From 81af61ae7d8227575ee978a72be8a0e6d782ae1c Mon Sep 17 00:00:00 2001
From: Jeff Mitchell 
Date: Fri, 8 Jul 2022 15:58:57 -0400
Subject: [PATCH] Add client next protos to KMS connection info (#2246)

This builds on the previous change in the nodeenrollment library to allow KMS connections to store incoming ALPN NextProto information.
---
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/daemon/controller/intercepting_listener.go | 3 ++-
 internal/daemon/controller/worker_tls_config.go | 12 +++++++++---
 4 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index e156162a06..02973bb8e3 100644
--- a/go.mod
+++ b/go.mod
@@ -92,7 +92,7 @@ require github.com/hashicorp/go-dbw v0.0.0-20220412153211-c470aec9369f // this i
 require (
 github.com/DATA-DOG/go-sqlmock v1.5.0
 github.com/hashicorp/go-kms-wrapping/extras/kms/v2 v2.0.0-20220515130442-cac0b5ac133b
- github.com/hashicorp/nodeenrollment v0.1.6
+ github.com/hashicorp/nodeenrollment v0.1.7
 )
 
 require (
diff --git a/go.sum b/go.sum
index 36a04f8e98..48faf1bdfe 100644
--- a/go.sum
+++ b/go.sum
@@ -740,8 +740,8 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/nodeenrollment v0.1.6 h1:TAOpvU7y28vRB1Nk7pzfUPuJxX07SwBZwTJQgPQQbPI=
-github.com/hashicorp/nodeenrollment v0.1.6/go.mod h1:LIPKi+g0g/vl3xhpbzugCalHSxX1PMeqnatkAsxRgyM=
+github.com/hashicorp/nodeenrollment v0.1.7 h1:t6BD0DXzIXwPdcmR15M3YLttQPgnJYq0D8w+v3k/Nd0=
+github.com/hashicorp/nodeenrollment v0.1.7/go.mod h1:LIPKi+g0g/vl3xhpbzugCalHSxX1PMeqnatkAsxRgyM=
 github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO2aRM=
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
diff --git a/internal/daemon/controller/intercepting_listener.go b/internal/daemon/controller/intercepting_listener.go
index a479a1fb3d..3ae9831b7c 100644
--- a/internal/daemon/controller/intercepting_listener.go
+++ b/internal/daemon/controller/intercepting_listener.go
@@ -127,8 +127,9 @@ func (m *interceptingListener) Accept() (net.Conn, error) {
 }
 workerInfo := workerInfoRaw.(*workerAuthEntry)
 workerInfo.conn = tlsConn
+ m.c.workerAuthCache.Delete(string(nonce))
 event.WriteSysEvent(ctx, op, "worker successfully authed", "name", workerInfo.Name, "description", workerInfo.Description, "proxy_address", workerInfo.ProxyAddress)
- return tlsConn, nil
+ return protocol.NewConn(tlsConn, workerInfo.clientNextProtos), nil
 
 default:
 return nil, newTempError(errors.New("unable to authenticate incoming connection"))
diff --git a/internal/daemon/controller/worker_tls_config.go b/internal/daemon/controller/worker_tls_config.go
index fce4d02f28..cbbaaf5d2d 100644
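Review bot: Accept now returns `protocol.NewConn(tlsConn, workerInfo.clientNextProtos)` instead of the `*tls.Conn` itself, so any caller that type-asserts the accepted conn to `*tls.Conn` (for instance to read `ConnectionState()` for the peer certificate) will stop matching unless the wrapper exposes the underlying conn; the call sites of Accept are outside this hunk and worth checking. The protocol list handed to the wrapper is what the client offered in its ClientHello, captured in validateWorkerTls before the handshake finished, not the protocol TLS negotiated, so a consumer that dispatches on it should treat it as untrusted input and match it against a fixed allowlist, or prefer `tlsConn.ConnectionState().NegotiatedProtocol` when NextProtos is configured on the server side. Evicting the nonce from `workerAuthCache` on success is a sound single-use measure, but the default branch below does not evict, so an entry stored for a client that never authenticates presumably relies on an expiry I cannot see from here. Accept's body begins before this hunk.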
--- a/internal/daemon/controller/worker_tls_config.go
+++ b/internal/daemon/controller/worker_tls_config.go
@@ -19,7 +19,8 @@ import (
 
 type workerAuthEntry struct {
 *base.WorkerAuthInfo
- conn net.Conn
+ conn net.Conn
+ clientNextProtos []string
 }
 
 // validateWorkerTls is called by the Go TLS stack with client info. It calls
@@ -44,9 +45,14 @@ func (c Controller) validateWorkerTls(hello *tls.ClientHelloInfo) (*tls.Config,
 // nonce unique constraint, which is by far the more important
 // thing to validate (although there are DB-level tests for that
 // too).
- c.workerAuthCache.Store(workerInfo.ConnectionNonce, &workerAuthEntry{
+ authEntry := &workerAuthEntry{
 WorkerAuthInfo: workerInfo,
- })
+ }
+ if len(hello.SupportedProtos) > 0 {
+ authEntry.clientNextProtos = make([]string, len(hello.SupportedProtos))
+ copy(authEntry.clientNextProtos, hello.SupportedProtos)
+ }
+ c.workerAuthCache.Store(workerInfo.ConnectionNonce, authEntry)
 }
 }
 return tlsConf, err
 }
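Review bot: The new `clientNextProtos` field carries no comment, and its provenance is the thing a later reader most needs: it is filled in validateWorkerTls from the ClientHello, i.e. from a peer that has not yet authenticated, and it is the offered list rather than the negotiated ALPN result. Suggest `// clientNextProtos is a copy of the ALPN protocols the client offered in its ClientHello; it is client-controlled and captured before the handshake completes.` above the field, so nobody downstream mistakes it for a verified value.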
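Review bot: `authEntry.clientNextProtos` is taken verbatim from `hello.SupportedProtos`, so whatever an unauthenticated client places in its ALPN extension is persisted in `workerAuthCache` and later surfaced on the accepted conn; nothing in the hunk restricts it to protocols the controller actually speaks. If the consumer dispatches on these strings, filtering here against a fixed set (for example keeping only entries present in `tlsConf.NextProtos` when that is non-empty) would keep unknown client-supplied values from ever leaving the TLS layer; failing that, a comment on the Store call noting the list is unvalidated client input would at least warn the reader. The defensive copy itself is the right call, since `hello.SupportedProtos` is owned by the TLS stack. validateWorkerTls begins before this hunk, so I cannot see the condition guarding this Store or whether it runs when `err` is non-nil.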