ts_runtime/peer_tracker/mod.rs
1//! Peer delta update tracking.
2
3use std::{
4 collections::{HashMap, HashSet},
5 net::IpAddr,
6 sync::Arc,
7};
8
9use kameo::{
10 actor::ActorRef,
11 message::{Context, Message},
12 reply::ReplySender,
13};
14use tokio::sync::watch;
15use ts_control::{Node, UserId, UserProfile};
16use ts_transport::PeerId;
17
18use crate::{Error, env::Env, status::StatusNode};
19
20mod peer_db;
21
22pub use peer_db::PeerDb;
23
24/// Actor that tracks peer delta updates and emits new states.
25pub struct PeerTracker {
26 peer_db: PeerDb,
27 seen_state_update: bool,
28 pending_requests: Vec<Pending>,
29 /// Latest peer snapshot, published on every netmap update so embedders can watch for peer
30 /// changes ([`WatchNetmap`]).
31 peer_watch: watch::Sender<Vec<StatusNode>>,
32 /// Accumulated netmap user profiles (`MapResponse.UserProfiles`), keyed by user id, joined
33 /// against a node's [`Node::user_id`](ts_control::Node::user_id) to resolve the owning user's
34 /// login/display name for a [`WhoIs`](crate::status::WhoIs). Control sends these incrementally
35 /// (only new/changed profiles per response), so this map **accumulates** across updates rather
36 /// than being replaced — a peer upserted in one response may reference a profile delivered in an
37 /// earlier one.
38 user_profiles: HashMap<UserId, UserProfile>,
39 /// Tailnet-Lock (TKA) authority enforced at the peer-trust chokepoint, matching Go
40 /// `tkaFilterNetmapLocked`. Read on demand from a [`watch`] cell the control runner owns: when it
41 /// holds `Some` (a verified lock has been synced from control), enforcement is **active** — every
42 /// upserted peer must present a `key_signature` this authority authorizes, or it is dropped
43 /// (fail-closed), exactly as Go drops peers with a missing or failing signature. When it holds
44 /// `None` (no lock, or the lock was disabled) enforcement is **inactive** and every peer is
45 /// upserted, identical to pre-TKA behavior and to Go's `b.tka == nil` early return.
46 ///
47 /// A `watch::Receiver` (not the bus) is the transport on purpose: the authority is a single
48 /// security-critical state cell, and `watch` is last-write-wins, never-dropped, and ordered by
49 /// the control runner's own writes — so a disable (`None`) can never be reordered behind or
50 /// silently dropped before a stale `Some` (which a best-effort broadcast bus could do, leaving a
51 /// defunct lock enforcing forever). The control runner is the sole writer; we only ever read.
52 ///
53 /// The authority always passes through `VerifiedAumChain::verify` before the control runner
54 /// publishes it, so enforcement only engages on a chain we have cryptographically verified.
55 /// Connectivity now depends on `ts_tka` verifying genuinely-good signatures correctly (see
56 /// SECURITY.md). Self is structurally never filtered here (the self node never enters `peer_db` —
57 /// it is routed to the control runner's `self_node` cell), so a node cannot lock itself out of
58 /// its own netmap.
59 tka_authority: watch::Receiver<Option<Arc<ts_tka::Authority>>>,
60 env: Env,
61}
62
63impl PeerTracker {
64 fn peer_by_name_opt(&self, name: &str) -> Option<&Node> {
65 // Canonicalization (case + trailing dot) is handled inside the name index lookup.
66 self.peer_db.get(&name).map(|(_id, node)| node)
67 }
68
69 fn peer_by_tailnet_ip_opt(&self, ip: IpAddr) -> Option<&Node> {
70 self.peer_db.get(&ip).map(|(_id, node)| node)
71 }
72
73 /// Build the peer entries for a [`Status`](crate::Status) snapshot from the current peer db.
74 ///
75 /// Connectivity fields (`cur_addr`/`relay`) are left at their `from_node` defaults (`None`) here:
76 /// this is the live-watch/hot path and must stay magicsock-free and synchronous. The explicit
77 /// [`GetStatus`] snapshot enriches them ([`status_peers_with_ids`](Self::status_peers_with_ids)).
78 fn status_peers(&self) -> Vec<StatusNode> {
79 self.peer_db
80 .peers()
81 .values()
82 .map(StatusNode::from_node)
83 .collect()
84 }
85
86 /// Like [`status_peers`](Self::status_peers) but pairs each entry with its [`PeerId`], so the
87 /// caller can join per-peer connectivity (the direct manager's `best_addrs`, keyed by `PeerId`)
88 /// onto the `StatusNode` before returning it. Order is unspecified (a `HashMap` walk).
89 fn status_peers_with_ids(&self) -> Vec<(PeerId, StatusNode)> {
90 self.peer_db
91 .peers()
92 .iter()
93 .map(|(id, node)| (*id, StatusNode::from_node(node)))
94 .collect()
95 }
96
97 fn whois_opt(&self, addr: std::net::SocketAddr) -> Option<crate::status::WhoIs> {
98 let ip = crate::status::whois_addr(addr);
99 let node = self.peer_by_tailnet_ip_opt(ip).cloned()?;
100 // Join the node's owning user id against the accumulated UserProfiles table to resolve a
101 // login/display name. `None` when control sent no profile for that user (e.g. tagged nodes
102 // with no human owner, or a profile not yet delivered).
103 let user = self.resolve_user(node.user_id);
104 Some(crate::status::WhoIs::from_node_with_user(node, user))
105 }
106
107 /// Resolve a user id to its best display label from the accumulated profile table.
108 fn resolve_user(&self, user_id: UserId) -> Option<String> {
109 self.user_profiles
110 .get(&user_id)
111 .and_then(UserProfile::best_label)
112 }
113
114 /// Whether `node` may be admitted to the peer db under Tailnet Lock, matching Go
115 /// `tkaFilterNetmapLocked`'s per-peer verdict (drop unsigned / failed-signature peers).
116 ///
117 /// This consults the live [`tka_authority`](Self::tka_authority) cell on each call (one `borrow`,
118 /// held only for the duration of the verdict). For a `Full` resync — which checks every peer —
119 /// prefer [`tka_authority_snapshot`](Self::tka_authority_snapshot) +
120 /// [`tka_snapshot_admits`](Self::tka_snapshot_admits) to borrow once and verify each peer a single
121 /// time; this method is the convenience wrapper for the single-peer (`Delta`/patch) sites.
122 ///
123 /// Fail-closed and gated:
124 /// - No authority ⇒ no lock synced ⇒ always admit (Go's `b.tka == nil` early return; identical to
125 /// pre-TKA behavior).
126 /// - **Empty trusted-key state** ⇒ always admit (logged at `error!` — see
127 /// [`tka_snapshot_admits`](Self::tka_snapshot_admits) for the full rationale).
128 /// - Authority present + peer carries a `key_signature` the authority authorizes for the peer's
129 /// node key ⇒ admit.
130 /// - Authority present + signature missing or unauthorized/invalid ⇒ **drop** (Go drops peers
131 /// with a missing signature or failed `NodeKeyAuthorized` under tailnet lock).
132 fn tka_admits(&self, node: &Node) -> bool {
133 // Single-peer sites (`Delta`/patch) only need the admit bool; the rotation details are used
134 // exclusively by the cross-peer `Full` filter (rotation obsolescence is whole-netmap).
135 Self::tka_snapshot_admits(self.tka_authority.borrow().as_deref(), node).admitted
136 }
137
138 /// Borrow the current TKA authority once (cloning the cheap `Arc`) for a batch verdict. Returns
139 /// `None` when no lock is synced (admit-all). Used by the `Full` path so a netmap of N peers
140 /// reads the cell once and runs at most one signature verify per peer (not two).
141 fn tka_authority_snapshot(&self) -> Option<Arc<ts_tka::Authority>> {
142 self.tka_authority.borrow().clone()
143 }
144
145 /// The per-peer Tailnet-Lock verdict against an already-borrowed `authority` snapshot. Factored
146 /// out so both the single-peer [`tka_admits`](Self::tka_admits) and the `Full` batch path share
147 /// one verdict implementation (no divergence) while the batch path verifies each peer exactly
148 /// once.
149 ///
150 /// Returns whether the peer is admitted AND, for an admitted peer signed by a rotation chain, the
151 /// [`RotationDetails`](ts_tka::RotationDetails) of that chain — so the `Full` path can run the
152 /// cross-peer rotation filter (Go's `rotationTracker`) without a second verify per peer. A peer
153 /// that is dropped, unsigned, or signed by a non-rotation chain carries `rotation == None`.
154 ///
155 /// Never logs key/signature bytes — only the `stable_id` and the `TkaError` Display (static
156 /// descriptors). One documented parity gap remains vs Go (under-enforcement, in PARITY_ROADMAP):
157 /// no `UnsignedPeerAPIOnly` exemption (our node model lacks the field).
158 fn tka_snapshot_admits(authority: Option<&ts_tka::Authority>, node: &Node) -> TkaVerdict {
159 let Some(auth) = authority else {
160 return TkaVerdict::admit();
161 };
162
163 // Brick-guard: an authority with no trusted keys would drop every peer. A verified chain is
164 // structurally guaranteed ≥1 key (genesis rejects an empty key set, and the last key cannot
165 // be removed), so reaching here means a `ts_tka` invariant was violated — admit rather than
166 // black-hole the whole netmap, and log at `error!` because it signals a real bug, not an
167 // expected runtime input. This is OUR fail-safe, not a Go behavior. NOTE: it only catches the
168 // empty-keyset shape; a non-empty authority that authorizes none of the offered peers still
169 // (correctly) drops them — that is what a lock that revoked everyone means. The
170 // "authorized-zero-peers" isolation case is surfaced separately by the caller.
171 if auth.state().keys.is_empty() {
172 tracing::error!(
173 "TKA: authority has an empty trusted-key set (verified chains never do — likely a \
174 ts_tka bug); not enforcing (admitting all) to avoid isolating the node"
175 );
176 return TkaVerdict::admit();
177 }
178
179 if node.key_signature.is_empty() {
180 tracing::warn!(
181 stable_id = ?node.stable_id,
182 "TKA: dropping unsigned peer under tailnet lock"
183 );
184 return TkaVerdict::drop();
185 }
186
187 match auth.node_key_authorized_with_details(&node.node_key.to_bytes(), &node.key_signature)
188 {
189 Ok(rotation) => {
190 tracing::debug!(stable_id = ?node.stable_id, "TKA: peer node-key authorized");
191 TkaVerdict {
192 admitted: true,
193 rotation,
194 }
195 }
196 Err(e) => {
197 tracing::warn!(
198 stable_id = ?node.stable_id,
199 error = %e,
200 "TKA: dropping peer with unauthorized node key"
201 );
202 TkaVerdict::drop()
203 }
204 }
205 }
206}
207
208/// The outcome of a per-peer Tailnet-Lock check: whether the peer is admitted, plus (for an admitted
209/// peer signed by a rotation chain) the chain's [`RotationDetails`](ts_tka::RotationDetails) so the
210/// `Full` path can run the cross-peer rotation filter from the SAME verify pass (no second verify).
211struct TkaVerdict {
212 admitted: bool,
213 rotation: Option<ts_tka::RotationDetails>,
214}
215
216impl TkaVerdict {
217 /// Admitted, no rotation details (no lock / brick-guard / non-rotation signature).
218 fn admit() -> Self {
219 Self {
220 admitted: true,
221 rotation: None,
222 }
223 }
224 /// Dropped.
225 fn drop() -> Self {
226 Self {
227 admitted: false,
228 rotation: None,
229 }
230 }
231}
232
233/// Cross-peer rotation-obsolescence tracker, mirroring Go `ipnlocal.rotationTracker`. Fed the
234/// [`RotationDetails`](ts_tka::RotationDetails) of every admitted, rotation-signed peer in a `Full`
235/// netmap; [`obsolete_keys`](Self::obsolete_keys) then returns the node keys to drop on top of the
236/// per-peer verdict. Two rules (Go `tkaFilterNetmapLocked` + `rotationTracker.obsoleteKeys`):
237///
238/// 1. Every prior node key named in any rotation chain is obsolete (a newer chain rotated it away).
239/// 2. Among `Direct`-rooted chains sharing one wrapping pubkey (a clone signal), only the
240/// longest-chain peer survives; if the two longest are tied, ALL in that group are dropped (we
241/// cannot tell which is the latest, so reject for safety). `Credential`-rooted chains are exempt
242/// from rule 2 — several nodes can legitimately join under one reusable auth key (same wrapping
243/// pubkey), so sharing it is not a clone signal there. (Rule 1 still applies to them.)
244///
245/// Node keys are tracked as raw `Vec<u8>` (the verified 32-byte node-public bytes).
246#[derive(Default)]
247struct RotationTracker {
248 obsolete: HashSet<Vec<u8>>,
249 by_wrapping_key: HashMap<Vec<u8>, Vec<SigRotation>>,
250}
251
252/// One admitted peer's rotation entry within a wrapping-key group.
