2024-03-19 15:49:29 +00:00
|
|
|
package controllers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
2024-03-19 16:20:32 +00:00
|
|
|
"time"
|
2024-03-19 15:49:29 +00:00
|
|
|
|
2024-03-21 17:39:32 +00:00
|
|
|
"git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
|
2024-03-21 20:10:56 +00:00
|
|
|
"git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/kube"
|
2024-03-19 15:49:29 +00:00
|
|
|
"github.com/google/uuid"
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
|
|
rbacv1 "k8s.io/api/rbac/v1"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2024-03-19 16:20:32 +00:00
|
|
|
|
2024-03-19 15:49:29 +00:00
|
|
|
"k8s.io/apimachinery/pkg/types"
|
|
|
|
ctrl "sigs.k8s.io/controller-runtime"
|
|
|
|
)
|
|
|
|
|
|
|
|
type Account struct {
|
|
|
|
Controller ctrl.Manager
|
2024-03-21 17:39:32 +00:00
|
|
|
Params AccountParams
|
2024-03-19 15:49:29 +00:00
|
|
|
Data *AccountData
|
2024-03-21 17:39:32 +00:00
|
|
|
Token string
|
2024-03-19 15:49:29 +00:00
|
|
|
}
|
|
|
|
|
2024-03-19 16:20:32 +00:00
|
|
|
type AccountParams struct {
|
|
|
|
HashCost int16
|
|
|
|
}
|
2024-03-21 17:39:32 +00:00
|
|
|
|
2024-03-19 15:49:29 +00:00
|
|
|
type AccountData struct {
|
|
|
|
Username string
|
|
|
|
Password string
|
|
|
|
Email string
|
|
|
|
UUID string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (acc *Account) Create(ctx context.Context) error {
|
|
|
|
client := acc.Controller.GetClient()
|
|
|
|
acc.Data.UUID = uuid.New().String()
|
2024-03-21 20:10:56 +00:00
|
|
|
|
2024-03-21 17:39:32 +00:00
|
|
|
passwordHash, err := hash.HashPassword(acc.Data.Password, int(acc.Params.HashCost))
|
2024-03-19 15:49:29 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil
|
|
|
|
}
|
2024-03-21 17:39:32 +00:00
|
|
|
|
2024-03-21 20:10:56 +00:00
|
|
|
namespace := &corev1.Namespace{
|
2024-03-19 15:49:29 +00:00
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: acc.Data.UUID,
|
2024-03-21 20:10:56 +00:00
|
|
|
Labels: map[string]string{
|
2024-04-03 18:05:23 +00:00
|
|
|
"username": acc.Data.Username,
|
2024-03-21 20:10:56 +00:00
|
|
|
"email-verified": "false",
|
2024-04-15 13:45:05 +00:00
|
|
|
"managed-by": "softplayer",
|
2024-03-21 20:10:56 +00:00
|
|
|
},
|
2024-03-19 15:49:29 +00:00
|
|
|
},
|
|
|
|
}
|
2024-04-03 18:05:23 +00:00
|
|
|
|
|
|
|
if err := kube.Create(ctx, client, namespace, true); err != nil {
|
2024-03-19 16:20:32 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2024-03-19 15:49:29 +00:00
|
|
|
if err := client.Get(ctx, types.NamespacedName{
|
2024-03-21 17:39:32 +00:00
|
|
|
Name: acc.Data.UUID,
|
2024-03-21 20:10:56 +00:00
|
|
|
}, namespace); err != nil {
|
|
|
|
if err := client.Delete(ctx, namespace); err != nil {
|
2024-03-19 15:49:29 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
2024-03-21 20:10:56 +00:00
|
|
|
|
2024-03-19 15:49:29 +00:00
|
|
|
// Create a secret with the account data
|
2024-03-21 20:10:56 +00:00
|
|
|
secret := &corev1.Secret{
|
2024-03-19 15:49:29 +00:00
