add keppel.RBACPolicy.ForbiddenPermissions

majewsky · majewsky · commit 7563b4625c8d · 2025-03-27T16:20:34.000+01:00
diff --git a/docs/api-spec.md b/docs/api-spec.md
@@ -144,6 +144,7 @@ The following fields may be returned:
 | `accounts[].rbac_policies[].match_repository` | string | The RBAC policy applies to all repositories in this account whose name matches this regex. The leading account name and slash is stripped from the repository name before matching. The notes on regexes below apply. |
 | `accounts[].rbac_policies[].match_username` | string | The RBAC policy applies to all users whose name matches this regex. Refer to the [documentation of your auth driver](./drivers/) for the syntax of usernames. The notes on regexes below apply. |
 | `accounts[].rbac_policies[].permissions` | list of strings | The permissions granted by the RBAC policy. Acceptable values include `pull`, `push`, `delete`, `anonymous_pull` and `anonymous_first_pull`. When `pull`, `push` or `delete` are included, `match_username` is not empty. When `anonymous_pull` or `anonymous_first_pull` is included, `match_username` is empty. `anonymous_first_pull` is only relevant for external replica accounts and allows unauthenticated users to replicate tags. It should always be combined with an appropriate `match_*` rule. |
+| `accounts[].rbac_policies[].forbidden_permissions` | list of strings | The permissions forbidden by the RBAC policy. Acceptable values are the same as for the `permissions` field. This field takes precedence over `permissions`: Any permission listed here will never be given to matching users, even if another matching policy would grant it. |
 | `accounts[].replication` | object or omitted | Replication configuration for this account, if any. [See below](#replication-strategies) for details. |
 | `accounts[].platform_filter` | list of objects or omitted | Only allowed for replica accounts. If not empty, when replicating an image list manifest (i.e. a multi-architecture image), only submanifests matching one of the given platforms will be replicated. Each entry must have the same format as the `manifests[].platform` field in the [OCI Image Index Specification](https://github.com/opencontainers/image-spec/blob/master/image-index.md). |
 | `accounts[].validation` | object or omitted | Validation rules for this account. When included, pushing blobs and manifests not satisfying these validation rules may be rejected. |
diff --git a/internal/api/auth/api_test.go b/internal/api/auth/api_test.go
@@ -77,6 +77,11 @@ var (
 		UserNamePattern:   "correct.*",
 		Permissions:       []keppel.RBACPermission{keppel.GrantsPull},
 	}
+	policyForbidPush = keppel.RBACPolicy{
+		RepositoryPattern:    "fo+",
+		UserNamePattern:      "correct.*",
+		ForbiddenPermissions: []keppel.RBACPermission{keppel.GrantsPush},
+	}
 	policyPushMatches = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
 		UserNamePattern:   "correct.*",
@@ -414,6 +419,19 @@ var testCases = []TestCase{
 	{Scope: "repository:test1/foo:delete",
 		RBACPolicy:     &policyDeleteMatches,
 		GrantedActions: "delete"},
+	// negative RBAC policies can take away permissions
+	{Scope: "repository:test1/foo:pull",
+		RBACPolicy:     &policyForbidPush,
+		GrantedActions: "pull"},
+	{Scope: "repository:test1/foo:push",
+		RBACPolicy:     &policyForbidPush,
+		GrantedActions: ""},
+	{Scope: "repository:test1/foo:pull,push",
+		RBACPolicy:     &policyForbidPush,
+		GrantedActions: "pull"},
+	{Scope: "repository:test1/foo:delete",
+		RBACPolicy:     &policyForbidPush,
+		GrantedActions: "delete"},
 }
 
