ts_runtime/peer_tracker/mod.rs
1//! Peer delta update tracking.
2
3use std::{
4 collections::{HashMap, HashSet},
5 net::IpAddr,
6 sync::Arc,
7};
8
9use kameo::{
10 actor::ActorRef,
11 message::{Context, Message},
12 reply::ReplySender,
13};
14use tokio::sync::watch;
15use ts_control::{Node, UserId, UserProfile};
16use ts_transport::PeerId;
17
18use crate::{Error, env::Env, status::StatusNode};
19
20mod peer_db;
21
22pub use peer_db::PeerDb;
23
24/// Actor that tracks peer delta updates and emits new states.
25pub struct PeerTracker {
26 peer_db: PeerDb,
27 seen_state_update: bool,
28 pending_requests: Vec<Pending>,
29 /// Latest peer snapshot, published on every netmap update so embedders can watch for peer
30 /// changes ([`WatchNetmap`]).
31 peer_watch: watch::Sender<Vec<StatusNode>>,
32 /// Accumulated netmap user profiles (`MapResponse.UserProfiles`), keyed by user id, joined
33 /// against a node's [`Node::user_id`](ts_control::Node::user_id) to resolve the owning user's
34 /// login/display name for a [`WhoIs`](crate::status::WhoIs). Control sends these incrementally
35 /// (only new/changed profiles per response), so this map **accumulates** across updates rather
36 /// than being replaced — a peer upserted in one response may reference a profile delivered in an
37 /// earlier one.
38 user_profiles: HashMap<UserId, UserProfile>,
39 /// Tailnet-Lock (TKA) authority enforced at the peer-trust chokepoint, matching Go
40 /// `tkaFilterNetmapLocked`. Read on demand from a [`watch`] cell the control runner owns: when it
41 /// holds `Some` (a verified lock has been synced from control), enforcement is **active** — every
42 /// upserted peer must present a `key_signature` this authority authorizes, or it is dropped
43 /// (fail-closed), exactly as Go drops peers with a missing or failing signature. When it holds
44 /// `None` (no lock, or the lock was disabled) enforcement is **inactive** and every peer is
45 /// upserted, identical to pre-TKA behavior and to Go's `b.tka == nil` early return.
46 ///
47 /// A `watch::Receiver` (not the bus) is the transport on purpose: the authority is a single
48 /// security-critical state cell, and `watch` is last-write-wins, never-dropped, and ordered by
49 /// the control runner's own writes — so a disable (`None`) can never be reordered behind or
50 /// silently dropped before a stale `Some` (which a best-effort broadcast bus could do, leaving a
51 /// defunct lock enforcing forever). The control runner is the sole writer; we only ever read.
52 ///
53 /// The authority always passes through `VerifiedAumChain::verify` before the control runner
54 /// publishes it, so enforcement only engages on a chain we have cryptographically verified.
55 /// Connectivity now depends on `ts_tka` verifying genuinely-good signatures correctly (see
56 /// SECURITY.md). Self is structurally never filtered here (the self node never enters `peer_db` —
57 /// it is routed to the control runner's `self_node` cell), so a node cannot lock itself out of
58 /// its own netmap.
59 tka_authority: watch::Receiver<Option<Arc<ts_tka::Authority>>>,
60 env: Env,
61}
62
63impl PeerTracker {
64 fn peer_by_name_opt(&self, name: &str) -> Option<&Node> {
65 // Canonicalization (case + trailing dot) is handled inside the name index lookup.
66 self.peer_db.get(&name).map(|(_id, node)| node)
67 }
68
69 fn peer_by_tailnet_ip_opt(&self, ip: IpAddr) -> Option<&Node> {
70 self.peer_db.get(&ip).map(|(_id, node)| node)
71 }
72
73 /// Build the peer entries for a [`Status`](crate::Status) snapshot from the current peer db.
74 ///
75 /// Connectivity fields (`cur_addr`/`relay`) are left at their `from_node` defaults (`None`) here:
76 /// this is the live-watch/hot path and must stay magicsock-free and synchronous. The explicit
77 /// [`GetStatus`] snapshot enriches them ([`status_peers_with_ids`](Self::status_peers_with_ids)).
78 fn status_peers(&self) -> Vec<StatusNode> {
79 self.peer_db
80 .peers()
81 .values()
82 .map(StatusNode::from_node)
83 .collect()
84 }
85
86 /// Like [`status_peers`](Self::status_peers) but pairs each entry with its [`PeerId`], so the
87 /// caller can join per-peer connectivity (the direct manager's `best_addrs`, keyed by `PeerId`)
88 /// onto the `StatusNode` before returning it. Order is unspecified (a `HashMap` walk).
89 fn status_peers_with_ids(&self) -> Vec<(PeerId, StatusNode)> {
90 self.peer_db
91 .peers()
92 .iter()
93 .map(|(id, node)| (*id, StatusNode::from_node(node)))
94 .collect()
95 }
96
97 fn whois_opt(&self, addr: std::net::SocketAddr) -> Option<crate::status::WhoIs> {
98 let ip = crate::status::whois_addr(addr);
99 let node = self.peer_by_tailnet_ip_opt(ip).cloned()?;
100 // Join the node's owning user id against the accumulated UserProfiles table to resolve a
101 // login/display name. `None` when control sent no profile for that user (e.g. tagged nodes
102 // with no human owner, or a profile not yet delivered).
103 let user = self.resolve_user(node.user_id);
104 Some(crate::status::WhoIs::from_node_with_user(node, user))
105 }
106
107 /// Resolve a user id to its best display label from the accumulated profile table.
108 fn resolve_user(&self, user_id: UserId) -> Option<String> {
109 self.user_profiles
110 .get(&user_id)
111 .and_then(UserProfile::best_label)
112 }
113
114 /// Whether `node` may be admitted to the peer db under Tailnet Lock, matching Go
115 /// `tkaFilterNetmapLocked`'s per-peer verdict (drop unsigned / failed-signature peers).
116 ///
117 /// This consults the live [`tka_authority`](Self::tka_authority) cell on each call (one `borrow`,
118 /// held only for the duration of the verdict). For a `Full` resync — which checks every peer —
119 /// prefer [`tka_authority_snapshot`](Self::tka_authority_snapshot) +
120 /// [`tka_snapshot_admits`](Self::tka_snapshot_admits) to borrow once and verify each peer a single
121 /// time; this method is the convenience wrapper for the single-peer (`Delta`/patch) sites.
122 ///
123 /// Fail-closed and gated:
124 /// - No authority ⇒ no lock synced ⇒ always admit (Go's `b.tka == nil` early return; identical to
125 /// pre-TKA behavior).
126 /// - **Empty trusted-key state** ⇒ always admit (logged at `error!` — see
127 /// [`tka_snapshot_admits`](Self::tka_snapshot_admits) for the full rationale).
128 /// - Authority present + peer carries a `key_signature` the authority authorizes for the peer's
129 /// node key ⇒ admit.
130 /// - Authority present + signature missing or unauthorized/invalid ⇒ **drop** (Go drops peers
131 /// with a missing signature or failed `NodeKeyAuthorized` under tailnet lock).
132 fn tka_admits(&self, node: &Node) -> bool {
133 // Single-peer sites (`Delta`/patch) only need the admit bool; the rotation details are used
134 // exclusively by the cross-peer `Full` filter (rotation obsolescence is whole-netmap).
135 Self::tka_snapshot_admits(self.tka_authority.borrow().as_deref(), node).admitted
136 }
137
138 /// Borrow the current TKA authority once (cloning the cheap `Arc`) for a batch verdict. Returns
139 /// `None` when no lock is synced (admit-all). Used by the `Full` path so a netmap of N peers
140 /// reads the cell once and runs at most one signature verify per peer (not two).
141 fn tka_authority_snapshot(&self) -> Option<Arc<ts_tka::Authority>> {
142 self.tka_authority.borrow().clone()
143 }
144
145 /// The per-peer Tailnet-Lock verdict against an already-borrowed `authority` snapshot. Factored
146 /// out so both the single-peer [`tka_admits`](Self::tka_admits) and the `Full` batch path share
147 /// one verdict implementation (no divergence) while the batch path verifies each peer exactly
148 /// once.
149 ///
150 /// Returns whether the peer is admitted AND, for an admitted peer signed by a rotation chain, the
151 /// [`RotationDetails`](ts_tka::RotationDetails) of that chain — so the `Full` path can run the
152 /// cross-peer rotation filter (Go's `rotationTracker`) without a second verify per peer. A peer
153 /// that is dropped, unsigned, or signed by a non-rotation chain carries `rotation == None`.
154 ///
155 /// Never logs key/signature bytes — only the `stable_id` and the `TkaError` Display (static
156 /// descriptors). One documented parity gap remains vs Go (under-enforcement, in PARITY_ROADMAP):
157 /// no `UnsignedPeerAPIOnly` exemption (our node model lacks the field).
158 fn tka_snapshot_admits(authority: Option<&ts_tka::Authority>, node: &Node) -> TkaVerdict {
159 let Some(auth) = authority else {
160 return TkaVerdict::admit();
161 };
162
163 // Brick-guard: an authority with no trusted keys would drop every peer. A verified chain is
164 // structurally guaranteed ≥1 key (genesis rejects an empty key set, and the last key cannot
165 // be removed), so reaching here means a `ts_tka` invariant was violated — admit rather than
166 // black-hole the whole netmap, and log at `error!` because it signals a real bug, not an
167 // expected runtime input. This is OUR fail-safe, not a Go behavior. NOTE: it only catches the
168 // empty-keyset shape; a non-empty authority that authorizes none of the offered peers still
169 // (correctly) drops them — that is what a lock that revoked everyone means. The
170 // "authorized-zero-peers" isolation case is surfaced separately by the caller.
171 if auth.state().keys.is_empty() {
172 tracing::error!(
173 "TKA: authority has an empty trusted-key set (verified chains never do — likely a \
174 ts_tka bug); not enforcing (admitting all) to avoid isolating the node"
175 );
176 return TkaVerdict::admit();
177 }
178
179 if node.key_signature.is_empty() {
180 tracing::warn!(
181 stable_id = ?node.stable_id,
182 "TKA: dropping unsigned peer under tailnet lock"
183 );
184 return TkaVerdict::drop();
185 }
186
187 match auth.node_key_authorized_with_details(&node.node_key.to_bytes(), &node.key_signature)
188 {
189 Ok(rotation) => {
190 tracing::debug!(stable_id = ?node.stable_id, "TKA: peer node-key authorized");
191 TkaVerdict {
192 admitted: true,
193 rotation,
194 }
195 }
196 Err(e) => {
197 tracing::warn!(
198 stable_id = ?node.stable_id,
199 error = %e,
200 "TKA: dropping peer with unauthorized node key"
201 );
202 TkaVerdict::drop()
203 }
204 }
205 }
206}
207
208/// The outcome of a per-peer Tailnet-Lock check: whether the peer is admitted, plus (for an admitted
209/// peer signed by a rotation chain) the chain's [`RotationDetails`](ts_tka::RotationDetails) so the
210/// `Full` path can run the cross-peer rotation filter from the SAME verify pass (no second verify).
211struct TkaVerdict {
212 admitted: bool,
213 rotation: Option<ts_tka::RotationDetails>,
214}
215
216impl TkaVerdict {
217 /// Admitted, no rotation details (no lock / brick-guard / non-rotation signature).
218 fn admit() -> Self {
219 Self {
220 admitted: true,
221 rotation: None,
222 }
223 }
224 /// Dropped.
225 fn drop() -> Self {
226 Self {
227 admitted: false,
228 rotation: None,
229 }
230 }
231}
232
233/// Cross-peer rotation-obsolescence tracker, mirroring Go `ipnlocal.rotationTracker`. Fed the
234/// [`RotationDetails`](ts_tka::RotationDetails) of every admitted, rotation-signed peer in a `Full`
235/// netmap; [`obsolete_keys`](Self::obsolete_keys) then returns the node keys to drop on top of the
236/// per-peer verdict. Two rules (Go `tkaFilterNetmapLocked` + `rotationTracker.obsoleteKeys`):
237///
238/// 1. Every prior node key named in any rotation chain is obsolete (a newer chain rotated it away).
239/// 2. Among `Direct`-rooted chains sharing one wrapping pubkey (a clone signal), only the
240/// longest-chain peer survives; if the two longest are tied, ALL in that group are dropped (we
241/// cannot tell which is the latest, so reject for safety). `Credential`-rooted chains are exempt
242/// from rule 2 — several nodes can legitimately join under one reusable auth key (same wrapping
243/// pubkey), so sharing it is not a clone signal there. (Rule 1 still applies to them.)
244///
245/// Node keys are tracked as raw `Vec<u8>` (the verified 32-byte node-public bytes).
246#[derive(Default)]
247struct RotationTracker {
248 obsolete: HashSet<Vec<u8>>,
249 by_wrapping_key: HashMap<Vec<u8>, Vec<SigRotation>>,
250}
251
252/// One admitted peer's rotation entry within a wrapping-key group.
