From d0daa5a398ec4a17499938c3c25ce1cf5058d1b9 Mon Sep 17 00:00:00 2001 From: Alex Chan Date: Mon, 17 Nov 2025 17:12:05 +0000 Subject: [PATCH] tka: marshal AUMHash totext even if Tailnet Lock is omitted We use `tka.AUMHash` in `netmap.NetworkMap`, and we serialise it as JSON in the `/debug/netmap` C2N endpoint. If the binary omits Tailnet Lock support, the debug endpoint returns an error because it's unable to marshal the AUMHash. This patch adds a sentinel value so this marshalling works, and we can use the debug endpoint. Updates https://github.com/tailscale/tailscale/issues/17115 Signed-off-by: Alex Chan Change-Id: I51ec1491a74e9b9f49d1766abd89681049e09ce4
---
 tka/disabled_stub.go | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/tka/disabled_stub.go b/tka/disabled_stub.go
index 15bf12c33..4c4afa370 100644
--- a/tka/disabled_stub.go
+++ b/tka/disabled_stub.go
@@ -22,7 +22,24 @@ type Authority struct {
 
 func (*Authority) Head() AUMHash { return AUMHash{} }
 
-func (AUMHash) MarshalText() ([]byte, error) { return nil, errNoTailnetLock }
+// MarshalText returns a dummy value explaining that Tailnet Lock
+// is not compiled in to this binary.
+//
+// We need to be able to marshal AUMHash to text because it's included
+// in [netmap.NetworkMap], which gets serialised as JSON in the
+// c2n /debug/netmap endpoint.
+//
+// We provide a basic marshaller so that endpoint works correctly
+// with nodes that omit Tailnet Lock support, but we don't want the
+// base32 dependency used for the regular marshaller, and we don't
+// need unmarshalling support at time of writing (2025-11-18).
+func (h AUMHash) MarshalText() ([]byte, error) {
+ return []byte(""), nil
+}
+
+func (h *AUMHash) UnmarshalText(text []byte) error {
+ return errors.New("tailnet lock is not supported by this binary")
+}
 
 type State struct{}
 
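Review bot: `MarshalText` as shown returns `[]byte("")`, which matches neither its doc comment ("a dummy value explaining that Tailnet Lock is not compiled in") nor the commit message's "sentinel value"; the literal may simply have been lost when this page was rendered, so check it against the real commit. If it really is empty, someone reading `/debug/netmap` output cannot tell a binary that omits Tailnet Lock from an unset hash, and that output is what people consult when checking Tailnet Lock state. A non-empty, self-describing string that cannot be mistaken for a base32 hash would be safer, for example `return []byte("tailnet-lock-omitted"), nil` (constructed example, not a value from the project). The re-added `UnmarshalText` has no doc comment; `// UnmarshalText always fails: this build omits Tailnet Lock, so the value written by MarshalText does not round-trip.` would record the asymmetry for anyone who later decodes a NetworkMap in such a build.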
@@ -128,12 +145,6 @@ type NodeKeySignature struct {
 type DeeplinkValidationResult struct {
 }
 
-func (h *AUMHash) UnmarshalText(text []byte) error {
- return errNoTailnetLock
-}
-
-var errNoTailnetLock = errors.New("tailnet lock is not enabled")
-
 func DecodeWrappedAuthkey(wrappedAuthKey string, logf logger.Logf) (authKey string, isWrapped bool, sig *NodeKeySignature, priv ed25519.PrivateKey) {
 return wrappedAuthKey, false, nil, nil
 }