Make superglobbing more clear or automatic #416

Open
Jberlinsky opened this issue Nov 18, 2021 · 0 comments

Jberlinsky commented Nov 18, 2021

Some policies (i.e. `iam_allowed_bindings`) automatically convert a string with the single character `*` to a super-glob (`**`). This is unclear to users, who might assume that a wildcard (`*`) would be valid throughout the string (which it is not -- it must be explicitly set as a superglob). For context, the specific use case I am trying to solve for is ensuring that only service accounts can be owners on projects -- for which I initially wrote a constraint as follows:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_role_project_owner_to_users
  annotations:
    description: Ban any individual users from being granted Owner/Editor primative roles
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.05
spec:
  severity: high
  match:
    target:
    - "organizations/**"
    exclude: [] # optional, default is no exclusions
  parameters:
    mode: denylist
    members:
    - "user:*"
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner
```

This does not work as expected. A constraint that achieves the desired result reads as follows (note the one-character difference in the first `members` entry):

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_role_project_owner_to_users
  annotations:
    description: Ban any individual users from being granted Owner/Editor primative roles
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.05
spec:
  severity: high
  match:
    target:
    - "organizations/**"
    exclude: [] # optional, default is no exclusions
  parameters:
    mode: denylist
    members:
    - "user:**"
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner
```

I see two possible solutions here:

1. Mention this developer experience friction in a README, or make it more clear in samples. This feels like a band-aid, but could be a stopgap to avoid farther-reaching changes.
2. Ensure that single wildcards are always converted to the super-glob as necessary -- for the particular policy I was working with, https://github.com/GoogleCloudPlatform/policy-library/blob/master/policies/templates/gcp_iam_allowed_bindings.yaml#L140 seems to only `s/^\*$/\*\*/`, and we might reasonably consider `s/\*/\*\*/g` to be the better solution.
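The following is an added illustration, not code from the issue or from policy-library: a small model of why `user:*` and `user:**` behave differently, and of the two normalization rules the issue compares. It assumes the member pattern is evaluated with OPA-style `glob.match` semantics, where `*` cannot cross a delimiter and `**` can, and that the delimiter in play is `.` (OPA's default when none is given); the template's real delimiter set is not stated on the page, so that is an assumption.

```python
import re

# Assumed delimiter set (OPA's glob.match default when no delimiters are passed).
DEFAULT_DELIMITERS = (".",)


def glob_to_regex(pattern: str, delimiters=DEFAULT_DELIMITERS) -> re.Pattern:
    """Compile a delimiter-aware glob: '*' stops at delimiters, '**' does not."""
    delim_class = re.escape("".join(delimiters))
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")                 # super-glob: matches across delimiters
            i += 2
        elif pattern[i] == "*":
            out.append(f"[^{delim_class}]*")  # plain glob: no delimiter allowed
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def glob_match(pattern: str, value: str, delimiters=DEFAULT_DELIMITERS) -> bool:
    return glob_to_regex(pattern, delimiters).match(value) is not None


def normalize_current(member: str) -> str:
    # Behaviour the issue describes today: only a bare "*" becomes "**" (s/^\*$/\*\*/).
    return re.sub(r"^\*$", "**", member)


def normalize_proposed(member: str) -> str:
    # Proposed behaviour: every "*" becomes a super-glob. Runs of "*" are collapsed
    # first so that a literal s/\*/\*\*/g does not turn an existing "**" into "****".
    return re.sub(r"\*+", "**", member)


def member_denied(member_patterns, member: str, normalize=normalize_current) -> bool:
    """A denylist constraint fires when any normalized member pattern matches."""
    return any(glob_match(normalize(p), member) for p in member_patterns)


if __name__ == "__main__":
    user = "user:alice@example.com"  # constructed sample member
    print("user:*  denies:", member_denied(["user:*"], user))                      # False
    print("user:** denies:", member_denied(["user:**"], user))                     # True
    print("user:*  denies (proposed):", member_denied(["user:*"], user, normalize_proposed))  # True
```

With the `.` delimiter the plain glob in `user:*` stops at `example.com`, so the first constraint silently matches nothing, which is the failure the issue reports.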
@Jberlinsky Jberlinsky changed the title Make superglobbing more clear Make superglobbing more clear or automatic Nov 18, 2021