
chore: CE-443 Automate COMS access requests #801

Merged
merged 9 commits into from
Dec 9, 2024
Merged

Conversation

mikevespi
Contributor

@mikevespi mikevespi commented Dec 6, 2024

Add a check for COMS access on sign-in and request it if the user does not have it.

Description

A field coms_enrolled_ind was added to the officer table to indicate whether a user has permissions to access the COMS bucket. When a user logs in, if the indicator is false a request is made to the COMS API provisioning permissions for the user based on their role. Currently, READ_ONLY users are only given "READ" permissions, all other roles are given full CRUD permissions. The COMS endpoint used (PUT to /bucket docs) provisions the requested permissions to the user whose credentials are being used to make the request, with the secretAccessKey allowing them to perform actions on the given bucket. This secretAccessKey is not user based, and as such the call to COMS is being done in the backend to avoid exposing that secret. The user roles are stripped off of the user object on the request itself to prevent users from being able to wrongly assign extra permissions to themselves. In order to access that information a new backend decorator @User() was created. The @Token() decorator was updated to grab the token out of the headers if the authentication property is not present on the request object itself (which it was not for the incoming request). The COMS request requires new secrets that have been added to the chart.

Developers will need to add the following block to their backend .env files, with the appropriate values:

OBJECTSTORE_API_URL=
OBJECTSTORE_ACCESS_KEY=
OBJECTSTORE_BUCKET=
OBJECTSTORE_BUCKET_NAME=
OBJECTSTORE_KEY=
OBJECTSTORE_HTTPS_URL=
OBJECTSTORE_SECRET_KEY=

Fixes # (issue)

How Has This Been Tested?

Testing was done by creating a new bucket in dev and logging in with the coms_enrolled_ind flag set to false, and ensuring that signing into the app resulted in the call to COMS, that the appropriate permissions were provisioned for the user on that bucket, and that the user's coms_enrolled_ind was set to true. This was repeated with the COS_OFFICER, CEEB and READ_ONLY roles, removing permissions in between tests.
The standard dev bucket was not tested on, as I did not have MANAGE rights on the bucket and couldn't remove my permissions to re-run tests.

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Further comments

The COMS enrolled indicator value was added to the profile object in the store as requested in the ticket, however the flag in the store is not used for anything at this point. If there is no intent to use the check beyond login, it could likely be removed.
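The sign-in enrolment flow the PR describes, written out as an added TypeScript example (it is not the project's code). It shows the three points that matter for security in the description: the COMS permissions are derived from the role in the verified token rather than from anything the client sends, the call is only made when coms_enrolled_ind is false, and the OBJECTSTORE_* secret never leaves the backend configuration. The names Officer, TokenClaims, ComsClient, RecordingComsClient, enrolOnSignIn, extractToken and permissionsForRole are assumptions; the real COMS call is an HTTP PUT to /bucket, which is replaced here by an injected interface so the example runs offline, and the configuration values are constructed placeholders.

```typescript
// Added example modelling the PR's sign-in COMS enrolment; not the project's code.
// Type and function names are assumptions; OBJECTSTORE_* keys are the ones the PR lists.

type Role = "READ_ONLY" | "COS_OFFICER" | "CEEB"; // roles named in the PR
type ComsPermission = "READ" | "CREATE" | "UPDATE" | "DELETE";

// Officer row, carrying the coms_enrolled_ind flag added by the PR.
interface Officer {
  user_guid: string;
  coms_enrolled_ind: boolean;
}

// Claims from the verified token. The role is taken from here only; the
// roles on the incoming request's user object are stripped and never read.
interface TokenClaims {
  sub: string;
  role: Role;
}

// Backend-only configuration: the bucket secret stays on the server.
interface ObjectStoreConfig {
  OBJECTSTORE_API_URL: string;
  OBJECTSTORE_BUCKET: string;
  OBJECTSTORE_ACCESS_KEY: string;
  OBJECTSTORE_SECRET_KEY: string;
}

// Payload of one permission grant (what the PUT to COMS would carry).
interface BucketPermissionRequest {
  bucketId: string;
  userId: string;
  permCodes: ComsPermission[];
}

// Hypothetical client interface standing in for the HTTP PUT to /bucket.
interface ComsClient {
  putBucketPermissions(req: BucketPermissionRequest, cfg: ObjectStoreConfig): void;
}

// Role-to-permission mapping exactly as the PR states.
function permissionsForRole(role: Role): ComsPermission[] {
  return role === "READ_ONLY" ? ["READ"] : ["CREATE", "READ", "UPDATE", "DELETE"];
}

// @Token() behaviour described in the PR: prefer req.authentication, otherwise
// fall back to the bearer token in the Authorization header.
function extractToken(req: {
  authentication?: string;
  headers: Record<string, string | undefined>;
}): string | undefined {
  if (req.authentication) return req.authentication;
  const header = req.headers["authorization"];
  if (!header) return undefined;
  const [scheme, value] = header.trim().split(/\s+/);
  return scheme?.toLowerCase() === "bearer" ? value : undefined;
}

// Sign-in hook: provision COMS access once, from the verified role only.
function enrolOnSignIn(
  officer: Officer,
  claims: TokenClaims,
  client: ComsClient,
  cfg: ObjectStoreConfig,
): { requested: boolean; officer: Officer } {
  if (officer.coms_enrolled_ind) {
    return { requested: false, officer }; // already provisioned, no COMS call
  }
  client.putBucketPermissions(
    { bucketId: cfg.OBJECTSTORE_BUCKET, userId: claims.sub, permCodes: permissionsForRole(claims.role) },
    cfg,
  );
  return { requested: true, officer: { ...officer, coms_enrolled_ind: true } };
}

// In-memory client that records calls so the flow can be checked offline.
class RecordingComsClient implements ComsClient {
  public calls: BucketPermissionRequest[] = [];
  putBucketPermissions(req: BucketPermissionRequest, _cfg: ObjectStoreConfig): void {
    this.calls.push(req);
  }
}

// Constructed sample run: a READ_ONLY officer signs in twice, then a CEEB officer once.
function demo(): { requested: boolean[]; calls: BucketPermissionRequest[] } {
  const cfg: ObjectStoreConfig = {
    OBJECTSTORE_API_URL: "https://coms.example.invalid/api/v1", // placeholder
    OBJECTSTORE_BUCKET: "bucket-id-placeholder",
    OBJECTSTORE_ACCESS_KEY: "access-key-placeholder",
    OBJECTSTORE_SECRET_KEY: "secret-key-placeholder",
  };
  const client = new RecordingComsClient();
  const first = enrolOnSignIn({ user_guid: "officer-1", coms_enrolled_ind: false }, { sub: "officer-1", role: "READ_ONLY" }, client, cfg);
  const second = enrolOnSignIn(first.officer, { sub: "officer-1", role: "READ_ONLY" }, client, cfg);
  const third = enrolOnSignIn({ user_guid: "officer-2", coms_enrolled_ind: false }, { sub: "officer-2", role: "CEEB" }, client, cfg);
  return { requested: [first.requested, second.requested, third.requested], calls: client.calls };
}
```

Because enrolOnSignIn only accepts the role through TokenClaims, a request body that carries its own roles has no path into the permission mapping, which is the property the PR's stripping of roles from the request user object is meant to guarantee.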


@mikevespi mikevespi closed this Dec 6, 2024
@mikevespi mikevespi reopened this Dec 6, 2024
@mikevespi mikevespi changed the title Ce 443 chore: CE-443 Automate COMS access requests Dec 6, 2024
sonarqubecloud bot commented Dec 9, 2024

Collaborator

@afwilcox afwilcox left a comment

Looks great - good job!

@afwilcox afwilcox merged commit 174ef7f into release/0.6.9 Dec 9, 2024
19 checks passed
@afwilcox afwilcox deleted the CE-443 branch December 9, 2024 19:08