mirror of
https://github.com/gravitational/teleport
synced 2024-10-21 01:34:01 +00:00
Hooked up static token to node registration
This commit is contained in:
parent
dab0ad347c
commit
bbace4410e
|
@ -326,32 +326,45 @@ func (s *AuthServer) RegisterUsingToken(token, hostID string, role teleport.Role
|
|||
if err := role.Check(); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
// find the token:
|
||||
tok, err := s.Provisioner.GetToken(token)
|
||||
if err != nil {
|
||||
log.Warningf("[AUTH] Node `%v` cannot join: token error. %v", hostID, err)
|
||||
return nil, trace.Wrap(err)
|
||||
// check against static tokens first:
|
||||
foundStaticToken := false
|
||||
for _, st := range s.StaticTokens {
|
||||
if st.Value == token {
|
||||
if st.Roles.Include(role) {
|
||||
foundStaticToken = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
// check token's role:
|
||||
if !tok.Roles.Include(role) {
|
||||
return nil, trace.BadParameter("token.Role: role does not match")
|
||||
}
|
||||
// check token TTL:
|
||||
if tok.TTL > 0 {
|
||||
now := s.clock.Now().UTC()
|
||||
if tok.Created.Add(tok.TTL).Before(now) {
|
||||
err = s.DeleteToken(token)
|
||||
if err != nil {
|
||||
// look for the generated token in the token storage:
|
||||
if !foundStaticToken {
|
||||
tok, err := s.Provisioner.GetToken(token)
|
||||
if err != nil {
|
||||
log.Warningf("[AUTH] Node `%v` cannot join: token error. %v", hostID, err)
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
// check token's role:
|
||||
if !tok.Roles.Include(role) {
|
||||
return nil, trace.BadParameter("token.Role: role does not match")
|
||||
}
|
||||
// check token TTL:
|
||||
if tok.TTL > 0 {
|
||||
now := s.clock.Now().UTC()
|
||||
if tok.Created.Add(tok.TTL).Before(now) {
|
||||
err = s.DeleteToken(token)
|
||||
if err != nil {
|
||||
log.Error(err)
|
||||
}
|
||||
return nil, trace.Errorf("token expired")
|
||||
}
|
||||
// TTL==0? this is a single-use token: delete it
|
||||
} else {
|
||||
if err = s.DeleteToken(token); err != nil {
|
||||
log.Error(err)
|
||||
}
|
||||
return nil, trace.Errorf("token expired")
|
||||
}
|
||||
// TTL==0? this is a single-use token: delete it
|
||||
} else {
|
||||
if err = s.DeleteToken(token); err != nil {
|
||||
log.Error(err)
|
||||
}
|
||||
}
|
||||
|
||||
keys, err := s.GenerateServerKeys(hostID, teleport.Roles{role})
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
|
|
|
@ -156,6 +156,13 @@ func (s *AuthSuite) TestTokensCRUD(c *C) {
|
|||
// expired token should be gone now
|
||||
err = s.a.DeleteToken(multiUseToken)
|
||||
c.Assert(trace.IsNotFound(err), Equals, true, Commentf("%#v", err))
|
||||
|
||||
// lets use static tokens now
|
||||
s.a.StaticTokens = append(s.a.StaticTokens, StaticToken{Value: "static-token-value", Roles: teleport.Roles{teleport.RoleProxy}})
|
||||
_, err = s.a.RegisterUsingToken("static-token-value", "static.host", teleport.RoleProxy)
|
||||
c.Assert(err, IsNil)
|
||||
_, err = s.a.RegisterUsingToken("static-token-value", "wrong.role", teleport.RoleAuth)
|
||||
c.Assert(err, NotNil)
|
||||
}
|
||||
|
||||
func (s *AuthSuite) TestBadTokens(c *C) {
|
||||
|
|
|
@ -132,7 +132,7 @@ func main() {
|
|||
nodes := app.Command("nodes", "Issue invites for other nodes to join the cluster")
|
||||
nodeAdd := nodes.Command("add", "Generates an invitation token. Use it to add a new node to the Teleport cluster")
|
||||
nodeAdd.Flag("roles", "Comma-separated list of roles for the new node to assume [node]").Default("node").StringVar(&cmdNodes.roles)
|
||||
nodeAdd.Flag("ttl", "Time to live for a generated token [15m]").Default("15m").DurationVar(&cmdNodes.ttl)
|
||||
nodeAdd.Flag("ttl", "Time to live for a generated token").DurationVar(&cmdNodes.ttl)
|
||||
nodeAdd.Flag("count", "add count tokens and output JSON with the list").Hidden().Default("1").IntVar(&cmdNodes.count)
|
||||
nodeAdd.Flag("format", "output format, 'text' or 'json'").Hidden().Default("text").StringVar(&cmdNodes.format)
|
||||
nodeAdd.Alias(AddNodeHelp)
|
||||
|
@ -334,11 +334,6 @@ func (u *NodeCommand) Invite(client *auth.TunClient) error {
|
|||
if err != nil {
|
||||
return trace.Wrap(err)
|
||||
}
|
||||
// parse --ttl flag
|
||||
if u.ttl == time.Duration(0) {
|
||||
u.ttl = defaults.MaxProvisioningTokenTTL
|
||||
}
|
||||
|
||||
var tokens []string
|
||||
for i := 0; i < u.count; i++ {
|
||||
token, err := client.GenerateToken(roles, u.ttl)
|
||||
|
|
|
@ -31,12 +31,12 @@ Examples:
|
|||
> tctl nodes add
|
||||
|
||||
Generates a token when can be used to add a regular SSH node to the cluster.
|
||||
The token will be valid for 15 minutes.
|
||||
The token genrated single-use token will be valid for 30 minutes.
|
||||
|
||||
> tctl nodes add --roles=node,proxy --ttl=1h
|
||||
|
||||
Generates a token when can be used to add an SSH node to the cluster which
|
||||
will also be a proxy node. The token can be used multiple times within an
|
||||
will also be a proxy node. This token can be used multiple times within an
|
||||
hour.
|
||||
`
|
||||
ListNodesHelp = `Notes:
|
||||
|
|
Loading…
Reference in a new issue