Merge pull request #13415 from enj/enj/i/covers_attribute_restrictions

Merged by openshift-bot

Author: OpenShift Bot

pkg/authorization/authorizer/scope/converter.go

@@ -177,7 +177,6 @@ func (userEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter c
 	case UserAccessCheck:
 		return []authorizationapi.PolicyRule{
 			authorizationapi.NewRule("create").Groups(kauthorizationapi.GroupName).Resources("selfsubjectaccessreviews").RuleOrDie(),
-			{Verbs: sets.NewString("create"), APIGroups: []string{authorizationapi.GroupName, authorizationapi.LegacyGroupName}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
 			authorizationapi.NewRule("create").Groups(authorizationapi.GroupName, authorizationapi.LegacyGroupName).Resources("selfsubjectrulesreviews").RuleOrDie(),
 		}, nil
 	case UserListScopedProjects:

pkg/authorization/authorizer/scope/converter_test.go

@@ -45,12 +45,12 @@ func TestUserEvaluator(t *testing.T) {
 		{
 			name:     "access",
 			scopes:   []string{UserAccessCheck},
-			numRules: 4,
+			numRules: 3,
 		},
 		{
 			name:     "both",
 			scopes:   []string{UserInfo, UserAccessCheck},
-			numRules: 5,
+			numRules: 4,
 		},
 		{
 			name:     "list--scoped-projects",

pkg/authorization/rulevalidation/policy_comparator.go

@@ -47,11 +47,16 @@ func Covers(ownerRules, servantRules []authorizationapi.PolicyRule) (bool, []aut
 func BreakdownRule(rule authorizationapi.PolicyRule) []authorizationapi.PolicyRule {
 	subrules := []authorizationapi.PolicyRule{}
 
+	// A rule with an attribute restriction is ignored and thus is the same as having no rule at all
+	if rule.AttributeRestrictions != nil {
+		return subrules
+	}
+
 	for _, group := range rule.APIGroups {
 		subrules = append(subrules, breakdownRuleForGroup(group, rule)...)
 	}
 
-	// if no groups are present, then the default group is assumed.  Buidl the subrules, then strip the groups
+	// if no groups are present, then the default group is assumed.  Build the subrules, then strip the groups
 	if len(rule.APIGroups) == 0 {
 		for _, subrule := range breakdownRuleForGroup("", rule) {
 			subrule.APIGroups = nil
@@ -91,6 +96,11 @@ func breakdownRuleForGroup(group string, rule authorizationapi.PolicyRule) []aut
 // ruleCovers determines whether the ownerRule (which may have multiple verbs, resources, and resourceNames) covers
 // the subrule (which may only contain at most one verb, resource, and resourceName)
 func ruleCovers(ownerRule, subrule authorizationapi.PolicyRule) bool {
+	// A rule with an attribute restriction is ignored and thus it can never cover another rule
+	if ownerRule.AttributeRestrictions != nil {
+		return false
+	}
+
 	allResources := authorizationapi.NormalizeResources(ownerRule.Resources)
 
 	ownerGroups := sets.NewString(ownerRule.APIGroups...)

pkg/authorization/rulevalidation/policy_comparator_test.go

@@ -411,6 +411,118 @@ func TestMixedResourceNonResourceUncovered(t *testing.T) {
 	}.test(t)
 }
 
