Add a setting to disallow access to all namespaces

With the cluster resolver we allow access to all namespaces by default
if empty. This is not always desirable and we should have a way to only
allow explicitly  the namespaces that are allowed.

Let the user configure the `blocked-namespaces` setting to `*` to
disallow all namespaces by default and only allow access to namespaces
with the `allowed-namespaces` setting.

Signed-off-by: Chmouel Boudjnah <[email protected]>

Author: chmouel

docs/cluster-resolver.md

@@ -40,7 +40,7 @@ for the name, namespace and defaults that the resolver ships with.
 | `default-kind`       | The default resource kind to fetch if not specified in parameters.                                                                                  | `task`, `pipeline`                 |
 | `default-namespace`  | The default namespace to fetch resources from if not specified in parameters.                                                                       | `default`, `some-namespace`        |
 | `allowed-namespaces` | An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed.      | `default,some-namespace`, (empty)  |
-| `blocked-namespaces` | An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. | `default,other-namespace`, (empty) |       
+| `blocked-namespaces` | An optional comma-separated list of namespaces which the resolver is blocked from accessing. If the value is a `*` all namespaces will be disallowed and allowed namespace will need to be explicitely listed in `allowed-namespaces`. Defaults to empty, meaning all namespaces are allowed. | `default,other-namespace`, `*`, (empty) |
 
 ## Usage
 

pkg/resolution/resolver/cluster/resolver.go

@@ -279,6 +279,14 @@ func populateParamsWithDefaults(ctx context.Context, origParams []pipelinev1.Par
 		return nil, fmt.Errorf("access to specified namespace %s is blocked", params[NamespaceParam])
 	}
 
+	if conf[AllowedNamespacesKey] != "" && isInCommaSeparatedList(params[NamespaceParam], conf[AllowedNamespacesKey]) {
+		return params, nil
+	}
+
+	if conf[BlockedNamespacesKey] != "" && conf[BlockedNamespacesKey] == "*" {
+		return nil, fmt.Errorf("only explicit allowed access to namespaces is allowed")
+	}
+
 	if conf[AllowedNamespacesKey] != "" && !isInCommaSeparatedList(params[NamespaceParam], conf[AllowedNamespacesKey]) {
 		return nil, fmt.Errorf("access to specified namespace %s is not allowed", params[NamespaceParam])
 	}

pkg/resolution/resolver/cluster/resolver_test.go

@@ -159,6 +159,30 @@ func TestValidateParamsFailure(t *testing.T) {
 			},
 			expectedErr: "access to specified namespace foo is blocked",
 		},
+		{
+			name: "blocked by star",
+			params: map[string]string{
+				cluster.KindParam:      "task",
+				cluster.NamespaceParam: "foo",
+				cluster.NameParam:      "baz",
+			},
+			conf: map[string]string{
+				cluster.BlockedNamespacesKey: "*",
+			},
+			expectedErr: "only explicit allowed access to namespaces is allowed",
+		},
+		{
+			name: "blocked by star but allowed explicitly",
+			params: map[string]string{
+				cluster.KindParam:      "task",
+				cluster.NamespaceParam: "foo",
+				cluster.NameParam:      "baz",
+			},
+			conf: map[string]string{
+				cluster.BlockedNamespacesKey: "*",
+				cluster.AllowedNamespacesKey: "foo",
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -178,6 +202,12 @@ func TestValidateParamsFailure(t *testing.T) {
 				})
 			}
 			err := resolver.ValidateParams(ctx, asParams)
+			if tc.expectedErr == "" {
+				if err != nil {
+					t.Fatalf("got unexpected error: %v", err)
+				}
+				return
+			}
 			if err == nil {
 				t.Fatalf("got no error, but expected: %s", tc.expectedErr)
 			}