Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-07-31 13:47:02 +02:00
Code Issues Projects Releases Wiki Activity

chore: SCIM guard for users (#6836)

Browse Source 
https://linear.app/unleash/issue/2-2093/api-should-not-allow-manual-management-of-scim-managed-users-in

Introduces a SCIM guard for SCIM users. SCIM users should be managed
exclusively by the SCIM client, not Unleash.

We decided to be restrictive for now, completely covering all of the
write methods, but may fine-tune some of this at a later stage.

Will eventually be followed up by a UI-centric PR.
This commit is contained in:
Nuno Góis 2024-04-12 08:23:35 +01:00 committed by GitHub
parent c773145cf6
commit f4ef06f69b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 179 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
frontend/src/component/admin/users/UsersList/ChangePassword/ChangePassword.tsx
View File

@ -13,6 +13,7 @@ import PasswordMatcher from 'component/user/common/ResetPasswordForm/PasswordMat
import type { IUser } from 'interfaces/user';
import useAdminUsersApi from 'hooks/api/actions/useAdminUsersApi/useAdminUsersApi';
import { UserAvatar } from 'component/common/UserAvatar/UserAvatar';
import useToast from 'hooks/useToast';
const StyledUserAvatar = styled(UserAvatar)(({ theme }) => ({
width: theme.spacing(5),
@ -36,6 +37,7 @@ const ChangePassword = ({
const [validPassword, setValidPassword] = useState(false);
const { classes: themeStyles } = useThemeStyles();
const { changePassword } = useAdminUsersApi();
const { setToastData } = useToast();
const updateField: React.ChangeEventHandler<HTMLInputElement> = (event) => {
setError(undefined);
@ -58,6 +60,11 @@ const ChangePassword = ({
await changePassword(user.id, data.password);
setData({});
closeDialog();
setToastData({
title: 'Password changed successfully',
text: 'The user can now sign in using the new password.',
type: 'success',
});
} catch (error: unknown) {
console.warn(error);
setError(PASSWORD_FORMAT_MESSAGE);

11
frontend/src/hooks/api/actions/useAdminUsersApi/useAdminUsersApi.ts
View File

@ -1,10 +1,4 @@
import useAPI from '../useApi/useApi';
import {
handleBadRequest,
handleForbidden,
handleNotFound,
handleUnauthorized,
} from './errorHandlers';
interface IUserPayload {
name: string;
@ -16,10 +10,7 @@ export const REMOVE_USER_ERROR = 'removeUser';
const useAdminUsersApi = () => {
const { loading, makeRequest, createRequest, errors } = useAPI({
handleBadRequest,
handleNotFound,
handleUnauthorized,
handleForbidden,
propagateErrors: true,
});
const addUser = async (user: IUserPayload) => {

2
src/lib/db/user-store.ts
View File

@ -22,6 +22,7 @@ const USER_COLUMNS_PUBLIC = [
'image_url',
'seen_at',
'is_service',
'scim_id',
];
const USER_COLUMNS = [...USER_COLUMNS_PUBLIC, 'login_attempts', 'created_at'];
@ -56,6 +57,7 @@ const rowToUser = (row) => {
seenAt: row.seen_at,
createdAt: row.created_at,
isService: row.is_service,
scimId: row.scim_id,
});
};

7
src/lib/openapi/spec/user-schema.ts
View File

@ -92,6 +92,13 @@ export const userSchema = {
type: 'string',
},
},
scimId: {
description:
'The SCIM ID of the user, only present if managed by SCIM',
type: 'string',
nullable: true,
example: '01HTMEXAMPLESCIMID7SWWGHN6',
},
},
components: {},
} as const;

41
src/lib/routes/admin-api/user-admin.ts
View File

@ -51,7 +51,7 @@ import {
type AdminCountSchema,
adminCountSchema,
} from '../../openapi/spec/admin-count-schema';
import { BadDataError } from '../../error';
import { BadDataError, ForbiddenError } from '../../error';
import {
createUserResponseSchema,
type CreateUserResponseSchema,
@ -81,6 +81,8 @@ export default class UserAdminController extends Controller {
readonly unleashUrl: string;
readonly isEnterprise: boolean;
constructor(
config: IUnleashConfig,
{
@ -116,6 +118,7 @@ export default class UserAdminController extends Controller {
this.logger = config.getLogger('routes/user-controller.ts');
this.unleashUrl = config.server.unleashUrl;
this.flagResolver = config.flagResolver;
this.isEnterprise = config.isEnterprise;
this.route({
method: 'post',
@ -402,6 +405,8 @@ export default class UserAdminController extends Controller {
): Promise<void> {
const { user } = req;
const receiver = req.body.id;
const receiverUser = await this.userService.getByEmail(receiver);
await this.throwIfScimUser(receiverUser);
const resetPasswordUrl =
await this.userService.createResetPasswordEmail(receiver, user);
@ -605,6 +610,7 @@ export default class UserAdminController extends Controller {
if (!Number.isInteger(Number(id))) {
throw new BadDataError('User id should be an integer');
}
await this.throwIfScimUser({ id: Number(id) });
const normalizedRootRole = Number.isInteger(Number(rootRole))
? Number(rootRole)
: (rootRole as RoleName);
@ -636,6 +642,7 @@ export default class UserAdminController extends Controller {
if (!Number.isInteger(Number(id))) {
throw new BadDataError('User id should be an integer');
}
await this.throwIfScimUser({ id: Number(id) });
await this.userService.deleteUser(+id, user);
res.status(200).send();
@ -658,6 +665,8 @@ export default class UserAdminController extends Controller {
const { id } = req.params;
const { password } = req.body;
await this.throwIfScimUser({ id: Number(id) });
await this.userService.changePassword(+id, password);
res.status(200).send();
}
@ -716,4 +725,34 @@ export default class UserAdminController extends Controller {
projectRoles,
});
}
async throwIfScimUser({
id,
scimId,
}: Pick<IUser, 'id' | 'scimId'>): Promise<void> {
if (!this.isEnterprise) return;
if (!this.flagResolver.isEnabled('scimApi')) return;
const isScimUser = await this.isScimUser({ id, scimId });
if (!isScimUser) return;
const { enabled } = await this.settingService.getWithDefault('scim', {
enabled: false,
});
if (!enabled) return;
throw new ForbiddenError(
'This user is managed by your SCIM provider and cannot be changed manually',
);
}
async isScimUser({
id,
scimId,
}: Pick<IUser, 'id' | 'scimId'>): Promise<boolean> {
return (
Boolean(scimId) ||
Boolean((await this.userService.getUser(id)).scimId)
);
}
}

