Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict VEDA master realm access to members of Github team #13

Closed
alukach opened this issue Jan 17, 2025 · 2 comments
Closed

Restrict VEDA master realm access to members of Github team #13

alukach opened this issue Jan 17, 2025 · 2 comments
Assignees
@lahirujayathilake

Comments

@alukach
Copy link
Member

alukach commented Jan 17, 2025
edited
Loading

Currently, the VEDA master realm admin access is granted to anyone who is a member of the NASA-IMPACT GitHub organization. This is achieved via our custom GithubOrgIdentityProvider:

veda-keycloak/keycloak/providers/github-org-identity-provider/src/main/java/org/nasa/impact/keycloak/provider/GithubOrgIdentityProvider.java

Lines 51 to 64 in e2bfc70

private boolean checkOrganizationMembership(String accessToken, String organization, String username) {
// https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#check-organization-membership-for-a-user
String orgUrl = apiUrl + String.format("/orgs/%s/members/%s", organization, username);
try {
SimpleHttp.Response response = SimpleHttp.doGet(orgUrl, session)
.header("Authorization", "Bearer " + accessToken)
.header("Accept", "application/json")
.asResponse();
int statusCode = response.getStatus();
return statusCode == 204;
} catch (IOException e) {
throw new IdentityBrokerException("Could not verify organization membership", e);
}
}

We should alter this provider to additionally check for the membership of a team within the Github org, e.g. veda-auth. This will allow for a more narrowly scoped group of users to have such privileges.

API Docs: https://docs.github.com/en/rest/teams/members?apiVersion=2022-11-28#get-team-membership-for-a-user
@alukach alukach mentioned this issue Jan 23, 2025
Open
4 tasks
@j08lue j08lue mentioned this issue Jan 30, 2025
Closed
@lahirujayathilake lahirujayathilake mentioned this issue Feb 4, 2025
Merged
@lahirujayathilake
Copy link
Contributor

PR - #43

@alukach
Copy link
Member Author

alukach commented Feb 6, 2025

Closed by #43

@alukach alukach closed this as completed Feb 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lahirujayathilake lahirujayathilake

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alukach @lahirujayathilake