Merge pull request #1697 from tangledbytes/utkarsh/remove-password

Remove usage of create_auth and reset_password API

Author: tangledbytes

go.mod

@@ -138,7 +138,7 @@ require (
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-playground/validator/v10 v10.15.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect

pkg/backingstore/backingstore.go

@@ -944,7 +944,7 @@ func WaitReady(backStore *nbv1.BackingStore) bool {
 	log := util.Logger()
 	klient := util.KubeClient()
 
-	interval := time.Duration(3)
+	interval := time.Duration(30)
 
 	err := wait.PollUntilContextCancel(ctx, interval*time.Second, true, func(ctx context.Context) (bool, error) {
 		err := klient.Get(util.Context(), util.ObjectKey(backStore), backStore)

pkg/nb/api.go

@@ -22,7 +22,6 @@ type Client interface {
 	ListBucketsAPI(ListBucketsParams) (ListBucketsReply, error)
 	ListHostsAPI(ListHostsParams) (ListHostsReply, error)
 
-	CreateAuthAPI(CreateAuthParams) (CreateAuthReply, error)
 	CreateSystemAPI(CreateSystemParams) (CreateSystemReply, error)
 	CreateAccountAPI(CreateAccountParams) (CreateAccountReply, error)
 	CreateBucketAPI(CreateBucketParams) error
@@ -65,7 +64,6 @@ type Client interface {
 
 	GenerateAccountKeysAPI(GenerateAccountKeysParams) error
 	UpdateAccountKeysAPI(UpdateAccountKeysParams) error
-	ResetPasswordAPI(ResetPasswordParams) error
 }
 
 // ReadAuthAPI calls auth_api.read_auth()
@@ -167,17 +165,6 @@ func (c *RPCClient) ListHostsAPI(params ListHostsParams) (ListHostsReply, error)
 	return res.Reply, err
 }
 
-// CreateAuthAPI calls auth_api.create_auth()
-func (c *RPCClient) CreateAuthAPI(params CreateAuthParams) (CreateAuthReply, error) {
-	req := &RPCMessage{API: "auth_api", Method: "create_auth", Params: params}
-	res := &struct {
-		RPCMessage `json:",inline"`
-		Reply      CreateAuthReply `json:"reply"`
-	}{}
-	err := c.Call(req, res)
-	return res.Reply, err
-}
-
 // CreateSystemAPI calls system_api.create_system()
 func (c *RPCClient) CreateSystemAPI(params CreateSystemParams) (CreateSystemReply, error) {
 	req := &RPCMessage{API: "system_api", Method: "create_system", Params: params}
@@ -444,9 +431,3 @@ func (c *RPCClient) UpdateAccountKeysAPI(params UpdateAccountKeysParams) error {
 	req := &RPCMessage{API: "account_api", Method: "update_account_keys", Params: params}
 	return c.Call(req, nil)
 }
-
-// ResetPasswordAPI calls account_api.reset_password()
-func (c *RPCClient) ResetPasswordAPI(params ResetPasswordParams) error {
-	req := &RPCMessage{API: "account_api", Method: "reset_password", Params: params}
-	return c.Call(req, nil)
-}

pkg/nb/types.go

@@ -286,7 +286,7 @@ type ListAccountsReply struct {
 // ListBcuketsParams is the params to account_api.list_buckets()
 type ListBucketsParams struct {
 	ContinuationToken *string `json:"continuation_token,omitempty"`
-	MaxBuckets *int `json:"max_buckets,omitempty"`
+	MaxBuckets        *int    `json:"max_buckets,omitempty"`
 }
 
 // ListBucketsReply is the reply of bucket_api.list_buckets()
@@ -316,19 +316,6 @@ type HostInfo struct {
 	Name string `json:"name"`
 }
 
-// CreateAuthParams is the params of auth_api.create_auth()
-type CreateAuthParams struct {
-	System   string `json:"system"`
-	Role     string `json:"role"`
-	Email    string `json:"email"`
-	Password string `json:"password,omitempty"`
-}
-
-// CreateAuthReply is the reply of auth_api.create_auth()
-type CreateAuthReply struct {
-	Token string `json:"token"`
-}
-
 // CreateSystemParams is the params of system_api.create_system()
 type CreateSystemParams struct {
 	Name     string       `json:"name"`
@@ -439,13 +426,6 @@ type UpdateAccountKeysParams struct {
 	AccessKeys S3AccessKeys `json:"access_keys"`
 }
 
-// ResetPasswordParams is the params of account_api.reset_password()
-type ResetPasswordParams struct {
-	Email                string       `json:"email"`
-	VerificationPassword MaskedString `json:"verification_password"`
-	Password             MaskedString `json:"password"`
-}
-
 // BackingStoreInfo describes backingstore info
 type BackingStoreInfo struct {
 	// Name describes backingstore name
@@ -585,15 +565,15 @@ type DeleteNamespaceResourceParams struct {
 
