Dreaded_X/lldap-controller
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Massive refactor

Browse Source
This commit is contained in:
Dreaded_X 2025-03-16 05:18:42 +01:00
parent 0bbb2ca738
commit 5e8e8590f1
Signed by: Dreaded_X
GPG Key ID: FA5F485356B0D2D4
9 changed files with 755 additions and 1127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1213
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

5
Cargo.toml
View File

@ -17,8 +17,7 @@ anyhow = "1.0.97"
lldap_auth = { git = "https://github.com/lldap/lldap" }
rand = { version = "0.8.0" }
serde_json = "1.0.140"
surf = "2.3.2"
cynic = { workspace = true, features = ["http-surf"] }
cynic = { workspace = true, features = ["http-reqwest"] }
tokio = { version = "1.44.0", features = ["full"] }
kube = { version = "0.99.0", features = ["derive", "runtime"] }
k8s-openapi = { version = "0.24.0", features = ["v1_31"] }
@ -31,6 +30,8 @@ tracing = "0.1.41"
thiserror = "2.0.12"
chrono = "0.4.40"
passwords = "3.1.16"
async-trait = "0.1.88"
reqwest = "0.12.14"
[dev-dependencies]
insta = { workspace = true }

81
src/context.rs Normal file
View File

@ -0,0 +1,81 @@
use async_trait::async_trait;
use k8s_openapi::api::core::v1::Secret;
use kube::{
runtime::events::{Event, EventType, Recorder, Reporter},
Resource, ResourceExt,
};
use crate::lldap::LldapConfig;
pub struct Context {
pub client: kube::Client,
pub lldap_config: LldapConfig,
pub controller_name: String,
pub recorder: Recorder,
}
impl Context {
pub fn new(controller_name: &str, client: kube::Client, lldap_config: LldapConfig) -> Self {
let reporter: Reporter = controller_name.into();
let recorder = Recorder::new(client.clone(), reporter);
Self {
client,
lldap_config,
controller_name: controller_name.into(),
recorder,
}
}
}
#[async_trait]
pub trait ControllerEvents {
type Error;
async fn secret_created<T>(&self, obj: &T, secret: &Secret) -> Result<(), Self::Error>
where
T: Resource<DynamicType = ()> + Sync;
async fn user_created<T>(&self, obj: &T, username: &str) -> Result<(), Self::Error>
where
T: Resource<DynamicType = ()> + Sync;
}
#[async_trait]
impl ControllerEvents for Recorder {
type Error = kube::Error;
async fn secret_created<T>(&self, obj: &T, secret: &Secret) -> Result<(), Self::Error>
where
T: Resource<DynamicType = ()> + Sync,
{
self.publish(
&Event {
type_: EventType::Normal,
reason: "SecretCreated".into(),
note: Some(format!("Created secret '{}'", secret.name_any())),
action: "SecretCreated".into(),
secondary: Some(secret.object_ref(&())),
},
&obj.object_ref(&()),
)
.await
}
async fn user_created<T>(&self, obj: &T, username: &str) -> Result<(), Self::Error>
where
T: Resource<DynamicType = ()> + Sync,
{
self.publish(
&Event {
type_: EventType::Normal,
reason: "UserCreated".into(),
note: Some(format!("Created user '{username}'")),
action: "UserCreated".into(),
secondary: None,
},
&obj.object_ref(&()),
)
.await
}
}

1
src/error.rs Normal file
View File

@ -0,0 +1 @@
pub type Result<T, E = Error> = anyhow::Result<T, E>;

1
src/lib.rs
View File

@ -1,2 +1,3 @@
pub mod context;
pub mod lldap;
pub mod resources;

