From 6ce66eb5907025d4cf05899827d1b00c2a4cd556 Mon Sep 17 00:00:00 2001
From: vladimir
Date: Thu, 6 Apr 2023 21:27:11 +0200
Subject: [PATCH] * Prevent access to users with roles: , and . Provide access only for roles: and .
---
 .circleci/ci/deployment.yml | 49 -----------------
 .circleci/ci/service.yml | 21 -------
 .circleci/config.yml | 107 ------------------------------------
 bin/controller.keys.js | 16 +++---
 changes.md | 3 +
 package.json | 2 +-
 6 files changed, 13 insertions(+), 185 deletions(-)
 delete mode 100644 .circleci/ci/deployment.yml
 delete mode 100644 .circleci/ci/service.yml
 delete mode 100644 .circleci/config.yml
diff --git a/.circleci/ci/deployment.yml b/.circleci/ci/deployment.yml
deleted file mode 100644
index 55bbc103..00000000
--- a/.circleci/ci/deployment.yml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-kind: Deployment
-apiVersion: extensions/v1beta1
-metadata:
- name: ${CIRCLE_PROJECT_REPONAME}-${IMAGE_BRANCH}
- labels:
- name: ${CIRCLE_PROJECT_REPONAME}-${IMAGE_BRANCH}
- git.name: ${CIRCLE_PROJECT_REPONAME}
- git.owner: ${CIRCLE_PROJECT_USERNAME}
- git.branch: ${IMAGE_BRANCH}
-spec:
- # how many pods and indicate which strategy we want for rolling update
- replicas: 1
- minReadySeconds: 10
- template:
- metadata:
- labels:
- name: ${CIRCLE_PROJECT_REPONAME}-${IMAGE_BRANCH}
- git.name: ${CIRCLE_PROJECT_REPONAME}
- git.owner: ${CIRCLE_PROJECT_USERNAME}
- git.branch: ${IMAGE_BRANCH}
- annotations:
- container.apparmor.security.beta.kubernetes.io/sftp: runtime/default
- spec:
- serviceAccountName: "${GKE_NAMESPACE_SA}"
- containers:
- - name: sftp
- image: "${IMAGE_REPO}/${TARGET}:${IMAGE_TAG}"
- imagePullPolicy: Always
- ports:
- - name: ssh
- containerPort: 22
- resources: {}
- livenessProbe:
- tcpSocket:
- port: ssh
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 3
- failureThreshold: 2
- successThreshold: 1
- readinessProbe:
- tcpSocket:
- port: ssh
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 3
- failureThreshold: 2
- successThreshold: 1
\ No newline at end of file
diff --git a/.circleci/ci/service.yml b/.circleci/ci/service.yml
deleted file mode 100644
index 78625750..00000000
--- a/.circleci/ci/service.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ${CIRCLE_PROJECT_REPONAME}-${IMAGE_BRANCH}
- labels:
- name: ${CIRCLE_PROJECT_REPONAME}-${IMAGE_BRANCH}
- git.name: ${CIRCLE_PROJECT_REPONAME}
- git.owner: ${CIRCLE_PROJECT_USERNAME}
- git.branch: ${IMAGE_BRANCH}
-spec:
- type: LoadBalancer
- ports:
- - name: ssh
- port: 22
- targetPort: 22
- selector:
- name: ${CIRCLE_PROJECT_REPONAME}-${IMAGE_BRANCH}
- git.name: ${CIRCLE_PROJECT_REPONAME}
- git.branch: ${IMAGE_BRANCH}
-
diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 97ad5cb7..00000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,107 +0,0 @@
-defaults: &defaults
- working_directory: /rabbit-ssh
- docker:
- - image: google/cloud-sdk:alpine
- environment:
- TARGET: rabbit-ssh
-
-version: 2
-jobs:
- build:
- <<: *defaults
- steps:
- - checkout
- - run: mkdir -p workspace
- - run: echo -n "$CIRCLE_BUILD_NUM-$(git rev-parse --short HEAD)" > workspace/_tag
- - run:
- name: Set IMAGE_REPO ENV Var
- command: |
- echo "export IMAGE_REPO=gcr.io/${GOOGLE_PROJECT_ID}" >> $BASH_ENV
- echo "export IMAGE_BRANCH=$(echo $CIRCLE_BRANCH | tr -s '/' '-' | tr '[:upper:]' '[:lower:]' | tr -cd '[[:alnum:]].-')" >> $BASH_ENV
- echo "export IMAGE_TAG=$(cat workspace/_tag)" >> $BASH_ENV
- source $BASH_ENV
- - run: echo "Building $IMAGE_REPO/$TARGET:$(cat workspace/_tag)"
- - setup_remote_docker
- - run:
- name: Add apk
- command: |
- apk add --no-cache gettext docker
- - run:
- name: Store Service Account
- command: echo ${GCLOUD_SERVICE_KEY} > workspace/gcloud-service-key.json
- - run:
- name: Set gcloud auth
- command: |
- gcloud auth activate-service-account --key-file=workspace/gcloud-service-key.json
- gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
- gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
- - run:
- name: Parse CI files
- command: |
- envsubst < ci/deployment.yml > workspace/k8sdeploy.yml
- envsubst < ci/service.yml > workspace/k8ssvc.yml
- - persist_to_workspace:
- root: workspace
- paths:
- - gcloud-service-key.json
- - _tag
- - k8sdeploy.yml
- - k8ssvc.yml
- - restore_cache:
- keys:
- - v1-{{ .Branch }}
- paths:
- - /caches/app.tar
- - run:
- name: Load Docker image layer cache
- command: |
- set +o pipefail
- docker load -i /caches/app.tar | true
- - run:
- name: Build application Docker image
- command: |
- docker build --cache-from=app -t $IMAGE_REPO/$TARGET:$(cat workspace/_tag) .
- - run:
- name: Push image to Google GCR
- command: |
- gcloud auth configure-docker --quiet
- docker images
- docker push $IMAGE_REPO/$TARGET:$(cat workspace/_tag)
- - run:
- name: Save Docker image layer cache
- command: |
- mkdir -p /caches
- docker save -o /caches/app.tar $IMAGE_REPO/$TARGET:$(cat workspace/_tag)
- - save_cache:
- key: v1-{{ .Branch }}-{{ epoch }}
- paths:
- - /caches/app.tar
- deploy:
- <<: *defaults
- steps:
- - attach_workspace:
- at: /tmp/workspace
- - run:
- name: Set gcloud auth
- command: |
- gcloud auth activate-service-account --key-file=/tmp/workspace/gcloud-service-key.json
- gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
- gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
- - run:
- name: Install kubectl
- command: |
- gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME} --region us-central1 --project ${GOOGLE_PROJECT_ID}
- gcloud --quiet components install kubectl
- - run:
- name: Deploy to K8s
- command: |
- kubectl -n ${GKE_NAMESPACE} apply -f /tmp/workspace/k8ssvc.yml
- kubectl -n ${GKE_NAMESPACE} apply -f /tmp/workspace/k8sdeploy.yml
-workflows:
- version: 2
- build_and_deploy:
- jobs:
- - build
- - deploy:
- requires:
- - build
\ No newline at end of file
diff --git a/bin/controller.keys.js b/bin/controller.keys.js
index 4510531f..17088af2 100755
--- a/bin/controller.keys.js
+++ b/bin/controller.keys.js
@@ -177,13 +177,15 @@ module.exports.updateKeys = function updateKeys(options, taskCallback) {
 // get just the permissions, add users to application
 ('object' === typeof body && body.length > 0 ? body : []).forEach(function(thisUser) {
-
- _applications[data.sshUser].users[thisUser.login] = {
- _id: thisUser.login,
- permissions: thisUser.permissions
- };
- _users[thisUser.login] = _users[thisUser.login] || [];
- _users[thisUser.login].push(data._id);
+ // provide access only for users with roles: `maintain` and `admin`
+ if (thisUser.role_name == 'maintain' || thisUser.role_name == 'admin') {
+ _applications[data.sshUser].users[thisUser.login] = {
+ _id: thisUser.login,
+ permissions: thisUser.permissions
+ };
+ _users[thisUser.login] = _users[thisUser.login] || [];
+ _users[thisUser.login].push(data._id);
+ }
 });
 callback();
diff --git a/changes.md b/changes.md
index 4c82616f..18a8f0bd 100644
--- a/changes.md
+++ b/changes.md
@@ -1,3 +1,6 @@
+### 0.2.2
+* Prevent access to users with roles: `Read`, `Triage` and `Write`. Provide access only for roles: `Maintain` and `Admin`.
+
 ### 0.2.1
 * Fixed getPods endpoint for getting pods from all namespaces
diff --git a/package.json b/package.json
index d4f31ec7..7335f124 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "docker-sftp",
- "version": "0.2.1",
+ "version": "0.2.2",
 "description": "SSH tunnels to containers",
 "main": "bin/server.js",
 "scripts": {
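Review bot: The new role gate at the top of the forEach callback uses loose `==` and spells the allowed roles out twice inline, while the line just above it uses strict `===` (`'object' === typeof body`); an allow-list constant keeps this authorization decision in one auditable place, e.g. `var ALLOWED_ROLES = ['admin', 'maintain'];` before the forEach and `if (ALLOWED_ROLES.indexOf(thisUser.role_name) !== -1) {` as the condition. The match is case-sensitive and a missing or differently-cased `role_name` is silently denied, which is the right fail-closed default, but since the changelog in this same commit writes the roles as `Maintain`/`Admin`, the intent should be recorded next to the check: `// case-sensitive match on role_name; a missing or unknown role is denied (fail closed)`. It is worth confirming against the caller that the field the upstream response carries is really named `role_name`, because a rename there would deny every user rather than fail loudly. updateKeys begins before this hunk and its body continues past it.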