CFE-882: Route external certificate validation

[chiragkyal]

Description

Updates route validations based on openshift/enhancements#1307 which introduces a new field in the route API externalCertificate behind the TP feature gate.

Changes

• ValidateRoute() has been updated to pass additional args (secrets lister and subjectaccessreviewer) to validate
  externalCertificate and the rbac required. Now it also does additional subject access review authorization checks to verify if the router SA has the correct permissions to parse externalCertificate. It also adds a hard requirement that the secret referenced in externalCertificate be present prior to creating the route.
• ValidateHostUpdate() has also been updated since updating route host/subdomain is also affected by updating
  certificates on the route. Now certificateChangeRequiresAuth() will always return true if the route has a externalCertificate set (check EP for additional info).
• ValidateHostExternalCertificate() has been introduced as part of the validations done during route updates, this function specifically checks if the user has the correct permissions on the custom-host sub-resource. Additional details can be found on the EP.

[openshift-ci-robot]

@chiragkyal: This pull request references CFE-882 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.15.0" version, but no target version was set.

Details

In response to this:

Description

Updates route validations based on openshift/enhancements#1307 which introduces a new field in the route API externalCertificate behind the TP feature gate.

Changes

• ValidateRoute() has been updated to pass additional args (secrets lister and subjectaccessreviewer) to validate
  externalCertificate and the rbac required. Now it also does additional subject access review authorization checks to verify if the router SA has the correct permissions to parse externalCertificate. It also adds a hard requirement that the secret referenced in externalCertificate be present prior to creating the route.
• ValidateHostUpdate() has also been updated since updating route host/subdomain is also affected by updating
  certificates on the route. Now certificateChangeRequiresAuth() will always return true if the route has a externalCertificate set (check EP for additional info).
• ValidateHostExternalCertificate() has been introduced as part of the validations done during route updates, this function specifically checks if the user has the correct permissions on the custom-host sub-resource. Additional details can be found on the EP.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[chiragkyal]

Continued from #1549

[chiragkyal]

/cc @alebedev87

[chiragkyal]

/assign @alebedev87

[candita]

/hold

[candita]

/assign @Miciah

[candita]

/unhold

[alebedev87]

Focus of this review was on the public functions and their signatures as they should be concise and meaningful. Also I took a glance at the test cases t understand the new logic but the test cases need some structural changes. Will have to do another re-iteration with the focus on the logic.

[alebedev87]

I see resolved comments which are said to be addressed but they are actually not. Maybe you forgot to push the latest changes? If yes, can you please do so? Thanks!

[chiragkyal]

@alebedev87 that's weird, I do have the latest changes pushed. Can you access bb12c49 commit and let me know please, if it's visible.

[alebedev87]

@chiragkyal : I can see the changes now, seems like a GitHub glitch as I refreshed the PR many times. Sorry about that, I continue the review!

[alebedev87]

Another iteration, not fully done with the review yet.

[chiragkyal]

/retest

[alebedev87]

Last iteration, some questions and remarks. Overall I think I'm close to the end :)

[alebedev87]

Why the cert is considered changed here? Shouldn't we check whether the name of the external certificate changed before setting certChanged=true?

[chiragkyal]

Because we cannot definitively verify if the content of the secret that is referenced has been modified.

The reason this also mentioned in the EP:

If the old route or the new route uses .spec.tls.externalCertificate this validation will always have the precondition certificateChangeRequiresAuth() return true since we cannot definitively verify if the content of the secret that is referenced has been modified. Since the previous validation func (ValidateHostExternalCertificate()) would have already validation user permissions, we can safely make this assumption.

[alebedev87]

I was wondering about the secret name, not the secret contents.

[alebedev87]

Can the external certificate secret name change?

[chiragkyal]

Yeah! The external certificate secret name can be changed, but the caveat here is even if the secret name remains the same, we need to assume that the secret content is changed, and hence, the certificate is changed.

[alebedev87]

but the caveat here is even if the secret name remains the same, we need to assume that the secret content is changed

True, we have no choice here but treat this as "always changed".

[Miciah]

I do see you added a comment for this caveat to ValidateHostUpdate, but perhaps it deserves a code comment in certificateChangeRequiresAuth as well.

[chiragkyal]

Okay, I've added a comment for certificateChangeRequiresAuth as well

[alebedev87]

/lgtm

[Miciah]

Is this test case correct?

