Skip to content

Commit

Permalink
Restrict AutoUpdateVersion to be created/updated for cloud (#49008) (#…
Browse files Browse the repository at this point in the history
…50242)

* Restrict AutoUpdateVersion to be created/updated for cloud

* Check builtin Admin role and Cloud feature

* More informative error message

* Remove KindAutoUpdateAgentRollout from editor role preset
  • Loading branch information
vapopov authored Dec 16, 2024
1 parent 059cfd6 commit 95ea0e9
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 0 deletions.
28 changes: 28 additions & 0 deletions lib/auth/autoupdate/autoupdatev1/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ import (
apievents "github.com/gravitational/teleport/api/types/events"
"github.com/gravitational/teleport/lib/authz"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/services"
)

Expand Down Expand Up @@ -292,6 +293,10 @@ func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.C
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -333,6 +338,10 @@ func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.U
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -374,6 +383,10 @@ func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.U
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -415,6 +428,10 @@ func (s *Service) DeleteAutoUpdateVersion(ctx context.Context, req *autoupdate.D
return nil, trace.Wrap(err)
}

if err := checkAdminCloudAccess(authCtx); err != nil {
return nil, trace.Wrap(err)
}

if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbDelete); err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -589,3 +606,14 @@ func (s *Service) emitEvent(ctx context.Context, e apievents.AuditEvent) {
)
}
}

// checkAdminCloudAccess validates if the given context has the builtin admin role if cloud feature is enabled.
func checkAdminCloudAccess(authCtx *authz.Context) error {
if modules.GetModules().Features().Cloud && !authz.HasBuiltinRole(*authCtx, string(types.RoleAdmin)) {
return trace.AccessDenied("This Teleport instance is running on Teleport Cloud. "+
"The %q resource is managed by the Teleport Cloud team. You can use the %q resource to opt-in, "+
"opt-out or configure update schedules.",
types.KindAutoUpdateVersion, types.KindAutoUpdateConfig)
}
return nil
}
2 changes: 2 additions & 0 deletions lib/services/presets.go
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,8 @@ func NewPresetEditorRole() types.Role {
types.NewRule(types.KindIdentityCenter, RW()),
types.NewRule(types.KindContact, RW()),
types.NewRule(types.KindWorkloadIdentity, RW()),
types.NewRule(types.KindAutoUpdateVersion, RW()),
types.NewRule(types.KindAutoUpdateConfig, RW()),
},
},
},
Expand Down

0 comments on commit 95ea0e9

Please sign in to comment.