Merge pull request #33 from joelddiaz/static-passthrough

move to static list of passthrough creds

Gopkg.toml

@@ -1,7 +1,6 @@
 required = [
     "github.com/aws/aws-sdk-go",
     "github.com/emicklei/go-restful",
-    "github.com/jteeuwen/go-bindata",
     "github.com/onsi/ginkgo", # for test framework
     "github.com/onsi/gomega", # for test matchers
     "github.com/stretchr/testify/assert",

Makefile

@@ -54,8 +54,6 @@ vet:
 # Generate code
 generate:
 	go generate ./pkg/... ./cmd/...
-	# generate static assets
-	hack/update-bindata.sh
 
 # Build the image with buildah
 .PHONY: buildah-build

pkg/controller/utils/utils.go

@@ -7,7 +7,6 @@ import (
 
 	ccv1beta1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1beta1"
 	ccaws "github.com/openshift/cloud-credential-operator/pkg/aws"
-	"github.com/openshift/cloud-credential-operator/pkg/controller/assets"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/iam"
@@ -19,7 +18,7 @@ import (
 // credMintingActions is a list of AWS verbs needed to run in the mode where the
 // cloud-credential-operator can mint new creds to satisfy CredentialRequest CRDs
 var (
-	CredMintingActions = []string{
+	credMintingActions = []string{
 		"iam:CreateAccessKey",
 		"iam:CreateUser",
 		"iam:DeleteAccessKey",
@@ -33,6 +32,66 @@ var (
 		"iam:SimulatePrincipalPolicy", // needed so we can verify the above list of course
 	}
 
+	credPassthroughActions = []string{
+		// so we can query whether we have the below list of creds
+		"iam:GetUser",
+		"iam:SimulatePrincipalPolicy",
+
+		// openshift-ingress
+		"elasticloadbalancing:DescribeLoadBalancers",
+		"route53:ListHostedZones",
+		"route53:ChangeResourceRecordSets",
+		"tag:GetResources",
+
+		// openshift-image-registry
+		"s3:CreateBucket",
+		"s3:DeleteBucket",
+		"s3:PutBucketTagging",
+		"s3:GetBucketTagging",
+		"s3:PutEncryptionConfiguration",
+		"s3:GetEncryptionConfiguration",
+		"s3:PutLifecycleConfiguration",
+		"s3:GetLifecycleConfiguration",
+		"s3:GetBucketLocation",
+		"s3:ListBucket",
+		"s3:HeadBucket",
+		"s3:GetObject",
+		"s3:PutObject",
+		"s3:DeleteObject",
+		"s3:ListBucketMultipartUploads",
+		"s3:AbortMultipartUpload",
+
+		// openshift-cluster-api
+		"ec2:DescribeImages",
+		"ec2:DescribeVpcs",
+		"ec2:DescribeSubnets",
+		"ec2:DescribeAvailabilityZones",
+		"ec2:DescribeSecurityGroups",
+		"ec2:RunInstances",
+		"ec2:DescribeInstances",
+		"ec2:TerminateInstances",
+		"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+		"elasticloadbalancing:DescribeLoadBalancers",
+		"elasticloadbalancing:DescribeTargetGroups",
+		"elasticloadbalancing:RegisterTargets",
+		"ec2:DescribeVpcs",
+		"ec2:DescribeSubnets",
+		"ec2:DescribeAvailabilityZones",
+		"ec2:DescribeSecurityGroups",
+		"ec2:RunInstances",
+		"ec2:DescribeInstances",
+		"ec2:TerminateInstances",
+		"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+		"elasticloadbalancing:DescribeLoadBalancers",
+		"elasticloadbalancing:DescribeTargetGroups",
+		"elasticloadbalancing:RegisterTargets",
+
+		// iam-ro
+		"iam:GetUser",
+		"iam:GetUserPolicy",
+		"iam:ListAccessKeys",
+	}
+
 	credentailRequestScheme = runtime.NewScheme()
 	credentialRequestCodec  = serializer.NewCodecFactory(credentailRequestScheme)
 )
@@ -45,7 +104,7 @@ func init() {
 
 // CheckCloudCredCreation will see whether we have enough permissions to create new sub-creds
 func CheckCloudCredCreation(awsClient ccaws.Client, logger log.FieldLogger) (bool, error) {
-	return CheckPermissionsAgainstActions(awsClient, CredMintingActions, logger)
+	return CheckPermissionsAgainstActions(awsClient, credMintingActions, logger)
 }
 
 // CheckPermissionsUsingQueryClient will use queryClient to query whether the credentials in targetClient can perform the actions
@@ -113,28 +172,11 @@ func CheckPermissionsAgainstActions(awsClient ccaws.Client, actionList []string,
 }
 
 // CheckCloudCredPassthrough will see if the provided creds are good enough to pass through
-// to other components as-is based on the generated list of permissions needed from the static
-// manifests in the repo
+// to other components as-is based on the static list of permissions needed by the various
+// users of CredentialsRequests
+// TODO: move away from static list (to dynamic passthrough validation?)
 func CheckCloudCredPassthrough(awsClient ccaws.Client, logger log.FieldLogger) (bool, error) {
-	statementList := []ccv1beta1.StatementEntry{}
-
-	// Read in the static assets containing all the needed CredentialRequests/permissions
-	assetList := assets.AssetNames()
-	for _, oneAsset := range assetList {
-		crBytes, err := assets.Asset(oneAsset)
-		if err != nil {
-			return false, fmt.Errorf("error parsing CredentialRequest object: %v", err)
-		}
-
-		statements, err := getCredentialRequestStatements(crBytes)
-		if err != nil {
-			return false, fmt.Errorf("error processing CredentialRequest: %v", err)
-		}
-
-		statementList = append(statementList, statements...)
-	}
-
-	return CheckPermissionsAgainstStatementList(awsClient, statementList, logger)
+	return CheckPermissionsAgainstActions(awsClient, credPassthroughActions, logger)
 }
 
 func readCredentialRequest(cr []byte) (*ccv1beta1.CredentialsRequest, error) {