(_ context.Context, req *proto.CoordinateRequest)
| 66 | } |
| 67 | |
| 68 | func (a AgentCoordinateeAuth) Authorize(_ context.Context, req *proto.CoordinateRequest) error { |
| 69 | if tun := req.GetAddTunnel(); tun != nil { |
| 70 | return xerrors.New("agents cannot open tunnels") |
| 71 | } |
| 72 | |
| 73 | if upd := req.GetUpdateSelf(); upd != nil { |
| 74 | // Both Addresses and AllowedIPs are installed into the WireGuard peer |
| 75 | // config and drive routing, so an agent may only advertise prefixes |
| 76 | // derived from its own UUID. Without this an agent could claim a victim |
| 77 | // agent's IP and have traffic routed to it. |
| 78 | if err := a.authorizeNodePrefixes(upd.Node.Addresses); err != nil { |
| 79 | return xerrors.Errorf("Addresses: %w", err) |
| 80 | } |
| 81 | if err := a.authorizeNodePrefixes(upd.Node.AllowedIps); err != nil { |
| 82 | return xerrors.Errorf("AllowedIps: %w", err) |
| 83 | } |
| 84 | } |
| 85 | |
| 86 | return nil |
| 87 | } |
| 88 | |
| 89 | // authorizeNodePrefixes verifies that every prefix is a /128 address derived |
| 90 | // from the agent's own UUID (or the legacy workspace agent IP). |
nothing calls this directly
no test coverage detected