
Change implementation to a stricter check (address CR)
kimlisa committed Oct 29, 2024
1 parent 1d3cc54 commit a55eda3
Showing 5 changed files with 271 additions and 401 deletions.
14 changes: 7 additions & 7 deletions api/types/role.go
Expand Up @@ -1150,14 +1150,14 @@ func (r *RoleV6) CheckAndSetDefaults() error {
r.Spec.Deny.Namespaces = []string{defaults.Namespace}
}

// Validate request_mode kubernetes_resources fields are all valid.
// Validate request.kubernetes_resources fields are all valid.
if r.Spec.Allow.Request != nil {
if err := validateKubeResourcesForAccessRequestMode(r.Version, r.Spec.Allow.Request.KubernetesResources); err != nil {
if err := validateRequestKubeResources(r.Version, r.Spec.Allow.Request.KubernetesResources); err != nil {
return trace.Wrap(err)
}
}
if r.Spec.Deny.Request != nil {
if err := validateKubeResourcesForAccessRequestMode(r.Version, r.Spec.Deny.Request.KubernetesResources); err != nil {
if err := validateRequestKubeResources(r.Version, r.Spec.Deny.Request.KubernetesResources); err != nil {
return trace.Wrap(err)
}
}
Expand Down Expand Up @@ -1818,15 +1818,15 @@ func validateKubeResources(roleVersion string, kubeResources []KubernetesResourc
return nil
}

// validateKubeResourcesForAccessRequestMode validates each kubeResources entry for `allow.request.kubernetes_resources` field.
// validateRequestKubeResources validates each kubeResources entry for `allow.request.kubernetes_resources` field.
// Currently the only supported field for this particular field is:
// - Kind (belonging to KubernetesResourcesKinds)
//
// Mimics types.KubernetesResource data model, but opted to create own type as we don't support other fields yet.
func validateKubeResourcesForAccessRequestMode(roleVersion string, kubeResources []RequestKubernetesResource) error {
func validateRequestKubeResources(roleVersion string, kubeResources []RequestKubernetesResource) error {
for _, kubeResource := range kubeResources {
if !slices.Contains(KubernetesResourcesKinds, kubeResource.Kind) && kubeResource.Kind != Wildcard {
return trace.BadParameter("request_mode.kubernetes_resource kind %q is invalid or unsupported; Supported: %v", kubeResource.Kind, append([]string{Wildcard}, KubernetesResourcesKinds...))
return trace.BadParameter("request.kubernetes_resource kind %q is invalid or unsupported; Supported: %v", kubeResource.Kind, append([]string{Wildcard}, KubernetesResourcesKinds...))
}

// Only Pod resources are supported in role version <=V6.
Expand All @@ -1836,7 +1836,7 @@ func validateKubeResourcesForAccessRequestMode(roleVersion string, kubeResources
// Teleport does not support role versions < v3.
case V6, V5, V4, V3:
if kubeResource.Kind != KindKubePod {
return trace.BadParameter("request_mode.kubernetes_resources kind %q is not supported in role version %q. Upgrade the role version to %q", kubeResource.Kind, roleVersion, V7)
return trace.BadParameter("request.kubernetes_resources kind %q is not supported in role version %q. Upgrade the role version to %q", kubeResource.Kind, roleVersion, V7)
}
}
}
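Review bot: The two error messages in validateRequestKubeResources name the rejected field inconsistently — the unsupported-kind branch says `request.kubernetes_resource kind %q ...` while the role-version switch says `request.kubernetes_resources kind %q ...`; the doc comment names the field as `kubernetes_resources`, so the first message should read `request.kubernetes_resources kind %q is invalid or unsupported; Supported: %v` so an operator whose role is rejected is pointed at the actual field. The doc comment also states the function validates the `allow.request.kubernetes_resources` field, but CheckAndSetDefaults in the first hunk calls it for both the allow and deny request sections; suggest `// validateRequestKubeResources validates each entry of the allow.request.kubernetes_resources and deny.request.kubernetes_resources role fields.` The function's trailing return lies outside the last hunk.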

0 comments on commit a55eda3
