Merge pull request #12 from crobby/migrationreview

Update based on review comments
rancher · Aug 7, 2023 · b9d4487 · b9d4487
2 parents 17250da + 0efbb02
commit b9d4487
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 52 deletions.
diff --git a/pkg/agent/clean/active_directory.go b/pkg/agent/clean/active_directory.go
@@ -13,6 +13,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/rancher/rancher/pkg/auth/providers/activedirectory"
+
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 
@@ -41,15 +43,10 @@ const (
 	migratePrtbsOperation     = "migrate-ad-prtbs"
 	activeDirectoryPrefix     = "activedirectory_user://"
 	localPrefix               = "local://"
-	StatusConfigMapName       = "ad-guid-migration"
-	StatusConfigMapNamespace  = "cattle-system"
-	StatusMigrationField      = "ad-guid-migration-status"
-	StatusMigrationFinished   = "Finished"
-	StatusMigrationRunning    = "Running"
-	StatusLoginDisabled       = "login is disabled while migration is running"
 	adGUIDMigrationLabel      = "ad-guid-migration"
 	adGUIDMigrationAnnotation = "ad-guid-migration-data"
 	migratedLabelValue        = "migrated"
+	migrationPreviousName     = "ad-guid-previous-name"
 )
 
 type migrateUserWorkUnit struct {
@@ -90,13 +87,6 @@ func (e LdapConnectionPermanentlyFailed) Error() string {
 	return "ldap search failed to connect after exhausting maximum retry attempts"
 }
 
-type LoginDisabledError struct{}
-
-// Error provides a string representation of an LdapErrorNotFound
-func (e LoginDisabledError) Error() string {
-	return StatusLoginDisabled
-}
-
 func scaledContext(restConfig *restclient.Config) (*config.ScaledContext, error) {
 	sc, err := config.NewScaledContext(*restConfig, nil)
 	if err != nil {
@@ -298,7 +288,7 @@ func UnmigrateAdGUIDUsersOnce(sc *config.ScaledContext) error {
 	migrationConfigMap, _ := sc.Core.ConfigMaps("cattle-system").GetNamespaced("cattle-system", "ad-guid-migration", metav1.GetOptions{})
 	if migrationConfigMap != nil {
 		migrationStatus := migrationConfigMap.Data["ad-guid-migration-status"]
-		if migrationStatus == StatusMigrationFinished {
+		if migrationStatus == activedirectory.StatusMigrationFinished {
 			logrus.Debugf("[%v] ad-guid migration has already been completed, refusing to run again at startup", migrateAdUserOperation)
 			return nil
 		}
@@ -330,7 +320,7 @@ func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool, deleteMi
 	}
 	defer lConn.Close()
 
-	err = updateMigrationStatus(sc, StatusMigrationField, StatusMigrationRunning)
+	err = updateMigrationStatus(sc, activedirectory.StatusMigrationField, activedirectory.StatusMigrationRunning)
 	if err != nil {
 		return fmt.Errorf("unable to update migration status configmap: %v", err)
 	}
@@ -440,7 +430,7 @@ func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool, deleteMi
 		}
 	}
 
