kobsio · ricoberger · Jun 13, 2022 · Jun 13, 2022 · Jun 13, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ NOTE: As semantic versioning states all 0.y.z releases can contain breaking chan
 ### Changed
 
 - [#346](https://github.com/kobsio/kobs/pull/346): [app] :warning: _Breaking change:_ :warning: Rework kobs architecture, by introducing a `hub` and a `satellite` component. This new architecture allows us to run the kobs `hub` component in a central cluster and access clusters / services (plugins) through the kobs `satellite` component. More information regarding the new kobs architecture can be found in the documentation at [kobs.io](https://kobs.io).
+- [#348](https://github.com/kobsio/kobs/pull/348): [app] Update permission handling.
 
 ## [v0.8.0](https://github.com/kobsio/kobs/releases/tag/v0.8.0) (2022-03-24)
 

diff --git a/deploy/helm/hub/Chart.yaml b/deploy/helm/hub/Chart.yaml
@@ -4,5 +4,5 @@ description: Kubernetes Observability Platform
 type: application
 home: https://kobs.io
 icon: https://kobs.io/assets/images/logo.svg
-version: 0.14.3
+version: 0.14.4
 appVersion: v0.8.0
diff --git a/deploy/helm/satellite/Chart.yaml b/deploy/helm/satellite/Chart.yaml
@@ -4,5 +4,5 @@ description: Kubernetes Observability Platform
 type: application
 home: https://kobs.io
 icon: https://kobs.io/assets/images/logo.svg
-version: 0.14.3
+version: 0.14.4
 appVersion: v0.8.0
diff --git a/deploy/helm/satellite/crds/kobs.io_teams.yaml b/deploy/helm/satellite/crds/kobs.io_teams.yaml
@@ -188,9 +188,6 @@ spec:
                         type:
                           type: string
                       required:
-                      - clusters
-                      - namespaces
-                      - satellites
                       - type
                       type: object
                     type: array
@@ -203,9 +200,12 @@ spec:
                           x-kubernetes-preserve-unknown-fields: true
                         satellite:
                           type: string
+                        type:
+                          type: string
                       required:
                       - name
                       - satellite
+                      - type
                       type: object
                     type: array
                   resources:
@@ -243,11 +243,6 @@ spec:
                     items:
                       type: string
                     type: array
-                required:
-                - applications
-                - plugins
-                - resources
-                - teams
                 type: object
               satellite:
                 type: string

diff --git a/deploy/helm/satellite/crds/kobs.io_users.yaml b/deploy/helm/satellite/crds/kobs.io_users.yaml
@@ -172,9 +172,6 @@ spec:
                         type:
                           type: string
                       required:
-                      - clusters
-                      - namespaces
-                      - satellites
                       - type
                       type: object
                     type: array
@@ -187,9 +184,12 @@ spec:
                           x-kubernetes-preserve-unknown-fields: true
                         satellite:
                           type: string
+                        type:
+                          type: string
                       required:
                       - name
                       - satellite
+                      - type
                       type: object
                     type: array
                   resources:
@@ -227,11 +227,6 @@ spec:
                     items:
                       type: string
                     type: array
-                required:
-                - applications
-                - plugins
-                - resources
-                - teams
                 type: object
               satellite:
                 type: string

diff --git a/deploy/kustomize/crds/kobs.io_teams.yaml b/deploy/kustomize/crds/kobs.io_teams.yaml
@@ -188,9 +188,6 @@ spec:
                         type:
                           type: string
                       required:
-                      - clusters
-                      - namespaces
-                      - satellites
                       - type
                       type: object
                     type: array
@@ -203,9 +200,12 @@ spec:
                           x-kubernetes-preserve-unknown-fields: true
                         satellite:
                           type: string
+                        type:
+                          type: string
                       required:
                       - name
                       - satellite
+                      - type
                       type: object
                     type: array
                   resources:
@@ -243,11 +243,6 @@ spec:
                     items:
                       type: string
                     type: array
-                required:
-                - applications
-                - plugins
-                - resources
-                - teams
                 type: object
               satellite:
                 type: string

