(feat) validate that secret is valid api token

tkashem · tkashem · commit f15269958c9a · 2019-06-26T18:45:06.000-04:00
Validate that a secret associated with a service account is a valid api token. This basically a copy of [1]. I ran into an issue while vendoring this package. [1] https://github.com/kubernetes/kubernetes/blob/master/pkg/serviceaccount/util.go
diff --git a/cmd/olm/main.go b/cmd/olm/main.go
@@ -162,6 +162,7 @@ func main() {
 		olm.WithResyncPeriod(*wakeupInterval),
 		olm.WithExternalClient(crClient),
 		olm.WithOperatorClient(opClient),
+		olm.WithRestConfig(config),
 	)
 	if err != nil {
 		log.Fatalf("error configuring operator: %s", err.Error())
diff --git a/pkg/controller/operators/olm/config.go b/pkg/controller/operators/olm/config.go
@@ -7,6 +7,7 @@ import (
 	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilclock "k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/client-go/rest"
 
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/internalversion"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/versioned"
@@ -30,6 +31,7 @@ type operatorConfig struct {
 	strategyResolver  install.StrategyResolverInterface
 	apiReconciler     resolver.APIIntersectionReconciler
 	apiLabeler        labeler.Labeler
+	restConfig        *rest.Config
 }
 
 func (o *operatorConfig) apply(options []OperatorOption) {
@@ -67,6 +69,8 @@ func (o *operatorConfig) validate() (err error) {
 		err = newInvalidConfigError("api reconciler", "must not be nil")
 	case o.apiLabeler == nil:
 		err = newInvalidConfigError("api labeler", "must not be nil")
+	case o.restConfig == nil:
+		err = newInvalidConfigError("rest config", "must not be nil")
 	}
 
 	return
@@ -150,3 +154,9 @@ func WithAPILabeler(apiLabeler labeler.Labeler) OperatorOption {
 		config.apiLabeler = apiLabeler
 	}
 }
+
+func WithRestConfig(restConfig *rest.Config) OperatorOption {
+	return func(config *operatorConfig) {
+		config.restConfig = restConfig
+	}
+}
diff --git a/pkg/controller/operators/olm/operator.go b/pkg/controller/operators/olm/operator.go
@@ -19,10 +19,10 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/informers"
+	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
-	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	kagg "k8s.io/kube-aggregator/pkg/client/informers/externalversions"
 
@@ -55,25 +55,27 @@ var timeNow = func() metav1.Time { return metav1.NewTime(time.Now().UTC()) }
 type Operator struct {
 	queueinformer.Operator
 
-	clock            utilclock.Clock
-	logger           *logrus.Logger
-	opClient         operatorclient.ClientInterface
-	client           versioned.Interface
-	lister           operatorlister.OperatorLister
-	ogQueueSet       *queueinformer.ResourceQueueSet
-	csvQueueSet      *queueinformer.ResourceQueueSet
-	csvCopyQueueSet  *queueinformer.ResourceQueueSet
-	csvGCQueueSet    *queueinformer.ResourceQueueSet
-	apiServiceQueue  workqueue.RateLimitingInterface
-	csvIndexers      map[string]cache.Indexer
-	recorder         record.EventRecorder
-	resolver         install.StrategyResolverInterface
-	apiReconciler    resolver.APIIntersectionReconciler
-	apiLabeler       labeler.Labeler
-	csvSetGenerator  csvutility.SetGenerator
-	csvReplaceFinder csvutility.ReplaceFinder
-	csvNotification  csvutility.WatchNotification
-	serviceAccountSyncer *scoped.UserDefinedServiceAccountSyncer
+	clock                 utilclock.Clock
+	logger                *logrus.Logger
+	opClient              operatorclient.ClientInterface
+	client                versioned.Interface
+	lister                operatorlister.OperatorLister
+	ogQueueSet            *queueinformer.ResourceQueueSet
+	csvQueueSet           *queueinformer.ResourceQueueSet
+	csvCopyQueueSet       *queueinformer.ResourceQueueSet
+	csvGCQueueSet         *queueinformer.ResourceQueueSet
+	apiServiceQueue       workqueue.RateLimitingInterface
+	csvIndexers           map[string]cache.Indexer
+	recorder              record.EventRecorder
+	resolver              install.StrategyResolverInterface
+	apiReconciler         resolver.APIIntersectionReconciler
+	apiLabeler            labeler.Labeler
+	csvSetGenerator       csvutility.SetGenerator
+	csvReplaceFinder      csvutility.ReplaceFinder
+	csvNotification       csvutility.WatchNotification
+	serviceAccountSyncer  *scoped.UserDefinedServiceAccountSyncer
+	clientAttenuator      *scoped.ClientAttenuator
+	serviceAccountQuerier *scoped.UserDefinedServiceAccountQuerier
 }
 
