2019-08-30 18:33:25 +00:00
|
|
|
/*
|
|
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package util
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bufio"
|
|
|
|
"crypto/rand"
|
|
|
|
"fmt"
|
|
|
|
"regexp"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
|
|
"k8s.io/cluster-bootstrap/token/api"
|
|
|
|
)
|
|
|
|
|
2019-09-27 21:51:53 +00:00
|
|
|
// TODO(dixudx): refactor this to util/secrets and util/tokens
|
|
|
|
|
2019-08-30 18:33:25 +00:00
|
|
|
// validBootstrapTokenChars defines the characters a bootstrap token can consist of
|
|
|
|
const validBootstrapTokenChars = "0123456789abcdefghijklmnopqrstuvwxyz"
|
|
|
|
|
|
|
|
var (
|
|
|
|
// BootstrapTokenRegexp is a compiled regular expression of TokenRegexpString
|
|
|
|
BootstrapTokenRegexp = regexp.MustCompile(api.BootstrapTokenPattern)
|
|
|
|
// BootstrapTokenIDRegexp is a compiled regular expression of TokenIDRegexpString
|
|
|
|
BootstrapTokenIDRegexp = regexp.MustCompile(api.BootstrapTokenIDPattern)
|
|
|
|
// BootstrapGroupRegexp is a compiled regular expression of BootstrapGroupPattern
|
|
|
|
BootstrapGroupRegexp = regexp.MustCompile(api.BootstrapGroupPattern)
|
|
|
|
)
|
|
|
|
|
|
|
|
// GenerateBootstrapToken generates a new, random Bootstrap Token.
|
|
|
|
func GenerateBootstrapToken() (string, error) {
|
|
|
|
tokenID, err := randBytes(api.BootstrapTokenIDBytes)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
tokenSecret, err := randBytes(api.BootstrapTokenSecretBytes)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
return TokenFromIDAndSecret(tokenID, tokenSecret), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// randBytes returns a random string consisting of the characters in
|
|
|
|
// validBootstrapTokenChars, with the length customized by the parameter
|
|
|
|
func randBytes(length int) (string, error) {
|
|
|
|
// len("0123456789abcdefghijklmnopqrstuvwxyz") = 36 which doesn't evenly divide
|
|
|
|
// the possible values of a byte: 256 mod 36 = 4. Discard any random bytes we
|
|
|
|
// read that are >= 252 so the bytes we evenly divide the character set.
|
|
|
|
const maxByteValue = 252
|
|
|
|
|
|
|
|
var (
|
|
|
|
b byte
|
|
|
|
err error
|
|
|
|
token = make([]byte, length)
|
|
|
|
)
|
|
|
|
|
|
|
|
reader := bufio.NewReaderSize(rand.Reader, length*2)
|
|
|
|
for i := range token {
|
|
|
|
for {
|
|
|
|
if b, err = reader.ReadByte(); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
if b < maxByteValue {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
token[i] = validBootstrapTokenChars[int(b)%len(validBootstrapTokenChars)]
|
|
|
|
}
|
|
|
|
|
|
|
|
return string(token), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// TokenFromIDAndSecret returns the full token which is of the form "{id}.{secret}"
|
|
|
|
func TokenFromIDAndSecret(id, secret string) string {
|
|
|
|
return fmt.Sprintf("%s.%s", id, secret)
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsValidBootstrapToken returns whether the given string is valid as a Bootstrap Token and
|
|
|
|
// in other words satisfies the BootstrapTokenRegexp
|
|
|
|
func IsValidBootstrapToken(token string) bool {
|
|
|
|
return BootstrapTokenRegexp.MatchString(token)
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsValidBootstrapTokenID returns whether the given string is valid as a Bootstrap Token ID and
|
|
|
|
// in other words satisfies the BootstrapTokenIDRegexp
|
|
|
|
func IsValidBootstrapTokenID(tokenID string) bool {
|
|
|
|
return BootstrapTokenIDRegexp.MatchString(tokenID)
|
|
|
|
}
|
|
|
|
|
|
|
|
// BootstrapTokenSecretName returns the expected name for the Secret storing the
|
|
|
|
// Bootstrap Token in the Kubernetes API.
|
|
|
|
func BootstrapTokenSecretName(tokenID string) string {
|
|
|
|
return fmt.Sprintf("%s%s", api.BootstrapTokenSecretPrefix, tokenID)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ValidateBootstrapGroupName checks if the provided group name is a valid
|
|
|
|
// bootstrap group name. Returns nil if valid or a validation error if invalid.
|
2019-09-27 21:51:53 +00:00
|
|
|
// TODO(dixudx): should be moved to util/secrets
|
2019-08-30 18:33:25 +00:00
|
|
|
func ValidateBootstrapGroupName(name string) error {
|
|
|
|
if BootstrapGroupRegexp.Match([]byte(name)) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return fmt.Errorf("bootstrap group %q is invalid (must match %s)", name, api.BootstrapGroupPattern)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ValidateUsages validates that the passed in string are valid usage strings for bootstrap tokens.
|
|
|
|
func ValidateUsages(usages []string) error {
|
|
|
|
validUsages := sets.NewString(api.KnownTokenUsages...)
|
|
|
|
invalidUsages := sets.NewString()
|
|
|
|
for _, usage := range usages {
|
|
|
|
if !validUsages.Has(usage) {
|
|
|
|
invalidUsages.Insert(usage)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(invalidUsages) > 0 {
|
|
|
|
return fmt.Errorf("invalid bootstrap token usage string: %s, valid usage options: %s", strings.Join(invalidUsages.List(), ","), strings.Join(api.KnownTokenUsages, ","))
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|