Security improvements (#1328)

Author: BraisVQ

CHANGELOG.md

@@ -8,6 +8,7 @@
 ### Changed
 - Nexus storage change ([#1341](https://github.com/opendevstack/ods-core/issues/1341))
 
+- Security improvements ([#1328](https://github.com/opendevstack/ods-core/pull/1328))
 
 ### Fixed
 

create-projects/Jenkinsfile

@@ -80,7 +80,6 @@ podTemplate(
         sh(
           script: """./create-projects/create-projects.sh --verbose \
             --project=${projectId} \
-            --admins=${projectAdmins} \
             --groups=${projectGroups}""",
           label: 'Create OpenShift projects'
         )

create-projects/create-projects.sh

@@ -84,14 +84,16 @@ fi
 
 if [ -n "${PROJECT_GROUPS}" ]; then
   echo "Seeding special permission groups (${PROJECT_GROUPS}) ..."
+
+  cd_usergroup_role="edit-atlassian-team"
+  usergroup_role="edit"
+  admingroup_role="admin"
+  readonlygroup_role="view"
+
   for group in ${PROJECT_GROUPS//,/ }; do
     groupName=$(echo "${group}" | cut -d "=" -f1)
     groupValue=$(echo "${group}" | cut -d "=" -f2)
 
-    usergroup_role="edit"
-    admingroup_role="admin"
-    readonlygroup_role="view"
-
     if [ "${groupValue}" == "" ]; then
       continue
     fi
@@ -101,7 +103,7 @@ if [ -n "${PROJECT_GROUPS}" ]; then
     if [[ "${groupName}" == *USERGROUP* ]]; then
       oc policy add-role-to-group "${usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-dev"
       oc policy add-role-to-group "${usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-test"
-      oc policy add-role-to-group "${usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-cd"
+      oc policy add-role-to-group "${cd_usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-cd"
     elif [[ "${groupName}" == *ADMINGROUP* ]]; then
       oc policy add-role-to-group "${admingroup_role}" "${groupValue}" -n "${PROJECT_ID}-dev"
       oc policy add-role-to-group "${admingroup_role}" "${groupValue}" -n "${PROJECT_ID}-test"

create-projects/tests/run.sh

@@ -52,20 +52,16 @@ oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-cd'
 oc mock --verify
 
 echo ""
-echo "=== create-projects: With admins but no groups ==="
+echo "=== create-projects: Without admins and no groups ==="
 
 oc mock --receive='new-project' --times 3
 
-# Expect admins
-oc mock --receive 'policy add-role-to-user admin foo.bar@example.com -n foo-cd' --times 1
-oc mock --receive 'policy add-role-to-user admin baz.qux@example.com -n foo-cd' --times 1
-
 # Expect default view/edit setup
 oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-dev' --times 1
 oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-test' --times 1
 oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-cd' --times 1
 
-../create-projects.sh --project foo --admins foo.bar@example.com,baz.qux@example.com --groups=
+../create-projects.sh --project foo --groups=
 
 oc mock --verify
 
@@ -81,7 +77,7 @@ oc mock --receive 'policy add-role-to-group view baz -n foo-cd' --times 1
 
 oc mock --receive 'policy add-role-to-group edit foo -n foo-dev' --times 1
 oc mock --receive 'policy add-role-to-group edit foo -n foo-test' --times 1
-oc mock --receive 'policy add-role-to-group edit foo -n foo-cd' --times 1
+oc mock --receive 'policy add-role-to-group edit-atlassian-team foo -n foo-cd' --times 1
 
 oc mock --receive 'policy add-role-to-group admin bar -n foo-dev' --times 1
 oc mock --receive 'policy add-role-to-group admin bar -n foo-test' --times 1

jenkins/ocp-config/deploy/jenkins-master.yml

@@ -267,18 +267,6 @@ objects:
     name: '${JENKINS_SERVICE_NAME}'
     labels:
       template: ods-jenkins-template
-- apiVersion: authorization.openshift.io/v1
-  kind: RoleBinding
-  metadata:
-    name: '${JENKINS_SERVICE_NAME}_edit'
-    labels:
-      template: ods-jenkins-template
-  roleRef:
-    name: edit
-  subjects:
-    - kind: ServiceAccount
-      name: '${JENKINS_SERVICE_NAME}'
-      namespace: '${TAILOR_NAMESPACE}'
 - apiVersion: v1
   kind: Service
   metadata:

ods-setup/setup-ods-project.sh

@@ -78,6 +78,141 @@ if ! oc adm policy add-cluster-role-to-user self-provisioner system:serviceaccou
   exit 1
 fi
 
