feat: makes the admin group a list of groups
This allows multiple groups to be granted application-level admin access.
jharen committed Jan 19, 2023
1 parent 481bb81 commit 9f379cf
Showing 3 changed files with 14 additions and 8 deletions.
Expand Up @@ -92,7 +92,7 @@ public class AuthenticationService {
private final KmsService kmsService;
private final KmsClientFactory kmsClientFactory;
private final ObjectMapper objectMapper;
private final String adminGroup;
private final List<String> adminGroups;
private final DateTimeSupplier dateTimeSupplier;
private final AwsIamRoleArnParser awsIamRoleArnParser;
private final AuthTokenService authTokenService;
Expand All @@ -116,7 +116,7 @@ public AuthenticationService(
KmsClientFactory kmsClientFactory,
ObjectMapper objectMapper,
@Value("${cerberus.admin.roles:#{null}}") String adminRoleArns,
@Value("${cerberus.admin.group}") String adminGroup,
@Value("#{'${cerberus.admin.groups}'.split(',')}") List<String> adminGroups,
@Value("${cerberus.auth.user.token.maxRefreshCount:#{0}}") int maxTokenRefreshCount,
DateTimeSupplier dateTimeSupplier,
AwsIamRoleArnParser awsIamRoleArnParser,
Expand All @@ -133,7 +133,7 @@ public AuthenticationService(
this.kmsClientFactory = kmsClientFactory;
this.objectMapper = objectMapper;
this.adminRoleArns = adminRoleArns;
this.adminGroup = adminGroup;
this.adminGroups = adminGroups;
this.dateTimeSupplier = dateTimeSupplier;
this.awsIamRoleArnParser = awsIamRoleArnParser;
this.maxTokenRefreshCount = maxTokenRefreshCount;
Expand Down Expand Up @@ -525,8 +525,11 @@ private AuthTokenResponse generateToken(
meta.put(CerberusPrincipal.METADATA_KEY_USERNAME, username);

boolean isAdmin = false;
if (userGroups.contains(this.adminGroup)) {
isAdmin = true;
for (String group : this.adminGroups) {
if (userGroups.contains(group)) {
isAdmin = true;
break;
}
}
meta.put(METADATA_KEY_IS_ADMIN, String.valueOf(isAdmin));
meta.put(CerberusPrincipal.METADATA_KEY_GROUPS, StringUtils.join(userGroups, ','));
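Review bot: The membership loop `for (String group : this.adminGroups)` uses the injected list as-is, but the SpEL expression `'${cerberus.admin.groups}'.split(',')` neither trims whitespace nor drops empty elements, so a value such as `ops, security` never matches a user group named `security`, and an empty value (cerberus.yaml ships `groups: ~`) would, if the placeholder resolves to an empty string, yield a one-element list containing `""`. Because this comparison decides `METADATA_KEY_IS_ADMIN`, an empty entry would grant admin to any principal whose group list happens to contain an empty string; whether the auth connector can produce one is not visible here. Normalising once in the constructor hunk keeps the check strict: `this.adminGroups = adminGroups.stream().map(String::trim).filter(g -> !g.isEmpty()).collect(Collectors.toList());` with a comment that entries are matched exactly against the connector's group names. Both the constructor and generateToken extend beyond the hunks shown.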
6 changes: 4 additions & 2 deletions cerberus-web/src/main/resources/cerberus.yaml
Expand Up @@ -57,9 +57,11 @@ cerberus:
environmentName: TODO
admin:
# These are aws principal that you want to allow to use the admin API
# comma-separated string
roles: ~
# The user group that the Cerberus operators belong to, this unlocks admin API perms
group: ~
# The user groups that the Cerberus operators belong to, this unlocks admin API perms
# comma-separated string
groups: ~

encryption:
# comma delimited list of the CMKs for a KMS key that the iam role that Cerberus runs as has access to.
Expand Up @@ -30,6 +30,7 @@

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Lists;
import com.nike.backstopper.exception.ApiException;
import com.nike.cerberus.PrincipalType;
import com.nike.cerberus.auth.connector.AuthConnector;
Expand Down Expand Up @@ -96,7 +97,7 @@ public void setup() {
kmsClientFactory,
objectMapper,
"foo",
"groups",
Lists.newArrayList("group1", "group2", "group3"),
MAX_LIMIT,
dateTimeSupplier,
awsIamRoleArnParser,
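Review bot: Passing `Lists.newArrayList("group1", "group2", "group3")` in setup() only shows the constructor accepts a list; nothing in this hunk exercises the new multi-group check in generateToken, unless it is covered elsewhere in the test class outside the hunk. A test asserting that a principal whose only matching group is `group3` gets `METADATA_KEY_IS_ADMIN` set to `"true"`, and one whose groups overlap none of the three gets `"false"`, would pin the loop's behaviour, including the early `break`. As a minor style point, the Guava import is added solely for a fixed three-element list where `Arrays.asList("group1", "group2", "group3")` or `List.of(...)` would do without a new dependency on this class. The rest of setup() lies outside the hunk.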