Add checks to backend for terminal proxy

Access to commandline terminals (cloud shells) has to be restricted to avoid privilege escalation issues. This commit adds the following checks: - Ensure webhooks expected by che-workspace-operator are installed - Ensures the user requesting a terminal is not a cluster admin (done by checking if they can read pods in a privileged namespace (openshift-operators). Adds an endpoint: /api/terminal/available/ that can be used to check if basic requirements for the proxy are met (workspace operator is running) Signed-off-by: Angel Misevski <amisevsk@redhat.com>
openshift · May 21, 2020 · ccdb51f · ccdb51f
1 parent a8eeb7a
commit ccdb51f
Show file tree

Hide file tree

Showing 6 changed files with 180 additions and 42 deletions.
diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 	gopkg.in/square/go-jose.v2 v2.4.1 // indirect
 	gopkg.in/yaml.v2 v2.2.4
 	helm.sh/helm/v3 v3.0.1
+	k8s.io/api v0.0.0-20191016110408-35e52d86657a
 	k8s.io/apiextensions-apiserver v0.0.0-20191016113550-5357c4baaf65
 	k8s.io/apimachinery v0.0.0-20191004115801-a2eda9f80ab8
 	k8s.io/cli-runtime v0.0.0-20191016114015-74ad18325ed5

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -225,7 +225,9 @@ func (s *Server) HTTPHandler() http.Handler {
 		TLSClientConfig: s.K8sProxyConfig.TLSClientConfig,
 		ClusterEndpoint: s.K8sProxyConfig.Endpoint,
 	}
-	handle(terminal.Endpoint, authHandlerWithUser(terminalProxy.Handle))
+	handle(terminal.Endpoint, authHandlerWithUser(terminalProxy.HandleProxy))
+
+	handleFunc(terminal.AvailableEndpoint, terminalProxy.HandleProxyEnabled)
 
 	if s.prometheusProxyEnabled() {
 		// Only proxy requests to the Prometheus API, not the UI.

diff --git a/pkg/terminal/auth.go b/pkg/terminal/auth.go
@@ -0,0 +1,27 @@
+package terminal
+
+import (
+	authv1 "k8s.io/api/authorization/v1"
+)
+
+func (p *Proxy) checkUserPermissions(token string) (bool, error) {
+	client, err := p.createTypedClient(token)
+	if err != nil {
+		return false, err
+	}
+
+	sar := &authv1.SelfSubjectAccessReview{
+		Spec:       authv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authv1.ResourceAttributes{
+				Namespace:   "openshift-operators",
+				Verb:        "get",
+				Resource:    "pods",
+			},
+		},
+	}
+	res, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(sar)
+	if err != nil || res == nil {
+		return false, err
+	}
+	return !res.Status.Allowed, nil
+}
diff --git a/pkg/terminal/client.go b/pkg/terminal/client.go
@@ -0,0 +1,56 @@
+package terminal
+
+import (
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+// createDynamicClient create dynamic client with the configured token to be used
+func (p *Proxy) createDynamicClient(token string) (dynamic.Interface, error) {
+	var tlsClientConfig rest.TLSClientConfig
+	if p.TLSClientConfig.InsecureSkipVerify {
+		// off-cluster mode
+		tlsClientConfig.Insecure = true
+	} else {
+		inCluster, err := rest.InClusterConfig()
+		if err != nil {
+			return nil, err
+		}
+		tlsClientConfig = inCluster.TLSClientConfig
+	}
+
+	config := &rest.Config{
+		Host:            p.ClusterEndpoint.Host,
+		TLSClientConfig: tlsClientConfig,
+		BearerToken:     token,
+	}
+
+	client, err := dynamic.NewForConfig(dynamic.ConfigFor(config))
+	if err != nil {
+		return nil, err
+	}
+	return client, nil
+}
+
+func (p *Proxy) createTypedClient(token string) (*kubernetes.Clientset, error) {
+	var tlsClientConfig rest.TLSClientConfig
+	if p.TLSClientConfig.InsecureSkipVerify {
+		// off-cluster mode
+		tlsClientConfig.Insecure = true
+	} else {
+		inCluster, err := rest.InClusterConfig()
+		if err != nil {
+			return nil, err
+		}
+		tlsClientConfig = inCluster.TLSClientConfig
+	}
+
+	config := &rest.Config{
+		Host:            p.ClusterEndpoint.Host,
+		TLSClientConfig: tlsClientConfig,
+		BearerToken:     token,
+	}
+
+	return kubernetes.NewForConfig(config)
+}
diff --git a/pkg/terminal/operator.go b/pkg/terminal/operator.go
@@ -0,0 +1,40 @@
+package terminal
+
+import (
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+const (
+	webhookName = "workspace.che.eclipse.org"
+)
+
+func workspaceOperatorIsRunning() (bool, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return false, err
+	}
+	client, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(webhookName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, err
+	}
+
+	_, err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(webhookName, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
diff --git a/pkg/terminal/proxy.go b/pkg/terminal/proxy.go
@@ -7,19 +7,17 @@ import (
 	"net/url"
 	"strings"
 
