Fix for unauthenticated secret access (#3289)

01b840c3 · Sebastian Florek · Marcin Maciaszczyk · cfc62d86 · 01b840c3 · 01b840c3
隐藏空白更改
内联并排

Showing with 25 addition and 2 deletion

src/app/backend/auth/api/common.go src/app/backend/auth/api/common.go +13 -2

src/app/backend/auth/api/types.go src/app/backend/auth/api/types.go +12 -0

未找到文件。
--- a/src/app/backend/auth/api/common.go
+++ b/src/app/backend/auth/api/common.go
@@ -34,9 +34,20 @@ func ToAuthenticationModes(modes []string) AuthenticationModes {
 	return result
 }

+// List of protected resources that should be filtered out from dashboard UI.
+var protectedResources = []ProtectedResource{
+	{EncryptionKeyHolderName, EncryptionKeyHolderNamespace},
+	{CertificateHolderSecretName, CertificateHolderSecretNamespace},
+}
+
 // ShouldRejectRequest returns true if url contains name and namespace of resource that should be filtered out from
 // dashboard.
 func ShouldRejectRequest(url string) bool {
-	// For now we have only one resource that should be checked
-	return strings.Contains(url, EncryptionKeyHolderName) && strings.Contains(url, EncryptionKeyHolderNamespace)
+	for _, protectedResource := range protectedResources {
+		if strings.Contains(url, protectedResource.ResourceName) && strings.Contains(url, protectedResource.ResourceNamespace) {
+			return true
+		}
+	}
+
+	return false
 }
--- a/src/app/backend/auth/api/types.go
+++ b/src/app/backend/auth/api/types.go
@@ -25,6 +25,10 @@ const (
 	EncryptionKeyHolderName      = "kubernetes-dashboard-key-holder"
 	EncryptionKeyHolderNamespace = "kube-system"

+	// Resource information that are used as certificate storage for custom certificates used by the user.
+	CertificateHolderSecretName      = "kubernetes-dashboard-certs"
+	CertificateHolderSecretNamespace = "kube-system"
+
 	// Expiration time (in seconds) of tokens generated by dashboard. Default: 15 min.
 	DefaultTokenTTL = 900
 )
@@ -32,6 +36,14 @@ const (
 // AuthenticationModes represents auth modes supported by dashboard.
 type AuthenticationModes map[AuthenticationMode]bool

+// ProtectedResource represents basic information about resource that should be filtered out from Dashboard UI.
+type ProtectedResource struct {
+  // ResourceName is a name of the protected resource.
+	ResourceName       string
+	// ResourceNamespace is a namespace of the protected resource. Should be empty if resource is non-namespaced.
+	ResourceNamespace  string
+}
+
 // IsEnabled returns true if given auth mode is supported, false otherwise.
 func (self AuthenticationModes) IsEnabled(mode AuthenticationMode) bool {
 	_, exists := self[mode]