Merge pull request #757 from samanthajayasinghe/sesion-policy-prio

[SREP-1313] feat: Move the inline session policy to the last hop of the assume role sequence

Author: openshift-merge-bot[bot]

cmd/ocm-backplane/cloud/common.go

@@ -46,6 +46,10 @@ var GetCallerIdentity = func(client *sts.Client) error {
 	return err
 }
 
+// CheckEgressIP checks the egress IP of the client
+// This is a wrapper around checkEgressIPImpl to allow for easy mocking
+var CheckEgressIP = checkEgressIPImpl
+
 // QueryConfig Wrapper for the configuration needed for cloud requests
 type QueryConfig struct {
 	config.BackplaneConfiguration
@@ -313,6 +317,11 @@ func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials
 		return aws.Credentials{}, fmt.Errorf("failed to unmarshal response: %w", err)
 	}
 
+	inlinePolicy, err := verifyTrustedIPAndGetPolicy(cfg)
+	if err != nil {
+		return aws.Credentials{}, err
+	}
+
 	assumeRoleArnSessionSequence := make([]awsutil.RoleArnSession, 0, len(roleChainResponse.AssumptionSequence))
 	for _, namedRoleArnEntry := range roleChainResponse.AssumptionSequence {
 		roleArnSession := awsutil.RoleArnSession{RoleArn: namedRoleArnEntry.Arn}
@@ -325,6 +334,7 @@ func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials
 		roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
 		if namedRoleArnEntry.Name == CustomerRoleArnName {
 			roleArnSession.IsCustomerRole = true
+
 			// Add the session policy ARN for selected roles
 			if roleChainResponse.SessionPolicyArn != "" {
 				logger.Debugf("Adding session policy ARN for role %s: %s", namedRoleArnEntry.Name, roleChainResponse.SessionPolicyArn)
@@ -333,7 +343,10 @@ func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials
 						Arn: aws.String(roleChainResponse.SessionPolicyArn),
 					},
 				}
+			} else {
+				roleArnSession.Policy = &inlinePolicy
 			}
+
 		} else {
 			roleArnSession.IsCustomerRole = false
 		}
@@ -347,53 +360,60 @@ func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials
 		Credentials: NewStaticCredentialsProvider(seedCredentials.AccessKeyID, seedCredentials.SecretAccessKey, seedCredentials.SessionToken),
 	})
 
+	targetCredentials, err := AssumeRoleSequence(
+		seedClient,
+		assumeRoleArnSessionSequence,
+		cfg.BackplaneConfiguration.ProxyURL,
+		awsutil.DefaultSTSClientProviderFunc,
+	)
+	if err != nil {
+		return aws.Credentials{}, fmt.Errorf("failed to assume role sequence: %w", err)
+	}
+	return targetCredentials, nil
+}
+
+// verifyTrustedIPAndGetPolicy verifies that the client IP is in the trusted IP range
+// and returns the inline policy for the trusted IPs
+func verifyTrustedIPAndGetPolicy(cfg *QueryConfig) (awsutil.PolicyDocument, error) {
 	var proxyURL *url.URL
 
 	if cfg.BackplaneConfiguration.ProxyURL != nil {
+		var err error
 		proxyURL, err = url.Parse(*cfg.BackplaneConfiguration.ProxyURL)
 		if err != nil {
-			return aws.Credentials{}, fmt.Errorf("failed to parse proxy URL: %w", err)
+			return awsutil.PolicyDocument{}, fmt.Errorf("failed to parse proxy URL: %w", err)
 		}
 	}
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			Proxy: http.ProxyURL(proxyURL),
 		},
 	}
-	clientIP, err := checkEgressIP(httpClient, "https://checkip.amazonaws.com/")
+	clientIP, err := CheckEgressIP(httpClient, "https://checkip.amazonaws.com/")
 	if err != nil {
-		return aws.Credentials{}, fmt.Errorf("failed to determine client IP: %w", err)
+		return awsutil.PolicyDocument{}, fmt.Errorf("failed to determine client IP: %w", err)
 	}
 
 	trustedRange, err := getTrustedIPList(cfg.OcmConnection)
 	if err != nil {
-		return aws.Credentials{}, err
+		return awsutil.PolicyDocument{}, err
 	}
 
 	err = verifyIPTrusted(clientIP, trustedRange)
 	if err != nil {
-		return aws.Credentials{}, err
+		return awsutil.PolicyDocument{}, err
 	}
 
 	inlinePolicy, err := getTrustedIPInlinePolicy(trustedRange)
 	if err != nil {
-		return aws.Credentials{}, fmt.Errorf("failed to build inline policy: %w", err)
+		return awsutil.PolicyDocument{}, fmt.Errorf("failed to build inline policy: %w", err)
 	}
 
