wip - Use token-auth-file

k3s-io · Aug 12, 2020 · 274e74d · 274e74d
1 parent c056c5c
commit 274e74d
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 38 deletions.
diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
@@ -70,8 +70,8 @@ func getNodeNamedCrt(nodeName, nodePasswordFile string) HTTPRequester {
 			return nil, err
 		}
 
-		if username != "" {
-			req.SetBasicAuth(username, password)
+		if password != "" {
+			req.Header.Set("Authorization", "Bearer "+password)
 		}
 
 		req.Header.Set(version.Program+"-Node-Name", nodeName)

diff --git a/pkg/clientaccess/clientaccess.go b/pkg/clientaccess/clientaccess.go
@@ -260,8 +260,8 @@ func get(u string, client *http.Client, username, password string) ([]byte, erro
 		return nil, err
 	}
 
-	if username != "" {
-		req.SetBasicAuth(username, password)
+	if password != "" {
+		req.Header.Set("Authorization", "Bearer "+password)
 	}
 
 	resp, err := client.Do(req)

diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
@@ -73,6 +73,8 @@ users:
     client-certificate: {{.ClientCert}}
     client-key: {{.ClientKey}}
 `))
+	agentRole  = version.Program + ":agent"
+	serverRole = version.Program + ":server"
 )
 
 const (
@@ -195,7 +197,7 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
 	argsMap["service-account-key-file"] = runtime.ServiceKey
 	argsMap["service-account-issuer"] = version.Program
 	argsMap["api-audiences"] = "unknown"
-	argsMap["basic-auth-file"] = runtime.PasswdFile
+	argsMap["token-auth-file"] = runtime.PasswdFile
 	argsMap["kubelet-certificate-authority"] = runtime.ServerCA
 	argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
 	argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey
@@ -339,7 +341,7 @@ func prepare(ctx context.Context, config *config.Control, runtime *config.Contro
 		return err
 	}
 
-	if err := genUsers(config, runtime); err != nil {
+	if err := genUserTokens(config, runtime); err != nil {
 		return err
 	}
 
@@ -403,15 +405,6 @@ func genEncryptedNetworkInfo(controlConfig *config.Control, runtime *config.Cont
 	return nil
 }
 
-func migratePassword(p *passwd.Passwd) error {
-	server, _ := p.Pass("server")
-	node, _ := p.Pass("node")
-	if server == "" && node != "" {
-		return p.EnsureUser("server", version.Program+":server", node)
-	}
-	return nil
-}
-
 func getServerPass(passwd *passwd.Passwd, config *config.Control) (string, error) {
 	var (
 		err error
@@ -421,48 +414,64 @@ func getServerPass(passwd *passwd.Passwd, config *config.Control) (string, error
 	if serverPass == "" {
 		serverPass, _ = passwd.Pass("server")
 	}
+	if _, pass, ok := clientaccess.ParseUsernamePassword(serverPass); ok {
+		serverPass = pass
+	}
 	if serverPass == "" {
 		serverPass, err = token.Random(16)
 		if err != nil {
 			return "", err
 		}
 	}
-
 	return serverPass, nil
 }
 
-func getNodePass(config *config.Control, serverPass string) string {
-	if config.AgentToken == "" {
-		if _, passwd, ok := clientaccess.ParseUsernamePassword(serverPass); ok {
-			return passwd
+func getNodePass(passwd *passwd.Passwd, config *config.Control, serverPass string) (string, error) {
+	var (
+		err error
+	)
+
+	nodePass := config.AgentToken
+	if nodePass == "" {
+		nodePass, _ = passwd.Pass("node")
+	}
+	if _, pass, ok := clientaccess.ParseUsernamePassword(nodePass); ok {
+		nodePass = pass
+	}
+	if nodePass == "" || nodePass == serverPass {
+		nodePass, err = token.Random(16)
+		if err != nil {
+			return "", err
 		}
-		return serverPass
 	}
-	return config.AgentToken
+	return nodePass, nil
 }
 
