Merge pull request #144 from hmcts/marty/DTSPO-15781-bugfix

Updating functions for role/group assignment to be more specific when searching for the base User group

apps.yaml

@@ -2,8 +2,6 @@ apps:
   - name: "My app101"
     externalUrl: "https://my-app.app-proxy-poc.sandbox.platform.hmcts.net"
     logoUrl: https://raw.githubusercontent.com/hmcts/azure-app-proxy/main/logos/incident-bot.png
-    appRoleAssignments:
-      - Test app
     internalUrl: "https://my-on-bau101.sandbox.platform.hmcts.net"
     userAssignmentRequired: true
     tls:
@@ -18,13 +16,17 @@ apps:
       optionalClaims:
         - name: "groups"
           additionalProperties: []
+    appRoleAssignments:
+      - Test app
+      - test_group_A
     appRoles:
       - displayName: "A first app role"
         description: "Some description"
         value: "testing"
         id: "aa9aaaaa-2aa8-49aa-954a-a3aaaa08aaa3"
         groups:
           - "test_group_A"
+          - "Test app"
       - displayName: "My second app role"
         description: "Some description"
         value: "testing_again"

src/applicationManager.test.ts

@@ -19,11 +19,12 @@ import { DefaultAzureCredential } from "@azure/identity";
 import { expect, describe, test, beforeAll, afterEach } from "vitest";
 import { defaultOnPremisesFlags } from "./configuration";
 import {
-  assignGroups,
+  assignUserRoleToGroups,
   readServicePrincipal,
   setUserAssignmentRequired,
   isAppRoleAssignedToGroup,
   getEntraGroupId,
+  getAppRoleId,
 } from "./servicePrincipalManager";
 import * as process from "process";
 
@@ -147,7 +148,8 @@ describe("applicationManager", () => {
       objectId: appDetails.servicePrincipalObjectId,
       assignmentRequired: false,
     });
-    await assignGroups({
+
+    await assignUserRoleToGroups({
       token,
       objectId: appDetails.servicePrincipalObjectId,
       groups: [groupNameForRoleAssignments],
@@ -187,14 +189,21 @@ describe("applicationManager", () => {
       applicationId: appDetails.applicationId,
     });
 
+    let testAppRoleId = await getAppRoleId({
+      token,
+      objectId: appDetails.servicePrincipalObjectId,
+      displayName: application.appRoles[0].displayName,
+    }); // Find app role id
+
     expect(application.appRoles[0].displayName).toEqual("Some name");
     expect(
       await isAppRoleAssignedToGroup({
         token,
         groupId: groupId,
         objectId: appDetails.servicePrincipalObjectId,
+        appRoleId: testAppRoleId,
       }),
-    ).toEqual(true);
+    ).toBeTruthy();
     expect(application.groupMembershipClaims).toEqual("SecurityGroup");
     expect(application.optionalClaims.saml2Token[0].name).toEqual("groups");
 

src/main.ts

@@ -16,7 +16,7 @@ import {
 } from "./applicationManager.js";
 import { loadApps } from "./configuration.js";
 import {
-  assignGroups,
+  assignUserRoleToGroups,
   setUserAssignmentRequired,
   enableSaml,
 } from "./servicePrincipalManager.js";
@@ -82,7 +82,8 @@ for await (const app of apps) {
       objectId: servicePrincipalObjectId,
       assignmentRequired: app.appRoleAssignmentRequired,
     });
-    await assignGroups({
+
+    await assignUserRoleToGroups({
       token,
       objectId: servicePrincipalObjectId,
       groups: app.appRoleAssignments,

src/servicePrincipalManager.ts

@@ -77,21 +77,33 @@ export async function findExistingServicePrincipal({
   return undefined;
 }
 
-async function getAppRoleId(objectId: string, token: string) {
-  const result = await fetch(
-    `https://graph.microsoft.com/beta/servicePrincipals/${objectId}/appRoles`,
-    {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${token}`,
-      },
+export async function getAppRoleId({
+  token,
+  objectId,
+  displayName,
+}: {
+  token: string;
+  objectId: string;
+  displayName: string;
+}) {
+  const url = `https://graph.microsoft.com/beta/servicePrincipals/${objectId}/appRoles`;
+
+  const result = await fetch(url, {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${token}`,
     },
-  );
+  });
 
-  await errorHandler("finding app roles", result);
+  await errorHandler("finding app role Id", result);
 
   const body = await result.json();
-  return body.value[0].id;
+  var appRole = body.value.find(
+    (element: any) => element.displayName === displayName,
+  );
+
+  console.log("App Role Id for role:", displayName, "found:", appRole.id);
+  return appRole.id;
 }
 
 export async function getEntraGroupId(groupName: string, token: string) {
@@ -114,10 +126,12 @@ export async function isAppRoleAssignedToGroup({
   groupId,
   objectId,
   token,
+  appRoleId,
 }: {
   groupId: string;
   objectId: string;
   token: string;
+  appRoleId: string;
 }) {
   const result = await fetch(
     `https://graph.microsoft.com/v1.0/groups/${groupId}/appRoleAssignments?$filter=resourceId eq ${objectId}`,
@@ -129,14 +143,16 @@ export async function isAppRoleAssignedToGroup({
     },
   );
 
-  await errorHandler("finding if app role is already assigned", result);
+  await errorHandler("Checking if app role is already assigned", result);
 
   const body = await result.json();
+  const appRole =
+    body.value.find((element: any) => element.appRoleId === appRoleId) || false;
 
-  return body.value.length === 1;
+  return appRole;
 }
 
-async function assignGroup({
+async function assignRoleToGroup({
   group,
   token,
   objectId,
@@ -153,6 +169,7 @@ async function assignGroup({
     groupId,
     objectId,
     token,
+    appRoleId,
   });
 
   if (appRoleAssignedAlready) {
@@ -184,7 +201,7 @@ async function assignGroup({
   }
 }
 
-export async function assignGroups({
+export async function assignUserRoleToGroups({
   token,
   objectId,
   groups,
@@ -194,10 +211,14 @@ export async function assignGroups({
   token: string;
 }) {
   if (groups.length > 0) {
-    const appRoleId = await getAppRoleId(objectId, token);
+    const appRoleId = await getAppRoleId({
+      token,
+      objectId,
+      displayName: "User",
+    }); // Find User app role id
 
     for await (const group of groups) {
-      await assignGroup({ group, token, objectId, appRoleId });
+      await assignRoleToGroup({ group, token, objectId, appRoleId });
     }
   }
 }