mirrors/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-12-06 18:01:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

ipn/ipnlocal: remove the always-true CanSupportNetworkLock()

Browse Source 
Now that we support using an in-memory backend for TKA state (#17946),
this function always returns `nil` – we can always support Network Lock.
We don't need it any more.

Plus, clean up a couple of errant TODOs from that PR.

Updates tailscale/corp#33599

Change-Id: Ief93bb9adebb82b9ad1b3e406d1ae9d2fa234877
Signed-off-by: Alex Chan <alexc@tailscale.com>
This commit is contained in:
Alex Chan 2025-11-19 13:57:14 +00:00 committed by Alex Chan
parent 6ac4356bce
commit 976bf24f5e
1 changed files with 0 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
ipn/ipnlocal/network-lock.go
View File

@ -300,10 +300,6 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
return nil return nil
} }
if err := b.CanSupportNetworkLock(); err != nil {
return err
}
isEnabled := b.tka != nil isEnabled := b.tka != nil
wantEnabled := nm.TKAEnabled wantEnabled := nm.TKAEnabled
@ -488,10 +484,6 @@ func (b *LocalBackend) chonkPathLocked() string {
// //
// b.mu must be held. // b.mu must be held.
func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM, persist persist.PersistView) error { func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM, persist persist.PersistView) error {
if err := b.CanSupportNetworkLock(); err != nil {
return err
}
var genesis tka.AUM var genesis tka.AUM
if err := genesis.Unserialize(g); err != nil { if err := genesis.Unserialize(g); err != nil {
return fmt.Errorf("reading genesis: %v", err) return fmt.Errorf("reading genesis: %v", err)
@ -537,20 +529,6 @@ func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM, per
return nil return nil
} }
// CanSupportNetworkLock returns nil if tailscaled is able to operate
// a local tailnet key authority (and hence enforce network lock).
func (b *LocalBackend) CanSupportNetworkLock() error {
if b.tka != nil {
// If the TKA is being used, it is supported.
return nil
}
// There's a var root (aka --statedir), so if network lock gets
// initialized we have somewhere to store our AUMs. That's all
// we need.
return nil
}
// NetworkLockStatus returns a structure describing the state of the // NetworkLockStatus returns a structure describing the state of the
// tailnet key authority, if any. // tailnet key authority, if any.
func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus { func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
@ -664,12 +642,7 @@ func tkaStateFromPeer(p tailcfg.NodeView) ipnstate.TKAPeer {
// needing signatures is returned as a response. // needing signatures is returned as a response.
// The Finish RPC submits signatures for all these nodes, at which point // The Finish RPC submits signatures for all these nodes, at which point
// Control has everything it needs to atomically enable network lock. // Control has everything it needs to atomically enable network lock.
// TODO(alexc): Only with persistent backend
func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byte, supportDisablement []byte) error { func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byte, supportDisablement []byte) error {
if err := b.CanSupportNetworkLock(); err != nil {
return err
}
var ourNodeKey key.NodePublic var ourNodeKey key.NodePublic
var nlPriv key.NLPrivate var nlPriv key.NLPrivate
@ -794,7 +767,6 @@ func (b *LocalBackend) NetworkLockForceLocalDisable() error {
// NetworkLockSign signs the given node-key and submits it to the control plane. // NetworkLockSign signs the given node-key and submits it to the control plane.
// rotationPublic, if specified, must be an ed25519 public key. // rotationPublic, if specified, must be an ed25519 public key.
// TODO(alexc): in-memory only
func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []byte) error { func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []byte) error {
ourNodeKey, sig, err := func(nodeKey key.NodePublic, rotationPublic []byte) (key.NodePublic, tka.NodeKeySignature, error) { ourNodeKey, sig, err := func(nodeKey key.NodePublic, rotationPublic []byte) (key.NodePublic, tka.NodeKeySignature, error) {
b.mu.Lock() b.mu.Lock()