storagenode/contact: add authentication for PingNode endpoint

Currently, if a node has untrusted a satellite, the satellite can still
successfully ping the node. If a node decide to untrust a satellite, the
satellite should also mark it as conact failed

Change-Id: Idf80fa00d9849205533dd3e5b3b775b5b9686705

storagenode/contact/contact_test.go

@@ -4,13 +4,17 @@
 package contact_test
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sync/errgroup"
 
+	"storj.io/common/identity/testidentity"
 	"storj.io/common/pb"
+	"storj.io/common/rpc/rpcpeer"
 	"storj.io/common/testcontext"
 	"storj.io/storj/private/testplanet"
 )
@@ -102,6 +106,34 @@ func TestServicePingSatellites(t *testing.T) {
 	})
 }
 
+func TestEndpointPingNode_UnTrust(t *testing.T) {
+	testplanet.Run(t, testplanet.Config{
+		SatelliteCount: 1, StorageNodeCount: 1, UplinkCount: 0,
+	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
+		node := planet.StorageNodes[0]
+		node.Contact.Chore.Pause(ctx)
+
+		// make sure a trusted satellite is able to ping node
+		info, err := planet.Satellites[0].Overlay.Service.Get(ctx, node.ID())
+		require.NoError(t, err)
+		require.Equal(t, node.ID(), info.Id)
+
+		// an untrusted peer shouldn't be able to ping node successfully
+		ident, err := testidentity.NewTestIdentity(ctx)
+		require.NoError(t, err)
+
+		state := tls.ConnectionState{
+			PeerCertificates: []*x509.Certificate{ident.Leaf, ident.CA},
+		}
+		peerCtx := rpcpeer.NewContext(ctx, &rpcpeer.Peer{
+			Addr:  node.Server.Addr(),
+			State: state,
+		})
+		_, err = node.Contact.Endpoint.PingNode(peerCtx, &pb.ContactPingRequest{})
+		require.Error(t, err)
+	})
+}
+
 func TestLocalAndUpdateSelf(t *testing.T) {
 	testplanet.Run(t, testplanet.Config{
 		SatelliteCount: 1, StorageNodeCount: 1, UplinkCount: 0,

storagenode/contact/endpoint.go

@@ -14,6 +14,7 @@ import (
 	"storj.io/common/pb"
 	"storj.io/common/rpc/rpcpeer"
 	"storj.io/common/rpc/rpcstatus"
+	"storj.io/storj/storagenode/trust"
 )
 
 // Endpoint implements the contact service Endpoints.
@@ -23,6 +24,8 @@ type Endpoint struct {
 	pb.DRPCContactUnimplementedServer
 	log       *zap.Logger
 	pingStats *PingStats
+
+	trust *trust.Pool
 }
 
 // PingStats contains information regarding when the node was last pinged.
@@ -32,10 +35,11 @@ type PingStats struct {
 }
 
 // NewEndpoint returns a new contact service endpoint.
-func NewEndpoint(log *zap.Logger, pingStats *PingStats) *Endpoint {
+func NewEndpoint(log *zap.Logger, trust *trust.Pool, pingStats *PingStats) *Endpoint {
 	return &Endpoint{
 		log:       log,
 		pingStats: pingStats,
+		trust:     trust,
 	}
 }
 
@@ -50,6 +54,10 @@ func (endpoint *Endpoint) PingNode(ctx context.Context, req *pb.ContactPingReque
 	if err != nil {
 		return nil, rpcstatus.Error(rpcstatus.Unauthenticated, err.Error())
 	}
+	if err := endpoint.trust.VerifySatelliteID(ctx, peerID.ID); err != nil {
+		return nil, rpcstatus.Error(rpcstatus.Unauthenticated, err.Error())
+	}
+
 	endpoint.log.Debug("pinged", zap.Stringer("by", peerID.ID), zap.Stringer("srcAddr", peer.Addr))
 	endpoint.pingStats.WasPinged(time.Now())
 	return &pb.ContactPingResponse{}, nil

storagenode/peer.go

@@ -420,7 +420,7 @@ func New(log *zap.Logger, full *identity.FullIdentity, db DB, revocationDB exten
 			Close: peer.Contact.Chore.Close,
 		})
 
-		peer.Contact.Endpoint = contact.NewEndpoint(peer.Log.Named("contact:endpoint"), peer.Contact.PingStats)
+		peer.Contact.Endpoint = contact.NewEndpoint(peer.Log.Named("contact:endpoint"), peer.Storage2.Trust, peer.Contact.PingStats)
 		if err := pb.DRPCRegisterContact(peer.Server.DRPC(), peer.Contact.Endpoint); err != nil {
 			return nil, errs.Combine(err, peer.Close())
 		}