def get_response(req, debug=False):
if debug:
print("REQUEST BODY => {}".format(req.json))
try:
body_dict = req.json['request']
username = body_dict['userInfo']['username']
groups = body_dict['userInfo']['groups']
if is_request_allowed(username, groups, admin_groups):
return responses.response_allow(req=body_dict)
else:
if body_dict['object'] is None:
kind = body_dict['oldObject']['kind']
else:
kind = body_dict['object']['kind']
operation = body_dict['operation']
return responses.response_deny(
req=body_dict,
msg="Regular user '{}' cannot {} kind '{}'.".format(
username, operation, kind))
except Exception:
print("Exception:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
return responses.response_invalid()
def get_response(req, debug=False):
try:
body_dict = req.json['request']
requester_group_memberships = []
if 'userInfo' in body_dict:
if 'groups' in body_dict['userInfo']:
requester_group_memberships = body_dict['userInfo']['groups']
else:
return responses.response_invalid()
if "dedicated-admins" in requester_group_memberships:
requested_ns = body_dict['namespace']
privileged_namespace_re = '(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$|^redhat-.*)'
# match will return a match object if the namespace matches the regex, or None if the namespace doesn't match the regex
if re.match(privileged_namespace_re, requested_ns) is not None:
DENIED_NAMESPACE.inc()
return responses.response_deny(
req=body_dict,
msg="You cannot update the privileged namespace {}.".
format(requested_ns))
else:
return responses.response_allow(req=body_dict)
else:
return responses.response_allow(req=body_dict)
except Exception:
print("Exception:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
return responses.response_invalid()
def get_response(req, debug=False):
try:
body_dict = req.json['request']
# If trying to delete a group, must get group name from oldObject instead of object
if body_dict['object'] is None:
group_name = body_dict['oldObject']['metadata']['name']
else:
group_name = body_dict['object']['metadata']['name']
userinfo = {}
if 'userInfo' in body_dict:
userinfo = body_dict['userInfo']
user_groups = []
if 'groups' in userinfo:
user_groups = userinfo['groups']
user_name = None
if 'username' in userinfo:
user_name = userinfo['username']
if user_name in ("kube:admin", "system:admin"):
# kube/system admin can do anything
if debug:
print("Performing action: {} in {} group for {}".format(
body_dict['operation'], group_name, userinfo['username']))
return responses.response_allow(req=body_dict)
if re.match(protected_group_regex, group_name) is not None:
# attempted operation on a protected group
if debug:
print("Performing action: {} in {} group".format(
body_dict['operation'], group_name))
if len(set(user_groups) & set(admin_groups)) > 0:
# user is a member of admin groups, this is allowed
response_body = responses.response_allow(
req=body_dict,
msg="{} group {}".format(body_dict['operation'],
group_name))
else:
# user is NOT a member of admin groups, this is denied
deny_msg = "User not authorized to {} group {}".format(
body_dict['operation'], group_name)
response_body = responses.response_deny(req=body_dict,
msg=deny_msg)
else:
# was not a protected group, so we can let it through
response_body = responses.response_allow(req=body_dict)
if debug:
print("Response body => {}".format(response_body))
return response_body
except Exception:
print("Exception when trying to access attributes. Request body: {}".
format(req.json))
print("Backtrace:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
return responses.response_invalid()
def handle_request():
# inc total group counter
TOTAL_GROUP.inc()
debug = os.getenv("DEBUG_GROUP_VALIDATION", "False")
debug = (debug == "True")
if debug:
print("REQUEST BODY => {}".format(request.json))
valid = True
try:
valid = validate.validate_request_structure(request.json)
except:
valid = False
if not valid:
# inc denied group counter
DENIED_GROUP.inc()
return responses.response_invalid()
try:
body_dict = request.json['request']
# If trying to delete a group, must get group name from oldObject instead of object
if body_dict['object'] is None:
group_name = body_dict['oldObject']['metadata']['name']
else:
group_name = body_dict['object']['metadata']['name']
userinfo = body_dict['userInfo']
if userinfo['username'] in ("kube:admin", "system:admin"):
# kube/system admin can do anything
if debug:
print("Performing action: {} in {} group for {}".format(body_dict['operation'], group_name, userinfo['username']))
return responses.response_allow(req=body_dict)
if group_name.startswith(group_prefix):
if debug:
print("Performing action: {} in {} group".format(body_dict['operation'], group_name))
if len(set(userinfo['groups']) & set(admin_groups)) > 0:
response_body = responses.response_allow(req=body_dict, msg="{} group {}".format(body_dict['operation'], group_name))
else:
deny_msg = "User not authorized to {} group {}".format(body_dict['operation'], group_name)
response_body = responses.response_deny(req=body_dict, msg=deny_msg)
else:
response_body = responses.response_allow(req=body_dict)
if debug:
print("Response body => {}".format(response_body))
return response_body
except Exception:
print("Exception when trying to access attributes. Request body: {}".format(request.json))
print("Backtrace:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
return responses.response_invalid()
def get_response(request, debug=False):
try:
body_dict = request.json['request']
# If trying to delete a user, must get user name from oldObject instead of object
if body_dict['object'] is None:
identity_name = body_dict['oldObject']['metadata']['name']
provider_name = body_dict['oldObject']['providerName']
else:
identity_name = body_dict['object']['metadata']['name']
provider_name = body_dict['object']['providerName']
userinfo = body_dict['userInfo']
if userinfo['username'] in (
"kube:admin", "system:admin",
"system:serviceaccount:openshift-authentication:oauth-openshift"
):
# kube/system admin can do anything
if debug:
print("Performing action: {} on identity {} by {}".format(
body_dict['operation'], identity_name,
userinfo['username']))
return responses.response_allow(req=body_dict)
if provider_name == identity_provider:
if debug:
print("Performing action: {} on {} identity".format(
body_dict['operation'], identity_name))
if len(set(userinfo['groups']) & set(admin_groups)) > 0:
response_body = responses.response_allow(
req=body_dict,
msg="{} identity {}".format(body_dict['operation'],
identity_name))
else:
deny_msg = "User not authorized to {} identity {}".format(
body_dict['operation'], identity_name)
response_body = responses.response_deny(req=body_dict,
msg=deny_msg)
DENIED_IDENTITY.inc()
else:
response_body = responses.response_allow(req=body_dict)
if debug:
print("Response body => {}".format(response_body))
return response_body
except Exception:
print("Exception when trying to access attributes. Request body: {}".
