emerg: enable user-specific additional role grants

devksingh4 · devksingh4 · commit 9888ef7ec442 · 2024-11-12T21:39:11.000-06:00
diff --git a/src/config.ts b/src/config.ts
@@ -8,10 +8,12 @@ type ValueOrArray<T> = T | ArrayOfValueOrArray<T>;
 
 type GroupRoleMapping = Record<string, readonly AppRoles[]>;
 type AzureRoleMapping = Record<string, readonly AppRoles[]>;
+type UserRoleMapping = Record<string, readonly AppRoles[]>;
 
 export type ConfigType = {
   GroupRoleMapping: GroupRoleMapping;
   AzureRoleMapping: AzureRoleMapping;
+  UserRoleMapping: UserRoleMapping;
   ValidCorsOrigins: ValueOrArray<OriginType> | OriginFunction;
   AadValidClientId: string;
 };
@@ -51,6 +53,9 @@ const environmentConfig: EnvironmentConfigType = {
       "0": allAppRoles, // Dummy Group for development only
       "1": [], // Dummy Group for development only
     },
+    UserRoleMapping: {
+      "infra-unit-test-nogrp@acm.illinois.edu": [AppRoles.TICKET_SCANNER],
+    },
     AzureRoleMapping: { AutonomousWriters: [AppRoles.EVENTS_MANAGER] },
     ValidCorsOrigins: [
       "http://localhost:3000",
@@ -71,6 +76,9 @@ const environmentConfig: EnvironmentConfigType = {
         AppRoles.SSO_INVITE_USER,
       ], // Exec
     },
+    UserRoleMapping: {
+      "kaavyam2@illinois.edu": [AppRoles.TICKET_SCANNER],
+    },
     AzureRoleMapping: { AutonomousWriters: [AppRoles.EVENTS_MANAGER] },
     ValidCorsOrigins: [
       "https://acm.illinois.edu",
diff --git a/src/plugins/auth.ts b/src/plugins/auth.ts
@@ -192,6 +192,16 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
             });
           }
         }
+        // add user-specific role overrides
+        if (request.username && fastify.environmentConfig.UserRoleMapping) {
+          if (fastify.environmentConfig["UserRoleMapping"][request.username]) {
+            for (const role of fastify.environmentConfig["UserRoleMapping"][
+              request.username
+            ]) {
+              userRoles.add(role);
+            }
+          }
+        }
         if (
           expectedRoles.size > 0 &&
           intersection(userRoles, expectedRoles).size === 0
diff --git a/tests/unit/auth.test.ts b/tests/unit/auth.test.ts
@@ -5,9 +5,14 @@ import {
 } from "@aws-sdk/client-secrets-manager";
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/index.js";
-import { secretJson, secretObject, jwtPayload } from "./secret.testdata.js";
+import {
+  secretJson,
+  secretObject,
+  jwtPayload,
+  jwtPayloadNoGroups,
+} from "./secret.testdata.js";
 import jwt from "jsonwebtoken";
-import { allAppRoles } from "../../src/roles.js";
+import { allAppRoles, AppRoles } from "../../src/roles.js";
 
 const ddbMock = mockClient(SecretsManagerClient);
 
@@ -30,9 +35,16 @@ export function createJwt(date?: Date, group?: string) {
   }
   return jwt.sign(modifiedPayload, jwt_secret, { algorithm: "HS256" });
 }
+
+export function createJwtNoGroups() {
+  const modifiedPayload = jwtPayloadNoGroups;
+  return jwt.sign(modifiedPayload, jwt_secret, { algorithm: "HS256" });
+}
+
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 const testJwt = createJwt();
+const testJwtNoGroups = createJwtNoGroups();
 
 test("Test happy path", async () => {
   ddbMock.on(GetSecretValueCommand).resolves({
@@ -52,3 +64,22 @@ test("Test happy path", async () => {
     roles: allAppRoles,
   });
 });
+
+test("Test user-specific role grants", async () => {
+  ddbMock.on(GetSecretValueCommand).resolves({
+    SecretString: secretJson,
+  });
+  const response = await app.inject({
+    method: "GET",
+    url: "/api/v1/protected",
+    headers: {
+      authorization: `Bearer ${testJwtNoGroups}`,
+    },
+  });
+  expect(response.statusCode).toBe(200);
+  const jsonBody = await response.json();
+  expect(jsonBody).toEqual({
+    username: "infra-unit-test-nogrp@acm.illinois.edu",
+    roles: [AppRoles.TICKET_SCANNER],
+  });
+});
diff --git a/tests/unit/secret.testdata.ts b/tests/unit/secret.testdata.ts
@@ -36,4 +36,30 @@ const jwtPayload = {
   ver: "1.0",
 };
 
-export { secretJson, secretObject, jwtPayload };
+const jwtPayloadNoGroups = {
+  aud: "custom_jwt",
+  iss: "custom_jwt",
+  iat: Math.floor(Date.now() / 1000),
+  nbf: Math.floor(Date.now() / 1000),
+  exp: Math.floor(Date.now() / 1000) + 3600 * 24, // Token expires after 24 hour
+  acr: "1",
+  aio: "AXQAi/8TAAAA",
+  amr: ["pwd"],
+  appid: "your-app-id",
+  appidacr: "1",
+  email: "infra-unit-test-nogrp@acm.illinois.edu",
+  groups: [],
+  idp: "https://login.microsoftonline.com",
+  ipaddr: "192.168.1.1",
+  name: "John Doe",
+  oid: "00000000-0000-0000-0000-000000000000",
+  rh: "rh-value",
+  scp: "user_impersonation",
+  sub: "subject",
+  tid: "tenant-id",
+  unique_name: "infra-unit-test@acm.illinois.edu",
+  uti: "uti-value",
+  ver: "1.0",
+};
+
+export { secretJson, secretObject, jwtPayload, jwtPayloadNoGroups };