253struct SigRotation {
254 node_key: Vec<u8>,
255 num_prev_keys: usize,
256}
257
258impl RotationTracker {
259 /// Record an admitted peer `node_key` and its rotation `details` (Go `addRotationDetails`).
260 fn add(&mut self, node_key: Vec<u8>, details: &ts_tka::RotationDetails) {
261 // Rule 1: every prior key is obsolete — applied for ALL chains (incl. credential-rooted),
262 // matching Go's ungated `obsolete.AddSlice(d.PrevNodeKeys)`.
263 self.obsolete.extend(details.prev_node_keys.iter().cloned());
264 // Rule 2 (clone-uniqueness) is gated to Direct-rooted chains only.
265 if details.initial_sig_kind != ts_tka::SigKind::Direct {
266 return;
267 }
268 self.by_wrapping_key
269 .entry(details.initial_wrapping_pubkey.clone())
270 .or_default()
271 .push(SigRotation {
272 node_key,
273 num_prev_keys: details.prev_node_keys.len(),
274 });
275 }
276
277 /// Compute the full obsolete node-key set (Go `rotationTracker.obsoleteKeys`). Processes each
278 /// wrapping-key group, mutating the shared `obsolete` set as it goes (so a key obsoleted by one
279 /// group is seen as obsolete by later groups via the `retain` below — Go's
280 /// `slices.DeleteFunc(... Contains)`). Group iteration order (a `HashMap` drain) is
281 /// nondeterministic, but the result is order-INDEPENDENT: this only ever *inserts* into
282 /// `obsolete` (never removes), and rule 1 already obsoleted every prior key before this loop, so
283 /// the final set is a union that does not depend on which group runs first (as in Go).
284 fn obsolete_keys(mut self) -> HashSet<Vec<u8>> {
285 // Drain only the group map so the loop can mutate `self.obsolete` without aliasing it; the
286 // shared `obsolete` set itself is NOT drained, preserving the cross-group visibility above.
287 let groups: Vec<Vec<SigRotation>> = self.by_wrapping_key.drain().map(|(_k, v)| v).collect();
288 for mut group in groups {
289 // Drop entries already obsoleted (rotated away) by another chain.
290 group.retain(|rd| !self.obsolete.contains(&rd.node_key));
291 if group.is_empty() {
292 continue;
293 }
294 // Longest chain (most prior keys) is the newest ⇒ the survivor; sort decreasing.
295 // `sort_by_key` is stable (like Go's `SortStableFunc`); `Reverse` gives descending order.
296 group.sort_by_key(|rd| core::cmp::Reverse(rd.num_prev_keys));
297 if group.len() >= 2 && group[0].num_prev_keys == group[1].num_prev_keys {
298 // Tie for longest ⇒ cannot disambiguate the latest ⇒ drop the WHOLE group.
299 tracing::warn!(
300 "TKA: multiple peers share a wrapping key with equal rotation depth; dropping all (cannot determine the latest)"
301 );
302 for rd in &group {
303 self.obsolete.insert(rd.node_key.clone());
304 }
305 } else {
306 // Only the longest-chain peer survives; the rest are obsolete.
307 for rd in &group[1..] {
308 self.obsolete.insert(rd.node_key.clone());
309 }
310 }
311 }
312 self.obsolete
313 }
314}
315
316impl kameo::Actor for PeerTracker {
317 /// `(env, tka_authority)`: the bus/keys env, plus the read end of the control runner's TKA
318 /// enforcement-authority cell (Go `tkaFilterNetmapLocked`). The control runner is the sole
319 /// writer; it publishes the verified `Authority` after a successful `/machine/tka/sync` and
320 /// `None` when the lock is disabled. A `watch` cell (not a bus message) so the latest value is
321 /// always readable on demand, never dropped, and never reordered (see the control runner's
322 /// `tka_authority` cell).
323 type Args = (Env, watch::Receiver<Option<Arc<ts_tka::Authority>>>);
324 type Error = Error;
325
326 async fn on_start(
327 (env, tka_authority): Self::Args,
328 slf: ActorRef<Self>,
329 ) -> Result<Self, Self::Error> {
330 env.subscribe::<Arc<ts_control::StateUpdate>>(&slf).await?;
331
332 let (peer_watch, _) = watch::channel(Vec::new());
333
334 Ok(Self {
335 peer_db: PeerDb::default(),
336 pending_requests: Default::default(),
337 seen_state_update: false,
338 peer_watch,
339 user_profiles: HashMap::new(),
340 // The cell starts `None` (no lock synced ⇒ enforcement inactive, admit all, matching
341 // Go's `b.tka == nil`); the control runner flips it to `Some` on the first sync.
342 tka_authority,
343 env,
344 })
345 }
346}
347
348enum Pending {
349 PeerByName(PeerByName, ReplySender<Option<Node>>),
350 AcceptedRoute(PeerByAcceptedRoute, ReplySender<Vec<Node>>),
351 TailnetIp(PeerByTailnetIp, ReplySender<Option<Node>>),
352 Status(ReplySender<Vec<(PeerId, StatusNode)>>),
353 WhoIs(Whois, ReplySender<Option<crate::status::WhoIs>>),
354}
355
356// For messages with arguments, a struct is generated with the args as fields. They aren't
357// documented, and we can't apply attributes directly to the fields. Hence, wrap in a module where
358// docs are turned off everywhere.
359#[allow(missing_docs)]
360mod msg_impl {
361 use std::net::IpAddr;
362
363 use kameo::prelude::DelegatedReply;
364
365 use super::*;
366
367 #[kameo::messages]
368 impl PeerTracker {
369 /// Lookup a peer by name.
370 ///
371 /// Waits until we've received at least one peer update from control.
372 #[message(ctx)]
373 pub async fn peer_by_name(
374 &mut self,
375 ctx: &mut Context<Self, DelegatedReply<Option<Node>>>,
376 name: String,
377 ) -> DelegatedReply<Option<Node>> {
378 let (deleg, sender) = ctx.reply_sender();
379 let Some(sender) = sender else { return deleg };
380
381 if !self.seen_state_update {
382 tracing::debug!(query = name, "no peer state seen yet, queueing request");
383
384 self.pending_requests
385 .push(Pending::PeerByName(PeerByName { name }, sender));
386
387 return deleg;
388 }
389
390 sender.send(self.peer_by_name_opt(&name).cloned());
391
392 deleg
393 }
394
395 /// Lookup all peers that accept packets addressed to the given IP.
396 ///
397 /// This includes the peer's tailnet address and any subnet routes it provides. Only
398 /// the peers with the most specific subnet route match that covers `ip` will be
399 /// returned.
400 ///
401 /// E.g., suppose:
402 ///
403 /// - We're querying for `10.1.2.3`
404 /// - `PeerA` and `PeerB` have accepted routes for `10.1.2.0/24`
405 /// - `PeerC` has an accepted route for `10.1.0.0/16`
406 ///
407 /// Only `PeerA` and `PeerB` will be returned, since they have the most specific
408 /// prefix match.
409 #[message(ctx)]
410 pub fn peer_by_accepted_route(
411 &mut self,
412 ctx: &mut Context<Self, DelegatedReply<Vec<Node>>>,
413 ip: IpAddr,
414 ) -> DelegatedReply<Vec<Node>> {
415 let (deleg, sender) = ctx.reply_sender();
416 let Some(sender) = sender else { return deleg };
417
418 if !self.seen_state_update {
419 tracing::debug!(query = %ip, "no peer state seen yet, queueing request");
420
421 self.pending_requests
422 .push(Pending::AcceptedRoute(PeerByAcceptedRoute { ip }, sender));
423
424 return deleg;
425 }
426
427 sender.send(
428 self.peer_db
429 .get_route(ip.into())
430 .map(|(_id, node)| node.clone())
431 .collect(),
432 );
433
434 deleg
435 }
436
437 /// Lookup the peer that has the given tailnet IP address.
438 #[message(ctx)]
439 pub fn peer_by_tailnet_ip(
440 &mut self,
441 ctx: &mut Context<Self, DelegatedReply<Option<Node>>>,
442 ip: IpAddr,
443 ) -> DelegatedReply<Option<Node>> {
444 let (deleg, sender) = ctx.reply_sender();
445 let Some(sender) = sender else { return deleg };
446
447 if !self.seen_state_update {
448 tracing::debug!(query = %ip, "no peer state seen yet, queueing request");
449
450 self.pending_requests
451 .push(Pending::TailnetIp(PeerByTailnetIp { ip }, sender));
452
453 return deleg;
454 }
455
456 sender.send(self.peer_by_tailnet_ip_opt(ip).cloned());
457
458 deleg
459 }
460
461 /// Build the peer entries of a [`Status`](crate::Status) snapshot, each paired with its
462 /// [`PeerId`] so [`Runtime::status`](crate::Runtime::status) can join per-peer connectivity
463 /// (`cur_addr`/`relay`) from the direct manager before returning. The self node is *not*
464 /// included here (it lives in the control runner); `Runtime::status` combines both and drops
465 /// the ids.
466 ///
467 /// Waits until we've received at least one peer update from control.
468 #[message(ctx)]
469 pub fn get_status(
470 &mut self,
471 ctx: &mut Context<Self, DelegatedReply<Vec<(PeerId, StatusNode)>>>,
472 ) -> DelegatedReply<Vec<(PeerId, StatusNode)>> {
473 let (deleg, sender) = ctx.reply_sender();
474 let Some(sender) = sender else { return deleg };
475
476 if !self.seen_state_update {
477 tracing::debug!("no peer state seen yet, queueing status request");
478 self.pending_requests.push(Pending::Status(sender));
479 return deleg;
480 }
481
482 sender.send(self.status_peers_with_ids());
483
484 deleg
485 }
486
487 /// Return every known peer's full domain [`Node`] (not the lossy [`StatusNode`]).
488 ///
489 /// Used by [`Runtime::file_targets`](crate::Runtime::file_targets), which needs the full node
490 /// (peerAPI address, owning user id, cap map) to compute Taildrop send targets. The self node
491 /// is not included (it lives in the control runner). Returns empty before the first netmap —
492 /// the natural "not connected yet" analog (an immediate answer, no queueing needed: callers
493 /// that need a populated list await `Running` first).
494 #[message]
495 pub fn all_peers(&self) -> Vec<Node> {
496 self.peer_db.peers().values().cloned().collect()
497 }
498
499 /// Resolve which node owns a tailnet source address.
500 ///
501 /// Maps the source IP of `addr` to the owning node via the tailnet-IP index, returning a
502 /// [`WhoIs`](crate::WhoIs). The port is ignored (a tailnet IP uniquely identifies a node).
503 ///
504 /// The resulting [`WhoIs`](crate::WhoIs) carries no user/login or capability data: this
505 /// fork's domain [`Node`] does not retain those wire fields. See the
506 /// [`status`](crate::status) module docs for the gap.
507 ///
508 /// Waits until we've received at least one peer update from control.
509 #[message(ctx)]
510 pub fn whois(
511 &mut self,
512 ctx: &mut Context<Self, DelegatedReply<Option<crate::status::WhoIs>>>,
513 addr: std::net::SocketAddr,
514 ) -> DelegatedReply<Option<crate::status::WhoIs>> {
515 let (deleg, sender) = ctx.reply_sender();
516 let Some(sender) = sender else { return deleg };
517
518 if !self.seen_state_update {
519 tracing::debug!(query = %addr, "no peer state seen yet, queueing whois request");
520 self.pending_requests
521 .push(Pending::WhoIs(Whois { addr }, sender));
522 return deleg;
523 }
524
525 sender.send(self.whois_opt(addr));
526
527 deleg
528 }
529
530 /// Subscribe to netmap peer-change events.
531 ///
532 /// Returns a [`watch::Receiver`] whose value is the current set of peer
533 /// [`StatusNode`]s, updated on every netmap state update from control. Embedders can await
534 /// changes via [`watch::Receiver::changed`] to react to peers joining, leaving, or changing.
535 ///
536 /// The receiver's initial value is the peer set at subscription time (empty before the
537 /// first netmap update). This is a peer-only view; combine with the self node from
538 /// [`Runtime::status`](crate::Runtime::status) when a full snapshot is needed.
539 #[message(derive(Clone))]
540 pub fn watch_netmap(&self) -> watch::Receiver<Vec<StatusNode>> {
541 self.peer_watch.subscribe()
542 }
543 }
544}
545
546pub use msg_impl::*;
547
548#[derive(Debug, Clone)]
549pub(crate) struct PeerState {
550 #[allow(unused)]
551 pub deletions: HashSet<PeerId>,
552 #[allow(unused)]
553 pub upserts: HashSet<PeerId>,
554 pub peers: Arc<PeerDb>,
555}
556
557impl Message<Arc<ts_control::StateUpdate>> for PeerTracker {
558 type Reply = ();
559
560 async fn handle(
561 &mut self,
562 msg: Arc<ts_control::StateUpdate>,
563 _ctx: &mut Context<Self, Self::Reply>,
564 ) {
565 // Accumulate user profiles first — control sends them incrementally and a response may
566 // carry profiles with no peer delta (or peers that reference a profile from an earlier
567 // response), so this must happen before the no-peer-update early return below.
