From 8ef2ec091a9fe3ccc1d58db08e8d5b375d1ee9f3 Mon Sep 17 00:00:00 2001
From: Stephen Han
Date: Tue, 6 Aug 2024 16:22:24 -0700
Subject: [PATCH] SSHOTCP-7294 Migrate the Slingshot 2.2.0 HPCM/Baremetal FM RBAC policy into CSM
---
 .../templates/policies/keycloak-admin.yaml | 17 +++++++++++++
 .../cray-opa/tests/opa/hmn_test.rego.tpl | 2 ++
 .../tests/opa/keycloak-admin_test.rego.tpl | 25 +++++++++++++++++++
 3 files changed, 44 insertions(+)
diff --git a/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml b/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml
index 957e9d1..6252fea 100644
--- a/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml
+++ b/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml
@@ -129,6 +129,14 @@ data:
 regex.match(perm.path, original_path)
 }
 
+ # Slingshot Administrator Allow, only to Fabric Manager endpoints
+ allow {
+ parsed_kc_token.payload.resource_access["system-slingshot-client"].roles[_] == "slingshot-admin"
+ some perm in allowed_slingshot_admin_methods
+ perm.method = http_request.method
+ regex.match(perm.path, original_path)
+ }
+
 # Check if there is an authorization header and split the type from token
 found_auth = {"type": a_type, "token": a_token} {
 [a_type, a_token] := split(http_request.headers.authorization, " ")
@@ -181,5 +189,14 @@ data:
 {"method": "GET", "path": `^/apis/bos/v2/version$`} # GETs allow views on specific BOS version information
 ]
 
+ allowed_slingshot_admin_methods := [
+ # Fabric Manager
+ {"method": "DELETE", "path": `^/apis/fabric-manager/.*$`},
+ {"method": "GET", "path": `^/apis/fabric-manager/.*$`},
+ {"method": "PATCH", "path": `^/apis/fabric-manager/.*$`},
+ {"method": "POST", "path": `^/apis/fabric-manager/.*$`},
+ {"method": "PUT", "path": `^/apis/fabric-manager/.*$`}
+ ]
+
 {{- end }}
 {{- end }}
diff --git a/kubernetes/cray-opa/tests/opa/hmn_test.rego.tpl b/kubernetes/cray-opa/tests/opa/hmn_test.rego.tpl
index c7f0707..42a8ad1 100644
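Review bot: The new `allow` rule mixes unification and comparison: `perm.method = http_request.method` sits directly under a `== "slingshot-admin"` check, and with both sides bound it behaves as equality, but the idiomatic form for a pure check is `perm.method == http_request.method`. `some perm in allowed_slingshot_admin_methods` also requires the `in` future keyword to be imported; the context lines just above end with the same `regex.match(perm.path, original_path)` shape, so presumably the import already exists, but the top of the file is outside this hunk and worth confirming. A one-line comment would help the next maintainer see that a token with no `system-slingshot-client` entry leaves this rule undefined rather than failing closed by accident: `# Undefined (no grant) when the token carries no system-slingshot-client client roles`.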
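Review bot: Every entry in `allowed_slingshot_admin_methods` uses the identical catch-all pattern `^/apis/fabric-manager/.*$`, so the list is a blanket grant of all five methods over the entire Fabric Manager API namespace, unlike the BOS entries above it that pin specific versions and carry a per-line intent comment. State that breadth explicitly so it reads as deliberate, e.g. replace `# Fabric Manager` with `# Fabric Manager: slingshot-admin is intentionally granted every listed method on every path under /apis/fabric-manager/`. If DELETE or PUT were meant to be narrower than GET, this list is where those paths should be spelled out.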
--- a/kubernetes/cray-opa/tests/opa/hmn_test.rego.tpl
+++ b/kubernetes/cray-opa/tests/opa/hmn_test.rego.tpl
@@ -1,3 +1,5 @@
+# -*- mode: rego -*-
+
 # Copyright 2021-2023 Hewlett Packard Enterprise Development LP
 
 package istio.authz
diff --git a/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl b/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
index 60aa5d7..fb140a5 100644
--- a/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
+++ b/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
@@ -1,3 +1,5 @@
+# -*- mode: rego -*-
+
 # Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 package istio.authz
@@ -383,3 +385,26 @@ test_spire_invalid_sub {
 allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": hmnfd_subscriptions_path, "headers": {"x-forwarded-access-token": spire_sub}}}}}
 allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": hmnfd_subscriptions_path, "headers": {"x-forwarded-access-token": spire_sub}}}}}
 }
+
+
+ # Slingshot Admin role
+ test_slingshot_admin {
+
+ # Verify slingshot-admin role has access to only FM endpoints
+ not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/fabric-manager/fabric/host-settings", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+
+ not allow.http_status with input as {"attributes": {"request": {"http": {"method": "DELETE", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+ not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+ not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+ not allow.http_status with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+ not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PUT", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+
+ # Verify slingshot-admin role has no access to non-FM endpoints
+ allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": 
"GET", "path": "/apis/bos/v2", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}
+ }
+
+ # Slingshot Guest role
+ test_slingshot_guest {
+ # Verify non slingshot-admin role has no access to non-FM endpoints
+ allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/fabric-manager/fabric/host-settings", "headers": {"authorization": "Bearer {{ .slingshotGuestToken }}"}}}}}
+ }
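Review bot: `test_slingshot_admin` exercises the five allowed methods but never asserts that a method outside the list is rejected on a Fabric Manager path, which is the assertion that would catch a later widening of `allowed_slingshot_admin_methods`; the neighbouring `test_spire_invalid_sub` does exactly this with HEAD. Add beside the non-FM check `allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": "/apis/fabric-manager/fabric/agents/x0c0r0b0", "headers": {"authorization": "Bearer {{ .slingshotAdminToken }}"}}}}}`. `test_slingshot_guest` asserts only a 403, which an empty, expired or malformed `{{ .slingshotGuestToken }}` would produce just as well, so on its own it does not prove that the role distinction is what denies access; pairing it with a positive assertion on an endpoint the guest token is expected to reach, if the policy has one, would make it meaningful. Both template values are new, so the harness presumably has to mint those tokens; that is outside this hunk.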