diff --git a/docs/workflow-controller-configmap.yaml b/docs/workflow-controller-configmap.yaml
index 0470c30536e0..60a531a7b9ff 100644
--- a/docs/workflow-controller-configmap.yaml
+++ b/docs/workflow-controller-configmap.yaml
@@ -232,7 +232,18 @@ data:
 # be in the form /oauth2/callback. It must be
 # browser-accessible.
 redirectUrl: https://argo-server/oauth2/callback
-
+ # Enable RBAC. >= v2.11
+ rbac:
+ # Rules in order of precedence. Maybe empty.
+ rules:
+ - anyOf:
+ - my-group
+ # Use this service account if any of the groups match.
+ serviceAccountRef:
+ name: my-service-account
+ # Use this default service account if none of the rules match. Typically either read-only, or no permissions at all.
+ defaultServiceAccountRef:
+ name: my-default-service-account
 # workflowRequirements restricts the Workflows that the controller will process.
 # Current options:
 # referenceOnly: Only Workflows using "workflowTemplateRef" will be processed. This allows the administrator of the controller
diff --git a/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml b/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml
index 538976b11a85..6fbde07ec358 100644
--- a/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml
+++ b/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
- sso : |
+ sso: |
 issuer: http://dex:5556/dex
 clientId:
 name: argo-server-sso
@@ -9,6 +9,14 @@ data:
 name: argo-server-sso
 key: clientSecret
 redirectUrl: http://localhost:2746/oauth2/callback
+ rbac:
+ rules:
+ - anyOf:
+ - authors
+ serviceAccountRef:
+ name: argo-server
+ defaultServiceAccountRef:
+ name: argo-server
 kind: ConfigMap
 metadata:
 name: workflow-controller-configmap
diff --git a/pkg/apiclient/argo-kube-client.go b/pkg/apiclient/argo-kube-client.go
index f43455d292be..be3de63d6b14 100644
--- a/pkg/apiclient/argo-kube-client.go
+++ b/pkg/apiclient/argo-kube-client.go
@@ -44,7 +44,7 @@ func newArgoKubeClient(clientConfig clientcmd.ClientConfig, instanceIDService in
 if err != nil {
 return nil, nil, err
 }
- gatekeeper, err := auth.NewGatekeeper(auth.Modes{auth.Server: true}, wfClient, kubeClient, restConfig, nil)
+ gatekeeper, err := auth.NewGatekeeper(auth.Modes{auth.Server: true}, wfClient, kubeClient, restConfig, nil, "unused")
 if err != nil {
 return nil, nil, err
 }
diff --git a/pkg/apiclient/info/info.pb.go b/pkg/apiclient/info/info.pb.go
index 0694bff16f4a..4cf8470db437 100644
--- a/pkg/apiclient/info/info.pb.go
+++ b/pkg/apiclient/info/info.pb.go
@@ -206,6 +206,7 @@ var xxx_messageInfo_GetUserInfoRequest proto.InternalMessageInfo
 type GetUserInfoResponse struct {
 Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
 Subject string `protobuf:"bytes,2,opt,name=subject,proto3" json:"subject,omitempty"`
+ Groups []string `protobuf:"bytes,3,rep,name=groups,proto3" json:"groups,omitempty"`
 XXX_NoUnkeyedLiteral struct{} `json:"-"`
 XXX_unrecognized []byte `json:"-"`
 XXX_sizecache int32 `json:"-"`
@@ -258,6 +259,13 @@ func (m *GetUserInfoResponse) GetSubject() string {
 return ""
 }
+func (m *GetUserInfoResponse) GetGroups() []string {
+ if m != nil {
+ return m.Groups
+ }
+ return nil
+}
+
 func init() {
 proto.RegisterType((*GetInfoRequest)(nil), "info.GetInfoRequest")
 proto.RegisterType((*InfoResponse)(nil), "info.InfoResponse")
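Review bot: The new last argument `"unused"` to `auth.NewGatekeeper` is a magic string the gatekeeper does not treat specially; it is harmless only because this client enables just `auth.Server` and, as far as this diff shows, the namespace is read on the SSO path alone, but nothing at the call site says so. Pass `""` with a comment, `// namespace: only consulted in SSO mode, which this client never enables`, so a later reader does not mistake `"unused"` for a recognised sentinel. The enclosing `newArgoKubeClient` starts before this hunk and continues past it. The info.pb.go hunks sharing this anchor are generated and need no review.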
@@ -269,37 +277,38 @@ func init() { func init() { proto.RegisterFile("pkg/apiclient/info/info.proto", fileDescriptor_96940c93018255fa) } var fileDescriptor_96940c93018255fa = []byte{ - // 480 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x53, 0x4f, 0x6b, 0x13, 0x41, - 0x14, 0x67, 0xa3, 0xb6, 0x38, 0x29, 0x35, 0x9d, 0x06, 0xbb, 0x2e, 0x1a, 0xca, 0x9e, 0x8a, 0xe2, - 0x0c, 0xa9, 0x1e, 0x2c, 0x78, 0xd2, 0x43, 0x28, 0x88, 0x42, 0x44, 0x0f, 0xe2, 0x65, 0xb2, 0x7d, - 0x99, 0x4c, 0x77, 0x77, 0x66, 0x9d, 0x99, 0xdd, 0x22, 0x78, 0xf2, 0xea, 0xd1, 0xaf, 0xe2, 0x87, - 0xf0, 0x28, 0xf8, 0x05, 0x24, 0xf8, 0x41, 0x64, 0x27, 0xb3, 0xdd, 0x8d, 0x0d, 0x08, 0x5e, 0xc2, - 0x7b, 0xf3, 0xf2, 0x7e, 0xff, 0x78, 0x8b, 0xee, 0x15, 0x29, 0xa7, 0xac, 0x10, 0x49, 0x26, 0x40, - 0x5a, 0x2a, 0xe4, 0x5c, 0xb9, 0x1f, 0x52, 0x68, 0x65, 0x15, 0xbe, 0x5e, 0xd7, 0xd1, 0x43, 0x2e, - 0xec, 0xa2, 0x9c, 0x91, 0x44, 0xe5, 0x94, 0x2b, 0xae, 0xa8, 0x1b, 0xce, 0xca, 0xb9, 0xeb, 0x5c, - 0xe3, 0xaa, 0xd5, 0x52, 0x74, 0x97, 0x2b, 0xc5, 0x33, 0xa8, 0x61, 0x29, 0x93, 0x52, 0x59, 0x66, - 0x85, 0x92, 0xc6, 0x4f, 0x1f, 0xa7, 0x4f, 0x0c, 0x11, 0xaa, 0x9e, 0xe6, 0x2c, 0x59, 0x08, 0x09, - 0xfa, 0x23, 0xf5, 0x2a, 0x0c, 0xcd, 0xc1, 0x32, 0x5a, 0x8d, 0x29, 0x07, 0x09, 0x9a, 0x59, 0x38, - 0xf3, 0x5b, 0xcf, 0x3b, 0x12, 0x98, 0x76, 0xa4, 0xe7, 0xae, 0x68, 0x57, 0x2f, 0x94, 0x4e, 0xe7, - 0x99, 0xba, 0xa0, 0xd5, 0x98, 0x65, 0xc5, 0x82, 0x5d, 0x05, 0x89, 0x5b, 0x6a, 0x9a, 0x28, 0x0d, - 0x1b, 0x88, 0xe2, 0x01, 0xda, 0x9d, 0x80, 0x3d, 0x95, 0x73, 0x35, 0x85, 0x0f, 0x25, 0x18, 0x1b, - 0x7f, 0x09, 0xd0, 0xce, 0xaa, 0x37, 0x85, 0x92, 0x06, 0xf0, 0x7d, 0x34, 0xc8, 0x99, 0x64, 0x1c, - 0xce, 0x5e, 0xb2, 0x1c, 0x4c, 0xc1, 0x12, 0x08, 0x83, 0xc3, 0xe0, 0xe8, 0xe6, 0xf4, 0xca, 0x3b, - 0x7e, 0x85, 0x6e, 0x64, 0x42, 0xa6, 0x26, 0xec, 0x1d, 0x5e, 0x3b, 0xea, 0x1f, 0x9f, 0x90, 0xd6, - 0x07, 0x69, 0x7c, 0xb8, 0x82, 0x14, 0x29, 0x27, 0xb5, 0x0f, 0xd2, 0xf8, 0x20, 0x8d, 0x0f, 0xf2, - 
0x42, 0xc8, 0x74, 0xba, 0xc2, 0x89, 0xf7, 0xd1, 0xde, 0x04, 0xec, 0x5b, 0xd0, 0x46, 0x28, 0xd9, - 0x48, 0x1c, 0x22, 0x3c, 0x01, 0xfb, 0xc6, 0x80, 0xee, 0x0a, 0x9f, 0xa0, 0xfd, 0xb5, 0x57, 0x2f, - 0xff, 0x36, 0xda, 0x12, 0xc6, 0x94, 0xa0, 0xbd, 0x68, 0xdf, 0xe1, 0x10, 0x6d, 0x9b, 0x72, 0x76, - 0x0e, 0x89, 0x0d, 0x7b, 0x6e, 0xd0, 0xb4, 0xc7, 0xdf, 0x7a, 0xa8, 0x5f, 0x43, 0xbc, 0x06, 0x5d, - 0x89, 0x04, 0xf0, 0x29, 0xda, 0xf6, 0x19, 0xe1, 0x21, 0x71, 0xd7, 0xb2, 0x1e, 0x59, 0x84, 0x57, - 0xaf, 0x5d, 0xda, 0x78, 0xf8, 0xf9, 0xe7, 0xef, 0xaf, 0xbd, 0x5d, 0xbc, 0xe3, 0xe2, 0xaf, 0xc6, - 0xee, 0xcc, 0xf0, 0x27, 0x84, 0x5a, 0x3b, 0xf8, 0xe0, 0x12, 0x6d, 0xdd, 0x60, 0xf4, 0xf4, 0xbf, - 0x72, 0xf3, 0x20, 0xf1, 0x81, 0xa3, 0xde, 0xc3, 0xb7, 0x1a, 0xea, 0xca, 0xf3, 0xbd, 0x47, 0xfd, - 0x4e, 0x42, 0x38, 0xbc, 0xa4, 0xff, 0x2b, 0xca, 0xe8, 0xce, 0x86, 0x89, 0xf7, 0x15, 0x3a, 0x70, - 0x8c, 0x07, 0x0d, 0x78, 0x69, 0x40, 0xd7, 0xff, 0x7e, 0x76, 0xf2, 0x7d, 0x39, 0x0a, 0x7e, 0x2c, - 0x47, 0xc1, 0xaf, 0xe5, 0x28, 0x78, 0xf7, 0xe0, 0x5f, 0x17, 0xdc, 0xf9, 0x04, 0x67, 0x5b, 0xee, - 0x18, 0x1f, 0xfd, 0x09, 0x00, 0x00, 0xff, 0xff, 0x23, 0x33, 0x1a, 0x8d, 0x9f, 0x03, 0x00, 0x00, + // 494 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x53, 0x4f, 0x6b, 0xd4, 0x40, + 0x14, 0x27, 0xbb, 0xda, 0xe2, 0x6c, 0xa9, 0xdb, 0xe9, 0x62, 0xe3, 0xa2, 0xcb, 0x92, 0x53, 0x51, + 0x9c, 0x61, 0xab, 0x07, 0x0b, 0x9e, 0xf4, 0xb0, 0x14, 0x44, 0x61, 0x45, 0x0f, 0x22, 0xc8, 0x6c, + 0xfa, 0x76, 0x76, 0x9a, 0x64, 0x26, 0xce, 0x4c, 0x52, 0x04, 0x4f, 0x5e, 0x3d, 0xfa, 0x55, 0xfc, + 0x10, 0x1e, 0x05, 0xbf, 0x80, 0x2c, 0x7e, 0x10, 0xc9, 0x64, 0xd2, 0xcd, 0xda, 0x82, 0xe0, 0x25, + 0xbc, 0x3f, 0x79, 0xbf, 0x3f, 0x2f, 0x2f, 0xe8, 0x6e, 0x9e, 0x70, 0xca, 0x72, 0x11, 0xa7, 0x02, + 0xa4, 0xa5, 0x42, 0x2e, 0x94, 0x7b, 0x90, 0x5c, 0x2b, 0xab, 0xf0, 0xb5, 0x2a, 0x1e, 0x3e, 0xe0, + 0xc2, 0x2e, 0x8b, 0x39, 0x89, 0x55, 0x46, 0xb9, 0xe2, 0x8a, 0xba, 0xe6, 0xbc, 0x58, 0xb8, 
0xcc, + 0x25, 0x2e, 0xaa, 0x87, 0x86, 0x77, 0xb8, 0x52, 0x3c, 0x85, 0x0a, 0x96, 0x32, 0x29, 0x95, 0x65, + 0x56, 0x28, 0x69, 0x7c, 0xf7, 0x51, 0xf2, 0xd8, 0x10, 0xa1, 0xaa, 0x6e, 0xc6, 0xe2, 0xa5, 0x90, + 0xa0, 0x3f, 0x52, 0xaf, 0xc2, 0xd0, 0x0c, 0x2c, 0xa3, 0xe5, 0x84, 0x72, 0x90, 0xa0, 0x99, 0x85, + 0x53, 0x3f, 0xf5, 0xac, 0x25, 0x81, 0x69, 0x47, 0x7a, 0xe6, 0x82, 0xf5, 0xe8, 0xb9, 0xd2, 0xc9, + 0x22, 0x55, 0xe7, 0xb4, 0x9c, 0xb0, 0x34, 0x5f, 0xb2, 0xcb, 0x20, 0xd1, 0x9a, 0x9a, 0xc6, 0x4a, + 0xc3, 0x15, 0x44, 0x51, 0x1f, 0xed, 0x4e, 0xc1, 0x9e, 0xc8, 0x85, 0x9a, 0xc1, 0x87, 0x02, 0x8c, + 0x8d, 0xbe, 0x04, 0x68, 0xa7, 0xce, 0x4d, 0xae, 0xa4, 0x01, 0x7c, 0x0f, 0xf5, 0x33, 0x26, 0x19, + 0x87, 0xd3, 0x17, 0x2c, 0x03, 0x93, 0xb3, 0x18, 0xc2, 0x60, 0x1c, 0x1c, 0xde, 0x98, 0x5d, 0xaa, + 0xe3, 0x97, 0xe8, 0x7a, 0x2a, 0x64, 0x62, 0xc2, 0xce, 0xb8, 0x7b, 0xd8, 0x3b, 0x3a, 0x26, 0x6b, + 0x1f, 0xa4, 0xf1, 0xe1, 0x02, 0x92, 0x27, 0x9c, 0x54, 0x3e, 0x48, 0xe3, 0x83, 0x34, 0x3e, 0xc8, + 0x73, 0x21, 0x93, 0x59, 0x8d, 0x13, 0xed, 0xa3, 0xbd, 0x29, 0xd8, 0x37, 0xa0, 0x8d, 0x50, 0xb2, + 0x91, 0x38, 0x40, 0x78, 0x0a, 0xf6, 0xb5, 0x01, 0xdd, 0x16, 0xfe, 0x1e, 0xed, 0x6f, 0x54, 0xbd, + 0xfc, 0x5b, 0x68, 0x4b, 0x18, 0x53, 0x80, 0xf6, 0xa2, 0x7d, 0x86, 0x43, 0xb4, 0x6d, 0x8a, 0xf9, + 0x19, 0xc4, 0x36, 0xec, 0xb8, 0x46, 0x93, 0x56, 0x13, 0x5c, 0xab, 0x22, 0x37, 0x61, 0x77, 0xdc, + 0xad, 0x26, 0xea, 0xec, 0xe8, 0x5b, 0x07, 0xf5, 0x2a, 0xe8, 0x57, 0xa0, 0x4b, 0x11, 0x03, 0x3e, + 0x41, 0xdb, 0x7e, 0x77, 0x78, 0x40, 0xdc, 0x15, 0x6d, 0xae, 0x72, 0x88, 0xeb, 0x6a, 0x5b, 0x4e, + 0x34, 0xf8, 0xfc, 0xf3, 0xf7, 0xd7, 0xce, 0x2e, 0xde, 0x71, 0x9f, 0xa5, 0x9c, 0xb8, 0xf3, 0xc3, + 0x9f, 0x10, 0x5a, 0xdb, 0xc4, 0x07, 0x17, 0x68, 0x9b, 0xc6, 0x87, 0x4f, 0xfe, 0x6b, 0x9f, 0x1e, + 0x24, 0x3a, 0x70, 0xd4, 0x7b, 0xf8, 0x66, 0x43, 0x5d, 0x7a, 0xbe, 0x77, 0xa8, 0xd7, 0xda, 0x1c, + 0x0e, 0x2f, 0xe8, 0xff, 0x5a, 0xf1, 0xf0, 0xf6, 0x15, 0x1d, 0xef, 0x2b, 0x74, 0xe0, 0x18, 0xf7, + 0x1b, 0xf0, 0xc2, 0x80, 0xae, 
0xde, 0x7e, 0x7a, 0xfc, 0x7d, 0x35, 0x0a, 0x7e, 0xac, 0x46, 0xc1, + 0xaf, 0xd5, 0x28, 0x78, 0x7b, 0xff, 0x5f, 0x97, 0xdd, 0xfa, 0x35, 0xe7, 0x5b, 0xee, 0x48, 0x1f, + 0xfe, 0x09, 0x00, 0x00, 0xff, 0xff, 0xed, 0x5c, 0xb2, 0xa2, 0xb7, 0x03, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -607,6 +616,15 @@ func (m *GetUserInfoResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if len(m.Groups) > 0 { + for iNdEx := len(m.Groups) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.Groups[iNdEx]) + copy(dAtA[i:], m.Groups[iNdEx]) + i = encodeVarintInfo(dAtA, i, uint64(len(m.Groups[iNdEx]))) + i-- + dAtA[i] = 0x1a + } + } if len(m.Subject) > 0 { i -= len(m.Subject) copy(dAtA[i:], m.Subject) @@ -707,6 +725,12 @@ func (m *GetUserInfoResponse) Size() (n int) { if l > 0 { n += 1 + l + sovInfo(uint64(l)) } + if len(m.Groups) > 0 { + for _, s := range m.Groups { + l = len(s) + n += 1 + l + sovInfo(uint64(l)) + } + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -1094,6 +1118,38 @@ func (m *GetUserInfoResponse) Unmarshal(dAtA []byte) error { } m.Subject = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowInfo + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthInfo + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthInfo + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipInfo(dAtA[iNdEx:]) 
diff --git a/pkg/apiclient/info/info.proto b/pkg/apiclient/info/info.proto
index e18085008a78..87f6f04a57a7 100644
--- a/pkg/apiclient/info/info.proto
+++ b/pkg/apiclient/info/info.proto
@@ -26,6 +26,7 @@ message GetUserInfoRequest {
 message GetUserInfoResponse {
 string issuer = 1;
 string subject = 2;
+ repeated string groups = 3;
 }
 service InfoService {
diff --git a/server/apiserver/argoserver.go b/server/apiserver/argoserver.go
index 9d78de967b3e..50ea643604fc 100644
--- a/server/apiserver/argoserver.go
+++ b/server/apiserver/argoserver.go
@@ -104,7 +104,7 @@ func NewArgoServer(opts ArgoServerOpts) (*argoServer, error) {
 } else {
 log.Info("SSO disabled")
 }
- gatekeeper, err := auth.NewGatekeeper(opts.AuthModes, opts.WfClientSet, opts.KubeClientset, opts.RestConfig, ssoIf)
+ gatekeeper, err := auth.NewGatekeeper(opts.AuthModes, opts.WfClientSet, opts.KubeClientset, opts.RestConfig, ssoIf, opts.Namespace)
 if err != nil {
 return nil, err
 }
diff --git a/server/auth/gatekeeper.go b/server/auth/gatekeeper.go
index 4c9e3be48383..e20506264c1f 100644
--- a/server/auth/gatekeeper.go
+++ b/server/auth/gatekeeper.go
@@ -10,6 +10,7 @@ import (
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/metadata"
 "google.golang.org/grpc/status"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
@@ -41,13 +42,15 @@ type gatekeeper struct {
 kubeClient kubernetes.Interface
 restConfig *rest.Config
 ssoIf sso.Interface
+ // The namespace the server is installed in.
+ namespace string
 }
-func NewGatekeeper(modes Modes, wfClient versioned.Interface, kubeClient kubernetes.Interface, restConfig *rest.Config, ssoIf sso.Interface) (Gatekeeper, error) {
+func NewGatekeeper(modes Modes, wfClient versioned.Interface, kubeClient kubernetes.Interface, restConfig *rest.Config, ssoIf sso.Interface, namespace string) (Gatekeeper, error) {
 if len(modes) == 0 {
 return nil, fmt.Errorf("must specify at least one auth mode")
 }
- return &gatekeeper{modes, wfClient, kubeClient, restConfig, ssoIf}, nil
+ return &gatekeeper{modes, wfClient, kubeClient, restConfig, ssoIf, namespace}, nil
 }
 func (s *gatekeeper) UnaryServerInterceptor() grpc.UnaryServerInterceptor {
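Review bot: `NewGatekeeper` validates `modes` but not the new `namespace`, although the SSO path looks up the RBAC service account and its secret in that namespace; with SSO enabled and an empty namespace the misconfiguration only surfaces per request, disguised as an Unauthenticated error. Reject it at construction: `if modes[SSO] && namespace == "" { return nil, fmt.Errorf("namespace is required when SSO mode is enabled") }` (the `NotAllowed` case in gatekeeper_test.go passes `""` with `Modes{SSO: true}` and would need a namespace). The positional literal `&gatekeeper{modes, wfClient, kubeClient, restConfig, ssoIf, namespace}` now has six unnamed fields; keyed fields would make the new one self-describing. The struct definition opens before this hunk and `UnaryServerInterceptor` continues past it.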
@@ -145,7 +148,37 @@ func (s gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubern
 if err != nil {
 return nil, nil, nil, status.Error(codes.Unauthenticated, err.Error())
 }
- return s.wfClient, s.kubeClient, claimSet, nil
+ serviceAccount, err := s.ssoIf.GetServiceAccount(claimSet.Groups)
+ if err != nil {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to get SSO RBAC service account ref: %v", err)
+ } else if serviceAccount != nil {
+ serviceAccount, err := s.kubeClient.CoreV1().ServiceAccounts(s.namespace).Get(serviceAccount.Name, metav1.GetOptions{})
+ if err != nil {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to get SSO RBAC service account: %v", err)
+ }
+ if len(serviceAccount.Secrets) == 0 {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "expected at least one secret for SSO RBAC service account: %v", err)
+ }
+ secret, err := s.kubeClient.CoreV1().Secrets(s.namespace).Get(serviceAccount.Secrets[0].Name, metav1.GetOptions{})
+ if err != nil {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to get SSO RBAC service account secret: %v", err)
+ }
+ restConfig, err := kubeconfig.GetRestConfig("Bearer " + string(secret.Data["token"]))
+ if err != nil {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to create SSO RBAC REST config: %v", err)
+ }
+ wfClient, err := versioned.NewForConfig(restConfig)
+ if err != nil {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failure to create SSO RBAC wfClientset with ClientConfig: %v", err)
+ }
+ kubeClient, err := kubernetes.NewForConfig(restConfig)
+ if err != nil {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failure to create SSO RBAC kubeClientset with ClientConfig: %v", err)
+ }
+ return wfClient, kubeClient, claimSet, nil
+ } else {
+ return s.wfClient, s.kubeClient, claimSet, nil
+ }
 default:
 panic("this should never happen")
 }
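Review bot: `secret.Data["token"]` is used without checking that it exists, so a Secret with no `token` key (or a non-token secret sitting first in `serviceAccount.Secrets`) yields a `"Bearer "` header with an empty credential and the request proceeds with clients that do not carry the intended identity; reject an empty token here so the path fails closed (the fixture in gatekeeper_test.go uses `"token": {}` and would need a real value). On the `len(serviceAccount.Secrets) == 0` branch `err` is nil, so its `%v` prints `<nil>`; name the service account instead. The inner `serviceAccount, err :=` shadows the `*LocalObjectReference` of the same name, and the `else` after a terminating `return` can go. Each SSO request also performs two API reads and constructs two fresh clientsets with their own transports; a per-service-account cache would bound the load this places on the API server, but that can be a follow-up. `getClients` begins before this hunk and continues past it.
```go
	} else if serviceAccount != nil {
		sa, err := s.kubeClient.CoreV1().ServiceAccounts(s.namespace).Get(serviceAccount.Name, metav1.GetOptions{})
		if err != nil {
			return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to get SSO RBAC service account: %v", err)
		}
		if len(sa.Secrets) == 0 {
			return nil, nil, nil, status.Errorf(codes.Unauthenticated, "expected at least one secret for SSO RBAC service account %q", sa.Name)
		}
		secret, err := s.kubeClient.CoreV1().Secrets(s.namespace).Get(sa.Secrets[0].Name, metav1.GetOptions{})
		if err != nil {
			return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to get SSO RBAC service account secret: %v", err)
		}
		token := secret.Data["token"]
		if len(token) == 0 {
			// Fail closed: an empty bearer token must never be handed to the derived clients.
			return nil, nil, nil, status.Errorf(codes.Unauthenticated, "SSO RBAC service account secret %q has no token", secret.Name)
		}
		restConfig, err := kubeconfig.GetRestConfig("Bearer " + string(token))
		// … unchanged: wfClient/kubeClient construction and return …
```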
diff --git a/server/auth/gatekeeper_test.go b/server/auth/gatekeeper_test.go
index ad3b142a97e7..7197cadd5f4d 100644
--- a/server/auth/gatekeeper_test.go
+++ b/server/auth/gatekeeper_test.go
@@ -7,6 +7,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/mock"
 "google.golang.org/grpc/metadata"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes/fake"
 "k8s.io/client-go/rest"
@@ -17,20 +19,31 @@ import (
 func TestServer_GetWFClient(t *testing.T) {
 wfClient := &fakewfclientset.Clientset{}
- kubeClient := &fake.Clientset{}
+ kubeClient := fake.NewSimpleClientset(
+ &corev1.ServiceAccount{
+ ObjectMeta: metav1.ObjectMeta{Name: "my-sa", Namespace: "my-ns"},
+ Secrets: []corev1.ObjectReference{{Name: "my-secret"}},
+ },
+ &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "my-secret", Namespace: "my-ns"},
+ Data: map[string][]byte{
+ "token": {},
+ },
+ },
+ )
 t.Run("None", func(t *testing.T) {
- _, err := NewGatekeeper(Modes{}, wfClient, kubeClient, nil, nil)
+ _, err := NewGatekeeper(Modes{}, wfClient, kubeClient, nil, nil, "")
 assert.Error(t, err)
 })
 t.Run("Invalid", func(t *testing.T) {
- g, err := NewGatekeeper(Modes{Client: true}, wfClient, kubeClient, nil, nil)
+ g, err := NewGatekeeper(Modes{Client: true}, wfClient, kubeClient, nil, nil, "")
 if assert.NoError(t, err) {
 _, err := g.Context(x("invalid"))
 assert.Error(t, err)
 }
 })
 t.Run("NotAllowed", func(t *testing.T) {
- g, err := NewGatekeeper(Modes{SSO: true}, wfClient, kubeClient, nil, nil)
+ g, err := NewGatekeeper(Modes{SSO: true}, wfClient, kubeClient, nil, nil, "")
 if assert.NoError(t, err) {
 _, err := g.Context(x("Bearer "))
 assert.Error(t, err)
@@ -38,7 +51,7 @@ func TestServer_GetWFClient(t *testing.T) {
 })
 // not possible to unit test client auth today
 t.Run("Server", func(t *testing.T) {
- g, err := NewGatekeeper(Modes{Server: true}, wfClient, kubeClient, &rest.Config{Username: "my-username"}, nil)
+ g, err := NewGatekeeper(Modes{Server: true}, wfClient, kubeClient, &rest.Config{Username: "my-username"}, nil, "")
 assert.NoError(t, err)
 ctx, err := g.Context(x(""))
 if assert.NoError(t, err) {
@@ -49,14 +62,30 @@ func TestServer_GetWFClient(t *testing.T) {
 })
 t.Run("SSO", func(t *testing.T) {
 ssoIf := &mocks.Interface{}
- ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&jws.ClaimSet{}, nil)
- g, err := NewGatekeeper(Modes{SSO: true}, wfClient, kubeClient, nil, ssoIf)
+ ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&jws.ClaimSet{Sub: "my-sub"}, nil)
+ ssoIf.On("GetServiceAccount", mock.Anything).Return(nil, nil)
+ g, err := NewGatekeeper(Modes{SSO: true}, wfClient, kubeClient, nil, ssoIf, "my-ns")
 if assert.NoError(t, err) {
- ctx, err := g.Context(x("Bearer id_token:whatever"))
+ ctx, err := g.Context(x("Bearer id_token:"))
 if assert.NoError(t, err) {
 assert.Equal(t, wfClient, GetWfClient(ctx))
 assert.Equal(t, kubeClient, GetKubeClient(ctx))
- assert.NotNil(t, GetClaimSet(ctx))
+ if assert.NotNil(t, GetClaimSet(ctx)) {
+ assert.Equal(t, "my-sub", GetClaimSet(ctx).Sub)
+ }
+ }
+ }
+ })
+ t.Run("SSO+RBAC", func(t *testing.T) {
+ ssoIf := &mocks.Interface{}
+ ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&jws.ClaimSet{Groups: []string{"my-group"}}, nil)
+ ssoIf.On("GetServiceAccount", []string{"my-group"}).Return(&corev1.LocalObjectReference{Name: "my-sa"}, nil)
+ g, err := NewGatekeeper(Modes{SSO: true}, wfClient, kubeClient, nil, ssoIf, "my-ns")
+ if assert.NoError(t, err) {
+ ctx, err := g.Context(x("Bearer id_token:"))
+ if assert.NoError(t, err) {
+ assert.NotEqual(t, wfClient, GetWfClient(ctx))
+ assert.NotEqual(t, kubeClient, GetKubeClient(ctx))
 }
 }
 })
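Review bot: The `SSO+RBAC` case only asserts that the returned clients differ from the server's own, and the fixture's Secret carries an empty token (`"token": {}`), so the test would still pass if the token were never read or the Secret lookup were skipped entirely. Give the fixture a recognisable value such as `"token": []byte("my-token")`, and add a case whose ServiceAccount has no `Secrets` (and one whose Secret lacks the `token` key) so the error paths that must fail closed are pinned rather than left to manual review. `TestServer_GetWFClient` begins before this hunk.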
diff --git a/server/auth/jws/claim_set.go b/server/auth/jws/claim_set.go
index 76b2896e3dba..ae15d42ba6fd 100644
--- a/server/auth/jws/claim_set.go
+++ b/server/auth/jws/claim_set.go
@@ -1,6 +1,7 @@
 package jws
 type ClaimSet struct {
- Iss string `json:"iss"`
- Sub string `json:"sub,omitempty"`
+ Iss string `json:"iss"`
+ Sub string `json:"sub,omitempty"`
+ Groups []string `json:"groups,omitempty"`
 }
diff --git a/server/auth/rbac/config.go b/server/auth/rbac/config.go
new file mode 100644
index 000000000000..501628213334
--- /dev/null
+++ b/server/auth/rbac/config.go
@@ -0,0 +1,50 @@
+package rbac
+
+import (
+ "errors"
+
+ corev1 "k8s.io/api/core/v1"
+)
+
+type Config struct {
+ // A list of rules in order of precedence that we attempt to match.
+ Rules []Rule `json:"rules,omitempty"`
+ // If not rules match, or there are no rules, use this account.
+ DefaultServiceAccountRef *corev1.LocalObjectReference `json:"defaultServiceAccountRef,omitempty"`
+}
+
+// Get the service account to use. It maybe nil - if the config is nil.
+func (c *Config) GetServiceAccount(groups []string) (*corev1.LocalObjectReference, error) {
+ if c == nil {
+ return nil, nil
+ }
+ for _, r := range c.Rules {
+ if r.Matches(groups) {
+ return &r.ServiceAccountRef, nil
+ }
+ }
+ if c.DefaultServiceAccountRef != nil {
+ return c.DefaultServiceAccountRef, nil
+ }
+ return nil, errors.New("no RBAC rules match")
+}
+
+type Rule struct {
+ // Match if the user has any of these groups.
+ AnyOf []string `json:"anyOf,omitempty"`
+ // The service account to use.
+ ServiceAccountRef corev1.LocalObjectReference `json:"serviceAccountRef"`
+}
+
+func (r Rule) Matches(groups []string) bool {
+ hasGroups := make(map[string]bool)
+ for _, g := range groups {
+ hasGroups[g] = true
+ }
+ for _, g := range r.AnyOf {
+ if hasGroups[g] {
+ return true
+ }
+ }
+ return false
+}
diff --git a/server/auth/rbac/config_test.go b/server/auth/rbac/config_test.go
new file mode 100644
index 000000000000..d90d875adef3
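Review bot: `Rule.Matches` returns false for a rule whose `AnyOf` is empty, so a rule with a missing or mistyped `anyOf` key is silently skipped and the user falls through to the next rule or to `DefaultServiceAccountRef`; a configuration mistake that changes which service account a user acts as deserves a loud validation error (empty `AnyOf`, or an empty `ServiceAccountRef.Name`) when the config is loaded rather than a quiet fall-through. Matching is exact, case-sensitive string equality on group names, which is appropriate for an authorization decision but should be stated on `AnyOf`. The doc comments also need tightening: `// If no rules match, or there are no rules, use this account.` on `DefaultServiceAccountRef`, and on the method `// GetServiceAccount returns the service account to act as for a user with the given groups. A nil Config means RBAC is disabled and yields nil, nil; a non-nil Config with no matching rule and no default yields an error.` This hunk is the whole new file.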
--- /dev/null
+++ b/server/auth/rbac/config_test.go
@@ -0,0 +1,39 @@
+package rbac
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ corev1 "k8s.io/api/core/v1"
+)
+
+func TestConfig_GetServiceAccount(t *testing.T) {
+ t.Run("Nil", func(t *testing.T) {
+ var c *Config
+ ref, err := c.GetServiceAccount(nil)
+ assert.NoError(t, err)
+ assert.Nil(t, ref)
+ })
+ t.Run("Empty", func(t *testing.T) {
+ _, err := (&Config{}).GetServiceAccount(nil)
+ assert.EqualError(t, err, "no RBAC rules match")
+ })
+ t.Run("DefaultServiceAccount", func(t *testing.T) {
+ serviceAccountRef := &corev1.LocalObjectReference{Name: "my-sa"}
+ ref, err := (&Config{DefaultServiceAccountRef: serviceAccountRef}).GetServiceAccount(nil)
+ if assert.NoError(t, err) {
+ assert.Equal(t, serviceAccountRef, ref)
+ }
+ })
+ t.Run("RulesNoMatch", func(t *testing.T) {
+ _, err := (&Config{Rules: []Rule{{}}}).GetServiceAccount(nil)
+ assert.EqualError(t, err, "no RBAC rules match")
+ })
+ t.Run("RulesMatch", func(t *testing.T) {
+ serviceAccountRef := corev1.LocalObjectReference{Name: "my-sa"}
+ ref, err := (&Config{Rules: []Rule{{AnyOf: []string{"my-group"}, ServiceAccountRef: serviceAccountRef}}}).GetServiceAccount([]string{"my-group"})
+ if assert.NoError(t, err) {
+ assert.Equal(t, &serviceAccountRef, ref)
+ }
+ })
+}
diff --git a/server/auth/sso/mocks/Interface.go b/server/auth/sso/mocks/Interface.go
index ee8464b0107b..93fcc5760eee 100644
--- a/server/auth/sso/mocks/Interface.go
+++ b/server/auth/sso/mocks/Interface.go
@@ -9,6 +9,8 @@ import (
 jws "github.com/argoproj/argo/server/auth/jws"
 mock "github.com/stretchr/testify/mock"
+
+ v1 "k8s.io/api/core/v1"
 )
 // Interface is an autogenerated mock type for the Interface type
@@ -39,6 +41,29 @@ func (_m *Interface) Authorize(ctx context.Context, authorization string) (*jws.
 return r0, r1
 }
+// GetServiceAccount provides a mock function with given fields: groups
+func (_m *Interface) GetServiceAccount(groups []string) (*v1.LocalObjectReference, error) {
+ ret := _m.Called(groups)
+
+ var r0 *v1.LocalObjectReference
+ if rf, ok := ret.Get(0).(func([]string) *v1.LocalObjectReference); ok {
+ r0 = rf(groups)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*v1.LocalObjectReference)
+ }
+ }
+
+ var r1 error
+ if rf, ok := ret.Get(1).(func([]string) error); ok {
+ r1 = rf(groups)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
 // HandleCallback provides a mock function with given fields: writer, request
 func (_m *Interface) HandleCallback(writer http.ResponseWriter, request *http.Request) {
 _m.Called(writer, request)
diff --git a/server/auth/sso/null_sso.go b/server/auth/sso/null_sso.go
index 250a98012d92..c7f9890f6b73 100644
--- a/server/auth/sso/null_sso.go
+++ b/server/auth/sso/null_sso.go
@@ -5,6 +5,8 @@ import (
 "fmt"
 "net/http"
+ v1 "k8s.io/api/core/v1"
+
 "github.com/argoproj/argo/server/auth/jws"
 )
@@ -12,6 +14,10 @@ var NullSSO Interface = nullService{}
 type nullService struct{}
+func (n nullService) GetServiceAccount([]string) (*v1.LocalObjectReference, error) {
+ return nil, fmt.Errorf("not implemented")
+}
+
 func (n nullService) Authorize(context.Context, string) (*jws.ClaimSet, error) {
 return nil, fmt.Errorf("not implemented")
 }
diff --git a/server/auth/sso/sso.go b/server/auth/sso/sso.go
index 86f90c33fa8d..eb64b9ada993 100644
--- a/server/auth/sso/sso.go
+++ b/server/auth/sso/sso.go
@@ -17,6 +17,7 @@ import (
 corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 "github.com/argoproj/argo/server/auth/jws"
+ "github.com/argoproj/argo/server/auth/rbac"
 )
 const Prefix = "Bearer id_token:"
@@ -25,6 +26,7 @@ type Interface interface {
 Authorize(ctx context.Context, authorization string) (*jws.ClaimSet, error)
 HandleRedirect(writer http.ResponseWriter, request *http.Request)
 HandleCallback(writer http.ResponseWriter, request *http.Request)
+ GetServiceAccount(groups []string) (*apiv1.LocalObjectReference, error)
 }
 var _ Interface = &sso{}
@@ -34,9 +36,15 @@ type sso struct {
 idTokenVerifier *oidc.IDTokenVerifier
 baseHRef string
 secure bool
+ rbacConfig *rbac.Config
+}
+
+func (s *sso) GetServiceAccount(groups []string) (*apiv1.LocalObjectReference, error) {
+ return s.rbacConfig.GetServiceAccount(groups)
 }
 type Config struct {
+ RBAC *rbac.Config `json:"rbac,omitempty"`
 Issuer string `json:"issuer"`
 ClientID apiv1.SecretKeySelector `json:"clientId"`
 ClientSecret apiv1.SecretKeySelector `json:"clientSecret"`
@@ -115,9 +123,14 @@ func newSso(
 Endpoint: provider.Endpoint(),
 Scopes: []string{oidc.ScopeOpenID},
 }
+ // We need the 'groups' if RBAC is enabled. Not all provider support this non-standard claims,
+ // so we only do this if we really need it.
+ if c.RBAC != nil {
+ config.Scopes = append(config.Scopes, "groups")
+ }
 idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID})
- log.WithFields(log.Fields{"redirectUrl": config.RedirectURL, "issuer": c.Issuer, "clientId": c.ClientID}).Info("SSO configuration")
- return &sso{config, idTokenVerifier, baseHRef, secure}, nil
+ log.WithFields(log.Fields{"redirectUrl": config.RedirectURL, "issuer": c.Issuer, "clientId": c.ClientID, "rbac": c.RBAC != nil}).Info("SSO configuration")
+ return &sso{config, idTokenVerifier, baseHRef, secure, c.RBAC}, nil
 }
 const stateCookieName = "oauthState"
diff --git a/ui/src/app/userinfo/components/user-info.tsx b/ui/src/app/userinfo/components/user-info.tsx
index 61b13daadf46..4974ef584a43 100644
--- a/ui/src/app/userinfo/components/user-info.tsx
+++ b/ui/src/app/userinfo/components/user-info.tsx
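Review bot: The new `GetServiceAccount` on `Interface` and on `*sso` carries a contract the gatekeeper depends on for an authorization decision (a nil reference with a nil error means RBAC is not configured, and the caller then keeps using the server's own clients), yet neither has a doc comment; state it on the interface: `// GetServiceAccount returns the service account a user with the given groups should act as, or nil, nil when RBAC is not configured.` The comment in the `newSso` hunk should read `// We need the 'groups' claim if RBAC is enabled. Not all providers support this non-standard claim, so we only request the scope when we need it.` Logging only `"rbac": c.RBAC != nil` rather than the rule set is the right level of detail for the startup log. `newSso` begins before its hunk.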
@@ -38,6 +38,7 @@ export class UserInfo extends BasePage, State> { <>

Issuer: {this.state.userInfo.issuer || '-'}

Subject: {this.state.userInfo.subject || '-'}

+ {this.state.userInfo.groups &&this.state.userInfo.group.length >0 && (<>

Groups:

)} )}
diff --git a/ui/src/models/info.ts b/ui/src/models/info.ts
index 5ddd827d005e..84927f32af5a 100644
--- a/ui/src/models/info.ts
+++ b/ui/src/models/info.ts
@@ -16,4 +16,5 @@ export interface Version {
 export interface GetUserInfoResponse {
 subject?: string;
 issuer?: string;
+ groups?: string[];
 }
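Review bot: The added guard appears to read `this.state.userInfo.group.length` while the property added to `GetUserInfoResponse` in `ui/src/models/info.ts` is `groups`; unless that is an artifact of how the page was extracted, it is a type error under TypeScript and would throw at render for exactly the users who have groups to display. It should read `{this.state.userInfo.groups && this.state.userInfo.groups.length > 0 && (`. The JSX markup of this hunk has been stripped on the page, so the surrounding elements cannot be checked here, and the enclosing `UserInfo` method begins before the hunk. The info.ts hunk sharing this anchor is a model-only addition and needs no review.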