253struct SigRotation {
254 node_key: Vec<u8>,
255 num_prev_keys: usize,
256}
257
258impl RotationTracker {
259 /// Record an admitted peer `node_key` and its rotation `details` (Go `addRotationDetails`).
260 fn add(&mut self, node_key: Vec<u8>, details: &ts_tka::RotationDetails) {
261 // Rule 1: every prior key is obsolete — applied for ALL chains (incl. credential-rooted),
262 // matching Go's ungated `obsolete.AddSlice(d.PrevNodeKeys)`.
263 self.obsolete.extend(details.prev_node_keys.iter().cloned());
264 // Rule 2 (clone-uniqueness) is gated to Direct-rooted chains only.
265 if details.initial_sig_kind != ts_tka::SigKind::Direct {
266 return;
267 }
268 self.by_wrapping_key
269 .entry(details.initial_wrapping_pubkey.clone())
270 .or_default()
271 .push(SigRotation {
272 node_key,
273 num_prev_keys: details.prev_node_keys.len(),
274 });
275 }
276
277 /// Compute the full obsolete node-key set (Go `rotationTracker.obsoleteKeys`). Processes each
278 /// wrapping-key group, mutating the shared `obsolete` set as it goes (so a key obsoleted by one
279 /// group is seen as obsolete by later groups via the `retain` below — Go's
280 /// `slices.DeleteFunc(... Contains)`). Group iteration order (a `HashMap` drain) is
281 /// nondeterministic, but the result is order-INDEPENDENT: this only ever *inserts* into
282 /// `obsolete` (never removes), and rule 1 already obsoleted every prior key before this loop, so
283 /// the final set is a union that does not depend on which group runs first (as in Go).
284 fn obsolete_keys(mut self) -> HashSet<Vec<u8>> {
285 // Drain only the group map so the loop can mutate `self.obsolete` without aliasing it; the
286 // shared `obsolete` set itself is NOT drained, preserving the cross-group visibility above.
287 let groups: Vec<Vec<SigRotation>> = self.by_wrapping_key.drain().map(|(_k, v)| v).collect();
288 for mut group in groups {
289 // Drop entries already obsoleted (rotated away) by another chain.
290 group.retain(|rd| !self.obsolete.contains(&rd.node_key));
291 if group.is_empty() {
292 continue;
293 }
294 // Longest chain (most prior keys) is the newest ⇒ the survivor; sort decreasing.
295 // `sort_by_key` is stable (like Go's `SortStableFunc`); `Reverse` gives descending order.
296 group.sort_by_key(|rd| core::cmp::Reverse(rd.num_prev_keys));
297 if group.len() >= 2 && group[0].num_prev_keys == group[1].num_prev_keys {
298 // Tie for longest ⇒ cannot disambiguate the latest ⇒ drop the WHOLE group.
299 tracing::warn!(
300 "TKA: multiple peers share a wrapping key with equal rotation depth; dropping all (cannot determine the latest)"
301 );
302 for rd in &group {
303 self.obsolete.insert(rd.node_key.clone());
304 }
305 } else {
306 // Only the longest-chain peer survives; the rest are obsolete.
307 for rd in &group[1..] {
308 self.obsolete.insert(rd.node_key.clone());
309 }
310 }
311 }
312 self.obsolete
313 }
314}
315
316impl kameo::Actor for PeerTracker {
317 /// `(env, tka_authority)`: the bus/keys env, plus the read end of the control runner's TKA
318 /// enforcement-authority cell (Go `tkaFilterNetmapLocked`). The control runner is the sole
319 /// writer; it publishes the verified `Authority` after a successful `/machine/tka/sync` and
320 /// `None` when the lock is disabled. A `watch` cell (not a bus message) so the latest value is
321 /// always readable on demand, never dropped, and never reordered (see the control runner's
322 /// `tka_authority` cell).
323 type Args = (Env, watch::Receiver<Option<Arc<ts_tka::Authority>>>);
324 type Error = Error;
325
326 async fn on_start(
327 (env, tka_authority): Self::Args,
328 slf: ActorRef<Self>,
329 ) -> Result<Self, Self::Error> {
330 env.subscribe::<Arc<ts_control::StateUpdate>>(&slf).await?;
331
332 let (peer_watch, _) = watch::channel(Vec::new());
333
334 Ok(Self {
335 peer_db: PeerDb::default(),
336 pending_requests: Default::default(),
337 seen_state_update: false,
338 peer_watch,
339 user_profiles: HashMap::new(),
340 // The cell starts `None` (no lock synced ⇒ enforcement inactive, admit all, matching
341 // Go's `b.tka == nil`); the control runner flips it to `Some` on the first sync.
342 tka_authority,
343 env,
344 })
345 }
346}
347
348enum Pending {
349 PeerByName(PeerByName, ReplySender<Option<Node>>),
350 AcceptedRoute(PeerByAcceptedRoute, ReplySender<Vec<Node>>),
351 TailnetIp(PeerByTailnetIp, ReplySender<Option<Node>>),
352 Status(ReplySender<Vec<(PeerId, StatusNode)>>),
353 WhoIs(Whois, ReplySender<Option<crate::status::WhoIs>>),
354}
355
356// For messages with arguments, a struct is generated with the args as fields. They aren't
357// documented, and we can't apply attributes directly to the fields. Hence, wrap in a module where
358// docs are turned off everywhere.
359#[allow(missing_docs)]
360mod msg_impl {
361 use std::net::IpAddr;
362
363 use kameo::prelude::DelegatedReply;
364
365 use super::*;
366
367 #[kameo::messages]
368 impl PeerTracker {
369 /// Lookup a peer by name.
370 ///
371 /// Waits until we've received at least one peer update from control.
372 #[message(ctx)]
373 pub async fn peer_by_name(
374 &mut self,
375 ctx: &mut Context<Self, DelegatedReply<Option<Node>>>,
376 name: String,
377 ) -> DelegatedReply<Option<Node>> {
378 let (deleg, sender) = ctx.reply_sender();
379 let Some(sender) = sender else { return deleg };
380
381 if !self.seen_state_update {
382 tracing::debug!(query = name, "no peer state seen yet, queueing request");
383
384 self.pending_requests
385 .push(Pending::PeerByName(PeerByName { name }, sender));
386
387 return deleg;
388 }
389
390 sender.send(self.peer_by_name_opt(&name).cloned());
391
392 deleg
393 }
394
395 /// Lookup all peers that accept packets addressed to the given IP.
396 ///
397 /// This includes the peer's tailnet address and any subnet routes it provides. Only
398 /// the peers with the most specific subnet route match that covers `ip` will be
399 /// returned.
400 ///
401 /// E.g., suppose:
402 ///
403 /// - We're querying for `10.1.2.3`
404 /// - `PeerA` and `PeerB` have accepted routes for `10.1.2.0/24`
405 /// - `PeerC` has an accepted route for `10.1.0.0/16`
406 ///
407 /// Only `PeerA` and `PeerB` will be returned, since they have the most specific
408 /// prefix match.
409 #[message(ctx)]
410 pub fn peer_by_accepted_route(
411 &mut self,
412 ctx: &mut Context<Self, DelegatedReply<Vec<Node>>>,
413 ip: IpAddr,
414 ) -> DelegatedReply<Vec<Node>> {
415 let (deleg, sender) = ctx.reply_sender();
416 let Some(sender) = sender else { return deleg };
417
418 if !self.seen_state_update {
419 tracing::debug!(query = %ip, "no peer state seen yet, queueing request");
420
421 self.pending_requests
422 .push(Pending::AcceptedRoute(PeerByAcceptedRoute { ip }, sender));
423
424 return deleg;
425 }
426
427 sender.send(
428 self.peer_db
429 .get_route(ip.into())
430 .map(|(_id, node)| node.clone())
431 .collect(),
432 );
433
434 deleg
435 }
436
437 /// Lookup the peer that has the given tailnet IP address.
438 #[message(ctx)]
439 pub fn peer_by_tailnet_ip(
440 &mut self,
441 ctx: &mut Context<Self, DelegatedReply<Option<Node>>>,
442 ip: IpAddr,
443 ) -> DelegatedReply<Option<Node>> {
444 let (deleg, sender) = ctx.reply_sender();
445 let Some(sender) = sender else { return deleg };
446
447 if !self.seen_state_update {
448 tracing::debug!(query = %ip, "no peer state seen yet, queueing request");
449
450 self.pending_requests
451 .push(Pending::TailnetIp(PeerByTailnetIp { ip }, sender));
452
453 return deleg;
454 }
455
456 sender.send(self.peer_by_tailnet_ip_opt(ip).cloned());
457
458 deleg
459 }
460
461 /// Build the peer entries of a [`Status`](crate::Status) snapshot, each paired with its
462 /// [`PeerId`] so [`Runtime::status`](crate::Runtime::status) can join per-peer connectivity
463 /// (`cur_addr`/`relay`) from the direct manager before returning. The self node is *not*
464 /// included here (it lives in the control runner); `Runtime::status` combines both and drops
465 /// the ids.
466 ///
467 /// Waits until we've received at least one peer update from control.
468 #[message(ctx)]
469 pub fn get_status(
470 &mut self,
471 ctx: &mut Context<Self, DelegatedReply<Vec<(PeerId, StatusNode)>>>,
472 ) -> DelegatedReply<Vec<(PeerId, StatusNode)>> {
473 let (deleg, sender) = ctx.reply_sender();
474 let Some(sender) = sender else { return deleg };
475
476 if !self.seen_state_update {
477 tracing::debug!("no peer state seen yet, queueing status request");
478 self.pending_requests.push(Pending::Status(sender));
479 return deleg;
480 }
481
482 sender.send(self.status_peers_with_ids());
483
484 deleg
485 }
486
487 /// Return every known peer's full domain [`Node`] (not the lossy [`StatusNode`]).
488 ///
489 /// Used by [`Runtime::file_targets`](crate::Runtime::file_targets), which needs the full node
490 /// (peerAPI address, owning user id, cap map) to compute Taildrop send targets. The self node
491 /// is not included (it lives in the control runner). Returns empty before the first netmap —
492 /// the natural "not connected yet" analog (an immediate answer, no queueing needed: callers
493 /// that need a populated list await `Running` first).
494 #[message]
495 pub fn all_peers(&self) -> Vec<Node> {
496 self.peer_db.peers().values().cloned().collect()
497 }
498
499 /// Resolve which node owns a tailnet source address.
500 ///
501 /// Maps the source IP of `addr` to the owning node via the tailnet-IP index, returning a
502 /// [`WhoIs`](crate::WhoIs). The port is ignored (a tailnet IP uniquely identifies a node).
503 ///
504 /// The resulting [`WhoIs`](crate::WhoIs) carries no user/login or capability data: this
505 /// fork's domain [`Node`](ts_control::Node) does not retain those wire fields. See the
506 /// [`status`](crate::status) module docs for the gap.
507 ///
508 /// Waits until we've received at least one peer update from control.
509 #[message(ctx)]
510 pub fn whois(
511 &mut self,
512 ctx: &mut Context<Self, DelegatedReply<Option<crate::status::WhoIs>>>,
513 addr: std::net::SocketAddr,
514 ) -> DelegatedReply<Option<crate::status::WhoIs>> {
515 let (deleg, sender) = ctx.reply_sender();
516 let Some(sender) = sender else { return deleg };
517
518 if !self.seen_state_update {
519 tracing::debug!(query = %addr, "no peer state seen yet, queueing whois request");
520 self.pending_requests
521 .push(Pending::WhoIs(Whois { addr }, sender));
522 return deleg;
523 }
524
525 sender.send(self.whois_opt(addr));
526
527 deleg
528 }
529
530 /// Subscribe to netmap peer-change events.
531 ///
532 /// Returns a [`watch::Receiver`] whose value is the current set of peer
533 /// [`StatusNode`]s, updated on every netmap state update from control. Embedders can await
534 /// changes via [`watch::Receiver::changed`] to react to peers joining, leaving, or changing.
535 ///
536 /// The receiver's initial value is the peer set at subscription time (empty before the
537 /// first netmap update). This is a peer-only view; combine with the self node from
538 /// [`Runtime::status`](crate::Runtime::status) when a full snapshot is needed.
539 #[message(derive(Clone))]
540 pub fn watch_netmap(&self) -> watch::Receiver<Vec<StatusNode>> {
541 self.peer_watch.subscribe()
542 }
543 }
544}
545
546pub use msg_impl::*;
547
548#[derive(Debug, Clone)]
549pub(crate) struct PeerState {
550 #[allow(unused)]
551 pub deletions: HashSet<PeerId>,
552 #[allow(unused)]
553 pub upserts: HashSet<PeerId>,
554 pub peers: Arc<PeerDb>,
555}
556
557impl Message<Arc<ts_control::StateUpdate>> for PeerTracker {
558 type Reply = ();
559
560 async fn handle(
561 &mut self,
562 msg: Arc<ts_control::StateUpdate>,
563 _ctx: &mut Context<Self, Self::Reply>,
564 ) {
565 // Accumulate user profiles first — control sends them incrementally and a response may
566 // carry profiles with no peer delta (or peers that reference a profile from an earlier
567 // response), so this must happen before the no-peer-update early return below.