 // TODO expect refresh_token when offline_token=true is given
diff --git a/internal/api/keppel/accounts_test.go b/internal/api/keppel/accounts_test.go
@@ -802,6 +802,8 @@ func TestPutAccountErrorCases(t *testing.T) {
 		RBACPolicyJSON assert.JSONObject
 		ErrorMessage   string
 	}{
+		// NOTE: Many testcases come in pairs where the problematic permission is
+		// in `permissions` the first time and in `forbidden_permissions` the second time.
 		{
 			RBACPolicyJSON: assert.JSONObject{
 				"match_repository": "library/.+",
@@ -815,6 +817,22 @@ func TestPutAccountErrorCases(t *testing.T) {
 			},
 			ErrorMessage: `"foo" is not a valid RBAC policy permission`,
 		},
+		{
+			RBACPolicyJSON: assert.JSONObject{
+				"match_repository":      "library/.+",
+				"permissions":           []string{"pull"},
+				"forbidden_permissions": []string{"push", "foo"},
+			},
+			ErrorMessage: `"foo" is not a valid RBAC policy permission`,
+		},
+		{
+			RBACPolicyJSON: assert.JSONObject{
+				"match_repository":      "library/.+",
+				"permissions":           []string{"pull"},
+				"forbidden_permissions": []string{"pull", "push"},
+			},
+			ErrorMessage: `"pull" cannot be granted and forbidden by the same RBAC policy`,
+		},
 		{
 			RBACPolicyJSON: assert.JSONObject{
 				"permissions": []string{"anonymous_pull"},
@@ -829,20 +847,42 @@ func TestPutAccountErrorCases(t *testing.T) {
 			},
 			ErrorMessage: `RBAC policy with "anonymous_pull" or "anonymous_first_pull" may not have the "match_username" attribute`,
 		},
+		{
+			RBACPolicyJSON: assert.JSONObject{
+				"match_repository":      "library/.+",
+				"match_username":        "foo",
+				"forbidden_permissions": []string{"anonymous_pull"},
+			},
+			ErrorMessage: `RBAC policy with "anonymous_pull" or "anonymous_first_pull" may not have the "match_username" attribute`,
+		},
 		{
 			RBACPolicyJSON: assert.JSONObject{
 				"match_repository": "library/.+",
 				"permissions":      []string{"pull"},
 			},
 			ErrorMessage: `RBAC policy with "pull" must have the "match_cidr" or "match_username" attribute`,
 		},
+		{
+			RBACPolicyJSON: assert.JSONObject{
+				"match_repository":      "library/.+",
+				"forbidden_permissions": []string{"pull"},
+			},
+			ErrorMessage: `RBAC policy with "pull" must have the "match_cidr" or "match_username" attribute`,
+		},
 		{
 			RBACPolicyJSON: assert.JSONObject{
 				"match_repository": "library/.+",
 				"permissions":      []string{"delete"},
 			},
 			ErrorMessage: `RBAC policy with "delete" must have the "match_username" attribute`,
 		},
+		{
+			RBACPolicyJSON: assert.JSONObject{
+				"match_repository":      "library/.+",
+				"forbidden_permissions": []string{"delete"},
+			},
+			ErrorMessage: `RBAC policy with "delete" must have the "match_username" attribute`,
+		},
 		{
 			RBACPolicyJSON: assert.JSONObject{
 				"match_repository": "library/.+",
@@ -872,13 +912,28 @@ func TestPutAccountErrorCases(t *testing.T) {
 			},
 			ErrorMessage: `RBAC policy with "anonymous_pull" or "anonymous_first_pull" may not have the "match_username" attribute`,
 		},
+		{
+			RBACPolicyJSON: assert.JSONObject{
+				"match_repository":      "library/.+",
+				"match_username":        "foo",
+				"forbidden_permissions": []string{"anonymous_first_pull"},
+			},
+			ErrorMessage: `RBAC policy with "anonymous_pull" or "anonymous_first_pull" may not have the "match_username" attribute`,
+		},
 		{
 			RBACPolicyJSON: assert.JSONObject{
 				"match_repository": "library/.+",
 				"permissions":      []string{"anonymous_first_pull"},
 			},
 			ErrorMessage: `RBAC policy with "anonymous_first_pull" may only be for external replica accounts`,
 		},
+		{
+			RBACPolicyJSON: assert.JSONObject{
+				"match_repository":      "library/.+",
+				"forbidden_permissions": []string{"anonymous_first_pull"},
+			},
+			ErrorMessage: `RBAC policy with "anonymous_first_pull" may only be for external replica accounts`,
+		},
 		{
 			RBACPolicyJSON: assert.JSONObject{
 				"match_repository": "*/library",
diff --git a/internal/auth/filter.go b/internal/auth/filter.go
@@ -24,6 +24,7 @@ import (
 	"errors"
 	"fmt"
 
