Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v16] Extend resource access request validation checks #48137

Merged
merged 1 commit into from
Nov 1, 2024
Merged

[v16] Extend resource access request validation checks #48137

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions lib/services/access_request.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ import (
const (
maxAccessRequestReasonSize = 4096
maxResourcesPerRequest = 300
maxResourcesLength = 2048

// A day is sometimes 23 hours, sometimes 25 hours, usually 24 hours.
day = 24 * time.Hour
Expand Down Expand Up @@ -1157,16 +1158,25 @@ func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest
// deduplicate requested resource IDs
var deduplicated []types.ResourceID
seen := make(map[string]struct{})
resourcesLen := 0
for _, resource := range req.GetRequestedResourceIDs() {
id := types.ResourceIDToString(resource)
if _, isDuplicate := seen[id]; isDuplicate {
continue
}
seen[id] = struct{}{}
deduplicated = append(deduplicated, resource)
resourcesLen += len(id)
}
req.SetRequestedResourceIDs(deduplicated)

// In addition to capping the maximum number of resources in a single request,
// we also need to ensure that the sum of the resource IDs in the request doesn't
// get too big.
if resourcesLen > maxResourcesLength {
return trace.BadParameter("access request exceeds maximum length: try reducing the number of resources in the request")
}

// determine the roles which should be requested for a resource access
// request, and write them to the request
if err := m.setRolesForResourceRequest(ctx, req); err != nil {
Expand Down
13 changes: 12 additions & 1 deletion lib/services/access_request_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2150,7 +2150,7 @@ func (mcg mockClusterGetter) GetRemoteCluster(ctx context.Context, clusterName s
return nil, trace.NotFound("remote cluster %q was not found", clusterName)
}

func TestValidateDuplicateRequestedResources(t *testing.T) {
func TestValidateResourceRequestSizeLimits(t *testing.T) {
g := &mockGetter{
roles: make(map[string]types.Role),
userStates: make(map[string]*userloginstate.UserLoginState),
Expand Down Expand Up @@ -2212,6 +2212,17 @@ func TestValidateDuplicateRequestedResources(t *testing.T) {
require.Len(t, req.GetRequestedResourceIDs(), 2)
require.Equal(t, "/someCluster/node/resource1", types.ResourceIDToString(req.GetRequestedResourceIDs()[0]))
require.Equal(t, "/someCluster/node/resource2", types.ResourceIDToString(req.GetRequestedResourceIDs()[1]))

var requestedResourceIDs []types.ResourceID
for i := 0; i < 200; i++ {
requestedResourceIDs = append(requestedResourceIDs, types.ResourceID{
ClusterName: "someCluster",
Kind: "node",
Name: "resource" + strconv.Itoa(i),
})
}
req.SetRequestedResourceIDs(requestedResourceIDs)
require.ErrorContains(t, ValidateAccessRequestForUser(context.Background(), clock, g, req, identity, ExpandVars(true)), "access request exceeds maximum length")
}

func TestValidateAccessRequestClusterNames(t *testing.T) {
Expand Down
Loading