kyverno/pkg/engine/rbac/rbacValidation.go

package rbac

import (
	"reflect"

	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	utils "github.com/nirmata/kyverno/pkg/utils"
	authenticationv1 "k8s.io/api/authentication/v1"
	rbacv1 "k8s.io/api/rbac/v1"
)

const (
	//SaPrefix defines the prefix for service accounts
	SaPrefix = "system:serviceaccount:"
)

// MatchAdmissionInfo return true if the rule can be applied to the request
func MatchAdmissionInfo(rule kyverno.Rule, requestInfo kyverno.RequestInfo) bool {
	// when processing existing resource, it does not contain requestInfo
	// skip permission checking
	if reflect.DeepEqual(requestInfo, kyverno.RequestInfo{}) {
		return true
	}

	if !validateMatch(rule.MatchResources, requestInfo) {
		return false
	}

	return validateExclude(rule.ExcludeResources, requestInfo)
}

// match:
// 		roles: role1, role2
// 		clusterRoles: clusterRole1,clusterRole2
// 		subjects: subject1, subject2
// validateMatch return true if (role1 || role2) and (clusterRole1 || clusterRole2)
// and (subject1 || subject2) are found in requestInfo, OR operation for each list
func validateMatch(match kyverno.MatchResources, requestInfo kyverno.RequestInfo) bool {
	if len(match.Roles) > 0 {
		if !matchRoleRefs(match.Roles, requestInfo.Roles) {
			return false
		}
	}

	if len(match.ClusterRoles) > 0 {
		if !matchRoleRefs(match.ClusterRoles, requestInfo.ClusterRoles) {
			return false
		}
	}

	if len(match.Subjects) > 0 {
		if !matchSubjects(match.Subjects, requestInfo.AdmissionUserInfo) {
			return false
		}
	}
	return true
}

// exclude:
// 		roles: role1, role2
// 		clusterRoles: clusterRole1,clusterRole2
// 		subjects: subject1, subject2
// validateExclude return true if none of the above found in requestInfo
// otherwise return false immediately means rule should not be applied
func validateExclude(exclude kyverno.ExcludeResources, requestInfo kyverno.RequestInfo) bool {
	if len(exclude.Roles) > 0 {
		if matchRoleRefs(exclude.Roles, requestInfo.Roles) {
			return false
		}
	}

	if len(exclude.ClusterRoles) > 0 {
		if matchRoleRefs(exclude.ClusterRoles, requestInfo.ClusterRoles) {
			return false
		}
	}

	if len(exclude.Subjects) > 0 {
		if matchSubjects(exclude.Subjects, requestInfo.AdmissionUserInfo) {
			return false
		}
	}
	return true
}

// matchRoleRefs return true if one of ruleRoleRefs exist in resourceRoleRefs
func matchRoleRefs(ruleRoleRefs, resourceRoleRefs []string) bool {
	for _, ruleRoleRef := range ruleRoleRefs {
		if utils.ContainsString(resourceRoleRefs, ruleRoleRef) {
			return true
		}
	}
	return false
}

// matchSubjects return true if one of ruleSubjects exist in userInfo
func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	userGroups := append(userInfo.Groups, userInfo.Username)
	for _, subject := range ruleSubjects {
		switch subject.Kind {
		case "ServiceAccount":
			if len(userInfo.Username) <= len(SaPrefix) {
				continue
			}
			subjectServiceAccount := subject.Namespace + ":" + subject.Name
			if userInfo.Username[len(SaPrefix):] == subjectServiceAccount {
				return true
			}
		case "User", "Group":
			if utils.ContainsString(userGroups, subject.Name) {
				return true
			}
		}
	}

	return false
}
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`package rbac`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00
			`import (`
			`"reflect"`

update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`utils "github.com/nirmata/kyverno/pkg/utils"`
			`authenticationv1 "k8s.io/api/authentication/v1"`
			`rbacv1 "k8s.io/api/rbac/v1"`
			`)`

