
16815 authz design #17094

Open · wants to merge 5 commits into base: main

Conversation

jalbinson (Collaborator)

This PR documents a new design for authorizing endpoints in ReportStream.

Linked Issues

@jalbinson jalbinson requested a review from a team as a code owner January 17, 2025 19:54
github-actions bot (Contributor) commented Jan 17, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.


github-actions bot (Contributor) commented Jan 17, 2025

Test Results

1 272 tests ±0: 1 268 ✅ ±0, 4 💤 ±0, 0 ❌ ±0
165 suites ±0, 165 files ±0, 7m 27s ⏱️ (-9s)

Results for commit cfbe8ed. ± Comparison against base commit 1564839.

♻️ This comment has been updated with latest results.

github-actions bot (Contributor) commented Jan 17, 2025

Integration Test Results

60 files, 60 suites, 43m 34s ⏱️
428 tests: 418 ✅, 10 💤, 0 ❌
431 runs: 421 ✅, 10 💤, 0 ❌

Results for commit cfbe8ed.



## Setting up a new user

In this system, setting up a new user would be quite easy. Create the user in Okta and then add it the required
Collaborator commented:

Suggested change
- In this system, setting up a new user would be quite easy. Create the user in Okta and then add it the required
+ In this system, setting up a new user would be quite easy. Create the user in Okta and then add it to the required


We will also need to keep these profiles up to date; therefore, we would need some sort of daily job to check that groups
arnejduranovic (Collaborator) commented Jan 21, 2025:
I think there may be more thinking to do here when we design this CLI (if we decide to go this way). Perhaps the CLI tool doesn't just update the profiles but we also use it to create/update applications as well (so a more full-featured CLI) and don't do anything in the Okta GUI for applications so as to not confuse things? Does this sound reasonable/plausible?


### Spring

In Spring we can leverage method security. This allows us to write custom predicates in SpEL (Spring expression language)
Collaborator commented:
Note that this only applies to Submission microservice at the moment, right?


| Scope | Actions | Okta Group |
|-------------|---------------------------------------------------------------|-------------------------|
| super_admin | Anything! (org membership does not matter) | ReportStream-SuperAdmin |
Collaborator commented:
I'm confused about Okta Group as shown here? So a User (or App?) can be a member of these groups and in addition there will be groups for each Sender/Receiver Organization, like "CA_PHD"? If this is correct, can we update the claims example that's lower down to show how/where these groups would appear?
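
Neither the Spring method-security paragraph nor the scope table above shows how Okta group membership actually reaches a SpEL predicate, which is the gap the comment above points at. The following is an added example written for this page; it is not code from the ReportStream repository or from the design document. It shows one way to wire the two together in Spring Security 6: a `JwtAuthenticationConverter` maps a `groups` claim on the Okta access token into granted authorities (`ReportStream-SuperAdmin` becomes the `super_admin` authority from the table, every other group becomes an `org:<name>` membership authority), and a `@PreAuthorize` expression consults those authorities through a custom bean. The `groups` claim name, the `org:` prefix, the `orgAuthz` bean and the `/api/orgs/{orgName}/reports` endpoint are assumptions for illustration only; the design has not yet fixed how groups appear in the claims.

```java
// Added example for this review thread, not ReportStream code.
// ASSUMPTION: the Okta access token carries a "groups" claim listing group
// names such as "ReportStream-SuperAdmin" (from the scope table) or an
// organization group such as "CA_PHD" (mentioned in the comment above).
package example.authz;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize / SpEL method security
class AuthzConfig {

    static final String SUPER_ADMIN_GROUP = "ReportStream-SuperAdmin"; // Okta group from the table
    static final String SUPER_ADMIN_SCOPE = "super_admin";             // scope from the table
    static final String ORG_PREFIX = "org:";                            // hypothetical authority prefix

    /** Map the entries of the Okta "groups" claim to Spring authorities. */
    static Collection<GrantedAuthority> authoritiesFromGroups(List<String> groups) {
        List<GrantedAuthority> out = new ArrayList<>();
        if (groups == null) {
            return out; // no claim at all: no authorities, every org check fails closed
        }
        for (String group : groups) {
            if (SUPER_ADMIN_GROUP.equals(group)) {
                out.add(new SimpleGrantedAuthority(SUPER_ADMIN_SCOPE));
            } else {
                // every other group is treated as membership in an organization
                out.add(new SimpleGrantedAuthority(ORG_PREFIX + group));
            }
        }
        return out;
    }

    /** Converter plugged into the resource-server JWT support. */
    static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(
                jwt -> authoritiesFromGroups(jwt.getClaimAsStringList("groups")));
        return converter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Signature, issuer and expiry checks are done by the JwtDecoder that
        // Spring builds from spring.security.oauth2.resourceserver.jwt.issuer-uri;
        // this converter only reads claims the decoder has already validated.
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(
                    jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }
}

/** Bean referenced from SpEL as @orgAuthz (hypothetical name). */
@Component("orgAuthz")
class OrgAuthz {
    public boolean isMember(Authentication auth, String orgName) {
        String wanted = AuthzConfig.ORG_PREFIX + orgName;
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (wanted.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

@RestController
class ReportsController {
    // super_admin bypasses the org check ("org membership does not matter" in the table);
    // everyone else must carry the org:<orgName> authority for the org in the path.
    // #orgName resolves to the parameter only if compiled with -parameters (Spring Boot
    // does this by default); otherwise annotate it with @P("orgName").
    @PreAuthorize("hasAuthority('super_admin') or @orgAuthz.isMember(authentication, #orgName)")
    @GetMapping("/api/orgs/{orgName}/reports")
    public String listReports(@PathVariable String orgName) {
        return "reports for " + orgName; // placeholder body
    }
}
```

Two things worth checking before adopting a shape like this: `authoritiesFromGroups` is a pure function, so a unit test can pin the mapping (an empty or missing claim must yield no authorities, and only the exact `ReportStream-SuperAdmin` string may yield `super_admin`); and whether Okta actually emits a `groups` claim depends on how the authorization server is configured, which is exactly the point the comment above asks the design to document.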

Labels: platform (Platform Team)
Projects: None yet
Linked issue (may be closed by merging): Design and Document Modern and Secure AuthZ Strategy First Draft
2 participants