

Move fleetworkspace validation to GlobalRoleResolver
raulcabello committed Apr 11, 2024
1 parent 109fe53 commit 006c813
Showing 14 changed files with 102 additions and 336 deletions.
2 changes: 1 addition & 1 deletion docs.md
Expand Up @@ -135,7 +135,7 @@ Rules without verbs, resources, or apigroups are not permitted. The `rules` incl

Escalation checks are bypassed if a user has the `escalate` verb on the GlobalRole that they are attempting to update or create. This can also be given through a wildcard permission (i.e. the `*` verb also gives `escalate`).

Users can only change GlobalRoles with rights less than or equal to those they currently possess. This is to prevent privilege escalation. This includes the rules in the RoleTemplates referred to in `inheritedClusterRoles`.
Users can only change GlobalRoles with rights less than or equal to those they currently possess. This is to prevent privilege escalation. This includes the rules in the RoleTemplates referred to in `inheritedClusterRoles` and the rules in `inheritedFleetWorkspacePermissions`.

Users can only grant rules in the `NamespacedRules` field with rights less than or equal to those they currently possess. This works on a per namespace basis, meaning that the user must have the permission
in the namespace specified. The `Rules` field apply to every namespace, which means a user can create `NamespacedRules` in any namespace that are equal to or less than the `Rules` they currently possess.
37 changes: 11 additions & 26 deletions pkg/auth/globalrole.go
Expand Up @@ -41,32 +41,7 @@ func (g *GlobalRoleResolver) GlobalRulesFromRole(gr *v3.GlobalRole) []rbacv1.Pol
return gr.Rules
}

// FleetWorkspaceRulesFromRole finds all rules which apply to all fleet workspaces except fleet-local.
func (g *GlobalRoleResolver) FleetWorkspaceRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule {
// no rules on a nil role
if gr == nil {
return nil
}
return gr.InheritedFleetWorkspacePermissions.ResourceRules
}

// FleetWorkspaceRulesFromRole finds all rules which apply to all fleet workspaces except fleet-local.
func (g *GlobalRoleResolver) FleetWorkspaceVerbsRuleFromRole(gr *v3.GlobalRole, workspaceNames []string) []rbacv1.PolicyRule {
if gr == nil {
return nil
}

return []rbacv1.PolicyRule{
{
Verbs: gr.InheritedFleetWorkspacePermissions.WorkspaceVerbs,
APIGroups: []string{"management.cattle.io"},
Resources: []string{"fleetworkspaces"},
ResourceNames: workspaceNames,
},
}
}

// ClusterRulesFromRole finds all rules which this gr gives on downstream clusters.
// ClusterRulesFromRole finds all rules which this gr gives on downstream clusters and fleet workspaces except local.
func (g *GlobalRoleResolver) ClusterRulesFromRole(gr *v3.GlobalRole) ([]rbacv1.PolicyRule, error) {
if gr == nil {
return nil, nil
Expand All @@ -90,6 +65,16 @@ func (g *GlobalRoleResolver) ClusterRulesFromRole(gr *v3.GlobalRole) ([]rbacv1.P
}
rules = append(rules, templateRules...)
}
if gr.InheritedFleetWorkspacePermissions.ResourceRules != nil {
rules = append(rules, gr.InheritedFleetWorkspacePermissions.ResourceRules...)
}
if gr.InheritedFleetWorkspacePermissions.WorkspaceVerbs != nil {
rules = append(rules, rbacv1.PolicyRule{
Verbs: gr.InheritedFleetWorkspacePermissions.WorkspaceVerbs,
APIGroups: []string{"management.cattle.io"},
Resources: []string{"fleetworkspaces"},
})
}
return rules, nil
}

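Review bot: The new WorkspaceVerbs guard in ClusterRulesFromRole tests for nil rather than emptiness, so an empty but non-nil `WorkspaceVerbs` slice appends a PolicyRule with no verbs, which the docs changed in this same commit say is not a permitted rule and may therefore trip validation downstream. Changing the guard to `if len(gr.InheritedFleetWorkspacePermissions.WorkspaceVerbs) > 0 {` avoids emitting that rule, and the `ResourceRules != nil` check above it can be dropped because appending a nil slice is already a no-op. Separately, the removed FleetWorkspaceVerbsRuleFromRole scoped the fleetworkspaces rule with `ResourceNames: workspaceNames`, whereas the new rule carries no ResourceNames and so covers every fleetworkspace; for an escalation check that is the more conservative direction, but the updated doc comment's "except local" reads as if the resolver still narrows by workspace, so it would be worth stating that the resolver now returns an unscoped fleetworkspaces rule and that any per-workspace narrowing is presumably done by the caller. ClusterRulesFromRole's body continues outside both hunks.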
1 change: 0 additions & 1 deletion pkg/codegen/main.go
Expand Up @@ -45,7 +45,6 @@ func main() {
v3.Node{},
v3.Project{},
v3.ClusterProxyConfig{},
v3.FleetWorkspace{},
},
},
"provisioning.cattle.io": {
208 changes: 0 additions & 208 deletions pkg/generated/controllers/management.cattle.io/v3/fleetworkspace.go

This file was deleted.


Expand Up @@ -16,7 +16,7 @@ Rules without verbs, resources, or apigroups are not permitted. The `rules` incl

Escalation checks are bypassed if a user has the `escalate` verb on the GlobalRole that they are attempting to update or create. This can also be given through a wildcard permission (i.e. the `*` verb also gives `escalate`).

Users can only change GlobalRoles with rights less than or equal to those they currently possess. This is to prevent privilege escalation. This includes the rules in the RoleTemplates referred to in `inheritedClusterRoles`.
Users can only change GlobalRoles with rights less than or equal to those they currently possess. This is to prevent privilege escalation. This includes the rules in the RoleTemplates referred to in `inheritedClusterRoles` and the rules in `inheritedFleetWorkspacePermissions`.

Users can only grant rules in the `NamespacedRules` field with rights less than or equal to those they currently possess. This works on a per namespace basis, meaning that the user must have the permission
in the namespace specified. The `Rules` field apply to every namespace, which means a user can create `NamespacedRules` in any namespace that are equal to or less than the `Rules` they currently possess.

0 comments on commit 006c813