+func TestAttributeRestrictionsCovering(t *testing.T) {
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
+		},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.Role{}},
+		},
+
+		expectedCovered:        true,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds")},
+		},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.Role{}},
+		},
+
+		expectedCovered:        true,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
+			{Verbs: sets.NewString("update"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.Role{}},
+		},
+		servantRules: []authorizationapi.PolicyRule{},
+
+		expectedCovered:        true,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.Role{}},
+			{Verbs: sets.NewString("update"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
+		},
+
+		expectedCovered:        true,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("pods")},
+		},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.Role{}},
+			{Verbs: sets.NewString("update"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
+			{Verbs: sets.NewString("delete"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.ClusterRole{}},
+			{Verbs: sets.NewString("impersonate"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.ClusterPolicyBinding{}},
+		},
+
+		expectedCovered:        true,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString(authorizationapi.VerbAll), Resources: sets.NewString(authorizationapi.ResourceAll), AttributeRestrictions: &authorizationapi.Role{}},
+		},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.Role{}},
+			{Verbs: sets.NewString("update"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
+			{Verbs: sets.NewString("delete"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.ClusterRole{}},
+			{Verbs: sets.NewString("impersonate"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.ClusterPolicyBinding{}},
+		},
+
+		expectedCovered:        true,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
+		},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds")},
+		},
+
+		expectedCovered: false,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("create"), Resources: sets.NewString("builds")},
+		},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("delete"), Resources: sets.NewString("builds"), AttributeRestrictions: &authorizationapi.Role{}},
+		},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("delete"), Resources: sets.NewString("builds")},
+		},
+
+		expectedCovered: false,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("delete"), Resources: sets.NewString("builds")},
+		},
+	}.test(t)
+	escalationTest{
+		ownerRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString(authorizationapi.VerbAll), Resources: sets.NewString(authorizationapi.ResourceAll), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
+		},
+		servantRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("delete"), Resources: sets.NewString("builds")},
+		},
+
+		expectedCovered: false,
+		expectedUncoveredRules: []authorizationapi.PolicyRule{
+			{Verbs: sets.NewString("delete"), Resources: sets.NewString("builds")},
+		},
+	}.test(t)
+}
+
 func (test escalationTest) test(t *testing.T) {
 	actualCovered, actualUncoveredRules := Covers(test.ownerRules, test.servantRules)
 

pkg/cmd/server/bootstrappolicy/policy.go

@@ -476,7 +476,6 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 				authorizationapi.NewRule("list").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
 				authorizationapi.NewRule("list", "watch").Groups(projectGroup, legacyProjectGroup).Resources("projects").RuleOrDie(),
 				authorizationapi.NewRule("create").Groups(authzGroup, legacyAuthzGroup).Resources("selfsubjectrulesreviews").RuleOrDie(),
-				{Verbs: sets.NewString("create"), APIGroups: []string{authzGroup, legacyAuthzGroup}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
 				authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("selfsubjectaccessreviews").RuleOrDie(),
 			},
 		},
@@ -489,7 +488,6 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 			},
 			Rules: []authorizationapi.PolicyRule{
 				authorizationapi.NewRule("create").Groups(authzGroup, legacyAuthzGroup).Resources("selfsubjectrulesreviews").RuleOrDie(),
-				{Verbs: sets.NewString("create"), APIGroups: []string{authzGroup, legacyAuthzGroup}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
 				authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("selfsubjectaccessreviews").RuleOrDie(),
 			},
 		},

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -1630,17 +1630,6 @@ items:
     - selfsubjectrulesreviews
     verbs:
     - create
-  - apiGroups:
-    - authorization.openshift.io
-    - ""
-    attributeRestrictions:
-      apiVersion: authorization.openshift.io/v1
-      kind: IsPersonalSubjectAccessReview
-    resources:
-    - localsubjectaccessreviews
-    - subjectaccessreviews
-    verbs:
-    - create
   - apiGroups:
     - authorization.k8s.io
     attributeRestrictions: null
@@ -1664,17 +1653,6 @@ items:
     - selfsubjectrulesreviews
     verbs:
     - create
-  - apiGroups:
-    - authorization.openshift.io
-    - ""
-    attributeRestrictions:
-      apiVersion: authorization.openshift.io/v1
-      kind: IsPersonalSubjectAccessReview
-    resources:
-    - localsubjectaccessreviews
-    - subjectaccessreviews
-    verbs:
-    - create
   - apiGroups:
     - authorization.k8s.io
     attributeRestrictions: null