From 42855d219bc1b51a97c38e0e51c8b2442ab3b56b Mon Sep 17 00:00:00 2001
From: Tom DNetto
Date: Mon, 14 Nov 2022 12:09:12 -0800
Subject: [PATCH] ipn/ipnlocal: fix checks for node-key presence in TKA logic

Found by tests in another repo. TKA code wasn't always checking enough to be sure a node-key was set for the current state.

Signed-off-by: Tom DNetto
---
 ipn/ipnlocal/network-lock.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/ipn/ipnlocal/network-lock.go b/ipn/ipnlocal/network-lock.go
index cbe742f90..7e1095ad1 100644
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -330,7 +330,7 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 defer b.mu.Unlock()
 var nodeKey *key.NodePublic
- if p := b.pm.CurrentPrefs(); p.Valid() {
+ if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist() != nil && !p.Persist().PrivateNodeKey.IsZero() {
 nkp := p.Persist().PublicNodeKey()
 nodeKey = &nkp
 }
@@ -388,7 +388,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
 var ourNodeKey key.NodePublic
 b.mu.Lock()
- if p := b.pm.CurrentPrefs(); p.Valid() {
+ if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist() != nil && !p.Persist().PrivateNodeKey.IsZero() {
 ourNodeKey = p.Persist().PublicNodeKey()
 }
 b.mu.Unlock()
@@ -516,6 +516,14 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
 b.mu.Lock()
 defer b.mu.Unlock()
+ var ourNodeKey key.NodePublic
+ if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist() != nil && !p.Persist().PrivateNodeKey.IsZero() {
+ ourNodeKey = p.Persist().PublicNodeKey()
+ }
+ if ourNodeKey.IsZero() {
+ return errors.New("no node-key: is tailscale logged in?")
+ }
+
 if err := b.CanSupportNetworkLock(); err != nil {
 return err
 }
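Review bot: The three-part guard `p.Valid() && p.Persist() != nil && !p.Persist().PrivateNodeKey.IsZero()` is now copied into four functions (here in NetworkLockStatus, and again in the NetworkLockInit, NetworkLockModify and NetworkLockDisable hunks). Any later change to what counts as "a node-key is set" must then be made four times, and one missed copy reopens the gap this commit closes. A single helper, documented as requiring b.mu to be held, would keep the rule in one place. It should also say why the private key is tested before PublicNodeKey() is called, which none of the hunks explain. NetworkLockStatus starts and continues outside the hunk.

```go
// currentNodeKeyLocked returns the public node-key of the current profile,
// or ok=false when no private node-key is persisted. b.mu must be held.
func (b *LocalBackend) currentNodeKeyLocked() (nk key.NodePublic, ok bool) {
	p := b.pm.CurrentPrefs()
	if !p.Valid() || p.Persist() == nil || p.Persist().PrivateNodeKey.IsZero() {
		return nk, false
	}
	return p.Persist().PublicNodeKey(), true
}
```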
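Review bot: In NetworkLockInit the stricter guard only leaves `ourNodeKey` at its zero value; nothing visible in the hunk stops the function from continuing after `b.mu.Unlock()` with that zero key. The NetworkLockModify hunk adds an explicit `if ourNodeKey.IsZero() { return errors.New("no node-key: is tailscale logged in?") }`, and the same early return should exist here and in the NetworkLockDisable hunk before any request is built. The rest of both functions is outside the hunks, so this may already be handled there; if it is, a one-line comment next to the guard pointing at that check would help readers.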
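Review bot: No test in this commit pins the new logged-out behaviour of NetworkLockModify: the description says the gap was found by tests in another repo, and the diffstat lists only network-lock.go. A unit test in this package should call NetworkLockModify on a LocalBackend whose current prefs have no persisted private node-key and assert that it returns the `no node-key: is tailscale logged in?` error rather than panicking. The same case is worth covering for NetworkLockStatus, NetworkLockInit and NetworkLockDisable. Separately, the new check runs before `b.CanSupportNetworkLock()`, so a logged-out node gets the node-key error even when network lock is unsupported; a short comment stating that this order is intended would help. NetworkLockModify continues outside the hunk.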
@@ -545,7 +553,6 @@ func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err err
 return nil
 }
- ourNodeKey := b.pm.CurrentPrefs().Persist().PublicNodeKey()
 head := b.tka.authority.Head()
 b.mu.Unlock()
 resp, err := b.tkaDoSyncSend(ourNodeKey, head, aums, true)
@@ -580,7 +587,7 @@ func (b *LocalBackend) NetworkLockDisable(secret []byte) error {
 )
 b.mu.Lock()
- if p := b.pm.CurrentPrefs(); p.Valid() {
+ if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist() != nil && !p.Persist().PrivateNodeKey.IsZero() {
 ourNodeKey = p.Persist().PublicNodeKey()
 }
 if b.tka == nil {