kyverno/pkg/userinfo/roleRef.go

package userinfo

import (
	"fmt"
	"strings"

	"github.com/nirmata/kyverno/pkg/engine"
	"github.com/nirmata/kyverno/pkg/utils"
	v1beta1 "k8s.io/api/admission/v1beta1"
	authenticationv1 "k8s.io/api/authentication/v1"
	rbacv1 "k8s.io/api/rbac/v1"
	labels "k8s.io/apimachinery/pkg/labels"
	rbaclister "k8s.io/client-go/listers/rbac/v1"
	"sigs.k8s.io/controller-runtime/pkg/log"
)

const (
	clusterrolekind = "ClusterRole"
	rolekind        = "Role"
	SaPrefix        = "system:serviceaccount:"
)

var defaultSuffixs = []string{"system:", "kyverno:"}

//GetRoleRef gets the list of roles and cluster roles for the incoming api-request
func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {
	keys := append(request.UserInfo.Groups, request.UserInfo.Username)
	if utils.SliceContains(keys, engine.ExcludeUserInfo...) {
		return
	}

	// rolebindings
	roleBindings, err := rbLister.List(labels.NewSelector())
	if err != nil {
		return roles, clusterRoles, fmt.Errorf("failed to list rolebindings: %v", err)
	}

	rs, crs, err := getRoleRefByRoleBindings(roleBindings, request.UserInfo)
	if err != nil {
		return roles, clusterRoles, err
	}
	roles = append(roles, rs...)
	clusterRoles = append(clusterRoles, crs...)

	// clusterrolebindings
	clusterroleBindings, err := crbLister.List(labels.NewSelector())
	if err != nil {
		return roles, clusterRoles, fmt.Errorf("failed to list clusterrolebindings: %v", err)
	}

	crs, err = getRoleRefByClusterRoleBindings(clusterroleBindings, request.UserInfo)
	if err != nil {
		return roles, clusterRoles, err
	}
	clusterRoles = append(clusterRoles, crs...)

	return roles, clusterRoles, nil
}

func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) (roles []string, clusterRoles []string, err error) {
	for _, rolebinding := range roleBindings {
		for _, subject := range rolebinding.Subjects {
			if !matchSubjectsMap(subject, userInfo) {
				continue
			}

			switch rolebinding.RoleRef.Kind {
			case rolekind:
				roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)
			case clusterrolekind:
				clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)
			}
		}
	}

	return roles, clusterRoles, nil
}

// RoleRef in ClusterRoleBindings can only reference a ClusterRole in the global namespace
func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) (clusterRoles []string, err error) {
	for _, clusterRoleBinding := range clusterroleBindings {
		for _, subject := range clusterRoleBinding.Subjects {
			if !matchSubjectsMap(subject, userInfo) {
				continue
			}

			if clusterRoleBinding.RoleRef.Kind == clusterrolekind {
				clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)
			}
		}
	}
	return clusterRoles, nil
}

// matchSubjectsMap checks if userInfo found in subject
// return true directly if found a match
// subject.kind can only be ServiceAccount, User and Group
func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	// ServiceAccount
	if strings.Contains(userInfo.Username, SaPrefix) {
		return matchServiceAccount(subject, userInfo)
	} else {
		// User or Group
		return matchUserOrGroup(subject, userInfo)
	}
}

// matchServiceAccount checks if userInfo sa matche the subject sa
// serviceaccount represents as saPrefix:namespace:name in userInfo
func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	subjectServiceAccount := subject.Namespace + ":" + subject.Name
	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
		return false
	}

	log.Log.V(3).Info(fmt.Sprintf("found a matched service account not match: %s", subjectServiceAccount))
	return true
}

// matchUserOrGroup checks if userInfo contains user or group info in a subject
func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	keys := append(userInfo.Groups, userInfo.Username)
	for _, key := range keys {
		if subject.Name == key {
			log.Log.V(3).Info(fmt.Sprintf("found a matched user/group '%v' in request userInfo: %v", subject.Name, keys))
			return true
		}
	}

	return false
}

//IsRoleAuthorize is role authorize or not
func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *v1beta1.AdmissionRequest) (bool, error) {
	if strings.Contains(request.UserInfo.Username, SaPrefix) {
		roles, clusterRoles, err := GetRoleRef(rbLister, crbLister, request)
		if err != nil {
			return false, err
		}

		for _, e := range clusterRoles {
			if strings.Contains(e, "kyverno:") {
				return true, nil
			}
			role, err := crLister.Get(e)
			if err != nil {
				return false, err
			}
			labels := role.GetLabels()

