zhouyuhuan
/
Cloudpods


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393
							// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package identity

import (
	"fmt"
	"time"

	"yunion.io/x/jsonutils"
	"yunion.io/x/pkg/util/printutils"

	api "yunion.io/x/onecloud/pkg/apis/identity"
	"yunion.io/x/onecloud/pkg/mcclient"
	modules "yunion.io/x/onecloud/pkg/mcclient/modules/identity"
)

func init() {
	type CredentialListOptions struct {
		Scope      string `help:"scope" choices:"project|domain|system"`
		Type       string `help:"credential type" choices:"totp|recovery_secret|aksk|enc_key|container_image"`
		User       string `help:"filter by user"`
		UserDomain string `help:"the domain of user"`
	}
	R(&CredentialListOptions{}, "credential-list", "List all credentials", func(s *mcclient.ClientSession, args *CredentialListOptions) error {
		query := jsonutils.NewDict()
		if len(args.Type) > 0 {
			query.Add(jsonutils.NewString(args.Type), "type")
		}
		if len(args.Scope) > 0 {
			query.Add(jsonutils.NewString(args.Scope), "scope")
		}
		if len(args.User) > 0 {
			if len(args.UserDomain) > 0 {
				query.Add(jsonutils.NewString(args.UserDomain), "domain_id")
			}
			query.Add(jsonutils.NewString(args.User), "user_id")
		}
		results, err := modules.Credentials.List(s, query)
		if err != nil {
			return err
		}
		printList(results, nil)
		return nil
	})

	type CredentialTOTPOptions struct {
		USER       string `help:"User"`
		UserDomain string `help:"domain of user"`
	}
	R(&CredentialTOTPOptions{}, "credential-create-totp", "Create totp credential", func(s *mcclient.ClientSession, args *CredentialTOTPOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.USER, args.UserDomain)
		if err != nil {
			return err
		}
		secret, err := modules.Credentials.CreateTotpSecret(s, uid)
		if err != nil {
			return err
		}
		fmt.Println("secret:", secret)
		return nil
	})

	R(&CredentialTOTPOptions{}, "credential-get-totp", "Get totp credential for user", func(s *mcclient.ClientSession, args *CredentialTOTPOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.USER, args.UserDomain)
		if err != nil {
			return err
		}
		secret, err := modules.Credentials.GetTotpSecret(s, uid)
		if err != nil {
			return err
		}
		fmt.Println("secret:", secret)
		return nil
	})

	R(&CredentialTOTPOptions{}, "credential-remove-totp", "Remove totp credential for user", func(s *mcclient.ClientSession, args *CredentialTOTPOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.USER, args.UserDomain)
		if err != nil {
			return err
		}
		err = modules.Credentials.RemoveTotpSecrets(s, uid)
		if err != nil {
			return err
		}
		fmt.Println("success")
		return nil
	})

	type CredentialCreateRecoverySecretsOptions struct {
		USER       string   `help:"User"`
		UserDomain string   `help:"domain of user"`
		Question   []string `help:"questions"`
		Answer     []string `help:"answers"`
	}
	R(&CredentialCreateRecoverySecretsOptions{}, "credential-save-recovery-secrets", "save recovery secrets for user", func(s *mcclient.ClientSession, args *CredentialCreateRecoverySecretsOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.USER, args.UserDomain)
		if err != nil {
			return err
		}
		if len(args.Question) == 0 || len(args.Answer) == 0 {
			return fmt.Errorf("no recovery secrets provided")
		}
		if len(args.Question) != len(args.Answer) {
			return fmt.Errorf("number of questions and answers does not match")
		}
		secrets := make([]modules.SRecoverySecret, len(args.Question))
		for i := range args.Question {
			secrets[i] = modules.SRecoverySecret{
				Question: args.Question[i],
				Answer:   args.Answer[i],
			}
		}
		err = modules.Credentials.SaveRecoverySecrets(s, uid, secrets)
		if err != nil {
			return err
		}
		fmt.Println("success")
		return nil
	})

	R(&CredentialTOTPOptions{}, "credential-get-recovery-secrets", "Get totp credential for user", func(s *mcclient.ClientSession, args *CredentialTOTPOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.USER, args.UserDomain)
		if err != nil {
			return err
		}
		secret, err := modules.Credentials.GetRecoverySecrets(s, uid)
		if err != nil {
			return err
		}
		fmt.Println("secret:", secret)
		return nil
	})

