Merge pull request #1066 from Nike-Inc/add-admin-groups-CERB-2039

feat: makes the admin group a list of groups
Nike-Inc · Jan 20, 2023 · ce6bba0 · ce6bba0
2 parents 481bb81 + 9f379cf
commit ce6bba0
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 8 deletions.
diff --git a/cerberus-web/src/main/java/com/nike/cerberus/service/AuthenticationService.java b/cerberus-web/src/main/java/com/nike/cerberus/service/AuthenticationService.java
@@ -92,7 +92,7 @@ public class AuthenticationService {
   private final KmsService kmsService;
   private final KmsClientFactory kmsClientFactory;
   private final ObjectMapper objectMapper;
-  private final String adminGroup;
+  private final List<String> adminGroups;
   private final DateTimeSupplier dateTimeSupplier;
   private final AwsIamRoleArnParser awsIamRoleArnParser;
   private final AuthTokenService authTokenService;
@@ -116,7 +116,7 @@ public AuthenticationService(
       KmsClientFactory kmsClientFactory,
       ObjectMapper objectMapper,
       @Value("${cerberus.admin.roles:#{null}}") String adminRoleArns,
-      @Value("${cerberus.admin.group}") String adminGroup,
+      @Value("#{'${cerberus.admin.groups}'.split(',')}") List<String> adminGroups,
       @Value("${cerberus.auth.user.token.maxRefreshCount:#{0}}") int maxTokenRefreshCount,
       DateTimeSupplier dateTimeSupplier,
       AwsIamRoleArnParser awsIamRoleArnParser,
@@ -133,7 +133,7 @@ public AuthenticationService(
     this.kmsClientFactory = kmsClientFactory;
     this.objectMapper = objectMapper;
     this.adminRoleArns = adminRoleArns;
-    this.adminGroup = adminGroup;
+    this.adminGroups = adminGroups;
     this.dateTimeSupplier = dateTimeSupplier;
     this.awsIamRoleArnParser = awsIamRoleArnParser;
     this.maxTokenRefreshCount = maxTokenRefreshCount;
@@ -525,8 +525,11 @@ private AuthTokenResponse generateToken(
     meta.put(CerberusPrincipal.METADATA_KEY_USERNAME, username);
 
     boolean isAdmin = false;
-    if (userGroups.contains(this.adminGroup)) {
-      isAdmin = true;
+    for (String group : this.adminGroups) {
+      if (userGroups.contains(group)) {
+        isAdmin = true;
+        break;
+      }
     }
     meta.put(METADATA_KEY_IS_ADMIN, String.valueOf(isAdmin));
     meta.put(CerberusPrincipal.METADATA_KEY_GROUPS, StringUtils.join(userGroups, ','));

diff --git a/cerberus-web/src/main/resources/cerberus.yaml b/cerberus-web/src/main/resources/cerberus.yaml
@@ -57,9 +57,11 @@ cerberus:
   environmentName: TODO
   admin:
     # These are aws principal that you want to allow to use the admin API
+    # comma-separated string
     roles: ~
-    # The user group that the Cerberus operators belong to, this unlocks admin API perms
-    group: ~
+    # The user groups that the Cerberus operators belong to, this unlocks admin API perms
+    # comma-separated string
+    groups: ~
 
   encryption:
     # comma delimited list of the CMKs for a KMS key that the iam role that Cerberus runs as has access to.

diff --git a/cerberus-web/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java b/cerberus-web/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java
@@ -30,6 +30,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
 import com.nike.backstopper.exception.ApiException;
 import com.nike.cerberus.PrincipalType;
 import com.nike.cerberus.auth.connector.AuthConnector;
@@ -96,7 +97,7 @@ public void setup() {
             kmsClientFactory,
             objectMapper,
             "foo",
-            "groups",
+            Lists.newArrayList("group1", "group2", "group3"),
             MAX_LIMIT,
             dateTimeSupplier,
             awsIamRoleArnParser,