From 466f0a112d6d2c17edf1769bf51afc986d9de41f Mon Sep 17 00:00:00 2001
From: "Oleksandr Kosse (EPAM)" <oleksandr_kosse@epam.com>
Date: Thu, 30 Nov 2023 09:51:32 +0000
Subject: [PATCH] [GONRG-8048] Partition service hardening

---
 devops/gc/deploy/README.md                    |  1 +
 .../templates/authorization-policy.yaml       | 29 +++++++++++++++++++
 .../templates/request-authentication.yaml     | 14 +++++++++
 devops/gc/deploy/values.yaml                  |  1 +
 4 files changed, 45 insertions(+)
 create mode 100644 devops/gc/deploy/templates/request-authentication.yaml

diff --git a/devops/gc/deploy/README.md b/devops/gc/deploy/README.md
index 78bb51811..6da9097cb 100644
--- a/devops/gc/deploy/README.md
+++ b/devops/gc/deploy/README.md
@@ -152,6 +152,7 @@ First you need to set variables in **values.yaml** file using any code editor. S
 **istio.bootstrapProxyCPU** | CPU request for Envoy sidecars | string | 10m | yes
 **istio.bootstrapProxyCPULimit** | CPU limit for Envoy sidecars | string | 100m | yes
 **istio.sidecarInject** | whether Istio sidecar will be injected. Setting to "false" reduces security, because disables authorization policy. | boolean | true | yes
+**istio.partitionEditors** | list of users who can edit partitions. If it is empty, the service allows all external GET requests and POST/PUT/PATCH for bootstrap k8s service account. It accepts gc accounts only | list | - | no
 
 ### Install the helm chart
 
diff --git a/devops/gc/deploy/templates/authorization-policy.yaml b/devops/gc/deploy/templates/authorization-policy.yaml
index eceaa73bb..e56dc999c 100644
--- a/devops/gc/deploy/templates/authorization-policy.yaml
+++ b/devops/gc/deploy/templates/authorization-policy.yaml
@@ -9,12 +9,32 @@ spec:
       app: {{ .Values.conf.appName | quote }}
   action: ALLOW
   rules:
+  {{- if .Values.istio.partitionEditors }}
+  - from:
+    - source:
+        principals:
+        - cluster.local/ns/{{ .Release.Namespace }}/sa/*
+    to:
+    - operation:
+        methods:
+        - GET
+        paths:
+        - /api/partition/v1/*
+  - to:
+    - operation:
+        methods:
+        - GET
+        paths:
+        - /api/partition/v1/info
+  {{- else }}
   - to:
     - operation:
         methods:
         - GET
         paths:
         - /api/partition/v1/*
+  {{- end }}
+
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
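Review bot: The new `from` rule at the top of the hunk grants GET on `/api/partition/v1/*` to `cluster.local/ns/{{ .Release.Namespace }}/sa/*`, which is every service account in the release namespace including the namespace `default` account, so any pod scheduled into that namespace can read partition data once `partitionEditors` is set. If only specific workloads need read access, name them, e.g. `- cluster.local/ns/{{ .Release.Namespace }}/sa/<reader-service-account>` (placeholder); if the whole namespace is meant to be trusted, say so above the rule with `# any in-mesh workload in this namespace may read partitions`. Note that `principals` is only populated over mTLS, so this branch silently denies readers whose sidecar is off, which matches the README caveat on sidecarInject and is worth a comment too. The policy `spec` starts before the hunk.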
@@ -35,3 +55,12 @@ spec:
     - operation:
         paths:
         - /api/partition/v1/*
+  {{- if .Values.istio.partitionEditors }}
+  - to:
+    - operation:
+        paths:
+        - /api/partition/v1/*
+    when:
+    - key: request.auth.claims[email]
+      values: {{ .Values.istio.partitionEditors | toYaml | nindent 6}}
+  {{- end }}
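Review bot: The editor rule keys only on `request.auth.claims[email]`, and that attribute is populated solely from a token validated by a RequestAuthentication on the same workload; nothing in this file records that dependency, so removing or renaming the `-jwt-policy` resource would leave a rule that can never match (fails closed, but confusingly). Add a comment above the rule, e.g. `# claims are only set from a JWT validated by request-authentication.yaml; no JWT means this rule never matches`, and note in it that the rule carries no `methods`, so it covers every verb on the path. Also close the template action with a space for consistency with the rest of the chart: `values: {{ .Values.istio.partitionEditors | toYaml | nindent 6 }}`. The policy's `action` and the `from` of its first rule are outside the hunk.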
diff --git a/devops/gc/deploy/templates/request-authentication.yaml b/devops/gc/deploy/templates/request-authentication.yaml
new file mode 100644
index 000000000..52c0cad42
--- /dev/null
+++ b/devops/gc/deploy/templates/request-authentication.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.istio.partitionEditors }}
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: {{ printf "%s-jwt-policy" .Values.conf.appName | quote }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.conf.appName | quote }}
+  jwtRules:
+  - issuer: https://accounts.google.com
+    jwksUri: https://www.googleapis.com/oauth2/v3/certs
+{{- end }}
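Review bot: The jwtRules entry pins the issuer but sets no `audiences`, so any Google-issued ID token for any OAuth client is accepted and its `email` claim then satisfies the editor rule in authorization-policy.yaml; a token a listed user obtained for an unrelated application would grant write access to partitions. Add an audience list sourced from values, e.g. `audiences: {{ .Values.istio.<jwtAudiencesKey> | toYaml | nindent 6 }}` (placeholder key), so only tokens minted for this deployment's client id are trusted. Google documents `iss` as either `https://accounts.google.com` or `accounts.google.com` depending on the flow; if the bare form is expected, a second jwtRules entry is needed, otherwise a comment stating that only the https form is accepted would help the next reader.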
diff --git a/devops/gc/deploy/values.yaml b/devops/gc/deploy/values.yaml
index ec3475be7..6cc4a8097 100644
--- a/devops/gc/deploy/values.yaml
+++ b/devops/gc/deploy/values.yaml
@@ -48,3 +48,4 @@ istio:
   bootstrapProxyCPU: "5m"
   bootstrapProxyCPULimit: "100m"
   sidecarInject: "true"
+  partitionEditors: []
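Review bot: `partitionEditors: []` is the single switch that turns on JWT-based write access and narrows in-mesh read access, yet the values file gives no hint of that effect; the README documents it, but values.yaml is what operators actually edit. Add a comment above it, e.g. `# Google account emails allowed to write partitions via a validated ID token; empty keeps GET open to all and writes limited to the bootstrap service account (see README)`. The enclosing `istio:` mapping starts before the hunk.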
-- 
GitLab