568 for profile in &msg.user_profiles {
569 self.user_profiles.insert(profile.id, profile.clone());
570 }
571
572 // Apply the standalone online/last-seen delta maps (channels C/D, `MapResponse.OnlineChange`
573 // / `PeerSeenChange`). These arrive keyed by control node id and may ride a response that
574 // carries NO `peer_update` (a bare online flip is the common case), so they must be applied
575 // *before* the no-peer-update early return — otherwise online status freezes at the last
576 // full-node/patch value. Each entry only ever *sets* a value (never back to unknown).
577 // Wall clock for a `PeerSeenChange: true` (Go uses `clock.Now()`). chrono is built without
578 // its `clock` feature in this workspace, so derive it from `SystemTime` the same way the
579 // control runner / ssh-policy paths do (unix secs → `DateTime::from_timestamp`).
580 let now = std::time::SystemTime::now()
581 .duration_since(std::time::UNIX_EPOCH)
582 .ok()
583 .and_then(|d| chrono::DateTime::from_timestamp(d.as_secs() as i64, d.subsec_nanos()))
584 .unwrap_or_default();
585 let liveness_changed =
586 self.apply_liveness_changes(&msg.online_change, &msg.peer_seen_change, now);
587
588 if msg.peer_update.is_none() && msg.peer_patches.is_empty() {
589 // No peer set or patch this response. If a liveness delta still mutated the netmap,
590 // publish the refreshed snapshot so watchers (and `GetStatus`) see the new online state.
591 if liveness_changed {
592 self.service_pending_requests();
593 self.peer_watch.send_replace(self.status_peers());
594 if let Err(e) = self
595 .env
596 .publish(Arc::new(PeerState {
597 upserts: HashSet::default(),
598 deletions: HashSet::default(),
599 peers: Arc::new(self.peer_db.clone()),
600 }))
601 .await
602 {
603 tracing::error!(error = %e, "publishing liveness-only peer state update");
604 }
605 }
606 return;
607 }
608
609 // Apply the whole-node peer set (if any) FIRST, then the field-level patches on top —
610 // mirroring Go's `controlclient` order (`Peers*` then `PeersChangedPatch`). A response may
611 // carry either, both, or (with a liveness-only delta) neither. Merge the upsert/deletion sets
612 // so the published `PeerState` reflects every node touched by both passes; a node both
613 // upserted by the set and patched stays in `upserts` (the patch removes it from `deletions`).
614 let (mut upserts, mut deletions) = msg
615 .peer_update
616 .as_ref()
617 .map(|u| self.apply_peer_update(u))
618 .unwrap_or_default();
619
620 if !msg.peer_patches.is_empty() {
621 let (patch_upserts, patch_deletions) = self.apply_peer_patches(&msg.peer_patches);
622 // A patch can evict a node the set just upserted (TKA rejection after key rotation), or
623 // re-admit/patch one not in the set — reconcile so each id lands in exactly one set.
624 for id in &patch_upserts {
625 deletions.remove(id);
626 }
627 for id in &patch_deletions {
628 upserts.remove(id);
629 }
630 upserts.extend(patch_upserts);
631 deletions.extend(patch_deletions);
632 }
633
634 tracing::debug!(
635 n_upsert = upserts.len(),
636 n_delete = deletions.len(),
637 peer_count = self.peer_db.peers().len(),
638 "new peer state"
639 );
640
641 self.service_pending_requests();
642
643 // Publish the latest peer snapshot to netmap watchers. `send_replace` keeps the receiver's
644 // value current even when there are no subscribers, so a late subscriber sees fresh state.
645 self.peer_watch.send_replace(self.status_peers());
646
647 if let Err(e) = self
648 .env
649 .publish(Arc::new(PeerState {
650 upserts,
651 deletions,
652 peers: Arc::new(self.peer_db.clone()),
653 }))
654 .await
655 {
656 tracing::error!(error = %e, "publishing peer state update");
657 }
658 }
659}
660
661/// Ask the peer tracker to re-broadcast its current peer snapshot on the bus, without any peer
662/// change. Sent after a runtime preference change so the route updater and source filter (both
663/// `Arc<PeerState>` subscribers) re-resolve against the new value immediately, rather than waiting
664/// for the next netmap update: `Device::set_exit_node` (new exit-node selector) and
665/// `Device::set_accept_routes` (new accept-routes flag) both send it.
666#[derive(Debug, Clone, Copy)]
667pub struct RepublishState;
668
669impl Message<RepublishState> for PeerTracker {
670 type Reply = ();
671
672 async fn handle(&mut self, _msg: RepublishState, _ctx: &mut Context<Self, Self::Reply>) {
673 // An empty upsert/deletion set: this is a re-broadcast of the unchanged peer set, not a
674 // delta. Subscribers recompute their routes/filters against the current peers and the
675 // (just-updated) runtime preferences (exit-node selector, accept-routes flag).
676 if let Err(e) = self
677 .env
678 .publish(Arc::new(PeerState {
679 upserts: HashSet::default(),
680 deletions: HashSet::default(),
681 peers: Arc::new(self.peer_db.clone()),
682 }))
683 .await
684 {
685 tracing::error!(error = %e, "re-publishing peer state after a runtime preference change");
686 }
687 }
688}
689
690impl PeerTracker {
691 /// Apply a single [`PeerUpdate`](ts_control::PeerUpdate) to the peer db, enforcing the
692 /// Tailnet-Lock peer-trust chokepoint ([`tka_admits`](Self::tka_admits)) at every upsert site.
693 ///
694 /// This is the **single source of truth** for the peer-trust enforcement loop: the actor's
695 /// netmap [`handle`](Message::handle) calls it, and so do the TKA enforcement tests, so the two
696 /// real upsert sites (`Full` and `Delta { upsert }`) cannot diverge from what is tested.
697 ///
698 /// Returns `(upserts, deletions)` — the [`PeerId`]s touched — for downstream bookkeeping.
699 fn apply_peer_update(
700 &mut self,
701 peer_update: &ts_control::PeerUpdate,
702 ) -> (HashSet<PeerId>, HashSet<PeerId>) {
703 let mut upserts = HashSet::default();
704 let mut deletions = HashSet::default();
705
706 match peer_update {
707 ts_control::PeerUpdate::Full(new_nodes) => {
708 tracing::trace!("full peer update");
709
710 // Borrow the authority ONCE for the whole batch and verify each peer EXACTLY once
711 // (Go runs `tkaFilterNetmapLocked` once over the assembled netmap; an earlier draft
712 // verified every peer twice — once for `retained_ids`, once in the upsert loop —
713 // doubling the ed25519 cost on the hot resync path). The per-node verdict vector
714 // `admits` is computed once and drives both the `retain` (evict revoked peers, keyed
715 // by stable_id) and the upsert loop (skip rejected peers, by the node's OWN verdict).
716 // Keeping a per-node verdict (not just a stable_id set) means a node whose own
717 // signature fails is never admitted on the strength of a different node that happens
718 // to share its stable_id — matching the old per-node re-verify for that degenerate
719 // (malformed-control) input.
720 //
721 // Revocation evicts: a peer re-included with a now-invalid/missing signature under an
722 // active authority fails its verdict, so it is excluded from `retained_ids` and
723 // `retain` drops the stale (previously-admitted) entry. With no authority the snapshot
724 // is `None`, so every node passes — byte-for-byte the pre-TKA behavior (no regression).
725 let authority = self.tka_authority_snapshot();
726 let verdicts = new_nodes
727 .iter()
728 .map(|node| Self::tka_snapshot_admits(authority.as_deref(), node))
729 .collect::<Vec<_>>();
730
731 // Cross-peer rotation filter (Go `rotationTracker`): from the SAME verify pass above,
732 // feed every admitted, rotation-signed peer's details to the tracker, then drop any
733 // peer presenting a node key a newer rotation has superseded (or a tied clone). This
734 // is whole-netmap by nature — one peer's chain obsoletes another's key — so it lives
735 // here, not in the per-peer verdict, matching Go's single pass over `nm.Peers`.
736 let mut rotation = RotationTracker::default();
737 for (node, verdict) in new_nodes.iter().zip(&verdicts) {
738 if verdict.admitted
739 && let Some(details) = &verdict.rotation
740 {
741 rotation.add(node.node_key.to_bytes().to_vec(), details);
742 }
743 }
744 let obsolete = rotation.obsolete_keys();
745
746 // Final per-node keep verdict: admitted by the per-peer check AND not rotation-obsolete.
747 // Drives both the `retain` (evict) and the upsert loop, so a node whose own signature
748 // fails — or whose key was rotated away — is never admitted on the strength of a
749 // stable_id twin.
750 let keep = new_nodes
751 .iter()
752 .zip(&verdicts)
753 .map(|(node, v)| {
754 // `contains` takes `&[u8]` (HashSet<Vec<u8>> borrows as a slice) — no alloc.
755 v.admitted && !obsolete.contains(&node.node_key.to_bytes()[..])
756 })
757 .collect::<Vec<bool>>();
758
759 // `retained_ids` is the set of stable_ids that survive (drives `retain` to evict the
760 // rest). It must agree with what the upsert loop below will leave in the db. Control
761 // should never send two distinct nodes with the same `stable_id` in one `Full`, but if
762 // it does, `peer_db.upsert` is last-writer-wins on `stable_id`, so the db ends holding
763 // the LAST kept node for that id. Build `retained_ids` from kept nodes only — a
764 // stable_id is retained iff at least one of its (possibly duplicate) nodes is kept, so
765 // the upsert loop's last-kept node lands and `retain` never evicts a just-upserted id.
766 let retained_ids = new_nodes
767 .iter()
768 .zip(keep.iter().copied())
769 .filter(|(_, k)| *k)
770 .map(|(node, _)| &node.stable_id)
771 .collect::<HashSet<_>>();
772
773 // Isolation diagnostic: an ACTIVE lock that authorized none of the offered peers
774 // leaves this node with no peers — surface it loudly so a self-lockout (vs an attack)
775 // is diagnosable. `authority.is_some()` means a real keyed lock (the empty-keyset
776 // brick-guard admits-all, so it never reaches here with zero retained).
777 if authority.is_some() && !new_nodes.is_empty() && retained_ids.is_empty() {
778 tracing::error!(
779 offered = new_nodes.len(),
780 "TKA: active lock authorized ZERO of the offered peers; node is isolated \
781 (verify the lock state, or disable tailnet lock to recover)"
782 );
783 }
784
785 self.peer_db.retain(|id, peer| {
786 let retain = retained_ids.contains(&peer.stable_id);
787
788 if !retain {
789 deletions.insert(id);
790 }
791
792 retain
793 });
794
795 for (node, k) in new_nodes.iter().zip(keep.iter().copied()) {
796 if !k {
797 continue; // fail-CLOSED: rejected by tailnet lock or rotation-obsolete (above)
798 }
799 let peer_id = self.peer_db.upsert(node);
800 upserts.insert(peer_id);
801 }
802 }
803
804 ts_control::PeerUpdate::Delta { remove, upsert } => {
805 tracing::trace!("delta peer update");
806
807 for peer in upsert {
808 if !self.tka_admits(peer) {
809 // fail-CLOSED: do not upsert a peer rejected by tailnet lock. If the peer is
810 // ALREADY in the db (a delta re-upserting an existing peer whose signature is
811 // now invalid — e.g. revoked between syncs), evict the stale entry rather than
812 // leaving an unverified peer admitted; Go re-filters the whole netmap each map
813 // response, so a now-unsigned peer would not survive there either.
814 if let Some((id, _)) = self.peer_db.remove(&peer.stable_id) {
815 tracing::warn!(
816 stable_id = ?peer.stable_id,
817 "TKA: delta re-upsert rejected; evicting now-unauthorized peer"
818 );
819 deletions.insert(id);
820 }
821 continue;
822 }
823 let id = self.peer_db.upsert(peer);
824
825 upserts.insert(id);
826 }
827
828 for peer in remove {
829 let Some((id, _node)) = self.peer_db.remove(peer) else {
830 // A benign, expected race: the peer may already be gone (dropped in a prior
831 // `Full`, or fail-closed by TKA — whose now-"unknown" ids commonly reappear in
832 // a trailing `peers_removed`). Go treats an unknown removal as a no-op; log at
833 // debug, not error, to avoid false-alarm noise on a healthy node (matches the
834 // unknown-node handling in `apply_peer_patches`).
835 tracing::debug!(
836 control_node_id = peer,
837 "removed peer was unknown; ignoring"
838 );
839 continue;
840 };
841
842 deletions.insert(id);
843 }
844 }
845 }
846
847 (upserts, deletions)
848 }
849
850 /// Apply field-level peer patches (`MapResponse.PeersChangedPatch`), returning the upserted /
851 /// deleted [`PeerId`]s.
