feat: accept join token in Provision payload

It's now possible to start the siderolink-agent with a join token parameter. Clients are now required to submit that same token in Provision requests or the request will fail. Fixes #5592 Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
siderolabs · May 24, 2022 · 8318a7e · 8318a7e
1 parent b38c192
commit 8318a7e
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 29 deletions.
diff --git a/api/siderolink/provision.pb.go b/api/siderolink/provision.pb.go
diff --git a/api/siderolink/provision.proto b/api/siderolink/provision.proto
@@ -16,6 +16,8 @@ message ProvisionRequest {
     string node_uuid = 1;
     // Wireguard public key (as string) of the node.
     string node_public_key = 2;
+    // Join token (as string) of the node.
+    optional string join_token = 3;
 }
 
 message ProvisionResponse {

diff --git a/api/siderolink/provision_vtproto.pb.go b/api/siderolink/provision_vtproto.pb.go
diff --git a/cmd/siderolink-agent/main.go b/cmd/siderolink-agent/main.go
@@ -20,6 +20,7 @@ import (
 func main() {
 	flag.StringVar(&sideroLinkFlags.wireguardEndpoint, "sidero-link-wireguard-endpoint", "172.20.0.1:51821", "advertised Wireguard endpoint")
 	flag.StringVar(&sideroLinkFlags.apiEndpoint, "sidero-link-api-endpoint", ":4000", "gRPC API endpoint for the SideroLink")
+	flag.StringVar(&sideroLinkFlags.joinToken, "sidero-link-join-token", "", "join token")
 	flag.StringVar(&eventSinkFlags.apiEndpoint, "event-sink-endpoint", ":8080", "gRPC API endpoint for the Event Sink")
 	flag.StringVar(&logReceiverFlags.endpoint, "log-receiver-endpoint", ":4001", "TCP log receiver endpoint")
 	flag.Parse()

diff --git a/cmd/siderolink-agent/siderolink.go b/cmd/siderolink-agent/siderolink.go
@@ -23,6 +23,7 @@ import (
 var sideroLinkFlags struct {
 	wireguardEndpoint string
 	apiEndpoint       string
+	joinToken         string
 }
 
 func sideroLink(ctx context.Context, eg *errgroup.Group, logger *zap.Logger) error {
@@ -56,6 +57,7 @@ func sideroLink(ctx context.Context, eg *errgroup.Group, logger *zap.Logger) err
 		ServerAddress:   serverAddr.IP(),
 		ServerEndpoint:  wireguardEndpoint,
 		ServerPublicKey: privateKey.PublicKey(),
+		JoinToken:       sideroLinkFlags.joinToken,
 	})
 
 	s := grpc.NewServer()

diff --git a/internal/server/server.go b/internal/server/server.go
@@ -33,6 +33,7 @@ type Config struct {
 	NodePrefix      netaddr.IPPrefix
 	ServerAddress   netaddr.IP
 	ServerEndpoint  netaddr.IPPort
+	JoinToken       string
 	ServerPublicKey wgtypes.Key
 }
 
@@ -51,6 +52,10 @@ func (srv *Server) EventCh() <-chan wireguard.PeerEvent {
 
 // Provision the SideroLink.
 func (srv *Server) Provision(ctx context.Context, req *pb.ProvisionRequest) (*pb.ProvisionResponse, error) {
+	if srv.cfg.JoinToken != "" && (req.JoinToken == nil || *req.JoinToken != srv.cfg.JoinToken) {
+		return nil, status.Error(codes.PermissionDenied, "invalid join token")
+	}
+
 	// generated random address for the node
 	raw := srv.cfg.NodePrefix.IP().As16()
 	salt := make([]byte, 8)