-	err = updateMigrationStatus(sc, StatusMigrationField, StatusMigrationFinished)
+	err = updateMigrationStatus(sc, activedirectory.StatusMigrationField, activedirectory.StatusMigrationFinished)
 	if err != nil {
 		return fmt.Errorf("unable to update migration status configmap: %v", err)
 	}
@@ -648,17 +638,16 @@ func migrateTokens(workunit *migrateUserWorkUnit, sc *config.ScaledContext, dryR
 			if err != nil {
 				logrus.Errorf("[%v] token %s no longer exists: %v", migrateTokensOperation, userToken.Name, err)
 			}
-			if userToken.Annotations == nil {
-				userToken.Annotations = make(map[string]string)
+			if latestToken.Annotations == nil {
+				latestToken.Annotations = make(map[string]string)
 			}
-			userToken.Annotations[adGUIDMigrationAnnotation] = workunit.guid
-			if userToken.Labels == nil {
-				userToken.Labels = make(map[string]string)
+			latestToken.Annotations[adGUIDMigrationAnnotation] = workunit.guid
+			if latestToken.Labels == nil {
+				latestToken.Labels = make(map[string]string)
 			}
-			userToken.Labels[adGUIDMigrationLabel] = migratedLabelValue
-			userToken.UserPrincipal.Name = dnPrincipalID
-			userToken.SetResourceVersion(latestToken.ResourceVersion)
-			_, err = tokenInterface.Update(&userToken)
+			latestToken.Labels[adGUIDMigrationLabel] = migratedLabelValue
+			latestToken.UserPrincipal.Name = dnPrincipalID
+			_, err = tokenInterface.Update(latestToken)
 			if err != nil {
 				return fmt.Errorf("[%v] unable to update token: %w", migrateTokensOperation, err)
 			}
@@ -674,17 +663,16 @@ func migrateTokens(workunit *migrateUserWorkUnit, sc *config.ScaledContext, dryR
 			if err != nil {
 				logrus.Errorf("[%v] token %s no longer exists: %v", migrateTokensOperation, userToken.Name, err)
 			}
-			if userToken.Annotations == nil {
-				userToken.Annotations = make(map[string]string)
+			if latestToken.Annotations == nil {
+				latestToken.Annotations = make(map[string]string)
 			}
-			userToken.Annotations[adGUIDMigrationAnnotation] = workunit.guid
-			if userToken.Labels == nil {
-				userToken.Labels = make(map[string]string)
+			latestToken.Annotations[adGUIDMigrationAnnotation] = workunit.guid
+			if latestToken.Labels == nil {
+				latestToken.Labels = make(map[string]string)
 			}
-			userToken.Labels[adGUIDMigrationLabel] = migratedLabelValue
-			userToken.UserPrincipal.Name = localPrincipalID
-			userToken.SetResourceVersion(latestToken.ResourceVersion)
-			_, err = tokenInterface.Update(&userToken)
+			latestToken.Labels[adGUIDMigrationLabel] = migratedLabelValue
+			latestToken.UserPrincipal.Name = localPrincipalID
+			_, err = tokenInterface.Update(latestToken)
 			if err != nil {
 				return fmt.Errorf("[%v] unable to update token: %w", migrateTokensOperation, err)
 			}
@@ -790,6 +778,7 @@ func migrateCRTBs(workunit *migrateUserWorkUnit, sc *config.ScaledContext, dryRu
 			if newLabels == nil {
 				newLabels = make(map[string]string)
 			}
+			newLabels[migrationPreviousName] = oldCrtb.Name
 			newLabels[adGUIDMigrationLabel] = migratedLabelValue
 			newCrtb := &v3.ClusterRoleTemplateBinding{
 				ObjectMeta: metav1.ObjectMeta{
@@ -830,6 +819,7 @@ func migrateCRTBs(workunit *migrateUserWorkUnit, sc *config.ScaledContext, dryRu
 			if newLabels == nil {
 				newLabels = make(map[string]string)
 			}
+			newLabels[migrationPreviousName] = oldCrtb.Name
 			newLabels[adGUIDMigrationLabel] = migratedLabelValue
 			newCrtb := &v3.ClusterRoleTemplateBinding{
 				ObjectMeta: metav1.ObjectMeta{
@@ -874,6 +864,7 @@ func migratePRTBs(workunit *migrateUserWorkUnit, sc *config.ScaledContext, dryRu
 			if newLabels == nil {
 				newLabels = make(map[string]string)
 			}
+			newLabels[migrationPreviousName] = oldPrtb.Name
 			newLabels[adGUIDMigrationLabel] = migratedLabelValue
 			newPrtb := &v3.ProjectRoleTemplateBinding{
 				ObjectMeta: metav1.ObjectMeta{
@@ -914,6 +905,7 @@ func migratePRTBs(workunit *migrateUserWorkUnit, sc *config.ScaledContext, dryRu
 			if newLabels == nil {
 				newLabels = make(map[string]string)
 			}
+			newLabels[migrationPreviousName] = oldPrtb.Name
 			newLabels[adGUIDMigrationLabel] = migratedLabelValue
 			newPrtb := &v3.ProjectRoleTemplateBinding{
 				ObjectMeta: metav1.ObjectMeta{
@@ -942,26 +934,26 @@ func migratePRTBs(workunit *migrateUserWorkUnit, sc *config.ScaledContext, dryRu
 }
 
 func updateMigrationStatus(sc *config.ScaledContext, status string, value string) error {
-	cm, err := sc.Core.ConfigMaps(StatusConfigMapNamespace).Get(StatusConfigMapName, metav1.GetOptions{})
+	cm, err := sc.Core.ConfigMaps(activedirectory.StatusConfigMapNamespace).Get(activedirectory.StatusConfigMapName, metav1.GetOptions{})
 	if err != nil {
 		// Create a new ConfigMap if it doesn't exist
 		if !apierrors.IsNotFound(err) {
 			return err
 		}
 		cm = &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      StatusConfigMapName,
-				Namespace: StatusConfigMapNamespace,
+				Name:      activedirectory.StatusConfigMapName,
+				Namespace: activedirectory.StatusConfigMapNamespace,
 			},
 		}
 	}
 
