
package peering
import (
"fmt"
"net"
"strconv"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
)
// validatePeeringToken ensures that the token has valid values.
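// validatePeeringToken ensures that the token has valid values.
//
// Nothing in the token is trusted by this function; every field it reads is
// checked. A token is accepted only if:
//   - every entry in CA parses as an x509 certificate (CA itself may be empty);
//   - at least one of ServerAddresses or ManualServerAddresses is non-empty,
//     and every entry in both lists is "host:port" (or "[ipv6]:port") with a
//     non-empty host and a port in 1..65535;
//   - ServerName is set whenever CA is non-empty;
//   - PeerID is set.
//
// It returns nil on success, a wrapped parse error for a bad CA entry, and the
// package's sentinel/typed errors for the remaining cases.
func validatePeeringToken(tok *structs.PeeringToken) error {
	// the CA values here should be valid x509 certs
	for _, certStr := range tok.CA {
		// TODO(peering): should we put these in a cert pool on the token?
		// maybe there's a better place to do the parsing?
		if _, err := connect.ParseCert(certStr); err != nil {
			return fmt.Errorf("peering token invalid CA: %w", err)
		}
	}

	if len(tok.ServerAddresses) == 0 && len(tok.ManualServerAddresses) == 0 {
		return errPeeringTokenEmptyServerAddresses
	}

	// validAddr accepts only "host:port" with a non-empty host and an unsigned
	// decimal port in 1..65535; anything else yields errPeeringInvalidServerAddress.
	validAddr := func(addr string) error {
		host, portRaw, err := net.SplitHostPort(addr)
		if err != nil {
			return &errPeeringInvalidServerAddress{addr}
		}
		// SplitHostPort happily accepts ":8300". An empty host means "the local
		// system" to net.Dial, which is never a sensible peer address, so reject it
		// here rather than letting the dialer pick a target on its own.
		if host == "" {
			return &errPeeringInvalidServerAddress{addr}
		}
		// ParseUint (rather than Atoi) rejects a leading sign such as "+8300" and
		// anything that does not fit in 16 bits; port 0 is excluded separately.
		port, err := strconv.ParseUint(portRaw, 10, 16)
		if err != nil || port == 0 {
			return &errPeeringInvalidServerAddress{addr}
		}
		return nil
	}

	for _, addr := range tok.ManualServerAddresses {
		if err := validAddr(addr); err != nil {
			return err
		}
	}
	for _, addr := range tok.ServerAddresses {
		if err := validAddr(addr); err != nil {
			return err
		}
	}

	// A CA without a ServerName is rejected; presumably ServerName is what the
	// dialer verifies the peer's certificate against — confirm against the caller.
	if len(tok.CA) > 0 && tok.ServerName == "" {
		return errPeeringTokenEmptyServerName
	}

	if tok.PeerID == "" {
		return errPeeringTokenEmptyPeerID
	}

	return nil
}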