-	targetCredentials, err := AssumeRoleSequence(
-		seedClient,
-		assumeRoleArnSessionSequence,
-		cfg.BackplaneConfiguration.ProxyURL,
-		awsutil.DefaultSTSClientProviderFunc,
-		&inlinePolicy,
-	)
-	if err != nil {
-		return aws.Credentials{}, fmt.Errorf("failed to assume role sequence: %w", err)
-	}
-	return targetCredentials, nil
+	return inlinePolicy, nil
 }
 
-func checkEgressIP(client *http.Client, url string) (net.IP, error) {
+// checkEgressIPImpl checks the egress IP of the client
+func checkEgressIPImpl(client *http.Client, url string) (net.IP, error) {
 	resp, err := client.Get(url)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch IP: %w", err)

cmd/ocm-backplane/cloud/common_test.go

@@ -285,15 +285,15 @@ var _ = Describe("getIsolatedCredentials", func() {
 			defer server.Close()
 
 			client := &http.Client{}
-			ip, err := checkEgressIP(client, server.URL)
+			ip, err := CheckEgressIP(client, server.URL)
 
 			Expect(err).NotTo(HaveOccurred())
 			Expect(ip).To(Equal(net.ParseIP(mockIP)))
 		})
 		It("should return an error when the HTTP GET fails", func() {
 			client = &http.Client{}
 			// Invalid URL to force error
-			ip, err := checkEgressIP(client, "http://invalid_url")
+			ip, err := CheckEgressIP(client, "http://invalid_url")
 			Expect(err).To(HaveOccurred())
 			Expect(ip).To(BeNil())
 		})
@@ -303,7 +303,7 @@ var _ = Describe("getIsolatedCredentials", func() {
 			}))
 			client = server.Client()
 
-			ip, err := checkEgressIP(client, server.URL)
+			ip, err := CheckEgressIP(client, server.URL)
 			Expect(err).To(MatchError(ContainSubstring("failed to parse IP")))
 			Expect(ip).To(BeNil())
 		})
@@ -359,6 +359,85 @@ var _ = Describe("getIsolatedCredentials", func() {
 			Expect(err).To(BeNil())
 		})
 	})
+
+	Context("Execute verifyTrustedIPAndGetPolicy", func() {
+		It("should successfully verify IP and return policy when IP is in trusted range", func() {
+			// Mock the IP check to return a valid IP
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				fmt.Fprint(w, "209.10.10.10") // IP that matches our test trusted range
+			}))
+			defer server.Close()
+
+			// Override the checkEgressIP function to use our test server
+			originalCheckEgressIP := CheckEgressIP
+			CheckEgressIP = func(client *http.Client, url string) (net.IP, error) {
+				return originalCheckEgressIP(client, server.URL)
+			}
+			defer func() {
+				CheckEgressIP = originalCheckEgressIP
+			}()
+
+			// Set up expected trusted IP list
+			ip1 := cmv1.NewTrustedIp().ID("209.10.10.10").Enabled(true)
+			expectedIPList, err := cmv1.NewTrustedIpList().Items(ip1).Build()
+			Expect(err).To(BeNil())
+			mockOcmInterface.EXPECT().GetTrustedIPList(gomock.Any()).Return(expectedIPList, nil)
+
+			// Call the function
+			policy, err := verifyTrustedIPAndGetPolicy(&testQueryConfig)
+
+			// Verify success
+			Expect(err).To(BeNil())
+			Expect(policy.Version).To(Equal("2012-10-17"))
+			Expect(len(policy.Statement)).To(BeNumerically(">", 0))
+		})
+
+		It("should fail when client IP is not in trusted range", func() {
+			// Mock the IP check to return an untrusted IP
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				fmt.Fprint(w, "192.168.1.1") // IP that doesn't match our test trusted range
+			}))
+			defer server.Close()
+
+			// Override the checkEgressIP function to use our test server
+			originalCheckEgressIP := CheckEgressIP
+			CheckEgressIP = func(client *http.Client, url string) (net.IP, error) {
+				return originalCheckEgressIP(client, server.URL)
+			}
+			defer func() {
+				CheckEgressIP = originalCheckEgressIP
+			}()
+
+			// Set up expected trusted IP list (only has 209.x.x.x IPs)
+			ip1 := cmv1.NewTrustedIp().ID("209.10.10.10").Enabled(true)
+			expectedIPList, err := cmv1.NewTrustedIpList().Items(ip1).Build()
+			Expect(err).To(BeNil())
+			mockOcmInterface.EXPECT().GetTrustedIPList(gomock.Any()).Return(expectedIPList, nil)
+
+			// Call the function
+			_, err = verifyTrustedIPAndGetPolicy(&testQueryConfig)
+
+			// Verify failure
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("client IP 192.168.1.1 is not in the trusted IP range"))
+		})
+
+		It("should fail when proxy URL is invalid", func() {
+			// Set an invalid proxy URL
+			invalidProxyURL := "://invalid-url"
+			testQueryConfig.BackplaneConfiguration.ProxyURL = &invalidProxyURL
+
+			// Call the function
+			_, err := verifyTrustedIPAndGetPolicy(&testQueryConfig)
+
+			// Verify failure
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("failed to parse proxy URL"))
+
+			// Reset proxy URL
+			testQueryConfig.BackplaneConfiguration.ProxyURL = nil
+		})
+	})
 })
 