186
src/lldap.rs
View File

@ -1,49 +1,155 @@
use anyhow::{anyhow, Context};
use anyhow::Context;
use lldap_auth::opaque::AuthenticationError;
use lldap_auth::registration::ServerRegistrationStartResponse;
use lldap_auth::{opaque, registration};
use surf::Client;
use reqwest::header::{HeaderMap, HeaderValue, AUTHORIZATION};
use std::time::Duration;
use tracing::debug;
pub async fn change_password(client: &Client, user_id: &str, password: &str) -> anyhow::Result<()> {
let mut rng = rand::rngs::OsRng;
let registration_start_request =
opaque::client::registration::start_registration(password.as_bytes(), &mut rng)
.context("Could not initiate password change")?;
use cynic::http::{CynicReqwestError, ReqwestExt};
use cynic::{GraphQlError, GraphQlResponse, MutationBuilder, QueryBuilder};
use lldap_auth::login::{ClientSimpleLoginRequest, ServerLoginResponse};
use queries::{CreateUser, CreateUserVariables, ListUsers};
let start_request = registration::ClientRegistrationStartRequest {
username: user_id.into(),
registration_start_request: registration_start_request.message,
};
#[derive(thiserror::Error, Debug)]
pub enum Error {
#[error("{0}")]
Cynic(#[from] CynicReqwestError),
#[error("{0}")]
Reqwest(#[from] reqwest::Error),
#[error("{0}")]
Authentication(#[from] AuthenticationError),
#[error("{0}")]
GraphQl(#[from] GraphQlError),
}
let mut response = client
.post("/auth/opaque/register/start")
.body_json(&start_request)
.map_err(|e| anyhow!(e))?
.await
.map_err(|e| anyhow!(e))?;
pub type Result<T, E = Error> = std::result::Result<T, E>;
let response: registration::ServerRegistrationStartResponse =
response.body_json().await.map_err(|e| anyhow!(e))?;
let registration_finish = opaque::client::registration::finish_registration(
registration_start_request.state,
response.registration_response,
&mut rng,
)
.context("Error during password change")?;
let request = registration::ClientRegistrationFinishRequest {
server_data: response.server_data,
registration_upload: registration_finish.message,
};
let _response = client
.post("/auth/opaque/register/finish")
.body_json(&request)
.map_err(|e| anyhow!(e))?
.await
.map_err(|e| anyhow!(e))?;
debug!("Changed '{user_id}' password successfully");
fn check_graphql_errors<T>(response: &GraphQlResponse<T>) -> Result<()> {
if let Some(errors) = &response.errors {
if !errors.is_empty() {
Err(errors.first().expect("Should not be empty").clone())?;
}
}
Ok(())
}
pub struct LldapConfig {
username: String,
password: String,
url: String,
}
impl LldapConfig {
pub fn try_from_env() -> anyhow::Result<Self> {
Ok(Self {
username: std::env::var("LLDAP_USERNAME")
.context("Variable 'LLDAP_USERNAME' is not set or invalid")?,
password: std::env::var("LLDAP_PASSWORD")
.context("Variable 'LLDAP_PASSWORD' is not set or invalid")?,
url: std::env::var("LLDAP_URL")
.context("Variable 'LLDAP_URL' is not set or invalid")?,
})
}
pub async fn build_client(&self) -> Result<LldapClient> {
let timeout = Duration::from_secs(1);
let client = reqwest::ClientBuilder::new().timeout(timeout).build()?;
let response: ServerLoginResponse = client
.post(format!("{}/auth/simple/login", self.url))
.json(&ClientSimpleLoginRequest {
username: self.username.clone().into(),
password: self.password.clone(),
})
.send()
.await?
.json()
.await?;
let mut auth: HeaderValue = format!("Bearer {}", response.token)
.try_into()
.expect("Token comes from api and should be ascii");
auth.set_sensitive(true);
let mut headers = HeaderMap::new();
headers.insert(AUTHORIZATION, auth);
let client = reqwest::ClientBuilder::new()
.timeout(timeout)
.default_headers(headers)
.build()?;
Ok(LldapClient(client))
}
}
pub struct LldapClient(reqwest::Client);
impl LldapClient {
pub async fn list_users(&self) -> Result<impl Iterator<Item = String>> {
let operation = ListUsers::build(());
let response = self.0.post("/api/graphql").run_graphql(operation).await?;
check_graphql_errors(&response)?;
Ok(response
.data
.expect("Data should be valid if there are no error")
.users
.into_iter()
.map(|user| user.id))
}
pub async fn create_user(&self, username: &str) -> Result<()> {
let operation = CreateUser::build(CreateUserVariables { id: username });
// TODO: Check the response?
let response = self.0.post("/api/graphql").run_graphql(operation).await?;
check_graphql_errors(&response)
}
pub async fn update_password(&self, username: &str, password: &str) -> Result<()> {
let mut rng = rand::rngs::OsRng;
let registration_start_request =
opaque::client::registration::start_registration(password.as_bytes(), &mut rng)?;
let start_request = registration::ClientRegistrationStartRequest {
username: username.into(),
registration_start_request: registration_start_request.message,
};
let response: ServerRegistrationStartResponse = self
.0
.post("/auth/opaque/register/start")
.json(&start_request)
.send()
.await?
.json()
.await?;
let registration_finish = opaque::client::registration::finish_registration(
registration_start_request.state,
response.registration_response,
&mut rng,
)?;
let request = registration::ClientRegistrationFinishRequest {
server_data: response.server_data,
registration_upload: registration_finish.message,
};
let _response = self
.0
.post("/auth/opaque/register/finish")
.json(&request)
.send()
.await?;
debug!("Changed '{username}' password successfully");
Ok(())
}
}