852 ///
853 /// This is a SEPARATE channel from [`apply_peer_update`](Self::apply_peer_update): Go's
854 /// `controlclient` applies the whole-node `Peers*` set first and then `PeersChangedPatch`, so a
855 /// response that carries both has the peer set applied first (by the caller) and these patches
856 /// applied second, on top of the freshly-synced nodes. A patch only mutates a peer already in the
857 /// netmap; an unknown node id is ignored (the wire contract — a patch never creates a node).
858 fn apply_peer_patches(
859 &mut self,
860 patches: &[ts_control::PeerChange],
861 ) -> (HashSet<PeerId>, HashSet<PeerId>) {
862 let mut upserts = HashSet::default();
863 let mut deletions = HashSet::default();
864
865 tracing::trace!(n = patches.len(), "peer patch update");
866
867 for patch in patches {
868 // Clone the current node, apply the present fields, and re-upsert through the same path
869 // as a delta so indexes/routes stay consistent.
870 let Some((_id, existing)) = self.peer_db.get(&patch.id) else {
871 tracing::debug!(
872 control_node_id = patch.id,
873 "peer patch for unknown node; ignoring"
874 );
875 continue;
876 };
877
878 let mut node = existing.clone();
879 if let Some(endpoints) = &patch.underlay_addresses {
880 node.underlay_addresses = endpoints.clone();
881 }
882 if let Some(derp) = patch.derp_region {
883 node.derp_region = Some(derp);
884 }
885 if let Some(cap) = patch.cap {
886 node.cap = cap;
887 }
888 if let Some(cap_map) = &patch.cap_map {
889 node.cap_map = cap_map.clone();
890 }
891 if let Some(disco_key) = patch.disco_key {
892 node.disco_key = Some(disco_key);
893 }
894 if let Some(expiry) = patch.node_key_expiry {
895 node.node_key_expiry = Some(expiry);
896 }
897 // Online/last-seen liveness deltas (`PeerChange.Online`/`LastSeen`) — the dominant
898 // channel by which peer online transitions arrive mid-session. A patch only ever *sets*
899 // a value (never patches back to unknown), so apply when present.
900 if let Some(online) = patch.online {
901 node.online = Some(online);
902 }
903 if let Some(last_seen) = patch.last_seen {
904 node.last_seen = Some(last_seen);
905 }
906 // Key rotation: a patch may swap the node key (and its TKA signature). Apply both
907 // together so the trust gate below verifies the new signature against the new key, never
908 // a mismatched pair.
909 if let Some(node_key) = patch.node_key {
910 node.node_key = node_key;
911 }
912 if let Some(sig) = &patch.key_signature {
913 node.key_signature = sig.clone();
914 }
915
916 // Re-run the tailnet-lock gate on the patched node: a patch that rotates the key must
917 // satisfy the active authority, exactly like a `Delta` upsert, or it would be a
918 // trust-enforcement bypass. fail-CLOSED — if the patched node is no longer admitted,
919 // evict it rather than keep the stale (now-unverified) entry.
920 if !self.tka_admits(&node) {
921 if let Some((id, _)) = self.peer_db.remove(&patch.id) {
922 tracing::warn!(
923 control_node_id = patch.id,
924 "peer patch rejected by tailnet lock; evicting peer"
925 );
926 deletions.insert(id);
927 }
928 continue;
929 }
930
931 let id = self.peer_db.upsert(&node);
932 upserts.insert(id);
933 }
934
935 (upserts, deletions)
936 }
937
938 /// Apply the standalone online/last-seen delta maps (`MapResponse.OnlineChange` /
939 /// `PeerSeenChange`, channels C/D) onto the retained netmap. Returns `true` if any node was
940 /// actually mutated (so the caller knows whether to re-publish).
941 ///
942 /// Mirrors Go `controlclient/map.go:updatePeersStateFromResponse` (the two channels are
943 /// semantically DISTINCT and must not be conflated):
944 /// - `OnlineChange` (channel C) is the sole driver of a peer's `online` flag (`mut.Online = v`).
945 /// - `PeerSeenChange` (channel D) is the sole driver of `last_seen`: `true ⇒ LastSeen = now`,
946 /// `false ⇒ LastSeen = nil` (cleared). It NEVER touches `online` — "not seen recently" is not
947 /// the same as "offline", which only `OnlineChange` asserts.
948 ///
949 /// Each entry is keyed by control node id and applies to a peer already in the netmap; an unknown
950 /// node id is ignored (these maps never create a node). `now` is the wall-clock timestamp for a
951 /// `PeerSeenChange: true` (Go uses `clock.Now()`); the caller passes it so this stays a pure
952 /// function of its inputs. Returns `true` if any node was actually mutated.
953 fn apply_liveness_changes(
954 &mut self,
955 online_change: &std::collections::BTreeMap<ts_control::NodeId, bool>,
956 peer_seen_change: &std::collections::BTreeMap<ts_control::NodeId, bool>,
957 now: chrono::DateTime<chrono::Utc>,
958 ) -> bool {
959 let mut changed = false;
960
961 // Channel C — direct online flips (the only writer of `online`).
962 for (&node_id, &online) in online_change {
963 if let Some((_pid, existing)) = self.peer_db.get(&node_id)
964 && existing.online != Some(online)
965 {
966 let mut node = existing.clone();
967 node.online = Some(online);
968 self.peer_db.upsert(&node);
969 changed = true;
970 }
971 }
972
973 // Channel D — peer-seen flips (the only writer of `last_seen`; never touches `online`).
974 // `true` ⇒ last-seen is now; `false` ⇒ last-seen cleared (Go map.go:820-830).
975 for (&node_id, &seen) in peer_seen_change {
976 let new_last_seen = if seen { Some(now) } else { None };
977 if let Some((_pid, existing)) = self.peer_db.get(&node_id)
978 && existing.last_seen != new_last_seen
979 {
980 let mut node = existing.clone();
981 node.last_seen = new_last_seen;
982 self.peer_db.upsert(&node);
983 changed = true;
984 }
985 }
986
987 changed
988 }
989
990 /// Test-only constructor: build a [`PeerTracker`] with a chosen initial TKA authority without
991 /// going through the actor `on_start` path. Returns the tracker plus the **`watch::Sender`** for
992 /// its enforcement-authority cell, so a test can drive the exact enable/disable transitions the
993 /// control runner drives at runtime (`tx.send_replace(Some(..))` ⇒ enforce, `tx.send_replace(None)`
994 /// ⇒ clear). The initial `Some` exercises the fail-closed chokepoint
995 /// ([`tka_admits`](Self::tka_admits)); `None` is the no-lock admit-all path. The returned sender
996 /// must be kept alive for the tracker to read updated values.
997 #[cfg(test)]
998 fn for_test(
999 env: Env,
1000 tka_authority: Option<ts_tka::Authority>,
1001 ) -> (Self, watch::Sender<Option<Arc<ts_tka::Authority>>>) {
1002 let (peer_watch, _) = watch::channel(Vec::new());
1003 let (tka_tx, tka_rx) = watch::channel(tka_authority.map(Arc::new));
1004 let tracker = Self {
1005 peer_db: PeerDb::default(),
1006 seen_state_update: false,
1007 pending_requests: Vec::new(),
1008 peer_watch,
1009 user_profiles: HashMap::new(),
1010 tka_authority: tka_rx,
1011 env,
1012 };
1013 (tracker, tka_tx)
1014 }
1015
1016 fn service_pending_requests(&mut self) {
1017 if self.seen_state_update {
1018 return;
1019 }
1020
1021 self.seen_state_update = true;
1022
1023 if !self.pending_requests.is_empty() {
1024 tracing::debug!(
1025 n_pending = self.pending_requests.len(),
1026 "state update received, servicing pending requests"
1027 );
1028 }
1029
1030 for req in core::mem::take(&mut self.pending_requests) {
1031 match req {
1032 Pending::PeerByName(PeerByName { name }, reply) => {
1033 reply.send(self.peer_by_name_opt(&name).cloned());
1034 }
1035 Pending::TailnetIp(PeerByTailnetIp { ip }, reply) => {
1036 reply.send(self.peer_by_tailnet_ip_opt(ip).cloned());
1037 }
1038 Pending::AcceptedRoute(PeerByAcceptedRoute { ip }, reply) => {
1039 reply.send(
1040 self.peer_db
1041 .get_route(ip.into())
1042 .map(|(_id, node)| node.clone())
1043 .collect(),
1044 );
1045 }
1046 Pending::Status(reply) => {
1047 reply.send(self.status_peers_with_ids());
1048 }
1049 Pending::WhoIs(Whois { addr }, reply) => {
1050 reply.send(self.whois_opt(addr));
1051 }
1052 }
1053 }
1054 }
1055}
1056
1057#[cfg(test)]
1058mod tka_tests {
1059 //! Tailnet-Lock (TKA) enforcement tests for the peer-trust chokepoint.
1060 //!
1061 //! These exercise [`PeerTracker::tka_admits`] and the `tka_admits ⇒ upsert` loop the netmap
1062 //! handler runs. The test [`ts_tka::Authority`] is built with [`ts_tka::Authority::from_state`]
1063 //! over a known Ed25519 trusted key, and the signed node-key signature CBOR is produced through
1064 //! `ts_tka`'s public `cbor` encoder + `aum_hash` (the exact same canonical bytes `ts_tka`'s own
1065 //! `direct_signature_verifies_end_to_end` test signs, with no new crypto vectors invented and no
1066 //! private `ts_tka` API used).
1067
1068 use ed25519_dalek::{Signer, SigningKey};
1069 use ts_control::{Node, StableNodeId, TailnetAddress};
1070 use ts_tka::{
1071 AumHash, Authority, Key, KeyKind, State,
1072 cbor::{self, Value},
1073 };
1074
1075 use super::*;
1076
1077 /// `SigKind::Direct` wire value (Go `SigKind`; `ts_tka::SigKind::Direct = 1`).
1078 const SIG_KIND_DIRECT: u64 = 1;
1079
1080 /// The 32-byte node key used across the signed-peer fixtures.
1081 const NODE_KEY_BYTES: [u8; 32] = [7u8; 32];
1082
1083 /// Build a real [`Env`] for the tracker. Only the bus/keys/shutdown plumbing matters here; the
1084 /// TKA gate reads neither, so the forwarding preferences are all benign defaults.
1085 fn test_env() -> Env {
1086 let (_shutdown_tx, shutdown_rx) = watch::channel(false);
1087 Env::new(
1088 ts_keys::NodeState::generate(),
1089 shutdown_rx,
1090 crate::env::ForwarderConfig {
1091 accept_routes: false,
1092 accept_dns: true,
1093 exit_node: None,
1094 forward_routes: Vec::new(),
1095 forward_tcp_ports: Vec::new(),
1096 forward_udp_ports: Vec::new(),
1097 forward_all_ports: false,
1098 forward_exit_egress: false,
1099 block_incoming: false,
1100 exit_proxy: None,
1101 peerapi_port: None,
1102 taildrop_dir: None,
1103 enable_ipv6: false,
1104 persistent_keepalive_interval: None,
1105 ingress_active: std::sync::Arc::new(std::sync::atomic::AtomicBool::new(false)),
1106 },
1107 )
1108 }
1109
1110 /// A minimal peer [`Node`] carrying `node_key` and the given `key_signature`.
1111 fn peer_node(stable_id: &str, node_key: [u8; 32], key_signature: Vec<u8>) -> Node {
1112 Node {
1113 id: 1,
1114 stable_id: StableNodeId(stable_id.to_string()),
1115 hostname: stable_id.to_string(),
1116 user_id: 0,
1117 tailnet: Some("ts.net".to_string()),
1118 tags: Vec::new(),
1119 tailnet_address: TailnetAddress {
1120 ipv4: "100.64.0.1/32".parse().unwrap(),
1121 ipv6: "fd7a:115c:a1e0::1/128".parse().unwrap(),
1122 },
1123 node_key: node_key.into(),
1124 node_key_expiry: None,
1125 online: None,
1126 last_seen: None,
1127 key_signature,
1128 machine_key: None,
1129 disco_key: None,
1130 accepted_routes: Vec::new(),
1131 underlay_addresses: Vec::new(),
1132 derp_region: None,
1133 cap: Default::default(),
1134 cap_map: Default::default(),
1135 peerapi_port: None,
1136 peerapi_dns_proxy: false,
1137 is_wireguard_only: false,
1138 exit_node_dns_resolvers: Vec::new(),
1139 peer_relay: false,
1140 service_vips: Default::default(),
1141 }
1142 }
1143
1144 /// Encode a `Direct` [`ts_tka::NodeKeySignature`] CBOR exactly as `ts_tka`'s private `to_cbor`
1145 /// does (int-map keys: 1=kind, 2=pubkey, 3=key_id, 4=signature; empty byte fields omitted),
1146 /// using only the crate's *public* `cbor` encoder. `signature` of `None` produces the
1147 /// signing-digest preimage (the `SigHash` form).
