Merge pull request #1338 from openziti/edge-terminator-fixes

Edge terminator fixes

common/pb/edge_ctrl_pb/edge_ctrl.proto

@@ -28,6 +28,8 @@ enum ContentType {
   ValidateSessionsRequestType = 20213;
   HealthEventType = 20214;
   SigningCertAddedType = 20215;
+  CreateTerminatorV2RequestType = 20216;
+  CreateTerminatorV2ResponseType = 20217;
 
   EnrollType = 20300;
   EnrollmentCertsResponseType = 20301;
@@ -66,7 +68,7 @@ enum Header {
 message ServerHello {
   string version = 1;
   map<string, string> data = 2;
-  map<string,bytes> byteData = 3;
+  map<string, bytes> byteData = 3;
 }
 
 message Address {
@@ -148,7 +150,7 @@ message PostureSet {
 message PostureCheck {
   string id = 1;
   string type = 2;
-  map<string,bytes> data = 3;
+  map<string, bytes> data = 3;
 }
 
 message Session {
@@ -224,6 +226,29 @@ message CreateTerminatorRequest {
   bytes instanceSecret = 7;
 }
 
+message CreateTerminatorV2Request {
+  string address = 1;
+  string sessionToken = 2;
+  repeated string fingerprints = 3;
+  map<uint32, bytes> peerData = 4;
+  uint32 cost = 5;
+  TerminatorPrecedence precedence = 6;
+  string instanceId = 7;
+  bytes instanceSecret = 8;
+}
+
+enum CreateTerminatorResult {
+  Success = 0;
+  FailedIdConflict = 1;
+  FailedOther = 2;
+}
+
+message CreateTerminatorV2Response {
+  string terminatorId = 1;
+  CreateTerminatorResult result = 2;
+  string msg = 3;
+}
+
 message RemoveTerminatorRequest {
   string sessionToken = 1;
   repeated string fingerprints = 2;

common/pb/edge_ctrl_pb/messages.go

@@ -30,9 +30,6 @@ func (request *CreateTerminatorRequest) GetContentType() int32 {
 	return int32(ContentType_CreateTerminatorRequestType)
 }
 
-func (request *Error) GetContentType() int32 {
-	return int32(ContentType_ErrorType)
-}
 func (request *CreateTerminatorRequest) GetXtPrecedence() xt.Precedence {
 	if request.GetPrecedence() == TerminatorPrecedence_Failed {
 		return xt.Precedences.Failed
@@ -43,6 +40,28 @@ func (request *CreateTerminatorRequest) GetXtPrecedence() xt.Precedence {
 	return xt.Precedences.Default
 }
 
+func (request *CreateTerminatorV2Request) GetContentType() int32 {
+	return int32(ContentType_CreateTerminatorV2RequestType)
+}
+
+func (request *CreateTerminatorV2Request) GetXtPrecedence() xt.Precedence {
+	if request.GetPrecedence() == TerminatorPrecedence_Failed {
+		return xt.Precedences.Failed
+	}
+	if request.GetPrecedence() == TerminatorPrecedence_Required {
+		return xt.Precedences.Required
+	}
+	return xt.Precedences.Default
+}
+
+func (request *CreateTerminatorV2Response) GetContentType() int32 {
+	return int32(ContentType_CreateTerminatorV2ResponseType)
+}
+
+func (request *Error) GetContentType() int32 {
+	return int32(ContentType_ErrorType)
+}
+
 func (request *UpdateTerminatorRequest) GetContentType() int32 {
 	return int32(ContentType_UpdateTerminatorRequestType)
 }

