feat: add support for user and groups impersonation

prometherion · web-flow · commit 1ccf00ff5539 · 2022-07-13T17:29:02.000+02:00
As Capsule Proxy proxies requests to the Kubernetes API server, it uses its own identity to impersonate the identity of the incoming request, towards the API server.
As of now, if the incoming request is in turn trying to impersonate a user and possibly groups, the impersonation headers are ignored and overridden by Capsule Proxy with the identity of the incoming request.

As such, Capsule Proxy proxies now requests to the API server impersonating on behalf of the identity of the incoming request, the user and the groups that that identity is trying to impersonate, if and only if, the token of that identity has required permissions bound.
diff --git a/Makefile b/Makefile
@@ -28,6 +28,7 @@ kind:
 
 capsule:
 	@echo "Installing capsule..."
+	@sleep 5
 	@helm repo add clastix https://clastix.github.io/charts
 	@helm upgrade --install --create-namespace --namespace capsule-system capsule clastix/capsule \
 		--set "manager.resources=null" \
@@ -55,7 +56,8 @@ ifeq ($(CAPSULE_PROXY_MODE),http)
 		--set "service.nodePort=" \
 		--set "kind=DaemonSet" \
 		--set "daemonset.hostNetwork=true" \
-		--set "serviceMonitor.enabled=false"
+		--set "serviceMonitor.enabled=false" \
+		--set "options.generateCertificates=false"
 else
 	@echo "Running in HTTPS mode"
 	@echo "capsule proxy certificates..."
diff --git a/e2e/kubectl-https-tests/namespaces/list.bats b/e2e/kubectl-https-tests/namespaces/list.bats
@@ -72,7 +72,7 @@ namespace/oil-staging"
   echo "User" >&3
   run kubectl --kubeconfig=${HACK_DIR}/alice.kubeconfig get namespace default
   [ $status -eq 1 ]
-  [ "${lines[0]}" = 'Error from server (Forbidden): namespaces "default" is forbidden: User "alice" cannot get resource "namespaces" in API group "" in the namespace "default"' ]
+  [ "${lines[0]}" = 'Error from server (NotFound): namespace "default" not found' ]
   run kubectl --kubeconfig=${HACK_DIR}/alice.kubeconfig --namespace default get pods
   [ $status -eq 1 ]
   [ "${lines[0]}" = 'Error from server (Forbidden): pods is forbidden: User "alice" cannot list resource "pods" in API group "" in the namespace "default"' ]
diff --git a/e2e/run.bash b/e2e/run.bash
@@ -7,7 +7,7 @@ HACK_DIR="$(git rev-parse --show-toplevel)/hack"
 export HACK_DIR
 
 echo ">>> Waiting for capsule-proxy pod to be ready for accepting requests"
-kubectl --namespace capsule-system wait --for=condition=ready --timeout=320s pod -l app.kubernetes.io/instance=capsule-proxy
+kubectl --namespace capsule-system wait --for=condition=ready --timeout=320s pod -l app.kubernetes.io/name=capsule-proxy
 
 echo ">>> Waiting for capsule pod to be ready for accepting requests"
 kubectl --namespace capsule-system wait --for=condition=ready --timeout=320s pod -l app.kubernetes.io/instance=capsule
diff --git a/internal/request/error.go b/internal/request/error.go
@@ -0,0 +1,18 @@
+// Copyright 2020-2021 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package request
+
+type ErrUnauthorized struct {
+	message string
+}
+
+func NewErrUnauthorized(message string) *ErrUnauthorized {
+	return &ErrUnauthorized{
+		message: message,
+	}
+}
+
+func (e *ErrUnauthorized) Error() string {
+	return e.message
+}
diff --git a/internal/request/http.go b/internal/request/http.go
@@ -11,6 +11,8 @@ import (
 
 	"github.com/golang-jwt/jwt"
 	authenticationv1 "k8s.io/api/authentication/v1"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -36,28 +38,85 @@ func (h http) GetHTTPRequest() *h.Request {
 	return h.Request
 }
 
+//nolint:funlen
 func (h http) GetUserAndGroups() (username string, groups []string, err error) {
 	switch h.getAuthType() {
 	case certificateBased:
 		pc := h.TLS.PeerCertificates
 		if len(pc) == 0 {
-			err = fmt.Errorf("no provided peer certificates")
-
-			return
+			return "", nil, fmt.Errorf("no provided peer certificates")
 		}
 
 		username, groups = pc[0].Subject.CommonName, pc[0].Subject.Organization
 	case bearerBased:
 		if h.isJwtToken() {
-			return h.processJwtClaims()
+			username, groups, err = h.processJwtClaims()
+
+			break
 		}
 
