consul/agent/rpc/peering/validate.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package peering

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strconv"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/structs"
)

// matches valid DNS labels according to RFC 1123, should be at most 63
// characters according to the RFC. This does not allow uppercase letters, unlike
// node / service validation. All lowercase is enforced to reduce potential issues
// relating to case-mismatch throughout the codebase (state-store lookups,
// envoy listeners, etc).
var validPeeringName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-]{0,61}[a-z0-9])?$`)

// validatePeerName returns an error if the peer name does not match
// the expected format. Returns nil on valid names.
func validatePeerName(name string) error {
	if !validPeeringName.MatchString(name) {
		return errors.New("a valid peering name must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character")
	}
	return nil
}

// validatePeeringToken ensures that the token has valid values.
func validatePeeringToken(tok *structs.PeeringToken) error {
	// the CA values here should be valid x509 certs
	for _, certStr := range tok.CA {
		// TODO(peering): should we put these in a cert pool on the token?
		// maybe there's a better place to do the parsing?
		if _, err := connect.ParseCert(certStr); err != nil {
			return fmt.Errorf("peering token invalid CA: %w", err)
		}
	}

	if len(tok.ServerAddresses) == 0 && len(tok.ManualServerAddresses) == 0 {
		return errPeeringTokenEmptyServerAddresses
	}
	validAddr := func(addr string) error {
		_, portRaw, err := net.SplitHostPort(addr)
		if err != nil {
			return &errPeeringInvalidServerAddress{addr}
		}

		port, err := strconv.Atoi(portRaw)
		if err != nil {
			return &errPeeringInvalidServerAddress{addr}
		}
		if port < 1 || port > 65535 {
			return &errPeeringInvalidServerAddress{addr}
		}
		return nil
	}
	for _, addr := range tok.ManualServerAddresses {
		if err := validAddr(addr); err != nil {
			return err
		}
	}
	for _, addr := range tok.ServerAddresses {
		if err := validAddr(addr); err != nil {
			return err
		}
	}

	if len(tok.CA) > 0 && tok.ServerName == "" {
		return errPeeringTokenEmptyServerName
	}

	if tok.PeerID == "" {
		return errPeeringTokenEmptyPeerID
	}

	return nil
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`package peering`

			`import (`
Enforce lowercase peer names. (#15697) Enforce lowercase peer names. Prior to this change peer names could be mixed case. This can cause issues, as peer names are used as DNS labels in various locations. It also caused issues with envoy configuration. 2023-01-13 20:20:28 +00:00			`"errors"`
peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`"fmt"`
			`"net"`
Enforce lowercase peer names. (#15697) Enforce lowercase peer names. Prior to this change peer names could be mixed case. This can cause issues, as peer names are used as DNS labels in various locations. It also caused issues with envoy configuration. 2023-01-13 20:20:28 +00:00			`"regexp"`
peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`"strconv"`

			`"github.com/hashicorp/consul/agent/connect"`
			`"github.com/hashicorp/consul/agent/structs"`
			`)`

Enforce lowercase peer names. (#15697) Enforce lowercase peer names. Prior to this change peer names could be mixed case. This can cause issues, as peer names are used as DNS labels in various locations. It also caused issues with envoy configuration. 2023-01-13 20:20:28 +00:00			`// matches valid DNS labels according to RFC 1123, should be at most 63`
			`// characters according to the RFC. This does not allow uppercase letters, unlike`
			`// node / service validation. All lowercase is enforced to reduce potential issues`
			`// relating to case-mismatch throughout the codebase (state-store lookups,`
			`// envoy listeners, etc).`
			var validPeeringName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-]{0,61}[a-z0-9])?$`)

