From 472404f7006a4152e4eec76dee07324dd1e6e823 Mon Sep 17 00:00:00 2001 From: slimm609 Date: Mon, 20 Nov 2023 15:38:34 -0500 Subject: [PATCH 1/8] fix: fix authentication bypass for capsule-proxy - fix authentication bypass for capsule-proxy with leading token Signed-off-by: slimm609
---
 internal/request/http.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/internal/request/http.go b/internal/request/http.go
index ef95f055..c72bef28 100644
--- a/internal/request/http.go
+++ b/internal/request/http.go
@@ -114,6 +114,10 @@ func (h http) processBearerToken() (username string, groups []string, err error)
 return "", nil, fmt.Errorf("cannot create TokenReview")
 }
+ if !tr.Status.Authenticated {
+ return "", nil, fmt.Errorf("cannot verify the token due to error")
+ }
+
 if statusErr := tr.Status.Error; len(statusErr) > 0 {
 return "", nil, fmt.Errorf("cannot verify the token due to error")
 }
From ac614c4e7fac9577b9f74652bc753db9482cea32 Mon Sep 17 00:00:00 2001 From: Dario Tranchitella Date: Thu, 23 Nov 2023 12:31:37 +0100 Subject: [PATCH 2/8] chore(helm): releasing v0.5.1 Signed-off-by: Dario Tranchitella
---
 charts/capsule-proxy/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/capsule-proxy/Chart.yaml b/charts/capsule-proxy/Chart.yaml
index 06457a9e..52b8ed63 100644
--- a/charts/capsule-proxy/Chart.yaml
+++ b/charts/capsule-proxy/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: 0.4.5
+appVersion: 0.4.6
 description: Helm Chart for Capsule Proxy, addon for Capsule, the multi-tenant Operator
 name: capsule-proxy
 type: application
-version: 0.5.0
+version: 0.5.1
 home: https://github.com/projectcapsule/capsule-proxy
 icon: https://github.com/projectcapsule/capsule/raw/main/assets/logo/capsule_small.png
 keywords:
From 8730f72337ce0e4cafa05238a0d1a73ef0299acf Mon Sep 17 00:00:00 2001
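Review bot: The new `!tr.Status.Authenticated` branch returns the same `cannot verify the token due to error` message as the `tr.Status.Error` branch below it, so logs cannot distinguish a token the API server explicitly rejected from a TokenReview that failed, which is exactly the distinction needed when triaging a report like this bypass; `return "", nil, fmt.Errorf("token is not authenticated")` keeps the two apart without echoing server-side error text to the client. Since the old code inspected only `Status.Error`, a TokenReview answering `Authenticated=false` with an empty `Error` was previously accepted, and a why-comment above the new check should say so: `// A TokenReview may report Authenticated=false with an empty Status.Error, so the flag must be checked on its own.` This fix should be pinned by a regression test that feeds processBearerToken a TokenReview with `Authenticated: false` and an empty `Error` and asserts a non-nil error. processBearerToken begins and ends outside the hunk.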
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 Nov 2023 22:52:38 +0100 Subject: [PATCH 3/8] ci(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (#341) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/11086d25041f77fe8fe7b9ea4e48e3b9192b8f19...1fc5bd396d372bee37d608f955b336615edf79c8)
---
updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/docker-publish.yml | 2 +-
 .github/workflows/helm-publish.yml | 2 +-
 .github/workflows/releaser.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 48a5256c..fac29895 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -36,7 +36,7 @@ jobs:
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
 - name: Install Cosign
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
 - name: Publish Capsule
 id: publish-capsule
 uses: peak-scale/github-actions/make-ko-publish@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0
diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
index 5968deef..8ce43c12 100644
--- a/.github/workflows/helm-publish.yml
+++ b/.github/workflows/helm-publish.yml
@@ -43,7 +43,7 @@ jobs:
 chart-digest: ${{ steps.helm_publish.outputs.digest }}
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
 - name: "Extract Version"
 id: extract_version
 run: |
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
index 381a383f..3ace46f3 100644
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -28,7 +28,7 @@ jobs:
 - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
 - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1
 - name: Install Cosign
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
 with:
From 9f6504847e8a35b878d2e4cf3a33d605690bfe15 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 Nov 2023 22:52:55 +0100 Subject: [PATCH 4/8] ci(deps): bump anchore/sbom-action from 0.14.3 to 0.15.0 (#343) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.14.3 to 0.15.0. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1...fd74a6fb98a204a1ad35bbfae0122c1a302ff88b)
---
updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/releaser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
index 3ace46f3..e8c1dda1 100644
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -26,7 +26,7 @@ jobs:
 timeout-minutes: 5
 continue-on-error: true
 - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1
+ - uses: anchore/sbom-action/download-syft@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b
 - name: Install Cosign
 uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
 - name: Run GoReleaser
From 712598ab9961719e276055f88f8b8ae1f0593cdf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 15:49:40 +0100 Subject: [PATCH 5/8] ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#340) Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 2.1.4 to 3.0.1. - [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases) - [Commits](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/compare/f32435541e24cd6a4700a7f52bb2ec59e80603b1...b35f285b9bb7e80de0967367cee66d3b6d50ceca)
---
updated-dependencies: - dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/check-actions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-actions.yml b/.github/workflows/check-actions.yml
index 3849f493..9414f0f4 100644
--- a/.github/workflows/check-actions.yml
+++ b/.github/workflows/check-actions.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Ensure SHA pinned actions
- uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b35f285b9bb7e80de0967367cee66d3b6d50ceca # v3.0.1
 with:
 # slsa-github-generator requires using a semver tag for reusable workflows.
 # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
From 65aa784bb5280f0b5792fe4c1054845b4c77a8c1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 15:49:40 +0100 Subject: [PATCH 6/8] ci(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#352) Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases) - [Commits](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/compare/b35f285b9bb7e80de0967367cee66d3b6d50ceca...b1b635d24259e8a047a6ce7d6501ea432aa7a830)
---
updated-dependencies: - dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/check-actions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-actions.yml b/.github/workflows/check-actions.yml
index 9414f0f4..510a8486 100644
--- a/.github/workflows/check-actions.yml
+++ b/.github/workflows/check-actions.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Ensure SHA pinned actions
- uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b35f285b9bb7e80de0967367cee66d3b6d50ceca # v3.0.1
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b1b635d24259e8a047a6ce7d6501ea432aa7a830 # v3.0.2
 with:
 # slsa-github-generator requires using a semver tag for reusable workflows.
 # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
From 0a390143b4ecb3a79b23c0bcb9394032d38c3370 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 15:49:54 +0100 Subject: [PATCH 7/8] ci(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 (#351) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.0 to 0.15.1. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/fd74a6fb98a204a1ad35bbfae0122c1a302ff88b...5ecf649a417b8ae17dc8383dc32d46c03f2312df)
---
updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/releaser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
index e8c1dda1..cf150b71 100644
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -26,7 +26,7 @@ jobs:
 timeout-minutes: 5
 continue-on-error: true
 - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
- - uses: anchore/sbom-action/download-syft@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b
+ - uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df
 - name: Install Cosign
 uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
 - name: Run GoReleaser
From d188f1242cf08ce1a7c38739bf9b6e434d871a3a Mon Sep 17 00:00:00 2001 From: maxgio92 Date: Wed, 6 Dec 2023 15:51:24 +0100 Subject: [PATCH 8/8] fix(internal/request): add missing impersonate groups for serviceaccounts (#350) When clients request to impersonate user, the group impersonation should be done only when also clients request explicitely to impersonate group. Nevertheless, an excpetion should be considered for service accounts. With service account built-in authenticator, requests made with service account token are authenticated as: - user name: system:serviceaccount:: - groups: - system:serviceaccounts - system:serviceaccounts: - system:authenticated (included for all authenticated users) This patch considers the case of service accounts adding the mentioned groups to the list of impersonate groups, when requests try to impersonate a service account's user. More details in the official documentation about service account authenticator [1] and user impersonation [2]. 1. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens 2. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation Signed-off-by: Massimiliano Giovagnoli Co-authored-by: Dario Tranchitella
---
 internal/request/http.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/internal/request/http.go b/internal/request/http.go
index c72bef28..29370b74 100644
--- a/internal/request/http.go
+++ b/internal/request/http.go
@@ -10,6 +10,7 @@ import (
 authenticationv1 "k8s.io/api/authentication/v1"
 authorizationv1 "k8s.io/api/authorization/v1"
+ "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -97,6 +98,15 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
 defer func() {
 username = impersonateUser
 groups = nil
+
+ // If the user is of a service account, replicate the work of the built-in service account token authenticator
+ // by appending the expected service account groups:
+ // - system:serviceaccounts:
+ // - system:serviceaccounts
+ if namespace, _, err := serviceaccount.SplitUsername(username); err == nil {
+ groups = append(groups, serviceaccount.AllServiceAccountsGroup)
+ groups = append(groups, fmt.Sprintf("%s%s", serviceaccount.ServiceAccountGroupPrefix, namespace))
+ }
 }()
 }
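Review bot: The deferred closure derives `system:serviceaccounts` and `system:serviceaccounts:<namespace>` purely from the shape of the impersonated username, so a client allowed to impersonate a service account user now also acts with two groups it never asked for; the check that authorizes the client's impersonation lies outside this hunk, so confirm it accounts for the synthesized groups and record the intent in the comment, e.g. `// These groups are implied by the built-in SA authenticator rather than requested by the client; the impersonation authorization must cover them.` The same package already provides the group list, so the two appends and the `fmt.Sprintf` collapse to `groups = append(groups, serviceaccount.MakeGroupNames(namespace)...)`, which also keeps the group set in sync with upstream. In the `if` initializer, `err` shadows the named result of GetUserAndGroups inside the defer; it does not clobber it here, but a name such as `splitErr` would make that obvious to the next reader. GetUserAndGroups starts before this hunk, and go.mod is absent from the diffstat, so the new `k8s.io/apiserver` import presumably resolves against an existing module requirement.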