Commit 7f50b40c authored by Brad Davidson's avatar Brad Davidson Committed by Brad Davidson

Fall back to basic/bearer auth when node identity auth is rejected

parent ce3443dd
...@@ -140,6 +140,20 @@ func getNodeNamedCrt(nodeName string, nodeIPs []net.IP, nodePasswordFile string) ...@@ -140,6 +140,20 @@ func getNodeNamedCrt(nodeName string, nodeIPs []net.IP, nodePasswordFile string)
} }
defer resp.Body.Close() defer resp.Body.Close()
// If we got a 401 Unauthorized response when using client certs, try again without client cert auth.
// This allows us to fall back from node identity to token when the node resource is deleted.
if resp.StatusCode == http.StatusUnauthorized {
if transport, ok := client.Transport.(*http.Transport); ok && transport.TLSClientConfig != nil && len(transport.TLSClientConfig.Certificates) != 0 {
logrus.Infof("Node authorization rejected, retrying without client certificate authentication")
transport.TLSClientConfig.Certificates = []tls.Certificate{}
resp, err = client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
}
}
if resp.StatusCode == http.StatusForbidden { if resp.StatusCode == http.StatusForbidden {
return nil, fmt.Errorf("Node password rejected, duplicate hostname or contents of '%s' may not match server node-passwd entry, try enabling a unique node name with the --with-node-id flag", nodePasswordFile) return nil, fmt.Errorf("Node password rejected, duplicate hostname or contents of '%s' may not match server node-passwd entry, try enabling a unique node name with the --with-node-id flag", nodePasswordFile)
} }
......
...@@ -367,7 +367,7 @@ func getCACerts(u url.URL) ([]byte, error) { ...@@ -367,7 +367,7 @@ func getCACerts(u url.URL) ([]byte, error) {
return cacerts, nil return cacerts, nil
} }
// get makes a request to a url using a provided client, username, and password, // get makes a request to a url using a provided client and credentials,
// returning the response body. // returning the response body.
func get(u string, client *http.Client, username, password, token string) ([]byte, error) { func get(u string, client *http.Client, username, password, token string) ([]byte, error) {
req, err := http.NewRequest(http.MethodGet, u, nil) req, err := http.NewRequest(http.MethodGet, u, nil)
...@@ -394,7 +394,7 @@ func get(u string, client *http.Client, username, password, token string) ([]byt ...@@ -394,7 +394,7 @@ func get(u string, client *http.Client, username, password, token string) ([]byt
return io.ReadAll(resp.Body) return io.ReadAll(resp.Body)
} }
// put makes a request to a url using a provided client, username, and password // put makes a request to a url using a provided client and credentials,
// only an error is returned // only an error is returned
func put(u string, body []byte, client *http.Client, username, password, token string) error { func put(u string, body []byte, client *http.Client, username, password, token string) error {
req, err := http.NewRequest(http.MethodPut, u, bytes.NewBuffer(body)) req, err := http.NewRequest(http.MethodPut, u, bytes.NewBuffer(body))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment