test: assert NodeKey hijack is rejected on re-auth

TestReAuthWithDifferentMachineKey asserted that a second machine claiming an existing NodeKey succeeds, but that hijack (now rejected by f8f08cf7) poisoned the NodeKey index and DoS'd the original node — the test only checked the hijacker's node, never the original's survival. Assert the registration is rejected and the original node survives intact.
This commit is contained in:
Kristoffer Dalby
2026-06-07 13:36:01 +00:00
committed by Kristoffer Dalby
parent 9fc88e308f
commit 0121083b53
+13 -5
View File
@@ -1008,16 +1008,24 @@ func TestReAuthWithDifferentMachineKey(t *testing.T) {
Expiry: time.Now().Add(24 * time.Hour),
}
resp2, err := app.handleRegisterWithAuthKey(regReq2, machineKey2.Public())
require.NoError(t, err)
require.True(t, resp2.MachineAuthorized)
// A NodeKey is bound 1:1 to a MachineKey (getAndValidateNode enforces
// this at poll time). A different machine claiming an existing NodeKey is
// a hijack: it would poison the NodeStore NodeKey index so the original
// node fails the poll-time MachineKey check and is denied service.
// Registration now rejects it (see f8f08cf7). Real Tailscale clients
// never reuse a NodeKey across machine keys, so no legitimate flow is
// affected.
_, err = app.handleRegisterWithAuthKey(regReq2, machineKey2.Public())
require.Error(t, err,
"a different machine claiming an existing NodeKey must be rejected")
// Verify the node still exists and has tags
// Note: Depending on implementation, this might be the same node or a new node
// The original node is unaffected: still present, tagged, same identity.
node2, found := app.state.GetNodeByNodeKey(nodeKey.Public())
require.True(t, found)
assert.True(t, node2.IsTagged())
assert.ElementsMatch(t, tags, node2.Tags().AsSlice())
assert.Equal(t, node1.ID(), node2.ID(),
"original node must survive; the hijacking registration was rejected")
}
// TestUntaggedAuthKeyZeroExpiryGetsDefault tests that when node.expiry is configured