Merge pull request #2545 from openziti/check-peer-certs

Check peer certs
openziti · Nov 18, 2024 · 01d8122 · 01d8122
2 parents 215fd0c + e6834cd
commit 01d8122
Showing 1 changed file with 26 additions and 3 deletions.
diff --git a/controller/raft/mesh/mesh.go b/controller/raft/mesh/mesh.go
@@ -460,7 +460,7 @@ func (self *impl) GetOrConnectPeer(address string, timeout time.Duration) (*Peer
 
 		peer.Channel = binding.GetChannel()
 
-		if err = self.checkClusterIds(peer.Channel); err != nil {
+		if err = self.validateConnection(peer.Channel); err != nil {
 			return err
 		}
 
@@ -510,6 +510,14 @@ func (self *impl) GetOrConnectPeer(address string, timeout time.Duration) (*Peer
 	return peer, nil
 }
 
+func (self *impl) validateConnection(ch channel.Channel) error {
+	if err := self.checkClusterIds(ch); err != nil {
+		return err
+	}
+
+	return self.checkCerts(ch)
+}
+
 func (self *impl) checkClusterIds(ch channel.Channel) error {
 	clusterId := string(ch.Underlay().Headers()[ClusterIdHeader])
 	if clusterId != "" && self.env.GetClusterId() != "" && clusterId != self.env.GetClusterId() {
@@ -518,6 +526,21 @@ func (self *impl) checkClusterIds(ch channel.Channel) error {
 	return nil
 }
 
+func (self *impl) checkCerts(ch channel.Channel) error {
+	certs := ch.Underlay().Certificates()
+	if len(certs) == 0 {
+		return errors.New("unable to validate peer connection, no certs presented")
+	}
+
+	for _, cert := range ch.Underlay().Certificates() {
+		if _, err := self.env.GetNodeId().CaPool().VerifyToRoot(cert); err == nil {
+			return nil
+		}
+	}
+
+	return errors.New("unable to validate peer connection, no certs presented matched the CA for this node")
+}
+
 func (self *impl) GetPeerInfo(address string, timeout time.Duration) (raft.ServerID, raft.ServerAddress, error) {
 	log := pfxlog.Logger().WithField("address", address)
 	addr, err := transport.ParseAddress(address)
@@ -560,7 +583,7 @@ func (self *impl) GetPeerInfo(address string, timeout time.Duration) (raft.Serve
 			return err
 		}
 
-		if err = self.checkClusterIds(binding.GetChannel()); err != nil {
+		if err = self.validateConnection(binding.GetChannel()); err != nil {
 			return err
 		}
 
@@ -794,7 +817,7 @@ func (self *impl) AcceptUnderlay(underlay channel.Underlay) error {
 			}
 		}
 
-		if err = self.checkClusterIds(peer.Channel); err != nil {
+		if err = self.validateConnection(peer.Channel); err != nil {
 			return err
 		}