paritytech · emamihe · Jan 29, 2023 · Aug 12, 2023
@@ -0,0 +1,12 @@
+# Stage 1: Build
+FROM golang:alpine AS build
+WORKDIR /app
+COPY . .
+RUN go build -o main .
+
+# Stage 2: Run
+FROM alpine
+WORKDIR /app
+COPY --from=build /app/main /app/
+COPY --from=build /app/banner.txt /app/
+CMD ["/app/main"]
@@ -0,0 +1,47 @@
+package authorization
+
+import (
+	"context"
+	"io/ioutil"
+
+	"github.com/gin-gonic/gin"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+func AuthorizeAdmin(c *gin.Context) (bool, string) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		panic("Error getting in-cluster config")
+	}
+
+	userToken := c.GetHeader("Authorization")
+
+	clientSet, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		panic("Error creating client")
+	}
+
+	bytes, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	currentNamespace := string(bytes)
+
+	secrets, err := clientSet.CoreV1().Secrets(currentNamespace).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		panic("Error fetching secrets")
+	}
+
+	for _, secret := range secrets.Items {
+		if secret.Annotations["parity.io/role"] == "admin" {
+			token, ok := secret.Data["token"]
+			if ok {
+				if string(token) == userToken {
+					return true, secret.Name
+				}
+			} else {
+				continue
+			}
+		}
+	}
+	return false, "NO_OWNER"
+}
@@ -0,0 +1,47 @@
+package authorization
+
+import (
+	"context"
+	"io/ioutil"
+
+	"github.com/gin-gonic/gin"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+func AuthorizeUser(c *gin.Context) (bool, string) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		panic("Error getting in-cluster config")
+	}
+
+	userToken := c.GetHeader("Authorization")
+
+	clientSet, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		panic("Error creating client")
+	}
+
+	bytes, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	currentNamespace := string(bytes)
+
+	secrets, err := clientSet.CoreV1().Secrets(currentNamespace).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		panic("Error fetching secrets")
+	}
+
+	for _, secret := range secrets.Items {
+		if secret.Annotations["parity.io/role"] == "user" {
+			token, ok := secret.Data["token"]
+			if ok {
+				if string(token) == userToken {
+					return true, secret.Name
+				}
+			} else {
+				continue
+			}
+		}
+	}
+	return false, "NO_OWNER"
+}
@@ -0,0 +1,8 @@
+
+   _____          __  .__        _________                  .__              
+  /  _  \  __ ___/  |_|  |__    /   _____/ ______________  _|__| ____  ____  
+ /  /_\  \|  |  \   __\  |  \   \_____  \_/ __ \_  __ \  \/ /  |/ ___\/ __ \ 
+/    |    \  |  /|  | |   Y  \  /        \  ___/|  | \/\   /|  \  \__\  ___/ 
+\____|__  /____/ |__| |___|  / /_______  /\___  >__|    \_/ |__|\___  >___  >
+        \/                 \/          \/     \/                    \/    \/ 
+
@@ -0,0 +1,18 @@
+package cmd
+
+import (
+	"auth-service/controllers"
+
+	"github.com/gin-gonic/gin"
+)
+
+func Run() {
+	router := gin.Default()
+	router.GET("/v1/ns", controllers.GetAllNS)
+	router.POST("/v1/ns", controllers.CreateNS)
+	router.GET("/v1/ns/:namespace", controllers.GetNS)
+	router.DELETE("/v1/ns/:namespace", controllers.DeleteNS)
+	router.GET("/healthz", controllers.GetHealthz)
+
+	router.Run()
+}
@@ -0,0 +1,131 @@
+package controllers
+
+import (
+	"math/rand"
+	"time"
+
+	"github.com/gin-gonic/gin"
+
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+
+	"auth-service/authorization"
+)
+
+type annotation map[string]string
+
+func CreateNS(c *gin.Context) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		fmt.Println("Error getting in-cluster config:", err)
+		return
+	}
+
+	clientSet, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		fmt.Println("Error creating client:", err)
+		return
+	}
+
