add regexp to check usernames passed into create user command to prevent special chars from being passed in

jmccormick2001 · jmccormick2001 · commit 5dfd4e9dced1 · 2019-02-22T16:02:54.000-05:00
diff --git a/apiserver/userservice/userimpl.go b/apiserver/userservice/userimpl.go
@@ -20,6 +20,7 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -61,7 +62,7 @@ var defaultPasswordLength = 8
 // pgo user --change-password=bob --db=userdb
 //  --expired=7 --selector=env=research --update-passwords=true
 //  --valid-days=30
-func User(request *msgs.UserRequest) msgs.UserResponse {
+func User(request *msgs.UserRequest, ns string) msgs.UserResponse {
 	var err error
 	resp := msgs.UserResponse{}
 	resp.Status.Code = msgs.Ok
@@ -93,7 +94,7 @@ func User(request *msgs.UserRequest) msgs.UserResponse {
 	//get the clusters list
 	clusterList := crv1.PgclusterList{}
 	err = kubeapi.GetpgclustersBySelector(apiserver.RESTClient,
-		&clusterList, sel, apiserver.Namespace)
+		&clusterList, sel, ns)
 	if err != nil {
 		resp.Status.Code = msgs.Error
 		resp.Status.Msg = err.Error()
@@ -109,15 +110,15 @@ func User(request *msgs.UserRequest) msgs.UserResponse {
 	for _, cluster := range clusterList.Items {
 		//selector := util.LABEL_PG_CLUSTER + "=" + cluster.Spec.Name + "," + util.LABEL_PRIMARY + "=true"
 		selector := util.LABEL_PG_CLUSTER + "=" + cluster.Spec.Name + "," + util.LABEL_SERVICE_NAME + "=" + cluster.Spec.Name
-		deployments, err := kubeapi.GetDeployments(apiserver.Clientset, selector, apiserver.Namespace)
+		deployments, err := kubeapi.GetDeployments(apiserver.Clientset, selector, ns)
 		if err != nil {
 			resp.Status.Code = msgs.Error
 			resp.Status.Msg = err.Error()
 			return resp
 		}
 
 		for _, d := range deployments.Items {
-			info := getPostgresUserInfo(apiserver.Namespace, d.ObjectMeta.Name)
+			info := getPostgresUserInfo(ns, d.ObjectMeta.Name)
 
 			if request.ChangePasswordForUser != "" {
 				msg := "changing password of user " + request.ChangePasswordForUser + " on " + d.ObjectMeta.Name
@@ -137,7 +138,7 @@ func User(request *msgs.UserRequest) msgs.UserResponse {
 				pgbouncer := cluster.Spec.UserLabels[util.LABEL_PGBOUNCER] == "true"
 				pgpool := cluster.Spec.UserLabels[util.LABEL_PGPOOL] == "true"
 
-				err = updatePassword(cluster.Spec.Name, info, request.ChangePasswordForUser, newPassword, newExpireDate, apiserver.Namespace, pgpool, pgbouncer, request.PasswordLength)
+				err = updatePassword(cluster.Spec.Name, info, request.ChangePasswordForUser, newPassword, newExpireDate, ns, pgpool, pgbouncer, request.PasswordLength)
 				if err != nil {
 					log.Error(err.Error())
 					resp.Status.Code = msgs.Error
@@ -158,7 +159,7 @@ func User(request *msgs.UserRequest) msgs.UserResponse {
 							newExpireDate := GeneratePasswordExpireDate(request.PasswordAgeDays)
 							pgbouncer := cluster.Spec.UserLabels[util.LABEL_PGBOUNCER] == "true"
 							pgpool := cluster.Spec.UserLabels[util.LABEL_PGPOOL] == "true"
-							err = updatePassword(cluster.Spec.Name, v.ConnDetails, v.Rolname, newPassword, newExpireDate, apiserver.Namespace, pgpool, pgbouncer, request.PasswordLength)
+							err = updatePassword(cluster.Spec.Name, v.ConnDetails, v.Rolname, newPassword, newExpireDate, ns, pgpool, pgbouncer, request.PasswordLength)
 							if err != nil {
 								log.Error("error in updating password")
 							}
@@ -275,15 +276,15 @@ func updatePassword(clusterName string, p connInfo, username, newPassword, passw
 	}
 
 	if pgbouncer {
-		err := reconfigurePgbouncer(clusterName)
+		err := reconfigurePgbouncer(clusterName, namespace)
 		if err != nil {
 			log.Error(err)
 			return err
 		}
 	}
 
 	if pgpool {
-		err := reconfigurePgpool(clusterName)
+		err := reconfigurePgpool(clusterName, namespace)
 		if err != nil {
 			log.Error(err)
 			return err
@@ -508,7 +509,7 @@ func deleteUser(namespace, clusterName string, info connInfo, user string, manag
 
