Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TOAZ-363] Allow UAMI accounts to be added to service admin whitelist #1466

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from

Conversation

bennettn4
Copy link

Ticket: (https://broadworkbench.atlassian.net/browse/TOAZ-363)

What:

UAMI accounts do not have OIDC_email field populated through accesstoken, need to be dynamically built from b2cid

Why:

Needed if Thurloe is running as a user assigned managed identity on azure and needs service account admin whitelist

How:

Additional check in service account admin whitelist based UAMI email


PR checklist

  • I've followed the instructions if I've made any changes to the API, especially if they're breaking changes
  • I've filled out the Security Risk Assessment (requires Broad Internal network access) and attached the result to the JIRA ticket

UAMI accounts will not have oidc email field populated through token, need to be dynamically built
Needed if Thurloe is running as an UAMI and needs service account admin whitelist
Swapped boolean logic to allow if either condition is true as opposed to reject if both conditions are false
Added helper function to verify email oidcHeader is empty to clean up logic in route slightly and remove edge case of [email protected] being a potentially valid value in serviceAccountAdmin configuration
Copy link

sonarcloud bot commented Jul 1, 2024

@bennettn4 bennettn4 requested a review from dvoet July 2, 2024 02:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants