Merge pull request #434 from gthiemonge/fix_network_rbac

Disable wildcard RBAC for the provider network

Author: openshift-merge-bot[bot]

pkg/octavia/lb_mgmt_network.go

@@ -24,6 +24,7 @@ import (
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/external"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/routers"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/provider"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/rbacpolicies"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/rules"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/networks"
@@ -358,6 +359,35 @@ func ensureProvNetwork(client *gophercloud.ServiceClient, netDetails *octaviav1.
 		return nil, err
 	}
 
+	// Creating an external network adds a RBAC rule to allow all the tenants to use the network.
+	// Update this rule to make it accessible only by the owner of the network.
+	// This also fixes the already existing network after an update
+	listOpts := rbacpolicies.ListOpts{
+		TenantID:     serviceTenantID,
+		ObjectID:     provNet.ID,
+		TargetTenant: "*",
+	}
+	allPages, err := rbacpolicies.List(client, listOpts).AllPages()
+	if err != nil {
+		return nil, err
+	}
+
+	allRBACPolicies, err := rbacpolicies.ExtractRBACPolicies(allPages)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, rbacpolicy := range allRBACPolicies {
+		updateOpts := rbacpolicies.UpdateOpts{
+			TargetTenant: serviceTenantID,
+		}
+
+		_, err := rbacpolicies.Update(client, rbacpolicy.ID, updateOpts).Extract()
+		if err != nil {
+			log.Error(err, fmt.Sprintf("Cannot update RBAC policy %s", rbacpolicy.ID))
+		}
+	}
+
 	return provNet, nil
 }
 

tests/functional/neutron_api_fixture.go

@@ -25,26 +25,35 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/google/uuid"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/external"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/routers"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/quotas"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/rbacpolicies"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/networks"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/ports"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/subnets"
 
 	api "github.com/openstack-k8s-operators/lib-common/modules/test/apis"
+	"github.com/openstack-k8s-operators/octavia-operator/pkg/octavia"
 )
 
+type Network struct {
+	networks.Network
+	external.NetworkExternalExt
+}
+
 type NeutronAPIFixture struct {
 	api.APIFixture
 	Quotas         map[string]quotas.Quota
 	DefaultQuota   quotas.Quota
-	Networks       map[string]networks.Network
+	Networks       map[string]Network
 	Subnets        map[string]subnets.Subnet
 	SecGroups      map[string]groups.SecGroup
 	Ports          map[string]ports.Port
 	Routers        map[string]routers.Router
 	InterfaceInfos map[string]routers.InterfaceInfo
+	RBACs          map[string]rbacpolicies.RBACPolicy
 }
 
 func (f *NeutronAPIFixture) registerHandler(handler api.Handler) {
@@ -63,6 +72,8 @@ func (f *NeutronAPIFixture) Setup() {
 	f.registerHandler(api.Handler{Pattern: "/v2.0/routers/", Func: f.routerHandler})
 	f.registerHandler(api.Handler{Pattern: "/v2.0/routers", Func: f.routerHandler})
 	f.registerHandler(api.Handler{Pattern: "/v2.0/quotas/", Func: f.quotasHandler})
+	f.registerHandler(api.Handler{Pattern: "/v2.0/rbac-policies/", Func: f.rbacHandler})
+	f.registerHandler(api.Handler{Pattern: "/v2.0/rbac-policies", Func: f.rbacHandler})
 }
 
 // Network
@@ -83,9 +94,9 @@ func (f *NeutronAPIFixture) getNetwork(w http.ResponseWriter, r *http.Request) {
 	items := strings.Split(r.URL.Path, "/")
 	if len(items) == 4 {
 		var n struct {
-			Networks []networks.Network `json:"networks"`
+			Networks []Network `json:"networks"`
 		}
-		n.Networks = []networks.Network{}
+		n.Networks = []Network{}
 		query := r.URL.Query()
 		name := query["name"]
 		tenantID := query["tenant_id"]
@@ -118,7 +129,7 @@ func (f *NeutronAPIFixture) postNetwork(w http.ResponseWriter, r *http.Request)
 	}
 
 	var n struct {
-		Network networks.Network `json:"network"`
+		Network Network `json:"network"`
 	}
 
 	err = json.Unmarshal(bytes, &n)
@@ -131,6 +142,19 @@ func (f *NeutronAPIFixture) postNetwork(w http.ResponseWriter, r *http.Request)
 	n.Network.ID = networkID
 	f.Networks[networkID] = n.Network
 
+	// Note(gthiemonge) it seems that router:external is not correctly
+	// unmarshall by the go code, let's assume that only octavia-provider-net is
+	// an external network
+	if n.Network.Name == octavia.LbProvNetName {
+		rbacID := uuid.New().String()
+		f.RBACs[rbacID] = rbacpolicies.RBACPolicy{
+			ID:           rbacID,
+			ObjectID:     networkID,
+			TenantID:     n.Network.TenantID,
+			TargetTenant: "*",
+		}
+	}
+
 	bytes, err = json.Marshal(&n)
 	if err != nil {
 		f.InternalError(err, "Error during marshalling response", w, r)
@@ -624,6 +648,78 @@ func (f *NeutronAPIFixture) putQuotas(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprint(w, string(bytes))
 }
 
+func (f *NeutronAPIFixture) rbacHandler(w http.ResponseWriter, r *http.Request) {
+	f.LogRequest(r)
+	switch r.Method {
+	case "GET":
+		f.getRBAC(w, r)
+	case "PUT":
+		f.putRBAC(w, r)
+	default:
+		f.UnexpectedRequest(w, r)
+		return
+	}
+}
+
+func (f *NeutronAPIFixture) getRBAC(w http.ResponseWriter, r *http.Request) {
+	items := strings.Split(r.URL.Path, "/")
+	if len(items) == 4 {
+		var resp struct {
+			RBACs []rbacpolicies.RBACPolicy `json:"rbac_policies"`
+		}
+		resp.RBACs = []rbacpolicies.RBACPolicy{}
+		query := r.URL.Query()
+		objectID := query["object_id"][0]
+		tenantID := query["tenant_id"][0]
+		targetTenant := query["target_tenant"][0]
+		for _, rbac := range f.RBACs {
+			if objectID == rbac.ObjectID &&
+				tenantID == rbac.TenantID &&
+				targetTenant == rbac.TargetTenant {
+				resp.RBACs = append(resp.RBACs, rbac)
+			}
+		}
+		bytes, err := json.Marshal(&resp)
+		if err != nil {
+			f.InternalError(err, "Error during marshalling response", w, r)
+			return
+		}
+
+		w.Header().Add("Content-Type", "application/json")
+		w.WriteHeader(200)
+		fmt.Fprint(w, string(bytes))
+	}
+}
+
+func (f *NeutronAPIFixture) putRBAC(w http.ResponseWriter, r *http.Request) {
+	items := strings.Split(r.URL.Path, "/")
+	rbacID := items[len(items)-1]
+
+	bytes, err := io.ReadAll(r.Body)
+	if err != nil {
+		f.InternalError(err, "Error reading request body", w, r)
+		return
+	}
+	var rbac struct {
+		RBAC rbacpolicies.RBACPolicy `json:"rbac_policy"`
+	}
+	err = json.Unmarshal(bytes, &rbac)
+	if err != nil {
+		f.InternalError(err, "Error during unmarshalling request", w, r)
+		return
+	}
+	updatedRBAC := f.RBACs[rbacID]
+	if rbac.RBAC.TargetTenant != "" {
+		updatedRBAC.TargetTenant = rbac.RBAC.TargetTenant
+	}
+	f.APIFixture.Log.Info(fmt.Sprintf("Set RBAC %s to %+v\n", rbacID, updatedRBAC))
+	f.RBACs[rbacID] = updatedRBAC
+
+	w.Header().Add("Content-Type", "application/json")
+	w.WriteHeader(200)
+	fmt.Fprint(w, string(bytes))
+}
+
 func NewNeutronAPIFixtureWithServer(log logr.Logger) *NeutronAPIFixture {
 	server := &api.FakeAPIServer{}
 	server.Setup(log)
@@ -646,12 +742,13 @@ func AddNeutronAPIFixture(log logr.Logger, server *api.FakeAPIServer) *NeutronAP
 			SecurityGroupRule: 10,
 		},
 		Quotas:         map[string]quotas.Quota{},
-		Networks:       map[string]networks.Network{},
+		Networks:       map[string]Network{},
 		Subnets:        map[string]subnets.Subnet{},
 		SecGroups:      map[string]groups.SecGroup{},
 		Ports:          map[string]ports.Port{},
 		Routers:        map[string]routers.Router{},
 		InterfaceInfos: map[string]routers.InterfaceInfo{},
+		RBACs:          map[string]rbacpolicies.RBACPolicy{},
 	}
 	return fixture
 }

