Validate invitation targetRefs to prevent privilege escalation (#107)

* Invitation validate direct user references
* Deduplicate getting objects from targetRef
* Update readme and local setup with added hook

Author: bastjan

README.md

@@ -163,6 +163,16 @@ EOF
 kubectl patch validatingwebhookconfiguration validating-webhook-configuration \
   -p '{
     "webhooks": [
+      {
+        "name": "validate-invitations.user.appuio.io",
+        "clientConfig": {
+          "caBundle": "'"$(base64 -w0 "./local-env/webhook-certs/tls.crt)"'",
+          "service": {
+            "namespace": "default",
+            "port": 9444
+          }
+        }
+      },
       {
         "name": "validate-users.appuio.io",
         "clientConfig": {

config/webhook/manifests.yaml

@@ -5,6 +5,26 @@ metadata:
   creationTimestamp: null
   name: validating-webhook-configuration
 webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-user-appuio-io-v1-invitation
+  failurePolicy: Fail
+  name: validate-invitations.user.appuio.io
+  rules:
+  - apiGroups:
+    - user.appuio.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - invitations
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

controllers/invitation_redeem_controller.go

@@ -3,10 +3,8 @@ package controllers
 import (
 	"context"
 	"errors"
-	"fmt"
 
 	"go.uber.org/multierr"
-	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/record"
@@ -15,7 +13,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	userv1 "github.com/appuio/control-api/apis/user/v1"
-	controlv1 "github.com/appuio/control-api/apis/v1"
+	"github.com/appuio/control-api/controllers/targetref"
 )
 
 // InvitationRedeemReconciler reconciles invitations and adds a token to the status if required.
@@ -94,72 +92,20 @@ func (r *InvitationRedeemReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }
 
 func addUserToTarget(ctx context.Context, c client.Client, user string, target userv1.TargetRef) error {
-	switch {
-	case target.APIGroup == "appuio.io" && target.Kind == "OrganizationMembers":
-		om := controlv1.OrganizationMembers{}
-		if err := c.Get(ctx, client.ObjectKey{Name: target.Name, Namespace: target.Namespace}, &om); err != nil {
-			return err
-		}
-		refs, added := ensure(om.Spec.UserRefs, controlv1.UserRef{Name: user})
-		om.Spec.UserRefs = refs
-		if added {
-			return c.Update(ctx, &om)
-		}
-		return nil
-	case target.APIGroup == "appuio.io" && target.Kind == "Team":
-		te := controlv1.Team{}
-		if err := c.Get(ctx, client.ObjectKey{Name: target.Name, Namespace: target.Namespace}, &te); err != nil {
-			return err
-		}
-		refs, added := ensure(te.Spec.UserRefs, controlv1.UserRef{Name: user})
-		te.Spec.UserRefs = refs
-		if added {
-			return c.Update(ctx, &te)
-		}
-		return nil
-	case target.APIGroup == rbacv1.GroupName && target.Kind == "ClusterRoleBinding":
-		crb := rbacv1.ClusterRoleBinding{}
-		if err := c.Get(ctx, client.ObjectKey{Name: target.Name}, &crb); err != nil {
-			return err
-		}
-		subjects, added := ensure(crb.Subjects, newSubject(user))
-		crb.Subjects = subjects
-		if added {
-			return c.Update(ctx, &crb)
-		}
-		return nil
-	case target.APIGroup == rbacv1.GroupName && target.Kind == "RoleBinding":
-		rb := rbacv1.RoleBinding{}
-		if err := c.Get(ctx, client.ObjectKey{Name: target.Name, Namespace: target.Namespace}, &rb); err != nil {
-			return err
-		}
-		subjects, added := ensure(rb.Subjects, newSubject(user))
-		rb.Subjects = subjects
-		if added {
-			return c.Update(ctx, &rb)
-		}
-		return nil
+	o, err := targetref.GetTarget(ctx, c, target)
+	if err != nil {
+		return err
 	}
 
-	return fmt.Errorf("unsupported target %q.%q", target.APIGroup, target.Kind)
-}
-
-// ensure ensures that the given element is present in the given slice.
-// If the element is already present, the original slice is returned.
-// If the element is not present, a new slice is returned with the element appended.
-func ensure[T comparable](s []T, e T) (ret []T, added bool) {
-	for _, v := range s {
-		if v == e {
-			return s, false
-		}
+	a, err := targetref.NewUserAccessor(o)
+	if err != nil {
+		return err
 	}
-	return append(s, e), true
-}
 