			if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
				return true, nil
			}
		}
		for _, e := range roles {
			roleData := strings.Split(e, ":")
			role, err := rLister.Roles(roleData[0]).Get(roleData[1])
			if err != nil {
				return false, err
			}
			labels := role.GetLabels()
			if !strings.Contains(e, "kyverno:") {
				if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
					return true, nil
				}
			}
		}
		return true, nil
	}
	// User or Group
	excludeDevelopmentRole := []string{"minikube-user", "kubernetes-admin"}
	for _, e := range excludeDevelopmentRole {
		if strings.Contains(request.UserInfo.Username, e) {
			return false, nil
		}
	}
	var matchedRoles []bool
	for _, e := range request.UserInfo.Groups {
		for _, defaultSuffix := range defaultSuffixs {
			if strings.Contains(e, defaultSuffix) {
				matchedRoles = append(matchedRoles, true)
				break
			}
		}
	}
	if len(matchedRoles) == len(request.UserInfo.Groups) {
		return true, nil
	}

	return false, nil
}
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`package userinfo`

			`import (`
			`"fmt"`
bug fixes 2020-07-10 15:23:07 -07:00			`"strings"`

- fix pending delete for denying deletion rule - revert timeoutHandler - update log level 2020-05-19 00:14:23 -07:00			`"github.com/nirmata/kyverno/pkg/engine"`
PR fixes 2020-05-19 13:04:06 -07:00			`"github.com/nirmata/kyverno/pkg/utils"`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`v1beta1 "k8s.io/api/admission/v1beta1"`
			`authenticationv1 "k8s.io/api/authentication/v1"`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`rbacv1 "k8s.io/api/rbac/v1"`
			`labels "k8s.io/apimachinery/pkg/labels"`
			`rbaclister "k8s.io/client-go/listers/rbac/v1"`
refactor logging 2020-03-17 16:25:34 -07:00			`"sigs.k8s.io/controller-runtime/pkg/log"`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`)`

correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`const (`
			`clusterrolekind = "ClusterRole"`
			`rolekind = "Role"`
644 fixing compilation issue 2020-02-09 19:15:39 +05:30			`SaPrefix = "system:serviceaccount:"`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`)`

bug fixes 2020-07-10 15:23:07 -07:00			`var defaultSuffixs = []string{"system:", "kyverno:"}`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`//GetRoleRef gets the list of roles and cluster roles for the incoming api-request`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {`
- fix pending delete for denying deletion rule - revert timeoutHandler - update log level 2020-05-19 00:14:23 -07:00			`keys := append(request.UserInfo.Groups, request.UserInfo.Username)`
PR fixes 2020-05-19 13:04:06 -07:00			`if utils.SliceContains(keys, engine.ExcludeUserInfo...) {`
- fix pending delete for denying deletion rule - revert timeoutHandler - update log level 2020-05-19 00:14:23 -07:00			`return`
			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`// rolebindings`
			`roleBindings, err := rbLister.List(labels.NewSelector())`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if err != nil {`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`return roles, clusterRoles, fmt.Errorf("failed to list rolebindings: %v", err)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`rs, crs, err := getRoleRefByRoleBindings(roleBindings, request.UserInfo)`
			`if err != nil {`
			`return roles, clusterRoles, err`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`roles = append(roles, rs...)`
			`clusterRoles = append(clusterRoles, crs...)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00
			`// clusterrolebindings`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`clusterroleBindings, err := crbLister.List(labels.NewSelector())`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if err != nil {`
			`return roles, clusterRoles, fmt.Errorf("failed to list clusterrolebindings: %v", err)`
			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`crs, err = getRoleRefByClusterRoleBindings(clusterroleBindings, request.UserInfo)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if err != nil {`
			`return roles, clusterRoles, err`
			`}`
			`clusterRoles = append(clusterRoles, crs...)`

			`return roles, clusterRoles, nil`
			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) (roles []string, clusterRoles []string, err error) {`
			`for _, rolebinding := range roleBindings {`
			`for _, subject := range rolebinding.Subjects {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if !matchSubjectsMap(subject, userInfo) {`
			`continue`
			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`switch rolebinding.RoleRef.Kind {`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`case rolekind:`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`case clusterrolekind:`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
			`}`
			`}`

			`return roles, clusterRoles, nil`
			`}`

			`// RoleRef in ClusterRoleBindings can only reference a ClusterRole in the global namespace`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) (clusterRoles []string, err error) {`
			`for _, clusterRoleBinding := range clusterroleBindings {`
			`for _, subject := range clusterRoleBinding.Subjects {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if !matchSubjectsMap(subject, userInfo) {`
			`continue`
			`}`

correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`if clusterRoleBinding.RoleRef.Kind == clusterrolekind {`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
			`}`
			`}`
			`return clusterRoles, nil`
			`}`

