rancher
diff --git a/‎docs.md‎
Lines changed: 10 additions & 0 deletions b/‎docs.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎pkg/codegen/main.go‎
Lines changed: 2 additions & 0 deletions b/‎pkg/codegen/main.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/generated/controllers/management.cattle.io/v3/interface.go‎
Lines changed: 5 additions & 0 deletions b/‎pkg/generated/controllers/management.cattle.io/v3/interface.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎pkg/generated/controllers/management.cattle.io/v3/userattribute.go‎
Lines changed: 39 additions & 0 deletions b/‎pkg/generated/controllers/management.cattle.io/v3/userattribute.go‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎pkg/generated/objects/management.cattle.io/v3/objects.go‎
Lines changed: 53 additions & 0 deletions b/‎pkg/generated/objects/management.cattle.io/v3/objects.go‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎pkg/resources/management.cattle.io/v3/users/User.md‎
Lines changed: 7 additions & 0 deletions b/‎pkg/resources/management.cattle.io/v3/users/User.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/resources/management.cattle.io/v3/users/validator.go‎
Lines changed: 134 additions & 0 deletions b/‎pkg/resources/management.cattle.io/v3/users/validator.go‎
Lines changed: 134 additions & 0 deletions
@@ -403,6 +403,16 @@ When a Token is updated, the following checks take place:
 
 - If set, `lastUsedAt` must be a valid date time according to RFC3339 (e.g. `2023-11-29T00:00:00Z`).
 
+## User
+
+### Validation Checks
+
+#### Update and Delete
+
+When a user is updated or deleted, a check occurs to ensure that the user making the request has permissions greater than or equal to the user being updated or deleted. To get the user's groups, the user's UserAttributes are checked. This is best effort, because UserAttributes are only updated when a User logs in, so it may not be perfectly up to date.
+
+If the user making the request has the verb `manage-users` for the resource `users`, then it is allowed to bypass the check. Note that the wildcard `*` includes the `manage-users` verb.
+
 ## UserAttribute
 
 ### Validation Checks
 
@@ -54,6 +54,7 @@ func main() {
 					v3.Feature{},
 					v3.Setting{},
 					v3.User{},
+					v3.UserAttribute{},
 				},
 			},
 			"provisioning.cattle.io": {
@@ -90,6 +91,7 @@ func main() {
 				&v3.NodeDriver{},
 				&v3.Project{},
 				&v3.Setting{},
+				&v3.User{},
 			},
 		},
 		"provisioning.cattle.io": {
 
@@ -643,3 +643,56 @@ func SettingFromRequest(request *admissionv1.AdmissionRequest) (*v3.Setting, err
 
