add pretty printing requirements list and fix rbac bug being too rest…

…rictive against unmatched policysets
gravitational · Mar 9, 2022 · 818d1a2 · 818d1a2
1 parent 62c2eb0
commit 818d1a2
Showing 1 changed file with 37 additions and 2 deletions.
diff --git a/lib/auth/session_access.go b/lib/auth/session_access.go
@@ -17,6 +17,7 @@ limitations under the License.
 package auth
 
 import (
+	"fmt"
 	"regexp"
 	"strings"
 
@@ -214,6 +215,39 @@ func (e *SessionAccessEvaluator) IsModerated() bool {
 	return e.hasPolicies()
 }
 
+func (e *SessionAccessEvaluator) PrettyRequirementsList() string {
+	s := "require all:"
+
+	for _, policySet := range e.policySets {
+		policies := e.extractApplicablePolicies(policySet)
+		if len(policies) == 0 {
+			continue
+		}
+
+		s += fmt.Sprintf("\n\t  one of (%v):", policySet.Name)
+
+		for _, require := range policies {
+			if !e.matchesKind(require.Kinds) {
+				s += fmt.Sprintf("\n\t    - %vx %v of type %v", require.Count, require.Filter, strings.Join(require.Modes, ","))
+			}
+		}
+	}
+
+	return s
+}
+
+func (e *SessionAccessEvaluator) extractApplicablePolicies(set *types.SessionTrackerPolicySet) []*types.SessionRequirePolicy {
+	var policies []*types.SessionRequirePolicy
+
+	for _, require := range set.RequireSessionJoin {
+		if e.matchesKind(require.Kinds) {
+			policies = append(policies, require)
+		}
+	}
+
+	return policies
+}
+
 // FulfilledFor checks if a given session may run with a list of participants.
 func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContext) (bool, PolicyOptions, error) {
 	supported, err := e.supportsSessionAccessControls()
@@ -232,13 +266,14 @@ func (e *SessionAccessEvaluator) FulfilledFor(participants []SessionAccessContex
 	// We need every policy set to match to allow the session.
 policySetLoop:
 	for _, policySet := range e.policySets {
-		if len(policySet.RequireSessionJoin) == 0 {
+		policies := e.extractApplicablePolicies(policySet)
+		if len(policies) == 0 {
 			continue
 		}
 
 		// Check every require policy to see if it's fulfilled.
 		// Only one needs to be checked to pass the policyset.
-		for _, requirePolicy := range policySet.RequireSessionJoin {
+		for _, requirePolicy := range policies {
 			// Count of how many additional participant matches we need to fulfill the policy.
 			left := requirePolicy.Count