New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1815219: CO-876: allow defining Conditions in AWS CredentialsRequest #181
Bug 1815219: CO-876: allow defining Conditions in AWS CredentialsRequest #181
Conversation
/assign @JoelSpeed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there are any tests covering this, would be good to update the test cases to give a couple of examples of using the Conditions in the tests
|
||
// NotEquals appends NotEquals prefix to the condition | ||
func (c AWSConditionType) NotEquals() AWSConditionType { | ||
return c + "NotEquals" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would a condition type of StringNotEquals
unmarshal from JSON correctly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It totally will, as it will undergo only a raw encoding to internal golang structure, where the types are still raw strings.
// String elements that restrict access based on comparing a key to a string value. | ||
String AWSConditionType = "String" | ||
// Numeric elements that restrict access based on comparing a key to an integer or decimal value. | ||
Numeric AWSConditionType = "Numeric" | ||
// Date elements that restrict access based on comparing a key to a date/time value. | ||
Date AWSConditionType = "Date" | ||
// Bool elements that restrict access based on comparing a key to "true" or "false." | ||
Bool AWSConditionType = "Bool" | ||
// Arn elements that restrict access based on comparing a key to an ARN. | ||
Arn AWSConditionType = "Arn" | ||
// Null check if a condition key is present at the time of authorization. | ||
Null AWSConditionType = "Null" | ||
// Binary elements that test key values that are in binary format. | ||
Binary AWSConditionType = "Binary" | ||
// IPAddress restrict access based on comparing a key to an IPv4 or IPv6 address or range of IP addresses. | ||
IPAddress AWSConditionType = "IpAddress" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be worth suffixing these with ConditionType
? Eg StringConditionType
to make it more obvious what they are for and also distinguish them from other potentially exported fields that could be added at a later date
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, makes sense. Will update it, that sounds more cannon.
/cc @joelddiaz Here is a PR for https://issues.redhat.com/browse/CO-876 |
@@ -38,6 +38,8 @@ type StatementEntry struct { | |||
Action []string `json:"action"` | |||
// Resource specifies the object(s) this statement should apply to. (or "*" for all) | |||
Resource string `json:"resource"` | |||
// Condition specifies under which condition StatementEntry will apply | |||
Condition AWSCondition `json:"condition,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Condition AWSCondition `json:"condition,omitempty"`
-> Condition StatementEntryCondition `json:"condition,omitempty"`
@@ -49,3 +51,71 @@ type AWSProviderStatus struct { | |||
// Policy is the name of the policy attached to the user in AWS. | |||
Policy string `json:"policy"` | |||
} | |||
|
|||
// AWSCondition - map of condition types, with associated key - value mapping | |||
type AWSCondition map[AWSConditionType]AWSConditionKeyValue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
type AWSCondition map[AWSConditionType]AWSConditionKeyValue | |
type StatementEntryCondition map[AWSIAMPolicyConditionType]AWSIAMPolicyConditionKeyValue |
// AWSCondition - map of condition types, with associated key - value mapping | ||
type AWSCondition map[AWSConditionType]AWSConditionKeyValue | ||
|
||
// AWSConditionKeyValue - mapping of values for the chousen type |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// AWSConditionKeyValue - mapping of values for the chousen type | |
// AWSConditionKeyValue - mapping of values for the chosen type |
type AWSCondition map[AWSConditionType]AWSConditionKeyValue | ||
|
||
// AWSConditionKeyValue - mapping of values for the chousen type | ||
type AWSConditionKeyValue map[string]interface{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
type AWSConditionKeyValue map[string]interface{} | |
type AWSIAMPolicyConditionKeyValue map[string]interface{} |
type AWSConditionKeyValue map[string]interface{} | ||
|
||
// AWSConditionType provides condition operators to match the condition key and value in the policy against values in the request context | ||
type AWSConditionType string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
type AWSConditionType string | |
type AWSIAMPolicyConditionType string |
return "Not" + c | ||
} | ||
|
||
// IgnoreCase appends IgnoreCase prefix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// IgnoreCase appends IgnoreCase prefix to the condition | |
// IgnoreCase appends IgnoreCase suffix to the condition |
return c + "IgnoreCase" | ||
} | ||
|
||
// Equals appends Equals prefix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Equals appends Equals prefix to the condition | |
// Equals appends Equals suffix to the condition |
return c + "Equals" | ||
} | ||
|
||
// NotEquals appends NotEquals prefix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// NotEquals appends NotEquals prefix to the condition | |
// NotEquals appends NotEquals suffix to the condition |
return c + "NotEquals" | ||
} | ||
|
||
// Like appends Like prefix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Like appends Like prefix to the condition | |
// Like appends Like suffix to the condition |
return c + "Like" | ||
} | ||
|
||
// NotLike appends NotLike prefix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// NotLike appends NotLike prefix to the condition | |
// NotLike appends NotLike suffix to the condition |
return c + "NotLike" | ||
} | ||
|
||
// LessThan appends LessThan prefix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// LessThan appends LessThan prefix to the condition | |
// LessThan appends LessThan suffix to the condition |
return c + "LessThan" | ||
} | ||
|
||
// GreaterThan appends GreaterThan prefix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// GreaterThan appends GreaterThan prefix to the condition | |
// GreaterThan appends GreaterThan suffix to the condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why all the defining of AWSCondition type constants and all the ConditionType modifiers? CCO doesn't really parse or populate these fields as they are simply passed on to the AWS IAM API calls. And these functions allow building invalid text (DateNotEqualsGreaterThan
).