1148 fn direct_sig_cbor(node_key: &[u8], key_id: &[u8], signature: Option<&[u8]>) -> Vec<u8> {
1149 let mut pairs = alloc_pairs(node_key, key_id);
1150 if let Some(sig) = signature {
1151 pairs.push((4, Some(Value::Bytes(sig.to_vec()))));
1152 }
1153 cbor::int_map(pairs).to_vec()
1154 }
1155
1156 fn alloc_pairs(node_key: &[u8], key_id: &[u8]) -> Vec<(u64, Option<Value>)> {
1157 vec![
1158 (1, Some(Value::Uint(SIG_KIND_DIRECT))),
1159 (2, Some(Value::Bytes(node_key.to_vec()))),
1160 (3, Some(Value::Bytes(key_id.to_vec()))),
1161 ]
1162 }
1163
1164 /// Build a TKA [`Authority`] that trusts `signing.verifying_key()`, plus a valid `Direct`
1165 /// node-key signature CBOR authorizing [`NODE_KEY_BYTES`] under it.
1166 fn authority_and_valid_sig() -> (Authority, Vec<u8>) {
1167 // A fixed, known Ed25519 trusted key (mirrors ts_tka's own end-to-end test seed).
1168 let signing = SigningKey::from_bytes(&[42u8; 32]);
1169 let trusted_pub = signing.verifying_key().to_bytes().to_vec();
1170
1171 let authority = Authority::from_state(
1172 AumHash([0; 32]),
1173 State {
1174 keys: vec![Key {
1175 kind: KeyKind::Ed25519,
1176 votes: 1,
1177 public: trusted_pub.clone(),
1178 }],
1179 },
1180 );
1181
1182 // SigHash preimage = canonical CBOR with the signature field omitted; sign its blake2s hash.
1183 let preimage = direct_sig_cbor(&NODE_KEY_BYTES, &trusted_pub, None);
1184 let sig_hash = ts_tka::aum_hash(&preimage).0;
1185 let signature = signing.sign(&sig_hash).to_bytes().to_vec();
1186
1187 let signed_cbor = direct_sig_cbor(&NODE_KEY_BYTES, &trusted_pub, Some(&signature));
1188 // Sanity: the authority accepts the signature we just built (same path the gate uses).
1189 assert!(
1190 authority
1191 .node_key_authorized(&NODE_KEY_BYTES, &signed_cbor)
1192 .is_ok()
1193 );
1194
1195 (authority, signed_cbor)
1196 }
1197
1198 #[tokio::test]
1199 async fn tka_inactive_upserts_all_peers() {
1200 // No authority ⇒ enforcement inactive ⇒ both a signed and an unsigned peer are admitted.
1201 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1202
1203 let signed = peer_node("signed", [1u8; 32], vec![0xde, 0xad, 0xbe, 0xef]);
1204 let unsigned = peer_node("unsigned", [2u8; 32], vec![]);
1205
1206 assert!(tracker.tka_admits(&signed));
1207 assert!(tracker.tka_admits(&unsigned));
1208
1209 tracker.peer_db.upsert(&signed);
1210 tracker.peer_db.upsert(&unsigned);
1211 assert_eq!(tracker.peer_db.peers().len(), 2);
1212 }
1213
1214 #[tokio::test]
1215 async fn tka_active_rejects_unsigned_peer() {
1216 // Authority present + peer presents no signature ⇒ rejected (fail-closed), not in peer_db.
1217 let (authority, _sig) = authority_and_valid_sig();
1218 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1219
1220 let unsigned = peer_node("unsigned", NODE_KEY_BYTES, vec![]);
1221 assert!(!tracker.tka_admits(&unsigned));
1222
1223 // Mirror the handler's `if !tka_admits { continue }` loop.
1224 if tracker.tka_admits(&unsigned) {
1225 tracker.peer_db.upsert(&unsigned);
1226 }
1227 assert_eq!(tracker.peer_db.peers().len(), 0);
1228 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1229 }
1230
1231 #[tokio::test]
1232 async fn tka_active_rejects_bad_signature() {
1233 // Authority present + a signature that fails to verify ⇒ rejected, not in peer_db.
1234 let (authority, mut sig) = authority_and_valid_sig();
1235 // Tamper the last byte (the trailing signature byte) so verification fails.
1236 let last = sig.len() - 1;
1237 sig[last] ^= 0xff;
1238
1239 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1240 let bad = peer_node("bad", NODE_KEY_BYTES, sig);
1241 assert!(!tracker.tka_admits(&bad));
1242
1243 if tracker.tka_admits(&bad) {
1244 tracker.peer_db.upsert(&bad);
1245 }
1246 assert_eq!(tracker.peer_db.peers().len(), 0);
1247 }
1248
1249 #[tokio::test]
1250 async fn tka_active_admits_authorized_peer() {
1251 // Authority present + correctly-signed node key ⇒ admitted and upserted.
1252 let (authority, sig) = authority_and_valid_sig();
1253 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1254
1255 let good = peer_node("good", NODE_KEY_BYTES, sig);
1256 assert!(tracker.tka_admits(&good));
1257
1258 if tracker.tka_admits(&good) {
1259 tracker.peer_db.upsert(&good);
1260 }
1261 assert_eq!(tracker.peer_db.peers().len(), 1);
1262 assert!(tracker.peer_db.get(&good.node_key).is_some());
1263 }
1264
1265 // ---------------------------------------------------------------------------------------------
1266 // Tests that drive REAL `PeerUpdate`s through the shared handler body
1267 // ([`PeerTracker::apply_peer_update`], the single source of truth the actor's netmap `handle`
1268 // also calls), so the two real upsert sites (`Full` and `Delta { upsert }`) are exercised via
1269 // the actual enforcement path — not by hand-mirroring `if !tka_admits { continue }`.
1270 // ---------------------------------------------------------------------------------------------
1271
1272 #[tokio::test]
1273 async fn tka_active_delta_upsert_rejects_unauthorized() {
1274 // Drive a real `Delta { upsert }` whose peer carries no signature. The Delta upsert site
1275 // must reject it under an active authority ⇒ not present in peer_db after the handler runs.
1276 let (authority, _sig) = authority_and_valid_sig();
1277 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1278
1279 let unsigned = peer_node("unsigned", NODE_KEY_BYTES, vec![]);
1280 let update = ts_control::PeerUpdate::Delta {
1281 upsert: vec![unsigned.clone()],
1282 remove: Vec::new(),
1283 };
1284
1285 tracker.apply_peer_update(&update);
1286
1287 assert_eq!(tracker.peer_db.peers().len(), 0);
1288 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1289 }
1290
1291 #[tokio::test]
1292 async fn tka_active_delta_upsert_admits_authorized() {
1293 // Drive a real `Delta { upsert }` with a correctly-signed peer ⇒ present in peer_db.
1294 let (authority, sig) = authority_and_valid_sig();
1295 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1296
1297 let good = peer_node("good", NODE_KEY_BYTES, sig);
1298 let update = ts_control::PeerUpdate::Delta {
1299 upsert: vec![good.clone()],
1300 remove: Vec::new(),
1301 };
1302
1303 tracker.apply_peer_update(&update);
1304
1305 assert_eq!(tracker.peer_db.peers().len(), 1);
1306 assert!(tracker.peer_db.get(&good.node_key).is_some());
1307 }
1308
1309 #[tokio::test]
1310 async fn tka_active_full_admits_only_authorized_in_mixed_batch() {
1311 // Drive a real `Full` carrying a MIX of authorized + unauthorized peers. Only the
1312 // correctly-signed peer survives the Full upsert site; the unsigned and bad-sig peers are
1313 // dropped fail-closed.
1314 let (authority, sig) = authority_and_valid_sig();
1315 // A bad-sig variant of the same authorized signature (tamper the trailing byte).
1316 let mut bad_sig = sig.clone();
1317 let last = bad_sig.len() - 1;
1318 bad_sig[last] ^= 0xff;
1319
1320 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1321
1322 // Only the authorized peer carries NODE_KEY_BYTES (the key the authority signed); the
1323 // rejected peers use distinct node keys so the survivor is unambiguous.
1324 let good = peer_node("good", NODE_KEY_BYTES, sig);
1325 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1326 let bad = peer_node("bad", [9u8; 32], bad_sig);
1327
1328 let update =
1329 ts_control::PeerUpdate::Full(vec![good.clone(), unsigned.clone(), bad.clone()]);
1330
1331 tracker.apply_peer_update(&update);
1332
1333 assert_eq!(tracker.peer_db.peers().len(), 1);
1334 assert!(tracker.peer_db.get(&good.node_key).is_some());
1335 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1336 assert!(tracker.peer_db.get(&bad.node_key).is_none());
1337 }
1338
1339 /// End-to-end through the REAL enforcement-authority transport (the `watch` cell the control
1340 /// runner writes), not a direct field poke: writing `Some(authority)` flips enforcement on so a
1341 /// mixed batch drops the unsigned/bad peers, and a subsequent `None` (lock disabled) clears
1342 /// enforcement so a peer DROPPED while enforced is re-admitted. Exercises the exact `borrow`-based
1343 /// read path `tka_admits` uses — a broken receiver wiring would pass every for_test-field test but
1344 /// fail here.
1345 #[tokio::test]
1346 async fn tka_authority_watch_enables_then_clears_enforcement() {
1347 let (authority, sig) = authority_and_valid_sig();
1348 let mut bad_sig = sig.clone();
1349 let last = bad_sig.len() - 1;
1350 bad_sig[last] ^= 0xff;
1351
1352 let (mut tracker, tka_tx) = PeerTracker::for_test(test_env(), None);
1353
1354 // 1) No authority yet ⇒ admit-all (Go b.tka == nil).
1355 let good = peer_node("good", NODE_KEY_BYTES, sig.clone());
1356 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1357 let bad = peer_node("bad", [9u8; 32], bad_sig);
1358 let batch = ts_control::PeerUpdate::Full(vec![good.clone(), unsigned.clone(), bad.clone()]);
1359 tracker.apply_peer_update(&batch);
1360 assert_eq!(tracker.peer_db.peers().len(), 3, "no lock ⇒ admit all");
1361
1362 // 2) Publish the verified authority over the watch cell (exactly what the control runner does
1363 // on a successful sync) ⇒ enforcement ON. A re-applied Full now drops unsigned + bad.
1364 tka_tx.send_replace(Some(Arc::new(authority)));
1365 tracker.apply_peer_update(&batch);
1366 assert_eq!(
1367 tracker.peer_db.peers().len(),
1368 1,
1369 "lock active ⇒ only the signed peer survives"
1370 );
1371 assert!(tracker.peer_db.get(&good.node_key).is_some());
1372 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1373 assert!(tracker.peer_db.get(&bad.node_key).is_none());
1374
1375 // 3) Lock disabled (None) ⇒ enforcement cleared ⇒ a peer that was DROPPED while enforced is
1376 // re-admitted by a fresh netmap. Assert the specific previously-dropped key returns (not
1377 // merely a count), so this proves the drop→clear→re-admit transition, not "admit-all-fresh".
1378 tka_tx.send_replace(None);
1379 tracker.apply_peer_update(&batch);
1380 assert_eq!(
1381 tracker.peer_db.peers().len(),
1382 3,
1383 "lock disabled ⇒ admit all again"
1384 );
1385 assert!(
1386 tracker.peer_db.get(&unsigned.node_key).is_some(),
1387 "the peer dropped under enforcement must come back once the lock is cleared"
1388 );
1389 assert!(tracker.peer_db.get(&bad.node_key).is_some());
1390 }
1391
1392 /// Degenerate input: two DISTINCT nodes sharing one `stable_id` in a single `Full`, one with a
1393 /// valid signature and one unsigned, under an active lock. Each node is judged by its OWN verdict
1394 /// (the per-node `admits` vector), so the unsigned node is never admitted on the strength of its
1395 /// signed twin. The single-verify `Full` refactor keeps this per-node semantics (a stable_id-set
1396 /// alone would have admitted whichever node was upserted last). Malformed control input; asserted
1397 /// only to lock the verdict-per-node behavior against regression.
1398 #[tokio::test]
1399 async fn tka_full_duplicate_stable_id_judges_each_node_on_its_own_signature() {
1400 let (authority, sig) = authority_and_valid_sig();
1401 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1402
1403 // Both carry stable_id "dup"; the signed one authorizes NODE_KEY_BYTES, the other is unsigned
1404 // and uses a different node key. Order them unsigned-last so a last-writer-wins stable_id set
1405 // would (wrongly) leave the unsigned node's key in the db.
1406 let signed = peer_node("dup", NODE_KEY_BYTES, sig);
1407 let unsigned = peer_node("dup", [8u8; 32], vec![]);
1408 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1409 signed.clone(),
1410 unsigned.clone(),
1411 ]));
1412
1413 // The unsigned node's own verdict failed, so its key must NOT be present, regardless of the
1414 // shared stable_id. (The signed twin retained the stable_id; the db holds the signed key.)
