feat: accept join token in Provision payload

Philipp Sauter · Philipp Sauter · commit 8318a7e1747c · 2022-05-24T18:12:29.000+02:00
It's now possible to start the siderolink-agent with a join token
parameter. Clients are now required to submit that same token in Provision
requests or the request will fail.

Fixes #5592

Signed-off-by: Philipp Sauter &lt;philipp.sauter@siderolabs.com&gt;
diff --git a/api/siderolink/provision.pb.go b/api/siderolink/provision.pb.go
diff --git a/api/siderolink/provision.proto b/api/siderolink/provision.proto
@@ -16,6 +16,8 @@ message ProvisionRequest {
     string node_uuid = 1;
     // Wireguard public key (as string) of the node.
     string node_public_key = 2;
+    // Join token (as string) of the node.
+    optional string join_token = 3;
 }
 
 message ProvisionResponse {
diff --git a/api/siderolink/provision_vtproto.pb.go b/api/siderolink/provision_vtproto.pb.go
diff --git a/cmd/siderolink-agent/main.go b/cmd/siderolink-agent/main.go
@@ -20,6 +20,7 @@ import (
 func main() {
 	flag.StringVar(&sideroLinkFlags.wireguardEndpoint, "sidero-link-wireguard-endpoint", "172.20.0.1:51821", "advertised Wireguard endpoint")
 	flag.StringVar(&sideroLinkFlags.apiEndpoint, "sidero-link-api-endpoint", ":4000", "gRPC API endpoint for the SideroLink")
+	flag.StringVar(&sideroLinkFlags.joinToken, "sidero-link-join-token", "", "join token")
 	flag.StringVar(&eventSinkFlags.apiEndpoint, "event-sink-endpoint", ":8080", "gRPC API endpoint for the Event Sink")
 	flag.StringVar(&logReceiverFlags.endpoint, "log-receiver-endpoint", ":4001", "TCP log receiver endpoint")
 	flag.Parse()
diff --git a/cmd/siderolink-agent/siderolink.go b/cmd/siderolink-agent/siderolink.go
@@ -23,6 +23,7 @@ import (
 var sideroLinkFlags struct {
 	wireguardEndpoint string
 	apiEndpoint       string
+	joinToken         string
 }
 
 func sideroLink(ctx context.Context, eg *errgroup.Group, logger *zap.Logger) error {
@@ -56,6 +57,7 @@ func sideroLink(ctx context.Context, eg *errgroup.Group, logger *zap.Logger) err
 		ServerAddress:   serverAddr.IP(),
 		ServerEndpoint:  wireguardEndpoint,
 		ServerPublicKey: privateKey.PublicKey(),
+		JoinToken:       sideroLinkFlags.joinToken,
 	})
 
 	s := grpc.NewServer()
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -33,6 +33,7 @@ type Config struct {
 	NodePrefix      netaddr.IPPrefix
 	ServerAddress   netaddr.IP
 	ServerEndpoint  netaddr.IPPort
+	JoinToken       string
 	ServerPublicKey wgtypes.Key
 }
 
@@ -51,6 +52,10 @@ func (srv *Server) EventCh() <-chan wireguard.PeerEvent {
 
 // Provision the SideroLink.
 func (srv *Server) Provision(ctx context.Context, req *pb.ProvisionRequest) (*pb.ProvisionResponse, error) {
+	if srv.cfg.JoinToken != "" && (req.JoinToken == nil || *req.JoinToken != srv.cfg.JoinToken) {
+		return nil, status.Error(codes.PermissionDenied, "invalid join token")
+	}
+
 	// generated random address for the node
 	raw := srv.cfg.NodePrefix.IP().As16()
 	salt := make([]byte, 8)

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ message ProvisionRequest {`
`16`	`16`	`string node_uuid = 1;`
`17`	`17`	`// Wireguard public key (as string) of the node.`
`18`	`18`	`string node_public_key = 2;`
	`19`	`+ // Join token (as string) of the node.`
	`20`	`+ optional string join_token = 3;`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`message ProvisionResponse {`