 	return object, nil
 }
+
+// UserOldAndNewFromRequest gets the old and new User objects, respectively, from the webhook request.
+// If the request is a Delete operation, then the new object is the zero value for User.
+// Similarly, if the request is a Create operation, then the old object is the zero value for User.
+func UserOldAndNewFromRequest(request *admissionv1.AdmissionRequest) (*v3.User, *v3.User, error) {
+	if request == nil {
+		return nil, nil, fmt.Errorf("nil request")
+	}
+
+	object := &v3.User{}
+	oldObject := &v3.User{}
+
+	if request.Operation != admissionv1.Delete {
+		err := json.Unmarshal(request.Object.Raw, object)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to unmarshal request object: %w", err)
+		}
+	}
+
+	if request.Operation == admissionv1.Create {
+		return oldObject, object, nil
+	}
+
+	err := json.Unmarshal(request.OldObject.Raw, oldObject)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to unmarshal request oldObject: %w", err)
+	}
+
+	return oldObject, object, nil
+}
+
+// UserFromRequest returns a User object from the webhook request.
+// If the operation is a Delete operation, then the old object is returned.
+// Otherwise, the new object is returned.
+func UserFromRequest(request *admissionv1.AdmissionRequest) (*v3.User, error) {
+	if request == nil {
+		return nil, fmt.Errorf("nil request")
+	}
+
+	object := &v3.User{}
+	raw := request.Object.Raw
+
+	if request.Operation == admissionv1.Delete {
+		raw = request.OldObject.Raw
+	}
+
+	err := json.Unmarshal(raw, object)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal request object: %w", err)
+	}
+
+	return object, nil
+}
@@ -0,0 +1,7 @@
+## Validation Checks
+
+### Update and Delete
+
+When a user is updated or deleted, a check occurs to ensure that the user making the request has permissions greater than or equal to the user being updated or deleted. To get the user's groups, the user's UserAttributes are checked. This is best effort, because UserAttributes are only updated when a User logs in, so it may not be perfectly up to date.
+
+If the user making the request has the verb `manage-users` for the resource `users`, then it is allowed to bypass the check. Note that the wildcard `*` includes the `manage-users` verb.
@@ -0,0 +1,134 @@
+package users
+
+import (
+	"fmt"
+
+	v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	"github.com/rancher/webhook/pkg/admission"
+	"github.com/rancher/webhook/pkg/auth"
+	controllerv3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
+	objectsv3 "github.com/rancher/webhook/pkg/generated/objects/management.cattle.io/v3"
+	admissionv1 "k8s.io/api/admission/v1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authentication/user"
+	authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
+	"k8s.io/kubernetes/pkg/registry/rbac/validation"
+)
+
+var (
+	gvr = schema.GroupVersionResource{
+		Group:    "management.cattle.io",
+		Version:  "v3",
+		Resource: "users",
+	}
+	manageUsersVerb = "manage-users"
+)
+
+type admitter struct {
+	resolver           validation.AuthorizationRuleResolver
+	sar                authorizationv1.SubjectAccessReviewInterface
+	userAttributeCache controllerv3.UserAttributeCache
+}
+
+// Validator validates tokens.
+type Validator struct {
+	admitter admitter
+}
+
+// NewValidator returns a new Validator instance.
+func NewValidator(userAttributeCache controllerv3.UserAttributeCache, sar authorizationv1.SubjectAccessReviewInterface, defaultResolver validation.AuthorizationRuleResolver) *Validator {
+	return &Validator{
+		admitter: admitter{
+			resolver:           defaultResolver,
+			userAttributeCache: userAttributeCache,
+			sar:                sar,
+		},
+	}
+}
+
+// GVR returns the GroupVersionResource.
+func (v *Validator) GVR() schema.GroupVersionResource {
+	return gvr
+}
+
+// Operations returns list of operations handled by the validator.
+func (v *Validator) Operations() []admissionregistrationv1.OperationType {
+	return []admissionregistrationv1.OperationType{admissionregistrationv1.Update, admissionregistrationv1.Delete}
+}
+
+func (v *Validator) ValidatingWebhook(clientConfig admissionregistrationv1.WebhookClientConfig) []admissionregistrationv1.ValidatingWebhook {
+	return []admissionregistrationv1.ValidatingWebhook{
+		*admission.NewDefaultValidatingWebhook(v, clientConfig, admissionregistrationv1.ClusterScope, v.Operations()),
+	}
+}
+
+// Admitters returns the admitter objects.
+func (v *Validator) Admitters() []admission.Admitter {
+	return []admission.Admitter{&v.admitter}
+}
+
+func (a *admitter) Admit(request *admission.Request) (*admissionv1.AdmissionResponse, error) {
+	// Check if requester has manage-user verb
+	hasManageUsers, err := auth.RequestUserHasVerb(request, gvr, a.sar, manageUsersVerb, "", "")
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if requester has manage-users verb: %w", err)
+	}
+
+	if hasManageUsers {
+		return &admissionv1.AdmissionResponse{Allowed: true}, nil
+	}
+	userObj, err := objectsv3.UserFromRequest(&request.AdmissionRequest)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get current User from request: %w", err)
+	}
+
+	// Need the UserAttribute to find the groups
+	userAttribute, err := a.userAttributeCache.Get(userObj.Name)
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, fmt.Errorf("failed to get UserAttribute for %s: %w", userObj.Name, err)
+	}
+
+	userInfo := &user.DefaultInfo{
+		Name:   userObj.Name,
+		Groups: getGroupsFromUserAttribute(userAttribute),
+	}
+
+	// Get all rules for the user being modified
+	rules, err := a.resolver.RulesFor(userInfo, "")
+	if err != nil {
+		return nil, fmt.Errorf("failed to get rules for user %v: %w", userObj, err)
+	}
+
+	// Ensure that rules of the user being modified aren't greater than the rules of the user making the request
+	err = auth.ConfirmNoEscalation(request, rules, "", a.resolver)
+	if err != nil {
+		return &admissionv1.AdmissionResponse{
+			Allowed: false,
+			Result: &metav1.Status{
+				Status:  metav1.StatusFailure,
+				Reason:  "ConfirmNoEscalationError",
+				Message: fmt.Sprintf("request is attempting to modify user with more permissions than requester %v", err),
+			},
+		}, nil
+	}
+	return &admissionv1.AdmissionResponse{Allowed: true}, nil
+}
+
+// getGroupsFromUserAttributes gets the list of group principals from a UserAttribute.
+//
+// Warning: UserAttributes are only updated when a user logs in, so this may not have the up to date Group Principals.
+func getGroupsFromUserAttribute(userAttribute *v3.UserAttribute) []string {
+	result := []string{}
+	if userAttribute == nil {
+		return result
+	}
+	for _, principals := range userAttribute.GroupPrincipals {
+		for _, principal := range principals.Items {
+			result = append(result, principal.Name)
+		}
+	}
+	return result
+}