568 for profile in &msg.user_profiles {
569 self.user_profiles.insert(profile.id, profile.clone());
570 }
571
572 // Apply the standalone online/last-seen delta maps (channels C/D, `MapResponse.OnlineChange`
573 // / `PeerSeenChange`). These arrive keyed by control node id and may ride a response that
574 // carries NO `peer_update` (a bare online flip is the common case), so they must be applied
575 // *before* the no-peer-update early return — otherwise online status freezes at the last
576 // full-node/patch value. Each entry only ever *sets* a value (never back to unknown).
577 // Wall clock for a `PeerSeenChange: true` (Go uses `clock.Now()`). chrono is built without
578 // its `clock` feature in this workspace, so derive it from `SystemTime` the same way the
579 // control runner / ssh-policy paths do (unix secs → `DateTime::from_timestamp`).
580 let now = std::time::SystemTime::now()
581 .duration_since(std::time::UNIX_EPOCH)
582 .ok()
583 .and_then(|d| chrono::DateTime::from_timestamp(d.as_secs() as i64, d.subsec_nanos()))
584 .unwrap_or_default();
585 let liveness_changed =
586 self.apply_liveness_changes(&msg.online_change, &msg.peer_seen_change, now);
587
588 if msg.peer_update.is_none() && msg.peer_patches.is_empty() {
589 // No peer set or patch this response. If a liveness delta still mutated the netmap,
590 // publish the refreshed snapshot so watchers (and `GetStatus`) see the new online state.
591 if liveness_changed {
592 self.service_pending_requests();
593 self.peer_watch.send_replace(self.status_peers());
594 if let Err(e) = self
595 .env
596 .publish(Arc::new(PeerState {
597 upserts: HashSet::default(),
598 deletions: HashSet::default(),
599 peers: Arc::new(self.peer_db.clone()),
600 }))
601 .await
602 {
603 tracing::error!(error = %e, "publishing liveness-only peer state update");
604 }
605 }
606 return;
607 }
608
609 // Apply the whole-node peer set (if any) FIRST, then the field-level patches on top —
610 // mirroring Go's `controlclient` order (`Peers*` then `PeersChangedPatch`). A response may
611 // carry either, both, or (with a liveness-only delta) neither. Merge the upsert/deletion sets
612 // so the published `PeerState` reflects every node touched by both passes; a node both
613 // upserted by the set and patched stays in `upserts` (the patch removes it from `deletions`).
614 let (mut upserts, mut deletions) = msg
615 .peer_update
616 .as_ref()
617 .map(|u| self.apply_peer_update(u))
618 .unwrap_or_default();
619
620 if !msg.peer_patches.is_empty() {
621 let (patch_upserts, patch_deletions) = self.apply_peer_patches(&msg.peer_patches);
622 // A patch can evict a node the set just upserted (TKA rejection after key rotation), or
623 // re-admit/patch one not in the set — reconcile so each id lands in exactly one set.
624 for id in &patch_upserts {
625 deletions.remove(id);
626 }
627 for id in &patch_deletions {
628 upserts.remove(id);
629 }
630 upserts.extend(patch_upserts);
631 deletions.extend(patch_deletions);
632 }
633
634 tracing::debug!(
635 n_upsert = upserts.len(),
636 n_delete = deletions.len(),
637 peer_count = self.peer_db.peers().len(),
638 "new peer state"
639 );
640
641 self.service_pending_requests();
642
643 // Publish the latest peer snapshot to netmap watchers. `send_replace` keeps the receiver's
644 // value current even when there are no subscribers, so a late subscriber sees fresh state.
645 self.peer_watch.send_replace(self.status_peers());
646
647 if let Err(e) = self
648 .env
649 .publish(Arc::new(PeerState {
650 upserts,
651 deletions,
652 peers: Arc::new(self.peer_db.clone()),
653 }))
654 .await
655 {
656 tracing::error!(error = %e, "publishing peer state update");
657 }
658 }
659}
660
661/// Ask the peer tracker to re-broadcast its current peer snapshot on the bus, without any peer
662/// change. Sent after a runtime preference change so the route updater and source filter (both
663/// `Arc<PeerState>` subscribers) re-resolve against the new value immediately, rather than waiting
664/// for the next netmap update: `Device::set_exit_node` (new exit-node selector) and
665/// `Device::set_accept_routes` (new accept-routes flag) both send it.
666#[derive(Debug, Clone, Copy)]
667pub struct RepublishState;
668
669impl Message<RepublishState> for PeerTracker {
670 type Reply = ();
671
672 async fn handle(&mut self, _msg: RepublishState, _ctx: &mut Context<Self, Self::Reply>) {
673 // An empty upsert/deletion set: this is a re-broadcast of the unchanged peer set, not a
674 // delta. Subscribers recompute their routes/filters against the current peers and the
675 // (just-updated) runtime preferences (exit-node selector, accept-routes flag).
676 if let Err(e) = self
677 .env
678 .publish(Arc::new(PeerState {
679 upserts: HashSet::default(),
680 deletions: HashSet::default(),
681 peers: Arc::new(self.peer_db.clone()),
682 }))
683 .await
684 {
685 tracing::error!(error = %e, "re-publishing peer state after a runtime preference change");
686 }
687 }
688}
689
690impl PeerTracker {
691 /// Apply a single [`PeerUpdate`](ts_control::PeerUpdate) to the peer db, enforcing the
692 /// Tailnet-Lock peer-trust chokepoint ([`tka_admits`](Self::tka_admits)) at every upsert site.
693 ///
694 /// This is the **single source of truth** for the peer-trust enforcement loop: the actor's
695 /// netmap [`handle`](Message::handle) calls it, and so do the TKA enforcement tests, so the two
696 /// real upsert sites (`Full` and `Delta { upsert }`) cannot diverge from what is tested.
697 ///
698 /// Returns `(upserts, deletions)` — the [`PeerId`]s touched — for downstream bookkeeping.
699 fn apply_peer_update(
700 &mut self,
701 peer_update: &ts_control::PeerUpdate,
702 ) -> (HashSet<PeerId>, HashSet<PeerId>) {
703 let mut upserts = HashSet::default();
704 let mut deletions = HashSet::default();
705
706 match peer_update {
707 ts_control::PeerUpdate::Full(new_nodes) => {
708 tracing::trace!("full peer update");
709
710 // Borrow the authority ONCE for the whole batch and verify each peer EXACTLY once
711 // (Go runs `tkaFilterNetmapLocked` once over the assembled netmap; an earlier draft
712 // verified every peer twice — once for `retained_ids`, once in the upsert loop —
713 // doubling the ed25519 cost on the hot resync path). The per-node verdict vector
714 // `admits` is computed once and drives both the `retain` (evict revoked peers, keyed
715 // by stable_id) and the upsert loop (skip rejected peers, by the node's OWN verdict).
716 // Keeping a per-node verdict (not just a stable_id set) means a node whose own
717 // signature fails is never admitted on the strength of a different node that happens
718 // to share its stable_id — matching the old per-node re-verify for that degenerate
719 // (malformed-control) input.
720 //
721 // Revocation evicts: a peer re-included with a now-invalid/missing signature under an
722 // active authority fails its verdict, so it is excluded from `retained_ids` and
723 // `retain` drops the stale (previously-admitted) entry. With no authority the snapshot
724 // is `None`, so every node passes — byte-for-byte the pre-TKA behavior (no regression).
725 let authority = self.tka_authority_snapshot();
726 let verdicts = new_nodes
727 .iter()
728 .map(|node| Self::tka_snapshot_admits(authority.as_deref(), node))
729 .collect::<Vec<_>>();
730
731 // Cross-peer rotation filter (Go `rotationTracker`): from the SAME verify pass above,
732 // feed every admitted, rotation-signed peer's details to the tracker, then drop any
733 // peer presenting a node key a newer rotation has superseded (or a tied clone). This
734 // is whole-netmap by nature — one peer's chain obsoletes another's key — so it lives
735 // here, not in the per-peer verdict, matching Go's single pass over `nm.Peers`.
736 let mut rotation = RotationTracker::default();
737 for (node, verdict) in new_nodes.iter().zip(&verdicts) {
738 if verdict.admitted
739 && let Some(details) = &verdict.rotation
740 {
741 rotation.add(node.node_key.to_bytes().to_vec(), details);
742 }
743 }
744 let obsolete = rotation.obsolete_keys();
745
746 // Final per-node keep verdict: admitted by the per-peer check AND not rotation-obsolete.
747 // Drives both the `retain` (evict) and the upsert loop, so a node whose own signature
748 // fails — or whose key was rotated away — is never admitted on the strength of a
749 // stable_id twin.
750 let keep = new_nodes
751 .iter()
752 .zip(&verdicts)
753 .map(|(node, v)| {
754 // `contains` takes `&[u8]` (HashSet<Vec<u8>> borrows as a slice) — no alloc.
755 v.admitted && !obsolete.contains(&node.node_key.to_bytes()[..])
756 })
757 .collect::<Vec<bool>>();
758
759 // `retained_ids` is the set of stable_ids that survive (drives `retain` to evict the
760 // rest). It must agree with what the upsert loop below will leave in the db. Control
761 // should never send two distinct nodes with the same `stable_id` in one `Full`, but if
762 // it does, `peer_db.upsert` is last-writer-wins on `stable_id`, so the db ends holding
763 // the LAST kept node for that id. Build `retained_ids` from kept nodes only — a
764 // stable_id is retained iff at least one of its (possibly duplicate) nodes is kept, so
765 // the upsert loop's last-kept node lands and `retain` never evicts a just-upserted id.
766 let retained_ids = new_nodes
767 .iter()
768 .zip(keep.iter().copied())
769 .filter(|(_, k)| *k)
770 .map(|(node, _)| &node.stable_id)
771 .collect::<HashSet<_>>();
772
773 // Isolation diagnostic: an ACTIVE lock that authorized none of the offered peers
774 // leaves this node with no peers — surface it loudly so a self-lockout (vs an attack)
775 // is diagnosable. `authority.is_some()` means a real keyed lock (the empty-keyset
776 // brick-guard admits-all, so it never reaches here with zero retained).
777 if authority.is_some() && !new_nodes.is_empty() && retained_ids.is_empty() {
778 tracing::error!(
779 offered = new_nodes.len(),
780 "TKA: active lock authorized ZERO of the offered peers; node is isolated \
781 (verify the lock state, or disable tailnet lock to recover)"
782 );
783 }
784
785 self.peer_db.retain(|id, peer| {
786 let retain = retained_ids.contains(&peer.stable_id);
787
788 if !retain {
789 deletions.insert(id);
790 }
791
792 retain
793 });
794
795 for (node, k) in new_nodes.iter().zip(keep.iter().copied()) {
796 if !k {
797 continue; // fail-CLOSED: rejected by tailnet lock or rotation-obsolete (above)
798 }
799 let peer_id = self.peer_db.upsert(node);
800 upserts.insert(peer_id);
801 }
802 }
803
804 ts_control::PeerUpdate::Delta { remove, upsert } => {
805 tracing::trace!("delta peer update");
806
807 for peer in upsert {
808 if !self.tka_admits(peer) {
809 // fail-CLOSED: do not upsert a peer rejected by tailnet lock. If the peer is
810 // ALREADY in the db (a delta re-upserting an existing peer whose signature is
811 // now invalid — e.g. revoked between syncs), evict the stale entry rather than
812 // leaving an unverified peer admitted; Go re-filters the whole netmap each map
813 // response, so a now-unsigned peer would not survive there either.
814 if let Some((id, _)) = self.peer_db.remove(&peer.stable_id) {
815 tracing::warn!(
816 stable_id = ?peer.stable_id,
817 "TKA: delta re-upsert rejected; evicting now-unauthorized peer"
818 );
819 deletions.insert(id);
820 }
821 continue;
822 }
823 let id = self.peer_db.upsert(peer);
824
825 upserts.insert(id);
826 }
827
828 for peer in remove {
829 let Some((id, _node)) = self.peer_db.remove(peer) else {
830 // A benign, expected race: the peer may already be gone (dropped in a prior
831 // `Full`, or fail-closed by TKA — whose now-"unknown" ids commonly reappear in
832 // a trailing `peers_removed`). Go treats an unknown removal as a no-op; log at
833 // debug, not error, to avoid false-alarm noise on a healthy node (matches the
834 // unknown-node handling in `apply_peer_patches`).
835 tracing::debug!(
836 control_node_id = peer,
837 "removed peer was unknown; ignoring"
838 );
839 continue;
840 };
841
842 deletions.insert(id);
843 }
844 }
845 }
846
847 (upserts, deletions)
848 }
849
850 /// Apply field-level peer patches (`MapResponse.PeersChangedPatch`), returning the upserted /
851 /// deleted [`PeerId`]s.
