open-consul/agent/rpc/peering/validate.go

63 lines
1.5 KiB
Go

package peering
import (
"fmt"
"net"
"strconv"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
// TODO: replace this with net/netip when we upgrade to go1.18
"inet.af/netaddr"
)
// validatePeeringToken ensures that the token has valid values.
func validatePeeringToken(tok *structs.PeeringToken) error {
if len(tok.CA) == 0 {
return errPeeringTokenEmptyCA
}
// the CA values here should be valid x509 certs
for _, certStr := range tok.CA {
// TODO(peering): should we put these in a cert pool on the token?
// maybe there's a better place to do the parsing?
if _, err := connect.ParseCert(certStr); err != nil {
return fmt.Errorf("peering token invalid CA: %w", err)
}
}
if len(tok.ServerAddresses) == 0 {
return errPeeringTokenEmptyServerAddresses
}
for _, addr := range tok.ServerAddresses {
host, portRaw, err := net.SplitHostPort(addr)
if err != nil {
return &errPeeringInvalidServerAddress{addr}
}
port, err := strconv.Atoi(portRaw)
if err != nil {
return &errPeeringInvalidServerAddress{addr}
}
if port < 1 || port > 65535 {
return &errPeeringInvalidServerAddress{addr}
}
if _, err := netaddr.ParseIP(host); err != nil {
return &errPeeringInvalidServerAddress{addr}
}
}
// TODO(peering): validate name matches SNI?
// TODO(peering): validate name well formed?
if tok.ServerName == "" {
return errPeeringTokenEmptyServerName
}
if tok.PeerID == "" {
return errPeeringTokenEmptyPeerID
}
return nil
}