Create trigger for verifying cloud.gov origin #153
@@ -23,9 +23,33 @@ for db in ${DATABASES}; do | |
|
||
# Special case for uaadb, create totp seed table for use with MFA | ||
# Special case for Shibboleth, create storage records table for use with multi-zone Shibboleth | ||
# Special case for Shibboleth, create function and trigger that verifies origin uaa is set to cloud.gov IdP | ||
if [ "${db}" = "uaadb" ]; then | ||
psql_adm -d "${db}" -c "CREATE TABLE IF NOT EXISTS totp_seed ( username varchar(255) PRIMARY KEY, seed varchar(36), backup_code varchar(36) )" | ||
psql_adm -d "${db}" -c "CREATE TABLE IF NOT EXISTS storagerecords ( context varchar(255) NOT NULL, id varchar(255) NOT NULL, expires bigint DEFAULT NULL, value text NOT NULL, version bigint NOT NULL, PRIMARY KEY (context, id) )" | ||
|
||
psql_adm -d "${db}" -c << EOT | ||
CREATE OR REPLACE FUNCTION "f_isValidEmail"( text ) RETURNS BOOLEAN AS ' | ||
SELECT $1 ~ ''^[^@\s]+@[^@\s]+(\.[^@\s]+)+$'' AS RESULT | ||
' LANGUAGE sql | ||
EOT | ||
psql_adm -d "${db}" -c << EOT | ||
CREATE OR REPLACE FUNCTION "f_enforceCloudGovOrigin"( text ) RETURNS TRIGGER AS $$ | ||
BEGIN | ||
UPDATE users | ||
SET ( origin, externalId ) = ( 'cloud.gov', username ) | ||
WHERE "f_isValidEmail"( username ) AND | ||
origin = 'uaa' AND | ||
verified = false AND | ||
Shouldn't this be:
That would indicate that the user has accepted the invite after those two conditions, yeah?
🤦♂️ YES
||
created::date = passwd_lastmodified::date; | ||
END; | ||
$$ LANGUAGE plpgsql | ||
EOT | ||
psql_adm -d "${db}" -c << EOT | ||
CREATE TRIGGER enforce_cloud_gov_idp_origin_trigger | ||
AFTER INSERT OR UPDATE ON users | ||
Can this be done just on UPDATE? Since UAA inserts the user when it invites (and we never want to do anything then), and then presumably does an UPDATE to set their password / verified flag, which is when we want to catch this?
||
FOR EACH ROW EXECUTE PROCEDURE "f_enforceCloudGovOrigin"() | ||
EOT | ||
fi | ||
|
||
done |
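Review bot: the heredocs that define "f_isValidEmail" and "f_enforceCloudGovOrigin" use an unquoted delimiter (`<< EOT`), so the shell expands `$1` in `SELECT $1 ~ ...` (to the script's first positional argument, normally empty) and `$$` in `AS $$ ... $$ LANGUAGE plpgsql` (to the shell's own PID) before psql ever sees the SQL; quote the delimiter (`<< 'EOT'`) so the text reaches PostgreSQL verbatim. Two further points in the same hunk: `psql_adm -d "${db}" -c << EOT` passes `-c` with no command string while feeding the SQL on stdin, which psql rejects with "option requires an argument" unless the wrapper rewrites its arguments, so either drop `-c` and keep the heredoc on stdin or pass the SQL as the `-c` argument; and the PL/pgSQL body of "f_enforceCloudGovOrigin" never executes a `RETURN`, which PostgreSQL reports the first time the trigger fires as "control reached end of trigger procedure without RETURN", so add `RETURN NULL;` (the value is ignored for an AFTER trigger) before `END;`. Also worth noting that the body is an unscoped `UPDATE users`, so every insert or update rescans and rewrites the whole table instead of acting on the NEW row, and that inner UPDATE re-fires this same trigger (it terminates only because the rewritten rows no longer match `origin = 'uaa'`); restricting the UPDATE to the row identified by NEW would keep the work per row and avoid the re-entry.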
Your call on this, since I don't know the UAA internals, but some inline docs might be useful here. For example, it's not obvious to me why we need the email check, or what exactly the date comparison does.
Thanks, added a comment above the psql_adm command.