			`// matchSubjectsMap checks if userInfo found in subject`
			`// return true directly if found a match`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`// subject.kind can only be ServiceAccount, User and Group`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`// ServiceAccount`
644 circle ci changes 2020-02-09 19:28:51 +05:30			`if strings.Contains(userInfo.Username, SaPrefix) {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return matchServiceAccount(subject, userInfo)`
644 circle ci changes 2020-02-09 19:56:38 +05:30			`} else {`
			`// User or Group`
			`return matchUserOrGroup(subject, userInfo)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
			`}`

			`// matchServiceAccount checks if userInfo sa matche the subject sa`
			`// serviceaccount represents as saPrefix:namespace:name in userInfo`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {`
			`subjectServiceAccount := subject.Namespace + ":" + subject.Name`
644 fixing compilation issue 2020-02-09 19:15:39 +05:30			`if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return false`
			`}`

PR fixes 2020-05-19 13:04:06 -07:00			`log.Log.V(3).Info(fmt.Sprintf("found a matched service account not match: %s", subjectServiceAccount))`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return true`
			`}`

			`// matchUserOrGroup checks if userInfo contains user or group info in a subject`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`keys := append(userInfo.Groups, userInfo.Username)`
			`for _, key := range keys {`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`if subject.Name == key {`
PR fixes 2020-05-19 13:04:06 -07:00			`log.Log.V(3).Info(fmt.Sprintf("found a matched user/group '%v' in request userInfo: %v", subject.Name, keys))`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return true`
			`}`
			`}`

			`return false`
			`}`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00
			`//IsRoleAuthorize is role authorize or not`
bug fixes 2020-07-10 15:23:07 -07:00			`func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *v1beta1.AdmissionRequest) (bool, error) {`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00			`if strings.Contains(request.UserInfo.Username, SaPrefix) {`
bug fixes 2020-07-10 15:23:07 -07:00			`roles, clusterRoles, err := GetRoleRef(rbLister, crbLister, request)`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00			`if err != nil {`
			`return false, err`
			`}`
validation added 2020-07-10 12:27:31 -07:00
bug fixes 2020-07-10 15:23:07 -07:00			`for _, e := range clusterRoles {`
			`if strings.Contains(e, "kyverno:") {`
			`return true, nil`
code fixes 2020-07-10 16:59:17 -07:00			`}`
			`role, err := crLister.Get(e)`
			`if err != nil {`
			`return false, err`
			`}`
			`labels := role.GetLabels()`
bug fixes 2020-07-10 15:23:07 -07:00
code fixes 2020-07-10 16:59:17 -07:00			`if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {`
			`return true, nil`
bug fixes 2020-07-10 15:23:07 -07:00			`}`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00			`}`
bug fixes 2020-07-10 15:23:07 -07:00			`for _, e := range roles {`
			`roleData := strings.Split(e, ":")`
			`role, err := rLister.Roles(roleData[0]).Get(roleData[1])`
			`if err != nil {`
			`return false, err`
			`}`
			`labels := role.GetLabels()`
			`if !strings.Contains(e, "kyverno:") {`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00			`if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {`
			`return true, nil`
			`}`
bug fixes 2020-07-10 15:23:07 -07:00			`}`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00			`}`
fix bug (#987) 2020-07-14 09:22:08 -07:00			`return true, nil`
code fixes 2020-07-10 16:59:17 -07:00			`}`
			`// User or Group`
			`excludeDevelopmentRole := []string{"minikube-user", "kubernetes-admin"}`
			`for _, e := range excludeDevelopmentRole {`
			`if strings.Contains(request.UserInfo.Username, e) {`
			`return false, nil`
validation added 2020-07-10 12:27:31 -07:00			`}`
code fixes 2020-07-10 16:59:17 -07:00			`}`
			`var matchedRoles []bool`
			`for _, e := range request.UserInfo.Groups {`
			`for _, defaultSuffix := range defaultSuffixs {`
			`if strings.Contains(e, defaultSuffix) {`
			`matchedRoles = append(matchedRoles, true)`
			`break`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00			`}`
			`}`
code fixes 2020-07-10 16:59:17 -07:00			`}`
			`if len(matchedRoles) == len(request.UserInfo.Groups) {`
			`return true, nil`
validation added for deny request for generated resource 2020-07-10 11:48:27 -07:00			`}`

bug fixes 2020-07-10 15:23:07 -07:00			`return false, nil`
			`}`