a8eb047ee6
Re-add ServerExternalAddresses parameter in GenerateToken endpoint. This reverts commit 5e156772f6a7fba5324eb6804ae4e93c091229a6 and adds extra functionality to support newer peering behaviors.
package peering
import (
"fmt"
"net"
"strconv"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
)
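// validatePeeringToken ensures that the token has valid values.
//
// It checks, in order, that every CA entry parses as an x509 certificate,
// that at least one server address is present and that every address is a
// host:port pair with a non-empty host and an unsigned decimal port in
// 1..65535, that a ServerName accompanies any CA material, and that the
// PeerID is set. The first failing check is returned; nil means the token
// passed every check.
func validatePeeringToken(tok *structs.PeeringToken) error {
	// the CA values here should be valid x509 certs
	for _, certStr := range tok.CA {
		// TODO(peering): should we put these in a cert pool on the token?
		// maybe there's a better place to do the parsing?
		if _, err := connect.ParseCert(certStr); err != nil {
			return fmt.Errorf("peering token invalid CA: %w", err)
		}
	}

	if len(tok.ServerAddresses) == 0 && len(tok.ManualServerAddresses) == 0 {
		return errPeeringTokenEmptyServerAddresses
	}

	// validAddr accepts only a dialable host:port pair. net.SplitHostPort on
	// its own accepts ":8300" (empty host), which the dialing cluster could
	// not use to reach the accepting cluster, so the host must be non-empty.
	validAddr := func(addr string) error {
		host, portRaw, err := net.SplitHostPort(addr)
		if err != nil || host == "" {
			return &errPeeringInvalidServerAddress{addr}
		}

		// ParseUint with bitSize 16 rejects signed, non-decimal and
		// out-of-range values in one step; only port 0 remains to exclude.
		port, err := strconv.ParseUint(portRaw, 10, 16)
		if err != nil || port == 0 {
			return &errPeeringInvalidServerAddress{addr}
		}
		return nil
	}

	// Manual addresses are checked before the advertised server addresses
	// so an error is reported for them first, preserving the prior order.
	for _, addrs := range [][]string{tok.ManualServerAddresses, tok.ServerAddresses} {
		for _, addr := range addrs {
			if err := validAddr(addr); err != nil {
				return err
			}
		}
	}

	if len(tok.CA) > 0 && tok.ServerName == "" {
		return errPeeringTokenEmptyServerName
	}

	if tok.PeerID == "" {
		return errPeeringTokenEmptyPeerID
	}

	return nil
}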