Feature/change user password (#463)

* Change password in a database for a user
* Add unit tests
* Change password for user when hash secret has changed
* Add integration test for changing root password
* Add disclaimer
* Change comment
* Run unit test for whole pkg/deployment/...
* Check password in the database
* Fix nil receiver
* Fix removing root secret password
* Fix unit test definition in Makefile
* Don't validate non-existing users' secrets

Author: informalict

Makefile

@@ -308,8 +308,7 @@ run-unit-tests: $(SOURCES)
 		$(REPOPATH)/pkg/apis/deployment/v1alpha \
 		$(REPOPATH)/pkg/apis/replication/v1alpha \
 		$(REPOPATH)/pkg/apis/storage/v1alpha \
-		$(REPOPATH)/pkg/deployment/reconcile \
-		$(REPOPATH)/pkg/deployment/resources \
+		$(REPOPATH)/pkg/deployment/... \
 		$(REPOPATH)/pkg/storage \
 		$(REPOPATH)/pkg/util/k8sutil \
 		$(REPOPATH)/pkg/util/k8sutil/test \

pkg/apis/deployment/v1alpha/secret_hashes.go

@@ -34,6 +34,8 @@ type SecretHashes struct {
 	TLSCA string `json:"tls-ca,omitempty"`
 	// SyncTLSCA contains the hash of the sync.tls.caSecretName secret
 	SyncTLSCA string `json:"sync-tls-ca,omitempty"`
+	// User's map contains hashes for each user
+	Users map[string]string `json:"users,omitempty"`
 }
 
 // Equal compares two SecretHashes
@@ -47,5 +49,40 @@ func (sh *SecretHashes) Equal(other *SecretHashes) bool {
 	return sh.AuthJWT == other.AuthJWT &&
 		sh.RocksDBEncryptionKey == other.RocksDBEncryptionKey &&
 		sh.TLSCA == other.TLSCA &&
-		sh.SyncTLSCA == other.SyncTLSCA
+		sh.SyncTLSCA == other.SyncTLSCA &&
+		isStringMapEqual(sh.Users, other.Users)
+}
+
+// NewEmptySecretHashes creates new empty structure
+func NewEmptySecretHashes() *SecretHashes {
+	sh := &SecretHashes{}
+	sh.Users = make(map[string]string)
+	return sh
+}
+
+func isStringMapEqual(first map[string]string, second map[string]string) bool {
+	if first == nil && second == nil {
+		return true
+	}
+
+	if first == nil || second == nil {
+		return false
+	}
+
+	if len(first) != len(second) {
+		return false
+	}
+
+	for key, valueF := range first {
+		valueS, ok := second[key]
+		if !ok {
+			return false
+		}
+
+		if valueF != valueS {
+			return false
+		}
+	}
+
+	return true
 }

