Bug 1815219: CO-876: allow defining Conditions in AWS CredentialsRequest #181
Conversation
|
/assign @JoelSpeed |
|
|
||
| // NotEquals appends NotEquals prefix to the condition | ||
| func (c AWSConditionType) NotEquals() AWSConditionType { | ||
| return c + "NotEquals" |
There was a problem hiding this comment.
Would a condition type of StringNotEquals unmarshal from JSON correctly?
There was a problem hiding this comment.
It totally will, as it will undergo only a raw encoding to internal golang structure, where the types are still raw strings.
| // String elements that restrict access based on comparing a key to a string value. | ||
| String AWSConditionType = "String" | ||
| // Numeric elements that restrict access based on comparing a key to an integer or decimal value. | ||
| Numeric AWSConditionType = "Numeric" | ||
| // Date elements that restrict access based on comparing a key to a date/time value. | ||
| Date AWSConditionType = "Date" | ||
| // Bool elements that restrict access based on comparing a key to "true" or "false." | ||
| Bool AWSConditionType = "Bool" | ||
| // Arn elements that restrict access based on comparing a key to an ARN. | ||
| Arn AWSConditionType = "Arn" | ||
| // Null check if a condition key is present at the time of authorization. | ||
| Null AWSConditionType = "Null" | ||
| // Binary elements that test key values that are in binary format. | ||
| Binary AWSConditionType = "Binary" | ||
| // IPAddress restrict access based on comparing a key to an IPv4 or IPv6 address or range of IP addresses. | ||
| IPAddress AWSConditionType = "IpAddress" |
There was a problem hiding this comment.
Might be worth suffixing these with ConditionType? Eg StringConditionType to make it more obvious what they are for and also distinguish them from other potentially exported fields that could be added at a later date
There was a problem hiding this comment.
Yeah, makes sense. Will update it, that sounds more cannon.
|
/cc @joelddiaz Here is a PR for https://issues.redhat.com/browse/CO-876 |
| @@ -38,6 +38,8 @@ type StatementEntry struct { | |||
| Action []string `json:"action"` | |||
| // Resource specifies the object(s) this statement should apply to. (or "*" for all) | |||
| Resource string `json:"resource"` | |||
| // Condition specifies under which condition StatementEntry will apply | |||
| Condition AWSCondition `json:"condition,omitempty"` | |||
There was a problem hiding this comment.
Condition AWSCondition `json:"condition,omitempty"` -> Condition StatementEntryCondition `json:"condition,omitempty"`
| @@ -49,3 +51,71 @@ type AWSProviderStatus struct { | |||
| // Policy is the name of the policy attached to the user in AWS. | |||
| Policy string `json:"policy"` | |||
| } | |||
|
|
|||
| // AWSCondition - map of condition types, with associated key - value mapping | |||
| type AWSCondition map[AWSConditionType]AWSConditionKeyValue | |||
There was a problem hiding this comment.
| type AWSCondition map[AWSConditionType]AWSConditionKeyValue | |
| type StatementEntryCondition map[AWSIAMPolicyConditionType]AWSIAMPolicyConditionKeyValue |
| // AWSCondition - map of condition types, with associated key - value mapping | ||
| type AWSCondition map[AWSConditionType]AWSConditionKeyValue | ||
|
|
||
| // AWSConditionKeyValue - mapping of values for the chousen type |
There was a problem hiding this comment.
| // AWSConditionKeyValue - mapping of values for the chousen type | |
| // AWSConditionKeyValue - mapping of values for the chosen type |
| type AWSCondition map[AWSConditionType]AWSConditionKeyValue | ||
|
|
||
| // AWSConditionKeyValue - mapping of values for the chousen type | ||
| type AWSConditionKeyValue map[string]interface{} |
There was a problem hiding this comment.
| type AWSConditionKeyValue map[string]interface{} | |
| type AWSIAMPolicyConditionKeyValue map[string]interface{} |
| type AWSConditionKeyValue map[string]interface{} | ||
|
|
||
| // AWSConditionType provides condition operators to match the condition key and value in the policy against values in the request context | ||
| type AWSConditionType string |
There was a problem hiding this comment.
| type AWSConditionType string | |
| type AWSIAMPolicyConditionType string |
| return "Not" + c | ||
| } | ||
|
|
||
| // IgnoreCase appends IgnoreCase prefix to the condition |
There was a problem hiding this comment.
| // IgnoreCase appends IgnoreCase prefix to the condition | |
| // IgnoreCase appends IgnoreCase suffix to the condition |
| return c + "IgnoreCase" | ||
| } | ||
|
|
||
| // Equals appends Equals prefix to the condition |
There was a problem hiding this comment.
| // Equals appends Equals prefix to the condition | |
| // Equals appends Equals suffix to the condition |
| return c + "Equals" | ||
| } | ||
|
|
||
| // NotEquals appends NotEquals prefix to the condition |
There was a problem hiding this comment.
