feat: use COSI RD's sensitivity for RBAC

Refs #3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>

go.mod

@@ -3,6 +3,7 @@ module github.com/talos-systems/talos
 go 1.16
 
 replace (
+	// Use nested module.
 	github.com/talos-systems/talos/pkg/machinery => ./pkg/machinery
 
 	// forked go-yaml that introduces RawYAML interface, which can be used to populate YAML fields using bytes
@@ -28,7 +29,7 @@ require (
 	github.com/containernetworking/plugins v0.9.1
 	github.com/coreos/go-iptables v0.6.0
 	github.com/coreos/go-semver v0.3.0
-	github.com/cosi-project/runtime v0.0.0-20210611144007-85ab1ee09d8c
+	github.com/cosi-project/runtime v0.0.0-20210621171302-3698c5142954
 	github.com/docker/distribution v2.7.1+incompatible
 	github.com/docker/docker v20.10.7+incompatible
 	github.com/docker/go-connections v0.4.0

go.sum

@@ -305,8 +305,8 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/cosi-project/runtime v0.0.0-20210611144007-85ab1ee09d8c h1:MwjpJB4F5I71X7y8GD4vJ158gya+B88tc3g5uuJPohc=
-github.com/cosi-project/runtime v0.0.0-20210611144007-85ab1ee09d8c/go.mod h1:v/3MIWNuuOSdXXMl3QgCSwZrAk1fTOmQHEnTAfvDqP4=
+github.com/cosi-project/runtime v0.0.0-20210621171302-3698c5142954 h1:IvvTxWEugWa0kbkSELltW7idPl35CSZ7Q+M/yJ2tIFs=
+github.com/cosi-project/runtime v0.0.0-20210621171302-3698c5142954/go.mod h1:v/3MIWNuuOSdXXMl3QgCSwZrAk1fTOmQHEnTAfvDqP4=
 github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=

internal/app/machined/internal/server/v1alpha1/v1alpha1_resource.go

@@ -75,22 +75,22 @@ func (s *ResourceServer) resolveResourceKind(ctx context.Context, kind *resource
 	matched := []*meta.ResourceDefinition{}
 
 	for _, item := range registeredResources.Items {
-		resourceDefinition, ok := item.(*meta.ResourceDefinition)
+		rd, ok := item.(*meta.ResourceDefinition)
 		if !ok {
 			return nil, fmt.Errorf("unexpected resource definition type")
 		}
 
-		if strings.EqualFold(resourceDefinition.Metadata().ID(), kind.Type) {
-			matched = append(matched, resourceDefinition)
+		if strings.EqualFold(rd.Metadata().ID(), kind.Type) {
+			matched = append(matched, rd)
 
 			continue
 		}
 
-		spec := resourceDefinition.Spec().(meta.ResourceDefinitionSpec) //nolint:errcheck,forcetypeassert
+		spec := rd.Spec().(meta.ResourceDefinitionSpec) //nolint:errcheck,forcetypeassert
 
 		for _, alias := range spec.Aliases {
 			if strings.EqualFold(alias, kind.Type) {
-				matched = append(matched, resourceDefinition)
+				matched = append(matched, rd)
 
 				break
 			}
@@ -119,14 +119,19 @@ func (s *ResourceServer) resolveResourceKind(ctx context.Context, kind *resource
 	}
 }
 
-func (s *ResourceServer) checkReadAccess(ctx context.Context, kind *resourceKind) error {
+func (s *ResourceServer) checkReadAccess(ctx context.Context, kind *resourceKind, rd *meta.ResourceDefinition) error {
 	roles := authz.GetRoles(ctx)
+	spec := rd.Spec().(meta.ResourceDefinitionSpec) //nolint:errcheck,forcetypeassert
 
-	// TODO(rbac): check sensitivity levels once they are added to COSI
-	if strings.Contains(kind.Type, "secret") {
+	switch spec.Sensitivity {
+	case meta.Sensitive:
 		if !roles.Includes(role.Admin) {
 			return authz.ErrNotAuthorized
 		}
+	case meta.NonSensitive:
+		// nothing
+	default:
+		return fmt.Errorf("unexpected sensitivity %q", spec.Sensitivity)
 	}
 
 	registeredNamespaces, err := s.server.Controller.Runtime().State().V1Alpha2().Resources().List(ctx, resource.NewMetadata(meta.NamespaceName, meta.NamespaceType, "", resource.VersionUndefined))
@@ -145,17 +150,17 @@ func (s *ResourceServer) checkReadAccess(ctx context.Context, kind *resourceKind
 
 // Get implements resource.ResourceServiceServer interface.
 func (s *ResourceServer) Get(ctx context.Context, in *resourceapi.GetRequest) (*resourceapi.GetResponse, error) {
-	kind := resourceKind{
+	kind := &resourceKind{
 		Namespace: in.GetNamespace(),
 		Type:      in.GetType(),
 	}
 
-	resourceDefinition, err := s.resolveResourceKind(ctx, &kind)
+	rd, err := s.resolveResourceKind(ctx, kind)
 	if err != nil {
 		return nil, err
 	}
 
-	if err = s.checkReadAccess(ctx, &kind); err != nil {
+	if err = s.checkReadAccess(ctx, kind, rd); err != nil {
 		return nil, err
 	}
 
@@ -170,7 +175,7 @@ func (s *ResourceServer) Get(ctx context.Context, in *resourceapi.GetRequest) (*
 		return nil, err
 	}
 
