feat(controller): add impersonation group filter options (#375)

* feat(controller): add impersonation group filter options

Signed-off-by: Oliver Bähler <[email protected]>

* test(controller): add impersonation group filter options

Signed-off-by: Oliver Bähler <[email protected]>

---------

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

internal/options/kube.go

@@ -9,6 +9,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"regexp"
 	"time"
 
 	"github.com/pkg/errors"
@@ -19,25 +20,37 @@ import (
 )
 
 type kubeOpts struct {
-	authTypes     []request.AuthType
-	url           url.URL
-	ignoredGroups []string
-	claimName     string
-	config        *rest.Config
+	authTypes                  []request.AuthType
+	url                        url.URL
+	ignoredGroups              []string
+	ignoredImpersonationGroups []string
+	claimName                  string
+	impersonationGroupsRegexp  *regexp.Regexp
+	config                     *rest.Config
 }
 
-func NewKube(authTypes []request.AuthType, ignoredGroups []string, claimName string, config *rest.Config) (ListenerOpts, error) {
+func NewKube(authTypes []request.AuthType, ignoredGroups []string, claimName string, config *rest.Config, ignoredImpersonationGroups []string, impersonationGroupsString string) (ListenerOpts, error) {
 	u, err := url.Parse(config.Host)
 	if err != nil {
 		return nil, fmt.Errorf("cannot create Kubernetes Options due to failed URL parsing: %w", err)
 	}
 
+	var impersonationGroupsRegexp *regexp.Regexp
+	if impersonationGroupsString != "" {
+		impersonationGroupsRegexp, err = regexp.Compile(impersonationGroupsString)
+		if err != nil {
+			return nil, fmt.Errorf("cannot create Kubernetes Options due to failed regexp compilation: %w", err)
+		}
+	}
+
 	return &kubeOpts{
-		authTypes:     authTypes,
-		url:           *u,
-		ignoredGroups: ignoredGroups,
-		claimName:     claimName,
-		config:        config,
+		authTypes:                  authTypes,
+		url:                        *u,
+		ignoredGroups:              ignoredGroups,
+		ignoredImpersonationGroups: ignoredImpersonationGroups,
+		impersonationGroupsRegexp:  impersonationGroupsRegexp,
+		claimName:                  claimName,
+		config:                     config,
 	}, nil
 }
 
@@ -57,6 +70,14 @@ func (k kubeOpts) IgnoredGroupNames() []string {
 	return k.ignoredGroups
 }
 
+func (k kubeOpts) IgnoredImpersonationsGroups() []string {
+	return k.ignoredImpersonationGroups
+}
+
+func (k kubeOpts) ImpersonationGroupsRegexp() *regexp.Regexp {
+	return k.impersonationGroupsRegexp
+}
+
 func (k kubeOpts) PreferredUsernameClaim() string {
 	return k.claimName
 }

internal/options/listener.go

@@ -6,6 +6,7 @@ package options
 import (
 	"net/http"
 	"net/url"
+	"regexp"
 
 	"github.com/projectcapsule/capsule-proxy/internal/request"
 )
@@ -14,6 +15,8 @@ type ListenerOpts interface {
 	AuthTypes() []request.AuthType
 	KubernetesControlPlaneURL() *url.URL
 	IgnoredGroupNames() []string
+	IgnoredImpersonationsGroups() []string
+	ImpersonationGroupsRegexp() *regexp.Regexp
 	PreferredUsernameClaim() string
 	ReverseProxyTransport() (*http.Transport, error)
 	BearerToken() string

internal/request/http.go

@@ -6,6 +6,7 @@ package request
 import (
 	"fmt"
 	h "net/http"
+	"regexp"
 	"strings"
 
 	authenticationv1 "k8s.io/api/authentication/v1"
@@ -16,13 +17,15 @@ import (
 
 type http struct {
 	*h.Request
-	authTypes          []AuthType
-	usernameClaimField string
-	client             client.Writer
+	authTypes                  []AuthType
+	usernameClaimField         string
+	ignoredImpersonationGroups []string
+	impersonationGroupsRegexp  *regexp.Regexp
+	client                     client.Writer
 }
 
-func NewHTTP(request *h.Request, authTypes []AuthType, usernameClaimField string, client client.Writer) Request {
-	return &http{Request: request, authTypes: authTypes, usernameClaimField: usernameClaimField, client: client}
+func NewHTTP(request *h.Request, authTypes []AuthType, usernameClaimField string, client client.Writer, ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp) Request {
+	return &http{Request: request, authTypes: authTypes, usernameClaimField: usernameClaimField, client: client, ignoredImpersonationGroups: ignoredImpersonationGroups, impersonationGroupsRegexp: impersonationGroupsRegexp}
 }
 
 func (h http) GetHTTPRequest() *h.Request {
@@ -45,7 +48,7 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
 
