Adding support for bcrypt hashes

sebt3 · Dec 21, 2024 · 85b0439 · 85b0439
1 parent 9f279e7
commit 85b0439
Show file tree

Hide file tree

Showing 10 changed files with 181 additions and 22 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "kuberest"
-version = "1.1.4"
+version = "1.1.5"
 authors = ["Sébastien Huss <[email protected]>"]
 edition = "2021"
 default-run = "controller"
@@ -80,6 +80,7 @@ reqwest = { version = "0.12.4", features = ["rustls-tls"] }
 base64 = "0.22.1"
 rand = "0.8.5"
 argon2 = { version = "0.5.3", features = ["std"] }
+bcrypt = "0.16.0"
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"

diff --git a/charts/kuberest/Chart.yaml b/charts/kuberest/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: kuberest
 description: Allow to Control remote REST api endpoints from the confort of your cluster
 type: application
-version: "1.1.4"
-appVersion: "1.1.4"
+version: "1.1.5"
+appVersion: "1.1.5"
diff --git a/charts/kuberest/templates/rbac.yaml b/charts/kuberest/templates/rbac.yaml
@@ -49,3 +49,45 @@ roleRef:
   kind: ClusterRole
   name: {{ include "controller.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: 'true'
+  name: {{ include "controller.fullname" . }}:aggregate-to-view
+rules:
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints"]
+  verbs: ["get", "watch", "list"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+  name: {{ include "controller.fullname" . }}:aggregate-to-edit
+rules:
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints"]
+  verbs:
+  - patch
+  - update
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+  name: {{ include "controller.fullname" . }}:aggregate-to-admin
+rules:
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints/status"]
+  verbs:
+  - update
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints"]
+  verbs:
+  - create
+  - delete
+  - deletecollection
diff --git a/deploy/operator/deployment.yaml b/deploy/operator/deployment.yaml
@@ -8,7 +8,7 @@ metadata:
   labels:
     app: kuberest
     app.kubernetes.io/name: kuberest
-    app.kubernetes.io/version: "1.1.4"
+    app.kubernetes.io/version: "1.1.5"
   namespace: default
 automountServiceAccountToken: true
 ---
@@ -33,6 +33,51 @@ rules:
     verbs: ["create"]
 ---
 # Source: kuberest/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: 'true'
+  name: kuberest:aggregate-to-view
+rules:
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints"]
+  verbs: ["get", "watch", "list"]
+---
+# Source: kuberest/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+  name: kuberest:aggregate-to-edit
+rules:
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints"]
+  verbs:
+  - patch
+  - update
+---
+# Source: kuberest/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+  name: kuberest:aggregate-to-admin
+rules:
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints/status"]
+  verbs:
+  - update
+- apiGroups: ["kuberest.solidite.fr"]
+  resources: ["restendpoints"]
+  verbs:
+  - create
+  - delete
+  - deletecollection
+---
+# Source: kuberest/templates/rbac.yaml
 # Binding the role to the account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -57,7 +102,7 @@ metadata:
   labels:
     app: kuberest
     app.kubernetes.io/name: kuberest
-    app.kubernetes.io/version: "1.1.4"
+    app.kubernetes.io/version: "1.1.5"
 spec:
   type: ClusterIP
   ports:
@@ -77,7 +122,7 @@ metadata:
   labels:
     app: kuberest
     app.kubernetes.io/name: kuberest
-    app.kubernetes.io/version: "1.1.4"
+    app.kubernetes.io/version: "1.1.5"
 spec:
   replicas: 1
   selector:
@@ -95,7 +140,7 @@ spec:
         {}
       containers:
       - name: kuberest
-        image: sebt3/kuberest:1.1.4
+        image: sebt3/kuberest:1.1.5
         imagePullPolicy: IfNotPresent
         securityContext:
           {}

