
fix(tailnet): enforce valid agent and client addresses #12197

Merged
merged 5 commits into from
Mar 1, 2024

Conversation

coadler (Member) commented Feb 16, 2024

This adds the ability for TunnelAuth to also authorize incoming wireguard node IPs, preventing agents from reporting anything other than their static IP generated from the agent ID.
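As an added illustration, not code from this PR or from the coder project, the check the description above calls for: an AuthorizeIP in the shape quoted later in the review that accepts only the single /128 derived from the reporting node's ID, applied to every address in a node update. The ID type, the address derivation and the helper names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AgentID stands in for uuid.UUID (github.com/google/uuid) so the example has
// no third-party dependency; it is an assumption, not the project's type.
type AgentID [16]byte

// ipFromAgentID derives the agent's static tailnet address from its ID.
// The scheme used here (a fixed ULA prefix followed by the last ten bytes
// of the ID) is an assumption for this example, not coder's real mapping.
func ipFromAgentID(id AgentID) netip.Addr {
	var raw [16]byte
	copy(raw[:6], []byte{0xfd, 0x7a, 0x11, 0x5c, 0xa1, 0xe0})
	copy(raw[6:], id[6:])
	return netip.AddrFrom16(raw)
}

// nodeAuth follows the AuthorizeIP(src, ip) shape quoted in the review.
type nodeAuth struct{}

// AuthorizeIP accepts only the single /128 that src's ID maps to; any
// wider prefix, IPv4 address or foreign address is rejected.
func (nodeAuth) AuthorizeIP(src AgentID, ip netip.Prefix) bool {
	if !ip.IsValid() || !ip.Addr().Is6() || ip.Addr().Is4In6() || ip.Bits() != 128 {
		return false
	}
	return ip.Addr() == ipFromAgentID(src)
}

// validateNodeAddresses applies the check to every address a node reports;
// a coordinator would drop the whole update on the first failure.
func validateNodeAddresses(a nodeAuth, src AgentID, addrs []netip.Prefix) error {
	for _, p := range addrs {
		if !a.AuthorizeIP(src, p) {
			return fmt.Errorf("node %x reported unauthorized address %s", src[:4], p)
		}
	}
	return nil
}

func main() {
	id := AgentID{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10}
	own := netip.PrefixFrom(ipFromAgentID(id), 128)
	spoofed := netip.MustParsePrefix("fd7a:115c:a1e0::1/128") // constructed foreign address
	fmt.Println(validateNodeAddresses(nodeAuth{}, id, []netip.Prefix{own}))
	fmt.Println(validateNodeAddresses(nodeAuth{}, id, []netip.Prefix{own, spoofed}))
}
```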


@coadler coadler force-pushed the colin/fixtailnetenforcevalidagentandclientaddresses branch from 48d488b to 2491fa5 Compare February 16, 2024 23:28
@coadler coadler force-pushed the colin/fixtailnetenforcevalidagentandclientaddresses branch from 2491fa5 to 865dbfc Compare February 28, 2024 19:40

```go
type TunnelAuth interface {
	Authorize(dst uuid.UUID) bool
	AuthorizeIP(src uuid.UUID, ip netip.Prefix) bool
}
```
Contributor:

Probably should rename this from TunnelAuth because it now covers more than tunnels. CoordReqAuth? Doesn't roll off the tongue...

Contributor:

In fact, maybe we should refactor this to authorize the *proto.CoordinateRequest instead of having multiple methods --- will make it easier to do other kinds of authorization in future

Member Author:

Yeah, I actually like that a lot better.

Resolved (outdated) review threads on: tailnet/tunnel.go, tailnet/coordinator_test.go
@coadler coadler force-pushed the colin/fixtailnetenforcevalidagentandclientaddresses branch from 5c402f4 to d472478 Compare March 1, 2024 04:59
@coadler coadler requested a review from spikecurtis March 1, 2024 05:23
@coadler coadler merged commit e5d9114 into main Mar 1, 2024
24 checks passed
@coadler coadler deleted the colin/fixtailnetenforcevalidagentandclientaddresses branch March 1, 2024 15:02
@github-actions github-actions bot locked and limited conversation to collaborators Mar 1, 2024