prevent privilege escalation

pkg/authorization/api/helpers.go

@@ -0,0 +1,37 @@
+package api
+
+import (
+	"fmt"
+	"strings"
+
+	kutil "github.com/GoogleCloudPlatform/kubernetes/pkg/util"
+)
+
+func ExpandResources(rawResources kutil.StringSet) kutil.StringSet {
+	ret := kutil.StringSet{}
+	toVisit := rawResources.List()
+	visited := kutil.StringSet{}
+
+	for i := 0; i < len(toVisit); i++ {
+		currResource := toVisit[i]
+		if visited.Has(currResource) {
+			continue
+		}
+		visited.Insert(currResource)
+
+		if strings.Index(currResource, ResourceGroupPrefix+":") != 0 {
+			ret.Insert(strings.ToLower(currResource))
+			continue
+		}
+
+		if resourceTypes, exists := GroupsToResources[currResource]; exists {
+			toVisit = append(toVisit, resourceTypes...)
+		}
+	}
+
+	return ret
+}
+
+func (r PolicyRule) String() string {
+	return fmt.Sprintf("PolicyRule{Verbs:%v, Resources:%v, ResourceNames:%v, Restrictions:%v}", r.Verbs.List(), r.Resources.List(), r.ResourceNames.List(), r.AttributeRestrictions)
+}

pkg/authorization/api/register.go

@@ -16,6 +16,7 @@ func init() {
 		&SubjectAccessReviewResponse{},
 		&PolicyList{},
 		&PolicyBindingList{},
+		&RoleBindingList{},
 	)
 }
 
@@ -29,3 +30,4 @@ func (*ResourceAccessReviewResponse) IsAnAPIObject() {}
 func (*SubjectAccessReviewResponse) IsAnAPIObject()  {}
 func (*PolicyList) IsAnAPIObject()                   {}
 func (*PolicyBindingList) IsAnAPIObject()            {}
+func (*RoleBindingList) IsAnAPIObject()              {}

pkg/authorization/api/types.go

@@ -70,12 +70,12 @@ var (
 // about who the rule applies to or which namespace the rule applies to.
 type PolicyRule struct {
 	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
-	Verbs []string
+	Verbs kutil.StringSet
 	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
 	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
 	AttributeRestrictions kruntime.EmbeddedObject
 	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
-	Resources []string
+	Resources kutil.StringSet `json:"resources"`
 	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
 	ResourceNames kutil.StringSet
 	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
@@ -100,9 +100,9 @@ type RoleBinding struct {
 	kapi.ObjectMeta
 
 	// UserNames holds all the usernames directly bound to the role
-	UserNames []string
+	Users kutil.StringSet
 	// GroupNames holds all the groups directly bound to the role
-	GroupNames []string
+	Groups kutil.StringSet
 
 	// Since Policy is a singleton, this is sufficient knowledge to locate a role
 	// RoleRefs can only reference the current namespace and the global namespace
@@ -208,3 +208,10 @@ type PolicyBindingList struct {
 	kapi.ListMeta
 	Items []PolicyBinding
 }
+
+// RoleBindingList is a collection of PolicyBindings
+type RoleBindingList struct {
+	kapi.TypeMeta
+	kapi.ListMeta
+	Items []RoleBinding
+}

pkg/authorization/api/v1beta1/conversion.go

@@ -17,12 +17,12 @@ func init() {
 				return err
 			}
 
-			out.Verbs = []string{}
-			out.Verbs = append(out.Verbs, in.Verbs...)
+			out.Resources = util.StringSet{}
+			out.Resources.Insert(in.Resources...)
+			out.Resources.Insert(in.ResourceKinds...)
 
-			out.Resources = []string{}
-			out.Resources = append(out.Resources, in.Resources...)
-			out.Resources = append(out.Resources, in.ResourceKinds...)
+			out.Verbs = util.StringSet{}
+			out.Verbs.Insert(in.Verbs...)
 
 			out.ResourceNames = util.NewStringSet(in.ResourceNames...)
 
@@ -35,11 +35,11 @@ func init() {
 				return err
 			}
 
-			out.Verbs = []string{}
-			out.Verbs = append(out.Verbs, in.Verbs...)
-
 			out.Resources = []string{}
-			out.Resources = append(out.Resources, in.Resources...)
+			out.Resources = append(out.Resources, in.Resources.List()...)
+
+			out.Verbs = []string{}
+			out.Verbs = append(out.Verbs, in.Verbs.List()...)
 
 			out.ResourceNames = in.ResourceNames.List()
 
@@ -57,6 +57,26 @@ func init() {
 			out.Roles = make([]NamedRole, 0, 0)
 			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
 		},
+		func(in *RoleBinding, out *newer.RoleBinding, s conversion.Scope) error {
+			if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields|conversion.AllowDifferentFieldTypeNames); err != nil {
+				return err
+			}
+
+			out.Users = util.NewStringSet(in.UserNames...)
+			out.Groups = util.NewStringSet(in.GroupNames...)
+
+			return nil
+		},
+		func(in *newer.RoleBinding, out *RoleBinding, s conversion.Scope) error {
+			if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields|conversion.AllowDifferentFieldTypeNames); err != nil {
+				return err
+			}
+
+			out.UserNames = in.Users.List()
+			out.GroupNames = in.Groups.List()
+
+			return nil
+		},
 		func(in *[]NamedRole, out *map[string]newer.Role, s conversion.Scope) error {
 			for _, curr := range *in {
 				newRole := &newer.Role{}

pkg/authorization/api/v1beta1/register.go

@@ -16,6 +16,7 @@ func init() {
 		&SubjectAccessReviewResponse{},
 		&PolicyList{},
 		&PolicyBindingList{},
+		&RoleBindingList{},
 	)
 }
 
@@ -29,3 +30,4 @@ func (*ResourceAccessReviewResponse) IsAnAPIObject() {}
 func (*SubjectAccessReviewResponse) IsAnAPIObject()  {}
 func (*PolicyList) IsAnAPIObject()                   {}
 func (*PolicyBindingList) IsAnAPIObject()            {}
+func (*RoleBindingList) IsAnAPIObject()              {}

pkg/authorization/api/v1beta1/types.go

@@ -168,3 +168,10 @@ type PolicyBindingList struct {
 	kapi.ListMeta `json:"metadata,omitempty"`
 	Items         []PolicyBinding `json:"items"`
 }
+
+// RoleBindingList is a collection of PolicyBindings
+type RoleBindingList struct {
+	kapi.TypeMeta
+	kapi.ListMeta
+	Items []RoleBinding
+}