fixes #2723 - check router and controller advertised addresses compar…

…ed to configured certs on start
openziti · Feb 5, 2025 · 94ee830 · 94ee830
1 parent 15fd986
commit 94ee830
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 17 deletions.
diff --git a/controller/config/config.go b/controller/config/config.go
@@ -585,6 +585,14 @@ func LoadConfig(path string) (*Config, error) {
 						return nil, fmt.Errorf("error loading channel options for [ctrl/options] (%v)", err)
 					}
 				}
+				if value != nil {
+					m := value.(map[interface{}]interface{})
+					a := strings.TrimPrefix(m["advertiseAddress"].(string), "tls:")
+					v := controllerConfig.Id.ValidFor(strings.Split(a, ":")[0])
+					if v != nil {
+						pfxlog.Logger().Fatalf("provided value for ctrl/options/advertiseAddress is invalid (%v)", v)
+					}
+				}
 			}
 			if controllerConfig.Raft != nil && controllerConfig.Raft.AdvertiseAddress == nil {
 				return nil, errors.New("[ctrl/options/advertiseAddress] is required when raft is enabled")
@@ -720,6 +728,14 @@ func LoadConfig(path string) (*Config, error) {
 		}
 	}
 
+	bpValidation := validateBindPoints(cfgmap)
+	if len(bpValidation) > 0 {
+		for _, bp := range bpValidation {
+			pfxlog.Logger().Errorf("invalid address in bindPoint: %v", bp)
+		}
+		pfxlog.Logger().Fatal("bindPoints validation failed")
+	}
+
 	edgeConfig, err := LoadEdgeConfigFromMap(cfgmap)
 	if err != nil {
 		return nil, err
@@ -728,6 +744,46 @@ func LoadConfig(path string) (*Config, error) {
 
 	return controllerConfig, nil
 }
+func validateBindPoints(m map[interface{}]interface{}) []error {
+	var errs []error
+
+	if webList, ok := m["web"].([]interface{}); ok {
+		for _, entry := range webList {
+			if entryMap, ok := entry.(map[interface{}]interface{}); ok {
+				if bindPoints, found := entryMap["bindPoints"].([]interface{}); found {
+
+					if value, found := entryMap["identity"]; found {
+						subMap := value.(map[interface{}]interface{})
+						identityConfig, err1 := identity.NewConfigFromMapWithPathContext(subMap, "identity")
+
+						if err1 != nil {
+							errs = append(errs, err1)
+							continue
+						}
+						id2, err2 := identity.LoadIdentity(*identityConfig)
+						if err2 != nil {
+							errs = append(errs, err2)
+							continue
+						}
+
+						for _, bp := range bindPoints {
+							if bpMap, ok := bp.(map[interface{}]interface{}); ok {
+								if address, exists := bpMap["address"].(string); exists {
+									err3 := id2.ValidFor(strings.Split(address, ":")[0])
+									if err3 != nil {
+										errs = append(errs, err3)
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return errs
+}
 
 // isSelfSigned checks if the given certificate is self-signed.
 func isSelfSigned(cert *x509.Certificate) (bool, error) {

diff --git a/go.mod b/go.mod
@@ -55,9 +55,9 @@ require (
 	github.com/openziti/agent v1.0.23
 	github.com/openziti/channel/v3 v3.0.26
 	github.com/openziti/cobra-to-md v1.0.1
-	github.com/openziti/edge-api v0.26.38
+	github.com/openziti/edge-api v0.26.39
 	github.com/openziti/foundation/v2 v2.0.56
-	github.com/openziti/identity v1.0.94
+	github.com/openziti/identity v1.0.95
 	github.com/openziti/jwks v1.0.6
 	github.com/openziti/metrics v1.2.65
 	github.com/openziti/runzmd v1.0.59
@@ -90,7 +90,7 @@ require (
 	golang.org/x/net v0.34.0
 	golang.org/x/oauth2 v0.25.0
 	golang.org/x/sync v0.10.0
-	golang.org/x/sys v0.29.0
+	golang.org/x/sys v0.30.0
 	golang.org/x/text v0.21.0
 	google.golang.org/protobuf v1.36.4
 	gopkg.in/AlecAivazis/survey.v1 v1.8.8
@@ -150,7 +150,7 @@ require (
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-tty v0.0.3 // indirect
@@ -200,7 +200,7 @@ require (
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/image v0.18.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/term v0.28.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
 	golang.org/x/tools v0.28.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect

