UD-1664: Add check for unauthenticated or anonymous subjects within r…

…ole bindings Signed-off-by: Kevin Conner <kev.conner@getupcloud.com>
undistro · Aug 7, 2024 · c61c012 · c61c012
1 parent 1205318
commit c61c012
Show file tree

Hide file tree

Showing 3 changed files with 157 additions and 1 deletion.
diff --git a/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml b/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml
@@ -0,0 +1,33 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+id: M-411
+slug: role binding referencing anonymous or unauthenticated
+severity: Medium
+message: "Role Binding referencing anontmous user or unauthenticated group"
+match:
+  resources:
+    - group: "rbac.authorization.k8s.io"
+      version: v1
+      resource: rolebindings
+    - group: "rbac.authorization.k8s.io"
+      version: v1
+      resource: clusterrolebindings
+validations:
+  - expression: >
+      !has(object.subjects) ||
+      object.subjects.all(subject,
+        !(subject.kind == "User" && subject.name == "system:anonymous") &&
+        !(subject.kind == "Group" && subject.name == "system:unauthenticated")
+      )
diff --git a/...al/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated_test.yaml b/...al/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated_test.yaml
@@ -0,0 +1,123 @@
+# Copyright 2023 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: "anonymous user in role binding"
+  pass: false
+  input: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: binding-name
+      namespace: binding-namespace
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: role-name
+    subjects:
+    - apiGroup: rbac.authorization.k8s.io
+      kind: User
+      name: system:anonymous
+    - kind: ServiceAccount
+      name: zora-operator
+      namespace: zora-system
+
+- name: "anonymous user in cluster role binding"
+  pass: false
+  input: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: binding-name
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: role-name
+    subjects:
+    - apiGroup: rbac.authorization.k8s.io
+      kind: User
+      name: system:anonymous
+    - kind: ServiceAccount
+      name: zora-operator
+      namespace: zora-system
+
+- name: "unauthenticated group in role binding"
+  pass: false
+  input: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: binding-name
+      namespace: binding-namespace
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: role-name
+    subjects:
+    - apiGroup: rbac.authorization.k8s.io
+      kind: Group
+      name: system:unauthenticated
+    - kind: ServiceAccount
+      name: zora-operator
+      namespace: zora-system
+
+- name: "unauthenticated group in cluster role binding"
+  pass: false
+  input: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: binding-name
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: role-name
+    subjects:
+    - apiGroup: rbac.authorization.k8s.io
+      kind: Group
+      name: system:unauthenticated
+    - kind: ServiceAccount
+      name: zora-operator
+      namespace: zora-system
+
+- name: "valid role binding"
+  pass: true
+  input: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: binding-name
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: role-name
+    subjects:
+    - kind: ServiceAccount
+      name: zora-operator
+      namespace: zora-system
+
+- name: "valid cluster role binding"
+  pass: true
+  input: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: binding-name
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: role-name
+    subjects:
+    - kind: ServiceAccount
+      name: zora-operator
+      namespace: zora-system
diff --git a/pkg/loader/builtin_test.go b/pkg/loader/builtin_test.go
@@ -23,5 +23,5 @@ import (
 func TestBuiltins(t *testing.T) {
 	assert.NotNil(t, Builtins)
 	assert.Greater(t, len(Builtins), 0)
-	assert.Equal(t, len(Builtins), 34)
+	assert.Equal(t, 35, len(Builtins))
 }