+	"github.com/openshift/console/pkg/auth"
+	"github.com/openshift/console/pkg/proxy"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/rest"
-
-	"github.com/openshift/console/pkg/auth"
-	"github.com/openshift/console/pkg/proxy"
 )
 
 const (
-	//Endpoint that Proxy is supposed to handle
-	Endpoint = "/api/terminal/"
+	// Endpoint that Proxy is supposed to handle
+	Endpoint          = "/api/terminal/"
+	AvailableEndpoint = "/api/terminal/available/"
 )
 
 // Proxy provides handlers to handle terminal related requests
@@ -42,21 +40,38 @@ var (
 	}
 )
 
-// Handle evaluates the namespace and workspace names from URL and after check that
+// HandleProxy evaluates the namespace and workspace names from URL and after check that
 // it's created by the current user - proxies the request there
-func (p *Proxy) Handle(user *auth.User, w http.ResponseWriter, r *http.Request) {
+func (p *Proxy) HandleProxy(user *auth.User, w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case
 		"GET",
 		"HEAD",
 		"OPTIONS",
 		"TRACE":
-		//These methods are considered as not vulnerable for CSRF attack, so the corresponding CSRF token check is skipped.
+		// These methods are considered as not vulnerable for CSRF attack, so the corresponding CSRF token check is skipped.
 		// But in terminal-proxy we must make sure that it's a request made by OpenShift Console
 		// before proxying request with passed token
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
+	operatorRunning, err := workspaceOperatorIsRunning()
+	if err != nil {
+		http.Error(w, "Failed to check workspace operator state. Cause: "+err.Error(), http.StatusInternalServerError)
+	}
+	if !operatorRunning {
+		http.Error(w, "Terminal endpoint is disabled: workspace operator is not deployed.", http.StatusForbidden)
+		return
+	}
+
+	enabledForUser, err := p.checkUserPermissions(user.Token)
+	if err != nil {
+		http.Error(w, "Failed to check workspace operator state. Cause: "+err.Error(), http.StatusInternalServerError)
+	}
+	if !enabledForUser {
+		http.Error(w, "Terminal is disabled for cluster-admin users.", http.StatusForbidden)
+		return
+	}
 
 	ok, namespace, workspaceName, path := stripTerminalAPIPrefix(r.URL.Path)
 	if !ok {
@@ -72,7 +87,7 @@ func (p *Proxy) Handle(user *auth.User, w http.ResponseWriter, r *http.Request)
 
 	userId := user.ID
 	if userId == "" {
-		//user id is missing, auth is used that does not support user info propagated, like OpenShift OAuth
+		// user id is missing, auth is used that does not support user info propagated, like OpenShift OAuth
 		userInfo, err := client.Resource(UserGroupVersionResource).Get("~", metav1.GetOptions{})
 		if err != nil {
 			http.Error(w, "Failed to retrieve the current user info. Cause: "+err.Error(), http.StatusInternalServerError)
@@ -81,7 +96,7 @@ func (p *Proxy) Handle(user *auth.User, w http.ResponseWriter, r *http.Request)
 
