From 126920f167fb832ce5767bab62fedd4a73927e2d Mon Sep 17 00:00:00 2001
From: Kevin McDermott
Date: Mon, 24 Feb 2025 08:44:40 +0000
Subject: [PATCH] Validate userPrincipalName or userName and groupName

This adds support for the change in Rancher to support the userNamePrincipal in GRBs.
---
 docs.md | 3 ++-
 go.mod | 2 +-
 go.sum | 4 ++--
 .../v3/globalrolebinding/GlobalRoleBinding.md | 3 ++-
 .../v3/globalrolebinding/validator.go | 11 +++++++----
 .../v3/globalrolebinding/validator_test.go | 15 +++++++++++++++
 6 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/docs.md b/docs.md
index 72767602f..5c30b1d76 100644
--- a/docs.md
+++ b/docs.md
@@ -258,12 +258,13 @@ This escalation check is bypassed if a user has the `bind` verb on the GlobalRol
 #### Invalid Fields - Update
 Users cannot update the following fields after creation:
 - `userName`
+- `userPrincipalName`
 - `groupPrincipalName`
 - `globalRoleName`
 #### Invalid Fields - Create
-GlobalRoleBindings must have either `userName` or `groupPrincipalName`, but not both.
+GlobalRoleBindings must have one of `userName`, `userPrincipalName` or `groupPrincipalName` but not all.
 All RoleTemplates which are referred to in the `inheritedClusterRoles` field must exist and not be locked.
 ### Mutation Checks
diff --git a/go.mod b/go.mod
index 9da6dca31..b2ebd99c6 100644
--- a/go.mod
+++ b/go.mod
@@ -43,7 +43,7 @@ require (
 github.com/gorilla/mux v1.8.1
 github.com/rancher/dynamiclistener v0.6.1
 github.com/rancher/lasso v0.2.1
- github.com/rancher/rancher/pkg/apis v0.0.0-20250220153925-3abb578f42fe
+ github.com/rancher/rancher/pkg/apis v0.0.0-20250221133435-39dbf8bc4a01
 github.com/rancher/rke v1.8.0-rc.1
 github.com/rancher/wrangler/v3 v3.2.0-rc.3
 github.com/robfig/cron v1.2.0
diff --git a/go.sum b/go.sum
index 4846a64d3..ef26ef7f5 100644
--- a/go.sum
+++ b/go.sum
@@ -157,8 +157,8 @@ github.com/rancher/lasso v0.2.1 h1:SZTqMVQn8cAOqvwGBd1/EYOIJ/MGN+UfJrOWvHd4jHU=
 github.com/rancher/lasso v0.2.1/go.mod h1:KSV3jBXfdXqdCuMm2uC8kKB9q/wuDYb3h0eHZoRjShM=
 github.com/rancher/norman v0.5.1 h1:jbp49IcX2Hn+N2QA3MHdIXeUG0VgCSIjJs4xnqG+j90=
 github.com/rancher/norman v0.5.1/go.mod h1:qX/OG/4wY27xSAcSdRilUBxBumV6Ey2CWpAeaKnBQDs=
-github.com/rancher/rancher/pkg/apis v0.0.0-20250220153925-3abb578f42fe h1:DNGD4RCs1k5PxAHUc1zA9FiEfowcejQQcGAItwUIDh4=
-github.com/rancher/rancher/pkg/apis v0.0.0-20250220153925-3abb578f42fe/go.mod h1:0JtLfvgj4YiwddyHEvhF3yEK9k5c22CWs55DppqdP5o=
+github.com/rancher/rancher/pkg/apis v0.0.0-20250221133435-39dbf8bc4a01 h1:Co4AuY4AUcGO7VgNkzD39VHCJvN09XQ0Ivg1sOec4Ts=
+github.com/rancher/rancher/pkg/apis v0.0.0-20250221133435-39dbf8bc4a01/go.mod h1:0JtLfvgj4YiwddyHEvhF3yEK9k5c22CWs55DppqdP5o=
 github.com/rancher/rke v1.7.2 h1:+2fcl0gCjRHzf1ev9C9ptQ1pjYbDngC1Qv8V/0ki/dk=
 github.com/rancher/rke v1.7.2/go.mod h1:+x++Mvl0A3jIzNLiu8nkraqZXiHg6VPWv0Xl4iQCg+A=
 github.com/rancher/wrangler/v3 v3.2.0-rc.3 h1:MySHWLxLLrGrM2sq5YYp7Ol1kQqYt9lvIzjGR50UZ+c=
diff --git a/pkg/resources/management.cattle.io/v3/globalrolebinding/GlobalRoleBinding.md b/pkg/resources/management.cattle.io/v3/globalrolebinding/GlobalRoleBinding.md
index 020d90eb4..165843d77 100644
--- a/pkg/resources/management.cattle.io/v3/globalrolebinding/GlobalRoleBinding.md
+++ b/pkg/resources/management.cattle.io/v3/globalrolebinding/GlobalRoleBinding.md
@@ -15,12 +15,13 @@ This escalation check is bypassed if a user has the `bind` verb on the GlobalRol
 ### Invalid Fields - Update
 Users cannot update the following fields after creation:
 - `userName`
+- `userPrincipalName`
 - `groupPrincipalName`
 - `globalRoleName`
 ### Invalid Fields - Create
-GlobalRoleBindings must have either `userName` or `groupPrincipalName`, but not both.
+GlobalRoleBindings must have one of `userName`, `userPrincipalName` or `groupPrincipalName` but not all.
 All RoleTemplates which are referred to in the `inheritedClusterRoles` field must exist and not be locked.
 ## Mutation Checks
diff --git a/pkg/resources/management.cattle.io/v3/globalrolebinding/validator.go b/pkg/resources/management.cattle.io/v3/globalrolebinding/validator.go
index 1e5dc8062..f78435ecd 100644
--- a/pkg/resources/management.cattle.io/v3/globalrolebinding/validator.go
+++ b/pkg/resources/management.cattle.io/v3/globalrolebinding/validator.go
@@ -188,11 +188,14 @@ func validateUpdateFields(oldBinding, newBinding *v3.GlobalRoleBinding, fldPath
 // validateCreateFields checks if all required fields are present and valid.
 func (a *admitter) validateCreate(newBinding *v3.GlobalRoleBinding, globalRole *v3.GlobalRole, fldPath *field.Path) error {
+ hasUserTarget := newBinding.UserName != "" || newBinding.UserPrincipalName != ""
+ hasGroupTarget := newBinding.GroupPrincipalName != ""
+
 switch {
- case newBinding.UserName != "" && newBinding.GroupPrincipalName != "":
- return field.Forbidden(fldPath, "bindings can not set both userName and groupPrincipalName")
- case newBinding.UserName == "" && newBinding.GroupPrincipalName == "":
- return field.Required(fldPath, "bindings must have either userName or groupPrincipalName set")
+ case hasUserTarget && hasGroupTarget:
+ return field.Forbidden(fldPath, "bindings can not set both userName/userPrincipalName and groupPrincipalName")
+ case (!hasUserTarget && !hasGroupTarget):
+ return field.Required(fldPath, "bindings must have either userName/userPrincipalName or groupPrincipalName set")
 }
 return a.validateGlobalRole(globalRole, fldPath)
diff --git a/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go b/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go
index cd086f203..b586adc71 100644
--- a/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go
+++ b/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go
@@ -119,6 +119,21 @@ func TestAdmit(t *testing.T) {
 },
 allowed: false,
 },
+ {
+ name: "create gr with user principal name",
+ args: args{
+ newGRB: func() *v3.GlobalRoleBinding {
+ gr := newDefaultGRB()
+ gr.GlobalRoleName = baseGR.Name
+ gr.UserName = ""
+ gr.GroupPrincipalName = ""
+ gr.UserPrincipalName = "activedirectory_user://CN=test,CN=Users,DC=ad,DC=ians,DC=farm"
+ return gr
+ },
+ },
+ allowed: true,
+ },
 {
 name: "create gr refers to RT misc error",
 args: args{
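Review bot: Nothing in this patch enforces the immutability of `userPrincipalName` that both documentation hunks now promise: the diffstat's 7 additions and 4 deletions for validator.go are all in this hunk, so validateUpdateFields (which starts above the hunk and is not visible here) appears unchanged, and if it still compares only `UserName`, `GroupPrincipalName` and `GlobalRoleName`, a binding could be re-pointed to a different principal after creation while keeping its already-granted global role; the update path should gain a comparison such as `if oldBinding.UserPrincipalName != newBinding.UserPrincipalName { return field.Invalid(fldPath.Child("userPrincipalName"), newBinding.UserPrincipalName, "cannot be updated") }` in the same style as its existing checks. The new `hasUserTarget` also accepts `UserName` and `UserPrincipalName` set together without verifying they denote the same user, so if the controller resolves the two independently a single binding can name two subjects; either reject that combination here or document the resolution rule above the switch, e.g. `// Both userName and userPrincipalName may be set; <which one is authoritative> — confirm with the GRB controller`. Minor style: the parentheses in `case (!hasUserTarget && !hasGroupTarget):` are redundant, and the pre-existing context comment `// validateCreateFields checks ...` names the wrong function (the method is `validateCreate`).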
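Review bot: The only new table entry is the positive case; the rejection branches the new rule introduces stay untested, namely `userPrincipalName` set together with `groupPrincipalName` (which should reach the Forbidden branch) and `userName` set together with `userPrincipalName` (whatever the intended outcome is), and no entry asserts that an update changing `userPrincipalName` is denied as the documentation now states, unless entries outside the hunk already cover this. Mirroring this entry with `allowed: false` cases for those inputs would pin the security-relevant behaviour rather than only the happy path. TestAdmit's table starts and ends outside the hunk.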