package controllers import ( "context" "errors" "fmt" "time" "git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/email" "git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash" "git.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/kube" "github.com/google/uuid" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" ) type Account struct { Controller ctrl.Manager Params AccountParams Data *AccountData Token string DevMode bool } type AccountParams struct { HashCost int16 } type AccountData struct { Username string Password string Email string UUID string } func (acc *Account) Create(ctx context.Context) error { client := acc.Controller.GetClient() acc.Data.UUID = uuid.New().String() passwordHash, err := hash.HashPassword(acc.Data.Password, int(acc.Params.HashCost)) if err != nil { return nil } namespace := &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ Name: acc.Data.UUID, Labels: map[string]string{ "username": acc.Data.Username, "email-verified": "false", "managed-by": "softplayer", }, }, } if err := kube.Create(ctx, client, namespace, true); err != nil { return err } if err := client.Get(ctx, types.NamespacedName{ Name: acc.Data.UUID, }, namespace); err != nil { if err := client.Delete(ctx, namespace); err != nil { return err } return err } // Create a secret with the account data secret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: acc.Data.Username, Namespace: "softplayer-accounts", }, StringData: map[string]string{ "uuid": acc.Data.UUID, "email": acc.Data.Email, "password": passwordHash, }, } if err := client.Create(ctx, kube.SetOwnerRef(ctx, client, secret, namespace)); err != nil { if err := client.Delete(ctx, namespace); err != nil { return err } return err } // Prepare RBAC resources for the account role := &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{Name: acc.Data.Username, Namespace: acc.Data.UUID}, Rules: []rbacv1.PolicyRule{{Verbs: []string{"get", "watch", "list", "create", "patch", "delete", "update"}, APIGroups: []string{""}, Resources: []string{"configmaps", "secrets"}}}, } if err := client.Create(ctx, role); err != nil { if err := client.Delete(ctx, namespace); err != nil { return err } return err } sa := &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: acc.Data.UUID, Namespace: acc.Data.UUID, }, } if err := client.Create(ctx, sa); err != nil { if err := client.Delete(ctx, namespace); err != nil { return err } return err } rb := &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: acc.Data.UUID, Namespace: acc.Data.UUID, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Name: acc.Data.UUID, Namespace: acc.Data.UUID, }, }, RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "Role", Name: acc.Data.Username, }, } if err := client.Create(ctx, rb); err != nil { if err := client.Delete(ctx, namespace); err != nil { return err } return err } tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID) saSec := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: tokenName, Namespace: acc.Data.UUID, Annotations: map[string]string{ "kubernetes.io/service-account.name": acc.Data.UUID, }, }, Type: "kubernetes.io/service-account-token", } if err := client.Create(ctx, saSec); err != nil { if err := client.Delete(ctx, namespace); err != nil { return err } return err } if err := kube.WaitUntilCreated(ctx, client, saSec, 10, time.Millisecond*50); err != nil { return err } acc.Token, err = acc.getToken(ctx, saSec) if err != nil { if err := client.Delete(ctx, namespace); err != nil { return err } return err } return nil } func (acc *Account) Login(ctx context.Context) error { client := acc.Controller.GetClient() sec := &corev1.Secret{} if err := client.Get(ctx, types.NamespacedName{ Namespace: "softplayer-accounts", Name: acc.Data.Username, }, sec); err != nil { return err } if err := hash.CheckPasswordHash(acc.Data.Password, string(sec.Data["password"])); err != nil { return err } acc.Data.UUID = string(sec.Data["uuid"]) tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID) saSec := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: tokenName, Namespace: acc.Data.UUID, Annotations: map[string]string{ "kubernetes.io/service-account.name": acc.Data.UUID, }, }, Type: "kubernetes.io/service-account-token", } var err error acc.Token, err = acc.getToken(ctx, saSec) if err != nil { return err } return nil } func (acc *Account) ResetPassword(ctx context.Context, emailConfig email.EmailConf) (string, error) { clientset, err := kubernetes.NewForConfig(acc.Controller.GetConfig()) if err != nil { return "", err } userdata, err := clientset.CoreV1().Secrets("softplayer-accounts").Get(ctx, acc.Data.Username, metav1.GetOptions{}) if err != nil { return "", err } if string(userdata.Data["email"]) != acc.Data.Email { return "", errors.New("user or email not found") } acc.Data.UUID = string(userdata.Data["uuid"]) secretName := "password-reset-code" number := encodeToString(6) secret := corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, }, StringData: map[string]string{ "code": number, }, } sec, err := clientset.CoreV1().Secrets(acc.Data.UUID).Create(ctx, &secret, metav1.CreateOptions{}) if !k8serrors.IsAlreadyExists(err) { return "", err } else if k8serrors.IsAlreadyExists(err) { timestamp := sec.CreationTimestamp.Time now := time.Now() if timestamp.Add(time.Minute).After(now) { return "", errors.New("you can send an email once per minute, please wait") } _, err := clientset.CoreV1().Secrets(acc.Data.UUID).Update(ctx, &secret, metav1.UpdateOptions{}) if err != nil { return "", err } } if !acc.DevMode { emailContent := "Subject: Softplayer verification code\r\n" + "\r\n" + fmt.Sprintf("Your verification code is %s", number) email := string(userdata.Data["email"]) if err := emailConfig.SendEmail(email, emailContent); err != nil { return "", err } } return number, nil } func (acc *Account) NewPassword(ctx context.Context, code string) error { clientset, err := kubernetes.NewForConfig(acc.Controller.GetConfig()) if err != nil { return err } userdata, err := clientset.CoreV1().Secrets("softplayer-accounts").Get(ctx, acc.Data.Username, metav1.GetOptions{}) if err != nil { return err } acc.Data.UUID = string(userdata.Data["uuid"]) secretName := "password-reset-code" sec, err := clientset.CoreV1().Secrets(acc.Data.UUID).Get(ctx, secretName, metav1.GetOptions{}) if err != nil { return err } if realCode, ok := sec.Data["code"]; ok { if string(realCode) != code { return errors.New("wrong code") } } else { return errors.New("secret not found") } passwordHash, err := hash.HashPassword(acc.Data.Password, int(acc.Params.HashCost)) if err != nil { return nil } userdata.Data["password"] = []byte(passwordHash) _, err = clientset.CoreV1().Secrets("softplayer-accounts").Update(ctx, userdata, metav1.UpdateOptions{}) if err != nil { return err } return nil } func (acc *Account) getToken(ctx context.Context, saSec *corev1.Secret) (string, error) { client := acc.Controller.GetClient() if err := client.Get(ctx, types.NamespacedName{ Namespace: acc.Data.UUID, Name: saSec.ObjectMeta.Name, }, saSec); err != nil { return "", err } return string(saSec.Data["token"]), nil }