Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Admin ENV Update #316

Merged
merged 5 commits into from
May 14, 2024
Merged

Admin ENV Update #316

merged 5 commits into from
May 14, 2024

Conversation

vbhayden
Copy link
Contributor

#issue - There does not currently seem to be a way of specifying an admin user through environment variables.

This update will allow for two optional environment variables:

  • AUTH_ALLOW_ENV_ADMINS
  • AUTH_ENV_ADMIN_EMAILS

which will add the admin signature to their sheets when the corresponding users log in.

Security Impact: An improperly configured OIDC system may allow users to manually set their email address to that of the configured administrator.
Presumptive Impact: This will enable the use of an admin account for the Platform One deployment of CaSS, allowing for several PII concerns to be mitigated through the on-request removal of personal information.

@vbhayden vbhayden marked this pull request as ready for review May 1, 2024 17:23
@vbhayden
Copy link
Contributor Author

vbhayden commented May 1, 2024

Afternoon @Lomilar, this is the minor update to allow for an admin signature based on their email -- lmk if there are any adjustments needed etc.

Thanks!

@Lomilar
Copy link
Member

Lomilar commented May 14, 2024
edited
Loading 

       let considerUserAnAdmin = AUTH_ALLOW_ENV_ADMINS && AUTH_ENV_ADMIN_EMAILS.includes(email);

This can be easily broken by somehow setting my email address to ".com"

You'll want exact matching with a comma separated list of email addresses.

@vbhayden
Copy link
Contributor Author

That's how it works yeah, the AUTH_ENV_ADMIN_EMAILS is an array parsed from

function interpretAdminCSV(envCSV) {
    if (envCSV == undefined || typeof envCSV !== "string" || envCSV === "")
        return [];

    return envCSV.split(",");
}

const AUTH_ENV_ADMIN_EMAILS = interpretAdminCSV(process.env.AUTH_ENV_ADMIN_EMAILS);

making it an array inclusion check and not a string inclusion check etc.

@vbhayden
Copy link
Contributor Author

Updated the names to be less confusing with the const names vs. env names.

@Lomilar
Copy link
Member

Lomilar commented May 14, 2024

Got it.

@Lomilar Lomilar merged commit bc5fe2e into cassproject:master May 14, 2024
3 checks passed
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Lomilar added a commit that referenced this pull request May 14, 2024
@Lomilar
Release 1.5.56
56137b6 
* Merged PRs #307, #316 for P1 compatibility.
* OpenAPI swagger.json now validates.
* Updated libraries.
* Updated editor.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vbhayden @Lomilar @adl-trey