+# Create a new role 'edit-atlassian-team' without secret-related resources access
+if ! oc get clusterrole edit-atlassian-team > /dev/null 2>&1; then
+  echo "You might not have enough rights to create the new role 'edit-atlassian-team'."
+  echo "This script needs to be run by a cluster admin."
+  
+  # Create a temporary file
+  TEMP_FILE=$(mktemp 2>/dev/null || echo "/tmp/tempfile_$$")
+  
+  # Get the edit role YAML and rename it
+  oc get clusterrole edit -o yaml | sed 's/name: edit/name: edit-atlassian-team/' > $TEMP_FILE
+  
+  # Process the YAML to remove secret-related resources, empty sections, and metadata fields
+  PROCESSED_FILE=$(mktemp 2>/dev/null || echo "/tmp/tempfile_$$")
+  
+  awk '
+  BEGIN { 
+    skip_current_group = 0; 
+    inside_api_group = 0;
+    api_group_buffer = "";
+    skip_section = 0;
+    in_metadata = 0;
+    contains_secret = 0;
+  }
+  
+  # Skip metadata fields and sections
+  /creationTimestamp:/ || /resourceVersion:/ || /uid:/ {
+    next;
+  }
+  
+  # Detect start of aggregationRule section and skip it
+  /^aggregationRule:/ {
+    skip_section = 1;
+    next;
+  }
+  
+  # Detect end of aggregationRule section (when we see apiVersion)
+  /^apiVersion:/ {
+    skip_section = 0;
+    print $0;
+    next;
+  }
+  
+  # Track if we are in metadata section
+  /^metadata:/ {
+    in_metadata = 1;
+    print $0;
+    next;
+  }
+  
+  # Detect start of annotations or labels in metadata and skip them
+  /^  annotations:/ || /^  labels:/ {
+    if (in_metadata) {
+      skip_section = 1;
+      next;
+    }
+  }
+  
+  # Detect when we leave annotations or labels section (any line with single indent level)
+  /^  [a-zA-Z]/ {
+    if (skip_section && in_metadata && $0 !~ /^  annotations:/ && $0 !~ /^  labels:/) {
+      skip_section = 0;
+    }
+  }
+  
+  # Detect end of metadata section
+  /^[a-zA-Z]/ && in_metadata && $0 !~ /^metadata:/ {
+    in_metadata = 0;
+  }
+  
+  # Skip lines while in a section we want to skip
+  {
+    if (skip_section) {
+      next;
+    }
+  }
+  
+  # Detect API Groups line
+  /^- apiGroups:/ {
+    # If we were previously in an API group, print it if it wasnt being skipped and has no secrets
+    if (inside_api_group && !skip_current_group && !contains_secret && api_group_buffer != "") {
+      print api_group_buffer;
+    }
+    
+    # Reset variables for new group
+    inside_api_group = 1;
+    api_group_buffer = $0;
+    skip_current_group = 0;
+    contains_secret = 0;
+    
+    # Check if this apiGroup itself contains "secret"
+    if ($0 ~ /secret/ || $0 ~ /external-secrets\.io/) {
+      skip_current_group = 1;
+    }
+    next;
+  }
+  
+  # Look for resources section that might contain secrets
+  /^  resources:/ {
+    api_group_buffer = api_group_buffer "\n" $0;
+    next;
+  }
+  
+  # Check for secret in resource names
+  /^  - / && inside_api_group {
+    # If this resource contains "secret", mark the group for skipping
+    if ($0 ~ /secret/) {
+      contains_secret = 1;
+    }
+    api_group_buffer = api_group_buffer "\n" $0;
+    next;
+  }
+  
+  # Process all other lines
+  {
+    if (inside_api_group) {
+      # Add to buffer
+      api_group_buffer = api_group_buffer "\n" $0;
+    } else {
+      # Not in an API group, print directly
+      print $0;
+    }
+  }
+  
+  END {
+    # Print the last API group if it wasnt being skipped and has no secrets
+    if (inside_api_group && !skip_current_group && !contains_secret && api_group_buffer != "") {
+      print api_group_buffer;
+    }
+  }' $TEMP_FILE > $PROCESSED_FILE
+  
+  # Create the role and clean up
+  oc create -f $PROCESSED_FILE
+  rm $TEMP_FILE $PROCESSED_FILE
+fi
+
 # Create cd-user secret
 cd ${SCRIPT_DIR}/ocp-config/cd-user
 ${TAILOR} -n ${NAMESPACE} apply ${NON_INTERACTIVE} ${REVEAL_SECRETS}