return "", fmt.Errorf("signing failed: %w", err)
}
b.logf("Generated network-lock credential signature using %s", tkaKey.Public().CLIString())
b.logf("Generated tailnet-lock credential signature using %s", tkaKey.Public().CLIString())
return fmt.Sprintf("%s--TL%s-%s", preauthKey, tkaSuffixEncoder.EncodeToString(sig.Serialize()), tkaSuffixEncoder.EncodeToString(priv)), nil
}

14
ipn/localapi/tailnetlock.go
View File

@@ -122,7 +122,7 @@ type initRequest struct {
func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden)
http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return
}
if r.Method != httpm.POST {
@@ -141,7 +141,7 @@ type modifyRequest struct {
}
if err := h.b.NetworkLockModify(req.AddKeys, req.RemoveKeys); err != nil {
http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
http.Error(w, "tailnet-lock modify failed: "+err.Error(), http.StatusInternalServerError)
return
}
w.WriteHeader(204)
@@ -149,7 +149,7 @@ type modifyRequest struct {
func (h *Handler) serveTKAWrapPreauthKey(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden)
http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return
}
if r.Method != httpm.POST {
@@ -212,7 +212,7 @@ type verifyRequest struct {
func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden)
http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return
}
if r.Method != httpm.POST {
@@ -228,7 +228,7 @@ func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
}
if err := h.b.NetworkLockDisable(secret); err != nil {
http.Error(w, "network-lock disable failed: "+err.Error(), http.StatusBadRequest)
http.Error(w, "tailnet-lock disable failed: "+err.Error(), http.StatusBadRequest)
return
}
w.WriteHeader(http.StatusOK)
@@ -236,7 +236,7 @@ func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
func (h *Handler) serveTKALocalDisable(w http.ResponseWriter, r *http.Request) {
if !h.PermitWrite {
http.Error(w, "network-lock modify access denied", http.StatusForbidden)
http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
return
}
if r.Method != httpm.POST {
@@ -252,7 +252,7 @@ func (h *Handler) serveTKALocalDisable(w http.ResponseWriter, r *http.Request) {
}
if err := h.b.NetworkLockForceLocalDisable(); err != nil {
http.Error(w, "network-lock local disable failed: "+err.Error(), http.StatusBadRequest)
http.Error(w, "tailnet-lock local disable failed: "+err.Error(), http.StatusBadRequest)
return
}
w.WriteHeader(http.StatusOK)

4
tka/builder.go
View File

@@ -67,11 +67,11 @@ func (b *UpdateBuilder) AddKey(key Key) error {
}
if _, err := b.state.GetKey(keyID); err == nil {
return fmt.Errorf("cannot add key %v: already exists", key)
return fmt.Errorf("cannot add key tlpub:%x: already exists", key.Public)
}
if len(b.state.Keys) >= maxKeys {
return fmt.Errorf("cannot add key %v: maximum number of keys reached", key)
return fmt.Errorf("cannot add key tlpub:%x: maximum number of keys reached", key.Public)
}
return b.mkUpdate(AUM{MessageKind: AUMAddKey, Key: &key})