feet : SREP-1313 Update isolation workflow to enforce policy Arn from backplane-api assume-role-sequence endpoint

Author: samanthajayasinghe

cmd/ocm-backplane/cloud/common.go

@@ -18,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
 	ocmsdk "github.com/openshift-online/ocm-sdk-go"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 	BackplaneApi "github.com/openshift/backplane-api/pkg/client"
@@ -211,6 +212,8 @@ func (cfg *QueryConfig) getCloudCredentialsFromBackplaneAPI(ocmToken string) (bp
 type assumeChainResponse struct {
 	AssumptionSequence      []namedRoleArn `json:"assumptionSequence"`
 	CustomerRoleSessionName string         `json:"customerRoleSessionName"`
+	// SessionPolicyArn is the ARN of the session policy
+	SessionPolicyArn string `json:"sessionPolicyArn"`
 }
 
 type namedRoleArn struct {
@@ -319,6 +322,24 @@ func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials
 		} else {
 			roleArnSession.RoleSessionName = email
 		}
+		// Default to no policy ARNs
+		roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
+		if namedRoleArnEntry.Name == CustomerRoleArnName {
+			roleArnSession.IsCustomerRole = true
+			// Add the session policy ARN for selected roles
+			if roleChainResponse.SessionPolicyArn != "" {
+				logger.Debugf("Adding session policy ARN for role %s: %s", namedRoleArnEntry.Name, roleChainResponse.SessionPolicyArn)
+				roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
+					{
+						Arn: aws.String(roleChainResponse.SessionPolicyArn),
+					},
+				}
+			}
+		} else {
+			roleArnSession.IsCustomerRole = false
+		}
+		roleArnSession.Name = namedRoleArnEntry.Name
+
 		assumeRoleArnSessionSequence = append(assumeRoleArnSessionSequence, roleArnSession)
 	}
 
@@ -471,7 +492,7 @@ func isIsolatedBackplaneAccess(cluster *cmv1.Cluster, ocmConnection *ocmsdk.Conn
 	if strings.HasSuffix(baseDomain, "devshiftusgov.com") || strings.HasSuffix(baseDomain, "openshiftusgov.com") {
 		return false, nil
 	}
-	
+
 	if cluster.Hypershift().Enabled() {
 		return true, nil
 	}

cmd/ocm-backplane/cloud/common_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
 	"github.com/golang/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -523,3 +524,167 @@ var _ = Describe("isIsolatedBackplaneAccess", func() {
 		})
 	})
 })
+
+var _ = Describe("PolicyARNs Integration", func() {
+	var (
+		testSessionPolicyArn string
+	)
+
+	BeforeEach(func() {
+		testSessionPolicyArn = "arn:aws:iam::123456789012:policy/TestSessionPolicy"
+	})
+
+	Context("when creating RoleArnSession with SessionPolicyArn", func() {
+		It("should set PolicyARNs for customer roles", func() {
+			// Test the logic from common.go lines 327-337
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			// Simulate the logic from getIsolatedCredentials
+			assumeRoleArnSessionSequence := make([]awsutil.RoleArnSession, 0, len(roleChainResponse.AssumptionSequence))
+			for _, namedRoleArnEntry := range roleChainResponse.AssumptionSequence {
+				roleArnSession := awsutil.RoleArnSession{RoleArn: namedRoleArnEntry.Arn}
+				if namedRoleArnEntry.Name == CustomerRoleArnName || namedRoleArnEntry.Name == OrgRoleArnName {
+					roleArnSession.RoleSessionName = roleChainResponse.CustomerRoleSessionName
+				} else {
+					roleArnSession.RoleSessionName = "test@example.com"
+				}
+
+				// Default to no policy ARNs
+				roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
+				if namedRoleArnEntry.Name == CustomerRoleArnName {
+					roleArnSession.IsCustomerRole = true
+					// Add the session policy ARN for selected roles
+					if roleChainResponse.SessionPolicyArn != "" {
+						roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
+							{
+								Arn: aws.String(roleChainResponse.SessionPolicyArn),
+							},
+						}
+					}
+				} else {
+					roleArnSession.IsCustomerRole = false
+				}
+				roleArnSession.Name = namedRoleArnEntry.Name
+
+				assumeRoleArnSessionSequence = append(assumeRoleArnSessionSequence, roleArnSession)
+			}
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
+			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(testSessionPolicyArn))
+		})
+
+		It("should not set PolicyARNs for non-customer roles", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: "Support-Role-Arn",
+						Arn:  "arn:aws:iam::123456789012:role/support-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			// Simulate the logic from getIsolatedCredentials
+			assumeRoleArnSessionSequence := make([]awsutil.RoleArnSession, 0, len(roleChainResponse.AssumptionSequence))
+			for _, namedRoleArnEntry := range roleChainResponse.AssumptionSequence {
+				roleArnSession := awsutil.RoleArnSession{RoleArn: namedRoleArnEntry.Arn}
+				if namedRoleArnEntry.Name == CustomerRoleArnName || namedRoleArnEntry.Name == OrgRoleArnName {
+					roleArnSession.RoleSessionName = roleChainResponse.CustomerRoleSessionName
+				} else {
+					roleArnSession.RoleSessionName = "test@example.com"
+				}
+
+				// Default to no policy ARNs
+				roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
+				if namedRoleArnEntry.Name == CustomerRoleArnName {
+					roleArnSession.IsCustomerRole = true
+					// Add the session policy ARN for selected roles
+					if roleChainResponse.SessionPolicyArn != "" {
+						roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
+							{
+								Arn: aws.String(roleChainResponse.SessionPolicyArn),
+							},
+						}
+					}
+				} else {
+					roleArnSession.IsCustomerRole = false
+				}
+				roleArnSession.Name = namedRoleArnEntry.Name
+
+				assumeRoleArnSessionSequence = append(assumeRoleArnSessionSequence, roleArnSession)
+			}
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			supportRole := assumeRoleArnSessionSequence[0]
+			Expect(supportRole.IsCustomerRole).To(BeFalse())
+			Expect(supportRole.Name).To(Equal("Support-Role-Arn"))
+			Expect(len(supportRole.PolicyARNs)).To(Equal(0))
+		})
+
+		It("should handle empty SessionPolicyArn for customer roles", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        "", // Empty session policy ARN
+			}
+
+			// Simulate the logic from getIsolatedCredentials
+			assumeRoleArnSessionSequence := make([]awsutil.RoleArnSession, 0, len(roleChainResponse.AssumptionSequence))
+			for _, namedRoleArnEntry := range roleChainResponse.AssumptionSequence {
+				roleArnSession := awsutil.RoleArnSession{RoleArn: namedRoleArnEntry.Arn}
+				if namedRoleArnEntry.Name == CustomerRoleArnName || namedRoleArnEntry.Name == OrgRoleArnName {
+					roleArnSession.RoleSessionName = roleChainResponse.CustomerRoleSessionName
+				} else {
+					roleArnSession.RoleSessionName = "test@example.com"
+				}
+
+				// Default to no policy ARNs
+				roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
+				if namedRoleArnEntry.Name == CustomerRoleArnName {
+					roleArnSession.IsCustomerRole = true
+					// Add the session policy ARN for selected roles
+					if roleChainResponse.SessionPolicyArn != "" {
+						roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
+							{
+								Arn: aws.String(roleChainResponse.SessionPolicyArn),
+							},
+						}
+					}
+				} else {
+					roleArnSession.IsCustomerRole = false
+				}
+				roleArnSession.Name = namedRoleArnEntry.Name
+
+				assumeRoleArnSessionSequence = append(assumeRoleArnSessionSequence, roleArnSession)
+			}
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
+			Expect(len(customerRole.PolicyARNs)).To(Equal(0))
+		})
+	})
+})

