softplayer-backend/internal/controllers/accounts.go

package controllers
import (
	"context"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"

	"git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/email"
	"git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
	"git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/kube"
	"github.com/google/uuid"
	corev1 "k8s.io/api/core/v1"
	rbacv1 "k8s.io/api/rbac/v1"
	k8serrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/types"
	"k8s.io/client-go/kubernetes"
	ctrl "sigs.k8s.io/controller-runtime"
)
// Account bundles what the controllers need to manage one Softplayer
// account: the controller-runtime manager used to reach the cluster, the
// hashing parameters, the account fields supplied by the caller, and the
// service-account token that Create and Login fill in.
type Account struct {
	// Controller supplies the Kubernetes client (GetClient) and rest config
	// (GetConfig) used by every method.
	Controller ctrl.Manager
	// Params holds tunables such as the bcrypt-style hash cost.
	Params AccountParams
	// Data is the account record; Create, Login, ResetPassword and
	// NewPassword write UUID into it.
	Data *AccountData
	// Token is the service-account token read by Create and Login.
	Token string
	// DevMode, when true, makes ResetPassword skip sending the e-mail.
	DevMode bool
}
// AccountParams carries per-deployment tunables for account handling.
type AccountParams struct {
	// HashCost is passed to hash.HashPassword when a password is stored.
	HashCost int16
}
// AccountData is the account record as seen by the controllers.
type AccountData struct {
	// Username names the account Secret in "softplayer-accounts" and is
	// stored as a label on the account namespace.
	Username string
	// Password is the plaintext supplied by the caller; only its hash is
	// ever persisted.
	Password string
	// Email is stored in the account Secret and checked by ResetPassword.
	Email string
	// UUID is the name of the per-account namespace; generated by Create
	// and read back from the account Secret by the other methods.
	UUID string
}
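// Create provisions a new account: it hashes the password, creates a
// per-account namespace named after a fresh UUID, stores the account record
// as a Secret in the "softplayer-accounts" namespace, sets up a
// Role/ServiceAccount/RoleBinding inside the account namespace, and finally
// reads the service-account token into acc.Token.
//
// Every failure after the namespace exists deletes that namespace again so
// a half-provisioned account is not left behind. Errors from hashing, the
// API calls, the token wait and the token lookup are all returned; a nil
// return means the account is fully provisioned.
func (acc *Account) Create(ctx context.Context) error {
	client := acc.Controller.GetClient()
	acc.Data.UUID = uuid.New().String()

	passwordHash, err := hash.HashPassword(acc.Data.Password, int(acc.Params.HashCost))
	if err != nil {
		// Nothing has been provisioned yet, so no rollback is needed. This
		// used to return nil, which reported success for an account that
		// was never created.
		return fmt.Errorf("hashing password: %w", err)
	}

	namespace := &corev1.Namespace{
		ObjectMeta: metav1.ObjectMeta{
			Name: acc.Data.UUID,
			Labels: map[string]string{
				"username":       acc.Data.Username,
				"email-verified": "false",
				"managed-by":     "softplayer",
			},
		},
	}
	if err := kube.Create(ctx, client, namespace, true); err != nil {
		return err
	}

	// rollback deletes the account namespace after a later step failed and
	// hands back the original cause. The RBAC objects and the token secret
	// live in that namespace; the account secret is given the namespace as
	// owner via kube.SetOwnerRef (presumably so it is garbage-collected with
	// it — confirm in the helper).
	rollback := func(cause error) error {
		if derr := client.Delete(ctx, namespace); derr != nil {
			return fmt.Errorf("deleting namespace %q after %v: %w", namespace.Name, cause, derr)
		}
		return cause
	}

	// Re-read the namespace as stored by the API server, presumably so the
	// owner reference set below carries the server-side fields.
	if err := client.Get(ctx, types.NamespacedName{Name: acc.Data.UUID}, namespace); err != nil {
		return rollback(err)
	}

	// The account record: keyed by username in the shared accounts
	// namespace, holding the account namespace (uuid), e-mail and password
	// hash. Login reads these keys back from Data.
	secret := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      acc.Data.Username,
			Namespace: "softplayer-accounts",
		},
		StringData: map[string]string{
			"uuid":     acc.Data.UUID,
			"email":    acc.Data.Email,
			"password": passwordHash,
		},
	}
	if err := client.Create(ctx, kube.SetOwnerRef(ctx, client, secret, namespace)); err != nil {
		return rollback(err)
	}

	// RBAC inside the account namespace: a Role over configmaps/secrets, a
	// ServiceAccount named after the UUID, and a binding between them.
	role := &rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: acc.Data.Username, Namespace: acc.Data.UUID},
		Rules: []rbacv1.PolicyRule{{
			Verbs:     []string{"get", "watch", "list", "create", "patch", "delete", "update"},
			APIGroups: []string{""},
			Resources: []string{"configmaps", "secrets"},
		}},
	}
	if err := client.Create(ctx, role); err != nil {
		return rollback(err)
	}

	sa := &corev1.ServiceAccount{
		ObjectMeta: metav1.ObjectMeta{Name: acc.Data.UUID, Namespace: acc.Data.UUID},
	}
	if err := client.Create(ctx, sa); err != nil {
		return rollback(err)
	}

	rb := &rbacv1.RoleBinding{
		ObjectMeta: metav1.ObjectMeta{Name: acc.Data.UUID, Namespace: acc.Data.UUID},
		Subjects: []rbacv1.Subject{{
			Kind:      "ServiceAccount",
			Name:      acc.Data.UUID,
			Namespace: acc.Data.UUID,
		}},
		RoleRef: rbacv1.RoleRef{
			APIGroup: "rbac.authorization.k8s.io",
			Kind:     "Role",
			Name:     acc.Data.Username,
		},
	}
	if err := client.Create(ctx, rb); err != nil {
		return rollback(err)
	}

	// A service-account-token Secret; its "token" key is filled in by the
	// cluster asynchronously, hence the wait before reading it.
	saSec := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      fmt.Sprintf("sa-%s", acc.Data.UUID),
			Namespace: acc.Data.UUID,
			Annotations: map[string]string{
				"kubernetes.io/service-account.name": acc.Data.UUID,
			},
		},
		Type: "kubernetes.io/service-account-token",
	}
	if err := client.Create(ctx, saSec); err != nil {
		return rollback(err)
	}
	// A failed wait used to leave the namespace behind; roll back here like
	// every other step after namespace creation.
	if err := kube.WaitUntilCreated(ctx, client, saSec, 10, time.Millisecond*50); err != nil {
		return rollback(err)
	}

	acc.Token, err = acc.getToken(ctx, saSec)
	if err != nil {
		return rollback(err)
	}
	return nil
}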
// Login verifies acc.Data.Password against the stored hash for
// acc.Data.Username and, on success, fills acc.Data.UUID and acc.Token from
// the account's service-account token Secret.
//
// The account record is the Secret named after the username in the
// "softplayer-accounts" namespace; its "password" key holds the hash and its
// "uuid" key the account namespace. Errors from the lookup, the hash check
// and the token fetch are returned unchanged.
//
// NOTE(review): an unknown username and a wrong password surface as
// different errors here; a caller that passes them through verbatim reveals
// which usernames exist.
func (acc *Account) Login(ctx context.Context) error {
	cl := acc.Controller.GetClient()

	record := &corev1.Secret{}
	recordKey := types.NamespacedName{
		Namespace: "softplayer-accounts",
		Name:      acc.Data.Username,
	}
	if err := cl.Get(ctx, recordKey, record); err != nil {
		return err
	}

	storedHash := string(record.Data["password"])
	if err := hash.CheckPasswordHash(acc.Data.Password, storedHash); err != nil {
		return err
	}
	acc.Data.UUID = string(record.Data["uuid"])

	// Only name, namespace and annotation are needed to locate the token
	// Secret; getToken overwrites the object with what the cluster holds.
	tokenSecret := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      fmt.Sprintf("sa-%s", acc.Data.UUID),
			Namespace: acc.Data.UUID,
			Annotations: map[string]string{
				"kubernetes.io/service-account.name": acc.Data.UUID,
			},
		},
		Type: "kubernetes.io/service-account-token",
	}

	var err error
	acc.Token, err = acc.getToken(ctx, tokenSecret)
	return err
}
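// ResetPassword starts a password reset for acc.Data.Username. It checks
// that acc.Data.Email matches the e-mail stored in the account record,
// generates a 6-digit code, stores it in the "password-reset-code" Secret
// of the account namespace and e-mails it to the stored address unless
// acc.DevMode is set. The code is returned so callers can use it directly.
//
// A code is issued at most once per minute per account; an earlier repeat
// returns an error. An unknown username and a mismatched e-mail both return
// the same "user or email not found" error so the response does not reveal
// which usernames exist.
func (acc *Account) ResetPassword(ctx context.Context, emailConfig email.EmailConf) (string, error) {
	clientset, err := kubernetes.NewForConfig(acc.Controller.GetConfig())
	if err != nil {
		return "", err
	}

	accounts := clientset.CoreV1().Secrets("softplayer-accounts")
	userdata, err := accounts.Get(ctx, acc.Data.Username, metav1.GetOptions{})
	if err != nil {
		if k8serrors.IsNotFound(err) {
			return "", errors.New("user or email not found")
		}
		return "", err
	}
	if string(userdata.Data["email"]) != acc.Data.Email {
		return "", errors.New("user or email not found")
	}
	acc.Data.UUID = string(userdata.Data["uuid"])

	const secretName = "password-reset-code"
	number := encodeToString(6)
	secret := corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{Name: secretName},
		StringData: map[string]string{"code": number},
	}
	codes := clientset.CoreV1().Secrets(acc.Data.UUID)

	_, err = codes.Create(ctx, &secret, metav1.CreateOptions{})
	switch {
	case err == nil:
		// Fresh code stored. The old condition treated a successful Create
		// as an error and returned ("", nil), so no e-mail was ever sent on
		// the first request.
	case k8serrors.IsAlreadyExists(err):
		// A code was issued before. The object returned by a failed Create
		// is empty, so read the existing Secret to learn when it was made.
		existing, gerr := codes.Get(ctx, secretName, metav1.GetOptions{})
		if gerr != nil {
			return "", gerr
		}
		if existing.CreationTimestamp.Time.Add(time.Minute).After(time.Now()) {
			return "", errors.New("you can send an email once per minute, please wait")
		}
		// Replace instead of Update so CreationTimestamp reflects when the
		// current code was issued; Update keeps the original timestamp and
		// would disable the once-per-minute check after the first minute.
		if derr := codes.Delete(ctx, secretName, metav1.DeleteOptions{}); derr != nil && !k8serrors.IsNotFound(derr) {
			return "", derr
		}
		if _, cerr := codes.Create(ctx, &secret, metav1.CreateOptions{}); cerr != nil {
			return "", cerr
		}
	default:
		return "", err
	}

	if !acc.DevMode {
		emailContent := "Subject: Softplayer verification code\r\n" + "\r\n" + fmt.Sprintf("Your verification code is %s", number)
		// Named "to" rather than "email" to avoid shadowing the email package.
		to := string(userdata.Data["email"])
		if err := emailConfig.SendEmail(to, emailContent); err != nil {
			return "", err
		}
	}
	return number, nil
}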
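// NewPassword completes a password reset: it looks up the account record
// for acc.Data.Username, compares code with the one ResetPassword stored in
// the account namespace and, on a match, replaces the stored hash with a
// hash of acc.Data.Password. The reset code is removed once used so it
// cannot be replayed.
//
// Returns an error for an unknown account, a missing or mismatching code, a
// hashing failure, or a failed update.
func (acc *Account) NewPassword(ctx context.Context, code string) error {
	clientset, err := kubernetes.NewForConfig(acc.Controller.GetConfig())
	if err != nil {
		return err
	}

	accounts := clientset.CoreV1().Secrets("softplayer-accounts")
	userdata, err := accounts.Get(ctx, acc.Data.Username, metav1.GetOptions{})
	if err != nil {
		return err
	}
	acc.Data.UUID = string(userdata.Data["uuid"])

	const secretName = "password-reset-code"
	codes := clientset.CoreV1().Secrets(acc.Data.UUID)
	sec, err := codes.Get(ctx, secretName, metav1.GetOptions{})
	if err != nil {
		return err
	}
	realCode, ok := sec.Data["code"]
	if !ok {
		return errors.New("secret not found")
	}
	// Constant-time comparison so response timing does not depend on how
	// many leading characters of the guess were right.
	if subtle.ConstantTimeCompare(realCode, []byte(code)) != 1 {
		return errors.New("wrong code")
	}
	// NOTE(review): the stored code has no expiry and attempts are not
	// counted here; the once-per-minute issue rate in ResetPassword is the
	// only bound on a 6-digit code.

	passwordHash, err := hash.HashPassword(acc.Data.Password, int(acc.Params.HashCost))
	if err != nil {
		// This used to return nil, reporting success without changing the
		// password.
		return fmt.Errorf("hashing password: %w", err)
	}
	if userdata.Data == nil {
		userdata.Data = map[string][]byte{}
	}
	userdata.Data["password"] = []byte(passwordHash)
	if _, err := accounts.Update(ctx, userdata, metav1.UpdateOptions{}); err != nil {
		return err
	}

	// Invalidate the code now that it has been used. The password is
	// already changed at this point, so say so in the error instead of
	// hiding the failure.
	if err := codes.Delete(ctx, secretName, metav1.DeleteOptions{}); err != nil && !k8serrors.IsNotFound(err) {
		return fmt.Errorf("password updated but removing reset code: %w", err)
	}
	return nil
}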
// getToken fetches the Secret named by saSec from the account namespace
// (acc.Data.UUID) into saSec and returns the value of its "token" key. The
// returned string is empty when the key is absent; a failed Get is returned
// as the error.
func (acc *Account) getToken(ctx context.Context, saSec *corev1.Secret) (string, error) {
	key := types.NamespacedName{
		Namespace: acc.Data.UUID,
		Name:      saSec.Name,
	}
	if err := acc.Controller.GetClient().Get(ctx, key, saSec); err != nil {
		return "", err
	}
	token := saSec.Data["token"]
	return string(token), nil
}