add iam crd

Signed-off-by: hongming <talonwan@yunify.com>

pkg/models/iam/im/im.go

@@ -19,76 +19,20 @@ package im
 
 import (
 	"github.com/pkg/errors"
-	"kubesphere.io/kubesphere/pkg/api/iam"
-	"kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 )
 
 type IdentityManagementInterface interface {
-	CreateUser(user *iam.User) (*iam.User, error)
+	CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error)
 	DeleteUser(username string) error
-	ModifyUser(user *iam.User) (*iam.User, error)
-	DescribeUser(username string) (*iam.User, error)
-	Authenticate(username, password string) (*iam.User, error)
-}
-
-type imOperator struct {
-	ldapClient ldap.Interface
+	ModifyUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error)
+	DescribeUser(username string) (*iamv1alpha2.User, error)
+	Authenticate(username, password string) (*iamv1alpha2.User, error)
 }
 
 var (
-	AuthRateLimitExceeded = errors.New("user auth rate limit exceeded")
-	UserAlreadyExists     = errors.New("user already exists")
-	UserNotExists         = errors.New("user not exists")
+	AuthRateLimitExceeded       = errors.New("user auth rate limit exceeded")
+	AuthFailedIncorrectPassword = errors.New("incorrect password")
+	UserAlreadyExists           = errors.New("user already exists")
+	UserNotExists               = errors.New("user not exists")
 )
-
-func NewLDAPOperator(ldapClient ldap.Interface) IdentityManagementInterface {
-	return &imOperator{
-		ldapClient: ldapClient,
-	}
-
-}
-
-func (im *imOperator) ModifyUser(user *iam.User) (*iam.User, error) {
-
-	err := im.ldapClient.Update(user)
-
-	if err != nil {
-		return nil, err
-	}
-
-	return im.ldapClient.Get(user.Name)
-}
-
-func (im *imOperator) Authenticate(username, password string) (*iam.User, error) {
-
-	user, err := im.ldapClient.Get(username)
-
-	if err != nil {
-		return nil, err
-	}
-
-	err = im.ldapClient.Authenticate(user.Name, password)
-	if err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}
-
-func (im *imOperator) DescribeUser(username string) (*iam.User, error) {
-	return im.ldapClient.Get(username)
-}
-
-func (im *imOperator) DeleteUser(username string) error {
-	return im.ldapClient.Delete(username)
-}
-
-func (im *imOperator) CreateUser(user *iam.User) (*iam.User, error) {
-	err := im.ldapClient.Create(user)
-
-	if err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}

pkg/models/iam/im/im_operator.go

@@ -0,0 +1,85 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package im
+
+import (
+	"golang.org/x/crypto/bcrypt"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	kubesphereclient "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+	informers "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
+)
+
+func NewOperator(ksClient kubesphereclient.Interface, informer informers.SharedInformerFactory) IdentityManagementInterface {
+
+	return &defaultIMOperator{
+		ksClient: ksClient,
+		informer: informer,
+	}
+
+}
+
+type defaultIMOperator struct {
+	ksClient kubesphereclient.Interface
+	informer informers.SharedInformerFactory
+}
+
+func (im *defaultIMOperator) ModifyUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+	return im.ksClient.IamV1alpha2().Users().Update(user)
+}
+
+func (im *defaultIMOperator) Authenticate(username, password string) (*iamv1alpha2.User, error) {
+
+	user, err := im.ksClient.IamV1alpha2().Users().Get(username, metav1.GetOptions{})
+
+	if err != nil {
+		return nil, err
+	}
+	if checkPasswordHash(password, user.Spec.EncryptedPassword) {
+		return user, nil
+	}
+	return nil, AuthFailedIncorrectPassword
+}
+
+func checkPasswordHash(password, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
+}
+
+func (im *defaultIMOperator) DescribeUser(username string) (*iamv1alpha2.User, error) {
+	user, err := im.ksClient.IamV1alpha2().Users().Get(username, metav1.GetOptions{})
+
+	if err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func (im *defaultIMOperator) DeleteUser(username string) error {
+	return im.ksClient.IamV1alpha2().Users().Delete(username, metav1.NewDeleteOptions(0))
+}
+
+func (im *defaultIMOperator) CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+	user, err := im.ksClient.IamV1alpha2().Users().Create(user)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}

pkg/models/iam/im/im_test.go

@@ -17,3 +17,25 @@
  */
 
 package im
+
+import (
+	"golang.org/x/crypto/bcrypt"
+	"testing"
+)
+
+func TestEncryptPassword(t *testing.T) {
+	password := "P@88w0rd"
+	encryptedPassword, err := hashPassword(password)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !checkPasswordHash(password, encryptedPassword) {
+		t.Fatal(err)
+	}
+	t.Log(encryptedPassword)
+}
+
+func hashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
+	return string(bytes), err
+}

pkg/models/iam/im/ldap_operator.go

@@ -0,0 +1,80 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package im
+
+import (
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/simple/client/ldap"
+)
+
+type ldapOperator struct {
+	ldapClient ldap.Interface
+}
+
+func NewLDAPOperator(ldapClient ldap.Interface) IdentityManagementInterface {
+	return &ldapOperator{
+		ldapClient: ldapClient,
+	}
+
+}
+
+func (im *ldapOperator) ModifyUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+
+	err := im.ldapClient.Update(user)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return im.ldapClient.Get(user.Name)
+}
+
+func (im *ldapOperator) Authenticate(username, password string) (*iamv1alpha2.User, error) {
+
+	user, err := im.ldapClient.Get(username)
+
+	if err != nil {
+		return nil, err
+	}
+
+	err = im.ldapClient.Authenticate(user.Name, password)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+func (im *ldapOperator) DescribeUser(username string) (*iamv1alpha2.User, error) {
+	return im.ldapClient.Get(username)
+}
+
+func (im *ldapOperator) DeleteUser(username string) error {
+	return im.ldapClient.Delete(username)
+}
+
+func (im *ldapOperator) CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+	err := im.ldapClient.Create(user)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}