Implemented JWT authentication

2023-10-01 19:01:35 +01:00 · 2023-10-01 19:01:35 +01:00 · 94afd68460
commit 94afd68460
parent c819bec63d
14 changed files with 659 additions and 20 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,5 +1,4 @@
 {
-    "editor.insertSpaces": true,
    "editor.tabSize": 4,
-    "editor.detectIndentation": false
+    "editor.detectIndentation": true
 }
--- a/cmd/wgmeshd/configuration.yaml
+++ b/cmd/wgmeshd/configuration.yaml
@ -0,0 +1,3 @@
+certificatePath: "../../cert/cert.pem"
+privateKeyPath: "../../cert/key.pem"
+skipCertVerification: true
--- a/cmd/wgmeshd/main.go
+++ b/cmd/wgmeshd/main.go
@ -4,8 +4,11 @@ import (
 	"log"
 	"net"

+	"github.com/tim-beatham/wgmesh/pkg/conf"
+	"github.com/tim-beatham/wgmesh/pkg/conn"
 	ctrlserver "github.com/tim-beatham/wgmesh/pkg/ctrlserver"
 	"github.com/tim-beatham/wgmesh/pkg/ipc"
+	"github.com/tim-beatham/wgmesh/pkg/middleware"
 	"github.com/tim-beatham/wgmesh/pkg/robin"
 	"github.com/tim-beatham/wgmesh/pkg/rpc"
 	wg "github.com/tim-beatham/wgmesh/pkg/wg"
@ -20,7 +23,21 @@ func main() {
 		log.Fatalf("Could not create interface %s\n", ifName)
 	}

-	ctrlServer := ctrlserver.NewCtrlServer(wgClient, "wgmesh")
+	conf, err := conf.ParseConfiguration("./configuration.yaml")
+
+	newConnParams := conn.NewConnectionsParams{
+		CertificatePath:      conf.CertificatePath,
+		PrivateKey:           conf.PrivateKeyPath,
+		SkipCertVerification: conf.SkipCertVerification,
+	}
+
+	conn, err := conn.NewConnection(&newConnParams)
+
+	if err != nil {
+		return
+	}
+
+	ctrlServer := ctrlserver.NewCtrlServer(wgClient, conn, "wgmesh")

 	log.Println("Running IPC Handler")

@ -28,7 +45,9 @@ func main() {
 	robinRpc := robin.NewRobinRpc(ctrlServer)

 	go ipc.RunIpcHandler(robinIpc)
-	grpc := rpc.NewRpcServer(*&robinRpc)
+
+	grpc := conn.Listen(ctrlServer.JwtManager.GetAuthInterceptor())
+	rpc.NewRpcServer(grpc, robinRpc, middleware.NewAuthProvider(ctrlServer))