 // newTestCluster assembles a *cmv1.Cluster while handling the error to help out with inline test-case generation
@@ -537,6 +616,19 @@ var _ = Describe("PolicyARNs Integration", func() {
 
 	// Helper function to simulate the getIsolatedCredentials logic
 	simulateGetIsolatedCredentialsLogic := func(roleChainResponse assumeChainResponse) []awsutil.RoleArnSession {
+		// Create a mock inline policy for testing
+		mockInlinePolicy := &awsutil.PolicyDocument{
+			Version: "2012-10-17",
+			Statement: []awsutil.PolicyStatement{
+				{
+					Sid:      "TestPolicy",
+					Effect:   "Allow",
+					Action:   []string{"s3:GetObject"},
+					Resource: aws.String("*"),
+				},
+			},
+		}
+
 		assumeRoleArnSessionSequence := make([]awsutil.RoleArnSession, 0, len(roleChainResponse.AssumptionSequence))
 		for _, namedRoleArnEntry := range roleChainResponse.AssumptionSequence {
 			roleArnSession := awsutil.RoleArnSession{RoleArn: namedRoleArnEntry.Arn}
@@ -550,14 +642,18 @@ var _ = Describe("PolicyARNs Integration", func() {
 			roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
 			if namedRoleArnEntry.Name == CustomerRoleArnName {
 				roleArnSession.IsCustomerRole = true
+
 				// Add the session policy ARN for selected roles
 				if roleChainResponse.SessionPolicyArn != "" {
 					roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
 						{
 							Arn: aws.String(roleChainResponse.SessionPolicyArn),
 						},
 					}
+				} else {
+					roleArnSession.Policy = mockInlinePolicy
 				}
+
 			} else {
 				roleArnSession.IsCustomerRole = false
 			}
@@ -591,6 +687,8 @@ var _ = Describe("PolicyARNs Integration", func() {
 			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
 			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
 			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(testSessionPolicyArn))
+			// Verify that Policy is nil when SessionPolicyArn is used
+			Expect(customerRole.Policy).To(BeNil())
 		})
 
 		It("should not set PolicyARNs for non-customer roles", func() {
@@ -613,6 +711,8 @@ var _ = Describe("PolicyARNs Integration", func() {
 			Expect(supportRole.IsCustomerRole).To(BeFalse())
 			Expect(supportRole.Name).To(Equal("Support-Role-Arn"))
 			Expect(len(supportRole.PolicyARNs)).To(Equal(0))
+			// Verify that Policy is nil for non-customer roles
+			Expect(supportRole.Policy).To(BeNil())
 		})
 
