diff --git a/tools/bootstrap/token/api/OWNERS b/tools/bootstrap/token/OWNERS similarity index 100% rename from tools/bootstrap/token/api/OWNERS rename to tools/bootstrap/token/OWNERS diff --git a/tools/bootstrap/token/api/doc.go b/tools/bootstrap/token/api/doc.go index b9910c35aa..249e0a059a 100644 --- a/tools/bootstrap/token/api/doc.go +++ b/tools/bootstrap/token/api/doc.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Package api (pkg/bootstrap/token/api) contains constants and types needed for +// Package api (k8s.io/client-go/tools/bootstrap/token/api) contains constants and types needed for // bootstrap tokens as maintained by the BootstrapSigner and TokenCleaner -// controllers (in pkg/controller/bootstrap) +// controllers (in k8s.io/kubernetes/pkg/controller/bootstrap) package api // import "k8s.io/client-go/tools/bootstrap/token/api" diff --git a/tools/bootstrap/token/api/types.go b/tools/bootstrap/token/api/types.go index c30814c0e2..3bea78b176 100644 --- a/tools/bootstrap/token/api/types.go +++ b/tools/bootstrap/token/api/types.go @@ -86,14 +86,26 @@ const ( // authenticate as. The full username given is "system:bootstrap:". BootstrapUserPrefix = "system:bootstrap:" - // BootstrapGroupPattern is the valid regex pattern that all groups - // assigned to a bootstrap token by BootstrapTokenExtraGroupsKey must match. - // See also ValidateBootstrapGroupName(). - BootstrapGroupPattern = "system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]" - // BootstrapDefaultGroup is the default group for bootstrapping bearer // tokens (in addition to any groups from BootstrapTokenExtraGroupsKey). BootstrapDefaultGroup = "system:bootstrappers" + + // BootstrapGroupPattern is the valid regex pattern that all groups + // assigned to a bootstrap token by BootstrapTokenExtraGroupsKey must match. + // See also util.ValidateBootstrapGroupName() + BootstrapGroupPattern = `\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z` + + // BootstrapTokenPattern defines the {id}.{secret} regular expression pattern + BootstrapTokenPattern = `\A([a-z0-9]{6})\.([a-z0-9]{16})\z` + + // BootstrapTokenIDPattern defines token's id regular expression pattern + BootstrapTokenIDPattern = `\A([a-z0-9]{6})\z` + + // BootstrapTokenIDBytes defines the number of bytes used for the Bootstrap Token's ID field + BootstrapTokenIDBytes = 6 + + // BootstrapTokenSecretBytes defines the number of bytes used the Bootstrap Token's Secret field + BootstrapTokenSecretBytes = 16 ) // KnownTokenUsages specifies the known functions a token will get. diff --git a/tools/bootstrap/token/util/helpers.go b/tools/bootstrap/token/util/helpers.go index d28fd28f2e..bb1fbeb658 100644 --- a/tools/bootstrap/token/util/helpers.go +++ b/tools/bootstrap/token/util/helpers.go @@ -17,20 +17,101 @@ limitations under the License. package util import ( + "bufio" + "crypto/rand" "fmt" - "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/client-go/tools/bootstrap/token/api" "regexp" "strings" + + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/client-go/tools/bootstrap/token/api" +) + +// validBootstrapTokenChars defines the characters a bootstrap token can consist of +const validBootstrapTokenChars = "0123456789abcdefghijklmnopqrstuvwxyz" + +var ( + // BootstrapTokenRegexp is a compiled regular expression of TokenRegexpString + BootstrapTokenRegexp = regexp.MustCompile(api.BootstrapTokenPattern) + // BootstrapTokenIDRegexp is a compiled regular expression of TokenIDRegexpString + BootstrapTokenIDRegexp = regexp.MustCompile(api.BootstrapTokenIDPattern) + // BootstrapGroupRegexp is a compiled regular expression of BootstrapGroupPattern + BootstrapGroupRegexp = regexp.MustCompile(api.BootstrapGroupPattern) ) -var