controller/handler_edge_ctrl/create_terminator_v2.go

@@ -0,0 +1,219 @@
+/*
+	Copyright NetFoundry Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+	https://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+package handler_edge_ctrl
+
+import (
+	"fmt"
+	"github.com/michaelquigley/pfxlog"
+	"github.com/openziti/channel/v2"
+	"github.com/openziti/channel/v2/protobufs"
+	"github.com/openziti/fabric/controller/models"
+	"github.com/openziti/fabric/controller/network"
+	"github.com/openziti/ziti/common"
+	"github.com/openziti/ziti/common/pb/edge_ctrl_pb"
+	"github.com/openziti/ziti/controller/env"
+	"github.com/openziti/ziti/controller/model"
+	"github.com/openziti/ziti/controller/persistence"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/proto"
+	"math"
+)
+
+type createTerminatorV2Handler struct {
+	baseRequestHandler
+}
+
+func NewCreateTerminatorV2Handler(appEnv *env.AppEnv, ch channel.Channel) channel.TypedReceiveHandler {
+	return &createTerminatorV2Handler{
+		baseRequestHandler{
+			ch:     ch,
+			appEnv: appEnv,
+		},
+	}
+}
+
+func (self *createTerminatorV2Handler) ContentType() int32 {
+	return int32(edge_ctrl_pb.ContentType_CreateTerminatorV2RequestType)
+}
+
+func (self *createTerminatorV2Handler) Label() string {
+	return "create.terminator"
+}
+
+func (self *createTerminatorV2Handler) HandleReceive(msg *channel.Message, ch channel.Channel) {
+	req := &edge_ctrl_pb.CreateTerminatorV2Request{}
+	if err := proto.Unmarshal(msg.Body, req); err != nil {
+		pfxlog.ContextLogger(ch.Label()).WithError(err).Error("could not unmarshal CreateTerminatorV2Request")
+		return
+	}
+
+	ctx := &CreateTerminatorV2RequestContext{
+		baseSessionRequestContext: baseSessionRequestContext{handler: self, msg: msg},
+		req:                       req,
+	}
+
+	go self.CreateTerminatorV2(ctx)
+}
+
+func (self *createTerminatorV2Handler) CreateTerminatorV2(ctx *CreateTerminatorV2RequestContext) {
+	logger := pfxlog.ContextLogger(self.ch.Label()).
+		WithField("routerId", self.ch.Id()).
+		WithField("token", ctx.req.SessionToken).
+		WithField("terminatorId", ctx.req.Address)
+
+	if !ctx.loadRouter() {
+		return
+	}
+	ctx.loadSession(ctx.req.SessionToken)
+	ctx.checkSessionType(persistence.SessionTypeBind)
+	ctx.checkSessionFingerprints(ctx.req.Fingerprints)
+	ctx.verifyEdgeRouterAccess()
+	ctx.loadService()
+
+	if ctx.err != nil {
+		self.returnError(ctx, edge_ctrl_pb.CreateTerminatorResult_FailedOther, ctx.err, logger)
+		return
+	}
+
+	logger = logger.WithField("serviceId", ctx.service.Id).WithField("service", ctx.service.Name)
+
+	if ctx.req.Cost > math.MaxUint16 {
+		ctx.err = invalidCost(fmt.Sprintf("invalid cost %v. cost must be between 0 and %v inclusive", ctx.req.Cost, math.MaxUint16))
+		self.returnError(ctx, edge_ctrl_pb.CreateTerminatorResult_FailedOther, ctx.err, logger)
+		return
+	}
+
+	terminator, _ := self.getNetwork().Terminators.Read(ctx.req.Address)
+	if terminator != nil {
+		if ctx.err = ctx.validateExistingTerminator(terminator, logger); ctx.err != nil {
+			self.returnError(ctx, edge_ctrl_pb.CreateTerminatorResult_FailedIdConflict, ctx.err, logger)
+			return
+		}
+	} else {
+		terminator = &network.Terminator{
+			BaseEntity: models.BaseEntity{
+				Id:       ctx.req.Address,
+				IsSystem: true,
+			},
+			Service:        ctx.session.ServiceId,
+			Router:         ctx.sourceRouter.Id,
+			Binding:        common.EdgeBinding,
+			Address:        ctx.req.Address,
+			InstanceId:     ctx.req.InstanceId,
+			InstanceSecret: ctx.req.InstanceSecret,
+			PeerData:       ctx.req.PeerData,
+			Precedence:     ctx.req.GetXtPrecedence(),
+			Cost:           uint16(ctx.req.Cost),
+			HostId:         ctx.session.IdentityId,
+		}
+
+		cmd := &model.CreateEdgeTerminatorCmd{
+			Env:     self.appEnv,
