From 74fbe8e9b59407f00edac5d938ffbcd4e0027e21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20D=C3=B6ll?= Date: Mon, 16 Dec 2024 17:30:50 +0000 Subject: [PATCH] wip: update sample user
---
 api/v1alpha1/nats_user_types.go | 2 +- controllers/natsaccount_controller.go | 29 +++++++- controllers/natsuser_controller.go | 30 +++++++-- examples/account.yaml | 34 ---------- examples/sample_user.yaml | 67 +++++++++++++++++++ examples/system_account.yaml | 28 ++++---- .../templates/crds/natsusers.yaml | 2 + .../crd/bases/natz.zeiss.com_natsusers.yaml | 2 + 8 files changed, 138 insertions(+), 56 deletions(-) delete mode 100644 examples/account.yaml create mode 100644 examples/sample_user.yaml
diff --git a/api/v1alpha1/nats_user_types.go b/api/v1alpha1/nats_user_types.go
index a888003..87a7f5d 100644
--- a/api/v1alpha1/nats_user_types.go
+++ b/api/v1alpha1/nats_user_types.go
@@ -46,7 +46,7 @@ type NatsUserSpec struct {
 // PrivateKey is a reference to a secret that contains the private key
 PrivateKey NatsKeyReference `json:"privateKey,omitempty"`
 // SignerKeyRef is a reference to a secret that contains the account signing key
- SignerKeyRef NatsKeyReference `json:"signerKeyRef,omitempty"`
+ SignerKeyRef NatsKeyReference `json:"signerKeyRef"`
 // Permissions define the permissions for the user
 Permissions Permissions `json:"permissions,omitempty"`
 // Limits define the limits for the user
diff --git a/controllers/natsaccount_controller.go b/controllers/natsaccount_controller.go
index 9d673c8..fcfd58b 100644
--- a/controllers/natsaccount_controller.go
+++ b/controllers/natsaccount_controller.go
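Review bot: The doc comment on `SignerKeyRef` still reads like an optional reference now that `omitempty` is dropped and the generated CRDs in this commit list the field under `required`; state the contract in the comment, e.g. `// SignerKeyRef is a reference to the secret holding the account signing key; it is required.`. It is also worth saying there which key is acceptable — the sample in this commit points it at the account identity key, and the controller currently only works for that case. The `NatsUserSpec` struct begins and ends outside the hunk.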
@@ -175,13 +175,38 @@ func (r *NatsAccountReconciler) reconcileAccount(ctx context.Context, account *n
 }
 token := jwt.NewAccountClaims(public)
+ token.Name = account.Name
 token.Account = account.Spec.ToJWTAccount()
- jwt, err := token.Encode(signerKp)
+ // for _, key := range account.Spec.SigningKeys {
+ // sk := &corev1.Secret{}
+ // skName := client.ObjectKey{
+ // Namespace: account.Namespace,
+ // Name: key.Name,
+ // }
+
+ // if err := r.Get(ctx, skName, sk); err != nil {
+ // return err
+ // }
+
+ // skSigner, err := nkeys.FromSeed(sk.Data[OPERATOR_SEED_KEY])
+ // if err != nil {
+ // return err
+ // }
+
+ // pkSigner, err := skSigner.PublicKey()
+ // if err != nil {
+ // return err
+ // }
+
+ // token.SigningKeys.Add(pkSigner)
+ // }
+
+ t, err := token.Encode(signerKp)
 if err != nil {
 return err
 }
- account.Status.JWT = jwt
+ account.Status.JWT = t
 account.Status.PublicKey = public
 if !controllerutil.ContainsFinalizer(account, natsv1alpha1.FinalizerName) {
diff --git a/controllers/natsuser_controller.go b/controllers/natsuser_controller.go
index a3c5af5..f33e20c 100644
--- a/controllers/natsuser_controller.go
+++ b/controllers/natsuser_controller.go
@@ -117,6 +117,16 @@ func (r *NatsUserReconciler) reconcileResources(ctx context.Context, user *natsv
 }
 func (r *NatsUserReconciler) reconcileCredentials(ctx context.Context, user *natsv1alpha1.NatsUser) error {
+ privateKey := &corev1.Secret{}
+ privateKeyName := client.ObjectKey{
+ Namespace: user.Namespace,
+ Name: user.Spec.PrivateKey.Name,
+ }
+
+ if err := r.Get(ctx, privateKeyName, privateKey); err != nil {
+ return err
+ }
+
 secret := &corev1.Secret{}
 secretName := client.ObjectKey{
 Namespace: user.Namespace,
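Review bot: `token.Name = account.Name` takes the Kubernetes object name, but `examples/system_account.yaml` in this same commit adds `spec: name: SYS`, which suggests the JWT name is meant to come from the spec; if `NatsAccountSpec` has that field, use it and fall back to `account.Name` only when it is empty, otherwise the system account will be issued as `natsoperator-system`. The commented-out signing-key loop (and the matching `skAccount` block in the `reconcileUser` hunk of `natsuser_controller.go`) is dead code; either finish it or replace it with a single `// TODO: add account.Spec.SigningKeys to token.SigningKeys (needs IssuerAccount on user JWTs)` so the gap is explained. When it is revived, note that it opens each signing key's seed secret only to derive a public key — if `NatsKey` status already records the public key, read that instead so the account reconciler never needs the seeds. Renaming the local `jwt` to `t` removes the shadowing of the `jwt` package; `reconcileAccount` begins and ends outside the hunk.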
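Review bot: The new `r.Get` of the private-key secret returns the bare client error, so a failed reconcile reports only that some secret was not found, with no indication of which NatsUser or which spec field referenced it; wrap it as `return fmt.Errorf("getting private key secret %s/%s for user %s: %w", privateKeyName.Namespace, privateKeyName.Name, user.Name, err)` (`fmt` is already used by this file). The body of `reconcileCredentials` continues past the hunk.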
@@ -132,7 +142,7 @@ func (r *NatsUserReconciler) reconcileCredentials(ctx context.Context, user *nat
 secret.Type = natsv1alpha1.SecretUserCredentialsName
 secret.Data = map[string][]byte{
 "user.jwt": []byte(user.Status.JWT),
- "user.creds": []byte(fmt.Sprintf(ACCOUNT_TEMPLATE, user.Status.JWT, user.Spec.PrivateKey.Name)),
+ "user.creds": []byte(fmt.Sprintf(ACCOUNT_TEMPLATE, user.Status.JWT, privateKey.Data[OPERATOR_SEED_KEY])),
 }
 _, err := controllerutil.CreateOrUpdate(ctx, r.Client, secret, func() error {
@@ -167,6 +177,16 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 return err
 }
+ // skAccount := &natsv1alpha1.NatsAccount{}
+ // skAccountName := client.ObjectKey{
+ // Namespace: user.Namespace,
+ // Name: user.Spec.AccountRef.Name,
+ // }
+
+ // if err := r.Get(ctx, skAccountName, skAccount); err != nil {
+ // return err
+ // }
+
 pk := &natsv1alpha1.NatsKey{}
 pkName := client.ObjectKey{
 Namespace: user.Namespace,
@@ -183,7 +203,7 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 Name: user.Spec.PrivateKey.Name,
 }
- if err := r.Get(ctx, pkSecretName, pkSecret); errors.IsNotFound(err) {
+ if err := r.Get(ctx, pkSecretName, pkSecret); err != nil {
 return err
 }
@@ -204,12 +224,14 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 token := jwt.NewUserClaims(public)
 token.User = user.Spec.ToNatsJWT()
+ // by default sigining key is the account public key
+ // token.IssuerAccount = skAccount.Status.PublicKey
- jwt, err := token.Encode(signerKp)
+ t, err := token.Encode(signerKp)
 if err != nil {
 return err
 }
- user.Status.JWT = jwt
+ user.Status.JWT = t
 if !controllerutil.HasControllerReference(user) {
 if err := controllerutil.SetControllerReference(user, pk, r.Scheme); err != nil {
diff --git a/examples/account.yaml b/examples/account.yaml deleted file mode 100644
index 5443ada..0000000
--- a/examples/account.yaml
+++ /dev/null
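Review bot: `privateKey.Data[OPERATOR_SEED_KEY]` is a plain map index, so a secret that lacks that key yields `nil` and `user.creds` is silently written with an empty seed block, which clients then reject at connect time with an unhelpful error. Check presence before formatting, `seed, ok := privateKey.Data[OPERATOR_SEED_KEY]`, `if !ok { return fmt.Errorf("secret %s/%s has no %q entry", privateKey.Namespace, privateKey.Name, OPERATOR_SEED_KEY) }`, and pass `seed` to `Sprintf` — the error message must carry the key name, never the key value. Reusing a constant called `OPERATOR_SEED_KEY` for a user seed reads oddly; if it is simply the data key every NatsKey secret uses, a neutral name such as `SEED_KEY` would say so. `reconcileCredentials` starts and ends outside the hunk.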
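Review bot: The commented-out `token.IssuerAccount` line is the piece that matters as soon as a user is signed with one of the account's `signingKeys` instead of the account identity key: the server accepts such a user JWT only when the issuer is the signing key and the issuer-account claim names the account public key, and the comment above it (`sigining` is a typo for `signing`) calls the identity-key case the default, which holds only while `SignerKeyRef` points at the identity key as the sample does. Either set `IssuerAccount` from the account's `Status.PublicKey` whenever the signer differs from it, or document on `NatsUserSpec.SignerKeyRef` that it must currently be the account identity key, so the two cannot drift apart silently. `reconcileUser` starts and ends outside the hunk.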
@@ -1,34 +0,0 @@
-apiVersion: natz.zeiss.com/v1alpha1
-kind: NatsKey
-metadata:
- name: natsaccount-sample-private-key
-spec:
- type: Operator
----
-apiVersion: natz.zeiss.com/v1alpha1
-kind: NatsKey
-metadata:
- name: natsaccount-demo-signing-key
-spec:
- type: Operator
----
-apiVersion: natz.zeiss.com/v1alpha1
-kind: NatsAccount
-metadata:
- name: knative-eventing-account
-spec:
- operatorSigningKeyRef:
- name: natsoperator-sample
- allowedUserNamespaces:
- - knative-eventing
- imports: []
- exports: []
- limits:
- disk_storage: -1
- streams: -1
- conn: -1
- imports: -1
- exports: -1
- subs: -1
- payload: -1
- data: -1
diff --git a/examples/sample_user.yaml b/examples/sample_user.yaml new file mode 100644
index 0000000..1497a8f
--- /dev/null
+++ b/examples/sample_user.yaml
@@ -0,0 +1,67 @@
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsKey
+metadata:
+ name: natsaccount-sample-private-key
+spec:
+ type: Account
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsKey
+metadata:
+ name: natsaccount-demo-signing-key
+spec:
+ type: Account
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsAccount
+metadata:
+ name: natsaccount-sample
+spec:
+ signerKeyRef:
+ name: natsoperator-sample-private-key
+ privateKey:
+ name: natsaccount-sample-private-key
+ signingKeys:
+ - name: natsaccount-demo-signing-key
+ imports: []
+ exports: []
+ limits:
+ conn: -1
+ imports: -1
+ exports: -1
+ subs: -1
+ payload: -1
+ data: -1
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsKey
+metadata:
+ name: natsuser-sample-private-key
+spec:
+ type: User
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsUser
+metadata:
+ name: natsuser-sample
+spec:
+ privateKey:
+ name: natsuser-sample-private-key
+ signerKeyRef:
+ name: natsaccount-sample-private-key
+ permissions:
+ sub:
+ allow:
+ - "app.input.>"
+ - "app.process.data"
+ pub:
+ allow:
+ - "app.output.>"
+ resp:
+ # Allow request/reply
+ max: 1
+ ttl: -1
+ limits:
+ payload: -1
+ subs: -1
+ data: -1
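Review bot: `natsuser-sample` signs with `natsaccount-sample-private-key`, the account's identity key, while `natsaccount-demo-signing-key` declared under `signingKeys` is never used; signing users with the identity key means that key cannot be rotated or revoked without re-issuing the account, which is exactly what the signing-key mechanism exists to avoid. The sample would be a better template once `signerKeyRef` can point at the signing key (which needs the controller to set the issuer account, currently commented out), so for now add a comment above `signerKeyRef` saying that the identity key is required by the controller and that `signingKeys` entries are not yet usable for users.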
diff --git a/examples/system_account.yaml b/examples/system_account.yaml
index 6cac275..06e1bc2 100644
--- a/examples/system_account.yaml
+++ b/examples/system_account.yaml
@@ -17,26 +17,24 @@ kind: NatsAccount
 metadata:
 name: natsoperator-system
 spec:
+ name: SYS
 signerKeyRef:
- name: natsoperator-sample-private-key
+ name: natsoperator-system-private-key
 privateKey:
 name: natsoperator-system-private-key
 signingKeys:
 - name: natsoperator-system-signing-key
- exports:
- - name: account-monitoring-services
- subject: $SYS.REQ.ACCOUNT.*.*
- type: 2
- response_type: Stream
- account_token_position: 4
- description: "Request account specific monitoring services for: SUBSZ, CONNZ, LEAFZ, JSZ and INFO"
- info_url: "https://docs.nats.io/nats-server/configuration/sys_accounts"
- - name: account-monitoring-streams
- subject: $SYS.ACCOUNT.*.>"
- type: 1
- account_token_position: 3
- description: "Account specific monitoring stream"
- info_url: "https://docs.nats.io/nats-server/configuration/sys_accounts"
+ pub:
+ allow:
+ - $SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP
+ - $SYS.REQ.CLAIMS.UPDATE
+ sub:
+ allow:
+ - $SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP
+ resp:
+ max: -1
+ ttl: -1
+export:
 limits:
 exports: -1
 imports: -1
diff --git a/helm/charts/natz-operator/templates/crds/natsusers.yaml b/helm/charts/natz-operator/templates/crds/natsusers.yaml
index 49f5b28..d8b2498 100644
--- a/helm/charts/natz-operator/templates/crds/natsusers.yaml
+++ b/helm/charts/natz-operator/templates/crds/natsusers.yaml
@@ -152,6 +152,8 @@ spec:
 required:
 - name
 type: object
+ required:
+ - signerKeyRef
 type: object
 status:
 description: NatsUserStatus defines the observed state of NatsUser
diff --git a/manifests/crd/bases/natz.zeiss.com_natsusers.yaml b/manifests/crd/bases/natz.zeiss.com_natsusers.yaml
index 49f5b28..d8b2498 100644
--- a/manifests/crd/bases/natz.zeiss.com_natsusers.yaml
+++ b/manifests/crd/bases/natz.zeiss.com_natsusers.yaml
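Review bot: `+export:` sits at column 0 between the new `resp` block and ` limits:`, so it terminates the `spec` mapping and the indented `limits` that follows is parsed as a child of a new top-level `export` key; `spec.limits` is therefore lost from the applied object and the API server will prune or, under strict field validation, reject the unknown `export` field. It looks like a remnant of the deleted `exports` list — remove the line, or if an empty list is intended write `exports: []` at the same indentation as `limits`. `spec.name: SYS` is new here while the account controller hunk sets `token.Name = account.Name`; confirm the spec field is actually read, otherwise the system account JWT will be named after `metadata.name`. The `pub.allow` grant of `$SYS.REQ.CLAIMS.UPDATE` lets any user of this account push account JWTs to the resolver, which is what the operator needs but deserves a comment in the example so the block is not copied into ordinary accounts.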
@@ -152,6 +152,8 @@ spec:
 required:
 - name
 type: object
+ required:
+ - signerKeyRef
 type: object
 status:
 description: NatsUserStatus defines the observed state of NatsUser