Fail to validate server tokens that use bootstrap id/secret format
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This commit is contained in:
parent
7175ebe2be
commit
cf9ebb3259
@ -165,11 +165,15 @@ func hashCA(b []byte) (string, error) {
|
|||||||
|
|
||||||
// ParseUsernamePassword returns the username and password portion of a token string,
|
// ParseUsernamePassword returns the username and password portion of a token string,
|
||||||
// along with a bool indicating if the token was successfully parsed.
|
// along with a bool indicating if the token was successfully parsed.
|
||||||
|
// Kubeadm-style tokens have ID/Secret not Username/Password and therefore will return false (invalid).
|
||||||
func ParseUsernamePassword(token string) (string, string, bool) {
|
func ParseUsernamePassword(token string) (string, string, bool) {
|
||||||
info, err := parseToken(token)
|
info, err := parseToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", "", false
|
return "", "", false
|
||||||
}
|
}
|
||||||
|
if info.BootstrapTokenString != nil {
|
||||||
|
return "", "", false
|
||||||
|
}
|
||||||
return info.Username, info.Password, true
|
return info.Username, info.Password, true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
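Review bot: The new `info.BootstrapTokenString != nil` guard returns the same bare `false` as a parse failure, so the caller visible in hunk three (normalizeToken) cannot tell a malformed token from a well-formed kubeadm-style one and reports both with a single message. A why-comment on the guard would at least make the distinction visible to the next reader: `// kubeadm-style id.secret tokens parse, but carry no username/password; treat them as invalid here`. Whether parseToken also sets BootstrapTokenString for an id.secret value placed after a `K10<hash>::` prefix is not visible in this hunk, so the guard's coverage of that form cannot be confirmed from here.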
@ -294,6 +294,7 @@ func Test_UnitUserPass(t *testing.T) {
|
|||||||
{"K10XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX::username:password", "username", "password", true},
|
{"K10XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX::username:password", "username", "password", true},
|
||||||
{"password", "", "password", true},
|
{"password", "", "password", true},
|
||||||
{"K10X::x", "", "", false},
|
{"K10X::x", "", "", false},
|
||||||
|
{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, testCase := range testCases {
|
for _, testCase := range testCases {
|
||||||
|
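Review bot: The added table entry `{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false}` reads like any other negative case; nothing tells a reader that it exercises the new BootstrapTokenString branch rather than an ordinary parse failure. A trailing comment would pin that down: `{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false}, // kubeadm-style id.secret token: parses, but has no username/password`. If parseToken also recognizes the id.secret form after a `K10<hash>::` prefix, a second entry for that shape would cover the same branch from the other entry point; that cannot be confirmed from this hunk. Test_UnitUserPass's table begins and its loop continues outside the hunk.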
@ -271,7 +271,7 @@ func readTokenFromFile(serverToken, certs, dataDir string) (string, error) {
|
|||||||
func normalizeToken(token string) (string, error) {
|
func normalizeToken(token string) (string, error) {
|
||||||
_, password, ok := clientaccess.ParseUsernamePassword(token)
|
_, password, ok := clientaccess.ParseUsernamePassword(token)
|
||||||
if !ok {
|
if !ok {
|
||||||
return password, errors.New("failed to normalize token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
|
return password, errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
|
||||||
}
|
}
|
||||||
|
|
||||||
return password, nil
|
return password, nil
|
||||||
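Review bot: On the error path the function still returns `password` next to the non-nil error (the line reworded in this hunk); it is `""` there only because ParseUsernamePassword clears it, so normalizeToken's contract silently leans on the callee's. Returning the zero value explicitly makes the intent local: `return "", errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")`. The message does not echo the rejected value, which matters because this exact string surfaces in startup output (hunk five asserts on it); keep it that way. normalizeToken's closing brace is outside the hunk.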
@ -286,7 +286,7 @@ func migrateOldTokens(ctx context.Context, bootstrapList []client.Value, storage
|
|||||||
for _, bootstrapKV := range bootstrapList {
|
for _, bootstrapKV := range bootstrapList {
|
||||||
// checking for empty string bootstrap key
|
// checking for empty string bootstrap key
|
||||||
if string(bootstrapKV.Key) == emptyStringKey {
|
if string(bootstrapKV.Key) == emptyStringKey {
|
||||||
logrus.Warn("bootstrap data encrypted with empty string, deleting and resaving with token")
|
logrus.Warn("Bootstrap data encrypted with empty string, deleting and resaving with token")
|
||||||
if err := doMigrateToken(ctx, storageClient, bootstrapKV, "", emptyStringKey, token, tokenKey); err != nil {
|
if err := doMigrateToken(ctx, storageClient, bootstrapKV, "", emptyStringKey, token, tokenKey); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -252,6 +252,18 @@ var _ = Describe("Various Startup Configurations", Ordered, func() {
|
|||||||
Expect(err).NotTo(HaveOccurred())
|
Expect(err).NotTo(HaveOccurred())
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
Context("Verify server fails to start with bootstrap token", func() {
|
||||||
|
It("Fails to start with a meaningful error", func() {
|
||||||
|
tokenYAML := "token: aaaaaa.bbbbbbbbbbbbbbbb"
|
||||||
|
err := StartK3sCluster(append(serverNodeNames, agentNodeNames...), tokenYAML, tokenYAML)
|
||||||
|
Expect(err).To(HaveOccurred())
|
||||||
|
Expect(err).To(ContainSubstring("failed to normalize server token"))
|
||||||
|
})
|
||||||
|
It("Kills the cluster", func() {
|
||||||
|
err := KillK3sCluster(append(serverNodeNames, agentNodeNames...))
|
||||||
|
Expect(err).NotTo(HaveOccurred())
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
var failed bool
|
var failed bool
|
||||||
|
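Review bot: The e2e case hard-codes the same `aaaaaa.bbbbbbbbbbbbbbbb` literal as the unit table with no explanation of why this particular string must be refused. A comment on the `tokenYAML` line would let the intent survive a later edit: `// kubeadm-style bootstrap token (6-char id "." 16-char secret); the server must refuse it`. The `ContainSubstring("failed to normalize server token")` assertion couples this test to the exact wording in normalizeToken (hunk three), so the two must be changed together; naming that dependency in the same comment is cheap. The enclosing Describe block starts and ends outside the hunk.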