From 547a96be1cd22e30fad9e12b90e6305ca2c3b8fb Mon Sep 17 00:00:00 2001
From: Guillaume Demonet
Date: Thu, 18 Jun 2020 23:01:03 +0200
Subject: [PATCH] salt, storage-operator: Limit allowed Salt states

Reduce to only state formulas in `metalk8s.volumes`.

Fixes: #1528
---
 .../salt/master/files/master-99-metalk8s.conf.j2 | 4 +++-
 tests/post/features/salt_api.feature | 3 ++-
 tests/post/steps/test_salt_api.py | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2 b/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2
index 49865335f4..2a281e3af5 100644
--- a/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2
+++ b/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2
@@ -45,7 +45,9 @@ external_auth:
   storage-operator:
     - '*':
       - 'disk.dump'
-      - 'state.sls'
+      - 'state.sls':
+          kwargs:
+            mods: 'metalk8s\.volumes.*'
       - '@jobs'
 
 # `kubeconfig` file and `context` used by salt to interact with apiserver
diff --git a/tests/post/features/salt_api.feature b/tests/post/features/salt_api.feature
index 2959a78576..23179faaea 100644
--- a/tests/post/features/salt_api.feature
+++ b/tests/post/features/salt_api.feature
@@ -12,9 +12,10 @@ Feature: SaltAPI
   Scenario: Login to SaltAPI using a ServiceAccount
     Given the Kubernetes API is available
     When we login to SaltAPI with the ServiceAccount 'storage-operator'
-    Then we can invoke '["disk.dump", "state.sls"]' on '*'
+    Then we can invoke '["disk.dump", {"state.sls": {"kwargs": {"mods": r"metalk8s\.volumes.*"}}]' on '*'
     And we have '@jobs' perms
     And we can not ping all minions
+    And we can not run state 'test.nop' on '*'
 
   Scenario: Login to SaltAPI using an incorrect password
     Given the Kubernetes API is available
diff --git a/tests/post/steps/test_salt_api.py b/tests/post/steps/test_salt_api.py
index 02f42e350f..771cc91b9c 100644
--- a/tests/post/steps/test_salt_api.py
+++ b/tests/post/steps/test_salt_api.py
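Review bot: The `mods` pattern `'metalk8s\.volumes.*'` on the added kwargs line is open-ended: the trailing `.*` accepts any suffix, and Salt's ACL argument matching is regex-based (re.match against the value, as far as I recall; confirm the anchoring behaviour for the Salt version in use). Since `state.sls` also accepts `mods` as a comma-separated list of states, a value that starts with `metalk8s.volumes` and continues with `,` and other state names would still satisfy this filter, which is broader than what the commit message describes. Anchoring the pattern and excluding the separator narrows it to the intended formulas, e.g. `mods: '^metalk8s\.volumes(\.[^,]+)*$'`. The negated scenario added in salt_api.feature only covers `test.nop`; a second negated step with a comma-separated `mods` value would pin this case.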
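Review bot: The rewritten `Then we can invoke` step embeds a Python raw-string literal, `r"metalk8s\.volumes.*"`, inside an argument that previously looked like plain JSON; that only round-trips if the step implementation evaluates the argument as a Python literal rather than with `json.loads`, which this hunk does not show. Writing the value with a doubled backslash, `{"mods": "metalk8s\\.volumes.*"}`, yields the same regex under both a JSON parser and `ast.literal_eval`, so the feature file stops depending on which one the step uses.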
@@ -97,6 +97,21 @@ def ping_all_minions(host, context, negated):
     assert result_data['return'][0] != []
 
 
+@then(parsers.parse(
+    "we can{negated:Negation} run state '{module}' on '{targets}'",
+    extra_types={'Negation': _negation}
+))
+def run_state_on_targets(host, context, negated, module, targets):
+    result = _salt_call(context, 'state.sls', tgt=targets,
+                        kwarg={'mods': module})
+
+    if negated:
+        assert result.status_code == 401
+        assert 'No permission' in result.text
+    else:
+        assert result.status_code == 200
+
+
 @then('authentication fails')
 def authentication_fails(host, context):
     assert context['salt-api']['login-status-code'] == 401
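Review bot: In `run_state_on_targets` the non-negated branch asserts only `result.status_code == 200`; salt-api answers 200 whenever the job is accepted, so this would pass even if the state ran on no target or failed everywhere — assert on the body too, in the spirit of the `assert result_data['return'][0] != []` check in `ping_all_minions` just above (e.g. `assert result.json()['return'][0]`, adjusting to the actual return shape). The allow side of the new ACL is also never exercised, since salt_api.feature only adds the negated `test.nop` step; a positive step with a `metalk8s.volumes` state would pin that the rule still permits what it should. A one-line docstring such as `"""Run state.sls with mods=<module> through salt-api and check the ACL verdict."""` would also help. `host` is unused, but that matches the neighbouring step functions.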