 	cm.Data = map[string]string{status: value}
 
-	if _, err := sc.Core.ConfigMaps(StatusConfigMapNamespace).Update(cm); err != nil {
+	if _, err := sc.Core.ConfigMaps(activedirectory.StatusConfigMapNamespace).Update(cm); err != nil {
 		// If the ConfigMap does not exist, create it
 		if apierrors.IsNotFound(err) {
-			_, err = sc.Core.ConfigMaps(StatusConfigMapNamespace).Create(cm)
+			_, err = sc.Core.ConfigMaps(activedirectory.StatusConfigMapNamespace).Create(cm)
 			if err != nil {
 				return fmt.Errorf("[%v] unable to create migration status configmap: %v", migrateAdUserOperation, err)
 			}

diff --git a/pkg/auth/providers/activedirectory/activedirectory_provider.go b/pkg/auth/providers/activedirectory/activedirectory_provider.go
@@ -24,11 +24,17 @@ import (
 )
 
 const (
-	Name              = "activedirectory"
-	UserScope         = Name + "_user"
-	GroupScope        = Name + "_group"
-	ObjectClass       = "objectClass"
-	MemberOfAttribute = "memberOf"
+	Name                     = "activedirectory"
+	UserScope                = Name + "_user"
+	GroupScope               = Name + "_group"
+	ObjectClass              = "objectClass"
+	MemberOfAttribute        = "memberOf"
+	StatusConfigMapName      = "ad-guid-migration"
+	StatusConfigMapNamespace = "cattle-system"
+	StatusMigrationField     = "ad-guid-migration-status"
+	StatusMigrationFinished  = "Finished"
+	StatusMigrationRunning   = "Running"
+	StatusLoginDisabled      = "login is disabled while migration is running"
 )
 
 var scopes = []string{UserScope, GroupScope}
@@ -80,10 +86,14 @@ func (p *adProvider) AuthenticateUser(ctx context.Context, input interface{}) (v
 		return v3.Principal{}, nil, "", errors.New("unexpected input type")
 	}
 
-	migrationConfigMap, _ := p.configMaps.GetNamespaced("cattle-system", "ad-guid-migration", metav1.GetOptions{})
-	migrationStatus := migrationConfigMap.Data["ad-guid-migration-status"]
-	if migrationStatus == "Running" {
-		return v3.Principal{}, nil, "Unable to perform login while migration is running", fmt.Errorf("login is disabled while migration is running")
+	migrationConfigMap, err := p.configMaps.GetNamespaced(StatusConfigMapNamespace, StatusConfigMapName, metav1.GetOptions{})
+	if err != nil {
+		logrus.Infof("ad-guid-migration configmap does not exist, allowing logins by default: %v", err)
+	} else {
+		migrationStatus := migrationConfigMap.Data[StatusMigrationField]
+		if migrationStatus == StatusMigrationRunning {
+			return v3.Principal{}, nil, "Unable to perform login while migration is running", LoginDisabledError{}
+		}
 	}
 
 	config, caPool, err := p.getActiveDirectoryConfig()
@@ -247,6 +257,13 @@ func (p *adProvider) GetUserExtraAttributes(userPrincipal v3.Principal) map[stri
 	return extras
 }
 
+type LoginDisabledError struct{}
+
+// Error provides a string representation of an LdapErrorNotFound
+func (e LoginDisabledError) Error() string {
+	return StatusLoginDisabled
+}
+
 // IsDisabledProvider checks if the Azure Active Directory provider is currently disabled in Rancher.
 func (p *adProvider) IsDisabledProvider() (bool, error) {
 	adConfig, _, err := p.getActiveDirectoryConfig()
@@ -255,3 +272,8 @@ func (p *adProvider) IsDisabledProvider() (bool, error) {
 	}
 	return !adConfig.Enabled, nil
 }
+
+// IsStatusLoginDisabledError will return true when the login is disabled due to a migration in process.
+func IsStatusLoginDisabledError(err error) bool {
+	return err.Error() == StatusLoginDisabled
+}
diff --git a/pkg/auth/providers/publicapi/login.go b/pkg/auth/providers/publicapi/login.go
@@ -10,8 +10,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/rancher/rancher/pkg/agent/clean"
-
 	"github.com/rancher/norman/httperror"
 	"github.com/rancher/norman/types"
 	v32 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
@@ -78,8 +76,8 @@ func (h *loginHandler) login(actionName string, action *types.Action, request *t
 		if httperror.IsAPIError(err) {
 			return err
 		}
-		if err.Error() == clean.StatusLoginDisabled {
-			return httperror.WrapAPIError(err, httperror.ClusterUnavailable, clean.StatusLoginDisabled)
+		if activedirectory.IsStatusLoginDisabledError(err) {
+			return httperror.WrapAPIError(err, httperror.ClusterUnavailable, activedirectory.StatusLoginDisabled)
 		}
 		return httperror.WrapAPIError(err, httperror.ServerError, "Server error while authenticating")
 	}