GoogleCloudPlatform / policy-library

A library of constraint templates and sample constraints for Constraint Framework tools
Apache License 2.0
223 stars 128 forks

Make superglobbing more clear or automatic #416

Open Jberlinsky opened 2 years ago

Jberlinsky commented 2 years ago

Some policies (i.e. iam_allowed_bindings) automatically convert a string with the single character * to a super-glob (**). This is unclear to users, who might assume that a wildcard (*) would be valid throughout the string (which it is not -- it must be explicitly set as a superglob). For context, the specific use case I am trying to solve for is ensuring that only service accounts can be owners on projects -- for which I initially wrote a constraint as follows:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_role_project_owner_to_users
  annotations:
    description: Ban any individual users from being granted Owner/Editor primative roles
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.05
spec:
  severity: high
  match:
    target:
    - "organizations/**"
    exclude: [] # optional, default is no exclusions
  parameters:
    mode: denylist
    members:
    - "user:*"
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner

This does not work as expected. A constraint that achieves the desired result reads as follows (note the one-character difference in the first members entry):

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_role_project_owner_to_users
  annotations:
    description: Ban any individual users from being granted Owner/Editor primative roles
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.05
spec:
  severity: high
  match:
    target:
    - "organizations/**"
    exclude: [] # optional, default is no exclusions
  parameters:
    mode: denylist
    members:
    - "user:**"
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner

I see two possible solutions here:

  1. Mention this developer experience friction in a README, or make it more clear in samples. This feels like a band-aid, but could be a stopgap to avoid farther-reaching changes.
  2. Ensure that single wildcards are always converted to the super-glob as necessary -- for the particular policy I was working with, https://github.com/GoogleCloudPlatform/policy-library/blob/master/policies/templates/gcp_iam_allowed_bindings.yaml#L140 seems to only s/^\*$/\*\*/, and we might reasonably consider s/\*/\*\*/g to be the better solution.
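To make the behaviour described in this issue concrete, the following added example (written for this page, not code from the policy-library project or the issue author) re-implements glob matching with OPA-style delimiter semantics, where `*` stops at a delimiter and `**` crosses it, and models the two normalisation rules the issue contrasts: the current "only a bare `*` becomes `**`" rule and the proposed "every `*` becomes `**`" rule. It assumes OPA's documented fallback of `.` as the delimiter when the delimiter list is empty; the member strings are constructed sample values, and `normalize_current` / `normalize_proposed` are hypothetical names standing in for the template line the issue links.

```python
import re
from typing import Callable, Iterable, List

# Hypothetical re-implementation of OPA-style glob matching (not OPA's code):
# '*' matches any run of characters that does not cross a delimiter,
# '**' matches any run including delimiters, '?' matches one non-delimiter
# character. OPA's glob.match uses "." as the delimiter when the delimiter
# list is empty; that default is assumed here.
def glob_to_regex(pattern: str, delimiters: str = ".") -> re.Pattern:
    sep = re.escape(delimiters)
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**", i):
                out.append(".*")          # super-glob: crosses delimiters
                i += 2
                continue
            out.append(f"[^{sep}]*")      # single glob: stops at a delimiter
        elif c == "?":
            out.append(f"[^{sep}]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def glob_match(pattern: str, delimiters: Iterable[str], value: str) -> bool:
    """Mirror glob.match(pattern, delimiters, value): empty delimiters -> '.'"""
    delims = "".join(delimiters) or "."
    return glob_to_regex(pattern, delims).fullmatch(value) is not None


# Normalisation as the issue describes the template's current behaviour:
# only a member consisting solely of "*" is rewritten to "**".
def normalize_current(member: str) -> str:
    return re.sub(r"^\*$", "**", member)


# The alternative the issue proposes: every "*" becomes "**".
# (An existing "**" becomes "****", which matches the same set of strings.)
def normalize_proposed(member: str) -> str:
    return re.sub(r"\*", "**", member)


# Constructed sample IAM members; not taken from any real project.
CONSTRUCTED_MEMBERS = [
    "user:alice@example.com",
    "serviceAccount:deployer@my-project.iam.gserviceaccount.com",
    "group:admins@example.com",
]


def denied_members(member_patterns: Iterable[str],
                   members: Iterable[str],
                   normalize: Callable[[str], str]) -> List[str]:
    """Return the members a denylist built from member_patterns would flag."""
    patterns = [normalize(p) for p in member_patterns]
    return [m for m in members
            if any(glob_match(p, [], m) for p in patterns)]


if __name__ == "__main__":
    for rule in (normalize_current, normalize_proposed):
        print(rule.__name__, "->", denied_members(["user:*"],
                                                   CONSTRUCTED_MEMBERS, rule))
```

Running it shows the friction the issue reports: with the current rule the pattern `user:*` stays as written, the `.` in every e-mail address stops the single glob, and no user is flagged; with the proposed rule the pattern becomes `user:**` and the individual user is denied while the service account and group are not.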