 	lis, err := net.Listen("tcp", ":8080")
 	if err := grpc.Serve(lis); err != nil {
--- a/pkg/auth/jwt.go
+++ b/pkg/auth/jwt.go
@ -0,0 +1,121 @@
+package auth
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+)
+
+// JwtMesh contains all the sessions with the mesh network
+type JwtMesh struct {
+	meshId string
+	// nodes contains a set of nodes with the string being the jwt token
+	nodes map[string]interface{}
+}
+
+// JwtManager manages jwt tokens indicating a session
+// between this host and another within a specific mesh
+type JwtManager struct {
+	secretKey     string
+	tokenDuration time.Duration
+	// meshes contains all the meshes that we have sessions with
+	meshes map[string]*JwtMesh
+}
+
+// JwtNode represents a jwt node in the mesh network
+type JwtNode struct {
+	MeshId string `json:"meshId"`
+	Alias  string `json:"alias"`
+	jwt.RegisteredClaims
+}
+
+func NewJwtManager(secretKey string, tokenDuration time.Duration) *JwtManager {
+	meshes := make(map[string]*JwtMesh)
+	return &JwtManager{secretKey, tokenDuration, meshes}
+}
+
+func (m *JwtManager) CreateClaims(meshId string, alias string) (*string, error) {
+	node := JwtNode{
+		MeshId: meshId,
+		Alias:  alias,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(m.tokenDuration)),
+		},
+	}
+
+	mesh, contains := m.meshes[meshId]
+
+	if !contains {
+		return nil, errors.New("The specified mesh does not exist")
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodES256, node)
+	signedString, err := token.SignedString([]byte(m.secretKey))
+
+	if err != nil {
+		return nil, err
+	}
+
+	_, exists := mesh.nodes[signedString]
+
+	if exists {
+		return nil, errors.New("Node already exists")
+	}
+
+	mesh.nodes[signedString] = struct{}{}
+	return &signedString, nil
+}
+
+func (m *JwtManager) Verify(accessToken string) (*JwtNode, bool) {
+	token, err := jwt.ParseWithClaims(accessToken, &JwtNode{}, func(t *jwt.Token) (interface{}, error) {
+		return []byte(m.secretKey), nil
+	})
+
+	if err != nil {
+		return nil, false
+	}
+
+	if !token.Valid {
+		return nil, token.Valid
+	}
+
+	claims, ok := token.Claims.(*JwtNode)
+	return claims, ok
+}
+
+func (m *JwtManager) GetAuthInterceptor() grpc.UnaryServerInterceptor {
+	return func(
+		ctx context.Context,
+		req interface{},
+		info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler,
+	) (interface{}, error) {
+		md, ok := metadata.FromIncomingContext(ctx)
+
+		if !ok {
+			return nil, status.Errorf(codes.Unauthenticated, "metadata is not provided")
+		}
+
+		values := md["authorization"]
+
+		if len(values) == 0 {
+			return nil, status.Errorf(codes.Unauthenticated, "authorization token is not provided")
+		}
+
+		acessToken := values[0]
+
+		_, valid := m.Verify(acessToken)
+
+		if !valid {
+			return nil, status.Errorf(codes.Unauthenticated, "Invalid access token: %s", acessToken)
+		}
+
+		return handler(ctx, req)
+	}
+}
--- a/pkg/conf/conf.go
+++ b/pkg/conf/conf.go
@ -0,0 +1,35 @@
+// conf defines configuration file parsing for golang
+package conf
+
+import (
+	"os"
+
+	logging "github.com/tim-beatham/wgmesh/pkg/log"
+	"gopkg.in/yaml.v3"
+)
+
+type WgMeshConfiguration struct {
+	CertificatePath      string `yaml:"certificatePath"`
+	PrivateKeyPath       string `yaml:"privateKeyPath"`
+	SkipCertVerification bool   `yaml:"skipCertVerification"`
+}
+
+func ParseConfiguration(filePath string) (*WgMeshConfiguration, error) {
+	var conf WgMeshConfiguration
+
+	yamlBytes, err := os.ReadFile(filePath)
+
+	if err != nil {
+		logging.ErrorLog.Printf("Read file error: %s\n", err.Error())
+		return nil, err
+	}
+
+	err = yaml.Unmarshal(yamlBytes, &conf)
+
+	if err != nil {
+		logging.ErrorLog.Printf("Unmarshal error: %s\n", err.Error())
+		return nil, err
+	}
+
+	return &conf, nil
+}
--- a/pkg/conn/conn.go
+++ b/pkg/conn/conn.go
@ -0,0 +1,81 @@
+// conn manages gRPC connections between peers.
+// Includes timers.
+package conn
+
+import (
+	"crypto/tls"
+
+	logging "github.com/tim-beatham/wgmesh/pkg/log"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+)
+
+// PeerConnection interfacing for a secure connection between
+// two peers.
+type PeerConnection interface {
+	Connect() error
+}
+
+type WgCtrlConnection struct {
+	serverConfig *tls.Config
+	clientConfig *tls.Config
+	conn         *grpc.ClientConn
+}
+
+type NewConnectionsParams struct {
+	CertificatePath      string
+	PrivateKey           string
+	SkipCertVerification bool
+}
+
+func NewConnection(params *NewConnectionsParams) (*WgCtrlConnection, error) {
+	cert, err := tls.LoadX509KeyPair(params.CertificatePath, params.PrivateKey)
+
+	if err != nil {
+		logging.ErrorLog.Printf("Failed to load key pair: %s\n", err.Error())
+		logging.ErrorLog.Printf("Certificate Path: %s\n", params.CertificatePath)
+		logging.ErrorLog.Printf("Private Key Path: %s\n", params.PrivateKey)
+		return nil, err
+	}
+
+	serverAuth := tls.RequireAndVerifyClientCert
+
+	if params.SkipCertVerification {
+		serverAuth = tls.RequireAnyClientCert
+	}
+
+	tlsConfig := &tls.Config{
+		ClientAuth:   serverAuth,
+		Certificates: []tls.Certificate{cert},
+	}
+
+	clientConfig := &tls.Config{
+		Certificates:       []tls.Certificate{cert},
+		InsecureSkipVerify: params.SkipCertVerification,
+	}
+
+	wgConnection := WgCtrlConnection{serverConfig: tlsConfig, clientConfig: clientConfig}
+
+	return &wgConnection, nil
+}
+
+// Connect: Connects to a new gRPC peer given the address of the other server
+func (c *WgCtrlConnection) Connect(server string) (*grpc.ClientConn, error) {
+	conn, err := grpc.Dial(server, grpc.WithTransportCredentials(credentials.NewTLS(c.clientConfig)))
+
+	if err != nil {
+		logging.ErrorLog.Printf("Could not connect: %s\n", err.Error())
+		return nil, err
+	}
+
+	return conn, nil
+}
+
+// Listen: listens to incoming messages
+func (c *WgCtrlConnection) Listen(i grpc.UnaryServerInterceptor) *grpc.Server {
+	server := grpc.NewServer(
+		grpc.UnaryInterceptor(i),
+		grpc.Creds(credentials.NewTLS(c.serverConfig)),
+	)
+	return server
+}
--- a/pkg/ctrlserver/ctrlserver.go
+++ b/pkg/ctrlserver/ctrlserver.go
@ -8,7 +8,10 @@ package ctrlserver
 import (
 	"errors"
 	"net"
+	"time"

