cmd/tsconnect: pop CTA to make everything work with tailnet lock

Signed-off-by: Tom DNetto <tom@tailscale.com>
2023-03-03 13:28:23 -08:00 · 2023-03-03 13:28:23 -08:00 · 2263d9c44b
parent 387b68fe11
commit 2263d9c44b
5 changed files with 28 additions and 5 deletions
--- a/cmd/tsconnect/src/app/app.tsx
+++ b/cmd/tsconnect/src/app/app.tsx
@ -43,8 +43,26 @@ class App extends Component<{}, AppState> {
      )
    }

+    const lockedOut = netMap?.lockedOut
+    let lockedOutInstructions
+    if (lockedOut) {
+      lockedOutInstructions = (
+        <div class="container mx-auto px-4 text-center space-y-4">
+          <p>This instance of Tailscale Connect needs to be signed, due to
+            {" "}<a href="https://tailscale.com/kb/1226/tailnet-lock/" class="link">tailnet lock</a>{" "}
+            being enabled on this domain.
+          </p>
+
+          <p>
+            Run the following command on a device with a trusted tailnet lock key:
+            <pre>tailscale lock sign {netMap.self.nodeKey}</pre>
+          </p>
+        </div>
+      )
+    }
+
    let ssh
-    if (ipn && ipnState === "Running" && netMap) {
+    if (ipn && ipnState === "Running" && netMap && !lockedOut) {
      ssh = <SSH netMap={netMap} ipn={ipn} />
    }

@ -55,6 +73,7 @@ class App extends Component<{}, AppState> {
        <div class="flex-grow flex flex-col justify-center overflow-hidden">
          {urlDisplay}
          {machineAuthInstructions}
+          {lockedOutInstructions}
          {ssh}
        </div>
      </>
--- a/cmd/tsconnect/src/app/ssh.tsx
+++ b/cmd/tsconnect/src/app/ssh.tsx
@ -60,11 +60,11 @@ function SSHSession({
 function NoSSHPeers() {
  return (
    <div class="container mx-auto px-4 text-center">
-      None of your machines have
+      None of your machines have{" "}
      <a href="https://tailscale.com/kb/1193/tailscale-ssh/" class="link">
        Tailscale SSH
      </a>
-      enabled. Give it a try!
+      {" "}enabled. Give it a try!
    </div>
  )
 }
--- a/cmd/tsconnect/src/types/wasm_js.d.ts
+++ b/cmd/tsconnect/src/types/wasm_js.d.ts
@ -63,6 +63,7 @@ declare global {
  type IPNNetMap = {
    self: IPNNetMapSelfNode
    peers: IPNNetMapPeerNode[]
+    lockedOut: boolean
  }

  type IPNNetMapNode = {
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@ -272,6 +272,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 						TailscaleSSHEnabled: p.Hostinfo.TailscaleSSHEnabled(),
 					}
 				}),
+				LockedOut: nm.TKAEnabled && len(nm.SelfNode.KeySignature) == 0,
 			}
 			if jsonNetMap, err := json.Marshal(jsNetMap); err == nil {
 				jsCallbacks.Call("notifyNetMap", string(jsonNetMap))
@ -521,8 +522,9 @@ func (w termWriter) Write(p []byte) (n int, err error) {
 }

 type jsNetMap struct {
-	Self  jsNetMapSelfNode   `json:"self"`
-	Peers []jsNetMapPeerNode `json:"peers"`
+	Self      jsNetMapSelfNode   `json:"self"`
+	Peers     []jsNetMapPeerNode `json:"peers"`
+	LockedOut bool               `json:"lockedOut"`
 }

 type jsNetMapNode struct {
--- a/flake.nix
+++ b/flake.nix
@ -108,6 +108,7 @@
          graphviz
          perl
          go_1_20
+          yarn
        ];
      };
    };