Use tailscale key types instead of strings (#1609)

* upgrade tailscale Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * make Node object use actualy tailscale key types This commit changes the Node struct to have both a field for strings to store the keys in the database and a dedicated Key for each type of key. The keys are populated and stored with Gorm hooks to ensure the data is stored in the db. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * use key types throughout the code Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * make sure machinekey is concistently used Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * use machine key in auth url Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix web register Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * use key type in notifier Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * fix relogin with webauth Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-11-19 22:37:04 +01:00 · 2023-11-19 22:37:04 +01:00 · ed4e19996b
commit ed4e19996b
parent c0fd06e3f5
22 changed files with 550 additions and 471 deletions
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@ -368,17 +368,6 @@ func (m *Mapper) marshalMapResponse(
 ) ([]byte, error) {
 	atomic.AddUint64(&m.seq, 1)

-	var machineKey key.MachinePublic
-	err := machineKey.UnmarshalText([]byte(node.MachineKey))
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot parse client key")
-
-		return nil, err
-	}
-
 	jsonBody, err := json.Marshal(resp)
 	if err != nil {
 		log.Error().
@ -426,11 +415,11 @@ func (m *Mapper) marshalMapResponse(
 	if compression == util.ZstdCompression {
 		respBody = zstdEncode(jsonBody)
 		if !m.isNoise { // if legacy protocol
-			respBody = m.privateKey2019.SealTo(machineKey, respBody)
+			respBody = m.privateKey2019.SealTo(node.MachineKey, respBody)
 		}
 	} else {
 		if !m.isNoise { // if legacy protocol
-			respBody = m.privateKey2019.SealTo(machineKey, jsonBody)
+			respBody = m.privateKey2019.SealTo(node.MachineKey, jsonBody)
 		} else {
 			respBody = jsonBody
 		}
--- a/hscontrol/mapper/mapper_test.go
+++ b/hscontrol/mapper/mapper_test.go
@ -166,10 +166,16 @@ func Test_fullMapResponse(t *testing.T) {
 	expire := time.Date(2500, time.November, 11, 23, 0, 0, 0, time.UTC)

 	mini := &types.Node{
-		ID:          0,
-		MachineKey:  "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		NodeKey:     "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		DiscoKey:    "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		ID: 0,
+		MachineKey: mustMK(
+			"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		),
+		NodeKey: mustNK(
+			"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		),
+		DiscoKey: mustDK(
+			"discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		),
 		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.1")},
 		Hostname:    "mini",
 		GivenName:   "mini",
@ -226,7 +232,6 @@ func Test_fullMapResponse(t *testing.T) {
 			netip.MustParsePrefix("0.0.0.0/0"),
 			netip.MustParsePrefix("192.168.0.0/24"),
 		},
-		Endpoints:         []string{},
 		DERP:              "127.3.3.40:0",
 		Hostinfo:          hiview(tailcfg.Hostinfo{}),
 		Created:           created,
@ -244,10 +249,16 @@ func Test_fullMapResponse(t *testing.T) {
 	}

 	peer1 := &types.Node{
-		ID:          1,
-		MachineKey:  "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		NodeKey:     "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		DiscoKey:    "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		ID: 1,
+		MachineKey: mustMK(
+			"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		),
+		NodeKey: mustNK(
+			"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		),
+		DiscoKey: mustDK(
+			"discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		),
 		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.2")},
 		Hostname:    "peer1",
 		GivenName:   "peer1",
@ -278,7 +289,6 @@ func Test_fullMapResponse(t *testing.T) {
 		),
 		Addresses:         []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
 		AllowedIPs:        []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
-		Endpoints:         []string{},
 		DERP:              "127.3.3.40:0",
 		Hostinfo:          hiview(tailcfg.Hostinfo{}),
 		Created:           created,
@ -296,10 +306,16 @@ func Test_fullMapResponse(t *testing.T) {
 	}