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2024-03-21 17:39:32 +00:00
|
|
|
Name: acc.Data.Username,
|
2024-03-19 15:49:29 +00:00
|
|
|
Namespace: "softplayer-accounts",
|
2024-04-30 15:39:11 +00:00
|
|
|
Labels: map[string]string{
|
|
|
|
"softplayer.net/email": acc.Data.Email,
|
|
|
|
"softplayer.net/uuid": acc.Data.UUID,
|
|
|
|
},
|
2024-03-19 15:49:29 +00:00
|
|
|
},
|
|
|
|
StringData: map[string]string{
|
|
|
|
"password": passwordHash,
|
|
|
|
},
|
|
|
|
}
|
2024-03-21 20:10:56 +00:00
|
|
|
|
|
|
|
if err := client.Create(ctx, kube.SetOwnerRef(ctx, client, secret, namespace)); err != nil {
|
|
|
|
if err := client.Delete(ctx, namespace); err != nil {
|
2024-03-19 15:49:29 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
2024-04-03 18:05:23 +00:00
|
|
|
|
2024-03-21 20:10:56 +00:00
|
|
|
// Prepare RBAC resources for the account
|
2024-03-19 15:49:29 +00:00
|
|
|
role := &rbacv1.Role{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{Name: acc.Data.Username, Namespace: acc.Data.UUID},
|
|
|
|
Rules: []rbacv1.PolicyRule{{Verbs: []string{"get", "watch", "list", "create", "patch", "delete"}, APIGroups: []string{""}, Resources: []string{"configmaps", "secrets"}}},
|
|
|
|
}
|
2024-03-21 20:10:56 +00:00
|
|
|
|
2024-03-19 15:49:29 +00:00
|
|
|
if err := client.Create(ctx, role); err != nil {
|
2024-03-21 20:10:56 +00:00
|
|
|
if err := client.Delete(ctx, namespace); err != nil {
|
2024-03-19 15:49:29 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
sa := &corev1.ServiceAccount{
|
2024-03-21 17:39:32 +00:00
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: acc.Data.UUID,
|
2024-03-19 15:49:29 +00:00
|
|
|
Namespace: acc.Data.UUID,
|
|
|
|
},
|
|
|
|
}
|
2024-04-03 18:05:23 +00:00
|
|
|
|
2024-03-21 20:10:56 +00:00
|
|
|
if err := client.Create(ctx, sa); err != nil {
|
|
|
|
if err := client.Delete(ctx, namespace); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2024-03-19 15:49:29 +00:00
|
|
|
rb := &rbacv1.RoleBinding{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2024-03-21 17:39:32 +00:00
|
|
|
Name: acc.Data.UUID,
|
|
|
|
Namespace: acc.Data.UUID,
|
2024-03-19 15:49:29 +00:00
|
|
|
},
|
2024-03-21 17:39:32 +00:00
|
|
|
Subjects: []rbacv1.Subject{
|
2024-03-19 15:49:29 +00:00
|
|
|
rbacv1.Subject{
|
|
|
|
Kind: "ServiceAccount",
|
|
|
|
Name: acc.Data.UUID,
|
|
|
|
Namespace: acc.Data.UUID,
|
|
|
|
},
|
|
|
|
},
|
2024-03-21 17:39:32 +00:00
|
|
|
RoleRef: rbacv1.RoleRef{
|
2024-03-19 15:49:29 +00:00
|
|
|
APIGroup: "rbac.authorization.k8s.io",
|
|
|
|
Kind: "Role",
|
|
|
|
Name: acc.Data.Username,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := client.Create(ctx, rb); err != nil {
|
2024-03-21 20:10:56 +00:00
|
|
|
if err := client.Delete(ctx, namespace); err != nil {
|
2024-03-19 15:49:29 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID)
|
|
|
|
saSec := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2024-03-21 17:39:32 +00:00
|
|
|
Name: tokenName,
|
2024-03-19 15:49:29 +00:00
|
|
|
Namespace: acc.Data.UUID,