diff --git a/deploy/kustomize/crds/kobs.io_users.yaml b/deploy/kustomize/crds/kobs.io_users.yaml
@@ -172,9 +172,6 @@ spec:
                         type:
                           type: string
                       required:
-                      - clusters
-                      - namespaces
-                      - satellites
                       - type
                       type: object
                     type: array
@@ -187,9 +184,12 @@ spec:
                           x-kubernetes-preserve-unknown-fields: true
                         satellite:
                           type: string
+                        type:
+                          type: string
                       required:
                       - name
                       - satellite
+                      - type
                       type: object
                     type: array
                   resources:
@@ -227,11 +227,6 @@ spec:
                     items:
                       type: string
                     type: array
-                required:
-                - applications
-                - plugins
-                - resources
-                - teams
                 type: object
               satellite:
                 type: string

diff --git a/pkg/hub/api/plugins/plugins.go b/pkg/hub/api/plugins/plugins.go
@@ -2,6 +2,7 @@ package plugins
 
 import (
 	"net/http"
+	"strings"
 
 	authContext "github.com/kobsio/kobs/pkg/hub/middleware/userauth/context"
 	"github.com/kobsio/kobs/pkg/hub/satellites"
@@ -41,6 +42,13 @@ func (router *Router) getPlugins(w http.ResponseWriter, r *http.Request) {
 func (router *Router) proxyPlugins(w http.ResponseWriter, r *http.Request) {
 	satelliteName := r.Header.Get("x-kobs-satellite")
 	pluginName := r.Header.Get("x-kobs-plugin")
+	pluginType := strings.Split(r.URL.RawPath, "/")
+
+	if len(pluginType) < 4 {
+		log.Warn(r.Context(), "The user is not authorized to access the plugin", zap.String("satellite", satelliteName), zap.String("plugin", pluginName), zap.Strings("pluginTypes", pluginType))
+		errresponse.Render(w, r, nil, http.StatusUnauthorized, "You are not authorized to access the plugin")
+		return
+	}
 
 	if satelliteName == "" && pluginName == "" {
 		satelliteName = r.URL.Query().Get("x-kobs-satellite")
@@ -49,20 +57,20 @@ func (router *Router) proxyPlugins(w http.ResponseWriter, r *http.Request) {
 
 	user, err := authContext.GetUser(r.Context())
 	if err != nil {
-		log.Warn(r.Context(), "The user is not authorized to access the plugin", zap.String("satellite", satelliteName), zap.String("plugin", pluginName), zap.Error(err))
+		log.Warn(r.Context(), "The user is not authorized to access the plugin", zap.String("satellite", satelliteName), zap.String("plugin", pluginName), zap.String("pluginType", pluginType[3]), zap.Error(err))
 		errresponse.Render(w, r, err, http.StatusUnauthorized, "You are not authorized to access the plugin")
 		return
 	}
 
-	if !user.HasPluginAccess(satelliteName, pluginName) {
-		log.Warn(r.Context(), "The user is not allowed to access the plugin", zap.String("satellite", satelliteName), zap.String("plugin", pluginName), zap.Error(err))
+	if !user.HasPluginAccess(satelliteName, pluginType[3], pluginName) {
+		log.Warn(r.Context(), "The user is not allowed to access the plugin", zap.String("satellite", satelliteName), zap.String("plugin", pluginName), zap.String("pluginType", pluginType[3]), zap.Error(err))
 		errresponse.Render(w, r, err, http.StatusForbidden, "You are not allowed to access the plugin")
 		return
 	}
 
 	satellite := router.satellitesClient.GetSatellite(satelliteName)
 	if satellite == nil {
-		log.Error(r.Context(), "Satellite was not found", zap.String("satellite", satelliteName), zap.String("plugin", pluginName))
+		log.Error(r.Context(), "Satellite was not found", zap.String("satellite", satelliteName), zap.String("plugin", pluginName), zap.String("pluginType", pluginType[3]))
 		errresponse.Render(w, r, nil, http.StatusInternalServerError, "Satellite was not found")
 		return
 	}

