a21e5799f7
A previous commit introduced an internally-managed server certificate to use for peering-related purposes. Now the peering token has been updated to match that behavior: - The server name matches the structure of the server cert - The CA PEMs correspond to the Connect CA Note that if Conect is disabled, and by extension the Connect CA, we fall back to the previous behavior of returning the manually configured certs and local server SNI. Several tests were updated to use the gRPC TLS port since they enable Connect by default. This means that the peering token will embed the Connect CA, and the dialer will expect a TLS listener.
51 lines
1.2 KiB
Go
51 lines
1.2 KiB
Go
package peering
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"strconv"
|
|
|
|
"github.com/hashicorp/consul/agent/connect"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
// validatePeeringToken ensures that the token has valid values.
|
|
func validatePeeringToken(tok *structs.PeeringToken) error {
|
|
// the CA values here should be valid x509 certs
|
|
for _, certStr := range tok.CA {
|
|
// TODO(peering): should we put these in a cert pool on the token?
|
|
// maybe there's a better place to do the parsing?
|
|
if _, err := connect.ParseCert(certStr); err != nil {
|
|
return fmt.Errorf("peering token invalid CA: %w", err)
|
|
}
|
|
}
|
|
|
|
if len(tok.ServerAddresses) == 0 {
|
|
return errPeeringTokenEmptyServerAddresses
|
|
}
|
|
for _, addr := range tok.ServerAddresses {
|
|
_, portRaw, err := net.SplitHostPort(addr)
|
|
if err != nil {
|
|
return &errPeeringInvalidServerAddress{addr}
|
|
}
|
|
|
|
port, err := strconv.Atoi(portRaw)
|
|
if err != nil {
|
|
return &errPeeringInvalidServerAddress{addr}
|
|
}
|
|
if port < 1 || port > 65535 {
|
|
return &errPeeringInvalidServerAddress{addr}
|
|
}
|
|
}
|
|
|
|
if len(tok.CA) > 0 && tok.ServerName == "" {
|
|
return errPeeringTokenEmptyServerName
|
|
}
|
|
|
|
if tok.PeerID == "" {
|
|
return errPeeringTokenEmptyPeerID
|
|
}
|
|
|
|
return nil
|
|
}
|