242
src/main.rs
View File

@ -1,215 +1,20 @@
use std::{collections::BTreeMap, str::from_utf8, sync::Arc, time::Duration};
use std::{sync::Arc, time::Duration};
use cynic::{http::SurfExt, MutationBuilder, QueryBuilder};
use futures::StreamExt;
use k8s_openapi::api::core::v1::Secret;
use kube::{
api::{ObjectMeta, Patch, PatchParams, PostParams},
runtime::{
controller::Action,
events::{Event, EventType, Recorder, Reporter},
Controller,
},
Api, Client as KubeClient, Resource,
runtime::{controller::Action, Controller},
Api, Client as KubeClient,
};
use lldap_auth::login::{ClientSimpleLoginRequest, ServerLoginResponse};
use lldap_controller::{
lldap::change_password,
resources::{ServiceUser, ServiceUserStatus},
context::Context,
lldap::LldapConfig,
resources::{self, ServiceUser},
};
use passwords::PasswordGenerator;
use queries::{CreateUser, CreateUserVariables, ListUsers};
use serde_json::json;
use surf::{Client as SurfClient, Config, Url};
use tracing::{debug, info, instrument, warn};
use tracing::{debug, info, warn};
use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter, Registry};
#[derive(thiserror::Error, Debug)]
enum Error {
#[error("Failed to commit secret: {0}")]
Commit(#[source] kube::api::entry::CommitError),
#[error("{0}")]
Kube(#[source] kube::Error),
#[error("MissingObjectKey: {0}")]
MissingObjectKey(&'static str),
}
type Result<T, E = Error> = std::result::Result<T, E>;
struct LldapConfig {
username: String,
password: String,
url: String,
}
impl LldapConfig {
async fn client(&self) -> std::result::Result<SurfClient, surf::Error> {
let client: SurfClient = Config::new()
.set_base_url(Url::parse(&self.url)?)
.set_timeout(Some(Duration::from_secs(1)))
.try_into()?;
let response: ServerLoginResponse = client
.post("/auth/simple/login")
.body_json(&ClientSimpleLoginRequest {
username: self.username.clone().into(),
password: self.password.clone(),
})?
.recv_json()
.await?;
let client = client
.config()
.clone()
.add_header("Authorization", format!("Bearer {}", response.token))?
.try_into()?;
Ok(client)
}
}
struct Data {
client: KubeClient,
lldap: LldapConfig,
recorder: Recorder,
pg: PasswordGenerator,
}
const CONTROLLER_NAME: &str = "lldap.huizinga.dev";
#[instrument(skip(obj, ctx))]
async fn reconcile(obj: Arc<ServiceUser>, ctx: Arc<Data>) -> Result<Action> {
let name = obj
.metadata
.name
.clone()
.ok_or(Error::MissingObjectKey(".metadata.name"))?;
let secret_name = format!("{name}-lldap-credentials");
let namespace = obj
.metadata
.namespace
.clone()
.ok_or(Error::MissingObjectKey(".metadata.namespace"))?;
let username = format!("{name}.{namespace}");
let oref = obj.controller_owner_ref(&()).unwrap();
debug!(name, "reconcile request");
let client = &ctx.client;
let secrets = Api::<Secret>::namespaced(client.clone(), &namespace);
// TODO: Potentially issue: someone modifies the secret and removes the pass
let mut created = false;
let mut secret = secrets
.entry(&secret_name)
.await
.map_err(Error::Kube)?
.or_insert(|| {
debug!(name, secret_name, "Generating new secret");
let mut contents = BTreeMap::new();
contents.insert("username".into(), username.clone());
contents.insert("password".into(), ctx.pg.generate_one().unwrap());
created = true;
Secret {
metadata: ObjectMeta {
owner_references: Some(vec![oref]),
..Default::default()
},
string_data: Some(contents),
..Default::default()
}
});
secret
.commit(&PostParams {
dry_run: false,
field_manager: Some(CONTROLLER_NAME.into()),
