softplayer-backend/internal/controllers/accounts.go

package controllers

import (
	"context"
	"errors"
	"fmt"

	"github.com/google/uuid"
	"golang.org/x/crypto/bcrypt"
	corev1 "k8s.io/api/core/v1"
	rbacv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/types"
	ctrl "sigs.k8s.io/controller-runtime"
)

type Account struct {
	Controller ctrl.Manager
	Data       *AccountData
	Kubeconfig string
}

type AccountData struct {
	Username string
	Password string
	Email    string
	UUID     string
}

func HashPassword(password string) (string, error) {
	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
	return string(bytes), err
}

func CheckPasswordHash(password, hash string) bool {
    err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
    return err == nil
}

func (acc *Account) Create(ctx context.Context) error {
	client := acc.Controller.GetClient()
	acc.Data.UUID = uuid.New().String()
	passwordHash, err := HashPassword(acc.Data.Password)
	if err != nil {
		return nil
	}
	namespace := corev1.Namespace{
		ObjectMeta: metav1.ObjectMeta{
			Name: acc.Data.UUID,
		},
	}
	if err := client.Create(ctx, &namespace); err != nil {
		return err
	}
	if err := client.Get(ctx, types.NamespacedName{
		Name:      acc.Data.UUID,
	}, &namespace); err != nil {
		if err := client.Delete(ctx, &namespace); err != nil {
			return err
		}
		return err
	}
	// Create a secret with the account data
	secret := corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:                       acc.Data.Username,
			Namespace: "softplayer-accounts",
			OwnerReferences:            []metav1.OwnerReference{
				metav1.OwnerReference{
					APIVersion:         "v1",
					Kind:               "Namespace",
					Name:               acc.Data.UUID,
					UID:                namespace.UID,
				},
			},
		},
		StringData: map[string]string{
			"uuid":     acc.Data.UUID,
			"email":    acc.Data.Email,
			"password": passwordHash,
		},
	}
	if err := client.Create(ctx, &secret); err != nil {
		if err := client.Delete(ctx, &namespace); err != nil {
			return err
		}
		return err
	}
	// Create a namespace to be managed by the account
	role := &rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: acc.Data.Username, Namespace: acc.Data.UUID},
		Rules:      []rbacv1.PolicyRule{{Verbs: []string{"get", "watch", "list", "create", "patch", "delete"}, APIGroups: []string{""}, Resources: []string{"configmaps", "secrets"}}},
	}
	if err := client.Create(ctx, role); err != nil {
		if err := client.Delete(ctx, &namespace); err != nil {
			return err
		}
		return err
	}


	sa := &corev1.ServiceAccount{
		ObjectMeta:                   metav1.ObjectMeta{
			Name: acc.Data.UUID,
			Namespace: acc.Data.UUID,
		},
	}
	rb := &rbacv1.RoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name:                       acc.Data.UUID,
			Namespace:                  acc.Data.UUID,
		},
		Subjects:   []rbacv1.Subject{
			rbacv1.Subject{
				Kind:      "ServiceAccount",
				Name:      acc.Data.UUID,
				Namespace: acc.Data.UUID,
			},
		},
		RoleRef:    rbacv1.RoleRef{
			APIGroup: "rbac.authorization.k8s.io",
			Kind:     "Role",
			Name:     acc.Data.Username,
		},
	}

	if err := client.Create(ctx, rb); err != nil {
		if err := client.Delete(ctx, &namespace); err != nil {
			return err
		}
		return err
	}

	if err := client.Create(ctx, sa); err != nil {
		if err := client.Delete(ctx, &namespace); err != nil {
			return err
		}
		return err
	}

	tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID)
	saSec := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:                       tokenName,
			Namespace: acc.Data.UUID,
			Annotations: map[string]string{
				"kubernetes.io/service-account.name": acc.Data.UUID,
			},
		},
		Type:       "kubernetes.io/service-account-token",
	}

