From 13cf4eb7ad848efd62ded85ad96725c331b363da Mon Sep 17 00:00:00 2001
From: Vadym Popov
Date: Thu, 12 Dec 2024 12:50:18 -0800
Subject: [PATCH] Restrict AutoUpdateVersion to be created/updated for cloud (#49008)

* Restrict AutoUpdateVersion to be created/updated for cloud
* Check builtin Admin role and Cloud feature
* More informative error message
* Remove KindAutoUpdateAgentRollout from editor role preset
---
 lib/auth/autoupdate/autoupdatev1/service.go | 28 +++++++++++++++++++++
 lib/services/presets.go | 2 ++
 2 files changed, 30 insertions(+)

diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go
index aa9e29f2fabea..77baae74e4658 100644
--- a/lib/auth/autoupdate/autoupdatev1/service.go
+++ b/lib/auth/autoupdate/autoupdatev1/service.go
@@ -30,6 +30,7 @@ import (
 apievents "github.com/gravitational/teleport/api/types/events"
 "github.com/gravitational/teleport/lib/authz"
 "github.com/gravitational/teleport/lib/events"
+ "github.com/gravitational/teleport/lib/modules"
 "github.com/gravitational/teleport/lib/services"
 )
 
@@ -292,6 +293,10 @@ func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.C
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -333,6 +338,10 @@ func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbUpdate); err != nil {
 return nil, trace.Wrap(err)
 }
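Review bot: The Cloud gate inserted ahead of `CheckAccessToKind` in CreateAutoUpdateVersion is the same four-line block pasted again in UpdateAutoUpdateVersion (the next hunk) and in UpsertAutoUpdateVersion and DeleteAutoUpdateVersion (the two hunks after that), so every mutating RPC on this resource now carries two independent authorization steps that must be kept in sync by hand. Folding both into one helper that takes the verbs means a future RPC cannot inherit only one of them. Because the Cloud check runs first, a caller who lacks the RBAC verb on Cloud receives the "managed by the Teleport Cloud team" message instead of the usual RBAC denial; that looks intentional given the wording, but deserves a line such as `// Cloud-managed resource: require the builtin Admin role before the per-verb RBAC check.` above the call. The bodies of all four RPCs continue outside their hunks.
```go
// checkAutoUpdateVersionAccess applies the Cloud-only builtin-Admin gate and then the
// regular RBAC check for the given verbs on KindAutoUpdateVersion.
func checkAutoUpdateVersionAccess(authCtx *authz.Context, verbs ...string) error {
	if err := checkAdminCloudAccess(authCtx); err != nil {
		return trace.Wrap(err)
	}
	return trace.Wrap(authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, verbs...))
}

// … in CreateAutoUpdateVersion, replacing the two separate checks …
if err := checkAutoUpdateVersionAccess(authCtx, types.VerbCreate); err != nil {
	return nil, trace.Wrap(err)
}
```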
@@ -374,6 +383,10 @@ func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate, types.VerbUpdate); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -415,6 +428,10 @@ func (s *Service) DeleteAutoUpdateVersion(ctx context.Context, req *autoupdate.D
 return nil, trace.Wrap(err)
 }
 
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbDelete); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -589,3 +606,14 @@ func (s *Service) emitEvent(ctx context.Context, e apievents.AuditEvent) {
 )
 }
 }
+
+// checkAdminCloudAccess validates if the given context has the builtin admin role if cloud feature is enabled.
+func checkAdminCloudAccess(authCtx *authz.Context) error {
+ if modules.GetModules().Features().Cloud && !authz.HasBuiltinRole(*authCtx, string(types.RoleAdmin)) {
+ return trace.AccessDenied("This Teleport instance is running on Teleport Cloud. "+
+ "The %q resource is managed by the Teleport Cloud team. You can use the %q resource to opt-in, "+
+ "opt-out or configure update schedules.",
+ types.KindAutoUpdateVersion, types.KindAutoUpdateConfig)
+ }
+ return nil
+}
diff --git a/lib/services/presets.go b/lib/services/presets.go
index 887545d164cf6..3da8d165e36f8 100644
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@@ -192,6 +192,8 @@ func NewPresetEditorRole() types.Role {
 types.NewRule(types.KindIdentityCenter, RW()),
 types.NewRule(types.KindContact, RW()),
 types.NewRule(types.KindWorkloadIdentity, RW()),
+ types.NewRule(types.KindAutoUpdateVersion, RW()),
+ types.NewRule(types.KindAutoUpdateConfig, RW()),
 },
 },
 },
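Review bot: The doc comment on checkAdminCloudAccess does not state the function's contract: it returns nil whenever the Cloud feature is off, and on Cloud returns nil only for the builtin Admin role, denying every other caller. I would replace it with `// checkAdminCloudAccess returns nil when the Cloud feature is disabled or when authCtx carries the builtin Admin role; on Cloud any other caller gets an AccessDenied error explaining that AutoUpdateVersion is managed by the Cloud team and that AutoUpdateConfig is the user-facing knob.` The helper also dereferences `*authCtx` unconditionally; the four callers in this patch obtain authCtx from an error-checked authorization step, so it is presumably non-nil there, but a guard such as `if authCtx == nil { return trace.BadParameter("missing authorization context") }` keeps a future caller from turning a missing context into a panic inside the auth server. The feature flag is read from the process-global modules on every call, which is worth a word in the comment so test authors know the gate depends on that global.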
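Review bot: The new `KindAutoUpdateVersion` rule grants the preset editor role read/write on a resource whose writes this same commit rejects for everyone but the builtin Admin role on Cloud, so on Cloud an editor will hit the AccessDenied message rather than an RBAC denial, and nothing in this hunk records that asymmetry. A short comment on the rule would save the next reader a trip to the service, e.g. `// On Cloud, writes to KindAutoUpdateVersion are further restricted to the builtin Admin role (see autoupdatev1.checkAdminCloudAccess).` The commit message says KindAutoUpdateAgentRollout is removed from this preset, but the hunk only adds two rules; if that removal was against an intermediate branch state, the final description would read more accurately as an addition. NewPresetEditorRole continues outside the hunk.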