From f3dc122c3f2cb6bb79e49d89154488d884cbdb86 Mon Sep 17 00:00:00 2001
From: bennettn4
Date: Wed, 26 Jun 2024 14:20:33 -0400
Subject: [PATCH 1/2] allow uami accounts to be serviceAccountAdmins

UAMI accounts will not have oidc email field populated through token, need to be dynamically built

Needed if Thurloe is running as an UAMI and needs service account admin whitelist
---
 .../dsde/workbench/sam/api/StandardSamUserDirectives.scala | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
index 5c0ef7378..bd32aa1f0 100644
--- a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
+++ b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
@@ -49,7 +49,10 @@ trait StandardSamUserDirectives extends SamUserDirectives with LazyLogging with
   def asAdminServiceUser: Directive0 = requireOidcHeaders.flatMap { oidcHeaders =>
     Directives
       .mapInnerRoute { r =>
-        if (!adminConfig.serviceAccountAdmins.contains(oidcHeaders.email)) {
+        if (
+          !adminConfig.serviceAccountAdmins.contains(oidcHeaders.email) &&
+          !adminConfig.serviceAccountAdmins.contains(WorkbenchEmail(s"${oidcHeaders.externalId.map(_.value).toOption.orNull}@uami.terra.bio"))
+        ) {
           reject(AuthorizationFailedRejection)
         } else {
           logger.info(s"Handling request for service admin account: ${oidcHeaders.email}")

From ea359701ed0994c4ab517a75dafe378ab117b05c Mon Sep 17 00:00:00 2001
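Review bot: The success branch still records `oidcHeaders.email`, which is exactly the field this change admits as empty for a UAMI caller, so an admin request authorized through the synthesized `@uami.terra.bio` address is written to the audit log with a blank identity; the same `logger.info` line is kept unchanged when the second patch rewrites this `if`. Log the identity that was actually matched, for example `logger.info(s"Handling request for service admin account: ${oidcHeaders.email} (externalId: ${oidcHeaders.externalId})")`, so the service-admin trail names the principal in both cases. The enclosing `asAdminServiceUser` directive continues past the end of the hunk.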
From: bennettn4
Date: Mon, 1 Jul 2024 10:29:33 -0400
Subject: [PATCH 2/2] boolean logic update and helper function

Swapped boolean logic to allow if either condition is true as opposed to reject if both conditions are false

Added helper function to verify email oidcHeader is empty to clean up logic in route slightly and remove edge case of null@uami.terra.bio being a potentially valid value in serviceAccountAdmin configuration
---
 .../sam/api/StandardSamUserDirectives.scala | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
index bd32aa1f0..4b0573bea 100644
--- a/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
+++ b/src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
@@ -50,13 +50,13 @@ trait StandardSamUserDirectives extends SamUserDirectives with LazyLogging with
     Directives
       .mapInnerRoute { r =>
         if (
-          !adminConfig.serviceAccountAdmins.contains(oidcHeaders.email) &&
-          !adminConfig.serviceAccountAdmins.contains(WorkbenchEmail(s"${oidcHeaders.externalId.map(_.value).toOption.orNull}@uami.terra.bio"))
+          adminConfig.serviceAccountAdmins.contains(oidcHeaders.email) ||
+          isServiceAccountAdminUami(oidcHeaders)
         ) {
-          reject(AuthorizationFailedRejection)
-        } else {
           logger.info(s"Handling request for service admin account: ${oidcHeaders.email}")
           r
+        } else {
+          reject(AuthorizationFailedRejection)
         }
       }
       .tflatMap(_ => logAdminServiceAdminUserRequestResult(oidcHeaders))
@@ -113,6 +113,11 @@ trait StandardSamUserDirectives extends SamUserDirectives with LazyLogging with
     )
   }
 
+  private def isServiceAccountAdminUami(oidcHeaders: OIDCHeaders) = {
+    val maybeUamiEmail = oidcHeaders.externalId.map(b2cId => WorkbenchEmail(s"${b2cId.value}@uami.terra.bio")).toOption
+    oidcHeaders.email.value.isEmpty && maybeUamiEmail.isDefined && adminConfig.serviceAccountAdmins.contains(maybeUamiEmail.get)
+  }
+
   private def logAdminServiceAdminUserRequestResult(oidcHeaders: OIDCHeaders): Directive0 = {
     def logRequest(unusedLogger: LoggingAdapter)(req: HttpRequest)(res: RouteResult): Unit =
       res match {
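Review bot: `maybeUamiEmail.get` in the new helper is a partial call guarded only by the `isDefined` just before it; `oidcHeaders.email.value.isEmpty && maybeUamiEmail.exists(adminConfig.serviceAccountAdmins.contains)` is equivalent and removes the `.get` entirely. The helper also carries no return type and no comment stating the trust assumption it encodes, which matters for an authorization decision: a Scaladoc along the lines of "True when the caller presents no email claim but its external id, mapped to <id>@uami.terra.bio, is listed in serviceAccountAdmins; an email-bearing caller never matches here" would document why an empty email is required. The `.toOption` suggests `externalId` is an `Either`, so presumably only its Right side (apparently an Azure B2C id, from the lambda name) can ever produce a match — worth confirming that the Left variant is intentionally excluded from this path. `logAdminServiceAdminUserRequestResult` continues outside the hunk.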