	R(&CredentialTOTPOptions{}, "credential-remove-recovery-secrets", "Remove totp credential for user", func(s *mcclient.ClientSession, args *CredentialTOTPOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.USER, args.UserDomain)
		if err != nil {
			return err
		}
		err = modules.Credentials.RemoveRecoverySecrets(s, uid)
		if err != nil {
			return err
		}
		fmt.Println("success")
		return nil
	})

	type CredentialAkSkOptions struct {
		User          string `help:"User"`
		UserDomain    string `help:"domain of user"`
		Project       string `help:"Project"`
		ProjectDomain string `help:"domain of user"`
	}
	R(&CredentialAkSkOptions{}, "credential-create-aksk", "Create AccessKey/Secret credential", func(s *mcclient.ClientSession, args *CredentialAkSkOptions) error {
		var uid string
		var pid string
		var err error
		if len(args.User) > 0 {
			uid, err = modules.UsersV3.FetchId(s, args.User, args.UserDomain)
			if err != nil {
				return err
			}
		}
		if len(args.Project) > 0 {
			pid, err = modules.Projects.FetchId(s, args.Project, args.ProjectDomain)
			if err != nil {
				return err
			}
		}
		secret, err := modules.Credentials.CreateAccessKeySecret(s, uid, pid, time.Time{})
		if err != nil {
			return err
		}
		result := jsonutils.Marshal(secret)
		result.(*jsonutils.JSONDict).Add(jsonutils.NewString(secret.KeyId), "access_key")
		printObject(result)
		return nil
	})

	R(&CredentialAkSkOptions{}, "credential-get-aksk", "Get AccessKey/Secret credential for user and project", func(s *mcclient.ClientSession, args *CredentialAkSkOptions) error {
		var uid string
		var err error
		if len(args.User) > 0 {
			uid, err = modules.UsersV3.FetchId(s, args.User, args.UserDomain)
			if err != nil {
				return err
			}
		}
		var pid string
		if len(args.Project) > 0 {
			pid, err = modules.Projects.FetchId(s, args.Project, args.ProjectDomain)
			if err != nil {
				return err
			}
		}
		secrets, err := modules.Credentials.GetAccessKeySecrets(s, uid, pid)
		if err != nil {
			return err
		}
		result := printutils.ListResult{}
		result.Data = make([]jsonutils.JSONObject, len(secrets))
		for i := range secrets {
			result.Data[i] = jsonutils.Marshal(secrets[i])
			result.Data[i].(*jsonutils.JSONDict).Add(jsonutils.NewString(secrets[i].KeyId), "key_id")
			result.Data[i].(*jsonutils.JSONDict).Add(jsonutils.NewString(secrets[i].ProjectId), "project_id")
			result.Data[i].(*jsonutils.JSONDict).Add(jsonutils.NewTimeString(secrets[i].TimeStamp), "time_stamp")
		}
		printList(&result, nil)
		return nil
	})

	R(&CredentialAkSkOptions{}, "credential-remove-aksk", "Remove AccessKey/Secret credential for user and project", func(s *mcclient.ClientSession, args *CredentialAkSkOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.User, args.UserDomain)
		if err != nil {
			return err
		}
		var pid string
		if len(args.Project) > 0 {
			pid, err = modules.Projects.FetchId(s, args.Project, args.ProjectDomain)
			if err != nil {
				return err
			}
		}
		err = modules.Credentials.RemoveAccessKeySecrets(s, uid, pid)
		if err != nil {
			return err
		}
		fmt.Println("success")
		return nil
	})

	type OIDCCredentialOptions struct {
		User          string `help:"User"`
		UserDomain    string `help:"domain of user"`
		Project       string `help:"Project"`
		ProjectDomain string `help:"domain of user"`
	}

	type OIDCCredentialCreateOptions struct {
		RedirectUri string `help:"redirect URL"`
		OIDCCredentialOptions
	}
	R(&OIDCCredentialCreateOptions{}, "credential-create-oidc", "Create OpenID Connection Credential", func(s *mcclient.ClientSession, args *OIDCCredentialCreateOptions) error {
		var uid string
		var pid string
		var err error
		if len(args.User) > 0 {
			uid, err = modules.UsersV3.FetchId(s, args.User, args.UserDomain)
			if err != nil {
				return err
			}
		}
		if len(args.Project) > 0 {
			pid, err = modules.Projects.FetchId(s, args.Project, args.ProjectDomain)
			if err != nil {
				return err
			}
		}
		secret, err := modules.Credentials.CreateOIDCSecret(s, uid, pid, args.RedirectUri)
		if err != nil {
			return err
		}
		printObject(jsonutils.Marshal(&secret))
		return nil
	})

