From 576ef5ea480bb4a3144c8a59c8c0059e7a7de965 Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Sat, 15 Jul 2023 09:14:58 +0300
Subject: [PATCH] azure: Verify VM ID when registering nodes

---
 upup/pkg/fi/cloudup/azure/authenticator.go | 9 +++++++--
 upup/pkg/fi/cloudup/azure/verifier.go | 13 ++++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/upup/pkg/fi/cloudup/azure/authenticator.go b/upup/pkg/fi/cloudup/azure/authenticator.go
index 52e56987ba..132de76d91 100644
--- a/upup/pkg/fi/cloudup/azure/authenticator.go
+++ b/upup/pkg/fi/cloudup/azure/authenticator.go
@@ -43,23 +43,28 @@ func (h *azureAuthenticator) CreateToken(body []byte) (string, error) {
 		return "", fmt.Errorf("querying instance metadata: %w", err)
 	}
 
+	vmId := m.Compute.VMID
+	if vmId == "" {
+		return "", fmt.Errorf("missing virtual machine ID")
+	}
+
 	// The fully qualified VMSS VM resource ID format is:
 	// /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.Compute/virtualMachineScaleSets/VMSS_NAME/virtualMachines/VMSS_INDEX
 	r := strings.Split(m.Compute.ResourceID, "/")
 	if len(r) != 11 || r[7] != "virtualMachineScaleSets" || r[9] != "virtualMachines" {
 		return "", fmt.Errorf("unexpected resource ID format: %q", m.Compute.ResourceID)
 	}
-
 	vmssName := r[8]
 	vmssIndex := r[10]
-	return AzureAuthenticationTokenPrefix + vmssName + " " + vmssIndex, nil
+	return AzureAuthenticationTokenPrefix + vmId + " " + vmssName + " " + vmssIndex, nil
 }
 
 type instanceComputeMetadata struct {
 	ResourceGroupName string `json:"resourceGroupName"`
 	ResourceID string `json:"resourceId"`
 	SubscriptionID string `json:"subscriptionId"`
+	VMID string `json:"vmId"`
 }
 
 type instanceMetadata struct {
diff --git a/upup/pkg/fi/cloudup/azure/verifier.go b/upup/pkg/fi/cloudup/azure/verifier.go
index 3b275e04ef..3ce31bd7b6 100644
--- a/upup/pkg/fi/cloudup/azure/verifier.go
+++ b/upup/pkg/fi/cloudup/azure/verifier.go
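Review bot: The VM ID read from instance metadata is spliced into a space-delimited token with only an emptiness check, so a value that contained a space would pass CreateToken and only surface on the verifier side as the generic "incorrect token format" error, far from its cause; I would tighten the guard in the authenticator.go hunk to `if vmId == "" || strings.ContainsAny(vmId, " ") {` and report the offending value with `return "", fmt.Errorf("invalid virtual machine ID %q", vmId)`. The token layout is now a three-field contract shared with verifier.go's `len(v) != 3` check but is documented nowhere; a comment on the return line such as `// Token layout: <prefix><vmID> <vmssName> <vmssIndex>; the verifier splits on single spaces.` would tie the two sides together. As a point of style, the local `vmId` should be `vmID` to match Go initialism conventions and the `VMID` field added to instanceComputeMetadata. Since the new struct field is the only line visible from that type, I cannot tell whether gofmt's tag alignment is preserved; worth a `gofmt -l` pass before merging. CreateToken's body begins before this hunk.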
@@ -58,16 +58,23 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
 	}
 	v := strings.Split(strings.TrimPrefix(token, AzureAuthenticationTokenPrefix), " ")
-	if len(v) != 2 {
+	if len(v) != 3 {
 		return nil, fmt.Errorf("incorrect token format")
 	}
-	vmssName := v[0]
-	vmssIndex := v[1]
+	vmId := v[0]
+	vmssName := v[1]
+	vmssIndex := v[2]
 	vm, err := a.client.vmsClient.Get(ctx, a.client.resourceGroup, vmssName, vmssIndex, "")
 	if err != nil {
 		return nil, fmt.Errorf("getting info for VMSS virtual machine %q #%s: %w", vmssName, vmssIndex, err)
 	}
+	if vm.VMID == nil {
+		return nil, fmt.Errorf("determining VMID for VMSS %q virtual machine #%s", vmssName, vmssIndex)
+	}
+	if vmId != *vm.VMID {
+		return nil, fmt.Errorf("matching VMID %q for VMSS %q virtual machine #%s", vmId, vmssName, vmssIndex)
+	}
 	if vm.OsProfile == nil || *vm.OsProfile.ComputerName == "" {
 		return nil, fmt.Errorf("determining ComputerName for VMSS %q virtual machine #%s", vmssName, vmssIndex)
 	}