Check peer certs #2545

Merged
merged 1 commit into from
Nov 18, 2024
Merged
29 changes: 26 additions & 3 deletions controller/raft/mesh/mesh.go
Expand Up @@ -460,7 +460,7 @@ func (self *impl) GetOrConnectPeer(address string, timeout time.Duration) (*Peer

peer.Channel = binding.GetChannel()

if err = self.checkClusterIds(peer.Channel); err != nil {
if err = self.validateConnection(peer.Channel); err != nil {
return err
}

Expand Down Expand Up @@ -510,6 +510,14 @@ func (self *impl) GetOrConnectPeer(address string, timeout time.Duration) (*Peer
return peer, nil
}

func (self *impl) validateConnection(ch channel.Channel) error {
if err := self.checkClusterIds(ch); err != nil {
return err
}

return self.checkCerts(ch)
}

func (self *impl) checkClusterIds(ch channel.Channel) error {
clusterId := string(ch.Underlay().Headers()[ClusterIdHeader])
if clusterId != "" && self.env.GetClusterId() != "" && clusterId != self.env.GetClusterId() {
Expand All @@ -518,6 +526,21 @@ func (self *impl) checkClusterIds(ch channel.Channel) error {
return nil
}

func (self *impl) checkCerts(ch channel.Channel) error {
certs := ch.Underlay().Certificates()
if len(certs) == 0 {
return errors.New("unable to validate peer connection, no certs presented")
}

for _, cert := range ch.Underlay().Certificates() {
if _, err := self.env.GetNodeId().CaPool().VerifyToRoot(cert); err == nil {
return nil
}
}

return errors.New("unable to validate peer connection, no certs presented matched the CA for this node")
}

func (self *impl) GetPeerInfo(address string, timeout time.Duration) (raft.ServerID, raft.ServerAddress, error) {
log := pfxlog.Logger().WithField("address", address)
addr, err := transport.ParseAddress(address)
Expand Down Expand Up @@ -560,7 +583,7 @@ func (self *impl) GetPeerInfo(address string, timeout time.Duration) (raft.Serve
return err
}

if err = self.checkClusterIds(binding.GetChannel()); err != nil {
if err = self.validateConnection(binding.GetChannel()); err != nil {
return err
}

Expand Down Expand Up @@ -794,7 +817,7 @@ func (self *impl) AcceptUnderlay(underlay channel.Underlay) error {
}
}

if err = self.checkClusterIds(peer.Channel); err != nil {
if err = self.validateConnection(peer.Channel); err != nil {
return err
}

Expand Down
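Review bot: checkCerts passes the connection if any certificate in the presented chain verifies to this node's CA pool, so a chain whose leaf is not issued by our CA but which includes an intermediate or root from our pool would still be accepted, assuming VerifyToRoot accepts CA certificates and the TLS layer is not already verifying the leaf. Verify only the leaf, which in TLS order is the first certificate, and keep the verification error so operators can see why a peer was rejected: `if _, err := self.env.GetNodeId().CaPool().VerifyToRoot(certs[0]); err != nil { return fmt.Errorf("unable to validate peer connection, peer cert did not verify to the CA for this node: %w", err) }` (this needs `fmt` imported if it is not already). The loop also re-reads `ch.Underlay().Certificates()` instead of using the `certs` slice captured two lines earlier. Note that chaining to the root still says nothing about the certificate's key usage or identity fields, so this check authenticates "issued by our CA", not "is a controller"; a short comment stating that intended scope above checkCerts would help the next reader.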