Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
4940c32c
Unverified
Commit
4940c32c
authored
Feb 14, 2017
by
Lucas Käldström
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Expose the constants in pkg/controller/bootstrap and add a validate token method
parent
8db5ca1f
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
46 additions
and
19 deletions
+46
-19
types.go
pkg/bootstrap/api/types.go
+9
-0
bootstrapsigner.go
pkg/controller/bootstrap/bootstrapsigner.go
+6
-12
bootstrapsigner_test.go
pkg/controller/bootstrap/bootstrapsigner_test.go
+4
-3
jws.go
pkg/controller/bootstrap/jws.go
+13
-4
jws_test.go
pkg/controller/bootstrap/jws_test.go
+14
-0
No files found.
pkg/bootstrap/api/types.go
View file @
4940c32c
...
...
@@ -45,4 +45,13 @@ const (
// sign configs as part of the bootstrap process. Value must be "true". Any
// other value is assumed to be false. Optional.
BootstrapTokenUsageSigningKey
=
"usage-bootstrap-signing"
// ConfigMapClusterInfo defines the name for the ConfigMap where the information how to connect and trust the cluster exist
ConfigMapClusterInfo
=
"cluster-info"
// KubeConfigKey defines at which key in the Data object of the ConfigMap the KubeConfig object is stored
KubeConfigKey
=
"kubeconfig"
// JWSSignatureKeyPrefix defines what key prefix the JWS-signed tokens have
JWSSignatureKeyPrefix
=
"jws-kubeconfig-"
)
pkg/controller/bootstrap/bootstrapsigner.go
View file @
4940c32c
...
...
@@ -38,12 +38,6 @@ import (
"k8s.io/kubernetes/pkg/util/metrics"
)
const
(
configMapClusterInfo
=
"cluster-info"
kubeConfigKey
=
"kubeconfig"
signaturePrefix
=
"jws-kubeconfig-"
)
// BootstrapSignerOptions contains options for the BootstrapSigner
type
BootstrapSignerOptions
struct
{
...
...
@@ -70,7 +64,7 @@ type BootstrapSignerOptions struct {
func
DefaultBootstrapSignerOptions
()
BootstrapSignerOptions
{
return
BootstrapSignerOptions
{
ConfigMapNamespace
:
api
.
NamespacePublic
,
ConfigMapName
:
c
onfigMapClusterInfo
,
ConfigMapName
:
bootstrapapi
.
C
onfigMapClusterInfo
,
TokenSecretNamespace
:
api
.
NamespaceSystem
,
}
}
...
...
@@ -191,17 +185,17 @@ func (e *BootstrapSigner) signConfigMap() {
}
// First capture the config we are signing
content
,
ok
:=
newCM
.
Data
[
k
ubeConfigKey
]
content
,
ok
:=
newCM
.
Data
[
bootstrapapi
.
K
ubeConfigKey
]
if
!
ok
{
glog
.
V
(
3
)
.
Infof
(
"No %s key in %s/%s ConfigMap"
,
k
ubeConfigKey
,
origCM
.
Namespace
,
origCM
.
Name
)
glog
.
V
(
3
)
.
Infof
(
"No %s key in %s/%s ConfigMap"
,
bootstrapapi
.
K
ubeConfigKey
,
origCM
.
Namespace
,
origCM
.
Name
)
return
}
// Next remove and save all existing signatures
sigs
:=
map
[
string
]
string
{}
for
key
,
value
:=
range
newCM
.
Data
{
if
strings
.
HasPrefix
(
key
,
signature
Prefix
)
{
tokenID
:=
strings
.
TrimPrefix
(
key
,
signature
Prefix
)
if
strings
.
HasPrefix
(
key
,
bootstrapapi
.
JWSSignatureKey
Prefix
)
{
tokenID
:=
strings
.
TrimPrefix
(
key
,
bootstrapapi
.
JWSSignatureKey
Prefix
)
sigs
[
tokenID
]
=
value
delete
(
newCM
.
Data
,
key
)
}
...
...
@@ -222,7 +216,7 @@ func (e *BootstrapSigner) signConfigMap() {
}
delete
(
sigs
,
tokenID
)
newCM
.
Data
[
signature
Prefix
+
tokenID
]
=
sig
newCM
.
Data
[
bootstrapapi
.
JWSSignatureKey
Prefix
+
tokenID
]
=
sig
}
// If we have signatures left over we know that some signatures were
...
...
pkg/controller/bootstrap/bootstrapsigner_test.go
View file @
4940c32c
...
