feat(controller): add SkipImpersonationReview featuregate (#422)

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

internal/features/features.go

@@ -11,4 +11,12 @@ const (
 	// for resources in all tenant namespaces resulting in increased memory
 	// usage and cluster-wide RBAC permissions (list and watch).
 	ProxyAllNamespaced = "ProxyAllNamespaced"
+
+	// SkipImpersonationReview allows to skip the impersonation review
+	// for all requests containing impersonation headers (user and groups)
+	//
+	// DANGER: Enabling this flag allows any user to impersonate as any user or group
+	// essentially bypassing any authorization. Only use this option in trusted environments
+	// where authorization/authentication is offloaded to external systems.
+	SkipImpersonationReview = "SkipImpersonationReview"
 )

internal/options/kube.go

@@ -24,12 +24,13 @@ type kubeOpts struct {
 	url                        url.URL
 	ignoredGroups              []string
 	ignoredImpersonationGroups []string
+	skipImpersonationReview    bool
 	claimName                  string
 	impersonationGroupsRegexp  *regexp.Regexp
 	config                     *rest.Config
 }
 
-func NewKube(authTypes []request.AuthType, ignoredGroups []string, claimName string, config *rest.Config, ignoredImpersonationGroups []string, impersonationGroupsString string) (ListenerOpts, error) {
+func NewKube(authTypes []request.AuthType, ignoredGroups []string, claimName string, config *rest.Config, ignoredImpersonationGroups []string, impersonationGroupsString string, skipImpersonationReview bool) (ListenerOpts, error) {
 	u, err := url.Parse(config.Host)
 	if err != nil {
 		return nil, fmt.Errorf("cannot create Kubernetes Options due to failed URL parsing: %w", err)
@@ -49,6 +50,7 @@ func NewKube(authTypes []request.AuthType, ignoredGroups []string, claimName str
 		ignoredGroups:              ignoredGroups,
 		ignoredImpersonationGroups: ignoredImpersonationGroups,
 		impersonationGroupsRegexp:  impersonationGroupsRegexp,
+		skipImpersonationReview:    skipImpersonationReview,
 		claimName:                  claimName,
 		config:                     config,
 	}, nil
@@ -82,6 +84,10 @@ func (k kubeOpts) PreferredUsernameClaim() string {
 	return k.claimName
 }
 
+func (k kubeOpts) SkipImpersonationReview() bool {
+	return k.skipImpersonationReview
+}
+
 func (k kubeOpts) ReverseProxyTransport() (*http.Transport, error) {
 	transportConfig, err := k.config.TransportConfig()
 	if err != nil {

internal/options/listener.go

@@ -20,4 +20,5 @@ type ListenerOpts interface {
 	PreferredUsernameClaim() string
 	ReverseProxyTransport() (*http.Transport, error)
 	BearerToken() string
+	SkipImpersonationReview() bool
 }

internal/request/http.go

@@ -22,11 +22,12 @@ type http struct {
 	usernameClaimField         string
 	ignoredImpersonationGroups []string
 	impersonationGroupsRegexp  *regexp.Regexp
+	skipImpersonationReview    bool
 	client                     client.Writer
 }
 
-func NewHTTP(request *h.Request, authTypes []AuthType, usernameClaimField string, client client.Writer, ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp) Request {
-	return &http{Request: request, authTypes: authTypes, usernameClaimField: usernameClaimField, client: client, ignoredImpersonationGroups: ignoredImpersonationGroups, impersonationGroupsRegexp: impersonationGroupsRegexp}
+func NewHTTP(request *h.Request, authTypes []AuthType, usernameClaimField string, client client.Writer, ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp, skipImpersonationReview bool) Request {
+	return &http{Request: request, authTypes: authTypes, usernameClaimField: usernameClaimField, client: client, ignoredImpersonationGroups: ignoredImpersonationGroups, impersonationGroupsRegexp: impersonationGroupsRegexp, skipImpersonationReview: skipImpersonationReview}
 }
 
 func (h http) GetHTTPRequest() *h.Request {
@@ -49,14 +50,45 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
 
