Adding rw mutexes for RBAC query proxy enforcement (#1537)

Signed-off-by: Moad Zardab <[email protected]> Co-authored-by: Moad Zardab <[email protected]> Co-authored-by: Thibault Mange <[email protected]>
stolostron · Jul 22, 2024 · ac37411 · ac37411
1 parent 934214e
commit ac37411
Showing 1 changed file with 37 additions and 4 deletions.
diff --git a/proxy/pkg/util/util.go b/proxy/pkg/util/util.go
@@ -19,6 +19,7 @@ import (
 	"regexp"
 	"sort"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/go-co-op/gocron"
@@ -53,9 +54,13 @@ type AccessReviewer interface {
 }
 
 var (
-	allManagedClusterNames      map[string]string
-	allManagedClusterLabelNames map[string]bool
-	accessReviewer              AccessReviewer
+	allManagedClusterNames    map[string]string
+	allManagedClusterNamesMtx sync.RWMutex
+
+	allManagedClusterLabelNames    map[string]bool
+	allManagedClusterLabelNamesMtx sync.RWMutex
+
+	accessReviewer AccessReviewer
 
 	managedLabelList   = proxyconfig.GetManagedClusterLabelList()
 	syncLabelList      = proxyconfig.GetSyncLabelList()
@@ -123,20 +128,29 @@ func addManagedClusterLabelNames(managedLabelList *proxyconfig.ManagedClusterLab
 	for _, key := range managedLabelList.LabelList {
 		if _, ok := allManagedClusterLabelNames[key]; !ok {
 			klog.Infof("added managedcluster label: %s", key)
+
+			allManagedClusterLabelNamesMtx.Lock()
 			allManagedClusterLabelNames[key] = true
+			allManagedClusterLabelNamesMtx.Unlock()
 
 		} else if slice.ContainsString(managedLabelList.IgnoreList, key, nil) {
 			klog.V(2).Infof("managedcluster label <%s> set to ignore, remove label from ignore list to enable.", key)
 
 		} else if isEnabled := allManagedClusterLabelNames[key]; !isEnabled {
 			klog.Infof("enabled managedcluster label: %s", key)
+
+			allManagedClusterLabelNamesMtx.Lock()
 			allManagedClusterLabelNames[key] = true
+			allManagedClusterLabelNamesMtx.Unlock()
+
 		}
 	}
 
 	managedLabelList.RegexLabelList = []string{}
 	regex := regexp.MustCompile(`[^\w]+`)
 
+	allManagedClusterLabelNamesMtx.RLock()
+	defer allManagedClusterLabelNamesMtx.RUnlock()
 	for key, isEnabled := range allManagedClusterLabelNames {
 		if isEnabled {
 			managedLabelList.RegexLabelList = append(
@@ -164,6 +178,8 @@ func ignoreManagedClusterLabelNames(managedLabelList *proxyconfig.ManagedCluster
 	managedLabelList.RegexLabelList = []string{}
 	regex := regexp.MustCompile(`[^\w]+`)
 
+	allManagedClusterLabelNamesMtx.RLock()
+	defer allManagedClusterLabelNamesMtx.RUnlock()
 	for key, isEnabled := range allManagedClusterLabelNames {
 		if isEnabled {
 			managedLabelList.RegexLabelList = append(
@@ -258,7 +274,11 @@ func GetManagedClusterEventHandler() cache.ResourceEventHandlerFuncs {
 		AddFunc: func(obj interface{}) {
 			clusterName := obj.(*clusterv1.ManagedCluster).Name
 			klog.Infof("added a managedcluster: %s \n", obj.(*clusterv1.ManagedCluster).Name)
+
+			allManagedClusterNamesMtx.Lock()
 			allManagedClusterNames[clusterName] = clusterName
+			allManagedClusterNamesMtx.Unlock()
+
 			CleanExpiredProjectInfo(1)
 
 			clusterLabels := obj.(*clusterv1.ManagedCluster).Labels
@@ -270,14 +290,21 @@ func GetManagedClusterEventHandler() cache.ResourceEventHandlerFuncs {
 		DeleteFunc: func(obj interface{}) {
 			clusterName := obj.(*clusterv1.ManagedCluster).Name
 			klog.Infof("deleted a managedcluster: %s \n", obj.(*clusterv1.ManagedCluster).Name)
+
+			allManagedClusterNamesMtx.Lock()
 			delete(allManagedClusterNames, clusterName)
+			allManagedClusterNamesMtx.Unlock()
+
 			CleanExpiredProjectInfo(1)
 		},
 
 		UpdateFunc: func(oldObj, newObj interface{}) {
 			clusterName := newObj.(*clusterv1.ManagedCluster).Name
 			klog.Infof("changed a managedcluster: %s \n", newObj.(*clusterv1.ManagedCluster).Name)
+
+			allManagedClusterNamesMtx.Lock()
 			allManagedClusterNames[clusterName] = clusterName
+			allManagedClusterNamesMtx.Unlock()
 
 			clusterLabels := newObj.(*clusterv1.ManagedCluster).Labels
 			if ok := shouldUpdateManagedClusterLabelNames(clusterLabels, managedLabelList); ok {
@@ -498,6 +525,8 @@ func getUserClusterList(projectList []string) []string {
 	}
 
 	for _, projectName := range projectList {
+		allManagedClusterLabelNamesMtx.RLock()
+		defer allManagedClusterLabelNamesMtx.RUnlock()
 		clusterName, ok := allManagedClusterNames[projectName]
 		if ok {
 			clusterList = append(clusterList, clusterName)
@@ -525,6 +554,9 @@ func GetUserMetricsACLs(userName string, token string, reqUrl string, accessRevi
 	//if metrics access contains a key  "*" then the corresponding
 	// value i.e acls  apply to all managedclusters
 	if allClusterAcls, found := metricsAccess["*"]; found {
+
+		allManagedClusterNamesMtx.RLock()
+		defer allManagedClusterNamesMtx.RUnlock()
 		for mcName := range allManagedClusterNames {
 			if clusterAcls, ok := metricsAccess[mcName]; ok {
 				for _, allClusterAclItem := range allClusterAcls {
@@ -584,8 +616,9 @@ func CanAccessAll(clusterNamespaces map[string][]string) bool {
 		return false
 	}
 
+	allManagedClusterNamesMtx.RLock()
+	defer allManagedClusterNamesMtx.RUnlock()
 	for _, clusterName := range allManagedClusterNames {
-
 		namespaces, contains := clusterNamespaces[clusterName]
 
 		//does not have access to the cluster