Merge pull request #151 from squat/improve-public-key-validation

pkg/k8s/apis/kilo/v1alpha1/types.go: add public key validation
2021-04-30 22:08:38 +02:00 · 2021-04-30 22:08:38 +02:00 · 298a772d68
commit 298a772d68
parent 166094b5ad 64ea86436f
1 changed files with 7 additions and 3 deletions
--- a/pkg/k8s/apis/kilo/v1alpha1/types.go
+++ b/pkg/k8s/apis/kilo/v1alpha1/types.go
@ -15,6 +15,7 @@
 package v1alpha1
 import (
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -133,7 +134,7 @@ func (p *Peer) Copy() *Peer {
 func (p *Peer) Validate() error {
 	for _, ip := range p.Spec.AllowedIPs {
 		if _, n, err := net.ParseCIDR(ip); err != nil {
-			return fmt.Errorf("failed to parse %q as a valid IP address: %v", ip, err)
+			return fmt.Errorf("failed to parse %q as a valid IP address: %w", ip, err)
 		} else if n == nil {
 			return fmt.Errorf("got invalid IP address for %q", ip)
 		}
@ -157,8 +158,11 @@ func (p *Peer) Validate() error {
 	if p.Spec.PersistentKeepalive < 0 {
 		return fmt.Errorf("persistent keepalive must be greater than or equal to zero; got %q", p.Spec.PersistentKeepalive)
 	}
-	if len(p.Spec.PublicKey) == 0 {
+	if b, err := base64.StdEncoding.DecodeString(p.Spec.PublicKey); err != nil {
-		return errors.New("public keys cannot be empty")
+		return fmt.Errorf("WireGuard public key is not base64 encoded: %w", err)
 		// Since WireGuard is using Curve25519 for the key exchange, the key length of 256 bits should not change in the near future.
 	} else if len(b) != 32 {
 		return errors.New("WireGuard public key has invalid length")
 	}
 	return nil
 }