authorisation_webhook.go
package console
import (
"context"
"fmt"
"net/http"
"reflect"
"time"
workloadsv1alpha1 "github.com/gocardless/theatre/pkg/apis/workloads/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
apiTypes "k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission/builder"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission/types"
kitlog "github.com/go-kit/kit/log"
multierror "github.com/hashicorp/go-multierror"
"github.com/pkg/errors"
rbacutils "github.com/gocardless/theatre/pkg/rbac"
)
// NewAuthorisationWebhook builds the validating admission webhook that guards
// updates to ConsoleAuthorisation objects.
//
// The handler is created first and then handed to each opt in order, so an
// option can wrap or replace it before it is registered with the builder.
//
// NOTE(review): the decoder is built over a freshly created, empty
// runtime.Scheme. Confirm that ConsoleAuthorisation payloads decode correctly
// without the workloads types being registered, because every decision in
// Handle depends on the decoded objects.
func NewAuthorisationWebhook(logger kitlog.Logger, mgr manager.Manager, opts ...func(*admission.Handler)) (*admission.Webhook, error) {
	componentLogger := kitlog.With(logger, "component", "ConsoleAuthorisationWebhook")
	apiClient := mgr.GetClient()
	deserializer := serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer()

	var handler admission.Handler = &consoleAuthorisation{
		logger:  componentLogger,
		client:  apiClient,
		decoder: deserializer,
	}

	for i := range opts {
		opts[i](&handler)
	}

	// Only Update operations are validated: the rules enforced by the handler
	// compare the stored object with the proposed one.
	webhookBuilder := builder.NewWebhookBuilder().
		Name("console-authorisation.crd.gocardless.com").
		Validating().
		Operations(admissionregistrationv1beta1.Update).
		ForType(&workloadsv1alpha1.ConsoleAuthorisation{}).
		Handlers(handler).
		WithManager(mgr)

	return webhookBuilder.Build()
}
// consoleAuthorisation is the admission handler that validates updates to
// ConsoleAuthorisation objects.
type consoleAuthorisation struct {
// logger receives the request and authorisation events emitted by Handle.
logger kitlog.Logger
// client is used to fetch the Console that an authorisation refers to.
client client.Client
// decoder turns the raw objects of the admission request into typed objects.
decoder runtime.Decoder
}
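// Handle validates an update to a ConsoleAuthorisation and returns the
// admission response.
//
// It decodes the proposed object and the stored object from the request,
// fetches the Console named by the stored object's spec.consoleRef, and applies
// the rules in consoleAuthorisationUpdate.Validate using the requesting user
// and the console's owner.
//
// The request is rejected with a 400 error response when either object cannot
// be decoded, and denied when the console cannot be retrieved or validation
// fails.
func (c *consoleAuthorisation) Handle(ctx context.Context, req types.Request) types.Response {
	logger := kitlog.With(c.logger, "uuid", string(req.AdmissionRequest.UID))
	logger.Log("event", "request.start")
	defer func(start time.Time) {
		logger.Log("event", "request.end", "duration", time.Since(start).Seconds())
	}(time.Now())

	// The object as it would be stored if the update were admitted.
	updatedAuth := &workloadsv1alpha1.ConsoleAuthorisation{}
	if err := runtime.DecodeInto(c.decoder, req.AdmissionRequest.Object.Raw, updatedAuth); err != nil {
		// Fail closed: previously the error response was built and discarded, so
		// validation went on to compare a zero-value object.
		return admission.ErrorResponse(http.StatusBadRequest, err)
	}

	// The object currently stored in the cluster.
	existingAuth := &workloadsv1alpha1.ConsoleAuthorisation{}
	if err := runtime.DecodeInto(c.decoder, req.AdmissionRequest.OldObject.Raw, existingAuth); err != nil {
		// Fail closed for the same reason as above.
		return admission.ErrorResponse(http.StatusBadRequest, err)
	}

	// The identity the API server attached to the request.
	user := req.AdmissionRequest.UserInfo.Username

	// The console is resolved from the stored object, not the proposed one, so
	// the owner used for validation cannot be influenced by the update itself.
	csl, err := c.getConsole(ctx, existingAuth.Spec.ConsoleRef.Name, existingAuth.Namespace)
	if err != nil {
		return admission.ValidationResponse(false, fmt.Sprintf("failed to retrieve console for the authorisation: %v", err))
	}

	update := &consoleAuthorisationUpdate{
		existingAuth: existingAuth,
		updatedAuth:  updatedAuth,
		user:         user,
		owner:        csl.Spec.User,
	}

	if err := update.Validate(); err != nil {
		logger.Log("event", "authorisation.failure", "error", err)
		return admission.ValidationResponse(false, fmt.Sprintf("the console authorisation spec is invalid: %v", err))
	}

	logger.Log("event", "authorisation.success")
	return admission.ValidationResponse(true, "")
}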
// getConsole fetches the Console with the given name in the given namespace.
// The returned pointer is never nil; when the lookup fails it refers to an
// unpopulated Console and the error from the client is returned alongside it.
func (c *consoleAuthorisation) getConsole(ctx context.Context, name, namespace string) (*workloadsv1alpha1.Console, error) {
	var console workloadsv1alpha1.Console
	key := apiTypes.NamespacedName{Namespace: namespace, Name: name}
	err := c.client.Get(ctx, key, &console)
	return &console, err
}
// consoleAuthorisationUpdate carries everything Validate needs to decide
// whether an update to a ConsoleAuthorisation is permitted.
type consoleAuthorisationUpdate struct {
	// existingAuth is the stored object; updatedAuth is the proposed one.
	existingAuth, updatedAuth *workloadsv1alpha1.ConsoleAuthorisation
	// user is the username making the request; owner is the user recorded in
	// the spec of the console being authorised.
	user, owner string
}
// Validate checks that the update only appends the requesting user as an
// authoriser. It returns nil when the update is acceptable, otherwise an error
// aggregating every rule that was broken:
//
//   - spec.consoleRef must not change;
//   - no subject may be removed and at most one may be added;
//   - every added subject must carry the requesting user's name;
//   - no added subject may carry the console owner's name.
//
// NOTE(review): added subjects are compared by Name only. Whether the
// subject's kind or namespace also needs checking depends on how
// spec.authorisations is consumed elsewhere; confirm against that code.
func (u *consoleAuthorisationUpdate) Validate() error {
	var result error

	oldSpec, newSpec := u.existingAuth.Spec, u.updatedAuth.Spec

	// The authorisation must stay bound to the console it was created for.
	if !reflect.DeepEqual(newSpec.ConsoleRef, oldSpec.ConsoleRef) {
		result = multierror.Append(result, errors.New("the spec.consoleRef field is immutable"))
	}

	// Diff in both directions: subjects present only in the proposed list were
	// added, subjects present only in the stored list were removed.
	added := rbacutils.Diff(newSpec.Authorisations, oldSpec.Authorisations)
	removed := rbacutils.Diff(oldSpec.Authorisations, newSpec.Authorisations)
	if len(removed) != 0 || len(added) > 1 {
		result = multierror.Append(result, errors.New("the spec.authorisations field can only be appended to (with one subject) per update"))
	}

	// Each rule is reported at most once, however many added subjects break it.
	var addsSomeoneElse, addsOwner bool
	for _, subject := range added {
		if subject.Name != u.user {
			addsSomeoneElse = true
		}
		if subject.Name == u.owner {
			addsOwner = true
		}
	}

	// A user may only vouch for a console in their own name.
	if addsSomeoneElse {
		result = multierror.Append(result, errors.New("only the current user can be added as an authoriser"))
	}

	// The console owner must not approve their own console.
	if addsOwner {
		result = multierror.Append(result, errors.New("an authoriser cannot authorise their own console"))
	}

	return result
}