 func NewOperator(ctx context.Context, options ...OperatorOption) (*Operator, error) {
@@ -106,25 +108,27 @@ func newOperatorWithConfig(ctx context.Context, config *operatorConfig) (*Operat
 	}
 
 	op := &Operator{
-		Operator:             queueOperator,
-		clock:                config.clock,
-		logger:               config.logger,
-		opClient:             config.operatorClient,
-		client:               config.externalClient,
-		ogQueueSet:           queueinformer.NewEmptyResourceQueueSet(),
-		csvQueueSet:          queueinformer.NewEmptyResourceQueueSet(),
-		csvCopyQueueSet:      queueinformer.NewEmptyResourceQueueSet(),
-		csvGCQueueSet:        queueinformer.NewEmptyResourceQueueSet(),
-		apiServiceQueue:      workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "apiservice"),
-		resolver:             config.strategyResolver,
-		apiReconciler:        config.apiReconciler,
-		lister:               lister,
-		recorder:             eventRecorder,
-		apiLabeler:           config.apiLabeler,
-		csvIndexers:          map[string]cache.Indexer{},
-		csvSetGenerator:      csvutility.NewSetGenerator(config.logger, lister),
-		csvReplaceFinder:     csvutility.NewReplaceFinder(config.logger, config.externalClient),
-		serviceAccountSyncer: scoped.NewUserDefinedServiceAccountSyncer(config.logger, scheme, config.operatorClient, config.externalClient),
+		Operator:              queueOperator,
+		clock:                 config.clock,
+		logger:                config.logger,
+		opClient:              config.operatorClient,
+		client:                config.externalClient,
+		ogQueueSet:            queueinformer.NewEmptyResourceQueueSet(),
+		csvQueueSet:           queueinformer.NewEmptyResourceQueueSet(),
+		csvCopyQueueSet:       queueinformer.NewEmptyResourceQueueSet(),
+		csvGCQueueSet:         queueinformer.NewEmptyResourceQueueSet(),
+		apiServiceQueue:       workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "apiservice"),
+		resolver:              config.strategyResolver,
+		apiReconciler:         config.apiReconciler,
+		lister:                lister,
+		recorder:              eventRecorder,
+		apiLabeler:            config.apiLabeler,
+		csvIndexers:           map[string]cache.Indexer{},
+		csvSetGenerator:       csvutility.NewSetGenerator(config.logger, lister),
+		csvReplaceFinder:      csvutility.NewReplaceFinder(config.logger, config.externalClient),
+		serviceAccountSyncer:  scoped.NewUserDefinedServiceAccountSyncer(config.logger, scheme, config.operatorClient, config.externalClient),
+		clientAttenuator:      scoped.NewClientAttenuator(config.logger, config.restConfig, config.operatorClient, config.externalClient),
+		serviceAccountQuerier: scoped.NewUserDefinedServiceAccountQuerier(config.logger, config.externalClient),
 	}
 
 	// Set up syncing for namespace-scoped resources
@@ -1326,8 +1330,18 @@ func (a *Operator) parseStrategiesAndUpdateStatus(csv *v1alpha1.ClusterServiceVe
 		}
 	}
 
