Enforce serverside secret id match
dadgar committed Aug 19, 2016
1 parent 1cafd04 commit 915f885
Showing 2 changed files with 49 additions and 8 deletions.
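--- a/nomad/node_endpoint.go
+++ b/nomad/node_endpoint.go
@@ -61,14 +61,15 @@ func (n *Node) Register(args *structs.NodeRegisterRequest, reply *structs.NodeUp
 if len(args.Node.Attributes) == 0 {
 return fmt.Errorf("missing attributes for client registration")
 }
-if args.Node.SecretID == "" {
-// COMPAT: Remove after 0.6
-// Need to check if this node is <0.4.x since SecretID is new in 0.5
-if pre, err := nodePreSecretID(args.Node); err != nil {
-return err
-} else if !pre {
-return fmt.Errorf("missing node secret ID for client registration")
-}
+
+// COMPAT: Remove after 0.6
+// Need to check if this node is <0.4.x since SecretID is new in 0.5
+pre, err := nodePreSecretID(args.Node)
+if err != nil {
+return err
+}
+if args.Node.SecretID == "" && !pre {
+return fmt.Errorf("missing node secret ID for client registration")
 }
 
 // Default the status if none is given
@@ -97,6 +98,19 @@ func (n *Node) Register(args *structs.NodeRegisterRequest, reply *structs.NodeUp
 return err
 }
 
+have := ""
+if originalNode != nil {
+have = originalNode.SecretID
+}
+n.srv.logger.Printf("Incoming: %q; Have %q", args.Node.SecretID, have)
+
+// Check if the SecretID has been tampered with
+if !pre && originalNode != nil {
+if args.Node.SecretID != originalNode.SecretID {
+return fmt.Errorf("node secret ID does not match. Not registering node.")
+}
+}
+
 // Commit this update via Raft
 _, index, err := n.srv.raftApply(structs.NodeRegisterRequestType, args)
 if err != nil {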
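Review bot: The `n.srv.logger.Printf("Incoming: %q; Have %q", args.Node.SecretID, have)` line in the second hunk writes both the presented and the stored node secret to the server log on every registration, so anyone with log access can read the value the new check depends on; drop that line together with the `have` variable, or log only the node ID and whether the values matched. The mismatch check is also skipped whenever `pre` is true, and `pre` comes from `nodePreSecretID(args.Node)`, which appears to be derived from fields of the incoming request rather than from the stored record, so a request reporting an older version is never compared against a secret the server already holds. Keying the check on the stored node would close that gap, e.g. `if originalNode != nil && originalNode.SecretID != "" && args.Node.SecretID != originalNode.SecretID {`, ideally compared with `subtle.ConstantTimeCompare`. Register's body starts and ends outside both hunks, so how `originalNode` is looked up is not visible here.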
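--- a/nomad/node_endpoint_test.go
+++ b/nomad/node_endpoint_test.go
@@ -99,6 +99,33 @@ func TestClientEndpoint_Register_NoSecret(t *testing.T) {
 }
 }
 
+func TestClientEndpoint_Register_SecretMismatch(t *testing.T) {
+s1 := testServer(t, nil)
+defer s1.Shutdown()
+codec := rpcClient(t, s1)
+testutil.WaitForLeader(t, s1.RPC)
+
+// Create the register request
+node := mock.Node()
+req := &structs.NodeRegisterRequest{
+Node: node,
+WriteRequest: structs.WriteRequest{Region: "global"},
+}
+
+// Fetch the response
+var resp structs.GenericResponse
+if err := msgpackrpc.CallWithCodec(codec, "Node.Register", req, &resp); err != nil {
+t.Fatalf("err: %v", err)
+}
+
+// Update the nodes SecretID
+node.SecretID = structs.GenerateUUID()
+err := msgpackrpc.CallWithCodec(codec, "Node.Register", req, &resp)
+if err == nil || !strings.Contains(err.Error(), "Not registering") {
+t.Fatalf("Expecting error regarding mismatching secret id", err)
+}
+}
+
 func TestClientEndpoint_Deregister(t *testing.T) {
 s1 := testServer(t, nil)
 defer s1.Shutdown()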
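Review bot: The final `t.Fatalf("Expecting error regarding mismatching secret id", err)` in TestClientEndpoint_Register_SecretMismatch passes `err` without a format verb, so `go vet` flags it and a failure prints `%!(EXTRA ...)` instead of the error; use `t.Fatalf("expected secret ID mismatch error, got: %v", err)`. The test covers only the rejection of a changed secret from a current-version node. It does not exercise the compatibility path where the node reports a pre-SecretID version, which is the branch where the server skips the comparison, and it does not confirm that the stored node's SecretID is unchanged after the rejected call. Both would be worth adding as cases, since they pin down the security property this commit introduces.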
