Fail to validate server tokens that use bootstrap id/secret format
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>pull/7442/head
parent
7175ebe2be
commit
cf9ebb3259
|
@ -165,11 +165,15 @@ func hashCA(b []byte) (string, error) {
|
|||
|
||||
// ParseUsernamePassword returns the username and password portion of a token string,
|
||||
// along with a bool indicating if the token was successfully parsed.
|
||||
// Kubeadm-style tokens have ID/Secret not Username/Password and therefore will return false (invalid).
|
||||
func ParseUsernamePassword(token string) (string, string, bool) {
|
||||
info, err := parseToken(token)
|
||||
if err != nil {
|
||||
return "", "", false
|
||||
}
|
||||
if info.BootstrapTokenString != nil {
|
||||
return "", "", false
|
||||
}
|
||||
return info.Username, info.Password, true
|
||||
}
|
||||
|
||||
|
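Review bot: The doc comment line `// along with a bool indicating if the token was successfully parsed.` is no longer accurate after this change: a kubeadm-style ID.Secret token parses without error (the `err != nil` branch is not taken) yet the function now returns false for it. I would reword it to `// along with a bool indicating whether the token is in username/password form; kubeadm-style` followed by `// ID.Secret bootstrap tokens parse but are reported as invalid here because they carry no username/password.` so the contract matches the code. A side effect worth noting is that callers can no longer tell a malformed token from a well-formed bootstrap token, so any caller error text has to cover both cases; a sentinel error would make this distinguishable, but that changes the exported signature. parseToken and the fields of info are outside the hunk, so that BootstrapTokenString is nil for every non-kubeadm form is inferred from the name only.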
|
|
@ -294,6 +294,7 @@ func Test_UnitUserPass(t *testing.T) {
|
|||
{"K10XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX::username:password", "username", "password", true},
|
||||
{"password", "", "password", true},
|
||||
{"K10X::x", "", "", false},
|
||||
{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false},
|
||||
}
|
||||
|
||||
for _, testCase := range testCases {
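Review bot: The new case `{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false}` only covers a bare kubeadm token; nothing pins what happens when the same ID.Secret is carried inside the CA-hash form, e.g. `{"K10XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX::aaaaaa.bbbbbbbbbbbbbbbb", ?, ?, ?}`. The expected triple depends on parseToken, which is outside this hunk, but whatever it is should be recorded here so the K10 path cannot quietly become a way around the rejection this commit adds. The loop body that consumes the table continues past the hunk.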
|
||||
|
|
|
@ -271,7 +271,7 @@ func readTokenFromFile(serverToken, certs, dataDir string) (string, error) {
|
|||
func normalizeToken(token string) (string, error) {
|
||||
_, password, ok := clientaccess.ParseUsernamePassword(token)
|
||||
if !ok {
|
||||
return password, errors.New("failed to normalize token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
|
||||
return password, errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
|
||||
}
|
||||
|
||||
return password, nil
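Review bot: The reworded message at `return password, errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")` still omits the one thing this commit changes, namely that a kubeadm-style `<ID>.<SECRET>` bootstrap token is not accepted as a server token, so an operator who copied an agent join token into the server config sees a format hint that does not obviously exclude theirs. Appending it keeps the `failed to normalize server token` prefix the e2e test matches: `return "", errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>; kubeadm-style <ID>.<SECRET> bootstrap tokens are not valid server tokens")`. Returning the literal `""` rather than `password` on the error path also makes explicit that no token material travels alongside the error (ParseUsernamePassword returns empty strings when ok is false, so behaviour is unchanged). The function's closing brace lies outside the hunk.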
|
||||
|
@ -286,7 +286,7 @@ func migrateOldTokens(ctx context.Context, bootstrapList []client.Value, storage
|
|||
for _, bootstrapKV := range bootstrapList {
|
||||
// checking for empty string bootstrap key
|
||||
if string(bootstrapKV.Key) == emptyStringKey {
|
||||
logrus.Warn("bootstrap data encrypted with empty string, deleting and resaving with token")
|
||||
logrus.Warn("Bootstrap data encrypted with empty string, deleting and resaving with token")
|
||||
if err := doMigrateToken(ctx, storageClient, bootstrapKV, "", emptyStringKey, token, tokenKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -252,6 +252,18 @@ var _ = Describe("Various Startup Configurations", Ordered, func() {
|
|||
Expect(err).NotTo(HaveOccurred())
|
||||
})
|
||||
})
|
||||
Context("Verify server fails to start with bootstrap token", func() {
|
||||
It("Fails to start with a meaningful error", func() {
|
||||
tokenYAML := "token: aaaaaa.bbbbbbbbbbbbbbbb"
|
||||
err := StartK3sCluster(append(serverNodeNames, agentNodeNames...), tokenYAML, tokenYAML)
|
||||
Expect(err).To(HaveOccurred())
|
||||
Expect(err).To(ContainSubstring("failed to normalize server token"))
|
||||
})
|
||||
It("Kills the cluster", func() {
|
||||
err := KillK3sCluster(append(serverNodeNames, agentNodeNames...))
|
||||
Expect(err).NotTo(HaveOccurred())
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
var failed bool
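Review bot: The assertion `Expect(err).To(ContainSubstring("failed to normalize server token"))` confirms the server refuses the bootstrap token but not that the refusal stays silent about the secret; a startup error that echoed the rejected token into the journal would still pass. Adding `Expect(err.Error()).NotTo(ContainSubstring("bbbbbbbbbbbbbbbb"))` pins that the error path does not leak the token value. The same tokenYAML is also handed to the agent nodes, but since the server fails first the agent-side handling of a kubeadm-style token is not exercised here and, if agents are meant to accept it, deserves its own case. Whether StartK3sCluster surfaces the full k3s stderr in err is not visible from this hunk.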
|
||||
|
|