852 ///
853 /// This is a SEPARATE channel from [`apply_peer_update`](Self::apply_peer_update): Go's
854 /// `controlclient` applies the whole-node `Peers*` set first and then `PeersChangedPatch`, so a
855 /// response that carries both has the peer set applied first (by the caller) and these patches
856 /// applied second, on top of the freshly-synced nodes. A patch only mutates a peer already in the
857 /// netmap; an unknown node id is ignored (the wire contract — a patch never creates a node).
858 fn apply_peer_patches(
859 &mut self,
860 patches: &[ts_control::PeerChange],
861 ) -> (HashSet<PeerId>, HashSet<PeerId>) {
862 let mut upserts = HashSet::default();
863 let mut deletions = HashSet::default();
864
865 tracing::trace!(n = patches.len(), "peer patch update");
866
867 for patch in patches {
868 // Clone the current node, apply the present fields, and re-upsert through the same path
869 // as a delta so indexes/routes stay consistent.
870 let Some((_id, existing)) = self.peer_db.get(&patch.id) else {
871 tracing::debug!(
872 control_node_id = patch.id,
873 "peer patch for unknown node; ignoring"
874 );
875 continue;
876 };
877
878 let mut node = existing.clone();
879 if let Some(endpoints) = &patch.underlay_addresses {
880 node.underlay_addresses = endpoints.clone();
881 }
882 if let Some(derp) = patch.derp_region {
883 node.derp_region = Some(derp);
884 }
885 if let Some(cap) = patch.cap {
886 node.cap = cap;
887 }
888 if let Some(cap_map) = &patch.cap_map {
889 node.cap_map = cap_map.clone();
890 }
891 if let Some(disco_key) = patch.disco_key {
892 node.disco_key = Some(disco_key);
893 }
894 if let Some(expiry) = patch.node_key_expiry {
895 node.node_key_expiry = Some(expiry);
896 }
897 // Online/last-seen liveness deltas (`PeerChange.Online`/`LastSeen`) — the dominant
898 // channel by which peer online transitions arrive mid-session. A patch only ever *sets*
899 // a value (never patches back to unknown), so apply when present.
900 if let Some(online) = patch.online {
901 node.online = Some(online);
902 }
903 if let Some(last_seen) = patch.last_seen {
904 node.last_seen = Some(last_seen);
905 }
906 // Key rotation: a patch may swap the node key (and its TKA signature). Apply both
907 // together so the trust gate below verifies the new signature against the new key, never
908 // a mismatched pair.
909 if let Some(node_key) = patch.node_key {
910 node.node_key = node_key;
911 }
912 if let Some(sig) = &patch.key_signature {
913 node.key_signature = sig.clone();
914 }
915
916 // Re-run the tailnet-lock gate on the patched node: a patch that rotates the key must
917 // satisfy the active authority, exactly like a `Delta` upsert, or it would be a
918 // trust-enforcement bypass. fail-CLOSED — if the patched node is no longer admitted,
919 // evict it rather than keep the stale (now-unverified) entry.
920 if !self.tka_admits(&node) {
921 if let Some((id, _)) = self.peer_db.remove(&patch.id) {
922 tracing::warn!(
923 control_node_id = patch.id,
924 "peer patch rejected by tailnet lock; evicting peer"
925 );
926 deletions.insert(id);
927 }
928 continue;
929 }
930
931 let id = self.peer_db.upsert(&node);
932 upserts.insert(id);
933 }
934
935 (upserts, deletions)
936 }
937
938 /// Apply the standalone online/last-seen delta maps (`MapResponse.OnlineChange` /
939 /// `PeerSeenChange`, channels C/D) onto the retained netmap. Returns `true` if any node was
940 /// actually mutated (so the caller knows whether to re-publish).
941 ///
942 /// Mirrors Go `controlclient/map.go:updatePeersStateFromResponse` (the two channels are
943 /// semantically DISTINCT and must not be conflated):
944 /// - `OnlineChange` (channel C) is the sole driver of a peer's `online` flag (`mut.Online = v`).
945 /// - `PeerSeenChange` (channel D) is the sole driver of `last_seen`: `true ⇒ LastSeen = now`,
946 /// `false ⇒ LastSeen = nil` (cleared). It NEVER touches `online` — "not seen recently" is not
947 /// the same as "offline", which only `OnlineChange` asserts.
948 ///
949 /// Each entry is keyed by control node id and applies to a peer already in the netmap; an unknown
950 /// node id is ignored (these maps never create a node). `now` is the wall-clock timestamp for a
951 /// `PeerSeenChange: true` (Go uses `clock.Now()`); the caller passes it so this stays a pure
952 /// function of its inputs. Returns `true` if any node was actually mutated.
953 fn apply_liveness_changes(
954 &mut self,
955 online_change: &std::collections::BTreeMap<ts_control::NodeId, bool>,
956 peer_seen_change: &std::collections::BTreeMap<ts_control::NodeId, bool>,
957 now: chrono::DateTime<chrono::Utc>,
958 ) -> bool {
959 let mut changed = false;
960
961 // Channel C — direct online flips (the only writer of `online`).
962 for (&node_id, &online) in online_change {
963 if let Some((_pid, existing)) = self.peer_db.get(&node_id)
964 && existing.online != Some(online)
965 {
966 let mut node = existing.clone();
967 node.online = Some(online);
968 self.peer_db.upsert(&node);
969 changed = true;
970 }
971 }
972
973 // Channel D — peer-seen flips (the only writer of `last_seen`; never touches `online`).
974 // `true` ⇒ last-seen is now; `false` ⇒ last-seen cleared (Go map.go:820-830).
975 for (&node_id, &seen) in peer_seen_change {
976 let new_last_seen = if seen { Some(now) } else { None };
977 if let Some((_pid, existing)) = self.peer_db.get(&node_id)
978 && existing.last_seen != new_last_seen
979 {
980 let mut node = existing.clone();
981 node.last_seen = new_last_seen;
982 self.peer_db.upsert(&node);
983 changed = true;
984 }
985 }
986
987 changed
988 }
989
990 /// Test-only constructor: build a [`PeerTracker`] with a chosen initial TKA authority without
991 /// going through the actor `on_start` path. Returns the tracker plus the **`watch::Sender`** for
992 /// its enforcement-authority cell, so a test can drive the exact enable/disable transitions the
993 /// control runner drives at runtime (`tx.send_replace(Some(..))` ⇒ enforce, `tx.send_replace(None)`
994 /// ⇒ clear). The initial `Some` exercises the fail-closed chokepoint
995 /// ([`tka_admits`](Self::tka_admits)); `None` is the no-lock admit-all path. The returned sender
996 /// must be kept alive for the tracker to read updated values.
997 #[cfg(test)]
998 fn for_test(
999 env: Env,
1000 tka_authority: Option<ts_tka::Authority>,
1001 ) -> (Self, watch::Sender<Option<Arc<ts_tka::Authority>>>) {
1002 let (peer_watch, _) = watch::channel(Vec::new());
1003 let (tka_tx, tka_rx) = watch::channel(tka_authority.map(Arc::new));
1004 let tracker = Self {
1005 peer_db: PeerDb::default(),
1006 seen_state_update: false,
1007 pending_requests: Vec::new(),
1008 peer_watch,
1009 user_profiles: HashMap::new(),
1010 tka_authority: tka_rx,
1011 env,
1012 };
1013 (tracker, tka_tx)
1014 }
1015
1016 fn service_pending_requests(&mut self) {
1017 if self.seen_state_update {
1018 return;
1019 }
1020
1021 self.seen_state_update = true;
1022
1023 if !self.pending_requests.is_empty() {
1024 tracing::debug!(
1025 n_pending = self.pending_requests.len(),
1026 "state update received, servicing pending requests"
1027 );
1028 }
1029
1030 for req in core::mem::take(&mut self.pending_requests) {
1031 match req {
1032 Pending::PeerByName(PeerByName { name }, reply) => {
1033 reply.send(self.peer_by_name_opt(&name).cloned());
1034 }
1035 Pending::TailnetIp(PeerByTailnetIp { ip }, reply) => {
1036 reply.send(self.peer_by_tailnet_ip_opt(ip).cloned());
1037 }
1038 Pending::AcceptedRoute(PeerByAcceptedRoute { ip }, reply) => {
1039 reply.send(
1040 self.peer_db
1041 .get_route(ip.into())
1042 .map(|(_id, node)| node.clone())
1043 .collect(),
1044 );
1045 }
1046 Pending::Status(reply) => {
1047 reply.send(self.status_peers_with_ids());
1048 }
1049 Pending::WhoIs(Whois { addr }, reply) => {
1050 reply.send(self.whois_opt(addr));
1051 }
1052 }
1053 }
1054 }
1055}
1056
1057#[cfg(test)]
1058mod tka_tests {
1059 //! Tailnet-Lock (TKA) enforcement tests for the peer-trust chokepoint.
1060 //!
1061 //! These exercise [`PeerTracker::tka_admits`] and the `tka_admits ⇒ upsert` loop the netmap
1062 //! handler runs. The test [`ts_tka::Authority`] is built with [`ts_tka::Authority::from_state`]
1063 //! over a known Ed25519 trusted key, and the signed node-key signature CBOR is produced through
1064 //! `ts_tka`'s public `cbor` encoder + `aum_hash` (the exact same canonical bytes `ts_tka`'s own
1065 //! `direct_signature_verifies_end_to_end` test signs, with no new crypto vectors invented and no
1066 //! private `ts_tka` API used).
1067
1068 use ed25519_dalek::{Signer, SigningKey};
1069 use ts_control::{Node, StableNodeId, TailnetAddress};
1070 use ts_tka::{
1071 AumHash, Authority, Key, KeyKind, State,
1072 cbor::{self, Value},
1073 };
1074
1075 use super::*;
1076
1077 /// `SigKind::Direct` wire value (Go `SigKind`; `ts_tka::SigKind::Direct = 1`).
1078 const SIG_KIND_DIRECT: u64 = 1;
1079
1080 /// The 32-byte node key used across the signed-peer fixtures.
1081 const NODE_KEY_BYTES: [u8; 32] = [7u8; 32];
1082
1083 /// Build a real [`Env`] for the tracker. Only the bus/keys/shutdown plumbing matters here; the
1084 /// TKA gate reads neither, so the forwarding preferences are all benign defaults.
1085 fn test_env() -> Env {
1086 let (_shutdown_tx, shutdown_rx) = watch::channel(false);
1087 Env::new(
1088 ts_keys::NodeState::generate(),
1089 shutdown_rx,
1090 crate::env::ForwarderConfig {
1091 accept_routes: false,
1092 accept_dns: true,
1093 exit_node: None,
1094 forward_routes: Vec::new(),
1095 forward_tcp_ports: Vec::new(),
1096 forward_udp_ports: Vec::new(),
1097 forward_all_ports: false,
1098 forward_exit_egress: false,
1099 block_incoming: false,
1100 exit_proxy: None,
1101 peerapi_port: None,
1102 taildrop_dir: None,
1103 enable_ipv6: false,
1104 wireguard_listen_port: None,
1105 network_monitor: false,
1106 persistent_keepalive_interval: None,
1107 ingress_active: std::sync::Arc::new(std::sync::atomic::AtomicBool::new(false)),
1108 },
1109 )
1110 }
1111
1112 /// A minimal peer [`Node`] carrying `node_key` and the given `key_signature`.
1113 fn peer_node(stable_id: &str, node_key: [u8; 32], key_signature: Vec<u8>) -> Node {
1114 Node {
1115 id: 1,
1116 stable_id: StableNodeId(stable_id.to_string()),
1117 hostname: stable_id.to_string(),
1118 user_id: 0,
1119 tailnet: Some("ts.net".to_string()),
1120 tags: Vec::new(),
1121 tailnet_address: TailnetAddress {
1122 ipv4: "100.64.0.1/32".parse().unwrap(),
1123 ipv6: "fd7a:115c:a1e0::1/128".parse().unwrap(),
1124 },
1125 node_key: node_key.into(),
1126 node_key_expiry: None,
1127 online: None,
1128 last_seen: None,
1129 key_signature,
1130 machine_key: None,
1131 disco_key: None,
1132 accepted_routes: Vec::new(),
1133 underlay_addresses: Vec::new(),
1134 derp_region: None,
1135 cap: Default::default(),
1136 cap_map: Default::default(),
1137 peerapi_port: None,
1138 peerapi_dns_proxy: false,
1139 is_wireguard_only: false,
1140 exit_node_dns_resolvers: Vec::new(),
1141 peer_relay: false,
1142 ssh_host_keys: Vec::new(),
1143 service_vips: Default::default(),
1144 }
1145 }
1146
1147 /// Encode a `Direct` [`ts_tka::NodeKeySignature`] CBOR exactly as `ts_tka`'s private `to_cbor`
1148 /// does (int-map keys: 1=kind, 2=pubkey, 3=key_id, 4=signature; empty byte fields omitted),
1149 /// using only the crate's *public* `cbor` encoder. `signature` of `None` produces the
1150 /// signing-digest preimage (the `SigHash` form).
