From 88e7330ff10df29ced9429bfc86eb4c290be556a Mon Sep 17 00:00:00 2001
From: Alex Chan <alexc@tailscale.com>
Date: Wed, 1 Apr 2026 12:27:51 +0100
Subject: [PATCH] ipn,tka: improve Tailnet Lock logs

* Refer to "tailnet-lock" instead of "network-lock" in log messages
* Log keys as `tlpub:<hex>` rather than as Go structs

Updates tailscale/corp#39455
Updates tailscale/corp#37904

Change-Id: I644407d1eda029ee11027bcc949897aa4ba52787
Signed-off-by: Alex Chan <alexc@tailscale.com>
---
 ipn/ipnlocal/network-lock.go |  6 +++---
 ipn/localapi/tailnetlock.go  | 14 +++++++-------
 tka/builder.go               |  4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go
index 276fde586..31be25211 100644
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -44,7 +44,7 @@
 
 var (
 	errMissingNetmap        = errors.New("missing netmap: verify that you are logged in")
-	errNetworkLockNotActive = errors.New("network-lock is not active")
+	errNetworkLockNotActive = errors.New("tailnet-lock is not active")
 
 	tkaCompactionDefaults = tka.CompactionOptions{
 		MinChain: 24,                  // Keep at minimum 24 AUMs since head.
@@ -806,7 +806,7 @@ func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []
 func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
 	defer func() {
 		if err != nil {
-			err = fmt.Errorf("modify network-lock keys: %w", err)
+			err = fmt.Errorf("modify tailnet-lock keys: %w", err)
 		}
 	}()
 
@@ -1126,7 +1126,7 @@ func (b *LocalBackend) NetworkLockWrapPreauthKey(preauthKey string, tkaKey key.N
 		return "", fmt.Errorf("signing failed: %w", err)
 	}
 
-	b.logf("Generated network-lock credential signature using %s", tkaKey.Public().CLIString())
+	b.logf("Generated tailnet-lock credential signature using %s", tkaKey.Public().CLIString())
 	return fmt.Sprintf("%s--TL%s-%s", preauthKey, tkaSuffixEncoder.EncodeToString(sig.Serialize()), tkaSuffixEncoder.EncodeToString(priv)), nil
 }
 
diff --git a/ipn/localapi/tailnetlock.go b/ipn/localapi/tailnetlock.go
index 445f70505..e2a2850cf 100644
--- a/ipn/localapi/tailnetlock.go
+++ b/ipn/localapi/tailnetlock.go
@@ -122,7 +122,7 @@ type initRequest struct {
 
 func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
-		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
+		http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
 		return
 	}
 	if r.Method != httpm.POST {
@@ -141,7 +141,7 @@ type modifyRequest struct {
 	}
 
 	if err := h.b.NetworkLockModify(req.AddKeys, req.RemoveKeys); err != nil {
-		http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
+		http.Error(w, "tailnet-lock modify failed: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
 	w.WriteHeader(204)
@@ -149,7 +149,7 @@ type modifyRequest struct {
 
 func (h *Handler) serveTKAWrapPreauthKey(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
-		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
+		http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
 		return
 	}
 	if r.Method != httpm.POST {
@@ -212,7 +212,7 @@ type verifyRequest struct {
 
 func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
-		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
+		http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
 		return
 	}
 	if r.Method != httpm.POST {
@@ -228,7 +228,7 @@ func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := h.b.NetworkLockDisable(secret); err != nil {
-		http.Error(w, "network-lock disable failed: "+err.Error(), http.StatusBadRequest)
+		http.Error(w, "tailnet-lock disable failed: "+err.Error(), http.StatusBadRequest)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
@@ -236,7 +236,7 @@ func (h *Handler) serveTKADisable(w http.ResponseWriter, r *http.Request) {
 
 func (h *Handler) serveTKALocalDisable(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
-		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
+		http.Error(w, "tailnet-lock modify access denied", http.StatusForbidden)
 		return
 	}
 	if r.Method != httpm.POST {
@@ -252,7 +252,7 @@ func (h *Handler) serveTKALocalDisable(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := h.b.NetworkLockForceLocalDisable(); err != nil {
-		http.Error(w, "network-lock local disable failed: "+err.Error(), http.StatusBadRequest)
+		http.Error(w, "tailnet-lock local disable failed: "+err.Error(), http.StatusBadRequest)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
diff --git a/tka/builder.go b/tka/builder.go
index 1e7b13015..131d54dde 100644
--- a/tka/builder.go
+++ b/tka/builder.go
@@ -67,11 +67,11 @@ func (b *UpdateBuilder) AddKey(key Key) error {
 	}
 
 	if _, err := b.state.GetKey(keyID); err == nil {
-		return fmt.Errorf("cannot add key %v: already exists", key)
+		return fmt.Errorf("cannot add key tlpub:%x: already exists", key.Public)
 	}
 
 	if len(b.state.Keys) >= maxKeys {
-		return fmt.Errorf("cannot add key %v: maximum number of keys reached", key)
+		return fmt.Errorf("cannot add key tlpub:%x: maximum number of keys reached", key.Public)
 	}
 
 	return b.mkUpdate(AUM{MessageKind: AUMAddKey, Key: &key})