 // CreateUser ...
 // pgo create user user1
-func CreateUser(request *msgs.CreateUserRequest) msgs.CreateUserResponse {
+func CreateUser(request *msgs.CreateUserRequest, ns string) msgs.CreateUserResponse {
 	var err error
 	resp := msgs.CreateUserResponse{}
 	resp.Status.Code = msgs.Ok
@@ -529,7 +530,7 @@ func CreateUser(request *msgs.CreateUserRequest) msgs.CreateUserResponse {
 
 	//get a list of all clusters
 	err = kubeapi.GetpgclustersBySelector(apiserver.RESTClient,
-		&clusterList, request.Selector, apiserver.Namespace)
+		&clusterList, request.Selector, ns)
 	if err != nil {
 		resp.Status.Code = msgs.Error
 		resp.Status.Msg = err.Error()
@@ -544,10 +545,17 @@ func CreateUser(request *msgs.CreateUserRequest) msgs.CreateUserResponse {
 
 	log.Debugf("createUser clusters found len is %d", len(clusterList.Items))
 
+	re := regexp.MustCompile("^[a-z0-9.-]*$")
+	if !re.MatchString(request.Name) {
+		resp.Status.Code = msgs.Error
+		resp.Status.Msg = "user name is required to be lowercase letters and numbers only."
+		return resp
+	}
+
 	for _, c := range clusterList.Items {
-		info := getPostgresUserInfo(apiserver.Namespace, c.Name)
+		info := getPostgresUserInfo(ns, c.Name)
 
-		err = addUser(request, apiserver.Namespace, c.Name, info)
+		err = addUser(request, ns, c.Name, info)
 		if err != nil {
 			resp.Status.Code = msgs.Error
 			resp.Status.Msg = err.Error()
@@ -570,7 +578,7 @@ func CreateUser(request *msgs.CreateUserRequest) msgs.CreateUserResponse {
 
 		pgbouncer := c.Spec.UserLabels[util.LABEL_PGBOUNCER] == "true"
 		pgpool := c.Spec.UserLabels[util.LABEL_PGPOOL] == "true"
-		err = updatePassword(c.Name, info, request.Name, newPassword, newExpireDate, apiserver.Namespace, pgpool, pgbouncer, request.PasswordLength)
+		err = updatePassword(c.Name, info, request.Name, newPassword, newExpireDate, ns, pgpool, pgbouncer, request.PasswordLength)
 		if err != nil {
 			log.Error(err.Error())
 			resp.Status.Code = msgs.Error
@@ -584,18 +592,19 @@ func CreateUser(request *msgs.CreateUserRequest) msgs.CreateUserResponse {
 }
 
 // DeleteUser ...
-func DeleteUser(name, selector string) msgs.DeleteUserResponse {
+func DeleteUser(name, selector, ns string) msgs.DeleteUserResponse {
 	var err error
 
 	response := msgs.DeleteUserResponse{}
 	response.Status = msgs.Status{Code: msgs.Ok, Msg: ""}
 	response.Results = make([]string, 0)
 
+	log.Debugf("DeleteUser called name=%s", name)
 	clusterList := crv1.PgclusterList{}
 
 	//get the clusters list
 	err = kubeapi.GetpgclustersBySelector(apiserver.RESTClient,
-		&clusterList, selector, apiserver.Namespace)
+		&clusterList, selector, ns)
 	if err != nil {
 		response.Status.Code = msgs.Error
 		response.Status.Msg = err.Error()
@@ -614,18 +623,20 @@ func DeleteUser(name, selector string) msgs.DeleteUserResponse {
 
 	for _, cluster := range clusterList.Items {
 		clusterName = cluster.Spec.Name
-		info := getPostgresUserInfo(apiserver.Namespace, clusterName)
+		info := getPostgresUserInfo(ns, clusterName)
 
 		secretName := clusterName + "-" + name + "-secret"
 
-		managed, err = isManaged(secretName)
+		managed, err = isManaged(secretName, ns)
 		if err != nil {
 			response.Status.Code = msgs.Error
 			response.Status.Msg = err.Error()
 			return response
 		}
 
-		err = deleteUser(apiserver.Namespace, clusterName, info, name, managed)
+		log.Debugf("DeleteUser %s managed %t", name, managed)
+
+		err = deleteUser(ns, clusterName, info, name, managed)
 		if err != nil {
 			log.Error(err)
 			response.Status.Code = msgs.Error
@@ -640,7 +651,7 @@ func DeleteUser(name, selector string) msgs.DeleteUserResponse {
 		//see if any pooler needs to be reconfigured
 		if managed {
 			if cluster.Spec.UserLabels[util.LABEL_PGBOUNCER] == "true" {
-				err := reconfigurePgbouncer(clusterName)
+				err := reconfigurePgbouncer(clusterName, ns)
 				if err != nil {
 					log.Error(err)
 					response.Status.Code = msgs.Error
@@ -649,7 +660,7 @@ func DeleteUser(name, selector string) msgs.DeleteUserResponse {
 				}
 			}
 			if cluster.Spec.UserLabels[util.LABEL_PGPOOL] == "true" {
-				err := reconfigurePgpool(clusterName)
+				err := reconfigurePgpool(clusterName, ns)
 				if err != nil {
 					log.Error(err)
 					response.Status.Code = msgs.Error
@@ -665,8 +676,8 @@ func DeleteUser(name, selector string) msgs.DeleteUserResponse {
 