			`const (`
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`//SaPrefix defines the prefix for service accounts`
add unit test 2019-11-11 09:56:53 -08:00			`SaPrefix = "system:serviceaccount:"`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`)`

linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`// MatchAdmissionInfo return true if the rule can be applied to the request`
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`func MatchAdmissionInfo(rule kyverno.Rule, requestInfo kyverno.RequestInfo) bool {`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`// when processing existing resource, it does not contain requestInfo`
			`// skip permission checking`
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`if reflect.DeepEqual(requestInfo, kyverno.RequestInfo{}) {`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`return true`
			`}`

			`if !validateMatch(rule.MatchResources, requestInfo) {`
			`return false`
			`}`

			`return validateExclude(rule.ExcludeResources, requestInfo)`
			`}`

			`// match:`
			`// roles: role1, role2`
			`// clusterRoles: clusterRole1,clusterRole2`
			`// subjects: subject1, subject2`
			`// validateMatch return true if (role1 \|\| role2) and (clusterRole1 \|\| clusterRole2)`
			`// and (subject1 \|\| subject2) are found in requestInfo, OR operation for each list`
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`func validateMatch(match kyverno.MatchResources, requestInfo kyverno.RequestInfo) bool {`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`if len(match.Roles) > 0 {`
			`if !matchRoleRefs(match.Roles, requestInfo.Roles) {`
			`return false`
			`}`
			`}`

			`if len(match.ClusterRoles) > 0 {`
			`if !matchRoleRefs(match.ClusterRoles, requestInfo.ClusterRoles) {`
			`return false`
			`}`
			`}`

			`if len(match.Subjects) > 0 {`
			`if !matchSubjects(match.Subjects, requestInfo.AdmissionUserInfo) {`
			`return false`
			`}`
			`}`
			`return true`
			`}`

			`// exclude:`
			`// roles: role1, role2`
			`// clusterRoles: clusterRole1,clusterRole2`
			`// subjects: subject1, subject2`
			`// validateExclude return true if none of the above found in requestInfo`
			`// otherwise return false immediately means rule should not be applied`
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`func validateExclude(exclude kyverno.ExcludeResources, requestInfo kyverno.RequestInfo) bool {`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`if len(exclude.Roles) > 0 {`
			`if matchRoleRefs(exclude.Roles, requestInfo.Roles) {`
			`return false`
			`}`
			`}`

			`if len(exclude.ClusterRoles) > 0 {`
			`if matchRoleRefs(exclude.ClusterRoles, requestInfo.ClusterRoles) {`
			`return false`
			`}`
			`}`

			`if len(exclude.Subjects) > 0 {`
			`if matchSubjects(exclude.Subjects, requestInfo.AdmissionUserInfo) {`
			`return false`
			`}`
			`}`
			`return true`
			`}`

			`// matchRoleRefs return true if one of ruleRoleRefs exist in resourceRoleRefs`
			`func matchRoleRefs(ruleRoleRefs, resourceRoleRefs []string) bool {`
			`for _, ruleRoleRef := range ruleRoleRefs {`
			`if utils.ContainsString(resourceRoleRefs, ruleRoleRef) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`// matchSubjects return true if one of ruleSubjects exist in userInfo`
			`func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {`
			`userGroups := append(userInfo.Groups, userInfo.Username)`
			`for _, subject := range ruleSubjects {`
			`switch subject.Kind {`
			`case "ServiceAccount":`
add unit test 2019-11-11 14:29:36 -08:00			`if len(userInfo.Username) <= len(SaPrefix) {`
			`continue`
			`}`
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`subjectServiceAccount := subject.Namespace + ":" + subject.Name`
			`if userInfo.Username[len(SaPrefix):] == subjectServiceAccount {`
			`return true`
			`}`
			`case "User", "Group":`
			`if utils.ContainsString(userGroups, subject.Name) {`
			`return true`
			`}`
			`}`
			`}`
add unit test 2019-11-11 14:29:36 -08:00
match rbac info when process a rule 2019-11-08 18:58:09 -08:00			`return false`
			`}`