Fall back to basic/bearer auth when node identity auth is rejected

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
k3s-io · Jul 3, 2023 · a5ebdbf · a5ebdbf
1 parent c7dec8e
commit a5ebdbf
Showing 1 changed file with 22 additions and 2 deletions.
diff --git a/pkg/clientaccess/token.go b/pkg/clientaccess/token.go
@@ -367,7 +367,7 @@ func getCACerts(u url.URL) ([]byte, error) {
 	return cacerts, nil
 }
 
-// get makes a request to a url using a provided client, username, and password,
+// get makes a request to a url using a provided client and credentials,
 // returning the response body.
 func get(u string, client *http.Client, username, password, token string) ([]byte, error) {
 	req, err := http.NewRequest(http.MethodGet, u, nil)
@@ -387,14 +387,34 @@ func get(u string, client *http.Client, username, password, token string) ([]byt
 	}
 	defer resp.Body.Close()
 
+	// If we got a 401 Unauthorized response when using client certs, try again without client cert auth.
+	// This allows us to fall back from node identity to token when the node resource is deleted.
+	if resp.StatusCode == 401 {
+		logrus.Infof("Got 401 Unauthorized response")
+		if transport, ok := client.Transport.(*http.Transport); ok {
+			logrus.Infof("Got client.Transport.TLSClientConfig=%#v", transport.TLSClientConfig)
+			if transport.TLSClientConfig != nil && len(transport.TLSClientConfig.Certificates) != 0 {
+				logrus.Infof("Retrying request without client certificate")
+				transport.TLSClientConfig.Certificates = []tls.Certificate{}
+				resp, err = client.Do(req)
+				if err != nil {
+					return nil, err
+				}
+				defer resp.Body.Close()
+			}
+		} else {
+			logrus.Warnf("Unable to convert client.Transport to *http.Transport")
+		}
+	}
+
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
 		return nil, fmt.Errorf("%s: %s", u, resp.Status)
 	}
 
 	return io.ReadAll(resp.Body)
 }
 
-// put makes a request to a url using a provided client, username, and password
+// put makes a request to a url using a provided client and credentials,
 // only an error is returned
 func put(u string, body []byte, client *http.Client, username, password, token string) error {
 	req, err := http.NewRequest(http.MethodPut, u, bytes.NewBuffer(body))