bootstrapGroupRegexp = regexp.MustCompile(`\A` + api.BootstrapGroupPattern + `\z`) +// GenerateBootstrapToken generates a new, random Bootstrap Token. +func GenerateBootstrapToken() (string, error) { + tokenID, err := randBytes(api.BootstrapTokenIDBytes) + if err != nil { + return "", err + } + + tokenSecret, err := randBytes(api.BootstrapTokenSecretBytes) + if err != nil { + return "", err + } + + return TokenFromIDAndSecret(tokenID, tokenSecret), nil +} + +// randBytes returns a random string consisting of the characters in +// validBootstrapTokenChars, with the length customized by the parameter +func randBytes(length int) (string, error) { + // len("0123456789abcdefghijklmnopqrstuvwxyz") = 36 which doesn't evenly divide + // the possible values of a byte: 256 mod 36 = 4. Discard any random bytes we + // read that are >= 252 so the bytes we evenly divide the character set. + const maxByteValue = 252 + + var ( + b byte + err error + token = make([]byte, length) + ) + + reader := bufio.NewReaderSize(rand.Reader, length*2) + for i := range token { + for { + if b, err = reader.ReadByte(); err != nil { + return "", err + } + if b < maxByteValue { + break + } + } + + token[i] = validBootstrapTokenChars[int(b)%len(validBootstrapTokenChars)] + } + + return string(token), nil +} + +// TokenFromIDAndSecret returns the full token which is of the form "{id}.{secret}" +func TokenFromIDAndSecret(id, secret string) string { + return fmt.Sprintf("%s.%s", id, secret) +} + +// IsValidBootstrapToken returns whether the given string is valid as a Bootstrap Token and +// in other words satisfies the BootstrapTokenRegexp +func IsValidBootstrapToken(token string) bool { + return BootstrapTokenRegexp.MatchString(token) +} + +// IsValidBootstrapTokenID returns whether the given string is valid as a Bootstrap Token ID and +// in other words satisfies the BootstrapTokenIDRegexp +func IsValidBootstrapTokenID(tokenID string) bool { + return BootstrapTokenIDRegexp.MatchString(tokenID) +} + +// BootstrapTokenSecretName returns the expected name for the Secret storing the +// Bootstrap Token in the Kubernetes API. +func BootstrapTokenSecretName(tokenID string) string { + return fmt.Sprintf("%s%s", api.BootstrapTokenSecretPrefix, tokenID) +} // ValidateBootstrapGroupName checks if the provided group name is a valid // bootstrap group name. Returns nil if valid or a validation error if invalid. -// TODO(mattmoyer): this validation should migrate out to client-go (see https://github.com/kubernetes/client-go/issues/114) func ValidateBootstrapGroupName(name string) error { - if bootstrapGroupRegexp.Match([]byte(name)) { + if BootstrapGroupRegexp.Match([]byte(name)) { return nil } return fmt.Errorf("bootstrap group %q is invalid (must match %s)", name, api.BootstrapGroupPattern) @@ -46,7 +127,7 @@ func ValidateUsages(usages []string) error { } } if len(invalidUsages) > 0 { - return fmt.Errorf("invalide bootstrap token usage string: %s, valid usage options: %s", strings.Join(invalidUsages.List(), ","), strings.Join(api.KnownTokenUsages, ",")) + return fmt.Errorf("invalid bootstrap token usage string: %s, valid usage options: %s", strings.Join(invalidUsages.List(), ","), strings.Join(api.KnownTokenUsages, ",")) } return nil } diff --git a/tools/bootstrap/token/util/helpers_test.go b/tools/bootstrap/token/util/helpers_test.go index 915bf75402..a1fe6092ff 100644 --- a/tools/bootstrap/token/util/helpers_test.go +++ b/tools/bootstrap/token/util/helpers_test.go @@ -21,6 +21,143 @@ import ( "testing" ) +func TestGenerateBootstrapToken(t *testing.T) { + token, err := GenerateBootstrapToken() + if err != nil { + t.Fatalf("GenerateBootstrapToken returned an