pkg/apis/deployment/v1alpha/secret_hashes_test.go

@@ -0,0 +1,164 @@
+//
+// DISCLAIMER
+//
+// Copyright 2019 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author [email protected]
+//
+
+package v1alpha
+
+import (
+	"github.com/magiconair/properties/assert"
+
+	"testing"
+)
+
+func TestSecretHashes_Equal(t *testing.T) {
+	// Arrange
+	sh := SecretHashes{}
+	testCases := []struct {
+		Name        string
+		CompareFrom *SecretHashes
+		CompareTo   *SecretHashes
+		Expected    bool
+	}{
+		{
+			Name:        "Parameter can not be nil",
+			CompareFrom: &SecretHashes{},
+			Expected:    false,
+		},
+		{
+			Name:        "The addresses are the same",
+			CompareFrom: &sh,
+			CompareTo:   &sh,
+			Expected:    true,
+		},
+		{
+			Name: "JWT token is different",
+			CompareFrom: &SecretHashes{
+				AuthJWT: "1",
+			},
+			CompareTo: &SecretHashes{
+				AuthJWT: "2",
+			},
+			Expected: false,
+		},
+		{
+			Name: "Users are different",
+			CompareFrom: &SecretHashes{
+				Users: map[string]string{
+					"root": "",
+				},
+			},
+			CompareTo: &SecretHashes{},
+			Expected:  false,
+		},
+		{
+			Name: "User's table size is different",
+			CompareFrom: &SecretHashes{
+				Users: map[string]string{
+					"root": "",
+				},
+			},
+			CompareTo: &SecretHashes{
+				Users: map[string]string{
+					"root": "",
+					"user": "",
+				},
+			},
+			Expected: false,
+		},
+		{
+			Name: "User's table has got different users",
+			CompareFrom: &SecretHashes{
+				Users: map[string]string{
+					"root": "",
+				},
+			},
+			CompareTo: &SecretHashes{
+				Users: map[string]string{
+					"user": "",
+				},
+			},
+			Expected: false,
+		},
+		{
+			Name: "User's table has got different hashes for users",
+			CompareFrom: &SecretHashes{
+				Users: map[string]string{
+					"root": "123",
+				},
+			},
+			CompareTo: &SecretHashes{
+				Users: map[string]string{
+					"root": "1234",
+				},
+			},
+			Expected: false,
+		},
+		{
+			Name: "Secret hashes are the same",
+			CompareFrom: &SecretHashes{
+				AuthJWT:              "1",
+				RocksDBEncryptionKey: "2",
+				TLSCA:                "3",
+				SyncTLSCA:            "4",
+				Users: map[string]string{
+					"root": "123",
+				},
+			},
+			CompareTo: &SecretHashes{
+				AuthJWT:              "1",
+				RocksDBEncryptionKey: "2",
+				TLSCA:                "3",
+				SyncTLSCA:            "4",
+				Users: map[string]string{
+					"root": "123",
+				},
+			},
+			Expected: true,
+		},
+		{
+			Name: "Secret hashes are the same without users",
+			CompareFrom: &SecretHashes{
+				AuthJWT:              "1",
+				RocksDBEncryptionKey: "2",
+				TLSCA:                "3",
+				SyncTLSCA:            "4",
+			},
+			CompareTo: &SecretHashes{
+				AuthJWT:              "1",
+				RocksDBEncryptionKey: "2",
+				TLSCA:                "3",
+				SyncTLSCA:            "4",
+			},
+			Expected: true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		//nolint:scopelint
+		t.Run(testCase.Name, func(t *testing.T) {
+			// Act
+			expected := testCase.CompareFrom.Equal(testCase.CompareTo)
+
+			// Assert
+			assert.Equal(t, testCase.Expected, expected)
+		})
+	}
+}

pkg/apis/deployment/v1alpha/zz_generated.deepcopy.go

@@ -32,13 +32,7 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	driver "github.com/arangodb/go-driver"
-
-	"github.com/arangodb/kube-arangodb/pkg/util/constants"
-)
-
-const (
-	rootUserName = "root"
+	"github.com/arangodb/go-driver"
 )
 
 // EnsureBootstrap executes the bootstrap once as soon as the deployment becomes ready
@@ -81,7 +75,9 @@ func (d *Deployment) ensureUserPasswordSecret(secrets k8sutil.SecretInterface, u
 	if auth, err := secrets.Get(secretName, metav1.GetOptions{}); k8sutil.IsNotFound(err) {
 		// Create new one
 		tokenData := make([]byte, 32)
-		rand.Read(tokenData)
+		if _, err = rand.Read(tokenData); err != nil {
+			return "", err
+		}
 		token := hex.EncodeToString(tokenData)
 		owner := d.GetAPIObject().AsOwner()
 
@@ -91,12 +87,9 @@ func (d *Deployment) ensureUserPasswordSecret(secrets k8sutil.SecretInterface, u
 
 		return token, nil
 	} else if err == nil {
-		user, ok := auth.Data[constants.SecretUsername]
-		if ok && string(user) == username {
-			pass, ok := auth.Data[constants.SecretPassword]
-			if ok {
-				return string(pass), nil
-			}
+		user, pass, err := k8sutil.GetSecretAuthCredentials(auth)
+		if err == nil && user == username {
+			return pass, nil
 		}
 		return "", fmt.Errorf("invalid secret format in secret %s", secretName)
 	} else {

pkg/deployment/bootstrap.go

@@ -24,7 +24,7 @@ package deployment
 
 import (
 	"k8s.io/api/core/v1"
-	v1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"