+			Entity:  terminator,
+			Context: ctx.newChangeContext(),
+		}
+
+		if err := self.appEnv.GetHostController().GetNetwork().Managers.Command.Dispatch(cmd); err != nil {
+			// terminator might have been created while we were trying to create.
+			if terminator, _ = self.getNetwork().Terminators.Read(ctx.req.Address); terminator != nil {
+				if validateError := ctx.validateExistingTerminator(terminator, logger); validateError != nil {
+					self.returnError(ctx, edge_ctrl_pb.CreateTerminatorResult_FailedIdConflict, validateError, logger)
+					return
+				}
+			} else {
+				self.returnError(ctx, edge_ctrl_pb.CreateTerminatorResult_FailedOther, err, logger)
+				return
+			}
+		} else {
+			logger.WithField("terminator", terminator.Id).Info("created terminator")
+		}
+	}
+
+	response := &edge_ctrl_pb.CreateTerminatorV2Response{
+		TerminatorId: terminator.Id,
+		Result:       edge_ctrl_pb.CreateTerminatorResult_Success,
+	}
+
+	body, err := proto.Marshal(response)
+	if err != nil {
+		logger.WithError(err).Error("failed to marshal CreateTunnelTerminatorResponse")
+		return
+	}
+
+	responseMsg := channel.NewMessage(response.GetContentType(), body)
+	responseMsg.ReplyTo(ctx.msg)
+	if err = self.ch.Send(responseMsg); err != nil {
+		logger.WithError(err).Error("failed to send CreateTunnelTerminatorResponse")
+	}
+
+	logger.Info("completed create tunnel terminator operation")
+}
+
+func (self *createTerminatorV2Handler) returnError(ctx *CreateTerminatorV2RequestContext, resultType edge_ctrl_pb.CreateTerminatorResult, err error, logger *logrus.Entry) {
+	response := &edge_ctrl_pb.CreateTerminatorV2Response{
+		TerminatorId: ctx.req.Address,
+		Result:       resultType,
+		Msg:          err.Error(),
+	}
+
+	if sendErr := protobufs.MarshalTyped(response).ReplyTo(ctx.msg).Send(self.ch); sendErr != nil {
+		logger.WithError(err).WithField("sendError", sendErr).Error("failed to send error response")
+	} else {
+		logger.WithError(err).Error("responded with error")
+	}
+}
+
+type CreateTerminatorV2RequestContext struct {
+	baseSessionRequestContext
+	req *edge_ctrl_pb.CreateTerminatorV2Request
+}
+
+func (self *CreateTerminatorV2RequestContext) GetSessionToken() string {
+	return self.req.SessionToken
+}
+
+func (self *CreateTerminatorV2RequestContext) validateExistingTerminator(terminator *network.Terminator, log *logrus.Entry) controllerError {
+	if terminator.Binding != common.EdgeBinding {
+		log.WithField("binding", common.EdgeBinding).
+			WithField("conflictingBinding", terminator.Binding).
+			Error("selected terminator address conflicts with a terminator for a different binding")
+		return internalError(errors.New("selected id conflicts with terminator for different binding"))
+	}
+
+	if terminator.Service != self.session.ServiceId {
+		log.WithField("conflictingService", terminator.Service).
+			Error("selected terminator address conflicts with a terminator for a different service")
+		return internalError(errors.New("selected id conflicts with terminator for different service"))
+	}
+
+	if terminator.Router != self.sourceRouter.Id {
+		log.WithField("conflictingRouter", terminator.Router).
+			Error("selected terminator address conflicts with a terminator for a different router")
+		return internalError(errors.New("selected id conflicts with terminator for different router"))
+	}
+
+	if terminator.HostId != self.session.IdentityId {
+		log.WithField("identityId", self.session.IdentityId).
+			WithField("conflictingIdentity", terminator.HostId).
+			Error("selected terminator address conflicts with a terminator for a different identity")
+		return internalError(errors.New("selected id conflicts with terminator for different identity"))
+	}
+
+	log.Info("terminator already exists")
+	return nil
+}

