Also check for wildcard rules
ebaron committed Aug 20, 2018
1 parent b3dcc97 commit fe78458
Showing 5 changed files with 25,532 additions and 26 deletions.
67 changes: 41 additions & 26 deletions kubernetes/deployments_access.go
Expand Up @@ -35,7 +35,7 @@ type KubeAccessControl interface {

// Actions on a resource type that are required by one of our API methods
type requestedAccess struct {
resource qualifiedResource
resource *qualifiedResource
verbs []string
}

Expand All @@ -51,25 +51,40 @@ type qualifiedResource struct {
// Only handle rules that aren't qualified by resource name or URL
type simpleAccessRule map[string]struct{}

// Wildcard which can imply all API groups or all resources
const rulesReviewWildcard = "*"

// Qualified resource for all API groups and all resources
var allResAllGroup = &qualifiedResource{rulesReviewWildcard, rulesReviewWildcard}

// Checks the subject rules review for the desired actions on resources
func (rulesMap accessRules) isAuthorized(reqs []*requestedAccess) bool {
for _, req := range reqs {
// Look up rules for resource type
rules, pres := rulesMap[req.resource]
if !pres {
return false
}
// Check rules for resource type and also check wildcard variations
res := req.resource
allRes := &qualifiedResource{res.apiGroup, rulesReviewWildcard}
allGroup := &qualifiedResource{rulesReviewWildcard, res.resourceType}

// Check if all requested actions are permitted
for _, verb := range req.verbs {
_, pres := rules[verb]
if !pres {
if !containsVerb(rulesMap, res, verb) &&
!containsVerb(rulesMap, allResAllGroup, verb) &&
!containsVerb(rulesMap, allRes, verb) &&
!containsVerb(rulesMap, allGroup, verb) {
return false
}
}
}
return true
}

func containsVerb(rulesMap accessRules, res *qualifiedResource, verb string) bool {
// Look up rules for resource type
rule := rulesMap[*res]
_, pres := rule[verb]
return pres
}

// CanGetSpace returns whether the user is authorized to call KubeClientInterface.GetSpace
func (kc *kubeClient) CanGetSpace() (bool, error) {
// Also need access to build configs and builds in user namespace
Expand Down Expand Up @@ -117,11 +132,11 @@ func (kc *kubeClient) CanGetApplication() (bool, error) {
}

var getDeploymentRules = []*requestedAccess{
{qualifiedResource{"", "deploymentconfigs"}, []string{verbGet}},
{qualifiedResource{"", "replicationcontrollers"}, []string{verbList}},
{qualifiedResource{"", "pods"}, []string{verbList}},
{qualifiedResource{"", "services"}, []string{verbList}},
{qualifiedResource{"", "routes"}, []string{verbList}},
{&qualifiedResource{"", "deploymentconfigs"}, []string{verbGet}},
{&qualifiedResource{"", "replicationcontrollers"}, []string{verbList}},
{&qualifiedResource{"", "pods"}, []string{verbList}},
{&qualifiedResource{"", "services"}, []string{verbList}},
{&qualifiedResource{"", "routes"}, []string{verbList}},
}

// CanGetDeployment returns whether the user is authorized to call KubeClientInterface.GetDeployment
Expand All @@ -130,9 +145,9 @@ func (kc *kubeClient) CanGetDeployment(envName string) (bool, error) {
}

var scaleDeploymentRules = []*requestedAccess{
{qualifiedResource{"", "deploymentconfigs"}, []string{verbGet}},
{qualifiedResource{"", "deploymentconfigs/scale"}, []string{verbGet}},
{qualifiedResource{"", "deploymentconfigs/scale"}, []string{verbUpdate}},
{&qualifiedResource{"", "deploymentconfigs"}, []string{verbGet}},
{&qualifiedResource{"", "deploymentconfigs/scale"}, []string{verbGet}},
{&qualifiedResource{"", "deploymentconfigs/scale"}, []string{verbUpdate}},
}

// CanScaleDeployment returns whether the user is authorized to call KubeClientInterface.ScaleDeployment
Expand All @@ -141,9 +156,9 @@ func (kc *kubeClient) CanScaleDeployment(envName string) (bool, error) {
}

var deleteDeploymentRules = []*requestedAccess{
{qualifiedResource{"", "services"}, []string{verbList, verbDelete}},
{qualifiedResource{"", "routes"}, []string{verbList, verbDelete}},
{qualifiedResource{"", "deploymentconfigs"}, []string{verbGet, verbDelete}},
{&qualifiedResource{"", "services"}, []string{verbList, verbDelete}},
{&qualifiedResource{"", "routes"}, []string{verbList, verbDelete}},
{&qualifiedResource{"", "deploymentconfigs"}, []string{verbGet, verbDelete}},
}

// CanDeleteDeployment returns whether the user is authorized to call KubeClientInterface.DeleteDeployment
Expand All @@ -152,9 +167,9 @@ func (kc *kubeClient) CanDeleteDeployment(envName string) (bool, error) {
}

var getDeploymentStatsRules = []*requestedAccess{
{qualifiedResource{"", "deploymentconfigs"}, []string{verbGet}},
{qualifiedResource{"", "replicationcontrollers"}, []string{verbList}},
{qualifiedResource{"", "pods"}, []string{verbList}},
{&qualifiedResource{"", "deploymentconfigs"}, []string{verbGet}},
{&qualifiedResource{"", "replicationcontrollers"}, []string{verbList}},
{&qualifiedResource{"", "pods"}, []string{verbList}},
}

// CanGetDeploymentStats returns whether the user is authorized to call KubeClientInterface.GetDeploymentStats
Expand Down Expand Up @@ -182,12 +197,12 @@ func (kc *kubeClient) checkAuthorizedWithBuilds(envName string, reqs []*requeste
const environmentTypeUser = "user"

var getBuildConfigsAndBuildsRules = []*requestedAccess{
{qualifiedResource{"", "buildconfigs"}, []string{verbList}},
{qualifiedResource{"", "builds"}, []string{verbList}},
{&qualifiedResource{"", "buildconfigs"}, []string{verbList}},
{&qualifiedResource{"", "builds"}, []string{verbList}},
}

var getBuildsRules = []*requestedAccess{
{qualifiedResource{"", "builds"}, []string{verbList}},
{&qualifiedResource{"", "builds"}, []string{verbList}},
}

func (kc *kubeClient) checkAuthorizedInEnv(reqs []*requestedAccess, envName string) (bool, error) {
Expand All @@ -200,7 +215,7 @@ func (kc *kubeClient) checkAuthorizedInEnv(reqs []*requestedAccess, envName stri
}

var getEnvironmentRules = []*requestedAccess{
{qualifiedResource{"", "resourcequotas"}, []string{verbList}},
{&qualifiedResource{"", "resourcequotas"}, []string{verbList}},
}

// CanGetEnvironments returns whether the user is authorized to call KubeClientInterface.GetEnvironments
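Review bot: Wildcard verbs are still not matched: containsVerb looks up only the literal verb in the rule set, so a rules-review entry granting `verbs: ["*"]` on a resource still yields false, even though the new isAuthorized now handles `*` in apiGroup and resourceType. Unless the code that populates accessRules expands `*` verbs (not visible in this hunk), containsVerb should also test the wildcard verb, e.g. `if _, pres := rule[verb]; pres { return true }` followed by `_, pres := rule[rulesReviewWildcard]` and `return pres`. The effect is a false denial rather than a false grant, so a fully-privileged caller is refused rather than an unprivileged one admitted. Separately, containsVerb dereferences `*res` unguarded; with requestedAccess.resource now a pointer, a nil entry in one of the rules tables panics instead of being rejected, so `if res == nil { return false }` at the top of containsVerb is cheap insurance. isAuthorized and containsVerb are fully inside the hunk; the qualifiedResource struct they index starts above it.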
18 changes: 18 additions & 0 deletions kubernetes/deployments_access_blackbox_test.go
Expand Up @@ -119,6 +119,24 @@ func TestCanGetDeployment(t *testing.T) {
cassetteName: "can-i",
expectedResult: true,
},
{
testName: "All Resource",
envName: "run",
cassetteName: "can-i-all-resource",
expectedResult: true,
},
{
testName: "All Groups",
envName: "run",
cassetteName: "can-i-all-groups",
expectedResult: true,
},
{
testName: "All Groups & Resources",
envName: "run",
cassetteName: "can-i-all-groups-resource",
expectedResult: true,
},
{
testName: "No Builds",
envName: "run",
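Review bot: All three new cases expect `expectedResult: true`, so the wildcard matching is pinned only on its permissive side; a case whose cassette grants `*` solely in an unrelated apiGroup, or solely on a different resource, and expects false would catch a future over-broad match, which is the failure mode that matters for an access check. The case names also do not say which of the deploymentconfigs/replicationcontrollers/pods/services/routes entries the wildcard covers, so a short comment per case naming the rule shape in the cassette would make the intent readable without opening the recording. The table is inside TestCanGetDeployment, whose body starts and ends outside this hunk.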
