fix(tailnet): enforce valid agent and client addresses #12197
Conversation
48d488b to 2491fa5
2491fa5 to 865dbfc
tailnet/tunnel.go (outdated)

    type TunnelAuth interface {
        Authorize(dst uuid.UUID) bool
        AuthorizeIP(src uuid.UUID, ip netip.Prefix) bool
    }
Probably should rename this from TunnelAuth because it now covers more than tunnels. CoordReqAuth? Doesn't roll off the tongue...
In fact, maybe we should refactor this to authorize the *proto.CoordinateRequest instead of having multiple methods --- will make it easier to do other kinds of authorization in future
yeah, i actually like that a lot better
5c402f4 to d472478
This adds the ability for TunnelAuth to also authorize incoming WireGuard node IPs, preventing agents from reporting anything other than their static IP generated from the agent ID.
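The following is an added example, not code from the coder/coder repository or from this PR, illustrating the check the PR describes together with the refactoring suggested in review (authorizing a whole coordinate request rather than exposing separate Authorize and AuthorizeIP methods). It stands in a local 16-byte UUID type for uuid.UUID and a simplified CoordinateRequest struct for *proto.CoordinateRequest so that it builds with the standard library alone. The address derivation (the 16 UUID bytes used directly as an IPv6 address) and the rule that every node, agent or client, owns exactly one /128 are assumptions of this example; the PR only says the static IP is generated from the agent ID.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// UUID stands in for uuid.UUID (16 bytes) so the example has no dependencies.
type UUID [16]byte

// CoordinateRequest is a simplified stand-in for *proto.CoordinateRequest:
// one update from a node, carrying the addresses it claims and, optionally,
// a tunnel it wants to open.
type CoordinateRequest struct {
	Src       UUID
	Addresses []netip.Prefix
	TunnelDst *UUID
}

// RequestAuth authorizes a whole request at once, the shape suggested in the
// review thread instead of one method per check.
type RequestAuth interface {
	Authorize(req *CoordinateRequest) error
}

var (
	ErrWrongSource  = errors.New("request src does not match the authenticated node")
	ErrBadAddress   = errors.New("node reported an address it does not own")
	ErrTunnelDenied = errors.New("tunnel destination not allowed")
)

// IPFromID derives a node's single static tailnet address from its ID.
// Assumption for this example: the UUID bytes are the IPv6 address.
func IPFromID(id UUID) netip.Addr {
	return netip.AddrFrom16(id)
}

// NodeAuth is the policy bound to one authenticated connection. The ID comes
// from authentication, never from the request, so the request cannot talk
// its way into another node's identity or address.
type NodeAuth struct {
	ID          UUID
	AllowTunnel func(dst UUID) bool // nil: this node may not open tunnels
}

func (a NodeAuth) Authorize(req *CoordinateRequest) error {
	if req.Src != a.ID {
		return fmt.Errorf("%w: got %x", ErrWrongSource, req.Src)
	}
	want := IPFromID(a.ID)
	for _, p := range req.Addresses {
		// Only the node's own /128 is acceptable. A wider prefix or a foreign
		// address would let the node attract traffic meant for other nodes.
		if !p.IsValid() || p.Bits() != 128 || p.Addr() != want {
			return fmt.Errorf("%w: %s (expected %s/128)", ErrBadAddress, p, want)
		}
	}
	if req.TunnelDst != nil && (a.AllowTunnel == nil || !a.AllowTunnel(*req.TunnelDst)) {
		return fmt.Errorf("%w: %x", ErrTunnelDenied, *req.TunnelDst)
	}
	return nil
}

func main() {
	// Constructed sample IDs, not real agent or client IDs.
	agent := UUID{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	victim := UUID{16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1}
	var auth RequestAuth = NodeAuth{ID: agent}

	requests := map[string]*CoordinateRequest{
		"own address":     {Src: agent, Addresses: []netip.Prefix{netip.PrefixFrom(IPFromID(agent), 128)}},
		"foreign address": {Src: agent, Addresses: []netip.Prefix{netip.PrefixFrom(IPFromID(victim), 128)}},
		"wide prefix":     {Src: agent, Addresses: []netip.Prefix{netip.PrefixFrom(IPFromID(agent), 64)}},
		"spoofed src":     {Src: victim},
		"tunnel attempt":  {Src: agent, TunnelDst: &victim},
	}
	for name, req := range requests {
		fmt.Printf("%-16s -> %v\n", name, auth.Authorize(req))
	}
}
```

Binding the expected address to the authenticated ID (rather than to anything in the request) is the whole point: the coordinator decides what a node's address is, and the node can only confirm it.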