Support more than one google group for auth #652
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tomrf1
commented
Dec 4, 2024
| @@ -15,9 +15,9 @@ import services.{Athena, Aws, CapiService, DynamoArchivedBannerDesigns, DynamoAr | |||
| import software.amazon.awssdk.services.dynamodb.DynamoDbClient | |||
| import software.amazon.awssdk.services.s3.model.GetObjectRequest | |||
|
|
|||
| class AppComponents(context: Context, stage: String) extends BuiltInComponentsFromContext(context) with AhcWSComponents with NoHttpFiltersComponents with AssetsComponents { | |||
| class AppComponents(context: Context, stage: String) extends BuiltInComponentsFromContext(context) with AhcWSComponents with NoHttpFiltersComponents with AssetsComponents with Filters { | |||
There was a problem hiding this comment.
adding the Filters trait here gives us access to the requireGroup method
tomrf1
commented
Dec 4, 2024
| @@ -50,7 +50,9 @@ class AppComponents(context: Context, stage: String) extends BuiltInComponentsFr | |||
|
|
|||
| private val requiredGoogleGroups: Set[String] = configuration.get[String]("googleAuth.requiredGroups").split(',').toSet | |||
|
|
|||
| private val authAction = new AuthAction[AnyContent](authConfig, controllers.routes.Login.loginAction, controllerComponents.parsers.default)(executionContext) | |||
There was a problem hiding this comment.
here we adapt authAction to also do the group checking
tomrf1
commented
Dec 4, 2024
| @@ -34,7 +33,7 @@ class Login( | |||
| * Looks up user's identity via Google | |||
| */ | |||
| def oauth2Callback: Action[AnyContent] = Action.async { implicit request => | |||
| processOauth2Callback(requiredGoogleGroups, googleGroupChecker) | |||
| processOauth2Callback() | |||
There was a problem hiding this comment.
this means we no longer check group membership during the initial google auth step, and we instead do it on every request
johnduffell
reviewed
Dec 9, 2024
| @@ -48,9 +48,15 @@ class AppComponents(context: Context, stage: String) extends BuiltInComponentsFr | |||
| ) | |||
| } | |||
|
|
|||
| private val twoFactorAuthEnforceGoogleGroup = configuration.get[String]("googleAuth.2faEnforceGroup") | |||
| private val requiredGoogleGroups: Set[String] = configuration.get[String]("googleAuth.requiredGroups").split(',').toSet | |||
There was a problem hiding this comment.
probably should have renamed this to allowedGroups as they are not all required any more
There was a problem hiding this comment.
That is a very good point - it would make it a lot clearer. I'm going to do this in a follow up PR
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We want to allow other groups (24/7 Support, Central Production) to access the RRCP. This is not currently possible - users have to be in the support.admin.console google group.
Before the change:
The server fetches a list of google groups from config. When logging in, a user must be a member of all the configured groups. This list includes a special group for enforcing 2fa, since users must also be in this group.
After the change:
When making any authorised request, a user must be in at least one of the configured groups.
Additionally, we also still need to check that the user is in the special 2fa group. So I have moved this into a separate config item, so that we can check membership of this group separately from the other list of groups.
The change
Previously the group checking was done in
Login.scalaat the point that a user logs in, with the line:processOauth2Callback(requiredGoogleGroups, googleGroupChecker)The google auth library would then use the
googleGroupCheckerto do the check - but this method requires a user to be in all groups, which is not what we want.Instead, we now do the group checking as part of the
authAction, which is created inAppComponents.scala. This method of group checking only requires one group to match.It's a bit confusing that the play google-auth library behaves in two different ways like this. But I can see examples of both methods in our repos.
Testing
Deployed to CODE, and temporarily removed a user from the support.admin.console google group to confirm their access was lost.