 // UpdateAccountParams is the params of account_api.update_account_s3_access()
 type UpdateAccountParams struct {
-	Name                *string                  `json:"username,omitempty"`
-	Email               string                   `json:"email"`
-	NewEmail            *string                  `json:"new_email,omitempty"`
-	AllowedIPs          *[]struct {
-		Start   string `json:"start"`
-		End     string `json:"end"`
+	Name       *string `json:"username,omitempty"`
+	Email      string  `json:"email"`
+	NewEmail   *string `json:"new_email,omitempty"`
+	AllowedIPs *[]struct {
+		Start string `json:"start"`
+		End   string `json:"end"`
 	} `json:"ips,omitempty"`
-	RoleConfig          interface{}              `json:"role_config,omitempty"`
-	RemoveRoleConfig    bool                     `json:"remove_role_config,omitempty"`
+	RoleConfig       interface{} `json:"role_config,omitempty"`
+	RemoveRoleConfig bool        `json:"remove_role_config,omitempty"`
 }
 
 // UpdateAccountS3AccessParams is the params of account_api.update_account_s3_access()

pkg/noobaaaccount/noobaaaccount.go

@@ -37,7 +37,6 @@ func Cmd() *cobra.Command {
 		CmdUpdate(),
 		CmdRegenerate(),
 		CmdCredentials(),
-		CmdPasswd(),
 		CmdDelete(),
 		CmdStatus(),
 		CmdList(),
@@ -105,28 +104,6 @@ func CmdCredentials() *cobra.Command {
 	return cmd
 }
 
-// CmdPasswd returns a CLI command
-func CmdPasswd() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:   "passwd <noobaa-account-name>",
-		Short: "reset password for noobaa account",
-		Run:   RunPasswd,
-	}
-	cmd.Flags().String(
-		"old-password", "",
-		`Old Password for authentication - the best practice is to **omit this flag**, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history`,
-	)
-	cmd.Flags().String(
-		"new-password", "",
-		`New Password for authentication - the best practice is to **omit this flag**, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history`,
-	)
-	cmd.Flags().String(
-		"retype-new-password", "",
-		`Retype new Password for authentication - the best practice is to **omit this flag**, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history`,
-	)
-	return cmd
-}
-
 // CmdDelete returns a CLI command
 func CmdDelete() *cobra.Command {
 	cmd := &cobra.Command{
@@ -285,8 +262,16 @@ func RunUpdate(cmd *cobra.Command, args []string) {
 	noobaaAccount.Name = name
 	noobaaAccount.Namespace = options.Namespace
 
-	isResourceBackingStore := checkResourceBackingStore(newDefaultResource)
-	isResourceNamespaceStore := checkResourceNamespaceStore(newDefaultResource)
+	sysClient, err := system.Connect(true)
+	if err != nil {
+		log.Fatalf("❌ failed to run RPC call: %s", err)
+	}
+
+	_, err = sysClient.NBClient.ReadPoolAPI(nb.ReadPoolParams{Name: newDefaultResource})
+	isResourceBackingStore := err == nil
+
+	_, err = sysClient.NBClient.ReadNamespaceResourceAPI(nb.ReadNamespaceResourceParams{Name: newDefaultResource})
+	isResourceNamespaceStore := err == nil
 
 	if isResourceBackingStore && isResourceNamespaceStore {
 		log.Fatalf(`❌  got BackingStore and NamespaceStore %q in namespace %q`,
@@ -436,53 +421,6 @@ func RunCredentials(cmd *cobra.Command, args []string) {
 	}
 }
 
-// RunPasswd runs a CLI command
-func RunPasswd(cmd *cobra.Command, args []string) {
-	log := util.Logger()
-
-	if len(args) != 1 || args[0] == "" {
-		log.Fatalf(`❌ Missing expected arguments: <noobaa-account-name> %s`, cmd.UsageString())
-	}
-
-	name := args[0]
-
-	oldPassword := util.GetFlagStringOrPromptPassword(cmd, "old-password")
-	newPassword := util.GetFlagStringOrPromptPassword(cmd, "new-password")
-	retypeNewPassword := util.GetFlagStringOrPromptPassword(cmd, "retype-new-password")
-
-	secret := util.KubeObject(bundle.File_deploy_internal_secret_empty_yaml).(*corev1.Secret)
-
-	if name == "admin@noobaa.io" {
-		secret.Name = "noobaa-admin"
-	} else {
-		secret.Name = fmt.Sprintf("noobaa-account-%s", name)
-	}
-	secret.Namespace = options.Namespace
-	if !util.KubeCheck(secret) {
-		log.Fatalf(`❌  Could not find secret: %s, will not reset password`, secret.Name)
-	}
-
-	if oldPassword != secret.StringData["password"] {
-		log.Fatalf(`❌  Password is incorrect, aborting.`)
-	}
-
-	err := ResetPassword(name, oldPassword, newPassword, retypeNewPassword)
-	if err != nil {
-		log.Fatalf(`❌ Could not reset password for %q: %v`, name, err)
-	}
-
-	secret.StringData = map[string]string{}
-	secret.StringData["password"] = newPassword
-
-	//If we will not be able to update the secret we will print the credentials as they allready been changed by the RPC
-	if !util.KubeUpdate(secret) {
-		log.Fatalf(`❌  Failed to update the secret %s with the new password, please write it down.`, secret.Name)
-	}
-
-	log.Printf("✅ Successfully reset the password for the account %q", name)
-
-}
-
 // RunDelete runs a CLI command
 func RunDelete(cmd *cobra.Command, args []string) {
 