})
.await
.map_err(Error::Commit)?;
let secret = secret;
if created {
debug!(name, "Sending SecretCreated event");
// The reason this is here instead of inside the or_insert is that we
// want to send the event _after_ it successfully committed.
// Also or_insert is not async!
ctx.recorder
.publish(
&Event {
type_: EventType::Normal,
reason: "SecretCreated".into(),
note: Some(format!("Created secret '{secret_name}'")),
action: "SecretCreated".into(),
secondary: Some(secret.get().object_ref(&())),
},
&obj.object_ref(&()),
)
.await
.map_err(Error::Kube)?;
}
let lldap_client = ctx.lldap.client().await.unwrap();
let operation = ListUsers::build(());
let response = lldap_client
.post("/api/graphql")
.run_graphql(operation)
.await
.unwrap();
if !response
.data
.expect("Should get data")
.users
.iter()
.any(|user| user.id == username)
{
let operation = CreateUser::build(CreateUserVariables { id: &username });
lldap_client
.post("/api/graphql")
.run_graphql(operation)
.await
.unwrap();
ctx.recorder
.publish(
&Event {
type_: EventType::Normal,
reason: "UserCreated".into(),
note: Some(format!("Created user '{username}'")),
action: "UserCreated".into(),
secondary: None,
},
&obj.object_ref(&()),
)
.await
.map_err(Error::Kube)?;
}
let password = secret.get().data.as_ref().unwrap().get("password").unwrap();
let password = from_utf8(&password.0).unwrap();
change_password(&lldap_client, &username, password)
.await
.unwrap();
let service_users = Api::<ServiceUser>::namespaced(client.clone(), &namespace);
let status = json!({
"status": ServiceUserStatus { secret_created: secret.get().meta().creation_timestamp.as_ref().map(|ts| ts.0) }
});
service_users
.patch_status(&name, &PatchParams::default(), &Patch::Merge(&status))
.await
.map_err(Error::Kube)?;
Ok(Action::requeue(Duration::from_secs(3600)))
}
fn error_policy(_obj: Arc<ServiceUser>, err: &Error, _ctx: Arc<Data>) -> Action {
fn error_policy(_obj: Arc<ServiceUser>, err: &resources::Error, _ctx: Arc<Context>) -> Action {
warn!("error: {}", err);
Action::requeue(Duration::from_secs(5))
}
@ -219,27 +24,19 @@ async fn main() -> anyhow::Result<()> {
let logger = tracing_subscriber::fmt::layer().json();
let env_filter = EnvFilter::try_from_default_env()
.or_else(|_| EnvFilter::try_new("info"))
.unwrap();
.expect("Fallback should be valid");
Registry::default().with(logger).with(env_filter).init();
info!("Starting controller");
let lldap = LldapConfig {
username: std::env::var("LLDAP_USERNAME").unwrap(),
password: std::env::var("LLDAP_PASSWORD").unwrap(),
url: std::env::var("LLDAP_URL").unwrap(),
};
let client = KubeClient::try_default().await?;
let reporter: Reporter = CONTROLLER_NAME.into();
let recorder = Recorder::new(client.clone(), reporter);
let pg = PasswordGenerator::new()
.length(32)
.uppercase_letters(true)
.strict(true);
let data = Context::new(
"lldap.huizinga.dev",
client.clone(),
LldapConfig::try_from_env()?,
);
let service_users = Api::<ServiceUser>::all(client.clone());
let secrets = Api::<Secret>::all(client.clone());
@ -247,16 +44,7 @@ async fn main() -> anyhow::Result<()> {
Controller::new(service_users.clone(), Default::default())
.owns(secrets, Default::default())
.shutdown_on_signal()
.run(
reconcile,
error_policy,
Arc::new(Data {
client,
lldap,
recorder,
pg,
}),
)
.run(ServiceUser::reconcile, error_policy, Arc::new(data))
.for_each(|res| async move {
match res {
Ok(obj) => debug!("reconciled {:?}", obj.0.name),

