From 01b840c3f361ccb36dee9a1170957ad03a4b4ab2 Mon Sep 17 00:00:00 2001
From: Sebastian Florek
Date: Tue, 23 Oct 2018 08:46:54 +0200
Subject: [PATCH] Fix for unauthenticated secret access (#3289)

---
 src/app/backend/auth/api/common.go | 15 +++++++++++++--
 src/app/backend/auth/api/types.go | 12 ++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/app/backend/auth/api/common.go b/src/app/backend/auth/api/common.go
index 0bf9c3b44..bf3312f6d 100644
--- a/src/app/backend/auth/api/common.go
+++ b/src/app/backend/auth/api/common.go
@@ -34,9 +34,20 @@ func ToAuthenticationModes(modes []string) AuthenticationModes {
 	return result
 }
+// List of protected resources that should be filtered out from dashboard UI.
+var protectedResources = []ProtectedResource{
+	{EncryptionKeyHolderName, EncryptionKeyHolderNamespace},
+	{CertificateHolderSecretName, CertificateHolderSecretNamespace},
+}
+
 // ShouldRejectRequest returns true if url contains name and namespace of resource that should be filtered out from
 // dashboard.
 func ShouldRejectRequest(url string) bool {
-	// For now we have only one resource that should be checked
-	return strings.Contains(url, EncryptionKeyHolderName) && strings.Contains(url, EncryptionKeyHolderNamespace)
+	for _, protectedResource := range protectedResources {
+		if strings.Contains(url, protectedResource.ResourceName) && strings.Contains(url, protectedResource.ResourceNamespace) {
+			return true
+		}
+	}
+
+	return false
+	}
diff --git a/src/app/backend/auth/api/types.go b/src/app/backend/auth/api/types.go
index 146583c41..95f832bc2 100644
--- a/src/app/backend/auth/api/types.go
+++ b/src/app/backend/auth/api/types.go
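Review bot: The new loop in ShouldRejectRequest still decides on `strings.Contains` over the raw url string, so the check is both broader and weaker than a real resource match: any request whose path or query merely mentions `kube-system` together with `kubernetes-dashboard-certs` (or the key-holder name) is rejected, while the decision depends on the URL being spelled exactly like the constants rather than on which namespace and name the request actually addresses. Parsing the path and comparing the namespace and name segments for equality, `seg == protectedResource.ResourceName`, would make the filter independent of the rest of the URL. Note also that with an empty `ResourceNamespace` (the non-namespaced case documented in types.go) `strings.Contains(url, "")` is always true, so such an entry silently degrades to a name-only match; a comment like `// An empty ResourceNamespace matches every URL, so only the name is checked.` above the loop would make that explicit. I don't see a test in this patch exercising the new CertificateHolderSecret entry alongside the existing key-holder one; one that pins both rejected and accepted URLs would guard the list against regressions.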
@@ -25,6 +25,10 @@ const (
 	EncryptionKeyHolderName = "kubernetes-dashboard-key-holder"
 	EncryptionKeyHolderNamespace = "kube-system"
+	// Resource information that are used as certificate storage for custom certificates used by the user.
+	CertificateHolderSecretName = "kubernetes-dashboard-certs"
+	CertificateHolderSecretNamespace = "kube-system"
+
 	// Expiration time (in seconds) of tokens generated by dashboard. Default: 15 min.
 	DefaultTokenTTL = 900
 )
@@ -32,6 +36,14 @@ const (
 // AuthenticationModes represents auth modes supported by dashboard.
 type AuthenticationModes map[AuthenticationMode]bool
+// ProtectedResource represents basic information about resource that should be filtered out from Dashboard UI.
+type ProtectedResource struct {
+	// ResourceName is a name of the protected resource.
+	ResourceName string
+	// ResourceNamespace is a namespace of the protected resource. Should be empty if resource is non-namespaced.
+	ResourceNamespace string
+}
+
 // IsEnabled returns true if given auth mode is supported, false otherwise.
 func (self AuthenticationModes) IsEnabled(mode AuthenticationMode) bool {
 	_, exists := self[mode]
--
GitLab
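Review bot: The doc comment on `ResourceNamespace` in the ProtectedResource hunk prescribes an empty value for non-namespaced resources but does not say what the consumer does with it; a reader of types.go cannot tell whether empty means "match any namespace" or "namespace must be absent", and the common.go side of this patch treats it as the former because `strings.Contains(url, "")` is always true. Suggest extending the field comment to `// ResourceNamespace is a namespace of the protected resource. Leave empty for non-namespaced resources; an empty value places no namespace constraint on the match.` so the two files agree on the contract. In the first hunk the new constant comment reads `// Resource information that are used as certificate storage ...`; `that is used` would be grammatical.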