Merge pull request #282 from 0x90-n/support-for-experimental-reg-overrides

Support for experimental reg overrides

Author: 0x90-n

cmd/registration-server/main.go

@@ -33,20 +33,25 @@ type regServer interface {
 
 // config defines the variables and options from the toml config file
 type config struct {
-	DNSListenAddr      string   `toml:"dns_listen_addr"`
-	Domain             string   `toml:"domain"`
-	DNSPrivkeyPath     string   `toml:"dns_private_key_path"`
-	APIPort            uint16   `toml:"api_port"`
-	ZMQAuthVerbose     bool     `toml:"zmq_auth_verbose"`
-	ZMQAuthType        string   `toml:"zmq_auth_type"`
-	ZMQPort            uint16   `toml:"zmq_port"`
-	ZMQBindAddr        string   `toml:"zmq_bind_addr"`
-	ZMQPrivateKeyPath  string   `toml:"zmq_privkey_path"`
-	StationPublicKeys  []string `toml:"station_pubkeys"`
-	ClientConfPath     string   `toml:"clientconf_path"`
-	latestClientConf   *pb.ClientConf
-	LogLevel           string `toml:"log_level"`
-	LogMetricsInterval uint16 `toml:"log_metrics_interval"`
+	DNSListenAddr             string   `toml:"dns_listen_addr"`
+	Domain                    string   `toml:"domain"`
+	DNSPrivkeyPath            string   `toml:"dns_private_key_path"`
+	APIPort                   uint16   `toml:"api_port"`
+	ZMQAuthVerbose            bool     `toml:"zmq_auth_verbose"`
+	ZMQAuthType               string   `toml:"zmq_auth_type"`
+	ZMQPort                   uint16   `toml:"zmq_port"`
+	ZMQBindAddr               string   `toml:"zmq_bind_addr"`
+	ZMQPrivateKeyPath         string   `toml:"zmq_privkey_path"`
+	StationPublicKeys         []string `toml:"station_pubkeys"`
+	ClientConfPath            string   `toml:"clientconf_path"`
+	latestClientConf          *pb.ClientConf
+	LogLevel                  string                `toml:"log_level"`
+	LogMetricsInterval        uint16                `toml:"log_metrics_interval"`
+	EnforceSubnetOverrides    bool                  `toml:"enforce_subnet_overrides"`
+	PrcntMinRegsToOverride    float64               `toml:"prcnt_min_regs_to_override"`
+	PrcntPrefixRegsToOverride float64               `toml:"prcnt_prefix_regs_to_override"`
+	OverrideSubnets           []regprocessor.Subnet `toml:"override_subnet"`
+	ExclusionsFromOverride    []regprocessor.Subnet `toml:"excluded_subnet_from_overrides"`
 }
 
 var defaultTransports = map[pb.TransportType]lib.Transport{
@@ -192,9 +197,9 @@ func main() {
 
 	switch conf.ZMQAuthType {
 	case "CURVE":
-		processor, err = regprocessor.NewRegProcessor(conf.ZMQBindAddr, conf.ZMQPort, zmqPrivkey, conf.ZMQAuthVerbose, conf.StationPublicKeys, metrics)
+		processor, err = regprocessor.NewRegProcessor(conf.ZMQBindAddr, conf.ZMQPort, zmqPrivkey, conf.ZMQAuthVerbose, conf.StationPublicKeys, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinRegsToOverride, conf.PrcntPrefixRegsToOverride)
 	case "NULL":
-		processor, err = regprocessor.NewRegProcessorNoAuth(conf.ZMQBindAddr, conf.ZMQPort, metrics)
+		processor, err = regprocessor.NewRegProcessorNoAuth(conf.ZMQBindAddr, conf.ZMQPort, metrics, conf.EnforceSubnetOverrides, conf.OverrideSubnets, conf.ExclusionsFromOverride, conf.PrcntMinRegsToOverride, conf.PrcntPrefixRegsToOverride)
 	default:
 		log.Fatalf("Unknown ZMQ auth type: %s", conf.ZMQAuthType)
 	}

cmd/registration-server/reg_config.toml

@@ -45,3 +45,32 @@ bidirectional_api_generation = 957
 
 # Path on disk to the latest ClientConfig file that the station should use
 clientconf_path = "/var/lib/conjure/ClientConf"
+
+# Whether to apply the below subnet overrides to clients bidirectional api registrations
+enforce_subnet_overrides = true
+
+# Percentage of bidirectional api registrations to override per transport
+prcnt_min_regs_to_override = 100
+prcnt_prefix_regs_to_override = 100
+
+# Subnets to use when overriding clients bidirectional api registrations
+[[override_subnet]]
+cidr = "X.X.X.X/32"
+weight = 10.7
+port = 443
+transport = "Min_Transport"
+
+[[override_subnet]]
+cidr = "X.X.X.X/24"
+weight = 10
+port = 80
+transport = "Prefix_Transport"
+prefix_id = 1
+
+# Subnets to refrain from overriding when clients bidirectional api registrations pick a v4 phantom inside them
+[[excluded_subnet_from_overrides]]
+cidr = "X.X.X.X/25"
+# For future features that can exclude subnets according to weight, port, or transport
+weight = 28.7
+port = 80
+transport = "Min_Transport"

pkg/regserver/regprocessor/auth_test.go

@@ -134,7 +134,7 @@ func TestZMQAuth(t *testing.T) {
 	// messages that we expect the station to hear. in production this will be new registrations,
 	// here we don't care about the message contents.
 	go func() {
-		regProcessor, err := newRegProcessor(zmqBindAddr, zmqPort, []byte(zmq.Z85decode(serverPrivkeyZ85)), true, stationPublicKeys)
+		regProcessor, err := newRegProcessor(zmqBindAddr, zmqPort, []byte(zmq.Z85decode(serverPrivkeyZ85)), true, stationPublicKeys, false, nil, nil, 0.0, 0.0)
 		require.Nil(t, err)
 		defer regProcessor.Close()
 		errStation := regProcessor.AddTransport(pb.TransportType_Min, min.Transport{})