Fail to validate server tokens that use bootstrap id/secret format

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This commit is contained in:
Brad Davidson 2023-05-01 21:17:30 +00:00 committed by Brad Davidson
parent 7175ebe2be
commit cf9ebb3259
4 changed files with 19 additions and 2 deletions


@ -165,11 +165,15 @@ func hashCA(b []byte) (string, error) {
// ParseUsernamePassword returns the username and password portion of a token string, // ParseUsernamePassword returns the username and password portion of a token string,
// along with a bool indicating if the token was successfully parsed. // along with a bool indicating if the token was successfully parsed.
// Kubeadm-style tokens have ID/Secret not Username/Password and therefore will return false (invalid).
func ParseUsernamePassword(token string) (string, string, bool) { func ParseUsernamePassword(token string) (string, string, bool) {
info, err := parseToken(token) info, err := parseToken(token)
if err != nil { if err != nil {
return "", "", false return "", "", false
} }
if info.BootstrapTokenString != nil {
return "", "", false
}
return info.Username, info.Password, true return info.Username, info.Password, true
} }
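Review bot: The new `if info.BootstrapTokenString != nil` guard states what is rejected but not why, and it returns the same `("", "", false)` as a malformed token, so callers cannot distinguish "wrong token type" from "unparseable". I would put the reason on the line above the check: `// Kubeadm-style ID.SECRET tokens have no password component; treating one as a bare password would make the bootstrap secret the server token, so reject them outright.` — the pre-fix behaviour is inferred from the commit title and should be confirmed against parseToken before committing the wording. If anything other than server-token normalization (for example agent join handling elsewhere in this package) also goes through ParseUsernamePassword, it now rejects bootstrap tokens too; the other callers are not visible here and are worth checking.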


@ -294,6 +294,7 @@ func Test_UnitUserPass(t *testing.T) {
{"K10XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX::username:password", "username", "password", true}, {"K10XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX::username:password", "username", "password", true},
{"password", "", "password", true}, {"password", "", "password", true},
{"K10X::x", "", "", false}, {"K10X::x", "", "", false},
{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false},
} }
for _, testCase := range testCases { for _, testCase := range testCases {
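Review bot: The single negative case `{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false}` pins the plain ID.SECRET form but leaves the boundary cases to parseToken's detection logic, which is not visible here. I would add a case for a bootstrap token behind a CA-hash prefix (the 64-X `K10…::` prefix used on the first line of this table followed by `aaaaaa.bbbbbbbbbbbbbbbb`) and a near-miss such as `{"aaaaaa.bbbb", "", "aaaaaa.bbbb", true}` if a wrong-length secret really is treated as a bare password, so that a later change to the bootstrap-token pattern cannot silently flip either result. The expected values are guesses and need confirming against parseToken before they go into the table.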


@ -271,7 +271,7 @@ func readTokenFromFile(serverToken, certs, dataDir string) (string, error) {
func normalizeToken(token string) (string, error) { func normalizeToken(token string) (string, error) {
_, password, ok := clientaccess.ParseUsernamePassword(token) _, password, ok := clientaccess.ParseUsernamePassword(token)
if !ok { if !ok {
return password, errors.New("failed to normalize token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>") return password, errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
} }
return password, nil return password, nil
@ -286,7 +286,7 @@ func migrateOldTokens(ctx context.Context, bootstrapList []client.Value, storage
for _, bootstrapKV := range bootstrapList { for _, bootstrapKV := range bootstrapList {
// checking for empty string bootstrap key // checking for empty string bootstrap key
if string(bootstrapKV.Key) == emptyStringKey { if string(bootstrapKV.Key) == emptyStringKey {
logrus.Warn("bootstrap data encrypted with empty string, deleting and resaving with token") logrus.Warn("Bootstrap data encrypted with empty string, deleting and resaving with token")
if err := doMigrateToken(ctx, storageClient, bootstrapKV, "", emptyStringKey, token, tokenKey); err != nil { if err := doMigrateToken(ctx, storageClient, bootstrapKV, "", emptyStringKey, token, tokenKey); err != nil {
return err return err
} }
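Review bot: The reworded error at `return password, errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")` still lists only the accepted formats, while the new failure mode this commit introduces — a kubeadm-style ID.SECRET bootstrap token passed as the server token — is never named, so the most likely cause of the error is the one the message omits. I would append the reason: `errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD> (kubeadm-style ID.SECRET bootstrap tokens are not valid server tokens)")`; the integration test's `ContainSubstring("failed to normalize server token")` check still matches. Returning `password` alongside the error also reads oddly since it is the empty string on that path; `return "", errors.New(...)` makes the contract explicit. normalizeToken's closing brace is outside the first hunk, and the second hunk only changes log-message capitalization.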


@ -252,6 +252,18 @@ var _ = Describe("Various Startup Configurations", Ordered, func() {
Expect(err).NotTo(HaveOccurred()) Expect(err).NotTo(HaveOccurred())
}) })
}) })
Context("Verify server fails to start with bootstrap token", func() {
It("Fails to start with a meaningful error", func() {
tokenYAML := "token: aaaaaa.bbbbbbbbbbbbbbbb"
err := StartK3sCluster(append(serverNodeNames, agentNodeNames...), tokenYAML, tokenYAML)
Expect(err).To(HaveOccurred())
Expect(err).To(ContainSubstring("failed to normalize server token"))
})
It("Kills the cluster", func() {
err := KillK3sCluster(append(serverNodeNames, agentNodeNames...))
Expect(err).NotTo(HaveOccurred())
})
})
}) })
var failed bool var failed bool
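Review bot: `Expect(err).To(ContainSubstring("failed to normalize server token"))` hands an `error` value to gomega's ContainSubstring, which accepts a string, []byte or fmt.Stringer; unless StartK3sCluster returns a type with a String method (not visible here), the matcher fails on type rather than on content and the assertion never checks the message it is meant to prove. `Expect(err).To(MatchError(ContainSubstring("failed to normalize server token")))` matches the error text directly. Separately, the teardown lives in a second `It("Kills the cluster")`; in a Ginkgo v2 `Ordered` container (the Describe at the hunk header is Ordered) a failing spec skips the remaining ones, so a regression in the first It would leave the cluster nodes running — `DeferCleanup` or an `AfterAll` in this Context is the robust place for KillK3sCluster. The enclosing Describe continues outside the hunk.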