		{
			name:           "no-certificate-changed-to-external-certificate-denied",
			host:           "host",
			expected:       "host",
			oldHost:        "host",
			tls:            &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: &routev1.LocalObjectReference{Name: "b"}},
			oldTLS:         &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: nil},
			wildcardPolicy: routev1.WildcardPolicyNone,
			allow:          false,
			errs:           1,

			opts: route.RouteValidationOptions{AllowExternalCertificates: true},
		},

The above test case fails if I add it to TestHostWithWildcardPolicies:

go test ./pkg/route/hostassignment -run TestHostWithWildcardPolicies
# github.com/openshift/library-go/pkg/route/hostassignment.test
guile: warning: failed to install locale
--- FAIL: TestHostWithWildcardPolicies (0.00s)
    --- FAIL: TestHostWithWildcardPolicies/no-certificate-changed-to-external-certificate-denied (0.00s)
        assignment_test.go:506: expected 1 errors, got 0: []

It seems to me that the logic in ValidateHostUpdate should be as follows:

Suggested change

	if opts.AllowExternalCertificates && route.Spec.TLS.ExternalCertificate != nil && older.Spec.TLS.ExternalCertificate != nil {
	errs = append(errs, apimachineryvalidation.ValidateImmutableField(route.Spec.TLS.ExternalCertificate.Name, older.Spec.TLS.ExternalCertificate.Name, field.NewPath("spec", "tls", "externalCertificate"))...)
	}
	if opts.AllowExternalCertificates {
	if route.Spec.TLS.ExternalCertificate == nil || older.Spec.TLS.ExternalCertificate == nil {
	errs = append(errs, apimachineryvalidation.ValidateImmutableField(route.Spec.TLS.ExternalCertificate, older.Spec.TLS.ExternalCertificate, field.NewPath("spec", "tls", "externalCertificate"))...)
	} else {
	errs = append(errs, apimachineryvalidation.ValidateImmutableField(route.Spec.TLS.ExternalCertificate.Name, older.Spec.TLS.ExternalCertificate.Name, field.NewPath("spec", "tls", "externalCertificate"))...)
	}
	}

You'll need to modify the "external-certificate-changed-to-certificate-denied" and "certificate-changed-to-external-certificate-denied" test cases to expect an additional error.

[chiragkyal]

Thanks for the suggestion and finding this edge case. I've updated the logic in ValidateHostUpdate as suggested, and also added the above test case along with "no-certificate-changed-to-external-certificate-allowed" test into TestHostWithWildcardPolicies

[Miciah]

It looks like this suggestion from the original PR got dropped: #1549 (comment)

[Miciah]

Is the AllowExternalCertificates flag (or perhaps this whole struct) destined to be removed when the feature graduates from tech preview to GA?

[chiragkyal]

That's correct. The AllowExternalCertificates flag (along with RouteValidationOptions struct) will be removed while graduating from TP -> GA.

[Miciah]

Ultimately, ValidateUpdate is going to call ValidateHostExternalCertificate and then call ValidateHostUpdate, right? This comment is helpful, but it still isn't quite clear why the logic in ValidateHostExternalCertificate cannot simply be added to ValidateHostUpdate.

[alebedev87]

Reminded me of my comment.

[chiragkyal]

The EP did mention about invoking ValidateHostExternalCertificate prior to ValidateHostUpdate, but it's body lacks the actual reason why we decided to choose this approach.

As per our discussion over Slack and further investigation, I've added a TODO to consider merging ValidateHostExternalCertificate function into ValidateHostUpdate later.

[openshift-ci]

@chiragkyal: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[Miciah]

Suggested change

	// we must assume that the secret content is changed, necessitating authentication.
	// we must assume that the secret content is changed, necessitating authorization.

[chiragkyal]

Covered in #1706

[Miciah]

I just noticed that the tests don't cover this case (i.e. creating a new route that specifies externalCertificate). These test cases would give you coverage:

		{
			name:           "create-with-external-certificate-denied",
			host:           "host",
			expected:       "host",
			tls:            &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: &routev1.LocalObjectReference{Name: "b"}},
			wildcardPolicy: routev1.WildcardPolicyNone,
			allow:          false,
			errs:           1,

			opts: route.RouteValidationOptions{AllowExternalCertificates: true},
		},
		{
			name:           "create-with-external-certificate-allowed",
			host:           "host",
			expected:       "host",
			tls:            &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: &routev1.LocalObjectReference{Name: "b"}},
			wildcardPolicy: routev1.WildcardPolicyNone,
			allow:          true,
			errs:           0,

			opts: route.RouteValidationOptions{AllowExternalCertificates: true},
		},

[chiragkyal]

Covered in #1706

[Miciah]

Excellent!
/approve
/lgtm

I added two comments since your last update, but they are very minor things. @alebedev87 might want to take another quick look after your most recent changes, so I'll add a hold just in case.
/hold

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87, chiragkyal, Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/route/OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

/unhold