| // NotEquals appends NotEquals prefix to the condition | |
| // NotEquals appends NotEquals suffix to the condition |
| return c + "NotEquals" | ||
| } | ||
|
|
||
| // Like appends Like prefix to the condition |
There was a problem hiding this comment.
| // Like appends Like prefix to the condition | |
| // Like appends Like suffix to the condition |
| return c + "Like" | ||
| } | ||
|
|
||
| // NotLike appends NotLike prefix to the condition |
There was a problem hiding this comment.
| // NotLike appends NotLike prefix to the condition | |
| // NotLike appends NotLike suffix to the condition |
| return c + "NotLike" | ||
| } | ||
|
|
||
| // LessThan appends LessThan prefix to the condition |
There was a problem hiding this comment.
| // LessThan appends LessThan prefix to the condition | |
| // LessThan appends LessThan suffix to the condition |
| return c + "LessThan" | ||
| } | ||
|
|
||
| // GreaterThan appends GreaterThan prefix to the condition |
There was a problem hiding this comment.
| // GreaterThan appends GreaterThan prefix to the condition | |
| // GreaterThan appends GreaterThan suffix to the condition |
There was a problem hiding this comment.
Why all the defining of AWSCondition type constants and all the ConditionType modifiers? CCO doesn't really parse or populate these fields as they are simply passed on to the AWS IAM API calls. And these functions allow building invalid text (DateNotEqualsGreaterThan).
I would have done something more simple like:
type AWSIAMPolicyConditionKeyValue map[string]interface{}
and
type AWSIAMCondition map[string]AWSIAMPolicyConditionKeyValue
Many of the keys for conditions will end up with extra qualifiers when defining a set of conditions.
"Condition": {
"ForAllValues:DateNotEquals": {
"aws:EpochTime": "123"
},
"ForAllValues:StringEquals": {
"aws:PrincipalAccount": "abcd",
"aws:PrincipalArn": "12345"
},
"StringEquals": {
"aws:userid": "usera"
}
}
TL;DR: What is the benefit of adding all these formal definitions of the AWS IAM condition types? It feels like CCO will be out of step with AWS if/when new modifiers are added as valid condition modifiers.
|
@joelddiaz Sorry, looking at the PR now, I can't see a reason for presence of AWS IAM condition types, or it will actually be a total overhead for the scope of the PR. Agree with you, going to remove unnecessary parts and change naming. |
Danil-Grigorev
changed the title
|
@joelddiaz Tested this PR in my setup, works fine for any combination of conditions. I addressed concerns around constants, and decided to remove them, as it sounded clear that is not the thing needed for a static template provided externally. @JoelSpeed I hope this integration is enough to cover the needs for the conditions. In case the tests are still needed to display the usage, I have a sample part to update the PR on request, but aside from that the tests are of no use here. This PR is sufficient in it's stage, as it is only backfilling missing fields of supported template. |
|
I'm retitling to make sure this is tracked along with the BZ issue. Same need to be done with the upcoming counterpart PR for the machine API Operator. |
openshift-ci-robot
changed the title
openshift-ci-robot
added
the
bugzilla/valid-bug
|
@Danil-Grigorev: This pull request references Bugzilla bug 1815219, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Danil-Grigorev
force-pushed
the
aws-conditions
branch
from
39ea1f5
to
e2f5f03
Compare
|
I've manually verified that this works with openshift/machine-api-operator#557 to create the expected policy on the user |
|
lgtm as well @joelddiaz @dgoodwin you folks good to merge? |
Danil-Grigorev
force-pushed
the
aws-conditions
branch
from
e2f5f03
to
03c7750
Compare
|
thanks @Danil-Grigorev ping @joelddiaz :) |
| Effect string | ||
| Action []string | ||
| Resource string | ||
| Condition minterv1.IAMPolicyCondition `json:",omitempty"` |
There was a problem hiding this comment.
Should this json tag be here? it looks like it shouldn't.
There was a problem hiding this comment.
No, it is necessary, as an empty condition in the template is not accepted by AWS validation
| @@ -38,6 +38,8 @@ type StatementEntry struct { | |||
| Action []string `json:"action"` | |||
| // Resource specifies the object(s) this statement should apply to. (or "*" for all) | |||
| Resource string `json:"resource"` | |||
| // Condition specifies under which condition StatementEntry will apply | |||
| Condition IAMPolicyCondition `json:"condition,omitempty"` | |||
There was a problem hiding this comment.
I'd prefer "iamPolicyCondition" or "policyCondition" to "condition" for the json key. Condition collides a little too much with typical status.conditions.
There was a problem hiding this comment.
Ok, fixing now.
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
Danil-Grigorev
force-pushed
the
aws-conditions
branch
from
03c7750
to
019d973
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, Danil-Grigorev, dgoodwin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@Danil-Grigorev: Some pull requests linked via external trackers have merged: openshift/cloud-credential-operator#181. The following pull requests linked via external trackers have not merged:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Added support for conditions in AWS provider
Allows to use the same form as JSON conditions to specify rules to apply - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html