kube-apiserver: add a bootstrap token authenticator for TLS bootstrapping

2017-02-16 14:40:55 -08:00
parent 7a06e41f93
commit a0df658b20
11 changed files with 526 additions and 10 deletions
--- a/plugin/pkg/auth/BUILD
+++ b/plugin/pkg/auth/BUILD
@@ -24,6 +24,7 @@ filegroup(
    name = "all-srcs",
    srcs = [
        ":package-srcs",
+        "//plugin/pkg/auth/authenticator/token/bootstrap:all-srcs",
        "//plugin/pkg/auth/authorizer:all-srcs",
    ],
    tags = ["automanaged"],
--- a/plugin/pkg/auth/authenticator/token/bootstrap/BUILD
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/BUILD
@@ -0,0 +1,52 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["bootstrap_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/bootstrap/api:go_default_library",
+        "//vendor:k8s.io/apimachinery/pkg/api/errors",
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apimachinery/pkg/labels",
+        "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
+        "//vendor:k8s.io/apiserver/pkg/authentication/user",
+    ],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["bootstrap.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/bootstrap/api:go_default_library",
+        "//pkg/client/listers/core/internalversion:go_default_library",
+        "//vendor:github.com/golang/glog",
+        "//vendor:k8s.io/apimachinery/pkg/api/errors",
+        "//vendor:k8s.io/apiserver/pkg/authentication/user",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
--- a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
@@ -0,0 +1,168 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package bootstrap provides a token authenticator for TLS bootstrap secrets.
+*/
+package bootstrap
+
+import (
+	"fmt"
+	"regexp"
+	"time"
+
+	"github.com/golang/glog"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/kubernetes/pkg/api"
+	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
+	"k8s.io/kubernetes/pkg/client/listers/core/internalversion"
+)
+
+// TODO: A few methods in this package is copied from other sources. Either
+// because the existing functionality isn't exported or because it is in a
+// package that shouldn't be directly imported by this packages.
+
+// NewTokenAuthenticator initializes a bootstrap token authenticator.
+//
+// Lister is expected to be for the "kube-system" namespace.
+func NewTokenAuthenticator(lister internalversion.SecretNamespaceLister) *TokenAuthenticator {
+	return &TokenAuthenticator{lister}
+}
+
+// TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.
+type TokenAuthenticator struct {
+	lister internalversion.SecretNamespaceLister
+}
+
+// AuthenticateToken tries to match the provided token to a bootstrap token secret
+// in a given namespace. If found, it authenticates the token in the
+// "system:bootstrappers" group and with the "system:bootstrap:(token-id)" username.
+//
+// All secrets must be of type "bootstrap.kubernetes.io/token". An example secret:
+//
+//     apiVersion: v1
+//     kind: Secret
+//     metadata:
+//       # Name MUST be of form "bootstrap-token-( token id )".
+//       name: bootstrap-token-( token id )
+//       namespace: kube-system
+//     # Only secrets of this type will be evaluated.
+//     type: bootstrap.kubernetes.io/token
+//     data:
+//       token-secret: ( private part of token )
+//       token-id: ( token id )
+//       # Required key usage.
+//       usage-bootstrap-authentication: true
+//       # May also contain an expiry.
+//
+// Tokens are expected to be of the form:
+//
+//     ( token-id ).( token-secret )
+//
+func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, error) {
+	tokenID, tokenSecret, err := parseToken(token)
+	if err != nil {
+		// Token isn't of the correct form, ignore it.
+		return nil, false, nil
+	}
+
+	secretName := bootstrapapi.BootstrapTokenSecretPrefix + tokenID
+	secret, err := t.lister.Get(secretName)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return nil, false, nil
+		}
+		return nil, false, err
+	}
+
+	if string(secret.Type) != string(bootstrapapi.SecretTypeBootstrapToken) || secret.Data == nil {
+		return nil, false, nil
+	}
+
+	ts := getSecretString(secret, bootstrapapi.BootstrapTokenSecretKey)
+	if ts != tokenSecret {
+		return nil, false, nil
+	}
+
+	id := getSecretString(secret, bootstrapapi.BootstrapTokenIDKey)
+	if id != tokenID {
+		return nil, false, nil
+	}
+
+	if isSecretExpired(secret) {
+		return nil, false, nil
+	}
+
+	if getSecretString(secret, bootstrapapi.BootstrapTokenUsageAuthentication) != "true" {
+		glog.V(3).Infof("Bearer token matching bootstrap Secret %s/%s not marked %s=true.",
+			secret.Namespace, secret.Name, bootstrapapi.BootstrapTokenUsageAuthentication)
+		return nil, false, nil
+	}
+
+	return &user.DefaultInfo{
+		Name:   bootstrapapi.BootstrapUserPrefix + string(id),
+		Groups: []string{bootstrapapi.BootstrapGroup},
+	}, true, nil
+}
+
+// Copied from k8s.io/kubernetes/pkg/bootstrap/api
+func getSecretString(secret *api.Secret, key string) string {
+	if secret.Data == nil {
+		return ""
+	}
+	if val, ok := secret.Data[key]; ok {
+		return string(val)
+	}
+	return ""
+}
+
+// Copied from k8s.io/kubernetes/pkg/bootstrap/api
+func isSecretExpired(secret *api.Secret) bool {
+	expiration := getSecretString(secret, bootstrapapi.BootstrapTokenExpirationKey)
+	if len(expiration) > 0 {
+		expTime, err2 := time.Parse(time.RFC3339, expiration)
+		if err2 != nil {
+			glog.V(3).Infof("Unparseable expiration time (%s) in %s/%s Secret: %v. Treating as expired.",
+				expiration, secret.Namespace, secret.Name, err2)
+			return true
+		}
+		if time.Now().After(expTime) {
+			glog.V(3).Infof("Expired bootstrap token in %s/%s Secret: %v",
+				secret.Namespace, secret.Name, expiration)
+			return true
+		}
+	}
+	return false
+}
+
+// Copied from kubernetes/cmd/kubeadm/app/util/token
+
+var (
+	tokenRegexpString = "^([a-z0-9]{6})\\.([a-z0-9]{16})$"
+	tokenRegexp       = regexp.MustCompile(tokenRegexpString)
+)
+
+// parseToken tries and parse a valid token from a string.