6
src/lib/types/user.ts
View File

@ -14,6 +14,7 @@ export interface UserData {
loginAttempts?: number;
createdAt?: Date;
isService?: boolean;
scimId?: string;
}
export interface IUser {
@ -29,6 +30,7 @@ export interface IUser {
isAPI: boolean;
imageUrl?: string;
accountType?: AccountType;
scimId?: string;
}
export interface IProjectUser extends IUser {
@ -58,6 +60,8 @@ export default class User implements IUser {
accountType?: AccountType = 'User';
scimId?: string;
constructor({
id,
name,
@ -68,6 +72,7 @@ export default class User implements IUser {
loginAttempts,
createdAt,
isService,
scimId,
}: UserData) {
if (!id) {
throw new ValidationError('Id is required', [], undefined);
@ -85,6 +90,7 @@ export default class User implements IUser {
this.loginAttempts = loginAttempts;
this.createdAt = createdAt;
this.accountType = isService ? 'Service Account' : 'User';
this.scimId = scimId;
}
generateImageUrl(): string {

116
src/test/e2e/api/admin/user-admin.scim.e2e.test.ts Normal file
View File

@ -0,0 +1,116 @@
import {
type IUnleashTest,
setupAppWithCustomConfig,
} from '../../helpers/test-helper';
import dbInit, { type ITestDb } from '../../helpers/database-init';
import getLogger from '../../../fixtures/no-logger';
import type { IUnleashStores } from '../../../../lib/types';
let stores: IUnleashStores;
let db: ITestDb;
let app: IUnleashTest;
let scimUserId: number;
let regularUserId: number;
const scimUser = {
email: 'scim-user@test.com',
name: 'SCIM User',
scim_id: 'some-random-scim-id',
};
const regularUser = {
email: 'regular-user@test.com',
name: 'Regular User',
};
const scimGuardErrorMessage =
'This user is managed by your SCIM provider and cannot be changed manually';
beforeAll(async () => {
db = await dbInit('user_admin_scim', getLogger);
stores = db.stores;
app = await setupAppWithCustomConfig(stores, {
enterpriseVersion: 'enterprise',
experimental: {
flags: {
strictSchemaValidation: true,
scimApi: true,
},
},
});
await stores.settingStore.insert('scim', {
enabled: true,
});
scimUserId = (
await db.rawDatabase('users').insert(scimUser).returning('id')
)[0].id;
regularUserId = (
await db.rawDatabase('users').insert(regularUser).returning('id')
)[0].id;
});
afterAll(async () => {
await app.destroy();
await db.destroy();
});
test('fetching a SCIM user should include scimId', async () => {
const { body } = await app.request
.get(`/api/admin/user-admin/${scimUserId}`)
.expect(200);
expect(body.email).toBe(scimUser.email);
expect(body.scimId).toBe('some-random-scim-id');
});
test('fetching a regular user should not include scimId', async () => {
const { body } = await app.request
.get(`/api/admin/user-admin/${regularUserId}`)
.expect(200);
expect(body.email).toBe(regularUser.email);
expect(body.scimId).toBeFalsy();
});
test('should prevent editing a SCIM user', async () => {
const { body } = await app.request
.put(`/api/admin/user-admin/${scimUserId}`)
.send({
name: 'New name',
})
.expect(403);
expect(body.details[0].message).toBe(scimGuardErrorMessage);
});
test('should prevent deleting a SCIM user', async () => {
const { body } = await app.request
.delete(`/api/admin/user-admin/${scimUserId}`)
.expect(403);
expect(body.details[0].message).toBe(scimGuardErrorMessage);
});
test('should prevent changing password for a SCIM user', async () => {
const { body } = await app.request
.post(`/api/admin/user-admin/${scimUserId}/change-password`)
.send({
password: 'new-password',
})
.expect(403);
expect(body.details[0].message).toBe(scimGuardErrorMessage);
});
test('should prevent resetting password for a SCIM user', async () => {
const { body } = await app.request
.post(`/api/admin/user-admin/reset-password`)
.send({ id: scimUser.email })
.expect(403);
expect(body.details[0].message).toBe(scimGuardErrorMessage);
});