 	// In case the requester is asking for impersonation, we have to be sure that's allowed by creating a
 	// SubjectAccessReview with the requested data, before proceeding.
-	if impersonateGroups := GetImpersonatingGroups(h.Request); len(impersonateGroups) > 0 {
+	if impersonateGroups := GetImpersonatingGroups(h.Request, h.ignoredImpersonationGroups, h.impersonationGroupsRegexp); len(impersonateGroups) > 0 {
 		for _, impersonateGroup := range impersonateGroups {
 			ac := &authorizationv1.SubjectAccessReview{
 				Spec: authorizationv1.SubjectAccessReviewSpec{

internal/request/http_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net/http"
 	"reflect"
+	"regexp"
 	"sort"
 	"testing"
 
@@ -45,10 +46,12 @@ func Test_http_GetUserAndGroups(t *testing.T) {
 	t.Parallel()
 
 	type fields struct {
-		Request            *http.Request
-		authTypes          []request.AuthType
-		usernameClaimField string
-		client             client.Writer
+		Request                   *http.Request
+		authTypes                 []request.AuthType
+		ignoreGroups              []string
+		ignoreImpersonationRegexp *regexp.Regexp
+		usernameClaimField        string
+		client                    client.Writer
 	}
 
 	tests := []struct {
@@ -95,7 +98,7 @@ func Test_http_GetUserAndGroups(t *testing.T) {
 				}),
 			},
 			wantUsername: "ImpersonatedUser",
-			wantGroups:   []string{"group", "ImpersonatedGroup"},
+			wantGroups:   []string{"ImpersonatedGroup"},
 			wantErr:      false,
 		},
 		{
@@ -117,6 +120,44 @@ func Test_http_GetUserAndGroups(t *testing.T) {
 			},
 			wantUsername: "",
 			wantGroups:   nil,
+			wantErr:      true,
+		},
+		{
+			name: "Certificate-Impersonation",
+			fields: fields{
+				Request: &http.Request{
+					Header: map[string][]string{
+						authenticationv1.ImpersonateGroupHeader: {"ImpersonatedGroup", "Regex:Group1", "Regex:Group2", "Regex:DropGroup1", "Regex:DropGroup2"},
+						authenticationv1.ImpersonateUserHeader:  {"ImpersonatedUser"},
+					},
+					TLS: &tls.ConnectionState{
+						PeerCertificates: []*x509.Certificate{
+							{
+								Subject: pkix.Name{
+									CommonName: "nobody",
+									Organization: []string{
+										"group",
+									},
+								},
+							},
+						},
+					},
+				},
+				ignoreImpersonationRegexp: regexp.MustCompile("Regex:.*"),
+				ignoreGroups:              []string{"Regex:DropGroup1", "Regex:DropGroup2"},
+				authTypes: []request.AuthType{
+					request.BearerToken,
+					request.TLSCertificate,
+				},
+				client: testClient(func(ctx context.Context, obj client.Object) error {
+					ac := obj.(*authorizationv1.SubjectAccessReview)
+					ac.Status.Allowed = true
+
+					return nil
+				}),
+			},
+			wantUsername: "ImpersonatedUser",
+			wantGroups:   []string{"Regex:Group1", "Regex:Group2"},
 			wantErr:      false,
 		},
 	}
@@ -126,7 +167,7 @@ func Test_http_GetUserAndGroups(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			req := request.NewHTTP(tc.fields.Request, tc.fields.authTypes, tc.fields.usernameClaimField, tc.fields.client)
+			req := request.NewHTTP(tc.fields.Request, tc.fields.authTypes, tc.fields.usernameClaimField, tc.fields.client, tc.fields.ignoreGroups, tc.fields.ignoreImpersonationRegexp)
 			gotUsername, gotGroups, err := req.GetUserAndGroups()
 			if (err != nil) != tc.wantErr {
 				t.Errorf("GetUserAndGroups() error = %v, wantErr %v", err, tc.wantErr)

internal/request/impersonation.go

@@ -5,6 +5,7 @@ package request
 
 import (
 	nethttp "net/http"
+	"regexp"
 	"strings"
 
 	authenticationv1 "k8s.io/api/authentication/v1"
@@ -25,6 +26,42 @@ func GetImpersonatingUser(request *nethttp.Request) string {
 	return request.Header.Get(authenticationv1.ImpersonateUserHeader)
 }
 
-func GetImpersonatingGroups(request *nethttp.Request) []string {
-	return request.Header.Values(authenticationv1.ImpersonateGroupHeader)
+func GetImpersonatingGroups(request *nethttp.Request, ignoreImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp) []string {
+	groups := request.Header.Values(authenticationv1.ImpersonateGroupHeader)
+	if len(groups) > 0 {
+		if impersonationGroupsRegexp != nil {
+			groups = filterGroups(groups, impersonationGroupsRegexp)
+		}
+
+		if len(ignoreImpersonationGroups) > 0 {
+			groups = ignoreGroups(groups, regexp.MustCompile(strings.Join(ignoreImpersonationGroups, "|")))
+		}
+	}
+
+	return groups
+}
+
+func filterGroups(groups []string, impersonationGroupsRegexp *regexp.Regexp) []string {
+	filteredGroups := []string{}
+
+	for _, group := range groups {
+		if impersonationGroupsRegexp.MatchString(group) {
+			filteredGroups = append(filteredGroups, group)
+		}
+	}
+
+	return filteredGroups
+}
+
+func ignoreGroups(groups []string, ignoredGroupsRegexp *regexp.Regexp) []string {
+	ignoredGroups := []string{}
+
+	for _, group := range groups {
+		if !ignoredGroupsRegexp.MatchString(group) {
+			// If the group does NOT match the regex, include it in the filtered list
+			ignoredGroups = append(ignoredGroups, group)
+		}
+	}
+
+	return ignoredGroups
 }

