

feat: add check for enterprise github cloud (#3069)
* feat: add check for enterprise github cloud

* moved configuration under scm

* feat: update scm-base/github version

---------

Co-authored-by: pritamstyz4ever <pritam.paul@yahooinc.com>
pritamstyz4ever and pritamstyz4ever committed Mar 25, 2024
1 parent e2cfd14 commit 114b910
Showing 3 changed files with 123 additions and 4 deletions.
6 changes: 3 additions & 3 deletions package.json
Expand Up @@ -105,7 +105,7 @@
"screwdriver-config-parser": "^9.0.0",
"screwdriver-coverage-bookend": "^2.0.0",
"screwdriver-coverage-sonar": "^4.1.1",
"screwdriver-data-schema": "^v23.0.0",
"screwdriver-data-schema": "^23.0.0",
"screwdriver-datastore-sequelize": "^8.1.1",
"screwdriver-executor-base": "^9.0.1",
"screwdriver-executor-docker": "^6.0.0",
Expand All @@ -118,9 +118,9 @@
"screwdriver-notifications-email": "^3.0.0",
"screwdriver-notifications-slack": "^5.0.0",
"screwdriver-request": "^2.0.1",
"screwdriver-scm-base": "^8.1.1",
"screwdriver-scm-base": "^8.2.0",
"screwdriver-scm-bitbucket": "^5.0.1",
"screwdriver-scm-github": "^12.2.4",
"screwdriver-scm-github": "^12.4.0",
"screwdriver-scm-gitlab": "^3.1.0",
"screwdriver-scm-router": "^7.0.0",
"screwdriver-template-validator": "^7.0.0",
13 changes: 13 additions & 0 deletions plugins/auth/login.js
Expand Up @@ -105,6 +105,19 @@ function addOAuthRoutes(config) {
return boom.forbidden(`User ${userDisplayName} is not allowed access`);
}

// check enterprise github cloud
if (config.scm.gheCloud) {
const isEnterpriseUser = await userFactory.scm.isEnterpriseUser({
token: accessToken,
login: username,
slug: config.scm.gheCloudSlug
});

if (!isEnterpriseUser) {
return boom.forbidden(`User ${username} is not allowed access`);
}
}

// Log that the user has authenticated
request.log(['auth'], `${userDisplayName} has logged in via OAuth`);

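Review bot: The new `userFactory.scm.isEnterpriseUser({ token: accessToken, login: username, slug: config.scm.gheCloudSlug })` call carries no `scmContext`, yet `userFactory.scm` appears to be the scm-router listed in package.json and the test suite wires several scms through `bell: scm.scms`; if the router picks the backing scm from a `scmContext` field the way its other methods do, a login through a non-GitHub context would be mis-routed or throw inside this handler, so confirm the dispatch and pass the same `scmContext` the handler already gives to `userFactory.get` (visible in the test's expectation). The denial branch returns `boom.forbidden` with no log entry, unlike the success path two lines below that calls `request.log(['auth'], ...)`; an audit line via `request.log(['auth'], ...)` naming the rejected user and the configured slug, placed before the `return`, gives operators a record of rejected enterprise logins. `config.scm.gheCloudSlug` is also read without any check that it is set when `gheCloud` is true, so unless the plugin's option schema (outside the hunk) requires it, an undefined slug is handed straight to the membership query; a guard such as `if (config.scm.gheCloud && !config.scm.gheCloudSlug) throw new Error('scm.gheCloudSlug is required when scm.gheCloud is enabled');` at registration would fail early. addOAuthRoutes begins and continues outside the hunk.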
108 changes: 107 additions & 1 deletion test/plugins/auth.test.js
Expand Up @@ -73,6 +73,7 @@ describe('auth plugin test', () => {
const hashingPassword = 'this_is_another_password_that_needs_to_be_atleast_32_characters';
const oauthRedirectUri = 'https://myhost.com/api';
const authPlugins = ['@hapi/cookie', '@hapi/bell', 'hapi-auth-jwt2', 'hapi-auth-bearer-token'];
const gheCloudSlug = 'ghec-slug';

beforeEach(async () => {
scm = {
Expand All @@ -96,7 +97,8 @@ describe('auth plugin test', () => {
}
},
autoDeployKeyGenerationEnabled: sinon.stub().returns(true),
decorateAuthor: sinon.stub()
decorateAuthor: sinon.stub(),
isEnterpriseUser: sinon.stub().resolves(false)
};
userFactoryMock = {
get: sinon.stub(),
Expand Down Expand Up @@ -751,6 +753,110 @@ describe('auth plugin test', () => {
assert.notCalled(userFactoryMock.create);
}));

describe('ghe cloud', () => {
beforeEach(async () => {
server = new hapi.Server({
port: 1234
});

server.app.userFactory = userFactoryMock;
server.app.collectionFactory = collectionFactoryMock;

authPlugins.forEach(async pluginName => {
/* eslint-disable global-require, import/no-dynamic-require */
await server.register({
plugin: require(pluginName)
});
/* eslint-enable global-require, import/no-dynamic-require */
});

await server.register({
/* eslint-disable global-require */
plugin: require('@hapi/crumb'),
/* eslint-enable global-require */
options: {
cookieOptions: {
isSecure: false
},
restful: true,
skip: request =>
// Skip crumb validation when the request is authorized with jwt or the route is under webhooks
!!request.headers.authorization ||
!!request.route.path.includes('/webhooks') ||
!!request.route.path.includes('/auth/')
}
});
});

afterEach(() => {
server = null;
});

describe('gheCloud flag', async () => {
beforeEach(async () => {
await server.register({
plugin,
options: {
cookiePassword,
encryptionPassword,
hashingPassword,
scm: {
...scm,
gheCloud: true,
gheCloudSlug
},
jwtPrivateKey,
jwtPublicKey,
jwtQueueServicePublicKey,
https: false,
allowGuestAccess: true,
sameSite: false,
bell: scm.scms,
path: '/'
}
});
});

it('returns 200 for enterprise users if gheCloud is enabled', () => {
userFactoryMock.get.resolves(null);
userFactoryMock.create.resolves({});
scm.isEnterpriseUser.resolves(true);
collectionFactoryMock.list.resolves([]);

return server.inject(options).then(reply => {
assert.equal(reply.statusCode, 302, 'Login route should be available');
assert.equal(reply.headers.location, '/v4/auth/token');
assert.calledWith(userFactoryMock.get, { username, scmContext });
assert.calledWith(userFactoryMock.create, {
username,
scmContext,
token
});
assert.calledWith(scm.isEnterpriseUser, {
token,
login: username,
slug: 'ghec-slug'
});
});
});
it('returns forbidden for non enterprise users if gheCloud is enabled', () => {
userFactoryMock.get.resolves(null);

return server.inject(options).then(reply => {
assert.equal(reply.statusCode, 403, 'Login route should be available');
assert.notOk(reply.result.token, 'Token not returned');
assert.equal(reply.result.message, `User ${username} is not allowed access`);
assert.notCalled(userFactoryMock.get);
assert.calledWith(scm.isEnterpriseUser, {
token,
login: username,
slug: 'ghec-slug'
});
});
});
});
});

describe('with whitelist', () => {
beforeEach(async () => {
server = new hapi.Server({
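Review bot: The test titled `'returns 200 for enterprise users if gheCloud is enabled'` asserts `reply.statusCode` is 302 and a redirect to `/v4/auth/token`, so the title misdescribes what it checks; rename it to `'returns 302 for enterprise users if gheCloud is enabled'`, and in the forbidden test the 403 assertion still carries the copied message `'Login route should be available'`, which should read `'Login should be forbidden for non enterprise users'`. `describe('gheCloud flag', async () => {` declares an async suite callback that the suite runner does not await and that contains no `await`; drop the `async`. In the new `beforeEach`, `authPlugins.forEach(async pluginName => { await server.register(...) })` never waits for the registrations, so the crumb registration below is not guaranteed to run after them; if this mirrors the existing suites it is at least consistent, but `for (const pluginName of authPlugins) { await server.register({ plugin: require(pluginName) }); }` would make the setup order deterministic.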