143
src/resources.rs
View File

@ -1,7 +1,36 @@
use std::collections::BTreeMap;
use std::str::from_utf8;
use std::sync::Arc;
use std::time::Duration;
use chrono::{DateTime, Utc};
use kube::CustomResource;
use k8s_openapi::api::core::v1::Secret;
use k8s_openapi::apimachinery::pkg::apis::meta::v1::OwnerReference;
use kube::api::{ObjectMeta, Patch, PatchParams, PostParams};
use kube::runtime::controller::Action;
use kube::{Api, CustomResource, Resource};
use passwords::PasswordGenerator;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use serde_json::json;
use tracing::{debug, instrument};
use crate::context::{Context, ControllerEvents};
use crate::lldap;
#[derive(thiserror::Error, Debug)]
pub enum Error {
#[error("Failed to commit: {0}")]
Commit(#[from] kube::api::entry::CommitError),
#[error("Kube api error: {0}")]
Kube(#[from] kube::Error),
#[error("LLDAP error: {0}")]
Lldap(#[from] lldap::Error),
#[error("MissingObjectKey: {0}")]
MissingObjectKey(&'static str),
}
pub type Result<T, E = Error> = std::result::Result<T, E>;
#[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
#[kube(
@ -15,8 +44,8 @@ use serde::{Deserialize, Serialize};
shortname = "lsu",
doc = "Custom resource for managing Service Users inside of LLDAP",
printcolumn = r#"{"name":"Manager", "type":"boolean", "description":"Can the service user manage passwords", "jsonPath":".spec.passwordManager"}"#,
printcolumn = r#"{"name":"Age", "type":"date", "jsonPath":".metadata.creationTimestamp"}"#,
printcolumn = r#"{"name":"Secret", "type":"date", "description":"Secret creation timestamp", "jsonPath":".status.secret_created"}"#
printcolumn = r#"{"name":"Password", "type":"date", "description":"Secret creation timestamp", "jsonPath":".status.secretCreated"}"#,
printcolumn = r#"{"name":"Age", "type":"date", "jsonPath":".metadata.creationTimestamp"}"#
)]
#[serde(rename_all = "camelCase")]
pub struct ServiceUserSpec {
@ -27,10 +56,118 @@ pub struct ServiceUserSpec {
}
#[derive(Deserialize, Serialize, Clone, Default, Debug, JsonSchema)]
#[serde(rename_all = "camelCase")]
pub struct ServiceUserStatus {
pub secret_created: Option<DateTime<Utc>>,
}
fn new_secret(username: &str, oref: OwnerReference) -> Secret {
let pg = PasswordGenerator::new()
.length(32)
.uppercase_letters(true)
.strict(true);
let mut contents = BTreeMap::new();
contents.insert("username".into(), username.into());
contents.insert(
"password".into(),
pg.generate_one().expect("Settings should be valid"),
);
Secret {
metadata: ObjectMeta {
owner_references: Some(vec![oref]),
..Default::default()
},
string_data: Some(contents),
..Default::default()
}
}
impl ServiceUser {
#[instrument(skip(self, ctx))]
pub async fn reconcile(self: Arc<Self>, ctx: Arc<Context>) -> Result<Action> {