+	// If an admin has specified a service account to the operator group
+	// associated with the namespace then we should use a scoped client that is
+	// bound to the service account.
+	querierFunc := a.serviceAccountQuerier.NamespaceQuerier(csv.GetNamespace())
+	kubeclient, err := a.clientAttenuator.AttenuateOperatorClient(querierFunc)
+	if err != nil {
+		a.logger.Errorf("failed to get a client for operator deployment- %v", err)
+		return nil, nil
+	}
+
 	strName := strategy.GetStrategyName()
-	installer := a.resolver.InstallerForStrategy(strName, a.opClient, a.lister, csv, csv.Annotations, previousStrategy)
+	installer := a.resolver.InstallerForStrategy(strName, kubeclient, a.lister, csv, csv.Annotations, previousStrategy)
 	return installer, strategy
 }
 
diff --git a/pkg/controller/operators/olm/operator_test.go b/pkg/controller/operators/olm/operator_test.go
@@ -40,6 +40,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	k8sscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	apiregistrationfake "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake"
 
@@ -260,6 +261,7 @@ func NewFakeOperator(ctx context.Context, options ...fakeOperatorOption) (*Opera
 			strategyResolver:  &install.StrategyResolver{},
 			apiReconciler:     resolver.APIIntersectionReconcileFunc(resolver.ReconcileAPIIntersection),
 			apiLabeler:        labeler.Func(resolver.LabelSetsFor),
+			restConfig: 	   &rest.Config{},
 		},
 		recorder: &record.FakeRecorder{},
 		// default expected namespaces
diff --git a/pkg/lib/scoped/attenuator.go b/pkg/lib/scoped/attenuator.go
@@ -91,3 +91,36 @@ func (s *ClientAttenuator) AttenuateClient(querier ServiceAccountQuerierFunc) (k
 
 	return
 }
+
+// AttenuateOperatorClient returns a scoped operator client instance based on the
+// service account returned by the querier specified.
+func (s *ClientAttenuator) AttenuateOperatorClient(querier ServiceAccountQuerierFunc) (kubeclient operatorclient.ClientInterface, err error) {
+	if querier == nil {
+		err = errQuerierNotSpecified
+		return
+	}
+
+	reference, err := querier()
+	if err != nil {
+		return
+	}
+
+	if reference == nil {
+		// No service account/token has been provided. Return the default client(s).
+		kubeclient = s.kubeclient
+		return
+	}
+
+	token, err := s.retriever.Retrieve(reference)
+	if err != nil {
+		return
+	}
+
+	// Create client(s) bound to the user defined service account.
+	kubeclient, err = s.factory.NewOperatorClient(token)
+	if err != nil {
+		return
+	}
+
+	return
+}
diff --git a/pkg/lib/scoped/token_retriever.go b/pkg/lib/scoped/token_retriever.go
@@ -62,6 +62,12 @@ func getAPISecret(logger *logrus.Entry, kubeclient operatorclient.ClientInterfac
 			break
 		}
 
+		// Validate that this is a token for API access.
+		if !IsServiceAccountToken(secret, sa) {
+			logger.Warnf("skipping secret %s - %v", ref.Name, getErr)
+			continue
+		}
+
 		// The first eligible secret that has an API access token is returned.
 		APISecret = secret
 		break
diff --git a/pkg/lib/scoped/util.go b/pkg/lib/scoped/util.go
@@ -0,0 +1,26 @@
+package scoped
+
+import (
+	v1 "k8s.io/api/core/v1"
+)
+
+// IsServiceAccountToken returns true if the secret is a valid api token for the service account
+// This has been copied from https://github.com/kubernetes/kubernetes/blob/master/pkg/serviceaccount/util.go
+func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
+	if secret.Type != v1.SecretTypeServiceAccountToken {
+		return false
+	}
+
+	name := secret.Annotations[v1.ServiceAccountNameKey]
+	uid := secret.Annotations[v1.ServiceAccountUIDKey]
+	if name != sa.Name {
+		// Name must match
+		return false
+	}
+	if len(uid) > 0 && uid != string(sa.UID) {
+		// If UID is specified, it must match
+		return false
+	}
+
+	return true
+}

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,7 @@ func main() {`
`162`	`162`	`olm.WithResyncPeriod(*wakeupInterval),`
`163`	`163`	`olm.WithExternalClient(crClient),`
`164`	`164`	`olm.WithOperatorClient(opClient),`
	`165`	`+ olm.WithRestConfig(config),`
`165`	`166`	`)`
`166`	`167`	`if err != nil {`
`167`	`168`	`log.Fatalf("error configuring operator: %s", err.Error())`