provide a way to request escalating scopes

Author: deads2k

pkg/authorization/authorizer/scope/converter.go

@@ -140,43 +140,56 @@ func (clusterRoleEvaluator) Handles(scope string) bool {
 }
 
 func (e clusterRoleEvaluator) Validate(scope string) error {
-	_, _, err := e.getRoleNamespace(scope)
+	_, _, _, err := e.parseScope(scope)
 	return err
 }
 
-func (e clusterRoleEvaluator) getRoleNamespace(scope string) (string, string, error) {
+// parseScope parses the requested scope, determining the requested role name, namespace, and if
+// access to escalating objects is required.  It will return an error if it doesn't parse cleanly
+func (e clusterRoleEvaluator) parseScope(scope string) (string /*role name*/, string /*namespace*/, bool /*escalating*/, error) {
 	if !e.Handles(scope) {
-		return "", "", fmt.Errorf("bad format for scope %v", scope)
+		return "", "", false, fmt.Errorf("bad format for scope %v", scope)
 	}
+	escalating := false
+	if strings.HasSuffix(scope, ":!") {
+		escalating = true
+		// clip that last segment before parsing the rest
+		scope = scope[:strings.LastIndex(scope, ":")]
+	}
+
 	tokens := strings.SplitN(scope, ":", 2)
 	if len(tokens) != 2 {
-		return "", "", fmt.Errorf("bad format for scope %v", scope)
+		return "", "", false, fmt.Errorf("bad format for scope %v", scope)
 	}
 
 	// namespaces can't have colons, but roles can.  pick last.
 	lastColonIndex := strings.LastIndex(tokens[1], ":")
 	if lastColonIndex <= 0 || lastColonIndex == (len(tokens[1])-1) {
-		return "", "", fmt.Errorf("bad format for scope %v", scope)
+		return "", "", false, fmt.Errorf("bad format for scope %v", scope)
 	}
 
-	return tokens[1][0:lastColonIndex], tokens[1][lastColonIndex+1:], nil
+	return tokens[1][0:lastColonIndex], tokens[1][lastColonIndex+1:], escalating, nil
 }
 
 func (e clusterRoleEvaluator) Describe(scope string) string {
-	roleName, scopeNamespace, err := e.getRoleNamespace(scope)
+	roleName, scopeNamespace, escalating, err := e.parseScope(scope)
 	if err != nil {
 		return err.Error()
 	}
+	escalatingPhrase := "including any escalating resources like secrets"
+	if !escalating {
+		escalatingPhrase = "excluding any escalating resources like secrets"
+	}
 
 	if scopeNamespace == authorizationapi.ScopesAllNamespaces {
-		return roleName + " access in all projects"
+		return roleName + " access in all projects, " + escalatingPhrase
 	}
 
-	return roleName + " access in the " + scopeNamespace + " project"
+	return roleName + " access in the " + scopeNamespace + " project, " + escalatingPhrase
 }
 
 func (e clusterRoleEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter rulevalidation.ClusterPolicyGetter) ([]authorizationapi.PolicyRule, error) {
-	roleName, scopeNamespace, err := e.getRoleNamespace(scope)
+	roleName, scopeNamespace, escalating, err := e.parseScope(scope)
 	if err != nil {
 		return nil, err
 	}
@@ -198,21 +211,25 @@ func (e clusterRoleEvaluator) ResolveRules(scope, namespace string, clusterPolic
 
 	rules := []authorizationapi.PolicyRule{}
 	for _, rule := range role.Rules {
+		if escalating {
+			rules = append(rules, rule)
+			continue
+		}
+
 		// rules with unbounded access shouldn't be allowed in scopes.
 		if rule.Verbs.Has(authorizationapi.VerbAll) || rule.Resources.Has(authorizationapi.ResourceAll) || getAPIGroupSet(rule).Has(authorizationapi.APIGroupAll) {
 			continue
 		}
-
 		// rules that allow escalating resource access should be cleaned.
 		safeRule := removeEscalatingResources(rule)
-
 		rules = append(rules, safeRule)
 	}
 