1415 assert!(
1416 tracker.peer_db.get(&unsigned.node_key).is_none(),
1417 "a node whose own signature fails must not be admitted via a stable_id twin"
1418 );
1419 assert!(tracker.peer_db.get(&signed.node_key).is_some());
1420 }
1421
1422 /// Full-path consistency under two KEPT nodes sharing a `stable_id`: `peer_db.upsert` is
1423 /// last-writer-wins on `stable_id`, so the db ends holding exactly one node for that id (the last
1424 /// kept), and `retain` never evicts that just-upserted id (`retained_ids` contains the shared id
1425 /// because at least one of its nodes was kept). No lock here, so both nodes are "kept". This pins
1426 /// the published-state invariant the whole-surface audit flagged: `retain` and the upsert loop
1427 /// agree on the surviving stable_id. Malformed control input; asserted for robustness.
1428 #[tokio::test]
1429 async fn tka_full_duplicate_stable_id_both_kept_is_consistent() {
1430 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1431 let first = peer_node("dup", [1u8; 32], vec![]);
1432 let last = peer_node("dup", [2u8; 32], vec![]);
1433 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1434 first.clone(),
1435 last.clone(),
1436 ]));
1437
1438 // Exactly one db entry for the shared stable_id, holding the LAST node (upsert is
1439 // last-writer-wins on stable_id); the first node's key was transparently superseded.
1440 assert_eq!(
1441 tracker.peer_db.peers().len(),
1442 1,
1443 "one entry for the shared stable_id"
1444 );
1445 assert!(
1446 tracker.peer_db.get(&last.node_key).is_some(),
1447 "the db holds the last-upserted node for the shared id"
1448 );
1449 assert!(
1450 tracker.peer_db.get(&first.node_key).is_none(),
1451 "the first node's key was superseded by the last at the shared id"
1452 );
1453 }
1454
1455 /// A peer admitted in one `Full`, then in a later `Full` presenting a key that a co-resident
1456 /// peer's rotation chain has rotated away, is EVICTED — the cross-peer rotation filter applies on
1457 /// every resync, not only at first admission. Exercises the rotation filter through two
1458 /// sequential `Full` updates with real signing.
1459 #[tokio::test]
1460 async fn tka_full_rotation_obsolete_evicts_on_resync() {
1461 use ed25519_dalek::SigningKey;
1462 use ts_tka::NodeKeySignature;
1463
1464 let trusted = SigningKey::from_bytes(&[42u8; 32]);
1465 let trusted_pub = trusted.verifying_key().to_bytes().to_vec();
1466 let authority = Authority::from_state(
1467 AumHash([0; 32]),
1468 State {
1469 keys: vec![Key {
1470 kind: KeyKind::Ed25519,
1471 votes: 1,
1472 public: trusted_pub.clone(),
1473 }],
1474 },
1475 );
1476 let pivot = SigningKey::from_bytes(&[9u8; 32]);
1477 let pivot_pub: [u8; 32] = pivot.verifying_key().to_bytes();
1478
1479 // First Full: the soon-to-be-stale peer presents the pivot key with a valid Direct sig.
1480 let stale_sig = NodeKeySignature::sign_direct(&pivot_pub, &trusted).serialize();
1481 let stale_peer = peer_node("stale", pivot_pub, stale_sig);
1482 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1483 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![stale_peer.clone()]));
1484 assert!(
1485 tracker.peer_db.get(&stale_peer.node_key).is_some(),
1486 "the stale peer is admitted while no rotation has superseded it yet"
1487 );
1488
1489 // Second Full: a freshly-rotated peer (whose chain rotated AWAY the pivot key) joins, and the
1490 // stale peer is re-included. The rotation filter now obsoletes the pivot key ⇒ stale evicted.
1491 let new_key = [4u8; 32];
1492 let new_sig = NodeKeySignature::sign_rotation(&new_key, &trusted, &pivot).serialize();
1493 let new_peer = peer_node("rotated", new_key, new_sig);
1494 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1495 new_peer.clone(),
1496 stale_peer.clone(),
1497 ]));
1498 assert!(
1499 tracker.peer_db.get(&new_peer.node_key).is_some(),
1500 "the freshly-rotated peer is admitted"
1501 );
1502 assert!(
1503 tracker.peer_db.get(&stale_peer.node_key).is_none(),
1504 "the stale peer is EVICTED on the resync once a rotation supersedes its key"
1505 );
1506 }
1507
1508 /// The empty-trusted-key-state brick-guard: an authority with no keys must NOT drop the whole
1509 /// netmap (a `ts_tka` invariant violation / replayer edge). A verified chain always carries ≥1
1510 /// key, so this never weakens a genuine lock — it only prevents a black-hole. Uses ≥2 peers
1511 /// (one signed, one unsigned) to prove it admits **all**, not accidentally just one.
1512 #[tokio::test]
1513 async fn tka_empty_keyset_authority_admits_all() {
1514 use ts_tka::{AumHash, Authority, State};
1515 let empty_auth = Authority::from_state(AumHash([0u8; 32]), State { keys: Vec::new() });
1516 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(empty_auth));
1517 let signed = peer_node("signed", [7u8; 32], vec![0xde, 0xad]);
1518 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1519 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1520 signed.clone(),
1521 unsigned.clone(),
1522 ]));
1523 assert_eq!(
1524 tracker.peer_db.peers().len(),
1525 2,
1526 "an empty-keyset authority must admit ALL peers (brick-guard), not enforce"
1527 );
1528 }
1529
1530 /// Signature-replay / `NodeKeyMismatch`: a structurally-valid signature that authorizes
1531 /// `NODE_KEY_BYTES` must NOT admit a DIFFERENT node key carrying that same signature blob. This is
1532 /// the highest-value bypass — if the sig↔node-key binding in `verify_signature` were dropped, this
1533 /// is the only test that would catch it (the other "bad" peers only flip a byte ⇒ `BadSignature`).
1534 #[tokio::test]
1535 async fn tka_active_rejects_valid_sig_for_wrong_node_key() {
1536 let (authority, sig) = authority_and_valid_sig();
1537 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1538
1539 // The signature authorizes NODE_KEY_BYTES; attach it to an imposter with a different key.
1540 let imposter = peer_node("imposter", [0x55u8; 32], sig);
1541 assert!(
1542 !tracker.tka_admits(&imposter),
1543 "a signature bound to one node key must not authorize a different node key"
1544 );
1545 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![imposter.clone()]));
1546 assert!(tracker.peer_db.get(&imposter.node_key).is_none());
1547 }
1548
1549 /// `UntrustedKey`: a signature produced by a well-formed Ed25519 key that is NOT in the
1550 /// authority's trusted-key state must be rejected — distinct from a tampered-byte `BadSignature`.
1551 #[tokio::test]
1552 async fn tka_active_rejects_sig_from_untrusted_key() {
1553 use ed25519_dalek::{Signer, SigningKey};
1554 let (authority, _sig) = authority_and_valid_sig();
1555 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1556
1557 // Sign a valid CBOR with a DIFFERENT key (not the one the authority trusts). The key_id in
1558 // the signature names this untrusted key, so `get_key` misses ⇒ UntrustedKey.
1559 let rogue = SigningKey::from_bytes(&[99u8; 32]);
1560 let rogue_pub = rogue.verifying_key().to_bytes().to_vec();
1561 let preimage = direct_sig_cbor(&NODE_KEY_BYTES, &rogue_pub, None);
1562 let sig_hash = ts_tka::aum_hash(&preimage).0;
1563 let signature = rogue.sign(&sig_hash).to_bytes().to_vec();
1564 let rogue_cbor = direct_sig_cbor(&NODE_KEY_BYTES, &rogue_pub, Some(&signature));
1565
1566 let peer = peer_node("rogue-signed", NODE_KEY_BYTES, rogue_cbor);
1567 assert!(
1568 !tracker.tka_admits(&peer),
1569 "a signature from a key outside the trusted set must be rejected"
1570 );
1571 // Drive the real upsert path too (match the sibling replay test's depth): an untrusted-key
1572 // signature must keep the peer out of the db, not merely fail the verdict in isolation.
1573 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer.clone()]));
1574 assert!(tracker.peer_db.get(&peer.node_key).is_none());
1575 }
1576
1577 /// Bus-enable analogue for `Delta`: enforcement engaged via the watch cell must also gate a
1578 /// `Delta { upsert }` (not only `Full`). Closes the "authority arrived over the transport AND the
1579 /// next update is a Delta" combination.
1580 #[tokio::test]
1581 async fn tka_watch_enable_enforces_delta_upsert() {
1582 let (authority, sig) = authority_and_valid_sig();
1583 let (mut tracker, tka_tx) = PeerTracker::for_test(test_env(), None);
1584 tka_tx.send_replace(Some(Arc::new(authority)));
1585
1586 let good = peer_node("good", NODE_KEY_BYTES, sig);
1587 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1588 tracker.apply_peer_update(&ts_control::PeerUpdate::Delta {
1589 remove: vec![],
1590 upsert: vec![good.clone(), unsigned.clone()],
1591 });
1592 assert!(tracker.peer_db.get(&good.node_key).is_some());
1593 assert!(
1594 tracker.peer_db.get(&unsigned.node_key).is_none(),
1595 "delta upsert under an active lock must drop the unsigned peer"
1596 );
1597 }
1598
1599 /// A `Delta` re-upsert of an ALREADY-ADMITTED peer whose signature is now invalid must EVICT the
1600 /// stale entry (revocation-via-delta), not leave it admitted. Go re-filters the whole netmap each
1601 /// response, so a now-unsigned peer would not survive there either.
1602 #[tokio::test]
1603 async fn tka_delta_reupsert_with_invalid_sig_evicts_existing() {
1604 let (authority, sig) = authority_and_valid_sig();
1605 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1606
1607 // Admit the signed peer.
1608 let good = peer_node("good", NODE_KEY_BYTES, sig.clone());
1609 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![good.clone()]));
1610 assert!(tracker.peer_db.get(&good.node_key).is_some());
1611
1612 // Re-upsert the SAME stable_id (now with no signature) via a delta ⇒ evicted, not retained.
1613 let revoked = peer_node("good", NODE_KEY_BYTES, vec![]);
1614 tracker.apply_peer_update(&ts_control::PeerUpdate::Delta {
1615 remove: vec![],
1616 upsert: vec![revoked],
1617 });
1618 assert!(
1619 tracker.peer_db.get(&good.node_key).is_none(),
1620 "a delta re-upsert that fails the lock must evict the previously-admitted peer"
1621 );
1622 }
1623
1624 #[tokio::test]
1625 async fn tka_full_resync_revocation_behavior() {
1626 // Revocation-on-resync: admit a peer, then re-include the SAME stable_id in a `Full` with a
1627 // now-invalid signature. Per the Logic review finding, the pre-fix `retain` kept the stale
1628 // (previously-admitted) entry because membership was decided purely by stable_id.
1629 //
1630 // FIXED (not merely documented): the `Full` `retain` now keys on `tka_admits`-passing
1631 // stable_ids, so a peer whose re-included signature no longer verifies under the active
1632 // authority is EVICTED. This test asserts eviction. The inactive (authority=None) path is
1633 // provably unchanged — `tka_admits` always returns `true` there, so the retained set equals
1634 // the set of re-included stable_ids exactly (see `tka_inactive_full_resync_keeps_*`).
1635 let (authority, sig) = authority_and_valid_sig();
1636 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1637
1638 // 1) Admit the peer with a valid signature via a real `Full`.
1639 let good = peer_node("revoked", NODE_KEY_BYTES, sig.clone());
1640 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![good.clone()]));
1641 assert_eq!(tracker.peer_db.peers().len(), 1);
1642 assert!(tracker.peer_db.get(&good.node_key).is_some());
1643
1644 // 2) Re-sync the SAME stable_id, but with a now-invalid signature (tamper trailing byte).
1645 let mut bad_sig = sig;
1646 let last = bad_sig.len() - 1;
1647 bad_sig[last] ^= 0xff;
1648 let revoked = peer_node("revoked", NODE_KEY_BYTES, bad_sig);
1649 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![revoked.clone()]));
1650
1651 // Eviction: the stale entry is dropped because its re-included signature fails the gate.
1652 assert_eq!(tracker.peer_db.peers().len(), 0);
1653 assert!(tracker.peer_db.get(&revoked.node_key).is_none());
1654 }
1655
1656 #[tokio::test]
1657 async fn tka_inactive_full_resync_keeps_reincluded_peer() {
1658 // Guard the inactive (authority=None) path against the revocation fix: with no authority,
1659 // a peer re-included in a `Full` survives regardless of its signature bytes — byte-for-byte
1660 // pre-TKA behavior, proving the `Full` `retain` change does not regress the always-taken
1661 // branch this wave.