tests/functional/octavia_controller_test.go

@@ -538,19 +538,27 @@ var _ = Describe("Octavia controller", func() {
 				},
 			}
 
-			resultNetworks := map[string]networks.Network{}
+			resultNetworks := map[string]Network{}
 			for _, network := range apiFixtures.Neutron.Networks {
 				resultNetworks[network.Name] = network
 			}
 			Expect(resultNetworks).To(HaveLen(2))
 			for name, expectedNetwork := range expectedNetworks {
 				network := resultNetworks[name]
-				Expect(network).ToNot(Equal(networks.Network{}), "Network %s doesn't appear to exist", name)
+				Expect(network).ToNot(Equal(Network{}), "Network %s doesn't appear to exist", name)
 				Expect(network.Description).To(Equal(expectedNetwork.Description))
 				Expect(network.TenantID).To(Equal(expectedNetwork.TenantID))
 				Expect(network.AvailabilityZoneHints).To(Equal(expectedNetwork.AvailabilityZoneHints))
 			}
 
+			Expect(apiFixtures.Neutron.RBACs).To(HaveLen(1))
+			for _, rbacPolicy := range apiFixtures.Neutron.RBACs {
+				providerNetwork := resultNetworks[octavia.LbProvNetName]
+				Expect(rbacPolicy.ObjectID).To(Equal(providerNetwork.ID))
+				Expect(rbacPolicy.TenantID).To(Equal(providerNetwork.TenantID))
+				Expect(rbacPolicy.TargetTenant).To(Equal(providerNetwork.TenantID))
+			}
+
 			lbMgmtPortAddress := ""
 			lbMgmtPortID := ""
 			for _, port := range apiFixtures.Neutron.Ports {
@@ -708,14 +716,14 @@ var _ = Describe("Octavia controller", func() {
 				},
 			}
 
-			resultNetworks := map[string]networks.Network{}
+			resultNetworks := map[string]Network{}
 			for _, network := range apiFixtures.Neutron.Networks {
 				resultNetworks[network.Name] = network
 			}
 			Expect(resultNetworks).To(HaveLen(3))
 			for name, expectedNetwork := range expectedNetworks {
 				network := resultNetworks[name]
-				Expect(network).ToNot(Equal(networks.Network{}), "Network %s doesn't appear to exist", name)
+				Expect(network).ToNot(Equal(Network{}), "Network %s doesn't appear to exist", name)
 				Expect(network.Description).To(Equal(expectedNetwork.Description))
 				Expect(network.TenantID).To(Equal(expectedNetwork.TenantID))
 				Expect(network.AvailabilityZoneHints).To(Equal(expectedNetwork.AvailabilityZoneHints))