Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions pkg/apiserver/apiserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -402,7 +402,7 @@ func (c completedConfig) New(ctx context.Context) (*UIServer, error) {

v1alpha1storage := map[string]rest.Storage{}
v1alpha1storage[scannerreportsapi.ResourceImages] = imagestorage.NewStorage(ctrlClient)
v1alpha1storage[scannerreportsapi.ResourceCVEReports] = reportstorage.NewStorage(ctrlClient)
v1alpha1storage[scannerreportsapi.ResourceCVEReports] = reportstorage.NewStorage(ctrlClient, rbacAuthorizer)
apiGroupInfo.VersionedResourcesStorageMap["v1alpha1"] = v1alpha1storage

if err := s.GenericAPIServer.InstallAPIGroup(&apiGroupInfo); err != nil {
Expand All @@ -413,7 +413,7 @@ func (c completedConfig) New(ctx context.Context) (*UIServer, error) {
apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(policyapi.GroupName, Scheme, metav1.ParameterCodec, Codecs)

v1alpha1storage := map[string]rest.Storage{}
v1alpha1storage[policyapi.ResourcePolicyReports] = policystorage.NewStorage(ctrlClient)
v1alpha1storage[policyapi.ResourcePolicyReports] = policystorage.NewStorage(ctrlClient, rbacAuthorizer)
apiGroupInfo.VersionedResourcesStorageMap["v1alpha1"] = v1alpha1storage

if err := s.GenericAPIServer.InstallAPIGroup(&apiGroupInfo); err != nil {
Expand All @@ -424,7 +424,7 @@ func (c completedConfig) New(ctx context.Context) (*UIServer, error) {
apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(costapi.GroupName, Scheme, metav1.ParameterCodec, Codecs)

v1alpha1storage := map[string]rest.Storage{}
v1alpha1storage[costapi.ResourceCostReports] = coststorage.NewStorage(ctrlClient)
v1alpha1storage[costapi.ResourceCostReports] = coststorage.NewStorage(ctrlClient, rbacAuthorizer)
apiGroupInfo.VersionedResourcesStorageMap["v1alpha1"] = v1alpha1storage

if err := s.GenericAPIServer.InstallAPIGroup(&apiGroupInfo); err != nil {
Expand Down
12 changes: 11 additions & 1 deletion pkg/registry/cost/reports/storage.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"strings"

costapi "kubeops.dev/ui-server/apis/cost/v1alpha1"
"kubeops.dev/ui-server/pkg/shared"

gs "github.com/gorilla/schema"
"github.com/pkg/errors"
Expand All @@ -34,6 +35,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/registry/rest"
"sigs.k8s.io/controller-runtime/pkg/client"
)
Expand All @@ -45,6 +47,7 @@ var (

type Storage struct {
kc client.Client
a authorizer.Authorizer
}

var (
Expand All @@ -55,9 +58,10 @@ var (
_ rest.SingularNameProvider = &Storage{}
)

func NewStorage(kc client.Client) *Storage {
func NewStorage(kc client.Client, a authorizer.Authorizer) *Storage {
return &Storage{
kc: kc,
a: a,
}
}

Expand All @@ -82,6 +86,12 @@ func (r *Storage) Destroy() {}
func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.ValidateObjectFunc, _ *metav1.CreateOptions) (runtime.Object, error) {
in := obj.(*costapi.CostReport)

// The cost report aggregates spend across the whole cluster and has no single
// resource to scope to, so require cluster-wide read access.
if err := shared.Authorize(ctx, r.a, shared.ClusterReadAttributes()); err != nil {
return nil, err
}

once.Do(func() error {
var svcs core.ServiceList
err := r.kc.List(ctx, &svcs, client.MatchingLabels{
Expand Down
74 changes: 74 additions & 0 deletions pkg/registry/cost/reports/storage_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
/*
Copyright AppsCode Inc. and Contributors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package reports

import (
"context"
"testing"

costapi "kubeops.dev/ui-server/apis/cost/v1alpha1"

apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
)

type fakeAuthorizer struct {
decision authorizer.Decision
got authorizer.Attributes
}

func (f *fakeAuthorizer) Authorize(_ context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
f.got = a
return f.decision, "because test", nil
}

func ctxWithUser() context.Context {
return apirequest.WithUser(context.Background(), &user.DefaultInfo{Name: "tester"})
}