1662 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1663
1664 let peer = peer_node("p", NODE_KEY_BYTES, vec![0xde, 0xad]);
1665 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer.clone()]));
1666 assert_eq!(tracker.peer_db.peers().len(), 1);
1667
1668 // Re-sync the same stable_id with garbage signature bytes; inactive enforcement keeps it.
1669 let resynced = peer_node("p", NODE_KEY_BYTES, vec![0x00]);
1670 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![resynced.clone()]));
1671 assert_eq!(tracker.peer_db.peers().len(), 1);
1672 assert!(tracker.peer_db.get(&resynced.node_key).is_some());
1673 }
1674
1675 /// A `Patch` for a peer already in the netmap merges only the fields it carries — here new UDP
1676 /// endpoints and a new home DERP — leaving the rest of the node intact. This is the fix for
1677 /// dropped `peers_changed_patch`: without it the netmap keeps stale endpoints and the peer can
1678 /// never re-handshake after it moves.
1679 #[tokio::test]
1680 async fn patch_merges_endpoints_and_derp_into_existing_peer() {
1681 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1682
1683 // Seed a peer (id == 1, per `peer_node`) with no endpoints / no DERP.
1684 let peer = peer_node("mover", [1u8; 32], vec![]);
1685 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer.clone()]));
1686 let (_pid, before) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1687 assert!(before.underlay_addresses.is_empty());
1688 assert!(before.derp_region.is_none());
1689
1690 // Patch in fresh reachability (the idle-peer-reconnect case).
1691 let new_ep: std::net::SocketAddr = "203.0.113.7:41641".parse().unwrap();
1692 let patch = ts_control::PeerChange {
1693 id: 1,
1694 derp_region: Some(ts_derp::RegionId(core::num::NonZeroU32::new(5).unwrap())),
1695 cap: None,
1696 cap_map: None,
1697 underlay_addresses: Some(vec![new_ep]),
1698 node_key: None,
1699 key_signature: None,
1700 disco_key: None,
1701 node_key_expiry: None,
1702 online: None,
1703 last_seen: None,
1704 };
1705 let (upserts, deletions) = tracker.apply_peer_patches(std::slice::from_ref(&patch));
1706
1707 assert_eq!(upserts.len(), 1);
1708 assert_eq!(deletions.len(), 0);
1709 // Same peer, now carrying the patched endpoint + DERP; node key untouched.
1710 assert_eq!(tracker.peer_db.peers().len(), 1);
1711 let (_pid, after) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1712 assert_eq!(after.underlay_addresses, vec![new_ep]);
1713 assert_eq!(
1714 after.derp_region,
1715 Some(ts_derp::RegionId(core::num::NonZeroU32::new(5).unwrap()))
1716 );
1717 assert_eq!(after.node_key, peer.node_key);
1718 }
1719
1720 /// Regression for `tsr-5u0`: when a whole-node set (`Delta`/`Full`) and a patch co-occur in one
1721 /// response, the patch is applied *on top of* the node the set just upserted — mirroring the
1722 /// handler's apply-order (peer set first, then `peer_patches`). Before the fix the patch shared
1723 /// the single `peer_update` slot and the co-occurring set silently dropped it, so a peer brought
1724 /// in by the delta kept stale (empty) reachability.
1725 #[tokio::test]
1726 async fn patch_applies_on_top_of_co_occurring_delta() {
1727 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1728
1729 // The whole-node delta upserts a brand-new peer (id == 1) with no reachability.
1730 let peer = peer_node("mover", [1u8; 32], vec![]);
1731 let (set_upserts, _) = tracker.apply_peer_update(&ts_control::PeerUpdate::Delta {
1732 upsert: vec![peer.clone()],
1733 remove: vec![],
1734 });
1735 assert_eq!(set_upserts.len(), 1, "delta upserts the new peer");
1736
1737 // The patch from the SAME response then sets that peer's endpoints + DERP. This is exactly
1738 // the consumer order the handler runs (apply_peer_update then apply_peer_patches).
1739 let new_ep: std::net::SocketAddr = "203.0.113.7:41641".parse().unwrap();
1740 let patch = ts_control::PeerChange {
1741 id: 1,
1742 derp_region: Some(ts_derp::RegionId(core::num::NonZeroU32::new(7).unwrap())),
1743 cap: None,
1744 cap_map: None,
1745 underlay_addresses: Some(vec![new_ep]),
1746 node_key: None,
1747 key_signature: None,
1748 disco_key: None,
1749 node_key_expiry: None,
1750 online: None,
1751 last_seen: None,
1752 };
1753 let (patch_upserts, patch_deletions) =
1754 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1755
1756 assert_eq!(
1757 patch_upserts.len(),
1758 1,
1759 "patch re-upserts the just-added peer"
1760 );
1761 assert_eq!(patch_deletions.len(), 0);
1762 // The peer added by the delta now carries the patched reachability — the patch was NOT lost.
1763 let (_pid, after) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1764 assert_eq!(after.underlay_addresses, vec![new_ep]);
1765 assert_eq!(
1766 after.derp_region,
1767 Some(ts_derp::RegionId(core::num::NonZeroU32::new(7).unwrap()))
1768 );
1769 }
1770
1771 /// A `Patch` whose node id is not in the current netmap is ignored (the wire contract: a patch
1772 /// never creates a node). No upsert, no deletion, peer set unchanged.
1773 #[tokio::test]
1774 async fn patch_for_unknown_node_is_ignored() {
1775 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1776 let known = peer_node("known", [1u8; 32], vec![]); // id == 1
1777 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![known]));
1778
1779 let patch = ts_control::PeerChange {
1780 id: 999, // not in the netmap
1781 derp_region: None,
1782 cap: None,
1783 cap_map: None,
1784 underlay_addresses: Some(vec!["198.51.100.9:1".parse().unwrap()]),
1785 node_key: None,
1786 key_signature: None,
1787 disco_key: None,
1788 node_key_expiry: None,
1789 online: None,
1790 last_seen: None,
1791 };
1792 let (upserts, deletions) = tracker.apply_peer_patches(std::slice::from_ref(&patch));
1793
1794 assert_eq!(upserts.len(), 0);
1795 assert_eq!(deletions.len(), 0);
1796 assert_eq!(tracker.peer_db.peers().len(), 1);
1797 assert!(tracker.peer_db.get(&(999 as ts_control::NodeId)).is_none());
1798 }
1799
1800 /// An expiry-only `Patch` updates `node_key_expiry` on the matching peer (Go
1801 /// `PeerChange.KeyExpiry`), rather than being silently dropped until the next full resync.
1802 #[tokio::test]
1803 async fn patch_updates_node_key_expiry() {
1804 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1805 let peer = peer_node("expiring", [1u8; 32], vec![]); // id == 1, node_key_expiry: None
1806 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
1807
1808 let expiry = "2027-01-01T00:00:00Z"
1809 .parse::<chrono::DateTime<chrono::Utc>>()
1810 .unwrap();
1811 let patch = ts_control::PeerChange {
1812 id: 1,
1813 derp_region: None,
1814 cap: None,
1815 cap_map: None,
1816 underlay_addresses: None,
1817 node_key: None,
1818 key_signature: None,
1819 disco_key: None,
1820 node_key_expiry: Some(expiry),
1821 online: None,
1822 last_seen: None,
1823 };
1824 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1825
1826 let (_pid, after) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1827 assert_eq!(after.node_key_expiry, Some(expiry));
1828 }
1829
1830 /// Channel B: a `PeerChange.online` patch flips a peer's online state without a full node.
1831 #[tokio::test]
1832 async fn patch_updates_online() {
1833 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1834 let peer = peer_node("p", [1u8; 32], vec![]); // id == 1, online: None
1835 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
1836 assert_eq!(
1837 tracker
1838 .peer_db
1839 .get(&(1 as ts_control::NodeId))
1840 .unwrap()
1841 .1
1842 .online,
1843 None
1844 );
1845
1846 let mut patch = ts_control::PeerChange {
1847 id: 1,
1848 derp_region: None,
1849 cap: None,
1850 cap_map: None,
1851 underlay_addresses: None,
1852 node_key: None,
1853 key_signature: None,
1854 disco_key: None,
1855 node_key_expiry: None,
1856 online: Some(true),
1857 last_seen: None,
1858 };
1859 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1860 assert_eq!(
1861 tracker
1862 .peer_db
1863 .get(&(1 as ts_control::NodeId))
1864 .unwrap()
1865 .1
1866 .online,
1867 Some(true),
1868 "PeerChange.online=Some(true) marks the peer online"
1869 );
1870
1871 // A subsequent patch flips it offline.
1872 patch.online = Some(false);
1873 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1874 assert_eq!(
1875 tracker
1876 .peer_db
1877 .get(&(1 as ts_control::NodeId))
1878 .unwrap()
1879 .1
1880 .online,
1881 Some(false)
1882 );
1883 }
1884
1885 /// Channel C/D (Go `map.go:updatePeersStateFromResponse`): `online_change` is the sole driver of
1886 /// `online`; `peer_seen_change` is the sole driver of `last_seen` (true ⇒ now, false ⇒ cleared)
1887 /// and must NEVER touch `online`. Both apply to a peer already in the netmap and ignore unknown
1888 /// ids. This pins the fix for the prior bug where channel D wrote `online=false` (conflating
1889 /// "not seen recently" with "offline" — distinct signals in Go).
1890 #[tokio::test]
1891 async fn liveness_change_maps_apply_online() {
1892 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1893 let peer = peer_node("p", [1u8; 32], vec![]); // id == 1
1894 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
1895 // A fixed timestamp (chrono is built without its `clock` feature, so no `Utc::now()`).
1896 let now = chrono::DateTime::from_timestamp(1_700_000_000, 0).unwrap();
1897
1898 // Channel C: online_change sets online=true.
1899 let mut online_change = std::collections::BTreeMap::new();
1900 online_change.insert(1 as ts_control::NodeId, true);
1901 online_change.insert(999 as ts_control::NodeId, true); // unknown id — ignored
1902 let changed = tracker.apply_liveness_changes(&online_change, &Default::default(), now);
1903 assert!(changed);
1904 assert_eq!(
1905 tracker
1906 .peer_db
1907 .get(&(1 as ts_control::NodeId))
1908 .unwrap()
1909 .1
1910 .online,
1911 Some(true)
1912 );
1913
1914 // Channel D: peer_seen_change=true sets last_seen=now and leaves online UNTOUCHED.
1915 let mut seen_true = std::collections::BTreeMap::new();
1916 seen_true.insert(1 as ts_control::NodeId, true);
1917 let changed = tracker.apply_liveness_changes(&Default::default(), &seen_true, now);
1918 assert!(changed);
1919 {
1920 let (_id, node) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1921 assert_eq!(
1922 node.last_seen,
1923 Some(now),
1924 "peer_seen_change=true sets last_seen=now"
1925 );
1926 assert_eq!(
1927 node.online,
1928 Some(true),
1929 "channel D must NOT touch online (still true from channel C)"
1930 );
1931 }
1932
1933 // Channel D: peer_seen_change=false clears last_seen, still leaving online untouched.
1934 let mut seen_false = std::collections::BTreeMap::new();
1935 seen_false.insert(1 as ts_control::NodeId, false);
1936 let changed = tracker.apply_liveness_changes(&Default::default(), &seen_false, now);
1937 assert!(changed);
1938 {
1939 let (_id, node) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1940 assert_eq!(
1941 node.last_seen, None,
1942 "peer_seen_change=false clears last_seen"
1943 );
1944 assert_eq!(node.online, Some(true), "channel D must NOT mark offline");
1945 }
1946 assert_eq!(
1947 tracker.peer_db.peers().len(),
1948 1,
1949 "the node is retained, not removed"
1950 );
1951
1952 // No-op when nothing matches / changes.
1953 assert!(!tracker.apply_liveness_changes(&Default::default(), &Default::default(), now));
1954 }
1955
1956 /// Security: a `Patch` that rotates the node key must re-satisfy the tailnet-lock authority,
1957 /// exactly like a `Delta` upsert. A key-rotation patch whose new signature does NOT verify
1958 /// evicts the peer (fail-closed) rather than leaving a now-unverified entry — closing what would
1959 /// otherwise be a trust-enforcement bypass via the patch path.
1960 #[tokio::test]
1961 async fn patch_key_rotation_failing_tka_evicts_peer() {
1962 let (authority, sig) = authority_and_valid_sig();
1963 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1964
1965 // Admit a correctly-signed peer (id == 1).
1966 let good = peer_node("rotator", NODE_KEY_BYTES, sig.clone());
1967 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![good.clone()]));
1968 assert_eq!(tracker.peer_db.peers().len(), 1);
1969
1970 // Patch a new node key whose signature is garbage under the active authority.
