Skip to content

AB#60123: Switch to group-based access control #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
e-halinen merged 2 commits into from
Jul 10, 2025
Merged

AB#60123: Switch to group-based access control #123

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f7d766e
AB#60123: Switch to assigned group-based access control
e-halinen May 30, 2025
0868f55
Merge branch 'development' into AB#60123_Switch_to_group_based_AC
e-halinen Jul 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 2 additions & 4 deletions .env.dev
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,5 @@ API_CLIENT_ID=2411181397763460
API_CLIENT_SECRET=
REDIRECT_URI=https://dev.kartat.hsl.fi/kartta
LOGIN_PROVIDER_URI=https://hslid-uat.cinfra.fi
DOMAINS_ALLOWED_TO_GENERATE=
DOMAINS_ALLOWED_TO_LOGIN=

ROUTEMAP_TEST_GROUP=Karttageneraattori-test
GROUP_GENERATE=
GROUP_READONLY=
4 changes: 2 additions & 2 deletions .env.prod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,5 @@ API_CLIENT_ID=2411181397763460
API_CLIENT_SECRET=
REDIRECT_URI=https://kartat.hsl.fi/kartta
LOGIN_PROVIDER_URI=https://id.hsl.fi
DOMAINS_ALLOWED_TO_GENERATE=
DOMAINS_ALLOWED_TO_LOGIN=
GROUP_GENERATE=
GROUP_READONLY=
4 changes: 2 additions & 2 deletions constants.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,8 @@ module.exports = {
AZURE_STORAGE_KEY: secretsEnv.AZURE_STORAGE_KEY || '',
CLIENT_SECRET: secretsEnv.CLIENT_SECRET || '',
API_CLIENT_SECRET: secretsEnv.API_CLIENT_SECRET || '',
DOMAINS_ALLOWED_TO_LOGIN: secretsEnv.DOMAINS_ALLOWED_TO_LOGIN || '',
GROUP_GENERATE: secretsEnv.GROUP_GENERATE || '',
GROUP_READONLY: secretsEnv.GROUP_READONLY || '',
HSL_TESTING_HSLID_USERNAME: secretsEnv.HSL_TESTING_HSLID_USERNAME || '',
HSL_TESTING_HSLID_PASSWORD: secretsEnv.HSL_TESTING_HSLID_PASSWORD || '',
ROUTEMAP_TEST_GROUP: secretsEnv.ROUTEMAP_TEST_GROUP || '',
};
34 changes: 12 additions & 22 deletions scripts/auth/authEndpoints.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,30 +2,19 @@ const { get, last, clone } = require('lodash');
const AuthService = require('./authService');
const validator = require('validator');

const { DOMAINS_ALLOWED_TO_LOGIN, ROUTEMAP_TEST_GROUP } = require('../../constants');
const { GROUP_GENERATE, GROUP_READONLY } = require('../../constants');

const allowedDomains = DOMAINS_ALLOWED_TO_LOGIN.split(',');
const hasAllowedGroup = async (userInfo) => {
const groups = get(userInfo, 'groups', {});

const hasAllowedDomain = async (userInfo) => {
const groups = get(userInfo, 'groups');

const emailValidationOptions = {
host_whitelist: allowedDomains,
};

if (groups.includes(ROUTEMAP_TEST_GROUP)) {
return true;
}

if (
!validator.isEmail(userInfo.email, emailValidationOptions) &&
!groups.includes(ROUTEMAP_TEST_GROUP)
) {
console.log(`User does not have allowed domain. Logging out.`);
if (!groups || !Array.isArray(groups)) {
console.log('User does not have valid groups assigned');
return false;
}

return true;
if (groups.includes(GROUP_GENERATE) || groups.includes(GROUP_READONLY)) {
return true;
}
return false;
};

const authorize = async (req, res, session) => {
Expand Down Expand Up @@ -63,7 +52,7 @@ const authorize = async (req, res, session) => {
if (session && tokenResponse.access_token) {
modifiedSession.accessToken = tokenResponse.access_token;
const userInfo = await AuthService.requestUserInfo(modifiedSession.accessToken);
const isAllowed = await hasAllowedDomain(userInfo);
const isAllowed = await hasAllowedGroup(userInfo);
if (!isAllowed) {
return {
status: 401,
Expand Down Expand Up @@ -100,7 +89,7 @@ const authorize = async (req, res, session) => {

const checkExistingSession = async (req, res, session) => {
if (session && session.accessToken) {
const isAllowed = await hasAllowedDomain(session);
const isAllowed = await hasAllowedGroup(session);
if (!isAllowed) {
await AuthService.logoutFromIdentityProvider(session.accessToken);
return {
Expand All @@ -111,6 +100,7 @@ const checkExistingSession = async (req, res, session) => {
const response = {
isOk: true,
email: session.email,
groups: session.groups,
};
return {
status: 200,
Expand Down
61 changes: 54 additions & 7 deletions scripts/server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ const {
} = require('./joreStore');
const { downloadPostersFromCloud } = require('./cloudService');

const { REDIS_CONNECTION_STRING } = require('../constants');
const { REDIS_CONNECTION_STRING, GROUP_GENERATE } = require('../constants');

const PORT = 4000;

Expand Down Expand Up @@ -106,12 +106,40 @@ async function main() {
});

router.post('/builds', async (ctx) => {
const authResponse = await authEndpoints.checkExistingSession(
ctx.request,
ctx.response,
ctx.session,
);

if (!authResponse.body.isOk) {
ctx.throw(401, 'Not allowed.');
}

if (!authResponse.body.groups.includes(GROUP_GENERATE)) {
ctx.throw(403, 'User does not have permission to modify builds.');
}

const { title } = ctx.request.body;
const build = await addBuild({ title });
ctx.body = build;
});

router.put('/builds/:id', async (ctx) => {
const authResponse = await authEndpoints.checkExistingSession(
ctx.request,
ctx.response,
ctx.session,
);

if (!authResponse.body.isOk) {
ctx.throw(401, 'Not allowed.');
}

if (!authResponse.body.groups.includes(GROUP_GENERATE)) {
ctx.throw(403, 'User does not have permission to modify builds.');
}

const { id } = ctx.params;
const { status } = ctx.request.body;
const build = await updateBuild({
Expand All @@ -122,6 +150,20 @@ async function main() {
});

router.delete('/builds/:id', async (ctx) => {
const authResponse = await authEndpoints.checkExistingSession(
ctx.request,
ctx.response,
ctx.session,
);

if (!authResponse.body.isOk) {
ctx.throw(401, 'Not allowed.');
}

if (!authResponse.body.groups.includes(GROUP_GENERATE)) {
ctx.throw(403, 'User does not have permission to modify builds.');
}

const { id } = ctx.params;
const build = await removeBuild({ id });
ctx.body = build;
Expand All @@ -143,13 +185,18 @@ async function main() {
if (!authResponse.body.isOk) {
ctx.throw(401, 'Not allowed.');
}
const posters = [];
for (let i = 0; i < props.length; i++) {
// eslint-disable-next-line no-await-in-loop
const poster = await generatePoster(buildId, props[i]);
posters.push(poster);

if (!authResponse.body.groups.includes(GROUP_GENERATE)) {
ctx.throw(403, 'User does not have permission to generate posters.');
} else {
const posters = [];
for (let i = 0; i < props.length; i++) {
// eslint-disable-next-line no-await-in-loop
const poster = await generatePoster(buildId, props[i]);
posters.push(poster);
}
ctx.body = posters;
}
ctx.body = posters;
});

router.post('/cancelPoster', async (ctx) => {
Expand Down