package user
import (
"context"
"fmt"
"os"
"strconv"
"sync"
"time"
"github.com/pkg/errors"
usertypes "github.com/replicatedhq/kots/kotsadm/pkg/user/types"
"github.com/replicatedhq/kots/pkg/logger"
"golang.org/x/crypto/bcrypt"
kuberneteserrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"sigs.k8s.io/controller-runtime/pkg/client/config"
)
// loginMutex serializes the read-modify-write cycle on the password secret's
// labels performed by flagSuccessfulLogin and flagInvalidPassword.
var loginMutex sync.Mutex

// passwordSecretName is the name of the Secret (looked up in POD_NAMESPACE)
// that carries the bcrypt password hash and the login bookkeeping labels.
var passwordSecretName = "kotsadm-password"

// ErrInvalidPassword is returned by LogIn when the supplied password does not
// match the stored bcrypt hash.
var ErrInvalidPassword = errors.New("invalid password")

// ErrTooManyAttempts is returned by LogIn when the password secret's
// "numAttempts" label is above the lockout threshold.
var ErrTooManyAttempts = errors.New("too many attempts")
// LogIn checks password against the stored bcrypt hash and, on success,
// returns the single built-in user (ID "000000").
//
// The hash is taken from the "passwordBcrypt" key of the password secret in
// POD_NAMESPACE. If that secret cannot be fetched for any reason (not only
// NotFound), the SHARED_PASSWORD_BCRYPT environment variable is used instead;
// the "numAttempts" lockout check is only applied when the secret was read.
//
// It returns ErrTooManyAttempts when the secret's "numAttempts" label is
// greater than 10, ErrInvalidPassword on a bcrypt mismatch, and a wrapped
// error for any other failure. Within this file the counter is only reset by
// flagSuccessfulLogin, which is not reached once the limit is hit, so the
// lockout persists until the label is changed by something else.
//
// NOTE(review): the label is read here without holding loginMutex, so it may
// be observed mid-update by flagInvalidPassword; the counter is best-effort.
func LogIn(password string) (*usertypes.User, error) {
	cfg, err := config.GetConfig()
	if err != nil {
		return nil, errors.Wrap(err, "failed to get cluster config")
	}
	clientset, err := kubernetes.NewForConfig(cfg)
	if err != nil {
		return nil, errors.Wrap(err, "failed to create kubernetes clientset")
	}

	namespace := os.Getenv("POD_NAMESPACE")
	secret, getErr := clientset.CoreV1().Secrets(namespace).Get(context.TODO(), passwordSecretName, metav1.GetOptions{})

	var storedHash []byte
	switch {
	case getErr != nil:
		// No usable secret: fall back to the hash supplied via the environment.
		storedHash = []byte(os.Getenv("SHARED_PASSWORD_BCRYPT"))
	default:
		// A missing or unparsable label counts as zero attempts.
		attempts, _ := strconv.Atoi(secret.Labels["numAttempts"])
		if attempts > 10 {
			return nil, ErrTooManyAttempts
		}
		storedHash = secret.Data["passwordBcrypt"]
	}

	compareErr := bcrypt.CompareHashAndPassword(storedHash, []byte(password))
	if compareErr == bcrypt.ErrMismatchedHashAndPassword {
		// Bookkeeping failures must not mask the authentication result.
		if flagErr := flagInvalidPassword(clientset); flagErr != nil {
			logger.Infof("failed to flag failed login: %v", flagErr)
		}
		return nil, ErrInvalidPassword
	}
	if compareErr != nil {
		// Anything other than a mismatch (e.g. an empty or malformed hash).
		return nil, errors.Wrap(compareErr, "failed to compare password")
	}

	if flagErr := flagSuccessfulLogin(clientset); flagErr != nil {
		logger.Error(errors.Wrap(flagErr, "failed to flag successful login"))
	}
	return &usertypes.User{ID: "000000"}, nil
}
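// maxConflictRetries is how many times updatePasswordSecretLabels re-reads and
// re-applies a change after the Update is rejected with a conflict, before
// giving up (the first attempt is not counted as a retry).
const maxConflictRetries = 3

// updatePasswordSecretLabels fetches the password secret from POD_NAMESPACE,
// applies mutate to its label map and writes the secret back, retrying the
// read-modify-write on update conflicts. The whole cycle runs under loginMutex.
//
// A NotFound secret is reported as success with nothing written (presumably
// because LogIn then authenticates against SHARED_PASSWORD_BCRYPT and there is
// no secret to annotate — confirm against the caller). Any other Get or Update
// error is returned wrapped.
func updatePasswordSecretLabels(clientset kubernetes.Interface, mutate func(labels map[string]string)) error {
	loginMutex.Lock()
	defer loginMutex.Unlock()

	// The namespace is fixed for the process; read it once rather than per try.
	secrets := clientset.CoreV1().Secrets(os.Getenv("POD_NAMESPACE"))
	for attempt := 0; ; attempt++ {
		secret, err := secrets.Get(context.TODO(), passwordSecretName, metav1.GetOptions{})
		if err != nil {
			if kuberneteserrors.IsNotFound(err) {
				return nil
			}
			return errors.Wrap(err, "failed to get password secret")
		}
		// Writing to a nil map panics; the secret may have no labels yet.
		if secret.Labels == nil {
			secret.Labels = map[string]string{}
		}
		mutate(secret.Labels)

		_, err = secrets.Update(context.TODO(), secret, metav1.UpdateOptions{})
		if err == nil {
			return nil
		}
		if !kuberneteserrors.IsConflict(err) {
			return errors.Wrap(err, "failed to update password secret")
		}
		if attempt >= maxConflictRetries {
			return errors.New("failed to update password secret due to conflicts")
		}
		// Conflict: another writer changed the secret between Get and Update;
		// loop to fetch the fresh resourceVersion and reapply the mutation.
	}
}

// flagSuccessfulLogin records the current Unix time in the "lastLogin" label
// of the password secret and resets "numAttempts" to "0". A missing secret is
// not an error. Other failures are returned wrapped.
func flagSuccessfulLogin(clientset kubernetes.Interface) error {
	return updatePasswordSecretLabels(clientset, func(labels map[string]string) {
		labels["lastLogin"] = fmt.Sprintf("%d", time.Now().Unix())
		labels["numAttempts"] = "0"
	})
}

// flagInvalidPassword records the current Unix time in the "lastFailure" label
// of the password secret and increments "numAttempts" by one. A missing secret
// is not an error. Other failures are returned wrapped.
func flagInvalidPassword(clientset kubernetes.Interface) error {
	return updatePasswordSecretLabels(clientset, func(labels map[string]string) {
		labels["lastFailure"] = fmt.Sprintf("%d", time.Now().Unix())
		// A missing or unparsable counter is treated as 0, so this write also
		// repairs a corrupted label instead of failing the bookkeeping.
		attempts, _ := strconv.Atoi(labels["numAttempts"])
		labels["numAttempts"] = strconv.Itoa(attempts + 1)
	})
}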