2023-03-28 18:39:22 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 13:12:13 +00:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 18:39:22 +00:00
|
|
|
|
2022-10-28 20:34:41 +00:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/tlsutil"
|
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
|
"google.golang.org/grpc/codes"
|
|
|
|
|
"google.golang.org/grpc/credentials"
|
|
|
|
|
"google.golang.org/grpc/peer"
|
|
|
|
|
"google.golang.org/grpc/status"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const AllowedPeerEndpointPrefix = "/hashicorp.consul.internal.peerstream.PeerStreamService/"
|
|
|
|
|
|
|
|
|
|
// AuthInterceptor provides gRPC interceptors for restricting endpoint access based
|
|
|
|
|
// on SNI. If the connection is plaintext, this filter will not activate, and the
|
|
|
|
|
// connection will be allowed to proceed.
|
|
|
|
|
type AuthInterceptor struct {
|
|
|
|
|
TLS *tlsutil.Configurator
|
|
|
|
|
Logger Logger
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// InterceptUnary prevents non-streaming gRPC calls from calling certain endpoints,
|
|
|
|
|
// based on the SNI information.
|
|
|
|
|
func (a *AuthInterceptor) InterceptUnary(
|
|
|
|
|
ctx context.Context,
|
|
|
|
|
req interface{},
|
|
|
|
|
info *grpc.UnaryServerInfo,
|
|
|
|
|
handler grpc.UnaryHandler,
|
|
|
|
|
) (interface{}, error) {
|
|
|
|
|
p, ok := peer.FromContext(ctx)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, fmt.Errorf("unable to fetch peer info from grpc context")
|
|
|
|
|
}
|
|
|
|
|
err := restrictPeeringEndpoints(p.AuthInfo, a.TLS.PeeringServerName(), info.FullMethod)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return handler(ctx, req)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// InterceptUnary prevents streaming gRPC calls from calling certain endpoints,
|
|
|
|
|
// based on the SNI information.
|
|
|
|
|
func (a *AuthInterceptor) InterceptStream(
|
|
|
|
|
srv interface{},
|
|
|
|
|
ss grpc.ServerStream,
|
|
|
|
|
info *grpc.StreamServerInfo,
|
|
|
|
|
handler grpc.StreamHandler,
|
|
|
|
|
) error {
|
|
|
|
|
p, ok := peer.FromContext(ss.Context())
|
|
|
|
|
if !ok {
|
|
|
|
|
return fmt.Errorf("unable to fetch peer info from grpc context")
|
|
|
|
|
}
|
|
|
|
|
err := restrictPeeringEndpoints(p.AuthInfo, a.TLS.PeeringServerName(), info.FullMethod)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return handler(srv, ss)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// restrictPeeringEndpoints will return an error if a peering TLS connection attempts to call
|
|
|
|
|
// a non-peering endpoint. This is necessary, because the peer streaming workflow does not
|
|
|
|
|
// present a mutual TLS certificate, and is allowed to bypass the `tls.grpc.verify_incoming`
|
|
|
|
|
// check as a special case. See the `tlsutil.Configurator` for this bypass.
|
|
|
|
|
func restrictPeeringEndpoints(authInfo credentials.AuthInfo, peeringSNI string, endpoint string) error {
|
2022-11-02 22:20:52 +00:00
|
|
|
// No peering connection has been configured
|
|
|
|
|
if peeringSNI == "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2022-10-28 20:34:41 +00:00
|
|
|
// This indicates a plaintext connection.
|
|
|
|
|
if authInfo == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
// Otherwise attempt to check the AuthInfo for TLS credentials.
|
|
|
|
|
tlsAuth, ok := authInfo.(credentials.TLSInfo)
|
|
|
|
|
if !ok {
|
|
|
|
|
return status.Error(codes.Unauthenticated, "invalid transport credentials")
|
|
|
|
|
}
|
2022-11-02 22:20:52 +00:00
|
|
|
|
2022-10-28 20:34:41 +00:00
|
|
|
if tlsAuth.State.ServerName == peeringSNI {
|
|
|
|
|
// Prevent any calls, except those in the PeerStreamService
|
|
|
|
|
if !strings.HasPrefix(endpoint, AllowedPeerEndpointPrefix) {
|
|
|
|
|
return status.Error(codes.PermissionDenied, "invalid permissions to the specified endpoint")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