+	authorized, owner := authorization.AuthorizeUser(c)
+	if !authorized {
+		c.JSON(401, gin.H{
+			"message": "Not Authorized",
+		})
+		return
+	}
+
+	namespaceName := gernerateNamespaceName()
+
+	ns := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        namespaceName,
+			Annotations: annotation{"parity.io/owner": owner},
+		},
+	}
+
+	app, err := clientSet.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{})
+	if err != nil {
+		fmt.Printf("Error creating namespace: %v", err)
+	} else {
+		fmt.Printf("Namespace %s created successfully", ns.Name)
+	}
+
+	sa, err := clientSet.CoreV1().ServiceAccounts(app.Name).Create(context.TODO(), &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "admin",
+			Namespace: namespaceName,
+		},
+	}, metav1.CreateOptions{})
+	if err != nil {
+		panic(err)
+	}
+
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: sa.Name + "-token",
+			Annotations: map[string]string{
+				"kubernetes.io/service-account.name": sa.Name,
+			},
+		},
+		Type: corev1.SecretTypeServiceAccountToken,
+	}
+
+	_, err = clientSet.CoreV1().Secrets(namespaceName).Create(context.TODO(), secret, metav1.CreateOptions{})
+	if err != nil {
+		panic(err)
+	}
+
+	_, err = clientSet.RbacV1().RoleBindings(namespaceName).Create(context.TODO(), &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "admin",
+			Namespace: namespaceName,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "admin",
+				Namespace: namespaceName,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind: "ClusterRole",
+			Name: "cluster-admin",
+		},
+	}, metav1.CreateOptions{})
+	if err != nil {
+		panic(err)
+	}
+
+	adminSecret, err := clientSet.CoreV1().Secrets(namespaceName).Get(context.TODO(), secret.Name, metav1.GetOptions{})
+	if err != nil {
+		panic(err)
+	}
+
+	token := adminSecret.Data["token"]
+
+	c.JSON(200, gin.H{
+		"namespace": namespaceName,
+		"token":     string(token),
+		"message":   "Successfully created namespace " + namespaceName,
+	})
+
+	fmt.Println(app)
+}
+
+func gernerateNamespaceName() string {
+	rand.Seed(time.Now().UnixNano())
+	letterRunes := []rune("abcdefghijklmnopqrstuvwxyz0123456789")
+	b := make([]rune, 32)
+	for i := range b {
+		b[i] = letterRunes[rand.Intn(len(letterRunes))]
+	}
+	return "zombie-" + string(b)
+}
@@ -0,0 +1,79 @@
+package controllers
+
+import (
+	"auth-service/authorization"
+	"context"
+	"fmt"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/gin-gonic/gin"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+func DeleteNS(c *gin.Context) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		fmt.Println("Error getting in-cluster config:", err)
+		return
+	}
+
+	clientSet, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		fmt.Println("Error creating client:", err)
+		return
+	}
+
+	authorized, owner := authorization.AuthorizeUser(c)
+	if !authorized {
+		c.JSON(401, gin.H{
+			"message": "Not Authorized",
+		})
+		return
+	}
+
+	namespace := c.Param("namespace")
+	if !strings.HasPrefix(namespace, "zombie-") {
+		c.JSON(404, gin.H{
+			"message": "Not found",
+		})
+		return
+	}
+
+	ns, err := clientSet.CoreV1().Namespaces().Get(context.TODO(), namespace, metav1.GetOptions{})
+	if err != nil {
+		c.JSON(404, gin.H{
+			"message": "Not found",
+		})
+		return
+	}
+
+	nsActualOwner, ok := ns.Annotations["parity.io/owner"]
+	if !ok {
+		c.JSON(404, gin.H{
+			"message": "Not found",
+		})
+		return
+	}
+
+	if nsActualOwner != owner {
+		c.JSON(404, gin.H{
+			"message": "Not found",
+		})
+		return
+	}
+
+	err = clientSet.CoreV1().Namespaces().Delete(context.TODO(), namespace, metav1.DeleteOptions{})
+	if err != nil {
+		c.JSON(500, gin.H{
+			"message": err.Error(),
+		})
+		return
+	}
+
+	c.JSON(200, gin.H{
+		"message": "Namespace " + namespace + " deleted",
+	})
+}