diff --git a/pkg/hub/api/teams/teams_test.go b/pkg/hub/api/teams/teams_test.go
@@ -71,7 +71,7 @@ func TestGetTeams(t *testing.T) {
 			name:               "get all teams",
 			url:                "/teams?all=true",
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "[{\"group\":\"team1\",\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}},{\"group\":\"team2\",\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}},{\"group\":\"team3\",\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}]\n",
+			expectedBody:       "[{\"group\":\"team1\",\"permissions\":{}},{\"group\":\"team2\",\"permissions\":{}},{\"group\":\"team3\",\"permissions\":{}}]\n",
 			prepare: func(t *testing.T, mockStoreClient *store.MockClient) {
 				mockStoreClient.On("GetTeams", mock.Anything).Return([]teamv1.TeamSpec{{Group: "team1"}, {Group: "team2"}, {Group: "team3"}, {Group: "team1"}, {Group: "team2"}}, nil)
 				mockStoreClient.AssertNotCalled(t, "GetTeamsByGroups", mock.Anything, mock.Anything)
@@ -99,7 +99,7 @@ func TestGetTeams(t *testing.T) {
 			name:               "get own teams",
 			url:                "/teams",
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "[{\"group\":\"team1\",\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}]\n",
+			expectedBody:       "[{\"group\":\"team1\",\"permissions\":{}}]\n",
 			prepare: func(t *testing.T, mockStoreClient *store.MockClient) {
 				mockStoreClient.AssertNotCalled(t, "GetTeams", mock.Anything)
 				mockStoreClient.On("GetTeamsByGroups", mock.Anything, []string{"team1"}).Return([]teamv1.TeamSpec{{Group: "team1"}, {Group: "team1"}}, nil)
@@ -181,7 +181,7 @@ func TestGetTeam(t *testing.T) {
 			name:               "get team",
 			url:                "/teams/team?group=team1",
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "{\"group\":\"team1\",\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}\n",
+			expectedBody:       "{\"group\":\"team1\",\"permissions\":{}}\n",
 			prepare: func(t *testing.T, mockStoreClient *store.MockClient) {
 				mockStoreClient.On("GetTeamByGroup", mock.Anything, "team1").Return(&teamv1.TeamSpec{Group: "team1"}, nil)
 			},

diff --git a/pkg/hub/hub.go b/pkg/hub/hub.go
@@ -88,7 +88,7 @@ func New(debugUsername, debugPassword, hubAddress string, authEnabled bool, auth
 		r.Use(middleware.URLFormat)
 		r.Use(metrics.Metrics)
 		r.Use(httplog.Logger)
-		r.Use(userauth.Handler(authEnabled, authHeaderUser, authHeaderTeams, authSessionToken, authSessionInterval, nil))
+		r.Use(userauth.Handler(authEnabled, authHeaderUser, authHeaderTeams, authSessionToken, authSessionInterval, storeClient))
 		r.Use(render.SetContentType(render.ContentTypeJSON))
 
 		r.Mount("/auth", userauth.Mount(authLogoutRedirect))

diff --git a/pkg/hub/middleware/userauth/auth.go b/pkg/hub/middleware/userauth/auth.go
@@ -113,6 +113,8 @@ func (a *Auth) Handler(next http.Handler) http.Handler {
 				http.SetCookie(w, &http.Cookie{
 					Name:     "kobs-auth",
 					Value:    token,
+					Path:     "/",
+					Expires:  time.Now().Add(a.sessionInterval),
 					Secure:   true,
 					HttpOnly: true,
 				})
@@ -144,6 +146,8 @@ func (a *Auth) Handler(next http.Handler) http.Handler {
 					http.SetCookie(w, &http.Cookie{
 						Name:     "kobs-auth",
 						Value:    token,
+						Path:     "/",
+						Expires:  time.Now().Add(a.sessionInterval),
 						Secure:   true,
 						HttpOnly: true,
 					})
@@ -162,7 +166,7 @@ func (a *Auth) Handler(next http.Handler) http.Handler {
 				Permissions: userv1.Permissions{
 					Applications: []userv1.ApplicationPermissions{{Type: "all"}},
 					Teams:        []string{"*"},
-					Plugins:      []userv1.Plugin{{Satellite: "*", Name: "*"}},
+					Plugins:      []userv1.Plugin{{Satellite: "*", Type: "*", Name: "*"}},
 					Resources:    []userv1.Resources{{Satellites: []string{"*"}, Clusters: []string{"*"}, Namespaces: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}},
 				},
 			})