	if err := client.Create(ctx, saSec); err != nil {
		if err := client.Delete(ctx, &namespace); err != nil {
			return err
		}
		return err
	}

	acc.Kubeconfig, err = acc.getToken(ctx, saSec)
	if err != nil {
		if err := client.Delete(ctx, &namespace); err != nil {
			return err
		}
		return err
	}
	return nil
}

func (acc *Account) Login (ctx context.Context) error {
	client := acc.Controller.GetClient()
	sec := &corev1.Secret{}
	if err := client.Get(ctx, types.NamespacedName{
		Namespace: "softplayer-accounts",
		Name:      acc.Data.Username,
	}, sec); err != nil {
		return err
	}
	if !CheckPasswordHash(acc.Data.Password, string(sec.Data["password"])){
		err := errors.New("wrong password")
		return err
	}
	acc.Data.UUID = string(sec.Data["uuid"])
	tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID)
	saSec := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:                       tokenName,
			Namespace: acc.Data.UUID,
			Annotations: map[string]string{
				"kubernetes.io/service-account.name": acc.Data.UUID,
			},
		},
		Type:       "kubernetes.io/service-account-token",
	}
	var err error
	acc.Kubeconfig, err = acc.getToken(ctx, saSec)
	if err != nil{ 
	return err
	}
	return nil
}

func (acc *Account) getToken (ctx context.Context, saSec *corev1.Secret) (string, error) {
	client := acc.Controller.GetClient()
	if err := client.Get(ctx, types.NamespacedName{
		Namespace: acc.Data.UUID,
		Name:     saSec.ObjectMeta.Name,
	}, saSec); err != nil {
		return "", err
	}
	return string(saSec.Data["token"]), nil
}
Init commit 2024-03-19 15:49:29 +00:00			`package controllers`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`

			`"github.com/google/uuid"`
			`"golang.org/x/crypto/bcrypt"`
			`corev1 "k8s.io/api/core/v1"`
			`rbacv1 "k8s.io/api/rbac/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/types"`
			`ctrl "sigs.k8s.io/controller-runtime"`
			`)`

			`type Account struct {`
			`Controller ctrl.Manager`
			`Data *AccountData`
			`Kubeconfig string`
			`}`

			`type AccountData struct {`
			`Username string`
			`Password string`
			`Email string`
			`UUID string`
			`}`

			`func HashPassword(password string) (string, error) {`
			`bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)`
			`return string(bytes), err`
			`}`

			`func CheckPasswordHash(password, hash string) bool {`
			`err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))`
			`return err == nil`
			`}`

			`func (acc *Account) Create(ctx context.Context) error {`
			`client := acc.Controller.GetClient()`
			`acc.Data.UUID = uuid.New().String()`
			`passwordHash, err := HashPassword(acc.Data.Password)`
			`if err != nil {`
			`return nil`
			`}`
			`namespace := corev1.Namespace{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: acc.Data.UUID,`
			`},`
			`}`
			`if err := client.Create(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`if err := client.Get(ctx, types.NamespacedName{`
			`Name: acc.Data.UUID,`
			`}, &namespace); err != nil {`
			`if err := client.Delete(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`return err`
			`}`
			`// Create a secret with the account data`
			`secret := corev1.Secret{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: acc.Data.Username,`
			`Namespace: "softplayer-accounts",`
			`OwnerReferences: []metav1.OwnerReference{`
			`metav1.OwnerReference{`
			`APIVersion: "v1",`
			`Kind: "Namespace",`
			`Name: acc.Data.UUID,`
			`UID: namespace.UID,`
			`},`
			`},`
			`},`
			`StringData: map[string]string{`
			`"uuid": acc.Data.UUID,`
			`"email": acc.Data.Email,`
			`"password": passwordHash,`
			`},`
			`}`
			`if err := client.Create(ctx, &secret); err != nil {`
			`if err := client.Delete(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`return err`
			`}`
			`// Create a namespace to be managed by the account`
			`role := &rbacv1.Role{`
			`ObjectMeta: metav1.ObjectMeta{Name: acc.Data.Username, Namespace: acc.Data.UUID},`
			`Rules: []rbacv1.PolicyRule{{Verbs: []string{"get", "watch", "list", "create", "patch", "delete"}, APIGroups: []string{""}, Resources: []string{"configmaps", "secrets"}}},`
			`}`
			`if err := client.Create(ctx, role); err != nil {`
			`if err := client.Delete(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`return err`
			`}`


