Skip to content

Commit

Permalink
Fail to validate server tokens that use bootstrap id/secret format
Browse files Browse the repository at this point in the history
Signed-off-by: Brad Davidson <[email protected]>
  • Loading branch information
brandond committed May 5, 2023
1 parent 7175ebe commit cf9ebb3
Show file tree
Hide file tree
Showing 4 changed files with 19 additions and 2 deletions.
4 changes: 4 additions & 0 deletions pkg/clientaccess/token.go
Original file line number Diff line number Diff line change
Expand Up @@ -165,11 +165,15 @@ func hashCA(b []byte) (string, error) {

// ParseUsernamePassword returns the username and password portion of a token string,
// along with a bool indicating if the token was successfully parsed.
// Kubeadm-style tokens have ID/Secret not Username/Password and therefore will return false (invalid).
func ParseUsernamePassword(token string) (string, string, bool) {
info, err := parseToken(token)
if err != nil {
return "", "", false
}
if info.BootstrapTokenString != nil {
return "", "", false
}
return info.Username, info.Password, true
}

Expand Down
1 change: 1 addition & 0 deletions pkg/clientaccess/token_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -294,6 +294,7 @@ func Test_UnitUserPass(t *testing.T) {
{"K10XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX::username:password", "username", "password", true},
{"password", "", "password", true},
{"K10X::x", "", "", false},
{"aaaaaa.bbbbbbbbbbbbbbbb", "", "", false},
}

for _, testCase := range testCases {
Expand Down
4 changes: 2 additions & 2 deletions pkg/cluster/storage.go
Original file line number Diff line number Diff line change
Expand Up @@ -271,7 +271,7 @@ func readTokenFromFile(serverToken, certs, dataDir string) (string, error) {
func normalizeToken(token string) (string, error) {
_, password, ok := clientaccess.ParseUsernamePassword(token)
if !ok {
return password, errors.New("failed to normalize token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
return password, errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
}

return password, nil
Expand All @@ -286,7 +286,7 @@ func migrateOldTokens(ctx context.Context, bootstrapList []client.Value, storage
for _, bootstrapKV := range bootstrapList {
// checking for empty string bootstrap key
if string(bootstrapKV.Key) == emptyStringKey {
logrus.Warn("bootstrap data encrypted with empty string, deleting and resaving with token")
logrus.Warn("Bootstrap data encrypted with empty string, deleting and resaving with token")
if err := doMigrateToken(ctx, storageClient, bootstrapKV, "", emptyStringKey, token, tokenKey); err != nil {
return err
}
Expand Down
12 changes: 12 additions & 0 deletions tests/e2e/startup/startup_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -252,6 +252,18 @@ var _ = Describe("Various Startup Configurations", Ordered, func() {
Expect(err).NotTo(HaveOccurred())
})
})
Context("Verify server fails to start with bootstrap token", func() {
It("Fails to start with a meaningful error", func() {
tokenYAML := "token: aaaaaa.bbbbbbbbbbbbbbbb"
err := StartK3sCluster(append(serverNodeNames, agentNodeNames...), tokenYAML, tokenYAML)
Expect(err).To(HaveOccurred())
Expect(err).To(ContainSubstring("failed to normalize server token"))
})
It("Kills the cluster", func() {
err := KillK3sCluster(append(serverNodeNames, agentNodeNames...))
Expect(err).NotTo(HaveOccurred())
})
})
})

var failed bool
Expand Down

0 comments on commit cf9ebb3

Please sign in to comment.