1151 fn direct_sig_cbor(node_key: &[u8], key_id: &[u8], signature: Option<&[u8]>) -> Vec<u8> {
1152 let mut pairs = alloc_pairs(node_key, key_id);
1153 if let Some(sig) = signature {
1154 pairs.push((4, Some(Value::Bytes(sig.to_vec()))));
1155 }
1156 cbor::int_map(pairs).to_vec()
1157 }
1158
1159 fn alloc_pairs(node_key: &[u8], key_id: &[u8]) -> Vec<(u64, Option<Value>)> {
1160 vec![
1161 (1, Some(Value::Uint(SIG_KIND_DIRECT))),
1162 (2, Some(Value::Bytes(node_key.to_vec()))),
1163 (3, Some(Value::Bytes(key_id.to_vec()))),
1164 ]
1165 }
1166
1167 /// Build a TKA [`Authority`] that trusts `signing.verifying_key()`, plus a valid `Direct`
1168 /// node-key signature CBOR authorizing [`NODE_KEY_BYTES`] under it.
1169 fn authority_and_valid_sig() -> (Authority, Vec<u8>) {
1170 // A fixed, known Ed25519 trusted key (mirrors ts_tka's own end-to-end test seed).
1171 let signing = SigningKey::from_bytes(&[42u8; 32]);
1172 let trusted_pub = signing.verifying_key().to_bytes().to_vec();
1173
1174 let authority = Authority::from_state(
1175 AumHash([0; 32]),
1176 State {
1177 keys: vec![Key {
1178 kind: KeyKind::Ed25519,
1179 votes: 1,
1180 public: trusted_pub.clone(),
1181 }],
1182 },
1183 );
1184
1185 // SigHash preimage = canonical CBOR with the signature field omitted; sign its blake2s hash.
1186 let preimage = direct_sig_cbor(&NODE_KEY_BYTES, &trusted_pub, None);
1187 let sig_hash = ts_tka::aum_hash(&preimage).0;
1188 let signature = signing.sign(&sig_hash).to_bytes().to_vec();
1189
1190 let signed_cbor = direct_sig_cbor(&NODE_KEY_BYTES, &trusted_pub, Some(&signature));
1191 // Sanity: the authority accepts the signature we just built (same path the gate uses).
1192 assert!(
1193 authority
1194 .node_key_authorized(&NODE_KEY_BYTES, &signed_cbor)
1195 .is_ok()
1196 );
1197
1198 (authority, signed_cbor)
1199 }
1200
1201 #[tokio::test]
1202 async fn tka_inactive_upserts_all_peers() {
1203 // No authority ⇒ enforcement inactive ⇒ both a signed and an unsigned peer are admitted.
1204 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1205
1206 let signed = peer_node("signed", [1u8; 32], vec![0xde, 0xad, 0xbe, 0xef]);
1207 let unsigned = peer_node("unsigned", [2u8; 32], vec![]);
1208
1209 assert!(tracker.tka_admits(&signed));
1210 assert!(tracker.tka_admits(&unsigned));
1211
1212 tracker.peer_db.upsert(&signed);
1213 tracker.peer_db.upsert(&unsigned);
1214 assert_eq!(tracker.peer_db.peers().len(), 2);
1215 }
1216
1217 #[tokio::test]
1218 async fn tka_active_rejects_unsigned_peer() {
1219 // Authority present + peer presents no signature ⇒ rejected (fail-closed), not in peer_db.
1220 let (authority, _sig) = authority_and_valid_sig();
1221 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1222
1223 let unsigned = peer_node("unsigned", NODE_KEY_BYTES, vec![]);
1224 assert!(!tracker.tka_admits(&unsigned));
1225
1226 // Mirror the handler's `if !tka_admits { continue }` loop.
1227 if tracker.tka_admits(&unsigned) {
1228 tracker.peer_db.upsert(&unsigned);
1229 }
1230 assert_eq!(tracker.peer_db.peers().len(), 0);
1231 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1232 }
1233
1234 #[tokio::test]
1235 async fn tka_active_rejects_bad_signature() {
1236 // Authority present + a signature that fails to verify ⇒ rejected, not in peer_db.
1237 let (authority, mut sig) = authority_and_valid_sig();
1238 // Tamper the last byte (the trailing signature byte) so verification fails.
1239 let last = sig.len() - 1;
1240 sig[last] ^= 0xff;
1241
1242 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1243 let bad = peer_node("bad", NODE_KEY_BYTES, sig);
1244 assert!(!tracker.tka_admits(&bad));
1245
1246 if tracker.tka_admits(&bad) {
1247 tracker.peer_db.upsert(&bad);
1248 }
1249 assert_eq!(tracker.peer_db.peers().len(), 0);
1250 }
1251
1252 #[tokio::test]
1253 async fn tka_active_admits_authorized_peer() {
1254 // Authority present + correctly-signed node key ⇒ admitted and upserted.
1255 let (authority, sig) = authority_and_valid_sig();
1256 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1257
1258 let good = peer_node("good", NODE_KEY_BYTES, sig);
1259 assert!(tracker.tka_admits(&good));
1260
1261 if tracker.tka_admits(&good) {
1262 tracker.peer_db.upsert(&good);
1263 }
1264 assert_eq!(tracker.peer_db.peers().len(), 1);
1265 assert!(tracker.peer_db.get(&good.node_key).is_some());
1266 }
1267
1268 // ---------------------------------------------------------------------------------------------
1269 // Tests that drive REAL `PeerUpdate`s through the shared handler body
1270 // ([`PeerTracker::apply_peer_update`], the single source of truth the actor's netmap `handle`
1271 // also calls), so the two real upsert sites (`Full` and `Delta { upsert }`) are exercised via
1272 // the actual enforcement path — not by hand-mirroring `if !tka_admits { continue }`.
1273 // ---------------------------------------------------------------------------------------------
1274
1275 #[tokio::test]
1276 async fn tka_active_delta_upsert_rejects_unauthorized() {
1277 // Drive a real `Delta { upsert }` whose peer carries no signature. The Delta upsert site
1278 // must reject it under an active authority ⇒ not present in peer_db after the handler runs.
1279 let (authority, _sig) = authority_and_valid_sig();
1280 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1281
1282 let unsigned = peer_node("unsigned", NODE_KEY_BYTES, vec![]);
1283 let update = ts_control::PeerUpdate::Delta {
1284 upsert: vec![unsigned.clone()],
1285 remove: Vec::new(),
1286 };
1287
1288 tracker.apply_peer_update(&update);
1289
1290 assert_eq!(tracker.peer_db.peers().len(), 0);
1291 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1292 }
1293
1294 #[tokio::test]
1295 async fn tka_active_delta_upsert_admits_authorized() {
1296 // Drive a real `Delta { upsert }` with a correctly-signed peer ⇒ present in peer_db.
1297 let (authority, sig) = authority_and_valid_sig();
1298 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1299
1300 let good = peer_node("good", NODE_KEY_BYTES, sig);
1301 let update = ts_control::PeerUpdate::Delta {
1302 upsert: vec![good.clone()],
1303 remove: Vec::new(),
1304 };
1305
1306 tracker.apply_peer_update(&update);
1307
1308 assert_eq!(tracker.peer_db.peers().len(), 1);
1309 assert!(tracker.peer_db.get(&good.node_key).is_some());
1310 }
1311
1312 #[tokio::test]
1313 async fn tka_active_full_admits_only_authorized_in_mixed_batch() {
1314 // Drive a real `Full` carrying a MIX of authorized + unauthorized peers. Only the
1315 // correctly-signed peer survives the Full upsert site; the unsigned and bad-sig peers are
1316 // dropped fail-closed.
1317 let (authority, sig) = authority_and_valid_sig();
1318 // A bad-sig variant of the same authorized signature (tamper the trailing byte).
1319 let mut bad_sig = sig.clone();
1320 let last = bad_sig.len() - 1;
1321 bad_sig[last] ^= 0xff;
1322
1323 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1324
1325 // Only the authorized peer carries NODE_KEY_BYTES (the key the authority signed); the
1326 // rejected peers use distinct node keys so the survivor is unambiguous.
1327 let good = peer_node("good", NODE_KEY_BYTES, sig);
1328 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1329 let bad = peer_node("bad", [9u8; 32], bad_sig);
1330
1331 let update =
1332 ts_control::PeerUpdate::Full(vec![good.clone(), unsigned.clone(), bad.clone()]);
1333
1334 tracker.apply_peer_update(&update);
1335
1336 assert_eq!(tracker.peer_db.peers().len(), 1);
1337 assert!(tracker.peer_db.get(&good.node_key).is_some());
1338 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1339 assert!(tracker.peer_db.get(&bad.node_key).is_none());
1340 }
1341
1342 /// End-to-end through the REAL enforcement-authority transport (the `watch` cell the control
1343 /// runner writes), not a direct field poke: writing `Some(authority)` flips enforcement on so a
1344 /// mixed batch drops the unsigned/bad peers, and a subsequent `None` (lock disabled) clears
1345 /// enforcement so a peer DROPPED while enforced is re-admitted. Exercises the exact `borrow`-based
1346 /// read path `tka_admits` uses — a broken receiver wiring would pass every for_test-field test but
1347 /// fail here.
1348 #[tokio::test]
1349 async fn tka_authority_watch_enables_then_clears_enforcement() {
1350 let (authority, sig) = authority_and_valid_sig();
1351 let mut bad_sig = sig.clone();
1352 let last = bad_sig.len() - 1;
1353 bad_sig[last] ^= 0xff;
1354
1355 let (mut tracker, tka_tx) = PeerTracker::for_test(test_env(), None);
1356
1357 // 1) No authority yet ⇒ admit-all (Go b.tka == nil).
1358 let good = peer_node("good", NODE_KEY_BYTES, sig.clone());
1359 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1360 let bad = peer_node("bad", [9u8; 32], bad_sig);
1361 let batch = ts_control::PeerUpdate::Full(vec![good.clone(), unsigned.clone(), bad.clone()]);
1362 tracker.apply_peer_update(&batch);
1363 assert_eq!(tracker.peer_db.peers().len(), 3, "no lock ⇒ admit all");
1364
1365 // 2) Publish the verified authority over the watch cell (exactly what the control runner does
1366 // on a successful sync) ⇒ enforcement ON. A re-applied Full now drops unsigned + bad.
1367 tka_tx.send_replace(Some(Arc::new(authority)));
1368 tracker.apply_peer_update(&batch);
1369 assert_eq!(
1370 tracker.peer_db.peers().len(),
1371 1,
1372 "lock active ⇒ only the signed peer survives"
1373 );
1374 assert!(tracker.peer_db.get(&good.node_key).is_some());
1375 assert!(tracker.peer_db.get(&unsigned.node_key).is_none());
1376 assert!(tracker.peer_db.get(&bad.node_key).is_none());
1377
1378 // 3) Lock disabled (None) ⇒ enforcement cleared ⇒ a peer that was DROPPED while enforced is
1379 // re-admitted by a fresh netmap. Assert the specific previously-dropped key returns (not
1380 // merely a count), so this proves the drop→clear→re-admit transition, not "admit-all-fresh".
1381 tka_tx.send_replace(None);
1382 tracker.apply_peer_update(&batch);
1383 assert_eq!(
1384 tracker.peer_db.peers().len(),
1385 3,
1386 "lock disabled ⇒ admit all again"
1387 );
1388 assert!(
1389 tracker.peer_db.get(&unsigned.node_key).is_some(),
1390 "the peer dropped under enforcement must come back once the lock is cleared"
1391 );
1392 assert!(tracker.peer_db.get(&bad.node_key).is_some());
1393 }
1394
1395 /// Degenerate input: two DISTINCT nodes sharing one `stable_id` in a single `Full`, one with a
1396 /// valid signature and one unsigned, under an active lock. Each node is judged by its OWN verdict
1397 /// (the per-node `admits` vector), so the unsigned node is never admitted on the strength of its
1398 /// signed twin. The single-verify `Full` refactor keeps this per-node semantics (a stable_id-set
1399 /// alone would have admitted whichever node was upserted last). Malformed control input; asserted
1400 /// only to lock the verdict-per-node behavior against regression.
1401 #[tokio::test]
1402 async fn tka_full_duplicate_stable_id_judges_each_node_on_its_own_signature() {
1403 let (authority, sig) = authority_and_valid_sig();
1404 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1405
1406 // Both carry stable_id "dup"; the signed one authorizes NODE_KEY_BYTES, the other is unsigned
1407 // and uses a different node key. Order them unsigned-last so a last-writer-wins stable_id set
1408 // would (wrongly) leave the unsigned node's key in the db.
1409 let signed = peer_node("dup", NODE_KEY_BYTES, sig);
1410 let unsigned = peer_node("dup", [8u8; 32], vec![]);
1411 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1412 signed.clone(),
1413 unsigned.clone(),
1414 ]));
1415
1416 // The unsigned node's own verdict failed, so its key must NOT be present, regardless of the
1417 // shared stable_id. (The signed twin retained the stable_id; the db holds the signed key.)