 		// Generated by Cursor
@@ -636,6 +736,69 @@ var _ = Describe("PolicyARNs Integration", func() {
 			Expect(customerRole.IsCustomerRole).To(BeTrue())
 			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
 			Expect(len(customerRole.PolicyARNs)).To(Equal(0))
+			// Verify that Policy is set when SessionPolicyArn is empty
+			Expect(customerRole.Policy).ToNot(BeNil())
+		})
+	})
+
+	Context("when verifying roleArnSession.Policy field behavior", func() {
+		It("should set Policy only for customer roles without SessionPolicyArn", func() {
+			// Test customer role with SessionPolicyArn - Policy should be nil
+			roleChainResponseWithArn := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponseWithArn)
+			customerRoleWithArn := assumeRoleArnSessionSequence[0]
+
+			Expect(customerRoleWithArn.IsCustomerRole).To(BeTrue())
+			Expect(customerRoleWithArn.Policy).To(BeNil()) // Policy should be nil when SessionPolicyArn is used
+			Expect(len(customerRoleWithArn.PolicyARNs)).To(Equal(1))
+
+			// Test customer role without SessionPolicyArn - Policy should be set
+			roleChainResponseWithoutArn := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        "", // Empty SessionPolicyArn
+			}
+
+			assumeRoleArnSessionSequence = simulateGetIsolatedCredentialsLogic(roleChainResponseWithoutArn)
+			customerRoleWithoutArn := assumeRoleArnSessionSequence[0]
+
+			Expect(customerRoleWithoutArn.IsCustomerRole).To(BeTrue())
+			Expect(customerRoleWithoutArn.Policy).ToNot(BeNil()) // Policy should be set when SessionPolicyArn is empty
+			Expect(len(customerRoleWithoutArn.PolicyARNs)).To(Equal(0))
+
+			// Test non-customer role - Policy should always be nil
+			roleChainResponseNonCustomer := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: "Support-Role-Arn",
+						Arn:  "arn:aws:iam::123456789012:role/support-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        "", // Empty SessionPolicyArn
+			}
+
+			assumeRoleArnSessionSequence = simulateGetIsolatedCredentialsLogic(roleChainResponseNonCustomer)
+			nonCustomerRole := assumeRoleArnSessionSequence[0]
+
+			Expect(nonCustomerRole.IsCustomerRole).To(BeFalse())
+			Expect(nonCustomerRole.Policy).To(BeNil()) // Policy should always be nil for non-customer roles
+			Expect(len(nonCustomerRole.PolicyARNs)).To(Equal(0))
 		})
 	})
 

pkg/awsutil/sts.go

@@ -132,6 +132,7 @@ type RoleArnSession struct {
 	RoleSessionName string
 	RoleArn         string
 	IsCustomerRole  bool
+	Policy          *PolicyDocument
 	PolicyARNs      []types.PolicyDescriptorType
 }
 
@@ -140,7 +141,6 @@ func AssumeRoleSequence(
 	roleArnSessionSequence []RoleArnSession,
 	proxyURL *string,
 	stsClientProviderFunc STSClientProviderFunc,
-	inlinePolicy *PolicyDocument,
 ) (aws.Credentials, error) {
 	if len(roleArnSessionSequence) == 0 {
 		return aws.Credentials{}, errors.New("role ARN sequence cannot be empty")
@@ -157,7 +157,7 @@ func AssumeRoleSequence(
 			roleArnSession.RoleSessionName,
 			roleArnSession.IsCustomerRole,
 		)
-		result, err := AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, inlinePolicy, roleArnSession.PolicyARNs)
+		result, err := AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, roleArnSession.Policy, roleArnSession.PolicyARNs)
 		retryCount := 0
 		for err != nil {
 			// IAM policy updates can take a few seconds to resolve, and the sts.Client in AWS' Go SDK doesn't refresh itself on retries.
@@ -170,7 +170,7 @@ func AssumeRoleSequence(
 					return aws.Credentials{}, fmt.Errorf("failed to create client with credentials for role %v: %w", roleArnSession.RoleArn, err)
 				}
 
-				result, err = AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, inlinePolicy, roleArnSession.PolicyARNs)
+				result, err = AssumeRole(nextClient, roleArnSession.RoleSessionName, roleArnSession.RoleArn, roleArnSession.Policy, roleArnSession.PolicyARNs)
 				if err != nil {
 					logger.Debugf("failed to create client with credentials for role %s: name:%s %v", roleArnSession.RoleArn, roleArnSession.Name, err)
 				}