Added check for empty peeringsni in restrictPeeringEndpoints (#15239)
Add check for empty peeringSNI in restrictPeeringEndpoints Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
This commit is contained in:
parent
0a3dbb1c6e
commit
befefe42ee
|
@ -66,6 +66,10 @@ func (a *AuthInterceptor) InterceptStream(
|
|||
// present a mutual TLS certificate, and is allowed to bypass the `tls.grpc.verify_incoming`
|
||||
// check as a special case. See the `tlsutil.Configurator` for this bypass.
|
||||
func restrictPeeringEndpoints(authInfo credentials.AuthInfo, peeringSNI string, endpoint string) error {
|
||||
// No peering connection has been configured
|
||||
if peeringSNI == "" {
|
||||
return nil
|
||||
}
|
||||
// This indicates a plaintext connection.
|
||||
if authInfo == nil {
|
||||
return nil
|
||||
|
@ -75,6 +79,7 @@ func restrictPeeringEndpoints(authInfo credentials.AuthInfo, peeringSNI string,
|
|||
if !ok {
|
||||
return status.Error(codes.Unauthenticated, "invalid transport credentials")
|
||||
}
|
||||
|
||||
if tlsAuth.State.ServerName == peeringSNI {
|
||||
// Prevent any calls, except those in the PeerStreamService
|
||||
if !strings.HasPrefix(endpoint, AllowedPeerEndpointPrefix) {
|
||||
|
|
|
@ -30,9 +30,16 @@ func TestGRPCMiddleware_restrictPeeringEndpoints(t *testing.T) {
|
|||
endpoint: "/hashicorp.consul.internal.peerstream.PeerStreamService/SomeEndpoint",
|
||||
},
|
||||
{
|
||||
name: "deny_invalid_credentials",
|
||||
authInfo: invalidAuthInfo{},
|
||||
expectErr: "invalid transport credentials",
|
||||
name: "peering_not_enabled",
|
||||
authInfo: nil,
|
||||
peeringSNI: "",
|
||||
endpoint: "/hashicorp.consul.internal.peerstream.PeerStreamService/SomeEndpoint",
|
||||
},
|
||||
{
|
||||
name: "deny_invalid_credentials",
|
||||
authInfo: invalidAuthInfo{},
|
||||
peeringSNI: "expected-server-sni",
|
||||
expectErr: "invalid transport credentials",
|
||||
},
|
||||
{
|
||||
name: "peering_sni_with_invalid_endpoint",
|
||||
|
@ -72,6 +79,7 @@ func TestGRPCMiddleware_restrictPeeringEndpoints(t *testing.T) {
|
|||
if tc.expectErr == "" {
|
||||
require.NoError(t, err)
|
||||
} else {
|
||||
require.NotNil(t, err)
|
||||
require.Contains(t, err.Error(), tc.expectErr)
|
||||
}
|
||||
})
|
||||
|
|
Loading…
Reference in New Issue