
Commit def505e

committed
review comments
1 parent 508d9dd commit def505e


2 files changed

+33
-44
lines changed


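--- a/apiutil.go
+++ b/apiutil.go
@@ -52,7 +52,7 @@ func InsertConfigCert(config []byte, cert []byte) ([]byte, error) {
 return yaml.Marshal(y)
 }
 
-// FetchConfigPrivateKey takes a Nebula YAML, finds and returns its contained Nebula PEM-formatted private key,
+// FetchConfigPrivateKeyAndCert takes a Nebula YAML, finds and returns its contained Nebula PEM-formatted private key,
 // the Nebula PEM-formatted host cert, or an error.
 func FetchConfigPrivateKeyAndCert(config []byte) ([]byte, []byte, error) {
 var y map[any]any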

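--- a/client.go
+++ b/client.go
@@ -304,22 +304,11 @@ func (c *Client) DoUpdate(ctx context.Context, creds keys.Credentials) ([]byte,
 if err != nil {
 return nil, nil, nil, nil, fmt.Errorf("failed to make API call to Defined Networking: %w", err)
 }
-resultWrapper := message.SignedResponseWrapper{}
-err = json.Unmarshal(resp, &resultWrapper)
-if err != nil {
-return nil, nil, nil, nil, fmt.Errorf("failed to unmarshal signed response wrapper: %s", err)
-}
 
 // Verify the signature
-valid := false
-for _, caPubkey := range creds.TrustedKeys {
-if caPubkey.Verify(resultWrapper.Data.Message, resultWrapper.Data.Signature) {
-valid = true
-break
-}
-}
-if !valid {
-return nil, nil, nil, nil, fmt.Errorf("failed to verify signed API result")
+resultWrapper, err := verifySignature(resp, creds)
+if err != nil {
+return nil, nil, nil, nil, err
 }
 
 // Consume the verified message
@@ -422,22 +411,11 @@ func (c *Client) DoConfigUpdate(ctx context.Context, creds keys.Credentials) ([]
 if err != nil {
 return nil, nil, nil, fmt.Errorf("failed to make API call to Defined Networking: %w", err)
 }
-resultWrapper := message.SignedResponseWrapper{}
-err = json.Unmarshal(resp, &resultWrapper)
-if err != nil {
-return nil, nil, nil, fmt.Errorf("failed to unmarshal signed response wrapper: %s", err)
-}
 
 // Verify the signature
-valid := false
-for _, caPubkey := range creds.TrustedKeys {
-if caPubkey.Verify(resultWrapper.Data.Message, resultWrapper.Data.Signature) {
-valid = true
-break
-}
-}
-if !valid {
-return nil, nil, nil, fmt.Errorf("failed to verify signed API result")
+resultWrapper, err := verifySignature(resp, creds)
+if err != nil {
+return nil, nil, nil, err
 }
 
 // Consume the verified message
@@ -487,6 +465,30 @@ func (c *Client) DoConfigUpdate(ctx context.Context, creds keys.Credentials) ([]
 
 return result.Config, newCreds, meta, nil
 }
+
+// verifySignature is a helper function that takes in an API call repsonse message and
+// ensures it is signed by a trusted key. It returns the JSON unmarshalled response section
+// if the message is valid JSON and the signature is trusted, otherwise it returns an error.
+func verifySignature(resp []byte, creds keys.Credentials) (message.SignedResponseWrapper, error) {
+resultWrapper := message.SignedResponseWrapper{}
+err := json.Unmarshal(resp, &resultWrapper)
+if err != nil {
+return message.SignedResponseWrapper{}, fmt.Errorf("failed to unmarshal signed response wrapper: %s", err)
+}
+
+valid := false
+for _, caPubkey := range creds.TrustedKeys {
+if caPubkey.Verify(resultWrapper.Data.Message, resultWrapper.Data.Signature) {
+valid = true
+break
+}
+}
+if !valid {
+return message.SignedResponseWrapper{}, fmt.Errorf("failed to verify signed API result")
+}
+return resultWrapper, nil
+}
+
 func (c *Client) CommandResponse(ctx context.Context, creds keys.Credentials, responseToken string, response any) error {
 value, err := json.Marshal(message.CommandResponseRequest{
 ResponseToken: responseToken,
@@ -522,22 +524,9 @@ func (c *Client) Reauthenticate(ctx context.Context, creds keys.Credentials) (*m
 return nil, err
 }
 
-resultWrapper := message.SignedResponseWrapper{}
-err = json.Unmarshal(resp, &resultWrapper)
+resultWrapper, err := verifySignature(resp, creds)
 if err != nil {
-return nil, fmt.Errorf("failed to unmarshal signed response wrapper: %s", err)
-}
-
-// Verify the signature
-valid := false
-for _, caPubkey := range creds.TrustedKeys {
-if caPubkey.Verify(resultWrapper.Data.Message, resultWrapper.Data.Signature) {
-valid = true
-break
-}
-}
-if !valid {
-return nil, fmt.Errorf("failed to verify signed API result")
+return nil, err
 }
 
 var response message.ReauthenticateResponse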
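Review bot: In the new verifySignature body the unmarshal error is formatted with `%s`, which flattens the cause to text, while the neighbouring call sites in DoUpdate and DoConfigUpdate already wrap their transport error with `%w`; change it to `return message.SignedResponseWrapper{}, fmt.Errorf("failed to unmarshal signed response wrapper: %w", err)` so callers keep errors.Is/errors.As on the JSON error. The `%s` was present in the three inlined copies before the change, so this is pre-existing, but consolidating into one helper is the natural moment to fix it. The doc comment has a typo (`repsonse` → `response`), and it is worth stating the fail-closed property the loop already provides, e.g. `// An empty creds.TrustedKeys rejects every response.`, since a caller passing credentials with no trusted keys would otherwise have to read the body to learn that nothing is accepted.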
