Add group check for cluster-admin

opendatahub-io · Aug 30, 2022 · bb61b85 · bb61b85
1 parent cb81337
commit bb61b85
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/backend/src/utils/adminUtils.ts b/backend/src/utils/adminUtils.ts
@@ -4,7 +4,7 @@ import {
   V1ClusterRoleBindingList,
 } from '@kubernetes/client-node';
 import { KubeFastifyInstance } from '../types';
-import { getAdminGroups, getAllowedGroups, getGroup } from './groupsUtils';
+import { getAdminGroups, getAllGroupsByUser, getAllowedGroups, getGroup } from './groupsUtils';
 import { flatten, uniq } from 'lodash';
 
 const SYSTEM_AUTHENTICATED = 'system:authenticated';
@@ -91,11 +91,17 @@ export const isUserAllowed = async (
   }
 };
 
-const checkRoleBindings = (roleBindings: V1ClusterRoleBindingList, username: string): boolean => {
+const checkRoleBindings = (
+  roleBindings: V1ClusterRoleBindingList,
+  username: string,
+  groups: string[],
+): boolean => {
   return (
     roleBindings.items.filter(
       (role: V1ClusterRoleBinding): boolean =>
-        role.subjects?.some((subject) => subject.name === username) &&
+        role.subjects?.some(
+          (subject) => subject.name === username || groups.includes(subject.name),
+        ) &&
         role.roleRef.kind === 'ClusterRole' &&
         role.roleRef.name === 'cluster-admin',
     ).length !== 0
@@ -110,8 +116,9 @@ export const isUserClusterRole = async (
   try {
     const clusterrolebinding = await fastify.kube.rbac.listClusterRoleBinding();
     const rolebinding = await fastify.kube.rbac.listNamespacedRoleBinding(namespace);
-    const isAdminClusterRoleBinding = checkRoleBindings(clusterrolebinding.body, username);
-    const isAdminRoleBinding = checkRoleBindings(rolebinding.body, username);
+    const groups = await getAllGroupsByUser(fastify.kube.customObjectsApi, username);
+    const isAdminClusterRoleBinding = checkRoleBindings(clusterrolebinding.body, username, groups);
+    const isAdminRoleBinding = checkRoleBindings(rolebinding.body, username, groups);
     return isAdminClusterRoleBinding || isAdminRoleBinding;
   } catch (e) {
     fastify.log.error(`Failed to list rolebindings for user, ${e}`);

diff --git a/backend/src/utils/groupsUtils.ts b/backend/src/utils/groupsUtils.ts
@@ -85,3 +85,20 @@ export const getAllGroups = async (customObjectsApi: CustomObjectsApi): Promise<
     throw new Error(`Failed to list groups.`);
   }
 };
+
+export const getAllGroupsByUser = async (
+  customObjectsApi: CustomObjectsApi,
+  username: string,
+): Promise<string[]> => {
+  try {
+    const adminGroupResponse = await customObjectsApi.listClusterCustomObject(
+      'user.openshift.io',
+      'v1',
+      'groups',
+    );
+    const groups = adminGroupResponse.body as GroupCustomObject;
+    return groups.items.filter((x) => x.users.includes(username)).map((x) => x.metadata.name);
+  } catch (e) {
+    throw new Error(`Failed to list groups filtered by username.`);
+  }
+};