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"kubernetes.io/service-account.name": acc.Data.UUID,
|
|
|
|
},
|
|
|
|
},
|
2024-03-21 17:39:32 +00:00
|
|
|
Type: "kubernetes.io/service-account-token",
|
2024-03-19 15:49:29 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err := client.Create(ctx, saSec); err != nil {
|
2024-03-21 20:10:56 +00:00
|
|
|
if err := client.Delete(ctx, namespace); err != nil {
|
2024-03-19 15:49:29 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
2024-03-21 20:10:56 +00:00
|
|
|
if err := kube.WaitUntilCreated(ctx, client, saSec, 10, time.Millisecond*50); err != nil {
|
2024-03-19 16:20:32 +00:00
|
|
|
return err
|
|
|
|
}
|
2024-03-19 15:49:29 +00:00
|
|
|
|
2024-03-19 16:20:32 +00:00
|
|
|
acc.Token, err = acc.getToken(ctx, saSec)
|
2024-03-19 15:49:29 +00:00
|
|
|
if err != nil {
|
2024-03-21 20:10:56 +00:00
|
|
|
if err := client.Delete(ctx, namespace); err != nil {
|
2024-03-19 15:49:29 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-03-21 17:39:32 +00:00
|
|
|
func (acc *Account) Login(ctx context.Context) error {
|
2024-03-19 15:49:29 +00:00
|
|
|
client := acc.Controller.GetClient()
|
|
|
|
sec := &corev1.Secret{}
|
2024-03-21 20:10:56 +00:00
|
|
|
|
2024-03-19 15:49:29 +00:00
|
|
|
if err := client.Get(ctx, types.NamespacedName{
|
|
|
|
Namespace: "softplayer-accounts",
|
|
|
|
Name: acc.Data.Username,
|
|
|
|
}, sec); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2024-03-21 20:10:56 +00:00
|
|
|
|
|
|
|
if err := hash.CheckPasswordHash(acc.Data.Password, string(sec.Data["password"])); err != nil {
|
2024-03-19 15:49:29 +00:00
|
|
|
return err
|
|
|
|
}
|
2024-03-21 20:10:56 +00:00
|
|
|
|
2024-04-30 15:39:11 +00:00
|
|
|
acc.Data.UUID = string(sec.ObjectMeta.Labels["uuid"])
|
2024-03-19 15:49:29 +00:00
|
|
|
tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID)
|
|
|
|
saSec := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2024-03-21 17:39:32 +00:00
|
|
|
Name: tokenName,
|
2024-03-19 15:49:29 +00:00
|
|
|
Namespace: acc.Data.UUID,
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"kubernetes.io/service-account.name": acc.Data.UUID,
|
|
|
|
},
|
|
|
|
},
|
2024-03-21 17:39:32 +00:00
|
|
|
Type: "kubernetes.io/service-account-token",
|
2024-03-19 15:49:29 +00:00
|
|
|
}
|
|
|
|
var err error
|
2024-03-19 16:20:32 +00:00
|
|
|
acc.Token, err = acc.getToken(ctx, saSec)
|
2024-03-21 17:39:32 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
2024-03-19 15:49:29 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-03-21 17:39:32 +00:00
|
|
|
func (acc *Account) getToken(ctx context.Context, saSec *corev1.Secret) (string, error) {
|
2024-03-19 15:49:29 +00:00
|
|
|
client := acc.Controller.GetClient()
|
|
|
|
if err := client.Get(ctx, types.NamespacedName{
|
|
|
|
Namespace: acc.Data.UUID,
|
2024-03-21 17:39:32 +00:00
|
|
|
Name: saSec.ObjectMeta.Name,
|
2024-03-19 15:49:29 +00:00
|
|
|
}, saSec); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return string(saSec.Data["token"]), nil
|
|
|
|
}
|