I would have done something more simple like:
type AWSIAMPolicyConditionKeyValue map[string]interface{}
and
type AWSIAMCondition map[string]AWSIAMPolicyConditionKeyValue
Many of the keys for conditions will end up with extra qualifiers when defining a set of conditions.
"Condition": {
"ForAllValues:DateNotEquals": {
"aws:EpochTime": "123"
},
"ForAllValues:StringEquals": {
"aws:PrincipalAccount": "abcd",
"aws:PrincipalArn": "12345"
},
"StringEquals": {
"aws:userid": "usera"
}
}
TL;DR: What is the benefit of adding all these formal definitions of the AWS IAM condition types? It feels like CCO will be out of step with AWS if/when new modifiers are added as valid condition modifiers.
@joelddiaz Sorry, looking at the PR now, I can't see a reason for presence of AWS IAM condition types, or it will actually be a total overhead for the scope of the PR. Agree with you, going to remove unnecessary parts and change naming. |
@joelddiaz Tested this PR in my setup, works fine for any combination of conditions. I addressed concerns around constants, and decided to remove them, as it sounded clear that is not the thing needed for a static template provided externally. @JoelSpeed I hope this integration is enough to cover the needs for the conditions. In case the tests are still needed to display the usage, I have a sample part to update the PR on request, but aside from that the tests are of no use here. This PR is sufficient in it's stage, as it is only backfilling missing fields of supported template. |
I'm retitling to make sure this is tracked along with the BZ issue. Same need to be done with the upcoming counterpart PR for the machine API Operator. |
@Danil-Grigorev: This pull request references Bugzilla bug 1815219, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
39ea1f5
to
e2f5f03
Compare
I've manually verified that this works with openshift/machine-api-operator#557 to create the expected policy on the user |
lgtm as well @joelddiaz @dgoodwin you folks good to merge? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks good. can you please squash the committs? then we can get this merged
e2f5f03
to
03c7750
Compare
thanks @Danil-Grigorev ping @joelddiaz :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks good to me.
@dgoodwin maybe a second set of eyes here before we merge this..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just two nits.
Effect string | ||
Action []string | ||
Resource string | ||
Condition minterv1.IAMPolicyCondition `json:",omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this json tag be here? it looks like it shouldn't.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it is necessary, as an empty condition in the template is not accepted by AWS validation
@@ -38,6 +38,8 @@ type StatementEntry struct { | |||
Action []string `json:"action"` | |||
// Resource specifies the object(s) this statement should apply to. (or "*" for all) | |||
Resource string `json:"resource"` | |||
// Condition specifies under which condition StatementEntry will apply | |||
Condition IAMPolicyCondition `json:"condition,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer "iamPolicyCondition" or "policyCondition" to "condition" for the json key. Condition collides a little too much with typical status.conditions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, fixing now.
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
03c7750
to
019d973
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, Danil-Grigorev, dgoodwin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest Please review the full test history for this PR and help us cut down flakes. |
@Danil-Grigorev: Some pull requests linked via external trackers have merged: openshift/cloud-credential-operator#181. The following pull requests linked via external trackers have not merged:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Added support for conditions in AWS provider
Allows to use the same form as JSON conditions to specify rules to apply - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html