	R(&OIDCCredentialOptions{}, "credential-get-oidc", "Get OpenID Connect credential for user and project", func(s *mcclient.ClientSession, args *OIDCCredentialOptions) error {
		var uid string
		var err error
		if len(args.User) > 0 {
			uid, err = modules.UsersV3.FetchId(s, args.User, args.UserDomain)
			if err != nil {
				return err
			}
		}
		var pid string
		if len(args.Project) > 0 {
			pid, err = modules.Projects.FetchId(s, args.Project, args.ProjectDomain)
			if err != nil {
				return err
			}
		}
		secrets, err := modules.Credentials.GetOIDCSecret(s, uid, pid)
		if err != nil {
			return err
		}
		result := printutils.ListResult{}
		result.Data = make([]jsonutils.JSONObject, len(secrets))
		for i := range secrets {
			result.Data[i] = jsonutils.Marshal(secrets[i])
		}
		printList(&result, nil)
		return nil
	})

	R(&OIDCCredentialOptions{}, "credential-remove-oidc", "Remove OpenID Connect credential for user and project", func(s *mcclient.ClientSession, args *OIDCCredentialOptions) error {
		uid, err := modules.UsersV3.FetchId(s, args.User, args.UserDomain)
		if err != nil {
			return err
		}
		var pid string
		if len(args.Project) > 0 {
			pid, err = modules.Projects.FetchId(s, args.Project, args.ProjectDomain)
			if err != nil {
				return err
			}
		}
		err = modules.Credentials.RemoveOIDCSecrets(s, uid, pid)
		if err != nil {
			return err
		}
		fmt.Println("success")
		return nil
	})

	type CredentialDeleteOptions struct {
		ID string `help:"ID of credentail"`
	}
	R(&CredentialDeleteOptions{}, "credential-delete", "Delete credential", func(s *mcclient.ClientSession, args *CredentialDeleteOptions) error {
		result, err := modules.Credentials.Delete(s, args.ID, nil)
		if err != nil {
			return err
		}
		printObject(result)
		return nil
	})

	type CredentialUpdateOptions struct {
		ID      string `help:"ID of credentail"`
		Enable  bool   `help:"Enable credential"`
		Disable bool   `help:"Disable credential"`
		Name    string `help:"new name of credential"`
		Desc    string `help:"new description of credential"`
	}
	R(&CredentialUpdateOptions{}, "credential-update", "Enable/disable credential", func(s *mcclient.ClientSession, args *CredentialUpdateOptions) error {
		params := jsonutils.NewDict()
		if args.Enable {
			params.Add(jsonutils.JSONTrue, "enabled")
		} else if args.Disable {
			params.Add(jsonutils.JSONFalse, "enabled")
		}
		if args.Name != "" {
			params.Add(jsonutils.NewString(args.Name), "name")
		}
		if args.Desc != "" {
			params.Add(jsonutils.NewString(args.Desc), "description")
		}
		result, err := modules.Credentials.Update(s, args.ID, params)
		if err != nil {
			return err
		}
		printObject(result)
		return nil
	})

	type CredentialContainerImageOptions struct {
		NAME          string `help:"container image credential name"`
		USER          string `help:"container image credential user"`
		PASSWORD      string `help:"container image credential password"`
		Project       string `help:"Project"`
		ProjectDomain string `help:"domain of user"`
	}
	R(&CredentialContainerImageOptions{}, "credential-create-container-image", "Create container image crendential", func(s *mcclient.ClientSession, args *CredentialContainerImageOptions) error {
		var pid string
		var err error
		if len(args.Project) > 0 {
			pid, err = modules.Projects.FetchId(s, args.Project, args.ProjectDomain)
			if err != nil {
				return err
			}
		}
		obj, err := modules.Credentials.CreateContainerImageSecret(s, pid, args.NAME, &api.CredentialContainerImageBlob{
			Username: args.USER,
			Password: args.PASSWORD,
		})
		if err != nil {
			return err
		}
		printObject(obj)
		return nil
	})
}