
DVS-2961: Allow SLS calls to generate DVS node map (#104)
-Added policies for SLS under DVS to allow the dvs_generate_map
script to use the data from SLS to generate the node map.

-Updated the tests for SLS to ensure access is available to the
path /apis/sls/v1/networks. Cleaned up comments for current spire
tests under APIs used by DVS, matching current keycloak tests.

-Tested the change by editing the opa-policy-ingressgateway-spire
config map and restarting pods. Verified that the SLS data is
sent via the API when using a new valid token.

Co-authored-by: David Ibarra <david.ibarra@hpe.com>
DavidIbarr and David Ibarra authored Jan 11, 2024
1 parent 12195f4 commit 99e098f
Showing 3 changed files with 28 additions and 9 deletions.
2 changes: 1 addition & 1 deletion kubernetes/cray-opa/Chart.yaml
Expand Up @@ -23,7 +23,7 @@
#
apiVersion: v2
name: cray-opa
version: 1.33.2
version: 1.33.3
description: Cray Open Policy Agent
keywords:
- opa
10 changes: 7 additions & 3 deletions kubernetes/cray-opa/templates/policies/spire.yaml
@@ -1,5 +1,5 @@
{{- /*
Copyright 2021-2023 Hewlett Packard Enterprise Development LP
Copyright 2021-2024 Hewlett Packard Enterprise Development LP
*/ -}}
{{- range $name, $options := .Values.ingresses }}
{{- if $options.policies.spire }}
Expand Down Expand Up @@ -80,11 +80,15 @@ data:
# These pass xnames via POST. This will be removed once the v2 API is being used.
{"method": "POST", "path": `^/apis/hmnfd/hmi/v1/subscribe$`},

#SMD -> GET everything, DVS needs SoftwareStatus. REVOKED permission to update BulkSoftwareStatus
# SMD -> GET everything, DVS needs SoftwareStatus. REVOKED permission to update BulkSoftwareStatus
{"method": "GET", "path": `^/apis/smd/hsm/v2/.*$`},
{"method": "HEAD", "path": `^/apis/smd/hsm/v2/.*$`},

#HMNFD -> subscribe only, cannot create state change notifications
# SLS -> GET - node map IP addresses
{"method": "GET", "path": `^/apis/sls/v1/.*$`},
{"method": "HEAD", "path": `^/apis/sls/v1/.*$`},

# HMNFD -> subscribe only, cannot create state change notifications
{"method": "GET", "path": `^/apis/hmnfd/hmi/v1/subscriptions$`},
{"method": "HEAD", "path": `^/apis/hmnfd/hmi/v1/subscriptions$`},
{"method": "PATCH", "path": `^/apis/hmnfd/hmi/v1/subscribe$`},
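Review bot: The two new SLS entries (the GET and HEAD lines with the pattern `^/apis/sls/v1/.*$`) grant the DVS identity read access to every SLS v1 resource, while the commit message and the new test only need `/apis/sls/v1/networks` for the node map. The neighbouring HMNFD rule shows the narrower form already used in this policy; replacing `.*` with `networks` in both the GET and HEAD patterns keeps this to the data the generate-map script consumes, and it can be widened later if other SLS resources turn out to be needed. The comment on these lines should also record the consumer, e.g. `# SLS -> GET networks only; used by dvs_generate_map to build the node map`. The DVS policy block these entries belong to starts above this hunk.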
25 changes: 20 additions & 5 deletions kubernetes/cray-opa/tests/opa/spire_test.rego.tpl
@@ -1,4 +1,4 @@
# Copyright 2021-2023 Hewlett Packard Enterprise Development LP
# Copyright 2021-2024 Hewlett Packard Enterprise Development LP

package istio.authz
## HOW TO DO UNIT TESTING
Expand All @@ -13,9 +13,11 @@ cos_config_mock_path = "/apis/v2/cos/mock"
hbtb_heartbeat_path = "/apis/hbtd/hmi/v1/heartbeat"
nmd_mock_path = "/apis/v2/nmd/status"
smd_statecomponents_path = "/apis/smd/hsm/v2/State/Components"
smd_ethernetinterfaces_path = "/apis/smd/hsm/v2/Inventory/EthernetInterfaces"
smd_softwarestatus_compute_path = "/apis/smd/hsm/v2/State/Components/x1/SoftwareStatus"
smd_softwarestatus_ncn_path = "/apis/smd/hsm/v2/State/Components/ncnw001/SoftwareStatus"
smd_softwarestatus_invalid_path = "/apis/smd/hsm/v2/State/Components/invalid/SoftwareStatus"
sls_networks_path = "/apis/sls/v1/networks"
hmnfd_subscribe_path = "/apis/hmnfd/hmi/v1/subscribe"
hmnfd_subscriptions_path = "/apis/hmnfd/hmi/v1/subscriptions"
pals_mock_path = "/apis/pals/v1/mock"
Expand Down Expand Up @@ -46,11 +48,22 @@ spire_correct_ncn_sub(sub) {

allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": nmd_mock_path, "headers": {"authorization": sub}}}}}

# SMD - Allowed
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": smd_ethernetinterfaces_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": smd_ethernetinterfaces_path, "headers": {"authorization": sub}}}}}

not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": smd_softwarestatus_ncn_path, "headers": {"authorization": sub}}}}}

# Validate that DVS can access SoftwareStatus
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": "/apis/smd/hsm/v2/State/Components/ncnw001/SoftwareStatus", "headers": {"authorization": sub}}}}}

# SLS - Allowed
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": sls_networks_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": sls_networks_path, "headers": {"authorization": sub}}}}}

# HMNFD - Allowed
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": hmnfd_subscribe_path, "headers": {"authorization": sub}}}}}
Expand All @@ -69,10 +82,6 @@ spire_correct_ncn_sub(sub) {

# Validate that only CFS can access
allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": cfs_ncn_mock_path, "headers": {"authorization": sub}}}}}

# Validate that DVS can access SoftwareStatus
# not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": "/apis/smd/hsm/v2/State/Components/ncnw001/SoftwareStatus", "headers": {"authorization": sub}}}}}

}

spire_correct_compute_sub(sub) {
Expand All @@ -87,11 +96,17 @@ spire_correct_compute_sub(sub) {
allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": nmd_mock_path, "headers": {"authorization": sub}}}}}
allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": nmd_mock_path, "headers": {"authorization": sub}}}}}

# SMD - Allowed
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": smd_statecomponents_path, "headers": {"authorization": sub}}}}}

not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": smd_softwarestatus_compute_path, "headers": {"authorization": sub}}}}}

# SLS - Allowed
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": sls_networks_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": sls_networks_path, "headers": {"authorization": sub}}}}}

# HMNFD - Allowed
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": hmnfd_subscriptions_path, "headers": {"authorization": sub}}}}}
not allow.http_status with input as {"attributes": {"request": {"http": {"method": "PATCH", "path": hmnfd_subscribe_path, "headers": {"authorization": sub}}}}}
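Review bot: The block added under `# SLS - Allowed` in spire_correct_ncn_sub (and repeated in spire_correct_compute_sub in the last hunk) only asserts that GET and HEAD succeed; nothing pins that a write to SLS is rejected, whereas the NMD checks just above it assert POST returns 403. Adding `allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "POST", "path": sls_networks_path, "headers": {"authorization": sub}}}}}` to both rules would catch a policy regression that widens the SLS method list. Separately, the re-enabled `# Validate that DVS can access SoftwareStatus` check hard-codes the ncnw001 path and duplicates the PATCH check on smd_softwarestatus_ncn_path three lines above it, so one of the two can be dropped. Both rules begin outside their hunks.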