-	protoD, err := marshalResource(resourceDefinition)
+	protoD, err := marshalResource(rd)
 	if err != nil {
 		return nil, err
 	}
@@ -192,17 +197,17 @@ func (s *ResourceServer) Get(ctx context.Context, in *resourceapi.GetRequest) (*
 
 // List implements resource.ResourceServiceServer interface.
 func (s *ResourceServer) List(in *resourceapi.ListRequest, srv resourceapi.ResourceService_ListServer) error {
-	kind := resourceKind{
+	kind := &resourceKind{
 		Namespace: in.GetNamespace(),
 		Type:      in.GetType(),
 	}
 
-	resourceDefinition, err := s.resolveResourceKind(srv.Context(), &kind)
+	rd, err := s.resolveResourceKind(srv.Context(), kind)
 	if err != nil {
 		return err
 	}
 
-	if err = s.checkReadAccess(srv.Context(), &kind); err != nil {
+	if err = s.checkReadAccess(srv.Context(), kind, rd); err != nil {
 		return err
 	}
 
@@ -213,7 +218,7 @@ func (s *ResourceServer) List(in *resourceapi.ListRequest, srv resourceapi.Resou
 		return err
 	}
 
-	protoD, err := marshalResource(resourceDefinition)
+	protoD, err := marshalResource(rd)
 	if err != nil {
 		return err
 	}
@@ -244,23 +249,23 @@ func (s *ResourceServer) List(in *resourceapi.ListRequest, srv resourceapi.Resou
 //
 //nolint:gocyclo
 func (s *ResourceServer) Watch(in *resourceapi.WatchRequest, srv resourceapi.ResourceService_WatchServer) error {
-	kind := resourceKind{
+	kind := &resourceKind{
 		Namespace: in.GetNamespace(),
 		Type:      in.GetType(),
 	}
 
-	resourceDefinition, err := s.resolveResourceKind(srv.Context(), &kind)
+	rd, err := s.resolveResourceKind(srv.Context(), kind)
 	if err != nil {
 		return err
 	}
 
-	if err = s.checkReadAccess(srv.Context(), &kind); err != nil {
+	if err = s.checkReadAccess(srv.Context(), kind, rd); err != nil {
 		return err
 	}
 
 	resources := s.server.Controller.Runtime().State().V1Alpha2().Resources()
 
-	protoD, err := marshalResource(resourceDefinition)
+	protoD, err := marshalResource(rd)
 	if err != nil {
 		return err
 	}

pkg/machinery/go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/containerd/go-cni v1.0.2
 	github.com/containernetworking/cni v0.8.1 // indirect; security fix in 0.8.1
-	github.com/cosi-project/runtime v0.0.0-20210611144007-85ab1ee09d8c
+	github.com/cosi-project/runtime v0.0.0-20210621171302-3698c5142954
 	github.com/dustin/go-humanize v1.0.0
 	github.com/evanphx/json-patch v4.11.0+incompatible
 	github.com/ghodss/yaml v1.0.0

pkg/machinery/go.sum

@@ -17,8 +17,8 @@ github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb
 github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
 github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
 github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
-github.com/cosi-project/runtime v0.0.0-20210611144007-85ab1ee09d8c h1:MwjpJB4F5I71X7y8GD4vJ158gya+B88tc3g5uuJPohc=
-github.com/cosi-project/runtime v0.0.0-20210611144007-85ab1ee09d8c/go.mod h1:v/3MIWNuuOSdXXMl3QgCSwZrAk1fTOmQHEnTAfvDqP4=
+github.com/cosi-project/runtime v0.0.0-20210621171302-3698c5142954 h1:IvvTxWEugWa0kbkSELltW7idPl35CSZ7Q+M/yJ2tIFs=
+github.com/cosi-project/runtime v0.0.0-20210621171302-3698c5142954/go.mod h1:v/3MIWNuuOSdXXMl3QgCSwZrAk1fTOmQHEnTAfvDqP4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

pkg/resources/config/machine_config.go

@@ -90,6 +90,7 @@ func (r *MachineConfig) ResourceDefinition() meta.ResourceDefinitionSpec {
 		Type:             MachineConfigType,
 		Aliases:          []resource.Type{},
 		DefaultNamespace: NamespaceName,
+		Sensitivity:      meta.Sensitive,
 	}
 }
 

pkg/resources/secrets/etcd.go

@@ -71,6 +71,7 @@ func (r *Etcd) ResourceDefinition() meta.ResourceDefinitionSpec {
 		Type:             EtcdType,
 		Aliases:          []resource.Type{},
 		DefaultNamespace: NamespaceName,
+		Sensitivity:      meta.Sensitive,
 	}
 }
 

pkg/resources/secrets/kubernetes.go

@@ -77,6 +77,7 @@ func (r *Kubernetes) ResourceDefinition() meta.ResourceDefinitionSpec {
 		Type:             KubernetesType,
 		Aliases:          []resource.Type{},
 		DefaultNamespace: NamespaceName,
+		Sensitivity:      meta.Sensitive,
 	}
 }
 

pkg/resources/secrets/root.go

@@ -111,6 +111,7 @@ func (r *Root) ResourceDefinition() meta.ResourceDefinitionSpec {
 		Type:             RootType,
 		Aliases:          []resource.Type{"rootSecret", "rootSecrets"},
 		DefaultNamespace: NamespaceName,
+		Sensitivity:      meta.Sensitive,
 	}
 }