From 68fa3fca8b0f321012a03095015dd0110ae702e1 Mon Sep 17 00:00:00 2001
From: Vadym Popov
Date: Thu, 12 Dec 2024 12:50:18 -0800
Subject: [PATCH] Restrict AutoUpdateVersion to be created/updated for cloud (#49008)

* Restrict AutoUpdateVersion to be created/updated for cloud
* Check builtin Admin role and Cloud feature
* More informative error message
* Remove KindAutoUpdateAgentRollout from editor role preset
---
lib/auth/autoupdate/autoupdatev1/service.go | 28 +++++++++++++++++++++
lib/services/presets.go | 2 ++
2 files changed, 30 insertions(+)
diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go
index e88ff95d87382..d32bae77181e7 100644
--- a/lib/auth/autoupdate/autoupdatev1/service.go
+++ b/lib/auth/autoupdate/autoupdatev1/service.go
@@ -30,6 +30,7 @@ import (
 apievents "github.com/gravitational/teleport/api/types/events"
 "github.com/gravitational/teleport/lib/authz"
 "github.com/gravitational/teleport/lib/events"
+ "github.com/gravitational/teleport/lib/modules"
 "github.com/gravitational/teleport/lib/services"
 )
 
@@ -289,6 +290,10 @@ func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.C
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -330,6 +335,10 @@ func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbUpdate); err != nil {
 return nil, trace.Wrap(err)
 }
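Review bot: The new guard in CreateAutoUpdateVersion runs before authCtx.CheckAccessToKind, so a caller with no RBAC access to types.KindAutoUpdateVersion at all receives the Cloud-specific guidance instead of the ordinary RBAC denial, and the modules lookup runs even when RBAC alone would have rejected the request; consider running the verb check first and the Cloud/admin gate second, so the Cloud message is only shown to callers that otherwise have access. The same four added lines are repeated in the UpdateAutoUpdateVersion hunk here and in the UpsertAutoUpdateVersion and DeleteAutoUpdateVersion hunks further down; one helper such as `func checkVersionWriteAccess(authCtx *authz.Context, verbs ...string) error` that performs both checks in a fixed order would keep the Cloud rule and the ordering in a single place. The enclosing function bodies start and end outside these hunks, so where authCtx comes from is not visible here.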
@@ -371,6 +380,10 @@ func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate, types.VerbUpdate); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -412,6 +425,10 @@ func (s *Service) DeleteAutoUpdateVersion(ctx context.Context, req *autoupdate.D
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbDelete); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -453,3 +470,14 @@ func (s *Service) emitEvent(ctx context.Context, e apievents.AuditEvent) {
 )
 }
 }
+
+// checkAdminCloudAccess validates if the given context has the builtin admin role if cloud feature is enabled.
+func checkAdminCloudAccess(authCtx *authz.Context) error {
+ if modules.GetModules().Features().Cloud && !authz.HasBuiltinRole(*authCtx, string(types.RoleAdmin)) {
+ return trace.AccessDenied("This Teleport instance is running on Teleport Cloud. "+
+ "The %q resource is managed by the Teleport Cloud team. You can use the %q resource to opt-in, "+
+ "opt-out or configure update schedules.",
+ types.KindAutoUpdateVersion, types.KindAutoUpdateConfig)
+ }
+ return nil
+}
diff --git a/lib/services/presets.go b/lib/services/presets.go
index 507155a7fd728..e1a0fbe75f212 100644
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@@ -178,6 +178,8 @@ func NewPresetEditorRole() types.Role {
 types.NewRule(types.KindAccessMonitoringRule, RW()),
 types.NewRule(types.KindAccessGraphSettings, RW()),
 types.NewRule(types.KindSPIFFEFederation, RW()),
+ types.NewRule(types.KindAutoUpdateVersion, RW()),
+ types.NewRule(types.KindAutoUpdateConfig, RW()),
 },
 },
 },
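Review bot: checkAdminCloudAccess dereferences its argument unconditionally in `authz.HasBuiltinRole(*authCtx, string(types.RoleAdmin))`, so a nil context panics inside an authorization gate rather than failing closed; the callers appear to pass a context that has already passed an error check, so this is defensive, but a guard at the top of the function such as `if authCtx == nil { return trace.AccessDenied("missing authorization context") }` is cheap for a check whose failure mode should be a denial. The doc comment could also spell out the non-Cloud behaviour, which the one-line comment leaves implicit, e.g. `// On non-Cloud deployments the check always passes and ordinary RBAC on KindAutoUpdateVersion applies.` Note that the gate applies only to writes; the read paths are untouched by this commit and remain governed by RBAC alone.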
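Review bot: The editor preset now grants RW on types.KindAutoUpdateVersion, but on Teleport Cloud the service-side gate added in the same commit rejects writes to that kind from anyone without the builtin Admin role, so for Cloud editors this rule is effectively limited to its read verbs; that looks intended, but a short comment next to the new rule would spare the next reader the cross-reference, e.g. `// On Teleport Cloud, writes to autoupdate_version additionally require the builtin Admin role; see autoupdatev1.checkAdminCloudAccess.` The commit message also mentions removing KindAutoUpdateAgentRollout from this preset, yet the hunk shows only the two additions, so that removal is presumably already in the base or was squashed away; worth confirming the preset matches the description. NewPresetEditorRole starts and ends outside the hunk.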