 	return rules, nil
 }
 
-// removeEscalatingResources has coarse logic for now.  It is possible to rewrite one rule into many for the finest grain control
+// removeEscalatingResources inspects a PolicyRule and removes any references to escalating resources.
+// It has coarse logic for now.  It is possible to rewrite one rule into many for the finest grain control
 // but removing the entire matching resource regardless of verb or secondary group is cheaper, easier, and errs on the side removing
 // too much, not too little
 func removeEscalatingResources(in authorizationapi.PolicyRule) authorizationapi.PolicyRule {

pkg/authorization/authorizer/scope/converter_test.go

@@ -251,6 +251,17 @@ func TestEscalationProtection(t *testing.T) {
 			expectedRules: []authorizationapi.PolicyRule{authorizationapi.DiscoveryRule, {APIGroups: []string{"", "and-foo"}, Resources: sets.NewString("pods")}},
 			scopes:        []string{ClusterRoleIndicator + "admin:*"},
 		},
+		{
+			name: "allow the escalation",
+			clusterRoles: []authorizationapi.ClusterRole{
+				{
+					ObjectMeta: kapi.ObjectMeta{Name: "admin"},
+					Rules:      []authorizationapi.PolicyRule{{APIGroups: []string{""}, Resources: sets.NewString("pods", "secrets")}},
+				},
+			},
+			expectedRules: []authorizationapi.PolicyRule{authorizationapi.DiscoveryRule, {APIGroups: []string{""}, Resources: sets.NewString("pods", "secrets")}},
+			scopes:        []string{ClusterRoleIndicator + "admin:*:!"},
+		},
 	}
 
 	for _, tc := range testCases {

test/integration/scopes_test.go

@@ -7,6 +7,7 @@ import (
 
 	kapi "k8s.io/kubernetes/pkg/api"
 	kapierrors "k8s.io/kubernetes/pkg/api/errors"
+	kclient "k8s.io/kubernetes/pkg/client/unversioned"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 
 	"github.com/openshift/origin/pkg/authorization/authorizer/scope"
@@ -92,3 +93,83 @@ func TestScopedTokens(t *testing.T) {
 		t.Fatalf("missing error: %v got user %#v", err, impersonatedUser)
 	}
 }
+
+func TestScopeEscalations(t *testing.T) {
+	testutil.RequireEtcd(t)
+	_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	projectName := "hammer-project"
+	userName := "harold"
+	haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, userName)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if _, err := haroldClient.Builds(projectName).List(kapi.ListOptions{}); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	haroldUser, err := haroldClient.Users().Get("~")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	nonEscalatingEditToken := &oauthapi.OAuthAccessToken{
+		ObjectMeta: kapi.ObjectMeta{Name: "non-escalating-edit-plus-some-padding-here-to-make-the-limit"},
+		ClientName: "any-client",
+		ExpiresIn:  200,
+		Scopes:     []string{scope.ClusterRoleIndicator + "edit:*"},
+		UserName:   userName,
+		UserUID:    string(haroldUser.UID),
+	}
+	if _, err := clusterAdminClient.OAuthAccessTokens().Create(nonEscalatingEditToken); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	nonEscalatingEditConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
+	nonEscalatingEditConfig.BearerToken = nonEscalatingEditToken.Name
+	nonEscalatingEditClient, err := kclient.New(&nonEscalatingEditConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if _, err := nonEscalatingEditClient.Secrets(projectName).List(kapi.ListOptions{}); !kapierrors.IsForbidden(err) {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	escalatingEditToken := &oauthapi.OAuthAccessToken{
+		ObjectMeta: kapi.ObjectMeta{Name: "escalating-edit-plus-some-padding-here-to-make-the-limit"},
+		ClientName: "any-client",
+		ExpiresIn:  200,
+		Scopes:     []string{scope.ClusterRoleIndicator + "edit:*:!"},
+		UserName:   userName,
+		UserUID:    string(haroldUser.UID),
+	}
+	if _, err := clusterAdminClient.OAuthAccessTokens().Create(escalatingEditToken); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	escalatingEditConfig := clientcmd.AnonymousClientConfig(clusterAdminClientConfig)
+	escalatingEditConfig.BearerToken = escalatingEditToken.Name
+	escalatingEditClient, err := kclient.New(&escalatingEditConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if _, err := escalatingEditClient.Secrets(projectName).List(kapi.ListOptions{}); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}