 	// In case the requester is asking for impersonation, we have to be sure that's allowed by creating a
 	// SubjectAccessReview with the requested data, before proceeding.
+	//nolint:nestif
 	if impersonateGroups := GetImpersonatingGroups(h.Request, h.ignoredImpersonationGroups, h.impersonationGroupsRegexp); len(impersonateGroups) > 0 {
-		for _, impersonateGroup := range impersonateGroups {
+		if !h.skipImpersonationReview {
+			for _, impersonateGroup := range impersonateGroups {
+				ac := &authorizationv1.SubjectAccessReview{
+					Spec: authorizationv1.SubjectAccessReviewSpec{
+						ResourceAttributes: &authorizationv1.ResourceAttributes{
+							Verb:     "impersonate",
+							Resource: "groups",
+							Name:     impersonateGroup,
+						},
+						User:   username,
+						Groups: groups,
+					},
+				}
+				if err = h.client.Create(h.Request.Context(), ac); err != nil {
+					return "", nil, err
+				}
+
+				if !ac.Status.Allowed {
+					return "", nil, NewErrUnauthorized(fmt.Sprintf("the current user %s cannot impersonate the group %s", username, impersonateGroup))
+				}
+			}
+		}
+
+		defer func() {
+			groups = impersonateGroups
+		}()
+	}
+
+	//nolint:nestif
+	if impersonateUser := GetImpersonatingUser(h.Request); len(impersonateUser) > 0 {
+		if !h.skipImpersonationReview {
 			ac := &authorizationv1.SubjectAccessReview{
 				Spec: authorizationv1.SubjectAccessReviewSpec{
 					ResourceAttributes: &authorizationv1.ResourceAttributes{
 						Verb:     "impersonate",
-						Resource: "groups",
-						Name:     impersonateGroup,
+						Resource: "users",
+						Name:     impersonateUser,
 					},
 					User:   username,
 					Groups: groups,
@@ -67,35 +99,10 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
 			}
 
 			if !ac.Status.Allowed {
-				return "", nil, NewErrUnauthorized(fmt.Sprintf("the current user %s cannot impersonate the group %s", username, impersonateGroup))
+				return "", nil, NewErrUnauthorized(fmt.Sprintf("the current user %s cannot impersonate the user %s", username, impersonateUser))
 			}
 		}
 
-		defer func() {
-			groups = impersonateGroups
-		}()
-	}
-
-	if impersonateUser := GetImpersonatingUser(h.Request); len(impersonateUser) > 0 {
-		ac := &authorizationv1.SubjectAccessReview{
-			Spec: authorizationv1.SubjectAccessReviewSpec{
-				ResourceAttributes: &authorizationv1.ResourceAttributes{
-					Verb:     "impersonate",
-					Resource: "users",
-					Name:     impersonateUser,
-				},
-				User:   username,
-				Groups: groups,
-			},
-		}
-		if err = h.client.Create(h.Request.Context(), ac); err != nil {
-			return "", nil, err
-		}
-
-		if !ac.Status.Allowed {
-			return "", nil, NewErrUnauthorized(fmt.Sprintf("the current user %s cannot impersonate the user %s", username, impersonateUser))
-		}
-
 		// Assign impersonate user after group impersonation with current user
 		// As defer func works in LIFO, if user is also impersonating groups, they will be set to correct value in the previous defer func.
 		// Otherwise, groups will be set to nil, meaning we are checking just user permissions.

internal/request/http_test.go

@@ -52,6 +52,7 @@ func Test_http_GetUserAndGroups(t *testing.T) {
 		authTypes                 []request.AuthType
 		ignoreGroups              []string
 		ignoreImpersonationRegexp *regexp.Regexp
+		skipImpersonationReview   bool
 		usernameClaimField        string
 		client                    client.Writer
 	}
@@ -201,7 +202,7 @@ func Test_http_GetUserAndGroups(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			req := request.NewHTTP(tc.fields.Request, tc.fields.authTypes, tc.fields.usernameClaimField, tc.fields.client, tc.fields.ignoreGroups, tc.fields.ignoreImpersonationRegexp)
+			req := request.NewHTTP(tc.fields.Request, tc.fields.authTypes, tc.fields.usernameClaimField, tc.fields.client, tc.fields.ignoreGroups, tc.fields.ignoreImpersonationRegexp, tc.fields.skipImpersonationReview)
 			gotUsername, gotGroups, err := req.GetUserAndGroups()
 			if (err != nil) != tc.wantErr {
 				t.Errorf("GetUserAndGroups() error = %v, wantErr %v", err, tc.wantErr)

internal/webserver/middleware/user_in_group.go

@@ -5,6 +5,7 @@ package middleware
 
 import (
 	"net/http"
+	"regexp"
 
 	"github.com/go-logr/logr"
 	"github.com/gorilla/mux"
@@ -15,11 +16,11 @@ import (
 	req "github.com/projectcapsule/capsule-proxy/internal/request"
 )
 
-func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, ignoredUserGroups sets.Set[string], fn func(writer http.ResponseWriter, request *http.Request)) mux.MiddlewareFunc {
+func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, ignoredUserGroups sets.Set[string], ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp, skipImpersonationReview bool, fn func(writer http.ResponseWriter, request *http.Request)) mux.MiddlewareFunc {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
 			if ignoredUserGroups.Len() > 0 {
-				user, groups, err := req.NewHTTP(request, authTypes, claim, client, nil, nil).GetUserAndGroups()
+				user, groups, err := req.NewHTTP(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview).GetUserAndGroups()
 				if err != nil {
 					log.Error(err, "Cannot retrieve username and group from request")
 				}
@@ -39,10 +40,10 @@ func CheckUserInIgnoredGroupMiddleware(client client.Writer, log logr.Logger, cl
 	}
 }
 
