MCPcopy Create free account
hub / github.com/coder/coder / Authorize

Method Authorize

tailnet/tunnel.go:68–87  ·  view source on GitHub ↗
(_ context.Context, req *proto.CoordinateRequest)

Source from the content-addressed store, hash-verified

66}
67
68func (a AgentCoordinateeAuth) Authorize(_ context.Context, req *proto.CoordinateRequest) error {
69 if tun := req.GetAddTunnel(); tun != nil {
70 return xerrors.New("agents cannot open tunnels")
71 }
72
73 if upd := req.GetUpdateSelf(); upd != nil {
74 // Both Addresses and AllowedIPs are installed into the WireGuard peer
75 // config and drive routing, so an agent may only advertise prefixes
76 // derived from its own UUID. Without this an agent could claim a victim
77 // agent's IP and have traffic routed to it.
78 if err := a.authorizeNodePrefixes(upd.Node.Addresses); err != nil {
79 return xerrors.Errorf("Addresses: %w", err)
80 }
81 if err := a.authorizeNodePrefixes(upd.Node.AllowedIps); err != nil {
82 return xerrors.Errorf("AllowedIps: %w", err)
83 }
84 }
85
86 return nil
87}
88
89// authorizeNodePrefixes verifies that every prefix is a /128 address derived
90// from the agent's own UUID (or the legacy workspace agent IP).

Callers

nothing calls this directly

Calls 5

authorizeNodePrefixesMethod · 0.95
GetAddTunnelMethod · 0.80
GetUpdateSelfMethod · 0.80
NewMethod · 0.65
ErrorfMethod · 0.45

Tested by

no test coverage detected