+	. "github.com/majewsky/gg/option"
 	"github.com/sapcc/go-bits/httpext"
 
 	"github.com/sapcc/keppel/internal/keppel"
@@ -188,46 +189,55 @@ func filterRepoActions(ip string, scope Scope, uid keppel.UserIdentity, audience
 		return nil, err
 	}
 
-	isAllowedAction := map[string]bool{
-		"pull":   uid.HasPermission(keppel.CanPullFromAccount, authTenantID),
-		"push":   uid.HasPermission(keppel.CanPushToAccount, authTenantID),
-		"delete": uid.HasPermission(keppel.CanDeleteFromAccount, authTenantID),
-	}
-
+	// collect permission overrides from matching RBAC policies
 	policies, err := keppel.ParseRBACPoliciesField(rbacPoliciesJSON)
 	if err != nil {
 		return nil, fmt.Errorf("while parsing account RBAC policies: %w", err)
 	}
+	permOverride := make(map[keppel.RBACPermission]Option[bool])
 	userName := uid.UserName()
 	for _, policy := range policies {
 		if !policy.Matches(ip, repoScope.RepositoryName, userName) {
 			continue
 		}
-
-		hasPerm := make(map[keppel.RBACPermission]bool)
+		// NOTE: forbidding overrides take precedence over granting overrides
 		for _, perm := range policy.Permissions {
-			hasPerm[perm] = true
-		}
-
-		if hasPerm[keppel.GrantsAnonymousPull] {
-			isAllowedAction["pull"] = true
-		}
-		if hasPerm[keppel.GrantsAnonymousFirstPull] {
-			isAllowedAction["anonymous_first_pull"] = true
-		}
-		if uid.UserType() != keppel.AnonymousUser {
-			if hasPerm[keppel.GrantsPull] {
-				isAllowedAction["pull"] = true
-			}
-			if hasPerm[keppel.GrantsPush] {
-				isAllowedAction["push"] = true
-			}
-			if hasPerm[keppel.GrantsDelete] {
-				isAllowedAction["delete"] = true
+			if permOverride[perm] != Some(false) {
+				permOverride[perm] = Some(true)
 			}
 		}
+		for _, perm := range policy.ForbiddenPermissions {
+			permOverride[perm] = Some(false)
+		}
+	}
+
+	// certain policies can never be granted to anonymous users by an RBAC policy
+	if uid.UserType() == keppel.AnonymousUser {
+		delete(permOverride, keppel.GrantsPull)
+		delete(permOverride, keppel.GrantsPush)
+		delete(permOverride, keppel.GrantsDelete)
+	}
+
+	// evaluate final permission set
+	isAllowedAction := map[string]bool{
+		"pull": permOverride[keppel.GrantsPull].UnwrapOr(
+			uid.HasPermission(keppel.CanPullFromAccount, authTenantID),
+		),
+		"push": permOverride[keppel.GrantsPush].UnwrapOr(
+			uid.HasPermission(keppel.CanPushToAccount, authTenantID),
+		),
+		"delete": permOverride[keppel.GrantsDelete].UnwrapOr(
+			uid.HasPermission(keppel.CanDeleteFromAccount, authTenantID),
+		),
+	}
+	if permOverride[keppel.GrantsAnonymousPull].UnwrapOr(false) {
+		isAllowedAction["pull"] = true
+	}
+	if isAllowedAction["pull"] {
+		isAllowedAction["anonymous_first_pull"] = permOverride[keppel.GrantsAnonymousFirstPull].UnwrapOr(false)
 	}
 