-		return h.processBearerToken()
+		username, groups, err = h.processBearerToken()
 	case anonymousBased:
-		err = fmt.Errorf("capsule does not support unauthenticated users")
+		return "", nil, fmt.Errorf("capsule does not support unauthenticated users")
+	}
+	// In case of error, we're blocking the request flow here
+	if err != nil {
+		return "", nil, err
+	}
+	// In case the requester is asking for impersonation, we have to be sure that's allowed by creating a
+	// SubjectAccessReview with the requested data, before proceeding.
+	if impersonateUser := h.Request.Header.Get("Impersonate-User"); len(impersonateUser) > 0 {
+		ac := &authorizationv1.SubjectAccessReview{
+			Spec: authorizationv1.SubjectAccessReviewSpec{
+				ResourceAttributes: &authorizationv1.ResourceAttributes{
+					Verb:     "impersonate",
+					Resource: "users",
+					Name:     impersonateUser,
+				},
+				User:   username,
+				Groups: groups,
+			},
+		}
+		if err = h.client.Create(h.Request.Context(), ac); err != nil {
+			return "", nil, err
+		}
+
+		if !ac.Status.Allowed {
+			return "", nil, NewErrUnauthorized(fmt.Sprintf("the current user %s cannot impersonate the user %s", username, impersonateUser))
+		}
+		// The current user is allowed to perform authentication, allowing the override
+		username = impersonateUser
+	}
+
+	if impersonateGroups := h.Request.Header.Values("Impersonate-Group"); len(impersonateGroups) > 0 {
+		for _, impersonateGroup := range impersonateGroups {
+			ac := &authorizationv1.SubjectAccessReview{
+				Spec: authorizationv1.SubjectAccessReviewSpec{
+					ResourceAttributes: &authorizationv1.ResourceAttributes{
+						Verb:     "impersonate",
+						Resource: "groups",
+						Name:     impersonateGroup,
+					},
+					User:   username,
+					Groups: groups,
+				},
+			}
+			if err = h.client.Create(h.Request.Context(), ac); err != nil {
+				return "", nil, err
+			}
+
+			if !ac.Status.Allowed {
+				return "", nil, NewErrUnauthorized(fmt.Sprintf("the current user %s cannot impersonate the group %s", username, impersonateGroup))
+			}
+
+			if !sets.NewString(groups...).Has(impersonateGroup) {
+				// The current user is allowed to perform authentication, allowing the override
+				groups = append(groups, impersonateGroup)
+			}
+		}
 	}
 
-	return
+	return username, groups, nil
 }
 
 func (h http) processJwtClaims() (username string, groups []string, err error) {
diff --git a/internal/webserver/webserver.go b/internal/webserver/webserver.go
@@ -42,7 +42,7 @@ import (
 	"github.com/clastix/capsule-proxy/internal/options"
 	req "github.com/clastix/capsule-proxy/internal/request"
 	"github.com/clastix/capsule-proxy/internal/tenant"
-	serverr "github.com/clastix/capsule-proxy/internal/webserver/errors"
+	server "github.com/clastix/capsule-proxy/internal/webserver/errors"
 	"github.com/clastix/capsule-proxy/internal/webserver/middleware"
 )
 
@@ -143,6 +143,10 @@ func (n kubeFilter) reverseProxyMiddleware(next http.Handler) http.Handler {
 
 // nolint:interfacer
 func (n kubeFilter) handleRequest(request *http.Request, selector labels.Selector) {
+	// Sanitizing the impersonation
+	request.Header.Del("Impersonate-User")
+	request.Header.Del("Impersonate-Group")
+
 	q := request.URL.Query()
 	if e := q.Get("labelSelector"); len(e) > 0 {
 		n.log.V(4).Info("handling current labelSelector", "selector", e)
@@ -174,7 +178,14 @@ func (n kubeFilter) impersonateHandler(writer http.ResponseWriter, request *http
 	var err error
 
 	if username, groups, err = hr.GetUserAndGroups(); err != nil {
-		serverr.HandleError(writer, err, "cannot retrieve user and group")
+		msg := "cannot retrieve user and group"
+
+		var t *req.ErrUnauthorized
+		if errors.As(err, &t) {
+			server.HandleUnauthorized(writer, err, msg)
+		} else {
+			server.HandleError(writer, err, msg)
+		}
 	}
 
 	n.log.V(4).Info("impersonating for the current request", "username", username, "groups", groups)
@@ -231,7 +242,7 @@ func (n kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
 			username, groups, _ := proxyRequest.GetUserAndGroups()
 			proxyTenants, err := n.getTenantsForOwner(ctx, username, groups)
 			if err != nil {
-				serverr.HandleError(writer, err, "cannot list Tenant resources")
+				server.HandleError(writer, err, "cannot list Tenant resources")
 			}
 
 			var selector labels.Selector
@@ -245,7 +256,7 @@ func (n kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
 					_, _ = writer.Write(b)
 					panic(err.Error())
 				}
-				serverr.HandleError(writer, err, err.Error())
+				server.HandleError(writer, err, err.Error())
 			case selector == nil:
 				// if there's no selector, let it pass to the
 				n.impersonateHandler(writer, request)