// TestCreateDeniedWithoutClusterReadAccess verifies the cost report requires cluster-wide
// read access: a denied authorizer yields a Forbidden response, and the check asks for
// "get" on */*. Because the report has no single resource to scope to, the gate must run
// before any OpenCost call is attempted.
func TestCreateDeniedWithoutClusterReadAccess(t *testing.T) {
fa := &fakeAuthorizer{decision: authorizer.DecisionDeny}
kc := fake.NewClientBuilder().Build()
r := NewStorage(kc, fa)

_, err := r.Create(ctxWithUser(), &costapi.CostReport{}, nil, nil)
if !apierrors.IsForbidden(err) {
t.Fatalf("expected Forbidden, got %v", err)
}
if fa.got.GetVerb() != "get" || fa.got.GetAPIGroup() != "*" || fa.got.GetResource() != "*" {
t.Errorf("expected cluster-wide read (get */*), got verb=%q group=%q resource=%q",
fa.got.GetVerb(), fa.got.GetAPIGroup(), fa.got.GetResource())
}
}

func TestCreateMissingUserIsBadRequest(t *testing.T) {
fa := &fakeAuthorizer{decision: authorizer.DecisionAllow}
kc := fake.NewClientBuilder().Build()
r := NewStorage(kc, fa)

_, err := r.Create(context.Background(), &costapi.CostReport{}, nil, nil)
if !apierrors.IsBadRequest(err) {
t.Fatalf("expected BadRequest for missing user, got %v", err)
}
}
48 changes: 47 additions & 1 deletion pkg/registry/policy/reports/storage.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,12 @@ import (
"kubeops.dev/ui-server/pkg/shared"

"gomodules.xyz/sets"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/registry/rest"
kmapi "kmodules.xyz/client-go/api/v1"
"kmodules.xyz/resource-metadata/apis/meta/v1alpha1"
Expand All @@ -41,6 +43,7 @@ import (

type Storage struct {
kc client.Client
a authorizer.Authorizer
}

var (
Expand All @@ -51,9 +54,10 @@ var (
_ rest.SingularNameProvider = &Storage{}
)

func NewStorage(kc client.Client) *Storage {
func NewStorage(kc client.Client, a authorizer.Authorizer) *Storage {
return &Storage{
kc: kc,
a: a,
}
}

Expand All @@ -75,9 +79,51 @@ func (r *Storage) New() runtime.Object {

func (r *Storage) Destroy() {}

// authorize ensures the caller may read the scope whose policy violations are reported:
// cluster scope requires cluster-wide read, namespace scope requires access to the
// namespace, and a resource scope requires get access to the referenced object.
func (r *Storage) authorize(ctx context.Context, req *policyapi.PolicyReportRequest) error {
if req == nil || shared.IsClusterRequest(&req.ObjectInfo) {
return shared.Authorize(ctx, r.a, shared.ClusterReadAttributes())
}
if shared.IsNamespaceRequest(&req.ObjectInfo) {
return shared.Authorize(ctx, r.a, authorizer.AttributesRecord{
Verb: "get",
Resource: "namespaces",
Name: req.Ref.Name,
})
}

rid := req.Resource
if rid.Kind == "" {
r2, err := kmapi.ExtractResourceID(r.kc.RESTMapper(), req.Resource)
if err != nil {
return err
}
rid = *r2
}
mapping, err := r.kc.RESTMapper().RESTMapping(schema.GroupKind{Group: rid.Group, Kind: rid.Kind})
if err != nil {
return apierrors.NewInternalError(err)
}
return shared.Authorize(ctx, r.a, authorizer.AttributesRecord{
Verb: "get",
APIGroup: mapping.Resource.Group,
Resource: mapping.Resource.Resource,
Namespace: req.Ref.Namespace,
Name: req.Ref.Name,
})
}

func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.ValidateObjectFunc, _ *metav1.CreateOptions) (runtime.Object, error) {
in := obj.(*policyapi.PolicyReport)