			`// validatePeerName returns an error if the peer name does not match`
			`// the expected format. Returns nil on valid names.`
			`func validatePeerName(name string) error {`
			`if !validPeeringName.MatchString(name) {`
			`return errors.New("a valid peering name must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character")`
			`}`
			`return nil`
			`}`

peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`// validatePeeringToken ensures that the token has valid values.`
			`func validatePeeringToken(tok *structs.PeeringToken) error {`
			`// the CA values here should be valid x509 certs`
			`for _, certStr := range tok.CA {`
			`// TODO(peering): should we put these in a cert pool on the token?`
			`// maybe there's a better place to do the parsing?`
			`if _, err := connect.ParseCert(certStr); err != nil {`
			`return fmt.Errorf("peering token invalid CA: %w", err)`
			`}`
			`}`

Bring back parameter ServerExternalAddresses in GenerateToken endpoint (#15267) Re-add ServerExternalAddresses parameter in GenerateToken endpoint This reverts commit 5e156772f6a7fba5324eb6804ae4e93c091229a6 and adds extra functionality to support newer peering behaviors. 2022-11-08 20:55:18 +00:00			`if len(tok.ServerAddresses) == 0 && len(tok.ManualServerAddresses) == 0 {`
peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`return errPeeringTokenEmptyServerAddresses`
			`}`
Bring back parameter ServerExternalAddresses in GenerateToken endpoint (#15267) Re-add ServerExternalAddresses parameter in GenerateToken endpoint This reverts commit 5e156772f6a7fba5324eb6804ae4e93c091229a6 and adds extra functionality to support newer peering behaviors. 2022-11-08 20:55:18 +00:00			`validAddr := func(addr string) error {`
peering: remove validation that forces peering token server addresses to be an IP, allow hostname based addresses (#13874) 2022-07-25 23:33:47 +00:00			`_, portRaw, err := net.SplitHostPort(addr)`
peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`if err != nil {`
			`return &errPeeringInvalidServerAddress{addr}`
			`}`

			`port, err := strconv.Atoi(portRaw)`
			`if err != nil {`
			`return &errPeeringInvalidServerAddress{addr}`
			`}`
			`if port < 1 \|\| port > 65535 {`
			`return &errPeeringInvalidServerAddress{addr}`
			`}`
Bring back parameter ServerExternalAddresses in GenerateToken endpoint (#15267) Re-add ServerExternalAddresses parameter in GenerateToken endpoint This reverts commit 5e156772f6a7fba5324eb6804ae4e93c091229a6 and adds extra functionality to support newer peering behaviors. 2022-11-08 20:55:18 +00:00			`return nil`
			`}`
			`for _, addr := range tok.ManualServerAddresses {`
			`if err := validAddr(addr); err != nil {`
			`return err`
			`}`
			`}`
			`for _, addr := range tok.ServerAddresses {`
			`if err := validAddr(addr); err != nil {`
			`return err`
			`}`
peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`}`

Use internal server certificate for peering TLS A previous commit introduced an internally-managed server certificate to use for peering-related purposes. Now the peering token has been updated to match that behavior: - The server name matches the structure of the server cert - The CA PEMs correspond to the Connect CA Note that if Conect is disabled, and by extension the Connect CA, we fall back to the previous behavior of returning the manually configured certs and local server SNI. Several tests were updated to use the gRPC TLS port since they enable Connect by default. This means that the peering token will embed the Connect CA, and the dialer will expect a TLS listener. 2022-09-29 03:27:11 +00:00			`if len(tok.CA) > 0 && tok.ServerName == "" {`
peering: initial sync (#12842) - Add endpoints related to peering: read, list, generate token, initiate peering - Update node/service/check table indexing to account for peers - Foundational changes for pushing service updates to a peer - Plumb peer name through Health.ServiceNodes path see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679, ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663, ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634, ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555 Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: freddygv <freddy@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Evan Culver <eculver@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> 2022-04-21 22:34:40 +00:00			`return errPeeringTokenEmptyServerName`
			`}`

			`if tok.PeerID == "" {`
			`return errPeeringTokenEmptyPeerID`
			`}`

			`return nil`
			`}`