+// A token ID and token secret are returned in case of success, an error otherwise.
+func parseToken(s string) (string, string, error) {
+	split := tokenRegexp.FindStringSubmatch(s)
+	if len(split) != 3 {
+		return "", "", fmt.Errorf("token [%q] was not of form [%q]", s, tokenRegexpString)
+	}
+	return split[1], split[2], nil
+}
--- a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go
@@ -0,0 +1,228 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package bootstrap
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/kubernetes/pkg/api"
+	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
+)
+
+type lister struct {
+	secrets []*api.Secret
+}
+
+func (l *lister) List(selector labels.Selector) (ret []*api.Secret, err error) {
+	return l.secrets, nil
+}
+
+func (l *lister) Get(name string) (*api.Secret, error) {
+	for _, s := range l.secrets {
+		if s.Name == name {
+			return s, nil
+		}
+	}
+	return nil, errors.NewNotFound(schema.GroupResource{}, name)
+}
+
+const (
+	tokenID     = "foobar"           // 6 letters
+	tokenSecret = "circumnavigation" // 16 letters
+)
+
+func TestTokenAuthenticator(t *testing.T) {
+	tests := []struct {
+		name string
+
+		secrets []*api.Secret
+		token   string
+
+		wantNotFound bool
+		wantUser     *user.DefaultInfo
+	}{
+		{
+			name: "valid token",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
+						bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
+						bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			token: tokenID + "." + tokenSecret,
+			wantUser: &user.DefaultInfo{
+				Name:   "system:bootstrap:" + tokenID,
+				Groups: []string{"system:bootstrappers"},
+			},
+		},
+		{
+			name: "invalid secret name",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "bad-name",
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
+						bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
+						bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			token:        tokenID + "." + tokenSecret,
+			wantNotFound: true,
+		},
+		{
+			name: "no usage",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:     []byte(tokenID),
+						bootstrapapi.BootstrapTokenSecretKey: []byte(tokenSecret),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			token:        tokenID + "." + tokenSecret,
+			wantNotFound: true,
+		},
+		{
+			name: "wrong token",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
+						bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
+						bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			token:        "barfoo" + "." + tokenSecret,
+			wantNotFound: true,
+		},
+		{
+			name: "expired token",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
+						bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
+						bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
+						bootstrapapi.BootstrapTokenExpirationKey:       []byte("2009-11-10T23:00:00Z"),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			token:        tokenID + "." + tokenSecret,
+			wantNotFound: true,
+		},
+		{
+			name: "not expired token",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
+						bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
+						bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
+						bootstrapapi.BootstrapTokenExpirationKey:       []byte("2109-11-10T23:00:00Z"),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			token: tokenID + "." + tokenSecret,
+			wantUser: &user.DefaultInfo{
+				Name:   "system:bootstrap:" + tokenID,
+				Groups: []string{"system:bootstrappers"},
+			},
+		},
+		{
+			name: "token id wrong length",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: bootstrapapi.BootstrapTokenSecretPrefix + "foo",
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:               []byte("foo"),
+						bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
+						bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			// Token ID must be 6 characters.
+			token:        "foo" + "." + tokenSecret,
+			wantNotFound: true,
+		},
+	}
+
+	for _, test := range tests {
+		func() {
+			a := NewTokenAuthenticator(&lister{test.secrets})
+			u, found, err := a.AuthenticateToken(test.token)
+			if err != nil {
+				t.Errorf("test %q returned an error: %v", test.name, err)
+				return
+			}
+
+			if !found {
+				if !test.wantNotFound {
+					t.Errorf("test %q expected to get user", test.name)
+				}
+				return
+			}
+
+			if test.wantNotFound {
+				t.Errorf("test %q expected to not get a user", test.name)
+				return
+			}
+
+			gotUser := u.(*user.DefaultInfo)
+
+			if !reflect.DeepEqual(gotUser, test.wantUser) {
+				t.Errorf("test %q want user=%#v, got=%#v", test.name, test.wantUser, gotUser)
+			}
+		}()
+	}
+}