Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create a JSON file to store permission scopes required for ScubaGear #1380

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

MichaelHicks-MSFT
Copy link

@MichaelHicks-MSFT MichaelHicks-MSFT commented Oct 28, 2024

🗣 Description

Permissions file containing current SCuBAGear permissions mapping.

💭 Motivation and context

Added permissions file to allow centralized management of all SCuBAGear Microsoft Graph permissions.

🧪 Testing

Testing was conducted across commercial and gcchigh tenants. Created PowerShell code that imported the JSON file and made connections to Microsoft Graph utilizing the permission scopes defined under Permission within the ScubaGearGraphScopes section of the file.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@buidav buidav added the enhancement This issue or pull request will add new or improve existing functionality label Oct 28, 2024
@buidav buidav added this to the Kraken milestone Oct 28, 2024
@buidav buidav linked an issue Oct 28, 2024 that may be closed by this pull request
Copy link
Collaborator

@tkol2022 tkol2022 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Can you move the file from the /Connection folder to a new /Permissions folder instead?
  • I noticed you removed the ScubaGearSPPermissions node. In the future ScubaGear will have a utility script that helps users register a service principal to run the tool. Is the thought that our new utility script can just filter the GraphCmdLetPermissions node for entries that are of runtype = application and just use that list to create the needed permissions for the service principal in Entra Id?
  • We need to add the following REST APIs as entries to the GraphCmdLetPermissions node along with their associated required permissions. Entra Id now includes direct calls to REST APIs without Cmdlets and therefore we need to ensure those permissions are represented.
    • /beta/roleManagement/directory/roleEligibilityScheduleInstances
    • /beta/roleManagement/directory/roleAssignmentScheduleInstances
    • /beta/identityGovernance/privilegedAccess/group/eligibilityScheduleInstances
    • /beta/privilegedAccess/aadGroups/resources

@schrolla schrolla removed the request for review from mitchelbaker-cisa November 4, 2024 18:16
@mitchelbaker-cisa mitchelbaker-cisa changed the title Create ScubaGear-Permissions.json Create a JSON file to store permission scopes required for ScubaGear Nov 5, 2024
Copy link
Collaborator

@schrolla schrolla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor recommendation for the format as we've had code trip over string vs list values before when it isn't consistent.

{
"description": "This section contains the needed Microsoft Graph permissions if aad is selected when running ScubaGear for the ProductName parameter",
"url": "https://github.com/cisagov/ScubaGear/blob/main/docs/prerequisites/interactive.md#application-permissions",
"Product": "aad",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Product key appears to accept values that are either a single string or a list of strings. Recommend making it require a list that can include a singleton or empty set to ease processing. I note that runType and cmdlet can similarly contain a single value, but are always represented as a list, so changing Product to match would provide more internal consistency.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement This issue or pull request will add new or improve existing functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Abstract out permissions to a separate JSON file
5 participants