Added check for empty peeringsni in restrictPeeringEndpoints (#15239)

Add check for empty peeringSNI in restrictPeeringEndpoints

Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
sarahalsmiller 2022-11-02 17:20:52 -05:00 committed by GitHub
parent 0a3dbb1c6e
commit befefe42ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 3 deletions


@ -66,6 +66,10 @@ func (a *AuthInterceptor) InterceptStream(
// present a mutual TLS certificate, and is allowed to bypass the `tls.grpc.verify_incoming`
// check as a special case. See the `tlsutil.Configurator` for this bypass.
func restrictPeeringEndpoints(authInfo credentials.AuthInfo, peeringSNI string, endpoint string) error {
// No peering connection has been configured
if peeringSNI == "" {
return nil
}
// This indicates a plaintext connection.
if authInfo == nil {
return nil
@ -75,6 +79,7 @@ func restrictPeeringEndpoints(authInfo credentials.AuthInfo, peeringSNI string,
if !ok {
return status.Error(codes.Unauthenticated, "invalid transport credentials")
}
if tlsAuth.State.ServerName == peeringSNI {
// Prevent any calls, except those in the PeerStreamService
if !strings.HasPrefix(endpoint, AllowedPeerEndpointPrefix) {
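Review bot: The new early return at `if peeringSNI == "" { return nil }` sits before the `if !ok` type assertion, so when no peering SNI is configured the function no longer returns the "invalid transport credentials" error for a non-TLS AuthInfo; that is presumably acceptable because this function only gates peering endpoints, but the comment should say so rather than leave it implicit. Replace `// No peering connection has been configured` with `// Peering is not configured (empty SNI), so there is no peering listener to restrict: every endpoint is allowed and the credentials are not inspected here.` The function's doc comment, which begins above this hunk, should also state the contract, e.g. `An empty peeringSNI disables the restriction and always returns nil.` If the credential-type rejection is relied on independently of peering, the empty-SNI check should instead move below the type assertion. The body of restrictPeeringEndpoints continues past the second hunk.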


@ -29,9 +29,16 @@ func TestGRPCMiddleware_restrictPeeringEndpoints(t *testing.T) {
peeringSNI: "expected-server-sni",
endpoint: "/hashicorp.consul.internal.peerstream.PeerStreamService/SomeEndpoint",
},
{
name: "peering_not_enabled",
authInfo: nil,
peeringSNI: "",
endpoint: "/hashicorp.consul.internal.peerstream.PeerStreamService/SomeEndpoint",
},
{
name: "deny_invalid_credentials",
authInfo: invalidAuthInfo{},
peeringSNI: "expected-server-sni",
expectErr: "invalid transport credentials",
},
{
@ -72,6 +79,7 @@ func TestGRPCMiddleware_restrictPeeringEndpoints(t *testing.T) {
if tc.expectErr == "" {
require.NoError(t, err)
} else {
require.NotNil(t, err)
require.Contains(t, err.Error(), tc.expectErr)
}
})
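Review bot: The new `peering_not_enabled` case does not exercise the added empty-SNI branch: with `authInfo: nil` the function already returned nil before this commit through the plaintext check, so this case passes with or without the change. To pin the new behaviour, give the case an AuthInfo the old code rejected and expect no error, e.g. `authInfo: invalidAuthInfo{},` together with `peeringSNI: ""` and no `expectErr`; the `deny_invalid_credentials` case right below shows that input otherwise yields "invalid transport credentials". In the second hunk, `require.NotNil(t, err)` would read better as `require.Error(t, err)`. The enclosing test function starts outside the hunk.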