diff --git a/go.sum b/go.sum
@@ -499,8 +499,8 @@ github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVc
 github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -511,7 +511,6 @@ github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcME
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
@@ -595,12 +594,12 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ
 github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c=
 github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM=
 github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk=
-github.com/openziti/edge-api v0.26.38 h1:3xDWC5SFn3qUVR428TIBpRc2lrjVV7Gz0Rx4pQx0JSg=
-github.com/openziti/edge-api v0.26.38/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
+github.com/openziti/edge-api v0.26.39 h1:4hb1RqjgpaTJorvbWTL6f2QcjJDn4BXDbLwes8DpM2U=
+github.com/openziti/edge-api v0.26.39/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/foundation/v2 v2.0.56 h1:YXqBmkrN0fYr3TqIlWZSZGluE2QpJxlA29Z6okZyQ5I=
 github.com/openziti/foundation/v2 v2.0.56/go.mod h1:f12R1pwEod348qONZr6esZgackX1ScLGDcEyPF2G5/w=
-github.com/openziti/identity v1.0.94 h1:nF4etu/5LmOlbT24lpSKq9p+90A9jeyLr5U23LemgD4=
-github.com/openziti/identity v1.0.94/go.mod h1:3VGYqa9E26zPPA8lJwE7eUPvRH2Oz8ZAd46cUCWKz/M=
+github.com/openziti/identity v1.0.95 h1:1IpYBCgmqmSscnGFHoadHSJPfmViqf7Xl6gvE7fLLmU=
+github.com/openziti/identity v1.0.95/go.mod h1:3VGYqa9E26zPPA8lJwE7eUPvRH2Oz8ZAd46cUCWKz/M=
 github.com/openziti/jwks v1.0.6 h1:PR+9OVaMO8oHEoVQmHqeUBExWwLWyODEGJQK2DXHaqE=
 github.com/openziti/jwks v1.0.6/go.mod h1:t4xxq8vlXGsPn29kiQVnZBBDDnEoOFqtJoHibkJunQQ=
 github.com/openziti/metrics v1.2.65 h1:Jhhbds+BUbywfspxcb9oyz9p9LI/oERT9lbeDpnNpmY=
@@ -1103,16 +1102,15 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/router/config.go b/router/config.go
@@ -880,6 +880,51 @@ func LoadConfigWithOptions(path string, loadIdentity bool) (*Config, error) {
 		return nil, err
 	}
 
+	var errs []error
+	// verify any advertised addresses are valid for the certificates provided
+	for _, c := range cfg.Ctrl.InitialEndpoints {
+		// should start with tls:
+		addy := strings.TrimPrefix(c.String(), "tls:")
+		addy = strings.Split(addy, ":")[0]
+		e := cfg.Id.ValidFor(addy)
+		if e != nil {
+			errs = append(errs, fmt.Errorf("invalid ctrl.endpoint: %s, error: %v", c.String(), e))
+		}
+	}
+
+	for _, c := range cfg.Link.Listeners {
+		a := c["advertise"]
+		if a != nil {
+			// should start with tls:
+			addy := strings.TrimPrefix(a.(string), "tls:")
+			addy = strings.Split(addy, ":")[0]
+			e := cfg.Id.ValidFor(addy)
+			if e != nil {
+				errs = append(errs, fmt.Errorf("invalid link.listeners.advertise: %s, error: %v", a.(string), e))
+			}
+		}
+	}
+
+	for _, c := range cfg.Listeners {
+		opts := c.options["options"]
+		if opts != nil {
+			optOpts := opts.(map[interface{}]interface{})
+			o := optOpts["advertise"]
+			if o != nil {
+				// should start with tls:
+				addy := strings.TrimPrefix(o.(string), "tls:")
+				addy = strings.Split(addy, ":")[0]
+				e := cfg.Id.ValidFor(addy)
+				if e != nil {
+					errs = append(errs, fmt.Errorf("invalid listeners.binding.advertise: %s, error: %v", o.(string), e))
+				}
+			}
+		}
+	}
+
+	if len(errs) > 0 {
+		pfxlog.Logger().Fatalf("one or more advertiese addresses are invalid: %v", errs)
+	}
 	return cfg, nil
 }