Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / de82150a3be691178d8113e50c65e052b6739e19^! / .
commitde82150a3be691178d8113e50c65e052b6739e19[log] [tgz]
authorMateusz Zalega <mateusz@monogon.tech>Fri Apr 29 16:37:17 2022 +0200
committerMateusz Zalega <mateusz@monogon.tech>Tue May 03 12:11:19 2022 +0000
tree945df1463e04b093a472979a4f23c2d9aaa87ec3
parent0246f5eb3a48f8a521ab20d776b923fcf0af6e1c [diff]
m/n/c/cluster: sanitize ClusterDirectory

This change enforces the suggested ClusterDirectory usage described in
metropolis/proto/common/common.proto.

See also: https://review.monogon.dev/c/monogon/+/662

Change-Id: If00edcc078b6dccc80990fc95e9a1c87d945d74e
Reviewed-on: https://review.monogon.dev/c/monogon/+/669
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>

diff --git a/metropolis/node/core/cluster/cluster.go b/metropolis/node/core/cluster/cluster.go
index 1de24f3..4df489d 100644
--- a/metropolis/node/core/cluster/cluster.go
+++ b/metropolis/node/core/cluster/cluster.go

@@ -42,7 +42,6 @@
 
 	"source.monogon.dev/metropolis/node"
 	"source.monogon.dev/metropolis/node/core/consensus"
-	"source.monogon.dev/metropolis/node/core/identity"
 	"source.monogon.dev/metropolis/node/core/localstorage"
 	"source.monogon.dev/metropolis/node/core/network"
 	"source.monogon.dev/metropolis/node/core/roleserve"
@@ -257,12 +256,11 @@
 // logClusterDirectory verbosely logs the whole Cluster Directory passed to it.
 func logClusterDirectory(ctx context.Context, cd *cpb.ClusterDirectory) {
 	for _, node := range cd.Nodes {
-		id := identity.NodeID(node.PublicKey)
 		var addresses []string
 		for _, add := range node.Addresses {
 			addresses = append(addresses, add.Host)
 		}
-		supervisor.Logger(ctx).Infof("    Node ID: %s, Addresses: %s", id, strings.Join(addresses, ","))
+		supervisor.Logger(ctx).Infof("    Addresses: %s", strings.Join(addresses, ","))
 	}
 }
 

diff --git a/metropolis/node/core/cluster/cluster_register.go b/metropolis/node/core/cluster/cluster_register.go
index c348c32..f2ccbff 100644
--- a/metropolis/node/core/cluster/cluster_register.go
+++ b/metropolis/node/core/cluster/cluster_register.go

@@ -59,6 +59,14 @@
 		}
 	}
 
+	// Strip the initial ClusterDirectory of any node public keys that might have
+	// been included, as it can't be relied on beyond providing cluster endpoint
+	// addresses, considering its untrusted origin (ESP). This explicitly enforces
+	// suggested usage described in ClusterDirectory's protofile.
+	for i, _ := range register.ClusterDirectory.Nodes {
+		register.ClusterDirectory.Nodes[i].PublicKey = nil
+	}
+
 	// Validation passed, let's take the state lock and start working on registering
 	// us into the cluster.