			`sa := &corev1.ServiceAccount{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: acc.Data.UUID,`
			`Namespace: acc.Data.UUID,`
			`},`
			`}`
			`rb := &rbacv1.RoleBinding{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: acc.Data.UUID,`
			`Namespace: acc.Data.UUID,`
			`},`
			`Subjects: []rbacv1.Subject{`
			`rbacv1.Subject{`
			`Kind: "ServiceAccount",`
			`Name: acc.Data.UUID,`
			`Namespace: acc.Data.UUID,`
			`},`
			`},`
			`RoleRef: rbacv1.RoleRef{`
			`APIGroup: "rbac.authorization.k8s.io",`
			`Kind: "Role",`
			`Name: acc.Data.Username,`
			`},`
			`}`

			`if err := client.Create(ctx, rb); err != nil {`
			`if err := client.Delete(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`return err`
			`}`

			`if err := client.Create(ctx, sa); err != nil {`
			`if err := client.Delete(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`return err`
			`}`

			`tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID)`
			`saSec := &corev1.Secret{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: tokenName,`
			`Namespace: acc.Data.UUID,`
			`Annotations: map[string]string{`
			`"kubernetes.io/service-account.name": acc.Data.UUID,`
			`},`
			`},`
			`Type: "kubernetes.io/service-account-token",`
			`}`

			`if err := client.Create(ctx, saSec); err != nil {`
			`if err := client.Delete(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`return err`
			`}`

			`acc.Kubeconfig, err = acc.getToken(ctx, saSec)`
			`if err != nil {`
			`if err := client.Delete(ctx, &namespace); err != nil {`
			`return err`
			`}`
			`return err`
			`}`
			`return nil`
			`}`

			`func (acc *Account) Login (ctx context.Context) error {`
			`client := acc.Controller.GetClient()`
			`sec := &corev1.Secret{}`
			`if err := client.Get(ctx, types.NamespacedName{`
			`Namespace: "softplayer-accounts",`
			`Name: acc.Data.Username,`
			`}, sec); err != nil {`
			`return err`
			`}`
			`if !CheckPasswordHash(acc.Data.Password, string(sec.Data["password"])){`
			`err := errors.New("wrong password")`
			`return err`
			`}`
			`acc.Data.UUID = string(sec.Data["uuid"])`
			`tokenName := fmt.Sprintf("sa-%s", acc.Data.UUID)`
			`saSec := &corev1.Secret{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: tokenName,`
			`Namespace: acc.Data.UUID,`
			`Annotations: map[string]string{`
			`"kubernetes.io/service-account.name": acc.Data.UUID,`
			`},`
			`},`
			`Type: "kubernetes.io/service-account-token",`
			`}`
			`var err error`
			`acc.Kubeconfig, err = acc.getToken(ctx, saSec)`
			`if err != nil{`
			`return err`
			`}`
			`return nil`
			`}`

			`func (acc Account) getToken (ctx context.Context, saSec corev1.Secret) (string, error) {`
			`client := acc.Controller.GetClient()`
			`if err := client.Get(ctx, types.NamespacedName{`
			`Namespace: acc.Data.UUID,`
			`Name: saSec.ObjectMeta.Name,`
			`}, saSec); err != nil {`
			`return "", err`
			`}`
			`return string(saSec.Data["token"]), nil`
			`}`