+	"github.com/tim-beatham/wgmesh/pkg/auth"
+	"github.com/tim-beatham/wgmesh/pkg/conn"
 	"github.com/tim-beatham/wgmesh/pkg/lib"
 	"github.com/tim-beatham/wgmesh/pkg/wg"
 	"golang.zx2c4.com/wireguard/wgctrl"
@ -21,11 +24,13 @@ import (
 * wgClient: Represents the WireGuard control client.
 * ifName: WireGuard interface name
 */
-func NewCtrlServer(wgClient *wgctrl.Client, ifName string) *MeshCtrlServer {
+func NewCtrlServer(wgClient *wgctrl.Client, conn *conn.WgCtrlConnection, ifName string) *MeshCtrlServer {
 	ctrlServer := new(MeshCtrlServer)
 	ctrlServer.Meshes = make(map[string]Mesh)
 	ctrlServer.Client = wgClient
+	ctrlServer.Conn = conn
 	ctrlServer.IfName = ifName
+	ctrlServer.JwtManager = auth.NewJwtManager("bob123", 24*time.Hour)
 	return ctrlServer
 }

--- a/pkg/ctrlserver/ctrltypes.go
+++ b/pkg/ctrlserver/ctrltypes.go
@ -1,6 +1,8 @@
 package ctrlserver

 import (
+	"github.com/tim-beatham/wgmesh/pkg/auth"
+	"github.com/tim-beatham/wgmesh/pkg/conn"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
@ -25,7 +27,9 @@ type Mesh struct {
 * is running
 */
 type MeshCtrlServer struct {
-	Client *wgctrl.Client
-	Meshes map[string]Mesh
-	IfName string
+	Client     *wgctrl.Client
+	Meshes     map[string]Mesh
+	IfName     string
+	Conn       *conn.WgCtrlConnection
+	JwtManager *auth.JwtManager
 }
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@ -0,0 +1,34 @@
+package middleware
+
+import (
+	"context"
+	"errors"
+
+	"github.com/tim-beatham/wgmesh/pkg/ctrlserver"
+	"github.com/tim-beatham/wgmesh/pkg/rpc"
+)
+
+type AuthRpcProvider struct {
+	rpc.UnimplementedAuthenticationServer
+	server *ctrlserver.MeshCtrlServer
+}
+
+func (a *AuthRpcProvider) JoinMesh(ctx context.Context, in *rpc.JoinAuthMeshRequest) (*rpc.JoinAuthMeshReply, error) {
+	meshId := in.MeshId
+
+	if meshId == "" {
+		return nil, errors.New("Must specify the meshId")
+	}
+
+	token, err := a.server.JwtManager.CreateClaims(in.MeshId, "sharedSecret")
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &rpc.JoinAuthMeshReply{Success: true, Token: token}, nil
+}
+
+func NewAuthProvider(ctrlServer *ctrlserver.MeshCtrlServer) *AuthRpcProvider {
+	return &AuthRpcProvider{server: ctrlServer}
+}
--- a/pkg/robin/robin_requester.go
+++ b/pkg/robin/robin_requester.go
@ -15,8 +15,6 @@ import (
 	"github.com/tim-beatham/wgmesh/pkg/slaac"
 	"github.com/tim-beatham/wgmesh/pkg/wg"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
 )

