Fail to validate server tokens that use bootstrap id/secret format

Signed-off-by: Brad Davidson <[email protected]>
k3s-io · May 1, 2023 · f3b12e9 · f3b12e9
1 parent a3ddff2
commit f3b12e9
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/pkg/clientaccess/token.go b/pkg/clientaccess/token.go
@@ -165,11 +165,15 @@ func hashCA(b []byte) (string, error) {
 
 // ParseUsernamePassword returns the username and password portion of a token string,
 // along with a bool indicating if the token was successfully parsed.
+// Kubeadm-style tokens have ID/Secret not Username/Password and therefore will return false (invalid).
 func ParseUsernamePassword(token string) (string, string, bool) {
 	info, err := parseToken(token)
 	if err != nil {
 		return "", "", false
 	}
+	if info.ID != "" || info.Secret != "" {
+		return "", "", false
+	}
 	return info.Username, info.Password, true
 }
 

diff --git a/pkg/cluster/storage.go b/pkg/cluster/storage.go
@@ -271,7 +271,7 @@ func readTokenFromFile(serverToken, certs, dataDir string) (string, error) {
 func normalizeToken(token string) (string, error) {
 	_, password, ok := clientaccess.ParseUsernamePassword(token)
 	if !ok {
-		return password, errors.New("failed to normalize token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
+		return password, errors.New("failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD>")
 	}
 
 	return password, nil
@@ -286,7 +286,7 @@ func migrateOldTokens(ctx context.Context, bootstrapList []client.Value, storage
 	for _, bootstrapKV := range bootstrapList {
 		// checking for empty string bootstrap key
 		if string(bootstrapKV.Key) == emptyStringKey {
-			logrus.Warn("bootstrap data encrypted with empty string, deleting and resaving with token")
+			logrus.Warn("Bootstrap data encrypted with empty string, deleting and resaving with token")
 			if err := doMigrateToken(ctx, storageClient, bootstrapKV, "", emptyStringKey, token, tokenKey); err != nil {
 				return err
 			}

diff --git a/tests/e2e/startup/startup_test.go b/tests/e2e/startup/startup_test.go
@@ -246,6 +246,14 @@ var _ = Describe("Various Startup Configurations", Ordered, func() {
 			Expect(err).NotTo(HaveOccurred())
 		})
 	})
+	Context("Verify server fails to start with bootstrap token", func() {
+		It("Fails to start with a meaningful error", func() {
+			preferBundledYAML := "token: AAAAAA.BBBBBBBBBBBBBBBB"
+			err := StartK3sCluster(append(serverNodeNames, agentNodeNames...), preferBundledYAML, preferBundledYAML)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(ContainSubstring("failed to normalize server token"))
+		})
+	})
 })
 
 var failed bool