1971 let patch = ts_control::PeerChange {
1972 id: 1,
1973 derp_region: None,
1974 cap: None,
1975 cap_map: None,
1976 underlay_addresses: None,
1977 node_key: Some([0x33u8; 32].into()),
1978 key_signature: Some(vec![0x00, 0x01, 0x02]),
1979 disco_key: None,
1980 node_key_expiry: None,
1981 online: None,
1982 last_seen: None,
1983 };
1984 let (upserts, deletions) = tracker.apply_peer_patches(std::slice::from_ref(&patch));
1985
1986 assert_eq!(upserts.len(), 0);
1987 assert_eq!(deletions.len(), 1);
1988 assert_eq!(tracker.peer_db.peers().len(), 0);
1989 }
1990
1991 /// A node's `user_id` joins against the accumulated UserProfiles table to resolve the owning
1992 /// user's login name in `WhoIs.user`. With no matching profile, `user` is `None` (the
1993 /// pre-existing behavior); once a profile arrives, the same node resolves to its login. This
1994 /// proves the accumulate-then-join path the netmap handler builds.
1995 fn profile(id: ts_control::UserId, login: &str) -> ts_control::UserProfile {
1996 ts_control::UserProfile {
1997 id,
1998 login_name: login.to_string(),
1999 display_name: None,
2000 }
2001 }
2002
2003 #[tokio::test]
2004 async fn whois_resolves_user_from_accumulated_profiles() {
2005 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
2006
2007 // A peer owned by user id 42 at 100.64.0.1 (the peer_node fixture's address).
2008 let mut peer = peer_node("p", NODE_KEY_BYTES, Vec::new());
2009 peer.user_id = 42;
2010 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
2011 let addr = "100.64.0.1:0".parse().unwrap();
2012
2013 // No profile yet: the node resolves but its owner is unknown.
2014 let who = tracker.whois_opt(addr).expect("peer is known");
2015 assert_eq!(who.user, None);
2016
2017 // Profile for a DIFFERENT user must not match.
2018 tracker
2019 .user_profiles
2020 .insert(7, profile(7, "someone-else@example.com"));
2021 assert_eq!(tracker.whois_opt(addr).unwrap().user, None);
2022
2023 // The owning user's profile arrives (as the netmap handler would accumulate it): now the
2024 // login resolves.
2025 tracker
2026 .user_profiles
2027 .insert(42, profile(42, "alice@example.com"));
2028 assert_eq!(
2029 tracker.whois_opt(addr).unwrap().user,
2030 Some("alice@example.com".to_string())
2031 );
2032 }
2033
2034 /// `UserProfile::best_label` prefers the login name, falling back to display name, else `None`.
2035 #[test]
2036 fn user_profile_best_label_prefers_login() {
2037 assert_eq!(
2038 profile(1, "alice@example.com").best_label(),
2039 Some("alice@example.com".to_string())
2040 );
2041 let display_only = ts_control::UserProfile {
2042 id: 2,
2043 login_name: String::new(),
2044 display_name: Some("Bob".to_string()),
2045 };
2046 assert_eq!(display_only.best_label(), Some("Bob".to_string()));
2047 let empty = ts_control::UserProfile {
2048 id: 3,
2049 login_name: String::new(),
2050 display_name: None,
2051 };
2052 assert_eq!(empty.best_label(), None);
2053 }
2054
2055 // ----- tsr-jo1: RotationTracker (Go ipnlocal.rotationTracker.obsoleteKeys) -----
2056
2057 /// A `RotationDetails` for a `Direct`-rooted chain with the given prior keys + wrapping key.
2058 fn rot_details(
2059 prev: &[&[u8]],
2060 wrapping: &[u8],
2061 kind: ts_tka::SigKind,
2062 ) -> ts_tka::RotationDetails {
2063 ts_tka::RotationDetails {
2064 prev_node_keys: prev.iter().map(|p| p.to_vec()).collect(),
2065 initial_sig_kind: kind,
2066 initial_wrapping_pubkey: wrapping.to_vec(),
2067 }
2068 }
2069
2070 /// Rule 1: every prior node key named by any rotation chain is obsolete, regardless of the
2071 /// chain's root kind (Go's ungated `obsolete.AddSlice(d.PrevNodeKeys)`).
2072 #[test]
2073 fn rotation_tracker_prev_keys_always_obsolete() {
2074 let mut t = RotationTracker::default();
2075 // A Direct-rooted chain that rotated away OLD1, and a Credential-rooted one that rotated OLD2.
2076 t.add(
2077 b"newA".to_vec(),
2078 &rot_details(&[b"OLD1"], b"wrapA", ts_tka::SigKind::Direct),
2079 );
2080 t.add(
2081 b"newB".to_vec(),
2082 &rot_details(&[b"OLD2"], b"wrapB", ts_tka::SigKind::Credential),
2083 );
2084 let obsolete = t.obsolete_keys();
2085 assert!(
2086 obsolete.contains(b"OLD1".as_slice()),
2087 "Direct chain's prior key obsolete"
2088 );
2089 assert!(
2090 obsolete.contains(b"OLD2".as_slice()),
2091 "Credential chain's prior key obsolete too (rule 1 is ungated)"
2092 );
2093 // The current keys themselves are not obsolete (only one peer per wrapping key here).
2094 assert!(!obsolete.contains(b"newA".as_slice()));
2095 assert!(!obsolete.contains(b"newB".as_slice()));
2096 }
2097
2098 /// Rule 2: among `Direct`-rooted chains sharing a wrapping key, only the longest survives; the
2099 /// shorter (older) clone's key is obsolete.
2100 #[test]
2101 fn rotation_tracker_unequal_chain_keeps_longest() {
2102 let mut t = RotationTracker::default();
2103 // Same wrapping key; "long" has 2 prior keys, "short" has 1 ⇒ "short" is the older clone.
2104 t.add(
2105 b"long".to_vec(),
2106 &rot_details(&[b"p1", b"p2"], b"wrap", ts_tka::SigKind::Direct),
2107 );
2108 t.add(
2109 b"short".to_vec(),
2110 &rot_details(&[b"q1"], b"wrap", ts_tka::SigKind::Direct),
2111 );
2112 let obsolete = t.obsolete_keys();
2113 assert!(
2114 obsolete.contains(b"short".as_slice()),
2115 "the shorter-chain clone is obsolete"
2116 );
2117 assert!(
2118 !obsolete.contains(b"long".as_slice()),
2119 "the longest-chain peer survives"
2120 );
2121 }
2122
2123 /// Rule 2 tie: two `Direct`-rooted chains sharing a wrapping key with EQUAL chain length cannot
2124 /// be disambiguated ⇒ BOTH are dropped (Go's safety branch).
2125 #[test]
2126 fn rotation_tracker_equal_chain_drops_both() {
2127 let mut t = RotationTracker::default();
2128 t.add(
2129 b"cloneA".to_vec(),
2130 &rot_details(&[b"p1"], b"wrap", ts_tka::SigKind::Direct),
2131 );
2132 t.add(
2133 b"cloneB".to_vec(),
2134 &rot_details(&[b"p2"], b"wrap", ts_tka::SigKind::Direct),
2135 );
2136 let obsolete = t.obsolete_keys();
2137 assert!(
2138 obsolete.contains(b"cloneA".as_slice()),
2139 "tied clone A dropped"
2140 );
2141 assert!(
2142 obsolete.contains(b"cloneB".as_slice()),
2143 "tied clone B dropped"
2144 );
2145 }
2146
2147 /// `Credential`-rooted chains sharing a wrapping key are EXEMPT from rule 2 (reusable-authkey
2148 /// carve-out): both are kept even with equal chain length.
2149 #[test]
2150 fn rotation_tracker_credential_root_clones_both_kept() {
2151 let mut t = RotationTracker::default();
2152 t.add(
2153 b"credA".to_vec(),
2154 &rot_details(&[b"p1"], b"wrap", ts_tka::SigKind::Credential),
2155 );
2156 t.add(
2157 b"credB".to_vec(),
2158 &rot_details(&[b"p2"], b"wrap", ts_tka::SigKind::Credential),
2159 );
2160 let obsolete = t.obsolete_keys();
2161 assert!(
2162 !obsolete.contains(b"credA".as_slice()),
2163 "credential-rooted clone A kept"
2164 );
2165 assert!(
2166 !obsolete.contains(b"credB".as_slice()),
2167 "credential-rooted clone B kept"
2168 );
2169 }
2170
2171 /// A peer that another chain already rotated away does not also act as a surviving clone: it is
2172 /// removed from its wrapping-key group before the longest-survivor pick (Go's `DeleteFunc`).
2173 #[test]
2174 fn rotation_tracker_already_obsolete_peer_not_a_survivor() {
2175 let mut t = RotationTracker::default();
2176 // "victim" is rotated away by "rotator" (different wrapping key), AND shares wrapping key
2177 // "w" with "other". Because "victim" is already obsolete, only "other" is in play for "w" and
2178 // survives (no spurious tie-drop of "other").
2179 t.add(
2180 b"rotator".to_vec(),
2181 &rot_details(&[b"victim"], b"wRot", ts_tka::SigKind::Direct),
2182 );
2183 t.add(
2184 b"victim".to_vec(),
2185 &rot_details(&[b"x"], b"w", ts_tka::SigKind::Direct),
2186 );
2187 t.add(
2188 b"other".to_vec(),
2189 &rot_details(&[b"y"], b"w", ts_tka::SigKind::Direct),
2190 );
2191 let obsolete = t.obsolete_keys();
2192 assert!(
2193 obsolete.contains(b"victim".as_slice()),
2194 "victim rotated away by rotator"
2195 );
2196 assert!(
2197 !obsolete.contains(b"other".as_slice()),
2198 "other survives — victim was removed from the group before the tie check"
2199 );
2200 }
2201
2202 /// Empty tracker (no rotation-signed peers) ⇒ no obsolete keys (the non-rotation netmap path).
2203 #[test]
2204 fn rotation_tracker_empty_is_noop() {
2205 let t = RotationTracker::default();
2206 assert!(t.obsolete_keys().is_empty());
2207 }
2208
2209 /// End-to-end through the real `Full` path: a peer presenting a freshly-rotated key (a Rotation
2210 /// chain) is admitted, while a second peer still presenting the rotated-AWAY pivot key — even with
2211 /// that key's own still-valid Direct signature — is DROPPED by the cross-peer rotation filter.
2212 /// This is the gap closed here: Go `tkaFilterNetmapLocked` drops the stale clone; we used to admit
2213 /// it. Uses real `ts_tka` signing (`sign_direct` + `sign_rotation`) so the whole
2214 /// verify → details → filter pipeline runs.
2215 ///
2216 /// Construction: the trusted key signs an inner `Direct` over the PIVOT keypair's public key; the
2217 /// pivot key then signs an outer `Rotation` authorizing `new_key`. That chain's `prev_node_keys`
2218 /// names the pivot pubkey — so a peer presenting the pivot pubkey as its node key is the
2219 /// rotated-away key the filter must drop.
2220 #[tokio::test]
2221 async fn tka_full_drops_rotated_away_key_e2e() {
2222 use ed25519_dalek::SigningKey;
2223 use ts_tka::NodeKeySignature;
2224
2225 let trusted = SigningKey::from_bytes(&[42u8; 32]);
2226 let trusted_pub = trusted.verifying_key().to_bytes().to_vec();
2227 let authority = Authority::from_state(
2228 AumHash([0; 32]),
2229 State {
2230 keys: vec![Key {
2231 kind: KeyKind::Ed25519,
2232 votes: 1,
2233 public: trusted_pub.clone(),
2234 }],
2235 },
2236 );
2237
2238 // The rotation pivot: a keypair whose public key the inner Direct authorizes and whose
2239 // private key signs the outer rotation wrap. This pivot pubkey IS the key being rotated away.
2240 let pivot = SigningKey::from_bytes(&[9u8; 32]);
2241 let pivot_pub: [u8; 32] = pivot.verifying_key().to_bytes();
2242
2243 let new_key = [4u8; 32]; // the freshly-rotated node key
2244
2245 // Fresh peer: a Rotation chain authorizing `new_key`, inner Direct over the pivot signed by
2246 // trusted, outer wrap signed by the pivot. Its prev_node_keys names `pivot_pub`.
2247 let new_sig = NodeKeySignature::sign_rotation(&new_key, &trusted, &pivot).serialize();
2248 let new_peer = peer_node("rotated", new_key, new_sig);
2249
2250 // Stale peer: still presents the pivot pubkey (the rotated-away key) with its own valid
2251 // Direct signature — valid in isolation, but obsoleted by the fresh peer's rotation chain.
2252 let stale_sig = NodeKeySignature::sign_direct(&pivot_pub, &trusted).serialize();
2253 let stale_peer = peer_node("stale", pivot_pub, stale_sig);
2254
2255 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
2256 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
2257 new_peer.clone(),
2258 stale_peer.clone(),
2259 ]));
2260
2261 assert!(
2262 tracker.peer_db.get(&new_peer.node_key).is_some(),
2263 "the freshly-rotated peer is admitted"
2264 );
2265 assert!(
2266 tracker.peer_db.get(&stale_peer.node_key).is_none(),
2267 "the peer presenting the rotated-away key is dropped (Go tkaFilterNetmapLocked)"
2268 );
2269 }
2270}