

add KindIdentityCenterAccount rw verb to editor preset, KindIdentityC…
…enterAccount and KindSAMLIdPServiceProvider to default implicit (#48103)
flyinghermit authored Oct 30, 2024
1 parent 00db98b commit 49ad57e
Showing 3 changed files with 75 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/services/presets.go
Expand Up @@ -182,6 +182,7 @@ func NewPresetEditorRole() types.Role {
types.NewRule(types.KindNotification, RW()),
types.NewRule(types.KindStaticHostUser, RW()),
types.NewRule(types.KindUserTask, RW()),
types.NewRule(types.KindIdentityCenterAccount, RW()),
},
},
},
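Review bot: The new RW rule for types.KindIdentityCenterAccount in NewPresetEditorRole is not exercised by the test this commit adds; TestDefaultImplicitRules in role_test.go only runs NewPresetAccessRole and an empty custom role, and both of those get the implicit read-only rule, so create/update/delete for the editor preset is never asserted. A case such as `{name: "KindIdentityCenterAccount with NewPresetEditorRole", role: NewPresetEditorRole(), checks: ...}` with hasAccess true for VerbCreate, VerbUpdate and VerbDelete would pin the write grant and distinguish it from the implicit RO grant. Since this widens a built-in preset, a one-line comment on the rule saying what the editor is expected to manage for this kind would also help a later audit. NewPresetEditorRole begins and ends outside the hunk.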
2 changes: 2 additions & 0 deletions lib/services/role.go
Expand Up @@ -78,6 +78,8 @@ var DefaultImplicitRules = []types.Rule{
types.NewRule(types.KindUsageEvent, []string{types.VerbCreate}),
types.NewRule(types.KindVnetConfig, RO()),
types.NewRule(types.KindSPIFFEFederation, RO()),
types.NewRule(types.KindSAMLIdPServiceProvider, RO()),
types.NewRule(types.KindIdentityCenterAccount, RO()),
}
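Review bot: The two lines added to DefaultImplicitRules grant read and list on types.KindSAMLIdPServiceProvider and types.KindIdentityCenterAccount to every role, not only to the presets, and nothing in the hunk records why every authenticated user needs that visibility. The empty-custom-role cases in role_test.go confirm that this broad effect is intended, so the justification belongs next to the rule; a comment above the pair along the lines of `// Every role can read and list SAML IdP service providers and Identity Center accounts so that <reason — fill in>` would let a later reviewer judge whether the grant can be narrowed. If either kind can carry data an unprivileged user should not see, that is worth stating here as well, because an implicit grant is the hardest kind to tighten later. The DefaultImplicitRules declaration starts outside the hunk.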

// DefaultCertAuthorityRules provides access the minimal set of resources
72 changes: 72 additions & 0 deletions lib/services/role_test.go
Expand Up @@ -2441,6 +2441,78 @@ func TestCheckRuleAccess(t *testing.T) {
}
}

func TestDefaultImplicitRules(t *testing.T) {
type check struct {
hasAccess bool
verb string
namespace string
rule string
context testContext
}
testCases := []struct {
name string
role types.Role
checks []check
}{
{
name: "KindIdentityCenterAccount with NewPresetAccessRole",
role: NewPresetAccessRole(),
checks: []check{
{rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
},
},
{
name: "KindIdentityCenterAccount with a custom role that does not explicitly target read and list verbs for KindIdentityCenterAccount",
role: newRole(func(r *types.RoleV6) {}),
checks: []check{
{rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
},
},
{
name: "KindSAMLIdPServiceProvider with NewPresetAccessRole",
role: NewPresetAccessRole(),
checks: []check{
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
},
},
{
name: "KindSAMLIdPServiceProvider with a custom role that does not explicitly target read and list verbs for KindSAMLIdPServiceProvider",
role: newRole(func(r *types.RoleV6) {}),
checks: []check{
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
{rule: types.KindSAMLIdPServiceProvider, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
},
},
}
for _, tc := range testCases {
roleSet := NewRoleSet(tc.role)
for _, check := range tc.checks {
result := roleSet.CheckAccessToRule(&check.context, check.namespace, check.rule, check.verb)
if check.hasAccess {
require.NoError(t, result)
} else {
require.True(t, trace.IsAccessDenied(result))
}

}
}
}

func TestMFAVerificationInterval(t *testing.T) {
testCases := []struct {
name string
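Review bot: When one of the checks in TestDefaultImplicitRules fails, the assertion output names neither the test case nor the verb and kind being checked, because the loop does not use t.Run and the require calls carry no message; with twenty near-identical checks across four cases the failing one is hard to locate. Wrapping the inner loop in `t.Run(tc.name, func(t *testing.T) { ... })` and adding context to the denial branch, `require.True(t, trace.IsAccessDenied(result), "%s %s: expected access denied, got %v", check.verb, check.rule, result)`, fixes that. Two smaller points: the `context testContext` field is never populated in any case, so either the zero value is deliberate and a short comment should say so, or the field can go; and the blank line before the closing brace of the inner loop is a stray gofmt-clean but unusual gap.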
