Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

INCIDEN-922: further access control #906

Merged
merged 11 commits into from
Sep 19, 2024
Merged

INCIDEN-922: further access control #906

merged 11 commits into from
Sep 19, 2024

Conversation

Ryan-Andrews99
Copy link
Contributor

@Ryan-Andrews99 Ryan-Andrews99 commented Sep 16, 2024
edited
Loading

Onboarding Feature Deployment

Warning

Pull requests merged to main will be released to production, please ensure the checklist below is complete

Before any work can be merged to main in must meet the definition of done and be ready to deploy. While many of these tasks will be automated, the reviewers must take the responsibility of confirming the checklist below has been completed before this ticket can be merged.

Checklist

  • this pull request meets the acceptance criteria of the ticket

  • this branch is up-to-date with the main branch

    git fetch --all && git rebase origin/main

  • these changes are backwards compatible (no breaking changes)

    • all methods signatures and return values are the same
    • any replaced methods are marked as @deprecated

  • tests have been written to cover any new or updated functionality

  • new configuration parameters have been deployed to all environments, see configuration management.

  • all external infrastructure dependencies have been updated in all environments

Changes

[ please list the changes this pull request is making ]

Added for new features

Changed for changes in existing functionality

  • This implements access controls for the backend lambdas to ensure the user making the request is authorised to update the specific user/service configuration
  • This also enforces that any requests made to this lambda will require an access token
  • Anywhere authorisation is not implemented, I have added a comment explaining why

Deprecated for soon-to-be removed features

Removed for now removed features

Fixed for any bug fixes

Security in case of vulnerabilities

@Ryan-Andrews99 Ryan-Andrews99 force-pushed the inciden-922-further-access-control branch from 90f1fc3 to d223a35 Compare September 16, 2024 10:11
@Ryan-Andrews99 Ryan-Andrews99 force-pushed the inciden-922-further-access-control branch from d223a35 to 51a0eba Compare September 16, 2024 10:18
@Ryan-Andrews99 Ryan-Andrews99 force-pushed the inciden-922-further-access-control branch from 51a0eba to a9e7177 Compare September 16, 2024 11:32
@Ryan-Andrews99
INCIDEN-922: Adds access token to listServices method
b16341a 
Our lambda on the backend will now expect an access token, so we
need to start passing it in the GET request. We already validate the
token so this is just a case of updating the interface and ensuring we pass
it through
@Ryan-Andrews99 Ryan-Andrews99 force-pushed the inciden-922-further-access-control branch from 795f3a5 to 9a0a7bc Compare September 18, 2024 12:54
@Ryan-Andrews99
INCIDEN-922: Adds authorisation to dynamoDb handlers
6b4467c 
We have purposely left getDynamoDBEntriesHandler handler without authorisation
as it is called when a useer may not have an access token present as part of the
forgot password flow. I have also removed including the userEmail in the error message
as this is unneccesary
@Ryan-Andrews99
INCIDEN-922: Adds comment to update lambdas
fce2285 
These lambdas are called by a step function, and the authorisation
happens before they are called. This means we do not need to implment
additonal authorisation here
@Ryan-Andrews99
INCIDEN-922: Adds userId test constant
e0a2c85
@Ryan-Andrews99
INCIDEN-922: Adds authorisation to getUser lambda
379b0a0 
This checks that the user Id included in the request body matches the
userId in the access token
@Ryan-Andrews99
INCIDEN-921: Adds authorisation to the update-client lambda
6330d6c
@Ryan-Andrews99
INCIDEN-922: Removes unused param from method interface
61e03a3 
The updateUser method does not use the cognitoUserId argument, and it is
redundant as the userId provided is the cognitoUserId with a `user#` prefix.
This also makes the lambda code less confusing as where we call the `/update-user`
endpoint the body does not include this value.
@Ryan-Andrews99
INCIDEN-922: Adds authorisation to update user handler
f9a0fd8 
This checks that the userId in the access token matches the userId
in the update request body, ensuring a user can only update their own
entries
@Ryan-Andrews99
INCIDEN-922: Adds access control to the getService handler [deploy]
ffb21b3
@Ryan-Andrews99
INCIDEN-922: Pass access token to delete entries methods [deploy]
ef5c25a 
We're now expecting an access token on the backend, so we
need to start passing it through here not to break any existing
functionality.
@Ryan-Andrews99 Ryan-Andrews99 force-pushed the inciden-922-further-access-control branch from 9a0a7bc to ef5c25a Compare September 18, 2024 13:13
@Ryan-Andrews99 Ryan-Andrews99 added this pull request to the merge queue Sep 19, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Sep 19, 2024
@Ryan-Andrews99 Ryan-Andrews99 added this pull request to the merge queue Sep 19, 2024
Merged via the queue into main with commit 0aa8820 Sep 19, 2024
16 checks passed
@Ryan-Andrews99 Ryan-Andrews99 deleted the inciden-922-further-access-control branch September 19, 2024 10:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CarlyG55 CarlyG55 CarlyG55 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Ryan-Andrews99 @CarlyG55