1418 assert!(
1419 tracker.peer_db.get(&unsigned.node_key).is_none(),
1420 "a node whose own signature fails must not be admitted via a stable_id twin"
1421 );
1422 assert!(tracker.peer_db.get(&signed.node_key).is_some());
1423 }
1424
1425 /// Full-path consistency under two KEPT nodes sharing a `stable_id`: `peer_db.upsert` is
1426 /// last-writer-wins on `stable_id`, so the db ends holding exactly one node for that id (the last
1427 /// kept), and `retain` never evicts that just-upserted id (`retained_ids` contains the shared id
1428 /// because at least one of its nodes was kept). No lock here, so both nodes are "kept". This pins
1429 /// the published-state invariant the whole-surface audit flagged: `retain` and the upsert loop
1430 /// agree on the surviving stable_id. Malformed control input; asserted for robustness.
1431 #[tokio::test]
1432 async fn tka_full_duplicate_stable_id_both_kept_is_consistent() {
1433 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1434 let first = peer_node("dup", [1u8; 32], vec![]);
1435 let last = peer_node("dup", [2u8; 32], vec![]);
1436 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1437 first.clone(),
1438 last.clone(),
1439 ]));
1440
1441 // Exactly one db entry for the shared stable_id, holding the LAST node (upsert is
1442 // last-writer-wins on stable_id); the first node's key was transparently superseded.
1443 assert_eq!(
1444 tracker.peer_db.peers().len(),
1445 1,
1446 "one entry for the shared stable_id"
1447 );
1448 assert!(
1449 tracker.peer_db.get(&last.node_key).is_some(),
1450 "the db holds the last-upserted node for the shared id"
1451 );
1452 assert!(
1453 tracker.peer_db.get(&first.node_key).is_none(),
1454 "the first node's key was superseded by the last at the shared id"
1455 );
1456 }
1457
1458 /// A peer admitted in one `Full`, then in a later `Full` presenting a key that a co-resident
1459 /// peer's rotation chain has rotated away, is EVICTED — the cross-peer rotation filter applies on
1460 /// every resync, not only at first admission. Exercises the rotation filter through two
1461 /// sequential `Full` updates with real signing.
1462 #[tokio::test]
1463 async fn tka_full_rotation_obsolete_evicts_on_resync() {
1464 use ed25519_dalek::SigningKey;
1465 use ts_tka::NodeKeySignature;
1466
1467 let trusted = SigningKey::from_bytes(&[42u8; 32]);
1468 let trusted_pub = trusted.verifying_key().to_bytes().to_vec();
1469 let authority = Authority::from_state(
1470 AumHash([0; 32]),
1471 State {
1472 keys: vec![Key {
1473 kind: KeyKind::Ed25519,
1474 votes: 1,
1475 public: trusted_pub.clone(),
1476 }],
1477 },
1478 );
1479 let pivot = SigningKey::from_bytes(&[9u8; 32]);
1480 let pivot_pub: [u8; 32] = pivot.verifying_key().to_bytes();
1481
1482 // First Full: the soon-to-be-stale peer presents the pivot key with a valid Direct sig.
1483 let stale_sig = NodeKeySignature::sign_direct(&pivot_pub, &trusted).serialize();
1484 let stale_peer = peer_node("stale", pivot_pub, stale_sig);
1485 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1486 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![stale_peer.clone()]));
1487 assert!(
1488 tracker.peer_db.get(&stale_peer.node_key).is_some(),
1489 "the stale peer is admitted while no rotation has superseded it yet"
1490 );
1491
1492 // Second Full: a freshly-rotated peer (whose chain rotated AWAY the pivot key) joins, and the
1493 // stale peer is re-included. The rotation filter now obsoletes the pivot key ⇒ stale evicted.
1494 let new_key = [4u8; 32];
1495 let new_sig = NodeKeySignature::sign_rotation(&new_key, &trusted, &pivot).serialize();
1496 let new_peer = peer_node("rotated", new_key, new_sig);
1497 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1498 new_peer.clone(),
1499 stale_peer.clone(),
1500 ]));
1501 assert!(
1502 tracker.peer_db.get(&new_peer.node_key).is_some(),
1503 "the freshly-rotated peer is admitted"
1504 );
1505 assert!(
1506 tracker.peer_db.get(&stale_peer.node_key).is_none(),
1507 "the stale peer is EVICTED on the resync once a rotation supersedes its key"
1508 );
1509 }
1510
1511 /// The empty-trusted-key-state brick-guard: an authority with no keys must NOT drop the whole
1512 /// netmap (a `ts_tka` invariant violation / replayer edge). A verified chain always carries ≥1
1513 /// key, so this never weakens a genuine lock — it only prevents a black-hole. Uses ≥2 peers
1514 /// (one signed, one unsigned) to prove it admits **all**, not accidentally just one.
1515 #[tokio::test]
1516 async fn tka_empty_keyset_authority_admits_all() {
1517 use ts_tka::{AumHash, Authority, State};
1518 let empty_auth = Authority::from_state(AumHash([0u8; 32]), State { keys: Vec::new() });
1519 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(empty_auth));
1520 let signed = peer_node("signed", [7u8; 32], vec![0xde, 0xad]);
1521 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1522 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
1523 signed.clone(),
1524 unsigned.clone(),
1525 ]));
1526 assert_eq!(
1527 tracker.peer_db.peers().len(),
1528 2,
1529 "an empty-keyset authority must admit ALL peers (brick-guard), not enforce"
1530 );
1531 }
1532
1533 /// Signature-replay / `NodeKeyMismatch`: a structurally-valid signature that authorizes
1534 /// `NODE_KEY_BYTES` must NOT admit a DIFFERENT node key carrying that same signature blob. This is
1535 /// the highest-value bypass — if the sig↔node-key binding in `verify_signature` were dropped, this
1536 /// is the only test that would catch it (the other "bad" peers only flip a byte ⇒ `BadSignature`).
1537 #[tokio::test]
1538 async fn tka_active_rejects_valid_sig_for_wrong_node_key() {
1539 let (authority, sig) = authority_and_valid_sig();
1540 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1541
1542 // The signature authorizes NODE_KEY_BYTES; attach it to an imposter with a different key.
1543 let imposter = peer_node("imposter", [0x55u8; 32], sig);
1544 assert!(
1545 !tracker.tka_admits(&imposter),
1546 "a signature bound to one node key must not authorize a different node key"
1547 );
1548 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![imposter.clone()]));
1549 assert!(tracker.peer_db.get(&imposter.node_key).is_none());
1550 }
1551
1552 /// `UntrustedKey`: a signature produced by a well-formed Ed25519 key that is NOT in the
1553 /// authority's trusted-key state must be rejected — distinct from a tampered-byte `BadSignature`.
1554 #[tokio::test]
1555 async fn tka_active_rejects_sig_from_untrusted_key() {
1556 use ed25519_dalek::{Signer, SigningKey};
1557 let (authority, _sig) = authority_and_valid_sig();
1558 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1559
1560 // Sign a valid CBOR with a DIFFERENT key (not the one the authority trusts). The key_id in
1561 // the signature names this untrusted key, so `get_key` misses ⇒ UntrustedKey.
1562 let rogue = SigningKey::from_bytes(&[99u8; 32]);
1563 let rogue_pub = rogue.verifying_key().to_bytes().to_vec();
1564 let preimage = direct_sig_cbor(&NODE_KEY_BYTES, &rogue_pub, None);
1565 let sig_hash = ts_tka::aum_hash(&preimage).0;
1566 let signature = rogue.sign(&sig_hash).to_bytes().to_vec();
1567 let rogue_cbor = direct_sig_cbor(&NODE_KEY_BYTES, &rogue_pub, Some(&signature));
1568
1569 let peer = peer_node("rogue-signed", NODE_KEY_BYTES, rogue_cbor);
1570 assert!(
1571 !tracker.tka_admits(&peer),
1572 "a signature from a key outside the trusted set must be rejected"
1573 );
1574 // Drive the real upsert path too (match the sibling replay test's depth): an untrusted-key
1575 // signature must keep the peer out of the db, not merely fail the verdict in isolation.
1576 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer.clone()]));
1577 assert!(tracker.peer_db.get(&peer.node_key).is_none());
1578 }
1579
1580 /// Bus-enable analogue for `Delta`: enforcement engaged via the watch cell must also gate a
1581 /// `Delta { upsert }` (not only `Full`). Closes the "authority arrived over the transport AND the
1582 /// next update is a Delta" combination.
1583 #[tokio::test]
1584 async fn tka_watch_enable_enforces_delta_upsert() {
1585 let (authority, sig) = authority_and_valid_sig();
1586 let (mut tracker, tka_tx) = PeerTracker::for_test(test_env(), None);
1587 tka_tx.send_replace(Some(Arc::new(authority)));
1588
1589 let good = peer_node("good", NODE_KEY_BYTES, sig);
1590 let unsigned = peer_node("unsigned", [8u8; 32], vec![]);
1591 tracker.apply_peer_update(&ts_control::PeerUpdate::Delta {
1592 remove: vec![],
1593 upsert: vec![good.clone(), unsigned.clone()],
1594 });
1595 assert!(tracker.peer_db.get(&good.node_key).is_some());
1596 assert!(
1597 tracker.peer_db.get(&unsigned.node_key).is_none(),
1598 "delta upsert under an active lock must drop the unsigned peer"
1599 );
1600 }
1601
1602 /// A `Delta` re-upsert of an ALREADY-ADMITTED peer whose signature is now invalid must EVICT the
1603 /// stale entry (revocation-via-delta), not leave it admitted. Go re-filters the whole netmap each
1604 /// response, so a now-unsigned peer would not survive there either.
1605 #[tokio::test]
1606 async fn tka_delta_reupsert_with_invalid_sig_evicts_existing() {
1607 let (authority, sig) = authority_and_valid_sig();
1608 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1609
1610 // Admit the signed peer.
1611 let good = peer_node("good", NODE_KEY_BYTES, sig.clone());
1612 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![good.clone()]));
1613 assert!(tracker.peer_db.get(&good.node_key).is_some());
1614
1615 // Re-upsert the SAME stable_id (now with no signature) via a delta ⇒ evicted, not retained.
1616 let revoked = peer_node("good", NODE_KEY_BYTES, vec![]);
1617 tracker.apply_peer_update(&ts_control::PeerUpdate::Delta {
1618 remove: vec![],
1619 upsert: vec![revoked],
1620 });
1621 assert!(
1622 tracker.peer_db.get(&good.node_key).is_none(),
1623 "a delta re-upsert that fails the lock must evict the previously-admitted peer"
1624 );
1625 }
1626
1627 #[tokio::test]
1628 async fn tka_full_resync_revocation_behavior() {
1629 // Revocation-on-resync: admit a peer, then re-include the SAME stable_id in a `Full` with a
1630 // now-invalid signature. Per the Logic review finding, the pre-fix `retain` kept the stale
1631 // (previously-admitted) entry because membership was decided purely by stable_id.
1632 //
1633 // FIXED (not merely documented): the `Full` `retain` now keys on `tka_admits`-passing
1634 // stable_ids, so a peer whose re-included signature no longer verifies under the active
1635 // authority is EVICTED. This test asserts eviction. The inactive (authority=None) path is
1636 // provably unchanged — `tka_admits` always returns `true` there, so the retained set equals
1637 // the set of re-included stable_ids exactly (see `tka_inactive_full_resync_keeps_*`).
1638 let (authority, sig) = authority_and_valid_sig();
1639 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1640
1641 // 1) Admit the peer with a valid signature via a real `Full`.
1642 let good = peer_node("revoked", NODE_KEY_BYTES, sig.clone());
1643 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![good.clone()]));
1644 assert_eq!(tracker.peer_db.peers().len(), 1);
1645 assert!(tracker.peer_db.get(&good.node_key).is_some());
1646
1647 // 2) Re-sync the SAME stable_id, but with a now-invalid signature (tamper trailing byte).
1648 let mut bad_sig = sig;
1649 let last = bad_sig.len() - 1;
1650 bad_sig[last] ^= 0xff;
1651 let revoked = peer_node("revoked", NODE_KEY_BYTES, bad_sig);
1652 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![revoked.clone()]));
1653
1654 // Eviction: the stale entry is dropped because its re-included signature fails the gate.
1655 assert_eq!(tracker.peer_db.peers().len(), 0);
1656 assert!(tracker.peer_db.get(&revoked.node_key).is_none());
1657 }
1658
1659 #[tokio::test]
1660 async fn tka_inactive_full_resync_keeps_reincluded_peer() {
1661 // Guard the inactive (authority=None) path against the revocation fix: with no authority,
1662 // a peer re-included in a `Full` survives regardless of its signature bytes — byte-for-byte
1663 // pre-TKA behavior, proving the `Full` `retain` change does not regress the always-taken
1664 // branch this wave.
1665 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1666
1667 let peer = peer_node("p", NODE_KEY_BYTES, vec![0xde, 0xad]);
1668 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer.clone()]));
1669 assert_eq!(tracker.peer_db.peers().len(), 1);
1670
1671 // Re-sync the same stable_id with garbage signature bytes; inactive enforcement keeps it.