// The policy report exposes constraint violations for the requested scope, so require
// the caller to be allowed to read that scope before returning it.
if err := r.authorize(ctx, in.Request); err != nil {
return nil, err
}

var (
scp scopeDetails
resourceGraph *v1alpha1.ResourceGraphResponse
Expand Down
121 changes: 121 additions & 0 deletions pkg/registry/policy/reports/storage_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
/*
Copyright AppsCode Inc. and Contributors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package reports

import (
"context"
"testing"

policyapi "kubeops.dev/ui-server/apis/policy/v1alpha1"

apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
kmapi "kmodules.xyz/client-go/api/v1"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
)

type fakeAuthorizer struct {
decision authorizer.Decision
got authorizer.Attributes
}

func (f *fakeAuthorizer) Authorize(_ context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
f.got = a
return f.decision, "because test", nil
}

func ctxWithUser() context.Context {
return apirequest.WithUser(context.Background(), &user.DefaultInfo{Name: "tester"})
}

func testMapper() meta.RESTMapper {
m := meta.NewDefaultRESTMapper([]schema.GroupVersion{{Group: "apps", Version: "v1"}})
m.Add(schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"}, meta.RESTScopeNamespace)
return m
}

// TestAuthorizeScopes verifies that each PolicyReport scope is gated against the expected
// access before any violation data is read. The authorizer denies, so Create returns
// Forbidden and we assert on the attributes it was asked about.
func TestAuthorizeScopes(t *testing.T) {
cases := []struct {
name string
req *policyapi.PolicyReportRequest
wantVerb string
wantAPIGroup string
wantResource string
wantNS string
wantName string
}{
{
name: "cluster",
req: nil,
wantVerb: "get",
wantAPIGroup: "*",
wantResource: "*",
},
{
name: "namespace",
req: &policyapi.PolicyReportRequest{ObjectInfo: kmapi.ObjectInfo{Resource: kmapi.ResourceID{Name: "namespaces"}, Ref: kmapi.ObjectReference{Name: "ns1"}}},
wantVerb: "get",
wantResource: "namespaces",
wantName: "ns1",
},
{
name: "resource",
req: &policyapi.PolicyReportRequest{ObjectInfo: kmapi.ObjectInfo{Resource: kmapi.ResourceID{Group: "apps", Kind: "Deployment"}, Ref: kmapi.ObjectReference{Namespace: "ns3", Name: "dep1"}}},
wantVerb: "get",
wantAPIGroup: "apps",
wantResource: "deployments",
wantNS: "ns3",
wantName: "dep1",
},
}

for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
fa := &fakeAuthorizer{decision: authorizer.DecisionDeny}
kc := fake.NewClientBuilder().WithRESTMapper(testMapper()).Build()
r := NewStorage(kc, fa)

in := &policyapi.PolicyReport{Request: tc.req}
_, err := r.Create(ctxWithUser(), in, nil, nil)
if !apierrors.IsForbidden(err) {
t.Fatalf("expected Forbidden, got %v", err)
}
if got := fa.got.GetVerb(); got != tc.wantVerb {
t.Errorf("verb: got %q want %q", got, tc.wantVerb)
}
if got := fa.got.GetAPIGroup(); got != tc.wantAPIGroup {
t.Errorf("apiGroup: got %q want %q", got, tc.wantAPIGroup)
}
if got := fa.got.GetResource(); got != tc.wantResource {
t.Errorf("resource: got %q want %q", got, tc.wantResource)
}
if got := fa.got.GetNamespace(); got != tc.wantNS {
t.Errorf("namespace: got %q want %q", got, tc.wantNS)
}
if got := fa.got.GetName(); got != tc.wantName {
t.Errorf("name: got %q want %q", got, tc.wantName)
}
})
}
}
Loading
Loading