
azure: Verify VM ID when registering nodes
hakman committed Jul 15, 2023
1 parent 15b44ba commit 576ef5e
Showing 2 changed files with 17 additions and 5 deletions.
9 changes: 7 additions & 2 deletions upup/pkg/fi/cloudup/azure/authenticator.go
Expand Up @@ -43,23 +43,28 @@ func (h *azureAuthenticator) CreateToken(body []byte) (string, error) {
return "", fmt.Errorf("querying instance metadata: %w", err)
}

vmId := m.Compute.VMID
if vmId == "" {
return "", fmt.Errorf("missing virtual machine ID")
}

// The fully qualified VMSS VM resource ID format is:
// /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.Compute/virtualMachineScaleSets/VMSS_NAME/virtualMachines/VMSS_INDEX
r := strings.Split(m.Compute.ResourceID, "/")
if len(r) != 11 || r[7] != "virtualMachineScaleSets" || r[9] != "virtualMachines" {
return "", fmt.Errorf("unexpected resource ID format: %q", m.Compute.ResourceID)
}

vmssName := r[8]
vmssIndex := r[10]

return AzureAuthenticationTokenPrefix + vmssName + " " + vmssIndex, nil
return AzureAuthenticationTokenPrefix + vmId + " " + vmssName + " " + vmssIndex, nil
}

type instanceComputeMetadata struct {
ResourceGroupName string `json:"resourceGroupName"`
ResourceID string `json:"resourceId"`
SubscriptionID string `json:"subscriptionId"`
VMID string `json:"vmId"`
}

type instanceMetadata struct {
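Review bot: The new `vmId := m.Compute.VMID` check only rejects an empty value, and the VM ID it embeds in the token is not a secret: it is readable by every process on the instance through IMDS and by anyone with read access to the scale set through the Azure API, so the verifier-side comparison binds the token to a claimed instance but does not on its own prove the caller is running on it. If a stronger proof of origin is wanted later, the IMDS attested-data document (signed by Azure and carrying the VM ID) could be carried in the token instead of the bare ID; that is a follow-up, not a change to this hunk. Separately, Go's initialism convention and the `VMID` field added in the same hunk suggest `vmID := m.Compute.VMID` rather than `vmId`, here and for the matching local in verifier.go. CreateToken's body starts before this hunk.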
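--- a/upup/pkg/fi/cloudup/azure/verifier.go
+++ b/upup/pkg/fi/cloudup/azure/verifier.go
@@ -58,16 +58,23 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 }
 
 v := strings.Split(strings.TrimPrefix(token, AzureAuthenticationTokenPrefix), " ")
-if len(v) != 2 {
+if len(v) != 3 {
 return nil, fmt.Errorf("incorrect token format")
 }
-vmssName := v[0]
-vmssIndex := v[1]
+vmId := v[0]
+vmssName := v[1]
+vmssIndex := v[2]
 
 vm, err := a.client.vmsClient.Get(ctx, a.client.resourceGroup, vmssName, vmssIndex, "")
 if err != nil {
 return nil, fmt.Errorf("getting info for VMSS virtual machine %q #%s: %w", vmssName, vmssIndex, err)
 }
+if vm.VMID == nil {
+return nil, fmt.Errorf("determining VMID for VMSS %q virtual machine #%s", vmssName, vmssIndex)
+}
+if vmId != *vm.VMID {
+return nil, fmt.Errorf("matching VMID %q for VMSS %q virtual machine #%s", vmId, vmssName, vmssIndex)
+}
 if vm.OsProfile == nil || *vm.OsProfile.ComputerName == "" {
 return nil, fmt.Errorf("determining ComputerName for VMSS %q virtual machine #%s", vmssName, vmssIndex)
 }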
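Review bot: The new `if vm.VMID == nil` guard is right, but the context line directly below the added checks, `if vm.OsProfile == nil || *vm.OsProfile.ComputerName == ""`, dereferences `ComputerName` with no nil check and will panic if the API returns an OsProfile without one; `if vm.OsProfile == nil || vm.OsProfile.ComputerName == nil || *vm.OsProfile.ComputerName == "" {` would make it consistent with the VMID check. The `vmId != *vm.VMID` comparison is exact; both values presumably come from Azure as GUIDs, but if the IMDS and ARM representations can differ in case, `strings.EqualFold(vmId, *vm.VMID)` is the safer test — worth confirming against the API before changing it. VerifyToken's body continues past the end of this hunk.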