controller/handler_edge_ctrl/create_tunnel_terminator.go

@@ -26,6 +26,7 @@ import (
 	"github.com/openziti/ziti/controller/persistence"
 	"github.com/openziti/fabric/controller/models"
 	"github.com/openziti/fabric/controller/network"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/protobuf/proto"
 	"math"
@@ -105,7 +106,10 @@ func (self *createTunnelTerminatorHandler) CreateTerminator(ctx *CreateTunnelTer
 
 	terminator, _ := self.getNetwork().Terminators.Read(ctx.req.Address)
 	if terminator != nil {
-		logger.Info("terminator already exists")
+		if err := ctx.validateExistingTerminator(terminator, logger); err != nil {
+			self.returnError(ctx, err)
+			return
+		}
 	} else {
 		terminator = &network.Terminator{
 			BaseEntity: models.BaseEntity{
@@ -125,12 +129,13 @@ func (self *createTunnelTerminatorHandler) CreateTerminator(ctx *CreateTunnelTer
 		}
 
 		n := self.appEnv.GetHostController().GetNetwork()
-		err := n.Terminators.Create(terminator, ctx.newTunnelChangeContext())
-		if err != nil {
+		if err := n.Terminators.Create(terminator, ctx.newTunnelChangeContext()); err != nil {
 			// terminator might have been created while we were trying to create.
-			terminator, _ = self.getNetwork().Terminators.Read(ctx.req.Address)
-			if terminator != nil {
-				logger.Info("terminator already exists")
+			if terminator, _ = self.getNetwork().Terminators.Read(ctx.req.Address); terminator != nil {
+				if validateError := ctx.validateExistingTerminator(terminator, logger); validateError != nil {
+					self.returnError(ctx, validateError)
+					return
+				}
 			} else {
 				self.returnError(ctx, internalError(err))
 				return
@@ -174,3 +179,34 @@ type CreateTunnelTerminatorRequestContext struct {
 	baseTunnelRequestContext
 	req *edge_ctrl_pb.CreateTunnelTerminatorRequest
 }
+
+func (self *CreateTunnelTerminatorRequestContext) validateExistingTerminator(terminator *network.Terminator, log *logrus.Entry) controllerError {
+	if terminator.Binding != common.TunnelBinding {
+		log.WithField("binding", common.TunnelBinding).
+			WithField("conflictingBinding", terminator.Binding).
+			Error("selected terminator address conflicts with a terminator for a different binding")
+		return internalError(errors.New("selected id conflicts with terminator for different binding"))
+	}
+
+	if terminator.Service != self.session.ServiceId {
+		log.WithField("conflictingService", terminator.Service).
+			Error("selected terminator address conflicts with a terminator for a different service")
+		return internalError(errors.New("selected id conflicts with terminator for different service"))
+	}
+
+	if terminator.Router != self.sourceRouter.Id {
+		log.WithField("conflictingRouter", terminator.Router).
+			Error("selected terminator address conflicts with a terminator for a different router")
+		return internalError(errors.New("selected id conflicts with terminator for different router"))
+	}
+
+	if terminator.HostId != self.session.IdentityId {
+		log.WithField("identityId", self.session.IdentityId).
+			WithField("conflictingIdentity", terminator.HostId).
+			Error("selected terminator address conflicts with a terminator for a different identity")
+		return internalError(errors.New("selected id conflicts with terminator for different identity"))
+	}
+
+	log.Info("terminator already exists")
+	return nil
+}