-func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, impersonate func(http.ResponseWriter, *http.Request)) mux.MiddlewareFunc {
+func CheckUserInCapsuleGroupMiddleware(client client.Writer, log logr.Logger, claim string, authTypes []req.AuthType, ignoredImpersonationGroups []string, impersonationGroupsRegexp *regexp.Regexp, skipImpersonationReview bool, impersonate func(http.ResponseWriter, *http.Request)) mux.MiddlewareFunc {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-			_, groups, err := req.NewHTTP(request, authTypes, claim, client, nil, nil).GetUserAndGroups()
+			_, groups, err := req.NewHTTP(request, authTypes, claim, client, ignoredImpersonationGroups, impersonationGroupsRegexp, skipImpersonationReview).GetUserAndGroups()
 			if err != nil {
 				log.Error(err, "Cannot retrieve username and group from request")
 			}

internal/webserver/webserver.go

@@ -75,6 +75,7 @@ func NewKubeFilter(opts options.ListenerOpts, srv options.ServerOptions, gates f
 		ignoredUserGroups:          sets.New(opts.IgnoredGroupNames()...),
 		ignoredImpersonationGroups: opts.IgnoredImpersonationsGroups(),
 		impersonationGroupsRegexp:  opts.ImpersonationGroupsRegexp(),
+		skipImpersonationReview:    opts.SkipImpersonationReview(),
 		reverseProxy:               reverseProxy,
 		bearerToken:                opts.BearerToken(),
 		usernameClaimField:         opts.PreferredUsernameClaim(),
@@ -90,6 +91,7 @@ type kubeFilter struct {
 	ignoredUserGroups          sets.Set[string]
 	ignoredImpersonationGroups []string
 	impersonationGroupsRegexp  *regexp.Regexp
+	skipImpersonationReview    bool
 	reverseProxy               *httputil.ReverseProxy
 	bearerToken                string
 	usernameClaimField         string
@@ -182,7 +184,7 @@ func (n *kubeFilter) handleRequest(request *http.Request, selector labels.Select
 }
 
 func (n *kubeFilter) impersonateHandler(writer http.ResponseWriter, request *http.Request) {
-	hr := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp)
+	hr := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview)
 
 	username, groups, err := hr.GetUserAndGroups()
 	if err != nil {
@@ -276,11 +278,11 @@ func (n *kubeFilter) registerModules(ctx context.Context, root *mux.Router) {
 		sr.Use(
 			middleware.CheckPaths(n.log, n.allowedPaths, n.impersonateHandler),
 			middleware.CheckJWTMiddleware(n.writer),
-			middleware.CheckUserInIgnoredGroupMiddleware(n.writer, n.log, n.usernameClaimField, n.authTypes, n.ignoredUserGroups, n.impersonateHandler),
-			middleware.CheckUserInCapsuleGroupMiddleware(n.writer, n.log, n.usernameClaimField, n.authTypes, n.impersonateHandler),
+			middleware.CheckUserInIgnoredGroupMiddleware(n.writer, n.log, n.usernameClaimField, n.authTypes, n.ignoredUserGroups, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.impersonateHandler),
+			middleware.CheckUserInCapsuleGroupMiddleware(n.writer, n.log, n.usernameClaimField, n.authTypes, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.impersonateHandler),
 		)
 		sr.HandleFunc("", func(writer http.ResponseWriter, request *http.Request) {
-			proxyRequest := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer, nil, nil)
+			proxyRequest := req.NewHTTP(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview)
 			username, groups, err := proxyRequest.GetUserAndGroups()
 			if err != nil {
 				server.HandleError(writer, err, "cannot retrieve user and group from the request")

main.go

@@ -66,6 +66,11 @@ func main() {
 			LockToDefault: false,
 			PreRelease:    featuregate.Alpha,
 		},
+		features.SkipImpersonationReview: {
+			Default:       false,
+			LockToDefault: false,
+			PreRelease:    featuregate.Alpha,
+		},
 	}))
 
 	authTypes := []request.AuthType{
@@ -150,6 +155,10 @@ First match is used and can be specified multiple times as comma separated value
 		log.Info(fmt.Sprintf("The Groups dropped for impersonation %s", ignoreImpersonationGroups))
 	}
 
+	if gates.Enabled(features.SkipImpersonationReview) {
+		log.Info("SECURITY IMPLICATION: Skipping Impersonation reviews are enabled!")
+	}
+
 	log.Info("---")
 	log.Info("Creating the manager")
 
@@ -209,7 +218,7 @@ First match is used and can be specified multiple times as comma separated value
 
 	var listenerOpts options.ListenerOpts
 
-	if listenerOpts, err = options.NewKube(authTypes, ignoredUserGroups, usernameClaimField, config, ignoreImpersonationGroups, impersonationGroupsRegexp); err != nil {
+	if listenerOpts, err = options.NewKube(authTypes, ignoredUserGroups, usernameClaimField, config, ignoreImpersonationGroups, impersonationGroupsRegexp, gates.Enabled(features.SkipImpersonationReview)); err != nil {
 		log.Error(err, "cannot create Kubernetes options")
 		os.Exit(1)
 	}