diff --git a/pkg/hub/middleware/userauth/auth_test.go b/pkg/hub/middleware/userauth/auth_test.go
@@ -86,7 +86,7 @@ func TestAuthHandler(t *testing.T) {
 			name:               "auth disabled",
 			auth:               Auth{enabled: false},
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "{\"email\":\"\",\"teams\":[\"*\"],\"permissions\":{\"applications\":[{\"type\":\"all\",\"satellites\":null,\"clusters\":null,\"namespaces\":null}],\"teams\":[\"*\"],\"plugins\":[{\"satellite\":\"*\",\"name\":\"*\",\"permissions\":null}],\"resources\":[{\"satellites\":[\"*\"],\"clusters\":[\"*\"],\"namespaces\":[\"*\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}}\n",
+			expectedBody:       "{\"email\":\"\",\"teams\":[\"*\"],\"permissions\":{\"applications\":[{\"type\":\"all\"}],\"teams\":[\"*\"],\"plugins\":[{\"satellite\":\"*\",\"name\":\"*\",\"type\":\"*\",\"permissions\":null}],\"resources\":[{\"satellites\":[\"*\"],\"clusters\":[\"*\"],\"namespaces\":[\"*\"],\"resources\":[\"*\"],\"verbs\":[\"*\"]}]}}\n",
 			prepareRequest:     func(r *http.Request) {},
 			prepareStoreClient: func(mockStoreClient *store.MockClient) {},
 		},
@@ -145,7 +145,7 @@ func TestAuthHandler(t *testing.T) {
 			name:               "auth enabled, request without cookie, success",
 			auth:               Auth{enabled: true, headerUser: "X-Auth-Request-Email"},
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "{\"email\":\"user1@kobs.io\",\"teams\":null,\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}\n",
+			expectedBody:       "{\"email\":\"user1@kobs.io\",\"teams\":null,\"permissions\":{}}\n",
 			prepareRequest: func(r *http.Request) {
 				r.Header.Add("X-Auth-Request-Email", "user1@kobs.io")
 			},
@@ -189,7 +189,7 @@ func TestAuthHandler(t *testing.T) {
 			name:               "auth enabled, request with cookie, validate token error, success",
 			auth:               Auth{enabled: true, headerUser: "X-Auth-Request-Email"},
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "{\"email\":\"user1@kobs.io\",\"teams\":null,\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}\n",
+			expectedBody:       "{\"email\":\"user1@kobs.io\",\"teams\":null,\"permissions\":{}}\n",
 			prepareRequest: func(r *http.Request) {
 				token, _ := jwt.CreateToken(authContext.User{}, "sessionToken", 10*time.Second)
 				r.AddCookie(&http.Cookie{Name: "kobs-auth", Value: token})
@@ -204,7 +204,7 @@ func TestAuthHandler(t *testing.T) {
 			name:               "auth enabled, request with cookie, valid token, success",
 			auth:               Auth{enabled: true, headerUser: "X-Auth-Request-Email"},
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "{\"email\":\"user1@kobs.io\",\"teams\":null,\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}\n",
+			expectedBody:       "{\"email\":\"user1@kobs.io\",\"teams\":null,\"permissions\":{}}\n",
 			prepareRequest: func(r *http.Request) {
 				token, _ := jwt.CreateToken(authContext.User{Email: "user1@kobs.io"}, "", 10*time.Minute)
 				r.AddCookie(&http.Cookie{Name: "kobs-auth", Value: token})

diff --git a/pkg/hub/middleware/userauth/context/context.go b/pkg/hub/middleware/userauth/context/context.go
@@ -77,11 +77,13 @@ func (u *User) HasTeamAccess(teamGroup string) bool {
 }
 