 	peer2 := &types.Node{
-		ID:          2,
-		MachineKey:  "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		NodeKey:     "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		DiscoKey:    "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		ID: 2,
+		MachineKey: mustMK(
+			"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		),
+		NodeKey: mustNK(
+			"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		),
+		DiscoKey: mustDK(
+			"discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		),
 		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.3")},
 		Hostname:    "peer2",
 		GivenName:   "peer2",
--- a/hscontrol/mapper/tail.go
+++ b/hscontrol/mapper/tail.go
@ -52,21 +52,6 @@ func tailNode(
 	baseDomain string,
 	randomClientPort bool,
 ) (*tailcfg.Node, error) {
-	nodeKey, err := node.NodePublicKey()
-	if err != nil {
-		return nil, err
-	}
-
-	machineKey, err := node.MachinePublicKey()
-	if err != nil {
-		return nil, err
-	}
-
-	discoKey, err := node.DiscoPublicKey()
-	if err != nil {
-		return nil, err
-	}
-
 	addrs := node.IPAddresses.Prefixes()

 	allowedIPs := append(
@ -112,6 +97,11 @@ func tailNode(
 	tags, _ := pol.TagsOfNode(node)
 	tags = lo.Uniq(append(tags, node.ForcedTags...))

+	endpoints, err := node.EndpointsToAddrPort()
+	if err != nil {
+		return nil, err
+	}
+
 	tNode := tailcfg.Node{
 		ID: tailcfg.NodeID(node.ID), // this is the actual ID
 		StableID: tailcfg.StableNodeID(
@ -121,14 +111,14 @@ func tailNode(

 		User: tailcfg.UserID(node.UserID),

-		Key:       nodeKey,
+		Key:       node.NodeKey,
 		KeyExpiry: keyExpiry,

-		Machine:    machineKey,
-		DiscoKey:   discoKey,
+		Machine:    node.MachineKey,
+		DiscoKey:   node.DiscoKey,
 		Addresses:  addrs,
 		AllowedIPs: allowedIPs,
-		Endpoints:  node.Endpoints,
+		Endpoints:  endpoints,
 		DERP:       derp,
 		Hostinfo:   hostInfo.View(),
 		Created:    node.CreatedAt,
--- a/hscontrol/mapper/tail_test.go
+++ b/hscontrol/mapper/tail_test.go
@ -58,16 +58,36 @@ func TestTailNode(t *testing.T) {
 			pol:        &policy.ACLPolicy{},
 			dnsConfig:  &tailcfg.DNSConfig{},
 			baseDomain: "",
-			want:       nil,
-			wantErr:    true,
+			want: &tailcfg.Node{
+				StableID:          "0",
+				Addresses:         []netip.Prefix{},
+				AllowedIPs:        []netip.Prefix{},
+				DERP:              "127.3.3.40:0",
+				Hostinfo:          hiview(tailcfg.Hostinfo{}),
+				Tags:              []string{},
+				PrimaryRoutes:     []netip.Prefix{},
+				Online:            new(bool),
+				MachineAuthorized: true,
+				Capabilities: []tailcfg.NodeCapability{
+					"https://tailscale.com/cap/file-sharing", "https://tailscale.com/cap/is-admin",
+					"https://tailscale.com/cap/ssh", "debug-disable-upnp",
+				},
+			},
+			wantErr: false,
 		},
 		{
 			name: "minimal-node",
 			node: &types.Node{
-				ID:         0,
-				MachineKey: "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-				NodeKey:    "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-				DiscoKey:   "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+				ID: 0,
+				MachineKey: mustMK(
+					"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+				),
+				NodeKey: mustNK(
+					"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+				),
+				DiscoKey: mustDK(
+					"discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+				),
 				IPAddresses: []netip.Addr{
 					netip.MustParseAddr("100.64.0.1"),
 				},
@ -133,10 +153,9 @@ func TestTailNode(t *testing.T) {
 					netip.MustParsePrefix("0.0.0.0/0"),
 					netip.MustParsePrefix("192.168.0.0/24"),
 				},
-				Endpoints: []string{},
-				DERP:      "127.3.3.40:0",
-				Hostinfo:  hiview(tailcfg.Hostinfo{}),
-				Created:   created,
+				DERP:     "127.3.3.40:0",
+				Hostinfo: hiview(tailcfg.Hostinfo{}),
+				Created:  created,

 				Tags: []string{},