1672 let resynced = peer_node("p", NODE_KEY_BYTES, vec![0x00]);
1673 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![resynced.clone()]));
1674 assert_eq!(tracker.peer_db.peers().len(), 1);
1675 assert!(tracker.peer_db.get(&resynced.node_key).is_some());
1676 }
1677
1678 /// A `Patch` for a peer already in the netmap merges only the fields it carries — here new UDP
1679 /// endpoints and a new home DERP — leaving the rest of the node intact. This is the fix for
1680 /// dropped `peers_changed_patch`: without it the netmap keeps stale endpoints and the peer can
1681 /// never re-handshake after it moves.
1682 #[tokio::test]
1683 async fn patch_merges_endpoints_and_derp_into_existing_peer() {
1684 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1685
1686 // Seed a peer (id == 1, per `peer_node`) with no endpoints / no DERP.
1687 let peer = peer_node("mover", [1u8; 32], vec![]);
1688 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer.clone()]));
1689 let (_pid, before) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1690 assert!(before.underlay_addresses.is_empty());
1691 assert!(before.derp_region.is_none());
1692
1693 // Patch in fresh reachability (the idle-peer-reconnect case).
1694 let new_ep: std::net::SocketAddr = "203.0.113.7:41641".parse().unwrap();
1695 let patch = ts_control::PeerChange {
1696 id: 1,
1697 derp_region: Some(ts_derp::RegionId(core::num::NonZeroU32::new(5).unwrap())),
1698 cap: None,
1699 cap_map: None,
1700 underlay_addresses: Some(vec![new_ep]),
1701 node_key: None,
1702 key_signature: None,
1703 disco_key: None,
1704 node_key_expiry: None,
1705 online: None,
1706 last_seen: None,
1707 };
1708 let (upserts, deletions) = tracker.apply_peer_patches(std::slice::from_ref(&patch));
1709
1710 assert_eq!(upserts.len(), 1);
1711 assert_eq!(deletions.len(), 0);
1712 // Same peer, now carrying the patched endpoint + DERP; node key untouched.
1713 assert_eq!(tracker.peer_db.peers().len(), 1);
1714 let (_pid, after) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1715 assert_eq!(after.underlay_addresses, vec![new_ep]);
1716 assert_eq!(
1717 after.derp_region,
1718 Some(ts_derp::RegionId(core::num::NonZeroU32::new(5).unwrap()))
1719 );
1720 assert_eq!(after.node_key, peer.node_key);
1721 }
1722
1723 /// Regression for `tsr-5u0`: when a whole-node set (`Delta`/`Full`) and a patch co-occur in one
1724 /// response, the patch is applied *on top of* the node the set just upserted — mirroring the
1725 /// handler's apply-order (peer set first, then `peer_patches`). Before the fix the patch shared
1726 /// the single `peer_update` slot and the co-occurring set silently dropped it, so a peer brought
1727 /// in by the delta kept stale (empty) reachability.
1728 #[tokio::test]
1729 async fn patch_applies_on_top_of_co_occurring_delta() {
1730 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1731
1732 // The whole-node delta upserts a brand-new peer (id == 1) with no reachability.
1733 let peer = peer_node("mover", [1u8; 32], vec![]);
1734 let (set_upserts, _) = tracker.apply_peer_update(&ts_control::PeerUpdate::Delta {
1735 upsert: vec![peer.clone()],
1736 remove: vec![],
1737 });
1738 assert_eq!(set_upserts.len(), 1, "delta upserts the new peer");
1739
1740 // The patch from the SAME response then sets that peer's endpoints + DERP. This is exactly
1741 // the consumer order the handler runs (apply_peer_update then apply_peer_patches).
1742 let new_ep: std::net::SocketAddr = "203.0.113.7:41641".parse().unwrap();
1743 let patch = ts_control::PeerChange {
1744 id: 1,
1745 derp_region: Some(ts_derp::RegionId(core::num::NonZeroU32::new(7).unwrap())),
1746 cap: None,
1747 cap_map: None,
1748 underlay_addresses: Some(vec![new_ep]),
1749 node_key: None,
1750 key_signature: None,
1751 disco_key: None,
1752 node_key_expiry: None,
1753 online: None,
1754 last_seen: None,
1755 };
1756 let (patch_upserts, patch_deletions) =
1757 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1758
1759 assert_eq!(
1760 patch_upserts.len(),
1761 1,
1762 "patch re-upserts the just-added peer"
1763 );
1764 assert_eq!(patch_deletions.len(), 0);
1765 // The peer added by the delta now carries the patched reachability — the patch was NOT lost.
1766 let (_pid, after) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1767 assert_eq!(after.underlay_addresses, vec![new_ep]);
1768 assert_eq!(
1769 after.derp_region,
1770 Some(ts_derp::RegionId(core::num::NonZeroU32::new(7).unwrap()))
1771 );
1772 }
1773
1774 /// A `Patch` whose node id is not in the current netmap is ignored (the wire contract: a patch
1775 /// never creates a node). No upsert, no deletion, peer set unchanged.
1776 #[tokio::test]
1777 async fn patch_for_unknown_node_is_ignored() {
1778 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1779 let known = peer_node("known", [1u8; 32], vec![]); // id == 1
1780 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![known]));
1781
1782 let patch = ts_control::PeerChange {
1783 id: 999, // not in the netmap
1784 derp_region: None,
1785 cap: None,
1786 cap_map: None,
1787 underlay_addresses: Some(vec!["198.51.100.9:1".parse().unwrap()]),
1788 node_key: None,
1789 key_signature: None,
1790 disco_key: None,
1791 node_key_expiry: None,
1792 online: None,
1793 last_seen: None,
1794 };
1795 let (upserts, deletions) = tracker.apply_peer_patches(std::slice::from_ref(&patch));
1796
1797 assert_eq!(upserts.len(), 0);
1798 assert_eq!(deletions.len(), 0);
1799 assert_eq!(tracker.peer_db.peers().len(), 1);
1800 assert!(tracker.peer_db.get(&(999 as ts_control::NodeId)).is_none());
1801 }
1802
1803 /// An expiry-only `Patch` updates `node_key_expiry` on the matching peer (Go
1804 /// `PeerChange.KeyExpiry`), rather than being silently dropped until the next full resync.
1805 #[tokio::test]
1806 async fn patch_updates_node_key_expiry() {
1807 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1808 let peer = peer_node("expiring", [1u8; 32], vec![]); // id == 1, node_key_expiry: None
1809 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
1810
1811 let expiry = "2027-01-01T00:00:00Z"
1812 .parse::<chrono::DateTime<chrono::Utc>>()
1813 .unwrap();
1814 let patch = ts_control::PeerChange {
1815 id: 1,
1816 derp_region: None,
1817 cap: None,
1818 cap_map: None,
1819 underlay_addresses: None,
1820 node_key: None,
1821 key_signature: None,
1822 disco_key: None,
1823 node_key_expiry: Some(expiry),
1824 online: None,
1825 last_seen: None,
1826 };
1827 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1828
1829 let (_pid, after) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1830 assert_eq!(after.node_key_expiry, Some(expiry));
1831 }
1832
1833 /// Channel B: a `PeerChange.online` patch flips a peer's online state without a full node.
1834 #[tokio::test]
1835 async fn patch_updates_online() {
1836 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1837 let peer = peer_node("p", [1u8; 32], vec![]); // id == 1, online: None
1838 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
1839 assert_eq!(
1840 tracker
1841 .peer_db
1842 .get(&(1 as ts_control::NodeId))
1843 .unwrap()
1844 .1
1845 .online,
1846 None
1847 );
1848
1849 let mut patch = ts_control::PeerChange {
1850 id: 1,
1851 derp_region: None,
1852 cap: None,
1853 cap_map: None,
1854 underlay_addresses: None,
1855 node_key: None,
1856 key_signature: None,
1857 disco_key: None,
1858 node_key_expiry: None,
1859 online: Some(true),
1860 last_seen: None,
1861 };
1862 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1863 assert_eq!(
1864 tracker
1865 .peer_db
1866 .get(&(1 as ts_control::NodeId))
1867 .unwrap()
1868 .1
1869 .online,
1870 Some(true),
1871 "PeerChange.online=Some(true) marks the peer online"
1872 );
1873
1874 // A subsequent patch flips it offline.
1875 patch.online = Some(false);
1876 tracker.apply_peer_patches(std::slice::from_ref(&patch));
1877 assert_eq!(
1878 tracker
1879 .peer_db
1880 .get(&(1 as ts_control::NodeId))
1881 .unwrap()
1882 .1
1883 .online,
1884 Some(false)
1885 );
1886 }
1887
1888 /// Channel C/D (Go `map.go:updatePeersStateFromResponse`): `online_change` is the sole driver of
1889 /// `online`; `peer_seen_change` is the sole driver of `last_seen` (true ⇒ now, false ⇒ cleared)
1890 /// and must NEVER touch `online`. Both apply to a peer already in the netmap and ignore unknown
1891 /// ids. This pins the fix for the prior bug where channel D wrote `online=false` (conflating
1892 /// "not seen recently" with "offline" — distinct signals in Go).
1893 #[tokio::test]
1894 async fn liveness_change_maps_apply_online() {
1895 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
1896 let peer = peer_node("p", [1u8; 32], vec![]); // id == 1
1897 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
1898 // A fixed timestamp (chrono is built without its `clock` feature, so no `Utc::now()`).
1899 let now = chrono::DateTime::from_timestamp(1_700_000_000, 0).unwrap();
1900
1901 // Channel C: online_change sets online=true.
1902 let mut online_change = std::collections::BTreeMap::new();
1903 online_change.insert(1 as ts_control::NodeId, true);
1904 online_change.insert(999 as ts_control::NodeId, true); // unknown id — ignored
1905 let changed = tracker.apply_liveness_changes(&online_change, &Default::default(), now);
1906 assert!(changed);
1907 assert_eq!(
1908 tracker
1909 .peer_db
1910 .get(&(1 as ts_control::NodeId))
1911 .unwrap()
1912 .1
1913 .online,
1914 Some(true)
1915 );
1916
1917 // Channel D: peer_seen_change=true sets last_seen=now and leaves online UNTOUCHED.
1918 let mut seen_true = std::collections::BTreeMap::new();
1919 seen_true.insert(1 as ts_control::NodeId, true);
1920 let changed = tracker.apply_liveness_changes(&Default::default(), &seen_true, now);
1921 assert!(changed);
1922 {
1923 let (_id, node) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1924 assert_eq!(
1925 node.last_seen,
1926 Some(now),
1927 "peer_seen_change=true sets last_seen=now"
1928 );
1929 assert_eq!(
1930 node.online,
1931 Some(true),
1932 "channel D must NOT touch online (still true from channel C)"
1933 );
1934 }
1935
1936 // Channel D: peer_seen_change=false clears last_seen, still leaving online untouched.
1937 let mut seen_false = std::collections::BTreeMap::new();
1938 seen_false.insert(1 as ts_control::NodeId, false);
1939 let changed = tracker.apply_liveness_changes(&Default::default(), &seen_false, now);
1940 assert!(changed);
1941 {
1942 let (_id, node) = tracker.peer_db.get(&(1 as ts_control::NodeId)).unwrap();
1943 assert_eq!(
1944 node.last_seen, None,
1945 "peer_seen_change=false clears last_seen"
1946 );
1947 assert_eq!(node.online, Some(true), "channel D must NOT mark offline");
1948 }
1949 assert_eq!(
1950 tracker.peer_db.peers().len(),
1951 1,
1952 "the node is retained, not removed"
1953 );
1954
1955 // No-op when nothing matches / changes.
1956 assert!(!tracker.apply_liveness_changes(&Default::default(), &Default::default(), now));
1957 }
1958
1959 /// Security: a `Patch` that rotates the node key must re-satisfy the tailnet-lock authority,
1960 /// exactly like a `Delta` upsert. A key-rotation patch whose new signature does NOT verify
1961 /// evicts the peer (fail-closed) rather than leaving a now-unverified entry — closing what would
1962 /// otherwise be a trust-enforcement bypass via the patch path.
1963 #[tokio::test]
1964 async fn patch_key_rotation_failing_tka_evicts_peer() {
1965 let (authority, sig) = authority_and_valid_sig();
1966 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
1967
1968 // Admit a correctly-signed peer (id == 1).
1969 let good = peer_node("rotator", NODE_KEY_BYTES, sig.clone());
1970 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![good.clone()]));
1971 assert_eq!(tracker.peer_db.peers().len(), 1);
1972
1973 // Patch a new node key whose signature is garbage under the active authority.