 // HasPluginAccess checks if the user has access to the given plugin.
-func (u *User) HasPluginAccess(satellite, plugin string) bool {
+func (u *User) HasPluginAccess(satellite, pluginType, pluginName string) bool {
 	for _, p := range u.Permissions.Plugins {
 		if p.Satellite == satellite || p.Satellite == "*" {
-			if p.Name == plugin || p.Name == "*" {
-				return true
+			if p.Type == pluginType || p.Type == "*" {
+				if p.Name == pluginName || p.Name == "*" {
+					return true
+				}
 			}
 		}
 	}

diff --git a/pkg/hub/middleware/userauth/context/context_test.go b/pkg/hub/middleware/userauth/context/context_test.go
@@ -11,7 +11,7 @@ import (
 
 func TestToString(t *testing.T) {
 	u := User{Email: "test1"}
-	require.Equal(t, "{\"email\":\"test1\",\"teams\":null,\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}", u.ToString())
+	require.Equal(t, "{\"email\":\"test1\",\"teams\":null,\"permissions\":{}}", u.ToString())
 }
 
 func TestHasApplicationAccess(t *testing.T) {
@@ -60,16 +60,18 @@ func TestHasPluginAccess(t *testing.T) {
 		user              User
 		expectedHasAccess bool
 	}{
-		{user: User{Email: "user1@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Name: "*"}}}}, expectedHasAccess: true},
-		{user: User{Email: "user2@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Name: "plugin1"}}}}, expectedHasAccess: true},
-		{user: User{Email: "user3@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Name: "plugin1"}, {Satellite: "*", Name: "plugin2"}}}}, expectedHasAccess: true},
-		{user: User{Email: "user4@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Name: "plugin2"}}}}, expectedHasAccess: false},
-		{user: User{Email: "user5@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Name: "plugin2"}, {Satellite: "*", Name: "*"}}}}, expectedHasAccess: true},
-		{user: User{Email: "user6@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "test-satellite1", Name: "*"}}}}, expectedHasAccess: true},
-		{user: User{Email: "user7@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "test-satellite2", Name: "*"}}}}, expectedHasAccess: false},
+		{user: User{Email: "user1@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Type: "prometheus", Name: "*"}}}}, expectedHasAccess: true},
+		{user: User{Email: "user2@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Type: "prometheus", Name: "plugin1"}}}}, expectedHasAccess: true},
+		{user: User{Email: "user3@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Type: "prometheus", Name: "plugin1"}, {Satellite: "*", Type: "prometheus", Name: "plugin2"}}}}, expectedHasAccess: true},
+		{user: User{Email: "user4@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Type: "prometheus", Name: "plugin2"}}}}, expectedHasAccess: false},
+		{user: User{Email: "user5@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Type: "prometheus", Name: "plugin2"}, {Satellite: "*", Type: "prometheus", Name: "*"}}}}, expectedHasAccess: true},
+		{user: User{Email: "user6@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "test-satellite1", Type: "prometheus", Name: "*"}}}}, expectedHasAccess: true},
+		{user: User{Email: "user7@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "test-satellite2", Type: "prometheus", Name: "*"}}}}, expectedHasAccess: false},
+		{user: User{Email: "user1@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Type: "klogs", Name: "*"}}}}, expectedHasAccess: false},
+		{user: User{Email: "user1@kobs.io", Permissions: userv1.Permissions{Plugins: []userv1.Plugin{{Satellite: "*", Type: "*", Name: "*"}}}}, expectedHasAccess: true},
 	} {
 		t.Run(tt.user.Email, func(t *testing.T) {
-			actualHasAccess := tt.user.HasPluginAccess("test-satellite1", "plugin1")
+			actualHasAccess := tt.user.HasPluginAccess("test-satellite1", "prometheus", "plugin1")
 			require.Equal(t, tt.expectedHasAccess, actualHasAccess)
 		})
 	}

diff --git a/pkg/hub/middleware/userauth/router_test.go b/pkg/hub/middleware/userauth/router_test.go
@@ -22,7 +22,7 @@ func TestUserAuthHandler(t *testing.T) {
 			name:               "get user",
 			user:               authContext.User{},
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "{\"email\":\"\",\"teams\":null,\"permissions\":{\"applications\":null,\"teams\":null,\"plugins\":null,\"resources\":null}}\n",
+			expectedBody:       "{\"email\":\"\",\"teams\":null,\"permissions\":{}}\n",
 		},
 		{
 			name:               "could not get user",