-func genUsers(config *config.Control, runtime *config.ControlRuntime) error {
+func genUserTokens(config *config.Control, runtime *config.ControlRuntime) error {
 	passwd, err := passwd.Read(runtime.PasswdFile)
 	if err != nil {
 		return err
 	}
 
-	if err := migratePassword(passwd); err != nil {
+	serverPass, err := getServerPass(passwd, config)
+	if err != nil {
 		return err
 	}
 
-	serverPass, err := getServerPass(passwd, config)
+	nodePass, err := getNodePass(passwd, config, serverPass)
 	if err != nil {
 		return err
 	}
 
-	nodePass := getNodePass(config, serverPass)
+	if err := passwd.Set(nodePass, "node", agentRole); err != nil {
+		return err
+	}
 
-	if err := passwd.EnsureUser("node", version.Program+":agent", nodePass); err != nil {
+	if err := passwd.Set(serverPass, "server", serverRole, agentRole); err != nil {
 		return err
 	}
 
-	if err := passwd.EnsureUser("server", version.Program+":server", serverPass); err != nil {
+	if err := passwd.EnsureUniqueTokens(); err != nil {
 		return err
 	}
 

diff --git a/pkg/passwd/passwd.go b/pkg/passwd/passwd.go
@@ -12,8 +12,8 @@ import (
 )
 
 type entry struct {
-	pass string
-	role string
+	pass  string
+	roles string
 }
 
 type Passwd struct {
@@ -52,7 +52,7 @@ func Read(file string) (*Passwd, error) {
 			pass: record[0],
 		}
 		if len(record) > 3 {
-			e.role = record[3]
+			e.roles = record[3]
 		}
 		result.names[record[1]] = e
 	}
@@ -68,22 +68,34 @@ func (p *Passwd) Check(name, pass string) (matches bool, exists bool) {
 	return e.pass == pass, true
 }
 
-func (p *Passwd) EnsureUser(name, role, passwd string) error {
+func (p *Passwd) EnsureUniqueTokens() error {
+	var tokens = map[string]bool{}
+	for name, e := range p.names {
+		if tokens[e.pass] {
+			return fmt.Errorf("token duplicate found for user %s", name)
+		}
+		tokens[e.pass] = true
+	}
+	return nil
+}
+
+func (p *Passwd) Set(passwd, name string, roleSlice ...string) error {
 	tokenPrefix := "::" + name + ":"
 	idx := strings.Index(passwd, tokenPrefix)
 	if idx > 0 && strings.HasPrefix(passwd, "K10") {
 		passwd = passwd[idx+len(tokenPrefix):]
 	}
+	roles := strings.Join(roleSlice, ",")
 
 	if e, ok := p.names[name]; ok {
 		if passwd != "" && e.pass != passwd {
 			p.changed = true
 			e.pass = passwd
 		}
 
-		if e.role != role {
+		if e.roles != roles {
 			p.changed = true
-			e.role = role
+			e.roles = roles
 		}
 
 		p.names[name] = e
@@ -100,8 +112,8 @@ func (p *Passwd) EnsureUser(name, role, passwd string) error {
 
 	p.changed = true
 	p.names[name] = entry{
-		pass: passwd,
-		role: role,
+		pass:  passwd,
+		roles: roles,
 	}
 
 	return nil
@@ -126,7 +138,7 @@ func (p *Passwd) Write(passwdFile string) error {
 			e.pass,
 			name,
 			name,
-			e.role,
+			e.roles,
 		})
 	}
 

diff --git a/pkg/server/router.go b/pkg/server/router.go
@@ -283,6 +283,6 @@ func ensureNodePassword(passwdFile, nodeName, pass string) error {
 		return nil
 	}
 	// If user doesn't exist we save this password for future validation
-	passwd.EnsureUser(nodeName, "", pass)
+	passwd.Set(pass, nodeName)
 	return passwd.Write(passwdFile)
 }