 		userId = string(userInfo.GetUID())
 		if userId == "" {
-			//uid is missing. it must be kube:admin
+			// uid is missing. it must be kube:admin
 			if "kube:admin" != userInfo.GetName() {
 				http.Error(w, "User must have UID to proceed authorization", http.StatusInternalServerError)
 				return
@@ -110,7 +125,30 @@ func (p *Proxy) Handle(user *auth.User, w http.ResponseWriter, r *http.Request)
 	p.proxyToWorkspace(terminalHost, path, user.Token, r, w)
 }
 
-//stripTerminalAPIPrefix strips path prefix that is expected for Terminal API request
+func (p *Proxy) HandleProxyEnabled(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" {
+		w.Header().Set("Allow", "GET")
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+
+	enabled, err := workspaceOperatorIsRunning()
+	if err != nil {
+		plog.Info("[available] Got error when checking user: %s", err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	if !enabled {
+		plog.Info("[available] Operator is not running, endpoint is disabled.")
+		w.WriteHeader(http.StatusServiceUnavailable)
+		return
+	}
+	plog.Info("[available] Terminal is available.")
+	w.WriteHeader(http.StatusNoContent)
+	return
+}
+
+// stripTerminalAPIPrefix strips path prefix that is expected for Terminal API request
 func stripTerminalAPIPrefix(requestPath string) (ok bool, namespace string, workspaceName string, path string) {
 	// URL is supposed to have the following format
 	// ->   /api/terminal/{namespace}/{workspace-name}/{path} < optional
@@ -128,7 +166,7 @@ func stripTerminalAPIPrefix(requestPath string) (ok bool, namespace string, work
 	}
 }
 
-//getBaseTerminalHost evaluates ideUrl from the specified workspace and extract host from it
+// getBaseTerminalHost evaluates ideUrl from the specified workspace and extract host from it
 func (p *Proxy) getBaseTerminalHost(ws *unstructured.Unstructured) (*url.URL, error) {
 	ideUrl, success, err := unstructured.NestedString(ws.UnstructuredContent(), "status", "ideUrl")
 	if !success {
@@ -161,7 +199,7 @@ func (p *Proxy) proxyToWorkspace(workspaceIdeHost *url.URL, path string, token s
 
 	r2.URL.Path = path
 
-	//TODO a new proxy per request is created. Must be revised and probably changed
+	// TODO a new proxy per request is created. Must be revised and probably changed
 	terminalProxy := proxy.NewProxy(&proxy.Config{
 		Endpoint:        workspaceIdeHost,
 		TLSClientConfig: p.TLSClientConfig,
@@ -170,29 +208,3 @@ func (p *Proxy) proxyToWorkspace(workspaceIdeHost *url.URL, path string, token s
 	terminalProxy.ServeHTTP(w, r2)
 }
 
-//createDynamicClient create dynamic client with the configured token to be used
-func (p *Proxy) createDynamicClient(token string) (dynamic.Interface, error) {
-	var tlsClientConfig rest.TLSClientConfig
-	if p.TLSClientConfig.InsecureSkipVerify {
-		//off-cluster mode
-		tlsClientConfig.Insecure = true
-	} else {
-		inCluster, err := rest.InClusterConfig()
-		if err != nil {
-			return nil, err
-		}
-		tlsClientConfig = inCluster.TLSClientConfig
-	}
-
-	config := &rest.Config{
-		Host:            p.ClusterEndpoint.Host,
-		TLSClientConfig: tlsClientConfig,
-		BearerToken:     token,
-	}
-
-	client, err := dynamic.NewForConfig(dynamic.ConfigFor(config))
-	if err != nil {
-		return nil, err
-	}
-	return client, nil
-}