diff --git a/src/handlebarshandler.rs b/src/handlebarshandler.rs
@@ -1,4 +1,8 @@
-use crate::{hasheshandlers::Argon, passwordhandler::Passwords, Error, Result, RhaiRes};
+use crate::{
+    hasheshandlers::{self, Argon},
+    passwordhandler::Passwords,
+    Error, Result, RhaiRes,
+};
 use base64::{engine::general_purpose::STANDARD, Engine as _};
 use handlebars::{handlebars_helper, Handlebars};
 use handlebars_misc_helpers::new_hbs;
@@ -33,6 +37,13 @@ handlebars_helper!(argon_hash: |password:Value| Argon::new().hash(password.as_st
     warn!("handlebars::argon_hash failed to convert to string with: {e:?}");
     String::new()
 }));
+handlebars_helper!(bcrypt_hash: |password:Value| hasheshandlers::bcrypt_hash(password.as_str().unwrap_or_else(|| {
+    warn!("handlebars::bcrypt_hash received a non-string password: {:?}",password);
+    ""
+}).to_string()).unwrap_or_else(|e| {
+    warn!("handlebars::bcrypt_hash failed to convert to string with: {e:?}");
+    String::new()
+}));
 handlebars_helper!(gen_password: |len:u32| Passwords::new().generate(len, 6, 2, 2));
 handlebars_helper!(gen_password_alphanum:  |len:u32| Passwords::new().generate(len, 8, 2, 0));
 
@@ -48,6 +59,7 @@ impl HandleBars<'_> {
         engine.register_helper("base64_encode", Box::new(base64_encode));
         engine.register_helper("header_basic", Box::new(header_basic));
         engine.register_helper("argon_hash", Box::new(argon_hash));
+        engine.register_helper("bcrypt_hash", Box::new(bcrypt_hash));
         engine.register_helper("gen_password", Box::new(gen_password));
         engine.register_helper("gen_password_alphanum", Box::new(gen_password_alphanum));
         // TODO: add more helpers

diff --git a/src/hasheshandlers.rs b/src/hasheshandlers.rs
@@ -3,6 +3,7 @@ use argon2::{
     password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
     Argon2,
 };
+use bcrypt::{hash, DEFAULT_COST};
 
 #[derive(Clone, Debug)]
 pub struct Argon {
@@ -36,3 +37,7 @@ impl Argon {
         self.hash(password).map_err(rhai_err)
     }
 }
+
+pub fn bcrypt_hash(password: String) -> Result<String> {
+    hash(&password, DEFAULT_COST).map_err(Error::BcryptError)
+}
diff --git a/src/lib.rs b/src/lib.rs
@@ -36,6 +36,9 @@ pub enum Error {
     #[error("Argon2 password_hash error {0}")]
     Argon2hash(#[from] argon2::password_hash::Error),
 
+    #[error("Bcrypt hash error {0}")]
+    BcryptError(#[from] bcrypt::BcryptError),
+
     #[error("Unsupported method")]
     UnsupportedMethod,
 

diff --git a/src/restendpoint.rs b/src/restendpoint.rs
@@ -1012,9 +1012,11 @@ impl RestEndPoint {
                     )
                     .unwrap_or_else(|e| {
                         conditions.push(ApplicationCondition::write_failed(&format!(
-                            "Templating write.{}.{}.values raised {e:?}",
+                            "Templating write.{}.{}.values \n{}\nusing values: \n{}\nraised {e:?}",
                             group.name.clone(),
-                            item.name
+                            item.name,
+                            item.values.as_str(),
+                            serde_yaml::to_string(&values).unwrap_or_default()
                         )));
                         json!({})
                     });
@@ -1583,7 +1585,10 @@ impl RestEndPoint {
         } else if self.spec.teardown.is_none() {
             // no teardown script, only prepare client if there are some write to delete
             let status = self.status.clone().unwrap();
-            do_prepare_client = status.owned_target.is_empty();
+            do_prepare_client = !status.owned_target.is_empty();
+        }
+        if !do_prepare_client {
+            tracing::info!("Skipping to prepare the client");
         }
         let mut rhai = Script::new();
         rhai.ctx.set_or_push("hbs", hbs.clone());

diff --git a/src/rhaihandler.rs b/src/rhaihandler.rs
@@ -30,6 +30,9 @@ impl Script {
             .register_fn("log_info", |s: ImmutableString| tracing::info!("{s}"))
             .register_fn("log_warn", |s: ImmutableString| tracing::warn!("{s}"))
             .register_fn("log_error", |s: ImmutableString| tracing::error!("{s}"))
+            .register_fn("bcrypt_hash", |s: ImmutableString| {
+                crate::hasheshandlers::bcrypt_hash(s.to_string()).map_err(rhai_err)
+            })
             .register_fn("gen_password", |len: u32| -> String {
                 Passwords::new().generate(len, 6, 2, 2)
             })