1974 let patch = ts_control::PeerChange {
1975 id: 1,
1976 derp_region: None,
1977 cap: None,
1978 cap_map: None,
1979 underlay_addresses: None,
1980 node_key: Some([0x33u8; 32].into()),
1981 key_signature: Some(vec![0x00, 0x01, 0x02]),
1982 disco_key: None,
1983 node_key_expiry: None,
1984 online: None,
1985 last_seen: None,
1986 };
1987 let (upserts, deletions) = tracker.apply_peer_patches(std::slice::from_ref(&patch));
1988
1989 assert_eq!(upserts.len(), 0);
1990 assert_eq!(deletions.len(), 1);
1991 assert_eq!(tracker.peer_db.peers().len(), 0);
1992 }
1993
1994 /// A node's `user_id` joins against the accumulated UserProfiles table to resolve the owning
1995 /// user's login name in `WhoIs.user`. With no matching profile, `user` is `None` (the
1996 /// pre-existing behavior); once a profile arrives, the same node resolves to its login. This
1997 /// proves the accumulate-then-join path the netmap handler builds.
1998 fn profile(id: ts_control::UserId, login: &str) -> ts_control::UserProfile {
1999 ts_control::UserProfile {
2000 id,
2001 login_name: login.to_string(),
2002 display_name: None,
2003 }
2004 }
2005
2006 #[tokio::test]
2007 async fn whois_resolves_user_from_accumulated_profiles() {
2008 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), None);
2009
2010 // A peer owned by user id 42 at 100.64.0.1 (the peer_node fixture's address).
2011 let mut peer = peer_node("p", NODE_KEY_BYTES, Vec::new());
2012 peer.user_id = 42;
2013 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![peer]));
2014 let addr = "100.64.0.1:0".parse().unwrap();
2015
2016 // No profile yet: the node resolves but its owner is unknown.
2017 let who = tracker.whois_opt(addr).expect("peer is known");
2018 assert_eq!(who.user, None);
2019
2020 // Profile for a DIFFERENT user must not match.
2021 tracker
2022 .user_profiles
2023 .insert(7, profile(7, "someone-else@example.com"));
2024 assert_eq!(tracker.whois_opt(addr).unwrap().user, None);
2025
2026 // The owning user's profile arrives (as the netmap handler would accumulate it): now the
2027 // login resolves.
2028 tracker
2029 .user_profiles
2030 .insert(42, profile(42, "alice@example.com"));
2031 assert_eq!(
2032 tracker.whois_opt(addr).unwrap().user,
2033 Some("alice@example.com".to_string())
2034 );
2035 }
2036
2037 /// `UserProfile::best_label` prefers the login name, falling back to display name, else `None`.
2038 #[test]
2039 fn user_profile_best_label_prefers_login() {
2040 assert_eq!(
2041 profile(1, "alice@example.com").best_label(),
2042 Some("alice@example.com".to_string())
2043 );
2044 let display_only = ts_control::UserProfile {
2045 id: 2,
2046 login_name: String::new(),
2047 display_name: Some("Bob".to_string()),
2048 };
2049 assert_eq!(display_only.best_label(), Some("Bob".to_string()));
2050 let empty = ts_control::UserProfile {
2051 id: 3,
2052 login_name: String::new(),
2053 display_name: None,
2054 };
2055 assert_eq!(empty.best_label(), None);
2056 }
2057
2058 // ----- tsr-jo1: RotationTracker (Go ipnlocal.rotationTracker.obsoleteKeys) -----
2059
2060 /// A `RotationDetails` for a `Direct`-rooted chain with the given prior keys + wrapping key.
2061 fn rot_details(
2062 prev: &[&[u8]],
2063 wrapping: &[u8],
2064 kind: ts_tka::SigKind,
2065 ) -> ts_tka::RotationDetails {
2066 ts_tka::RotationDetails {
2067 prev_node_keys: prev.iter().map(|p| p.to_vec()).collect(),
2068 initial_sig_kind: kind,
2069 initial_wrapping_pubkey: wrapping.to_vec(),
2070 }
2071 }
2072
2073 /// Rule 1: every prior node key named by any rotation chain is obsolete, regardless of the
2074 /// chain's root kind (Go's ungated `obsolete.AddSlice(d.PrevNodeKeys)`).
2075 #[test]
2076 fn rotation_tracker_prev_keys_always_obsolete() {
2077 let mut t = RotationTracker::default();
2078 // A Direct-rooted chain that rotated away OLD1, and a Credential-rooted one that rotated OLD2.
2079 t.add(
2080 b"newA".to_vec(),
2081 &rot_details(&[b"OLD1"], b"wrapA", ts_tka::SigKind::Direct),
2082 );
2083 t.add(
2084 b"newB".to_vec(),
2085 &rot_details(&[b"OLD2"], b"wrapB", ts_tka::SigKind::Credential),
2086 );
2087 let obsolete = t.obsolete_keys();
2088 assert!(
2089 obsolete.contains(b"OLD1".as_slice()),
2090 "Direct chain's prior key obsolete"
2091 );
2092 assert!(
2093 obsolete.contains(b"OLD2".as_slice()),
2094 "Credential chain's prior key obsolete too (rule 1 is ungated)"
2095 );
2096 // The current keys themselves are not obsolete (only one peer per wrapping key here).
2097 assert!(!obsolete.contains(b"newA".as_slice()));
2098 assert!(!obsolete.contains(b"newB".as_slice()));
2099 }
2100
2101 /// Rule 2: among `Direct`-rooted chains sharing a wrapping key, only the longest survives; the
2102 /// shorter (older) clone's key is obsolete.
2103 #[test]
2104 fn rotation_tracker_unequal_chain_keeps_longest() {
2105 let mut t = RotationTracker::default();
2106 // Same wrapping key; "long" has 2 prior keys, "short" has 1 ⇒ "short" is the older clone.
2107 t.add(
2108 b"long".to_vec(),
2109 &rot_details(&[b"p1", b"p2"], b"wrap", ts_tka::SigKind::Direct),
2110 );
2111 t.add(
2112 b"short".to_vec(),
2113 &rot_details(&[b"q1"], b"wrap", ts_tka::SigKind::Direct),
2114 );
2115 let obsolete = t.obsolete_keys();
2116 assert!(
2117 obsolete.contains(b"short".as_slice()),
2118 "the shorter-chain clone is obsolete"
2119 );
2120 assert!(
2121 !obsolete.contains(b"long".as_slice()),
2122 "the longest-chain peer survives"
2123 );
2124 }
2125
2126 /// Rule 2 tie: two `Direct`-rooted chains sharing a wrapping key with EQUAL chain length cannot
2127 /// be disambiguated ⇒ BOTH are dropped (Go's safety branch).
2128 #[test]
2129 fn rotation_tracker_equal_chain_drops_both() {
2130 let mut t = RotationTracker::default();
2131 t.add(
2132 b"cloneA".to_vec(),
2133 &rot_details(&[b"p1"], b"wrap", ts_tka::SigKind::Direct),
2134 );
2135 t.add(
2136 b"cloneB".to_vec(),
2137 &rot_details(&[b"p2"], b"wrap", ts_tka::SigKind::Direct),
2138 );
2139 let obsolete = t.obsolete_keys();
2140 assert!(
2141 obsolete.contains(b"cloneA".as_slice()),
2142 "tied clone A dropped"
2143 );
2144 assert!(
2145 obsolete.contains(b"cloneB".as_slice()),
2146 "tied clone B dropped"
2147 );
2148 }
2149
2150 /// `Credential`-rooted chains sharing a wrapping key are EXEMPT from rule 2 (reusable-authkey
2151 /// carve-out): both are kept even with equal chain length.
2152 #[test]
2153 fn rotation_tracker_credential_root_clones_both_kept() {
2154 let mut t = RotationTracker::default();
2155 t.add(
2156 b"credA".to_vec(),
2157 &rot_details(&[b"p1"], b"wrap", ts_tka::SigKind::Credential),
2158 );
2159 t.add(
2160 b"credB".to_vec(),
2161 &rot_details(&[b"p2"], b"wrap", ts_tka::SigKind::Credential),
2162 );
2163 let obsolete = t.obsolete_keys();
2164 assert!(
2165 !obsolete.contains(b"credA".as_slice()),
2166 "credential-rooted clone A kept"
2167 );
2168 assert!(
2169 !obsolete.contains(b"credB".as_slice()),
2170 "credential-rooted clone B kept"
2171 );
2172 }
2173
2174 /// A peer that another chain already rotated away does not also act as a surviving clone: it is
2175 /// removed from its wrapping-key group before the longest-survivor pick (Go's `DeleteFunc`).
2176 #[test]
2177 fn rotation_tracker_already_obsolete_peer_not_a_survivor() {
2178 let mut t = RotationTracker::default();
2179 // "victim" is rotated away by "rotator" (different wrapping key), AND shares wrapping key
2180 // "w" with "other". Because "victim" is already obsolete, only "other" is in play for "w" and
2181 // survives (no spurious tie-drop of "other").
2182 t.add(
2183 b"rotator".to_vec(),
2184 &rot_details(&[b"victim"], b"wRot", ts_tka::SigKind::Direct),
2185 );
2186 t.add(
2187 b"victim".to_vec(),
2188 &rot_details(&[b"x"], b"w", ts_tka::SigKind::Direct),
2189 );
2190 t.add(
2191 b"other".to_vec(),
2192 &rot_details(&[b"y"], b"w", ts_tka::SigKind::Direct),
2193 );
2194 let obsolete = t.obsolete_keys();
2195 assert!(
2196 obsolete.contains(b"victim".as_slice()),
2197 "victim rotated away by rotator"
2198 );
2199 assert!(
2200 !obsolete.contains(b"other".as_slice()),
2201 "other survives — victim was removed from the group before the tie check"
2202 );
2203 }
2204
2205 /// Empty tracker (no rotation-signed peers) ⇒ no obsolete keys (the non-rotation netmap path).
2206 #[test]
2207 fn rotation_tracker_empty_is_noop() {
2208 let t = RotationTracker::default();
2209 assert!(t.obsolete_keys().is_empty());
2210 }
2211
2212 /// End-to-end through the real `Full` path: a peer presenting a freshly-rotated key (a Rotation
2213 /// chain) is admitted, while a second peer still presenting the rotated-AWAY pivot key — even with
2214 /// that key's own still-valid Direct signature — is DROPPED by the cross-peer rotation filter.
2215 /// This is the gap closed here: Go `tkaFilterNetmapLocked` drops the stale clone; we used to admit
2216 /// it. Uses real `ts_tka` signing (`sign_direct` + `sign_rotation`) so the whole
2217 /// verify → details → filter pipeline runs.
2218 ///
2219 /// Construction: the trusted key signs an inner `Direct` over the PIVOT keypair's public key; the
2220 /// pivot key then signs an outer `Rotation` authorizing `new_key`. That chain's `prev_node_keys`
2221 /// names the pivot pubkey — so a peer presenting the pivot pubkey as its node key is the
2222 /// rotated-away key the filter must drop.
2223 #[tokio::test]
2224 async fn tka_full_drops_rotated_away_key_e2e() {
2225 use ed25519_dalek::SigningKey;
2226 use ts_tka::NodeKeySignature;
2227
2228 let trusted = SigningKey::from_bytes(&[42u8; 32]);
2229 let trusted_pub = trusted.verifying_key().to_bytes().to_vec();
2230 let authority = Authority::from_state(
2231 AumHash([0; 32]),
2232 State {
2233 keys: vec![Key {
2234 kind: KeyKind::Ed25519,
2235 votes: 1,
2236 public: trusted_pub.clone(),
2237 }],
2238 },
2239 );
2240
2241 // The rotation pivot: a keypair whose public key the inner Direct authorizes and whose
2242 // private key signs the outer rotation wrap. This pivot pubkey IS the key being rotated away.
2243 let pivot = SigningKey::from_bytes(&[9u8; 32]);
2244 let pivot_pub: [u8; 32] = pivot.verifying_key().to_bytes();
2245
2246 let new_key = [4u8; 32]; // the freshly-rotated node key
2247
2248 // Fresh peer: a Rotation chain authorizing `new_key`, inner Direct over the pivot signed by
2249 // trusted, outer wrap signed by the pivot. Its prev_node_keys names `pivot_pub`.
2250 let new_sig = NodeKeySignature::sign_rotation(&new_key, &trusted, &pivot).serialize();
2251 let new_peer = peer_node("rotated", new_key, new_sig);
2252
2253 // Stale peer: still presents the pivot pubkey (the rotated-away key) with its own valid
2254 // Direct signature — valid in isolation, but obsoleted by the fresh peer's rotation chain.
2255 let stale_sig = NodeKeySignature::sign_direct(&pivot_pub, &trusted).serialize();
2256 let stale_peer = peer_node("stale", pivot_pub, stale_sig);
2257
2258 let (mut tracker, _tka_tx) = PeerTracker::for_test(test_env(), Some(authority));
2259 tracker.apply_peer_update(&ts_control::PeerUpdate::Full(vec![
2260 new_peer.clone(),
2261 stale_peer.clone(),
2262 ]));
2263
2264 assert!(
2265 tracker.peer_db.get(&new_peer.node_key).is_some(),
2266 "the freshly-rotated peer is admitted"
2267 );
2268 assert!(
2269 tracker.peer_db.get(&stale_peer.node_key).is_none(),
2270 "the peer presenting the rotated-away key is dropped (Go tkaFilterNetmapLocked)"
2271 );
2272 }
2273}