 }
 
-func isManaged(secretName string) (bool, error) {
-	_, found, err := kubeapi.GetSecret(apiserver.Clientset, secretName, apiserver.Namespace)
+func isManaged(secretName, ns string) (bool, error) {
+	_, found, err := kubeapi.GetSecret(apiserver.Clientset, secretName, ns)
 	if !found {
 		return false, nil
 	}
@@ -682,7 +693,7 @@ func isManaged(secretName string) (bool, error) {
 }
 
 // ShowUser ...
-func ShowUser(name, selector, expired string) msgs.ShowUserResponse {
+func ShowUser(name, selector, expired, ns string) msgs.ShowUserResponse {
 	var err error
 
 	response := msgs.ShowUserResponse{}
@@ -700,7 +711,7 @@ func ShowUser(name, selector, expired string) msgs.ShowUserResponse {
 
 	//get a list of all clusters
 	err = kubeapi.GetpgclustersBySelector(apiserver.RESTClient,
-		&clusterList, selector, apiserver.Namespace)
+		&clusterList, selector, ns)
 	if err != nil {
 		response.Status.Code = msgs.Error
 		response.Status.Msg = err.Error()
@@ -732,15 +743,15 @@ func ShowUser(name, selector, expired string) msgs.ShowUserResponse {
 		if expired != "" {
 			//selector := util.LABEL_PG_CLUSTER + "=" + c.Spec.Name + "," + util.LABEL_PRIMARY + "=true"
 			selector := util.LABEL_PG_CLUSTER + "=" + c.Spec.Name + "," + util.LABEL_SERVICE_NAME + "=" + c.Spec.Name
-			deployments, err := kubeapi.GetDeployments(apiserver.Clientset, selector, apiserver.Namespace)
+			deployments, err := kubeapi.GetDeployments(apiserver.Clientset, selector, ns)
 			if err != nil {
 				response.Status.Code = msgs.Error
 				response.Status.Msg = err.Error()
 				return response
 			}
 
 			for _, d := range deployments.Items {
-				info := getPostgresUserInfo(apiserver.Namespace, d.ObjectMeta.Name)
+				info := getPostgresUserInfo(ns, d.ObjectMeta.Name)
 				if expired != "" {
 					results := callDB(info, d.ObjectMeta.Name, expired)
 					if len(results) > 0 {
@@ -777,9 +788,10 @@ func deleteUserSecret(clientset *kubernetes.Clientset, clustername, username, na
 	return err
 }
 
-func reconfigurePgbouncer(clusterName string) error {
+func reconfigurePgbouncer(clusterName, ns string) error {
 	var err error
 	spec := crv1.PgtaskSpec{}
+	spec.Namespace = ns
 	spec.Name = util.LABEL_PGBOUNCER_TASK_RECONFIGURE + "-" + clusterName
 	spec.TaskType = crv1.PgtaskReconfigurePgbouncer
 	spec.StorageSpec = crv1.PgStorageSpec{}
@@ -797,18 +809,18 @@ func reconfigurePgbouncer(clusterName string) error {
 	newInstance.ObjectMeta.Labels[util.LABEL_PG_CLUSTER] = clusterName
 	newInstance.ObjectMeta.Labels[util.LABEL_PGBOUNCER_TASK_RECONFIGURE] = "true"
 
-	err = kubeapi.Createpgtask(apiserver.RESTClient,
-		newInstance, apiserver.Namespace)
+	err = kubeapi.Createpgtask(apiserver.RESTClient, newInstance, ns)
 	if err != nil {
 		log.Error(err)
 		return err
 	}
 	return err
 }
 
-func reconfigurePgpool(clusterName string) error {
+func reconfigurePgpool(clusterName, ns string) error {
 	var err error
 	spec := crv1.PgtaskSpec{}
+	spec.Namespace = ns
 	spec.Name = util.LABEL_PGPOOL_TASK_RECONFIGURE + "-" + clusterName
 	spec.TaskType = crv1.PgtaskReconfigurePgpool
 	spec.StorageSpec = crv1.PgStorageSpec{}
@@ -827,7 +839,7 @@ func reconfigurePgpool(clusterName string) error {
 	newInstance.ObjectMeta.Labels[util.LABEL_PGPOOL_TASK_RECONFIGURE] = "true"
 
 	err = kubeapi.Createpgtask(apiserver.RESTClient,
-		newInstance, apiserver.Namespace)
+		newInstance, ns)
 	if err != nil {
 		log.Error(err)
 		return err