let name = self
.metadata
.name
.clone()
.ok_or(Error::MissingObjectKey(".metadata.name"))?;
let namespace = self
.metadata
.namespace
.clone()
.ok_or(Error::MissingObjectKey(".metadata.namespace"))?;
let oref = self
.controller_owner_ref(&())
.expect("Field should populated by apiserver");
debug!(name, "reconcile request");
let secret_name = format!("{name}-lldap-credentials");
let username = format!("{name}.{namespace}");
let client = &ctx.client;
let secrets = Api::<Secret>::namespaced(client.clone(), &namespace);
// TODO: Potentially issue: someone modifies the secret and removes the pass
let mut created = false;
let mut secret = secrets
.entry(&secret_name)
.await?
.and_modify(|_| {
debug!(name, secret_name, "Secret already exists");
})
.or_insert(|| {
created = true;
debug!(name, secret_name, "Generating new secret");
new_secret(&username, oref)
});
secret
.commit(&PostParams {
dry_run: false,
field_manager: Some(ctx.controller_name.clone()),
})
.await?;
let secret = secret;
if created {
// The reason this is here instead of inside the or_insert is that we
// want to send the event _after_ it successfully committed.
// Also or_insert is not async!
ctx.recorder
.secret_created(self.as_ref(), secret.get())
.await?;
}
let lldap_client = ctx.lldap_config.build_client().await?;
if lldap_client.list_users().await?.any(|id| id == username) {
debug!(name, username, "User already exists");
} else {
debug!(name, username, "Creating new user");
lldap_client.create_user(&username).await?;
ctx.recorder.user_created(self.as_ref(), &username).await?;
}
let password = secret.get().data.as_ref().unwrap().get("password").unwrap();
let password = from_utf8(&password.0).unwrap();
lldap_client.update_password(&username, password).await?;
let service_users = Api::<ServiceUser>::namespaced(client.clone(), &namespace);
let status = json!({
"status": ServiceUserStatus { secret_created: secret.get().meta().creation_timestamp.as_ref().map(|ts| ts.0) }
});
service_users
.patch_status(&name, &PatchParams::default(), &Patch::Merge(&status))
.await?;
Ok(Action::requeue(Duration::from_secs(3600)))
}
}
#[cfg(test)]
mod tests {
use super::*;

10
src/snapshots/lldap_controller__resources__tests__service_user_crd_output.snap
View File

@ -22,13 +22,13 @@ spec:
jsonPath: ".spec.passwordManager"
name: Manager
type: boolean
- description: Secret creation timestamp
jsonPath: ".status.secretCreated"
name: Password
type: date
- jsonPath: ".metadata.creationTimestamp"
name: Age
type: date
- description: Secret creation timestamp
jsonPath: ".status.secret_created"
name: Secret
type: date
name: v1
schema:
openAPIV3Schema:
@ -48,7 +48,7 @@ spec:
status:
nullable: true
properties:
secret_created:
secretCreated:
format: date-time
nullable: true
type: string