internal/webserver/middleware/user_in_group.go

@@ -19,7 +19,7 @@ func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, cl
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
 			if ignoredUserGroups.Len() > 0 {
-				user, groups, err := req.NewHTTP(request, authTypes, claim, client).GetUserAndGroups()
+				user, groups, err := req.NewHTTP(request, authTypes, claim, client, nil, nil).GetUserAndGroups()
 				if err != nil {
 					log.Error(err, "Cannot retrieve username and group from request")
 				}
@@ -42,7 +42,7 @@ func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, cl
 func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, impersonate func(http.ResponseWriter, *http.Request)) mux.MiddlewareFunc {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-			_, groups, err := req.NewHTTP(request, authTypes, claim, client).GetUserAndGroups()
+			_, groups, err := req.NewHTTP(request, authTypes, claim, client, nil, nil).GetUserAndGroups()
 			if err != nil {
 				log.Error(err, "Cannot retrieve username and group from request")
 			}

internal/webserver/webserver.go

@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/textproto"
+	"regexp"
 	"strings"
 	"time"
 
@@ -62,31 +63,35 @@ func NewKubeFilter(opts options.ListenerOpts, srv options.ServerOptions, rbRefle
 	reverseProxy.Transport = reverseProxyTransport
 
 	return &kubeFilter{
-		reader:                clientOverride,
-		writer:                client,
-		managerReader:         client,
-		allowedPaths:          sets.New("/api", "/apis", "/version"),
-		authTypes:             opts.AuthTypes(),
-		ignoredUserGroups:     sets.New(opts.IgnoredGroupNames()...),
-		reverseProxy:          reverseProxy,
-		bearerToken:           opts.BearerToken(),
-		usernameClaimField:    opts.PreferredUsernameClaim(),
-		serverOptions:         srv,
-		log:                   ctrl.Log.WithName("proxy"),
-		roleBindingsReflector: rbReflector,
+		reader:                     clientOverride,
+		writer:                     client,
+		managerReader:              client,
+		allowedPaths:               sets.New("/api", "/apis", "/version"),
+		authTypes:                  opts.AuthTypes(),
+		ignoredUserGroups:          sets.New(opts.IgnoredGroupNames()...),
+		ignoredImpersonationGroups: opts.IgnoredImpersonationsGroups(),
+		impersonationGroupsRegexp:  opts.ImpersonationGroupsRegexp(),
+		reverseProxy:               reverseProxy,
+		bearerToken:                opts.BearerToken(),
+		usernameClaimField:         opts.PreferredUsernameClaim(),
+		serverOptions:              srv,
+		log:                        ctrl.Log.WithName("proxy"),
+		roleBindingsReflector:      rbReflector,
 	}, nil
 }
 
 type kubeFilter struct {
-	allowedPaths          sets.Set[string]
-	authTypes             []req.AuthType
-	ignoredUserGroups     sets.Set[string]
-	reverseProxy          *httputil.ReverseProxy
-	bearerToken           string
-	usernameClaimField    string
-	serverOptions         options.ServerOptions
-	log                   logr.Logger
-	roleBindingsReflector *controllers.RoleBindingReflector
+	allowedPaths               sets.Set[string]
+	authTypes                  []req.AuthType
+	ignoredUserGroups          sets.Set[string]
+	ignoredImpersonationGroups []string
+	impersonationGroupsRegexp  *regexp.Regexp
+	reverseProxy               *httputil.ReverseProxy
+	bearerToken                string
+	usernameClaimField         string
+	serverOptions              options.ServerOptions
+	log                        logr.Logger
+	roleBindingsReflector      *controllers.RoleBindingReflector
 
 	managerReader, reader client.Reader
 	writer                client.Writer
@@ -172,7 +177,7 @@ func (n *kubeFilter) handleRequest(request *http.Request, selector labels.Select
 }
 
 func (n *kubeFilter) impersonateHandler(writer http.ResponseWriter, request *http.Request) {
-	hr := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer)
+	hr := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp)
 
 	username, groups, err := hr.GetUserAndGroups()
 	if err != nil {
@@ -243,7 +248,7 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
 			middleware.CheckUserInCapsuleGroupMiddleware(n.writer, n.log, n.usernameClaimField, n.authTypes, n.impersonateHandler),
 		)
 		sr.HandleFunc("", func(writer http.ResponseWriter, request *http.Request) {
-			proxyRequest := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer)
+			proxyRequest := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer, nil, nil)
 			username, groups, err := proxyRequest.GetUserAndGroups()
 			if err != nil {
 				server.HandleError(writer, err, "cannot retrieve user and group from the request")