 type RobinIpc struct {
@ -57,7 +55,7 @@ func (n *RobinIpc) ListMeshes(name string, reply *map[string]ctrlserver.Mesh) er
 }

 func updateMesh(n *RobinIpc, meshId string, endPoint string) error {
-	conn, err := grpc.Dial(endPoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	conn, err := n.Server.Conn.Connect(endPoint)

 	if err != nil {
 		return err
@ -105,7 +103,7 @@ func updateMesh(n *RobinIpc, meshId string, endPoint string) error {
 }

 func updatePeer(n *RobinIpc, node ctrlserver.MeshNode, wgHost string, meshId string) error {
-	conn, err := grpc.Dial(node.HostEndpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	conn, err := n.Server.Conn.Connect(node.HostEndpoint)

 	if err != nil {
 		return err
@ -159,7 +157,7 @@ func updatePeers(n *RobinIpc, meshId string, wgHost string, nodesToExclude []str
 }

 func (n *RobinIpc) JoinMesh(args ipc.JoinMeshArgs, reply *string) error {
-	conn, err := grpc.Dial(args.IpAdress+":8080", grpc.WithTransportCredentials(insecure.NewCredentials()))
+	conn, err := n.Server.Conn.Connect(args.IpAdress + ":8080")

 	if err != nil {
 		return err
--- a/pkg/rpc/authentication.pb.go
+++ b/pkg/rpc/authentication.pb.go
@ -0,0 +1,236 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.1
+// 	protoc        v3.21.12
+// source: pkg/grpc/ctrlserver/authentication.proto
+
+package rpc
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type JoinAuthMeshRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	MeshId       string `protobuf:"bytes,1,opt,name=meshId,proto3" json:"meshId,omitempty"`
+	SharedSecret string `protobuf:"bytes,2,opt,name=sharedSecret,proto3" json:"sharedSecret,omitempty"`
+}
+
+func (x *JoinAuthMeshRequest) Reset() {
+	*x = JoinAuthMeshRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_grpc_ctrlserver_authentication_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *JoinAuthMeshRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*JoinAuthMeshRequest) ProtoMessage() {}
+
+func (x *JoinAuthMeshRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_grpc_ctrlserver_authentication_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use JoinAuthMeshRequest.ProtoReflect.Descriptor instead.
+func (*JoinAuthMeshRequest) Descriptor() ([]byte, []int) {
+	return file_pkg_grpc_ctrlserver_authentication_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *JoinAuthMeshRequest) GetMeshId() string {
+	if x != nil {
+		return x.MeshId
+	}
+	return ""
+}
+
+func (x *JoinAuthMeshRequest) GetSharedSecret() string {
+	if x != nil {
+		return x.SharedSecret
+	}
+	return ""
+}
+
+type JoinAuthMeshReply struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Success bool    `protobuf:"varint,1,opt,name=success,proto3" json:"success,omitempty"`
+	Token   *string `protobuf:"bytes,2,opt,name=token,proto3,oneof" json:"token,omitempty"`
+}
+
+func (x *JoinAuthMeshReply) Reset() {
+	*x = JoinAuthMeshReply{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_grpc_ctrlserver_authentication_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *JoinAuthMeshReply) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*JoinAuthMeshReply) ProtoMessage() {}
+
+func (x *JoinAuthMeshReply) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_grpc_ctrlserver_authentication_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use JoinAuthMeshReply.ProtoReflect.Descriptor instead.
+func (*JoinAuthMeshReply) Descriptor() ([]byte, []int) {
+	return file_pkg_grpc_ctrlserver_authentication_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *JoinAuthMeshReply) GetSuccess() bool {
+	if x != nil {
+		return x.Success
+	}
+	return false
+}
+
+func (x *JoinAuthMeshReply) GetToken() string {
+	if x != nil && x.Token != nil {
+		return *x.Token
+	}
+	return ""
+}
+
+var File_pkg_grpc_ctrlserver_authentication_proto protoreflect.FileDescriptor
+
+var file_pkg_grpc_ctrlserver_authentication_proto_rawDesc = []byte{
+	0x0a, 0x28, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x74, 0x72, 0x6c, 0x73,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x72, 0x70, 0x63, 0x74,
+	0x79, 0x70, 0x65, 0x73, 0x22, 0x51, 0x0a, 0x13, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x75, 0x74, 0x68,
