Only return public addresses in Wireguard peer API (#27273)

* Only return public addresses in Wireguard peer API * Only add public IP WG peers in config server
author: Valerij Fredriksen <freva@users.noreply.github.com> 2023-06-05 12:54:40 +0200
committer: GitHub <noreply@github.com> 2023-06-05 12:54:40 +0200
commit: 4864d94e48919a8cb734191ab90b80738e843d08 (patch)
tree: f39afd8a79d5e8b8d1b3aad5585f071fa8b3ea10 /node-repository
parent: 377812082b5b87d15e2053dfb0eb838ba3b198f0 (diff)
3 files changed, 22 insertions, 14 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodesResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodesResponse.java
index bc6f9c9cca1..ff814af7390 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodesResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/NodesResponse.java
@@ -246,7 +246,7 @@ class NodesResponse extends SlimeJsonResponse {
         return Optional.empty();
     }
 
-    static void ipAddressesToSlime(Set<String> ipAddresses, Cursor array) {
+    static void ipAddressesToSlime(Collection<String> ipAddresses, Cursor array) {
         ipAddresses.forEach(array::addString);
     }
 
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/WireguardResponse.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/WireguardResponse.java
index 11be80de990..76c709da97f 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/WireguardResponse.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/WireguardResponse.java
@@ -7,8 +7,10 @@ import com.yahoo.slime.Cursor;
 import com.yahoo.vespa.hosted.provision.Node;
 import com.yahoo.vespa.hosted.provision.NodeList;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
+import com.yahoo.vespa.hosted.provision.node.IP;
 
-import java.util.Set;
+import java.net.InetAddress;
+import java.util.List;
 
 /**
  * A response containing the wireguard peer config for each configserver that has a public key.
@@ -25,18 +27,25 @@ public class WireguardResponse extends SlimeJsonResponse {
                 .list(Node.State.active)
                 .nodeType(NodeType.config);
 
-        configservers.stream()
-                .filter(node -> node.wireguardPubKey().isPresent())
-                .forEach(configserver -> addConfigserver(cfgArray.addObject(),
-                                                         configserver.hostname(),
-                                                         configserver.wireguardPubKey().get(),
-                                                         configserver.ipConfig().primary()));
+        for (Node cfg : configservers) {
+            if (cfg.wireguardPubKey().isEmpty()) return;
+            List<String> ipAddresses = cfg.ipConfig().primary().stream()
+                    .filter(WireguardResponse::isPublicIp)
+                    .toList();
+            if (ipAddresses.isEmpty()) return;
+
+            addConfigserver(cfgArray.addObject(), cfg.hostname(), cfg.wireguardPubKey().get(), ipAddresses);
+        }
     }
 
-    private void addConfigserver(Cursor cfgEntry, String hostname, WireguardKey key, Set<String> ipAddresses) {
+    private void addConfigserver(Cursor cfgEntry, String hostname, WireguardKey key, List<String> ipAddresses) {
         cfgEntry.setString("hostname", hostname);
         cfgEntry.setString("wireguardPubkey", key.value());
         NodesResponse.ipAddressesToSlime(ipAddresses, cfgEntry.setArray("ipAddresses"));
     }
 
+    private static boolean isPublicIp(String ipAddress) {
+        InetAddress address = IP.parse(ipAddress);
+        return !address.isLoopbackAddress() && !address.isLinkLocalAddress() && !address.isSiteLocalAddress();
+    }
 }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/wireguard.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/wireguard.json
index 660b92d92ba..5369229bd75 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/wireguard.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/responses/wireguard.json
@@ -1,10 +1,9 @@
 {
-  "configservers":
-  [
+  "configservers": [
     {
-      "hostname":"cfg1.yahoo.com",
-      "wireguardPubkey":"lololololololololololololololololololololoo=",
-      "ipAddresses":["127.0.201.1","::201:1"]
+      "hostname": "cfg1.yahoo.com",
+      "wireguardPubkey": "lololololololololololololololololololololoo=",
+      "ipAddresses": ["::201:1"]
     }
   ]
 }
author	Valerij Fredriksen <freva@users.noreply.github.com>	2023-06-05 12:54:40 +0200
committer	GitHub <noreply@github.com>	2023-06-05 12:54:40 +0200
commit	4864d94e48919a8cb734191ab90b80738e843d08 (patch)
tree	f39afd8a79d5e8b8d1b3aad5585f071fa8b3ea10 /node-repository
parent	377812082b5b87d15e2053dfb0eb838ba3b198f0 (diff)