-func newSubject(user string) rbacv1.Subject {
-	return rbacv1.Subject{
-		Kind:     rbacv1.UserKind,
-		APIGroup: rbacv1.GroupName,
-		Name:     user,
+	added := a.EnsureUser(user)
+	if added {
+		return c.Update(ctx, o)
 	}
+
+	return nil
 }

controllers/targetref/targetref.go

@@ -0,0 +1,114 @@
+package targetref
+
+import (
+	"context"
+	"fmt"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	userv1 "github.com/appuio/control-api/apis/user/v1"
+	controlv1 "github.com/appuio/control-api/apis/v1"
+)
+
+// GetTarget returns the target object for the given TargetRef.
+// Returns an error if the target is not supported.
+func GetTarget(ctx context.Context, c client.Client, target userv1.TargetRef) (client.Object, error) {
+	var obj client.Object
+	switch {
+	case target.APIGroup == "appuio.io" && target.Kind == "OrganizationMembers":
+		obj = &controlv1.OrganizationMembers{}
+	case target.APIGroup == "appuio.io" && target.Kind == "Team":
+		obj = &controlv1.Team{}
+	case target.APIGroup == rbacv1.GroupName && target.Kind == "ClusterRoleBinding":
+		obj = &rbacv1.ClusterRoleBinding{}
+	case target.APIGroup == rbacv1.GroupName && target.Kind == "RoleBinding":
+		obj = &rbacv1.RoleBinding{}
+	default:
+		return nil, fmt.Errorf("unsupported target %q.%q", target.APIGroup, target.Kind)
+	}
+
+	err := c.Get(ctx, client.ObjectKey{Name: target.Name, Namespace: target.Namespace}, obj)
+	return obj, err
+}
+
+// UserAccessor is an interface for accessing users from objects supported by this project.
+type UserAccessor interface {
+	// EnsureUser adds the user to the object if it is not already present.
+	// Returns true if the user was added.
+	EnsureUser(user string) (added bool)
+	// HasUser returns true if the user is present in the object.
+	HasUser(user string) bool
+}
+
+// NewUserAccessor returns a UserAccessor for the given object or an error if the object is not supported.
+func NewUserAccessor(obj client.Object) (UserAccessor, error) {
+	switch o := obj.(type) {
+	case *controlv1.OrganizationMembers:
+		return &controlv1UserRefAccessor{userRefs: &o.Spec.UserRefs}, nil
+	case *controlv1.Team:
+		return &controlv1UserRefAccessor{userRefs: &o.Spec.UserRefs}, nil
+	case *rbacv1.ClusterRoleBinding:
+		return &rbacv1SubjectAccessor{subjects: &o.Subjects}, nil
+	case *rbacv1.RoleBinding:
+		return &rbacv1SubjectAccessor{subjects: &o.Subjects}, nil
+	default:
+		return nil, fmt.Errorf("unsupported object %T", obj)
+	}
+}
+
+type controlv1UserRefAccessor struct {
+	userRefs *[]controlv1.UserRef
+}
+
+var _ UserAccessor = &controlv1UserRefAccessor{}
+
+func (s *controlv1UserRefAccessor) HasUser(user string) bool {
+	return isInSlice(*s.userRefs, controlv1.UserRef{Name: user})
+}
+
+func (s *controlv1UserRefAccessor) EnsureUser(user string) (added bool) {
+	*s.userRefs, added = ensure(*s.userRefs, controlv1.UserRef{Name: user})
+	return
+}
+
+type rbacv1SubjectAccessor struct {
+	subjects *[]rbacv1.Subject
+}
+
+var _ UserAccessor = &rbacv1SubjectAccessor{}
+
+func (s *rbacv1SubjectAccessor) HasUser(user string) bool {
+	return isInSlice(*s.subjects, newSubject(user))
+}
+
+func (s *rbacv1SubjectAccessor) EnsureUser(user string) (added bool) {
+	*s.subjects, added = ensure(*s.subjects, newSubject(user))
+	return
+}
+
+func newSubject(user string) rbacv1.Subject {
+	return rbacv1.Subject{
+		Kind:     rbacv1.UserKind,
+		APIGroup: rbacv1.GroupName,
+		Name:     user,
+	}
+}
+
+func ensure[T comparable](s []T, e T) (ret []T, added bool) {
+	for _, v := range s {
+		if v == e {
+			return s, false
+		}
+	}
+	return append(s, e), true
+}
+
+func isInSlice[T comparable](s []T, e T) (found bool) {
+	for _, v := range s {
+		if v == e {
+			return true
+		}
+	}
+	return false
+}