+	0x4d, 0x65, 0x73, 0x68, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x6d,
+	0x65, 0x73, 0x68, 0x49, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6d, 0x65, 0x73,
+	0x68, 0x49, 0x64, 0x12, 0x22, 0x0a, 0x0c, 0x73, 0x68, 0x61, 0x72, 0x65, 0x64, 0x53, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x68, 0x61, 0x72, 0x65,
+	0x64, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x22, 0x52, 0x0a, 0x11, 0x4a, 0x6f, 0x69, 0x6e, 0x41,
+	0x75, 0x74, 0x68, 0x4d, 0x65, 0x73, 0x68, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x18, 0x0a, 0x07,
+	0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x73,
+	0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x19, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x88, 0x01,
+	0x01, 0x42, 0x08, 0x0a, 0x06, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x32, 0x5a, 0x0a, 0x0e, 0x41,
+	0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x48, 0x0a,
+	0x08, 0x4a, 0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x73, 0x68, 0x12, 0x1d, 0x2e, 0x72, 0x70, 0x63, 0x74,
+	0x79, 0x70, 0x65, 0x73, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x73,
+	0x68, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x72, 0x70, 0x63, 0x74, 0x79,
+	0x70, 0x65, 0x73, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x73, 0x68,
+	0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x70, 0x6b, 0x67, 0x2f, 0x72,
+	0x70, 0x63, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_pkg_grpc_ctrlserver_authentication_proto_rawDescOnce sync.Once
+	file_pkg_grpc_ctrlserver_authentication_proto_rawDescData = file_pkg_grpc_ctrlserver_authentication_proto_rawDesc
+)
+
+func file_pkg_grpc_ctrlserver_authentication_proto_rawDescGZIP() []byte {
+	file_pkg_grpc_ctrlserver_authentication_proto_rawDescOnce.Do(func() {
+		file_pkg_grpc_ctrlserver_authentication_proto_rawDescData = protoimpl.X.CompressGZIP(file_pkg_grpc_ctrlserver_authentication_proto_rawDescData)
+	})
+	return file_pkg_grpc_ctrlserver_authentication_proto_rawDescData
+}
+
+var file_pkg_grpc_ctrlserver_authentication_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_pkg_grpc_ctrlserver_authentication_proto_goTypes = []interface{}{
+	(*JoinAuthMeshRequest)(nil), // 0: rpctypes.JoinAuthMeshRequest
+	(*JoinAuthMeshReply)(nil),   // 1: rpctypes.JoinAuthMeshReply
+}
+var file_pkg_grpc_ctrlserver_authentication_proto_depIdxs = []int32{
+	0, // 0: rpctypes.Authentication.JoinMesh:input_type -> rpctypes.JoinAuthMeshRequest
+	1, // 1: rpctypes.Authentication.JoinMesh:output_type -> rpctypes.JoinAuthMeshReply
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_pkg_grpc_ctrlserver_authentication_proto_init() }
+func file_pkg_grpc_ctrlserver_authentication_proto_init() {
+	if File_pkg_grpc_ctrlserver_authentication_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_pkg_grpc_ctrlserver_authentication_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*JoinAuthMeshRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_grpc_ctrlserver_authentication_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*JoinAuthMeshReply); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	file_pkg_grpc_ctrlserver_authentication_proto_msgTypes[1].OneofWrappers = []interface{}{}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_pkg_grpc_ctrlserver_authentication_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_pkg_grpc_ctrlserver_authentication_proto_goTypes,
+		DependencyIndexes: file_pkg_grpc_ctrlserver_authentication_proto_depIdxs,
+		MessageInfos:      file_pkg_grpc_ctrlserver_authentication_proto_msgTypes,
+	}.Build()
+	File_pkg_grpc_ctrlserver_authentication_proto = out.File
+	file_pkg_grpc_ctrlserver_authentication_proto_rawDesc = nil
+	file_pkg_grpc_ctrlserver_authentication_proto_goTypes = nil
+	file_pkg_grpc_ctrlserver_authentication_proto_depIdxs = nil
+}
--- a/pkg/rpc/authentication_grpc.pb.go
+++ b/pkg/rpc/authentication_grpc.pb.go
@ -0,0 +1,105 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             v3.21.12
+// source: pkg/grpc/ctrlserver/authentication.proto
+
+package rpc
