Skip to content

Commit

Permalink
Restrict AutoUpdateVersion to be created/updated for cloud (#49008)
Browse files Browse the repository at this point in the history
* Restrict AutoUpdateVersion to be created/updated for cloud

* Check builtin Admin role and Cloud feature

* More informative error message

* Remove KindAutoUpdateAgentRollout from editor role preset
  • Loading branch information
vapopov committed Dec 13, 2024
1 parent c52e3e9 commit 68fa3fc
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 0 deletions.
28 changes: 28 additions & 0 deletions lib/auth/autoupdate/autoupdatev1/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ import (
apievents "github.com/gravitational/teleport/api/types/events"
"github.com/gravitational/teleport/lib/authz"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/services"
)

Expand Down Expand Up @@ -289,6 +290,10 @@ func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.C
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -330,6 +335,10 @@ func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.U
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -371,6 +380,10 @@ func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.U
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -412,6 +425,10 @@ func (s *Service) DeleteAutoUpdateVersion(ctx context.Context, req *autoupdate.D
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbDelete); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -453,3 +470,14 @@ func (s *Service) emitEvent(ctx context.Context, e apievents.AuditEvent) {
)
}
}

// checkAdminCloudAccess validates if the given context has the builtin admin role if cloud feature is enabled.
func checkAdminCloudAccess(authCtx *authz.Context) error {
if modules.GetModules().Features().Cloud && !authz.HasBuiltinRole(*authCtx, string(types.RoleAdmin)) {
return trace.AccessDenied("This Teleport instance is running on Teleport Cloud. "+
"The %q resource is managed by the Teleport Cloud team. You can use the %q resource to opt-in, "+
"opt-out or configure update schedules.",
types.KindAutoUpdateVersion, types.KindAutoUpdateConfig)
}
return nil
}
2 changes: 2 additions & 0 deletions lib/services/presets.go
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,8 @@ func NewPresetEditorRole() types.Role {
types.NewRule(types.KindAccessMonitoringRule, RW()),
types.NewRule(types.KindAccessGraphSettings, RW()),
types.NewRule(types.KindSPIFFEFederation, RW()),
types.NewRule(types.KindAutoUpdateVersion, RW()),
types.NewRule(types.KindAutoUpdateConfig, RW()),
},
},
},
Expand Down

0 comments on commit 68fa3fc

Please sign in to comment.