format(request.json))
print("Backtrace:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
return responses.response_invalid()
def get_response(req, debug=False):
try:
body_dict = req.json['request']
userinfo = body_dict['userInfo']
requester_group_memberships = userinfo['groups']
privileged_namespace_re = '(^kube.*|^openshift.*|^default$|^redhat.*)'
requested_ns = body_dict['namespace']
cluster_admin_users = ["kube:admin", "system:admin"]
# check to see if requester is a serviceAccount in a privileged NS
# if so, SA can edit any namespace
# re.match will return a match object if the namespace matches the regex,
# or None if the string doesn't match the regex
privileged_serviceaccount_re = '^system:serviceaccounts:(kube.*|openshift.*|default|redhat.*)'
for group in requester_group_memberships:
if re.match(privileged_serviceaccount_re, group) is not None:
return responses.response_allow(req=body_dict)
# check to see if user in layered-sre-cluster-admins group
# if so, user can edit privileged namespaces matching '^redhat.*'
if (re.match('^redhat.*', requested_ns) is not None and
"layered-sre-cluster-admins" in requester_group_memberships):
return responses.response_allow(req=body_dict)
# check to see if the NS is privileged. if it is, we only want SRE,
# kube:admin, and system:admin editing it
if re.match(privileged_namespace_re, requested_ns) is not None:
if ("osd-sre-admins" in requester_group_memberships
or "osd-sre-cluster-admins" in requester_group_memberships
or userinfo['username'] in cluster_admin_users):
return responses.response_allow(req=body_dict)
else:
DENIED_NAMESPACE.inc()
return responses.response_deny(
req=body_dict,
msg="You cannot update the privileged namespace {}.".
format(requested_ns))
# if we're here, the requested NS is not a privileged NS, and webhook can
# allow RBAC to handle whether user is permitted to edit NS or not
return responses.response_allow(req=body_dict)
except Exception:
print("Exception:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
DENIED_NAMESPACE.inc()
return responses.response_invalid()
def handle_request():
# inc total subscription counter
TOTAL_SUBSCRIPTION.inc()
debug = os.getenv("DEBUG_SUBSCRIPTION_VALIDATION", "False")
debug = (debug == "True")
if debug:
print("REQUEST BODY => {}".format(request.json))
valid = True
try:
valid = validate.validate_request_structure(request.json)
except Exception:
valid = False
if not valid:
# inc denied subscription counter
DENIED_SUBSCRIPTION.inc()
return responses.response_invalid()
try:
body_dict = request.json['request']
requester_group_memberships = body_dict['userInfo']['groups']
if "dedicated-admins" in requester_group_memberships:
if body_dict['object']['spec'][
'sourceNamespace'] not in valid_source_namespaces:
return responses.response_deny(
req=body_dict,
msg="You cannot manage Subscriptions that target {}.".
format(body_dict['object']['spec']['sourceNamespace']))
else:
return responses.response_allow(req=body_dict)
else:
return responses.response_allow(req=body_dict)
except Exception:
print("Exception:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
return responses.response_invalid()
def handle_request():
# inc total namespace counter
TOTAL_NAMESPACE.inc()
debug = os.getenv("DEBUG_NAMESPACE_VALIDATION", "False")
debug = (debug == "True")
if debug:
print("REQUEST BODY => {}".format(request.json))
valid = True
try:
valid = validate.validate_request_structure(request.json)
except Exception:
valid = False
if not valid:
# inc denied namespace counter
DENIED_NAMESPACE.inc()
return responses.response_invalid()
try:
body_dict = request.json['request']
requester_group_memberships = body_dict['userInfo']['groups']
if "dedicated-admins" in requester_group_memberships:
requested_ns = body_dict['namespace']
privileged_namespace_re = '(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$|^redhat-.*)'
# match will return a match object if the namespace matches the regex, or None if the namespace doesn't match the regex
if re.match(privileged_namespace_re, requested_ns) is not None:
return responses.response_deny(req=body_dict, msg="You cannot update the privileged namespace {}.".format(requested_ns))
else:
return responses.response_allow(req=body_dict)
else:
return responses.response_allow(req=body_dict)
except Exception:
print("Exception:")
print("-" * 60)
traceback.print_exc(file=sys.stdout)
return responses.response_invalid()