-
Notifications
You must be signed in to change notification settings - Fork 55
/
auth.go
135 lines (114 loc) · 3.58 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
// Package auth collects structures and functions around the
// generation and processing of credentials.
package auth
import (
"context"
"errors"
"sort"
"github.com/epinio/epinio/helpers/kubernetes"
"github.com/epinio/epinio/helpers/randstr"
"github.com/gin-gonic/gin"
"golang.org/x/crypto/bcrypt"
"k8s.io/apimachinery/pkg/labels"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// PasswordAuth wraps a set of password-based credentials
type PasswordAuth struct {
Username string
Password string
}
type SecretsSortable []corev1.Secret
func (a SecretsSortable) Len() int { return len(a) }
func (a SecretsSortable) Less(i, j int) bool {
time1 := a[i].ObjectMeta.CreationTimestamp
time2 := a[j].ObjectMeta.CreationTimestamp
return time1.Before(&time2)
}
func (a SecretsSortable) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
// Htpassword returns user+hash string suitable for use by Traefik's
// BasicAuth module.
func (auth *PasswordAuth) Htpassword() (string, error) {
hash, err := HashBcrypt(auth.Password)
if err != nil {
return "", err
}
return auth.Username + ":" + hash, nil
}
// HashBcrypt generates an Bcrypt hash for a password.
// See https://github.com/foomo/htpasswd for the origin of this code.
// MIT licensed, as per `blob/master/LICENSE.txt`
func HashBcrypt(password string) (hash string, err error) {
passwordBytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return
}
return string(passwordBytes), nil
}
// RandomPasswordAuth generates a random user+password
// combination. Both elements are random 16-character hex strings.
func RandomPasswordAuth() (*PasswordAuth, error) {
user, err := randstr.Hex16()
if err != nil {
return nil, err
}
password, err := randstr.Hex16()
if err != nil {
return nil, err
}
return &PasswordAuth{
Username: user,
Password: password,
}, nil
}
// GetFirstUserAccount returns the credentials of the oldest Epinio user.
// This should normally be the one created during installation unless someone
// deleted that.
func GetFirstUserAccount(ctx context.Context) (string, string, error) {
secrets, err := GetUserSecretsByAge(ctx)
if err != nil {
return "", "", err
}
if len(secrets) > 0 {
username := string(secrets[0].Data["username"])
password := string(secrets[0].Data["password"])
return username, password, nil
} else {
return "", "", errors.New("no user account found")
}
}
// GetUserAccounts returns all Epinio users as a gin.Accounts object to be
// passed to the BasicAuth middleware.
func GetUserAccounts(ctx context.Context) (*gin.Accounts, error) {
secrets, err := GetUserSecretsByAge(ctx)
if err != nil {
return nil, err
}
accounts := gin.Accounts{}
for _, secret := range secrets {
accounts[string(secret.Data["username"])] = string(secret.Data["password"])
}
return &accounts, nil
}
// GetUserSecretsByAge returns the user BasicAuth Secrets sorted from older to
// younger by creationTimestamp.
func GetUserSecretsByAge(ctx context.Context) ([]corev1.Secret, error) {
cluster, err := kubernetes.GetCluster(ctx)
if err != nil {
return nil, err
}
secretSelector := labels.Set(map[string]string{
kubernetes.EpinioAPISecretLabelKey: kubernetes.EpinioAPISecretLabelValue,
}).AsSelector().String()
// Find all user credential secrets
secretList, err := cluster.Kubectl.CoreV1().Secrets("epinio").List(ctx, metav1.ListOptions{
FieldSelector: "type=BasicAuth",
LabelSelector: secretSelector,
})
if err != nil {
return nil, err
}
// Now lets sort the list
sort.Sort(SecretsSortable(secretList.Items))
return secretList.Items, nil
}