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// AuthenticationClient is the client API for Authentication service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type AuthenticationClient interface {
+	JoinMesh(ctx context.Context, in *JoinAuthMeshRequest, opts ...grpc.CallOption) (*JoinAuthMeshReply, error)
+}
+
+type authenticationClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewAuthenticationClient(cc grpc.ClientConnInterface) AuthenticationClient {
+	return &authenticationClient{cc}
+}
+
+func (c *authenticationClient) JoinMesh(ctx context.Context, in *JoinAuthMeshRequest, opts ...grpc.CallOption) (*JoinAuthMeshReply, error) {
+	out := new(JoinAuthMeshReply)
+	err := c.cc.Invoke(ctx, "/rpctypes.Authentication/JoinMesh", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// AuthenticationServer is the server API for Authentication service.
+// All implementations must embed UnimplementedAuthenticationServer
+// for forward compatibility
+type AuthenticationServer interface {
+	JoinMesh(context.Context, *JoinAuthMeshRequest) (*JoinAuthMeshReply, error)
+	mustEmbedUnimplementedAuthenticationServer()
+}
+
+// UnimplementedAuthenticationServer must be embedded to have forward compatible implementations.
+type UnimplementedAuthenticationServer struct {
+}
+
+func (UnimplementedAuthenticationServer) JoinMesh(context.Context, *JoinAuthMeshRequest) (*JoinAuthMeshReply, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method JoinMesh not implemented")
+}
+func (UnimplementedAuthenticationServer) mustEmbedUnimplementedAuthenticationServer() {}
+
+// UnsafeAuthenticationServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to AuthenticationServer will
+// result in compilation errors.
+type UnsafeAuthenticationServer interface {
+	mustEmbedUnimplementedAuthenticationServer()
+}
+
+func RegisterAuthenticationServer(s grpc.ServiceRegistrar, srv AuthenticationServer) {
+	s.RegisterService(&Authentication_ServiceDesc, srv)
+}
+
+func _Authentication_JoinMesh_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(JoinAuthMeshRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthenticationServer).JoinMesh(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/rpctypes.Authentication/JoinMesh",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthenticationServer).JoinMesh(ctx, req.(*JoinAuthMeshRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// Authentication_ServiceDesc is the grpc.ServiceDesc for Authentication service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var Authentication_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "rpctypes.Authentication",
+	HandlerType: (*AuthenticationServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "JoinMesh",
+			Handler:    _Authentication_JoinMesh_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "pkg/grpc/ctrlserver/authentication.proto",
+}
--- a/pkg/rpc/ctrlserver.pb.go
+++ b/pkg/rpc/ctrlserver.pb.go
@ -372,9 +372,8 @@ var file_pkg_grpc_ctrlserver_ctrlserver_proto_rawDesc = []byte{
 	0x65, 0x73, 0x68, 0x12, 0x19, 0x2e, 0x72, 0x70, 0x63, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x4a,
 	0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x73, 0x68, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17,
 	0x2e, 0x72, 0x70, 0x63, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x4d, 0x65,
-	0x73, 0x68, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x14, 0x5a, 0x12, 0x70, 0x6b, 0x67,
-	0x2f, 0x63, 0x74, 0x72, 0x6c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x72, 0x70, 0x63, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x73, 0x68, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x70, 0x6b, 0x67,
+	0x2f, 0x72, 0x70, 0x63, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/pkg/rpc/rpc.go
+++ b/pkg/rpc/rpc.go
@ -2,8 +2,8 @@ package rpc

 import grpc "google.golang.org/grpc"

-func NewRpcServer(server MeshCtrlServerServer) *grpc.Server {
-	grpc := grpc.NewServer()
-	RegisterMeshCtrlServerServer(grpc, server)
-	return grpc
+func NewRpcServer(rpcServer *grpc.Server, server MeshCtrlServerServer, auth AuthenticationServer) *grpc.Server {
+	RegisterMeshCtrlServerServer(rpcServer, server)
+	RegisterAuthenticationServer(rpcServer, auth)
+	return rpcServer
 }