+	// grant requested actions as possible
 	var result []string
 	for _, action := range scope.Actions {
 		if isAllowedAction[action] {
diff --git a/internal/keppel/rbac_policy.go b/internal/keppel/rbac_policy.go
@@ -33,10 +33,11 @@ import (
 // RBACPolicy is a policy granting user-defined access to repos in an account.
 // It is stored in serialized form in the RBACPoliciesJSON field of type Account.
 type RBACPolicy struct {
-	CidrPattern       string                  `json:"match_cidr,omitempty"`
-	RepositoryPattern regexpext.BoundedRegexp `json:"match_repository,omitempty"`
-	UserNamePattern   regexpext.BoundedRegexp `json:"match_username,omitempty"`
-	Permissions       []RBACPermission        `json:"permissions"`
+	CidrPattern          string                  `json:"match_cidr,omitempty"`
+	RepositoryPattern    regexpext.BoundedRegexp `json:"match_repository,omitempty"`
+	UserNamePattern      regexpext.BoundedRegexp `json:"match_username,omitempty"`
+	Permissions          []RBACPermission        `json:"permissions"`
+	ForbiddenPermissions []RBACPermission        `json:"forbidden_permissions,omitempty"`
 }
 
 // RBACPermission enumerates permissions that can be granted by an RBAC policy.
@@ -93,33 +94,48 @@ func (r *RBACPolicy) ValidateAndNormalize(strategy ReplicationStrategy) error {
 		}
 	}
 
-	hasPerm := make(map[RBACPermission]bool)
+	grantsPerm := make(map[RBACPermission]bool)
+	forbidsPerm := make(map[RBACPermission]bool)
+	refersToPerm := make(map[RBACPermission]bool)
 	for _, perm := range r.Permissions {
 		if !isRBACPermission[perm] {
 			return fmt.Errorf("%q is not a valid RBAC policy permission", perm)
 		}
-		hasPerm[perm] = true
+		grantsPerm[perm] = true
+		forbidsPerm[perm] = false
+		refersToPerm[perm] = true
+	}
+	for _, perm := range r.ForbiddenPermissions {
+		if !isRBACPermission[perm] {
+			return fmt.Errorf("%q is not a valid RBAC policy permission", perm)
+		}
+		if grantsPerm[perm] {
+			return fmt.Errorf("%q cannot be granted and forbidden by the same RBAC policy", perm)
+		}
+		grantsPerm[perm] = false
+		forbidsPerm[perm] = true
+		refersToPerm[perm] = true
 	}
 
-	if len(r.Permissions) == 0 {
+	if len(r.Permissions) == 0 && len(r.ForbiddenPermissions) == 0 {
 		return errors.New(`RBAC policy must grant at least one permission`)
 	}
 	if r.CidrPattern == "" && r.UserNamePattern == "" && r.RepositoryPattern == "" {
 		return errors.New(`RBAC policy must have at least one "match_..." attribute`)
 	}
-	if (hasPerm[GrantsAnonymousPull] || hasPerm[GrantsAnonymousFirstPull]) && r.UserNamePattern != "" {
+	if (refersToPerm[GrantsAnonymousPull] || refersToPerm[GrantsAnonymousFirstPull]) && r.UserNamePattern != "" {
 		return errors.New(`RBAC policy with "anonymous_pull" or "anonymous_first_pull" may not have the "match_username" attribute`)
 	}
-	if hasPerm[GrantsPull] && r.CidrPattern == "" && r.UserNamePattern == "" {
+	if refersToPerm[GrantsPull] && r.CidrPattern == "" && r.UserNamePattern == "" {
 		return errors.New(`RBAC policy with "pull" must have the "match_cidr" or "match_username" attribute`)
 	}
-	if hasPerm[GrantsPush] && !hasPerm[GrantsPull] {
+	if grantsPerm[GrantsPush] && !grantsPerm[GrantsPull] {
 		return errors.New(`RBAC policy with "push" must also grant "pull"`)
 	}
-	if hasPerm[GrantsDelete] && r.UserNamePattern == "" {
+	if refersToPerm[GrantsDelete] && r.UserNamePattern == "" {
 		return errors.New(`RBAC policy with "delete" must have the "match_username" attribute`)
 	}
-	if hasPerm[GrantsAnonymousFirstPull] && strategy != FromExternalOnFirstUseStrategy {
+	if refersToPerm[GrantsAnonymousFirstPull] && strategy != FromExternalOnFirstUseStrategy {
 		return errors.New(`RBAC policy with "anonymous_first_pull" may only be for external replica accounts`)
 	}
 