pkg/awsutil/sts.go

@@ -17,6 +17,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
 	"github.com/openshift/backplane-cli/pkg/utils"
 )
 
@@ -97,12 +98,16 @@ func AssumeRole(
 	roleSessionName string,
 	roleArn string,
 	inlinePolicy *PolicyDocument,
+	policyARNs []types.PolicyDescriptorType,
 ) (aws.Credentials, error) {
 	assumeRoleProvider := stscreds.NewAssumeRoleProvider(stsClient, roleArn, func(options *stscreds.AssumeRoleOptions) {
 		options.RoleSessionName = roleSessionName
 		if inlinePolicy != nil {
 			options.Policy = aws.String(inlinePolicy.String())
 		}
+		if len(policyARNs) > 0 {
+			options.PolicyARNs = policyARNs
+		}
 	})
 	result, err := assumeRoleProvider.Retrieve(context.TODO())
 	if err != nil {
@@ -123,8 +128,11 @@ var DefaultSTSClientProviderFunc STSClientProviderFunc = func(optnFns ...func(op
 }
 
 type RoleArnSession struct {
+	Name            string
 	RoleSessionName string
 	RoleArn         string
+	IsCustomerRole  bool
+	PolicyARNs      []types.PolicyDescriptorType
 }
 
 func AssumeRoleSequence(
@@ -142,8 +150,14 @@ func AssumeRoleSequence(
 	var lastCredentials aws.Credentials
 
 	for i, roleArnSession := range roleArnSessionSequence {
-		logger.Debug("Assuming role in sequence: ", roleArnSession.RoleArn, " ", roleArnSession.RoleSessionName)
-		result, err := AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, inlinePolicy)
+
+		logger.Debugf("Assuming role in sequence name:%s role:%s sessionName:%s isCustomerRole:%t",
+			roleArnSession.Name,
+			roleArnSession.RoleArn,
+			roleArnSession.RoleSessionName,
+			roleArnSession.IsCustomerRole,
+		)
+		result, err := AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, inlinePolicy, roleArnSession.PolicyARNs)
 		retryCount := 0
 		for err != nil {
 			// IAM policy updates can take a few seconds to resolve, and the sts.Client in AWS' Go SDK doesn't refresh itself on retries.
@@ -156,7 +170,10 @@ func AssumeRoleSequence(
 					return aws.Credentials{}, fmt.Errorf("failed to create client with credentials for role %v: %w", roleArnSession.RoleArn, err)
 				}
 
-				result, err = AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, inlinePolicy)
+				result, err = AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, inlinePolicy, roleArnSession.PolicyARNs)
+				if err != nil {
+					logger.Debugf("failed to create client with credentials for role %s: name:%s %v", roleArnSession.RoleArn, roleArnSession.Name, err)
+				}
 				retryCount++
 			} else {
 				return aws.Credentials{}, fmt.Errorf("failed to assume role %v: %w", roleArnSession.RoleArn, err)
@@ -167,7 +184,7 @@ func AssumeRoleSequence(
 		if i < len(roleArnSessionSequence)-1 {
 			nextClient, err = createAssumeRoleSequenceClient(stsClientProviderFunc, lastCredentials, proxyURL)
 			if err != nil {
-				return aws.Credentials{}, fmt.Errorf("failed to create client with credentials for role %v: %w", roleArnSession.RoleArn, err)
+				return aws.Credentials{}, fmt.Errorf("failed to create client with credentials for role %v: name:%v %w", roleArnSession.RoleArn, roleArnSession.RoleSessionName, err)
 			}
 		}
 	}