unexpected error: %+v", err) + } + if !IsValidBootstrapToken(token) { + t.Errorf("GenerateBootstrapToken didn't generate a valid token: %q", token) + } +} + +func TestRandBytes(t *testing.T) { + var randTest = []int{ + 0, + 1, + 2, + 3, + 100, + } + + for _, rt := range randTest { + actual, err := randBytes(rt) + if err != nil { + t.Errorf("failed randBytes: %v", err) + } + if len(actual) != rt { + t.Errorf("failed randBytes:\n\texpected: %d\n\t actual: %d\n", rt, len(actual)) + } + } +} + +func TestTokenFromIDAndSecret(t *testing.T) { + var tests = []struct { + id string + secret string + expected string + }{ + {"foo", "bar", "foo.bar"}, // should use default + {"abcdef", "abcdef0123456789", "abcdef.abcdef0123456789"}, + {"h", "b", "h.b"}, + } + for _, rt := range tests { + actual := TokenFromIDAndSecret(rt.id, rt.secret) + if actual != rt.expected { + t.Errorf( + "failed TokenFromIDAndSecret:\n\texpected: %s\n\t actual: %s", + rt.expected, + actual, + ) + } + } +} + +func TestIsValidBootstrapToken(t *testing.T) { + var tests = []struct { + token string + expected bool + }{ + {token: "", expected: false}, + {token: ".", expected: false}, + {token: "1234567890123456789012", expected: false}, // invalid parcel size + {token: "12345.1234567890123456", expected: false}, // invalid parcel size + {token: ".1234567890123456", expected: false}, // invalid parcel size + {token: "123456.", expected: false}, // invalid parcel size + {token: "123456:1234567890.123456", expected: false}, // invalid separation + {token: "abcdef:1234567890123456", expected: false}, // invalid separation + {token: "Abcdef.1234567890123456", expected: false}, // invalid token id + {token: "123456.AABBCCDDEEFFGGHH", expected: false}, // invalid token secret + {token: "123456.AABBCCD-EEFFGGHH", expected: false}, // invalid character + {token: "abc*ef.1234567890123456", expected: false}, // invalid character + {token: "abcdef.1234567890123456", expected: true}, + {token: "123456.aabbccddeeffgghh", expected: true}, + {token: "ABCDEF.abcdef0123456789", expected: false}, + {token: "abcdef.abcdef0123456789", expected: true}, + {token: "123456.1234560123456789", expected: true}, + } + for _, rt := range tests { + actual := IsValidBootstrapToken(rt.token) + if actual != rt.expected { + t.Errorf( + "failed IsValidBootstrapToken for the token %q\n\texpected: %t\n\t actual: %t", + rt.token, + rt.expected, + actual, + ) + } + } +} + +func TestIsValidBootstrapTokenID(t *testing.T) { + var tests = []struct { + tokenID string + expected bool + }{ + {tokenID: "", expected: false}, + {tokenID: "1234567890123456789012", expected: false}, + {tokenID: "12345", expected: false}, + {tokenID: "Abcdef", expected: false}, + {tokenID: "ABCDEF", expected: false}, + {tokenID: "abcdef.", expected: false}, + {tokenID: "abcdef", expected: true}, + {tokenID: "123456", expected: true}, + } + for _, rt := range tests { + actual := IsValidBootstrapTokenID(rt.tokenID) + if actual != rt.expected { + t.Errorf( + "failed IsValidBootstrapTokenID for the token %q\n\texpected: %t\n\t actual: %t", + rt.tokenID, + rt.expected, + actual, + ) + } + } +} + +func TestBootstrapTokenSecretName(t *testing.T) { + var tests = []struct { + tokenID string + expected string + }{ + {"foo", "bootstrap-token-foo"}, + {"bar", "bootstrap-token-bar"}, + {"", "bootstrap-token-"}, + {"abcdef", "bootstrap-token-abcdef"}, + } + for _, rt := range tests { + actual := BootstrapTokenSecretName(rt.tokenID) + if actual != rt.expected { + t.Errorf( + "failed BootstrapTokenSecretName:\n\texpected: %s\n\t actual: %s", + rt.expected, + actual, + ) + } + } +} + func TestValidateBootstrapGroupName(t *testing.T) { tests := []struct { name string