...
@@ -27,6 +27,7 @@ import (
"k8s.io/client-go/pkg/api"
"k8s.io/client-go/pkg/api/v1"
core
"k8s.io/client-go/testing"
bootstrapapi
"k8s.io/kubernetes/pkg/bootstrap/api"
)
func
init
()
{
...
...
@@ -43,15 +44,15 @@ func newConfigMap(tokenID, signature string) *v1.ConfigMap {
ret
:=
&
v1
.
ConfigMap
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Namespace
:
metav1
.
NamespacePublic
,
Name
:
c
onfigMapClusterInfo
,
Name
:
bootstrapapi
.
C
onfigMapClusterInfo
,
ResourceVersion
:
"1"
,
},
Data
:
map
[
string
]
string
{
k
ubeConfigKey
:
"payload"
,
bootstrapapi
.
K
ubeConfigKey
:
"payload"
,
},
}
if
len
(
tokenID
)
>
0
{
ret
.
Data
[
signature
Prefix
+
tokenID
]
=
signature
ret
.
Data
[
bootstrapapi
.
JWSSignatureKey
Prefix
+
tokenID
]
=
signature
}
return
ret
}
...
...
pkg/controller/bootstrap/jws.go
View file @
4940c32c
...
...
@@ -34,17 +34,17 @@ func computeDetachedSig(content, tokenID, tokenSecret string) (string, error) {
signer
,
err
:=
jose
.
NewSigner
(
jose
.
HS256
,
jwk
)
if
err
!=
nil
{
return
""
,
nil
return
""
,
fmt
.
Errorf
(
"can't make a HS256 signer from the given token: %v"
,
err
)
}
jws
,
err
:=
signer
.
Sign
([]
byte
(
content
))
if
err
!=
nil
{
return
""
,
nil
return
""
,
fmt
.
Errorf
(
"can't HS256-sign the given token: %v"
,
err
)
}
fullSig
,
err
:=
jws
.
CompactSerialize
()
if
err
!=
nil
{
return
""
,
nil
return
""
,
fmt
.
Errorf
(
"can't serialize the given token: %v"
,
err
)
}
return
stripContent
(
fullSig
)
}
...
...
@@ -57,8 +57,17 @@ func computeDetachedSig(content, tokenID, tokenSecret string) (string, error) {
func
stripContent
(
fullSig
string
)
(
string
,
error
)
{
parts
:=
strings
.
Split
(
fullSig
,
"."
)
if
len
(
parts
)
!=
3
{
return
""
,
fmt
.
Errorf
(
"
C
ompact JWS format must have three parts"
)
return
""
,
fmt
.
Errorf
(
"
c
ompact JWS format must have three parts"
)
}
return
parts
[
0
]
+
".."
+
parts
[
2
],
nil
}
// DetachedTokenIsValid checks whether a given detached JWS-encoded token matches JWS output of the given content and token
func
DetachedTokenIsValid
(
detachedToken
,
content
,
tokenID
,
tokenSecret
string
)
bool
{
newToken
,
err
:=
computeDetachedSig
(
content
,
tokenID
,
tokenSecret
)
if
err
!=
nil
{
return
false
}
return
detachedToken
==
newToken
}
pkg/controller/bootstrap/jws_test.go
View file @
4940c32c
...
...
@@ -51,3 +51,17 @@ func TestComputeDetachedSig(t *testing.T) {
t
.
Errorf
(
"Wrong signature. Got: %v"
,
sig
)
}
}
func
TestDetachedTokenIsValid
(
t
*
testing
.
T
)
{
// Valid detached JWS token and valid inputs should succeed
sig
:=
"eyJhbGciOiJIUzI1NiIsImtpZCI6Impvc2h1YSJ9..VShe2taLd-YTrmWuRkcL_8QTNDHYxQIEBsAYYiIj1_8"
if
!
DetachedTokenIsValid
(
sig
,
content
,
id
,
secret
)
{
t
.
Errorf
(
"Content %q and token
\"
%s:%s
\"
should equal signature: %q"
,
content
,
id
,
secret
,
sig
)
}
// Invalid detached JWS token and valid inputs should fail
sig2
:=
sig
+
"foo"
if
DetachedTokenIsValid
(
sig2
,
content
,
id
,
secret
)
{
t
.
Errorf
(
"Content %q and token
\"
%s:%s
\"
should not equal signature: %q"
,
content
,
id
,
secret
,
sig
)
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment