Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 8535cb5bc5437960430ff94d3ea7280ccf931340^! / . / metropolis / test / launch
commit8535cb5bc5437960430ff94d3ea7280ccf931340[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Wed Mar 29 14:15:08 2023 +0200
committerSerge Bazanski <serge@monogon.tech>Wed Mar 29 17:18:22 2023 +0000
tree57edb5cf064ad8b43aef52c1bbb974dd5cce7c26
parent30fd15406e2c9cba7391f6af96c775b313a115fa [diff]
m/n/core/rpc: implement node verification in authenticated connections

The current API of NewAuthenticatedCredentials is not easily extensible,
so switch over to such an API now.

This then adds a WantRemoteNode option which verifies that the remote
connection is established to a node with a given ID.

Change-Id: Ie9f6b33d8b032729181bae5591eba9856ea2f523
Reviewed-on: https://review.monogon.dev/c/monogon/+/1427
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

diff --git a/metropolis/test/launch/cluster/cluster.go b/metropolis/test/launch/cluster/cluster.go
index bfeb877..c433780 100644
--- a/metropolis/test/launch/cluster/cluster.go
+++ b/metropolis/test/launch/cluster/cluster.go

@@ -182,7 +182,7 @@
 // instance within Cluster c, or nil together with an error.
 func (c *Cluster) CuratorClient() (*grpc.ClientConn, error) {
 	if c.authClient == nil {
-		authCreds := rpc.NewAuthenticatedCredentials(c.Owner, nil)
+		authCreds := rpc.NewAuthenticatedCredentials(c.Owner, rpc.WantInsecure())
 		r := resolver.New(c.ctxT, resolver.WithLogger(func(f string, args ...interface{}) {
 			launch.Log("Cluster: client resolver: %s", fmt.Sprintf(f, args...))
 		}))
@@ -589,7 +589,7 @@
 	launch.Log("Cluster: retrieved owner certificate.")
 
 	// Now connect authenticated and get the node ID.
-	creds := rpc.NewAuthenticatedCredentials(*cert, nil)
+	creds := rpc.NewAuthenticatedCredentials(*cert, rpc.WantInsecure())
 	authClient, err := grpc.Dial(remote, grpc.WithContextDialer(initDialer), grpc.WithTransportCredentials(creds))
 	if err != nil {
 		return nil, nil, fmt.Errorf("dialing with owner credentials failed: %w", err)