@@ -877,47 +815,6 @@ func ValidateAccessKeys(accessKeys nb.S3AccessKeys) {
 	}
 }
 
-// ResetPassword reset noobaa account password
-func ResetPassword(name string, oldPassword string, newPassword string, retypeNewPassword string) error {
-	sysClient, err := system.Connect(true)
-	if err != nil {
-		return err
-	}
-
-	PasswordResstrictions(oldPassword, newPassword, retypeNewPassword)
-
-	err = sysClient.NBClient.ResetPasswordAPI(nb.ResetPasswordParams{
-		Email:                name,
-		VerificationPassword: nb.MaskedString(oldPassword),
-		Password:             nb.MaskedString(newPassword),
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// PasswordResstrictions checks for all kind of password restrictions
-func PasswordResstrictions(oldPassword string, newPassword string, retypeNewPassword string) {
-	log := util.Logger()
-
-	//Checking that we did not get the same password as the old one
-	if newPassword == oldPassword {
-		log.Fatalf(`❌  The password cannot match the old password, aborting.`)
-	}
-
-	//Checking that we got the same password twice
-	if newPassword != retypeNewPassword {
-		log.Fatalf(`❌  The password and is not matching the retype, aborting.`)
-	}
-
-	//TODO... This is the place for adding more restrictions
-	// length of password
-	// charecters
-
-}
-
 // checkResourceBackingStore checks if a resourceName exists and if BackingStore
 func checkResourceBackingStore(resourceName string) bool {
 	// check that a backing store exists

pkg/noobaaaccount/reconciler.go

@@ -361,19 +361,25 @@ func (r *Reconciler) CreateNooBaaAccount() error {
 	if exists {
 		if strings.ToLower(annotationValue) == strTrue {
 			// create join secret conatining auth token for remote noobaa account
-			res, err := r.NBClient.CreateAuthAPI(nb.CreateAuthParams{
-				System: r.NooBaa.Name,
-				Role:   "operator",
-				Email:  options.OperatorAccountEmail,
-			})
+			secretServer := util.KubeObject(bundle.File_deploy_internal_secret_empty_yaml).(*corev1.Secret)
+			secretServer.Namespace = r.Request.Namespace
+			secretServer.Name = options.SystemName
+			if !util.KubeCheck(secretServer) {
+				return fmt.Errorf("cannot create an auth token for remote operator - server secret not found")
+			}
+
+			token, err := util.MakeAuthToken(map[string]any{
+				"system": r.NooBaa.Name,
+				"role":   "operator",
+				"email":  options.OperatorAccountEmail,
+			}, []byte(secretServer.StringData["jwt"]))
 			if err != nil {
 				return fmt.Errorf("cannot create an auth token for remote operator, error: %v", err)
 			}
 			accessKeys := accountInfo.AccessKeys[0]
-			r.Secret.StringData["auth_token"] = res.Token
+			r.Secret.StringData["auth_token"] = token
 			r.Secret.StringData["AWS_ACCESS_KEY_ID"] = string(accessKeys.AccessKey)
 			r.Secret.StringData["AWS_SECRET_ACCESS_KEY"] = string(accessKeys.SecretKey)
-
 		}
 	} else {
 		var accessKeys nb.S3AccessKeys

pkg/options/options.go

@@ -30,7 +30,7 @@ const (
 	// ContainerImageRepo is the repo of the default image url
 	ContainerImageRepo = "noobaa-core"
 	// ContainerImageTag is the tag of the default image url
-	ContainerImageTag = "master-20250521"
+	ContainerImageTag = "master-20250911"
 	// ContainerImageSemverLowerBound is the lower bound for supported image versions
 	ContainerImageSemverLowerBound = "5.0.0"
 	// ContainerImageSemverUpperBound is the upper bound for supported image versions