screwdriver-api 6.0.8 → 6.0.10

package/config/custom-environment-variables.yaml

@@ -31,9 +31,16 @@ auth:
   whitelist:
     __name: SECRET_WHITELIST
     __format: json
+  allowList:
+    __name: SECRET_ALLOW_LIST
+    __format: json
   admins:
     __name: SECRET_ADMINS
     __format: json
+  sdAdmins:
+    __name: SECRET_SD_ADMINS
+    __format: json
+  authCheckById: AUTH_CHECK_BY_ID
   # Default session timeout (in minutes)
   sessionTimeout: SESSION_TIMEOUT
   # Oauth redirect uri, configure this if your app is not running at root under the host

package/config/default.yaml

@@ -32,10 +32,33 @@ auth:
   https: false
   # A flag to set if you want guests to browse your pipelines
   allowGuestAccess: false
-  # Whitelist of users able to authenticate against the system
+  # Deprecated. Instead, use allowList which is more secure.
+  # List of users able to authenticate against the system
   # if empty, it allows everyone
+  # Values should follow '{scmDisplayName:scmUsername}' format
+  # Ex: ['github:john', 'bitbucket:john']
   whitelist: []
+  # list of users able to authenticate against the system
+  # if empty, it allows everyone
+  # Values should follow '{scmDisplayName:scmUsername:scmUserId}' format
+  # Ex: ['github:john:12345', 'bitbucket:john:{98fsa1ba-0b91-4e3c-95ee-55899e933b0}']
+  allowList: []
+  # Deprecated. Instead, use sdAdmins which is more secure.
+  # List of users who should be given screwdriver admin privileges
+  # Values should follow '{scmDisplayName:scmUsername}' format
+  # Ex: ['github:john', 'bitbucket:john']
   admins: []
+  # List of users who should be given screwdriver admin privileges
+  # Values should follow '{scmDisplayName:scmUsername:scmUserId}' format
+  # Ex: ['github:john:12345', 'bitbucket:john:{98fsa1ba-0b91-4e3c-95ee-55899e933b0}']
+  sdAdmins: []
+  # When set to true
+  #  - grant admin privileges to the users listed in 'sdAdmins'
+  #  - only authenticate the users listed in 'allowList'
+  # When set to false, performs
+  #  - grant admin privileges to the users listed in 'admins'
+  #  - only authenticate the users listed in 'whitelist'
+  authCheckById: true
   # Default session timeout (in minutes)
   sessionTimeout: 120
   # SameSite Cookie Option

package/lib/server.js

@@ -201,7 +201,7 @@ module.exports = async config => {
         server.app.buildFactory.apiUri = server.info.uri;
         server.app.buildFactory.tokenGen = (buildId, metadata, scmContext, expiresIn, scope = ['temporal']) =>
             server.plugins.auth.generateToken(
-                server.plugins.auth.generateProfile(buildId, scmContext, scope, metadata),
+                server.plugins.auth.generateProfile(buildId, null, scmContext, scope, metadata),
                 expiresIn
             );
         server.app.buildFactory.executor.tokenGen = server.app.buildFactory.tokenGen;
@@ -209,7 +209,7 @@ module.exports = async config => {
         server.app.jobFactory.apiUri = server.info.uri;
         server.app.jobFactory.tokenGen = (username, metadata, scmContext, scope = ['user']) =>
             server.plugins.auth.generateToken(
-                server.plugins.auth.generateProfile(username, scmContext, scope, metadata)
+                server.plugins.auth.generateProfile(username, null, scmContext, scope, metadata)
             );
         server.app.jobFactory.executor.userTokenGen = server.app.jobFactory.tokenGen;
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "screwdriver-api",
-  "version": "6.0.8",
+  "version": "6.0.10",
   "description": "API server for the Screwdriver.cd service",
   "main": "index.js",
   "scripts": {

package/plugins/auth/index.js

@@ -60,8 +60,11 @@ const AUTH_PLUGIN_SCHEMA = joi.object().keys({
     jwtPrivateKey: joi.string().required(),
     jwtPublicKey: joi.string().required(),
     jwtQueueServicePublicKey: joi.string().required(),
+    authCheckById: JOI_BOOLEAN.default(true),
     whitelist: joi.array().default([]),
+    allowList: joi.array().default([]),
     admins: joi.array().default([]),
+    sdAdmins: joi.array().default([]),
     bell: joi.object().required(),
     scm: joi.object().required(),
     sessionTimeout: joi.number().integer().positive().default(120),
@@ -95,12 +98,13 @@ const authPlugin = {
          * Generates a profile for storage in cookie and jwt
          * @method generateProfile
          * @param  {String}        username   Username of the person
+         * @param  {String}        scmUserId  User ID in the SCM
          * @param  {String}        scmContext Scm to which the person logged in belongs
          * @param  {Array}         scope      Scope for this profile (usually build or user)
          * @param  {Object}        metadata   Additonal information to tag along with the login
          * @return {Object}                   The profile to be stored in jwt and/or cookie
          */
-        server.expose('generateProfile', (username, scmContext, scope, metadata) => {
+        server.expose('generateProfile', (username, scmUserId, scmContext, scope, metadata) => {
             const profile = { username, scmContext, scope, ...(metadata || {}) };
 
             if (pluginOptions.jwtEnvironment) {
@@ -110,10 +114,13 @@ const authPlugin = {
             if (scmContext) {
                 const { scm } = pluginOptions;
                 const scmDisplayName = scm.getDisplayName({ scmContext });
-                const userDisplayName = `${scmDisplayName}:${username}`;
+                const userDisplayName = pluginOptions.authCheckById
+                    ? `${scmDisplayName}:${username}:${scmUserId}`
+                    : `${scmDisplayName}:${username}`;
+                const admins = pluginOptions.authCheckById ? pluginOptions.sdAdmins : pluginOptions.admins;
 
                 // Check admin
-                if (pluginOptions.admins.length > 0 && pluginOptions.admins.includes(userDisplayName)) {
+                if (admins.length > 0 && admins.includes(userDisplayName)) {
                     profile.scope.push('admin');
                 }
             }

package/plugins/auth/login.js

@@ -32,7 +32,13 @@ function addGuestRoute(config) {
                     }
 
                     const username = `guest/${uuidv4()}`;
-                    const profile = request.server.plugins.auth.generateProfile(username, null, ['user', 'guest'], {});
+                    const profile = request.server.plugins.auth.generateProfile(
+                        username,
+                        null,
+                        null,
+                        ['user', 'guest'],
+                        {}
+                    );
 
                     // Log that the user has authenticated
                     request.log(['auth'], `${username} has logged in`);
@@ -81,14 +87,23 @@ function addOAuthRoutes(config) {
                 const { userFactory } = request.server.app;
                 const { collectionFactory } = request.server.app;
                 const accessToken = request.auth.credentials.token;
-                const { username } = request.auth.credentials.profile;
-
-                const profile = request.server.plugins.auth.generateProfile(username, scmContext, ['user'], {});
+                const { username, id: scmUserId } = request.auth.credentials.profile;
+
+                const profile = request.server.plugins.auth.generateProfile(
+                    username,
+                    scmUserId,
+                    scmContext,
+                    ['user'],
+                    {}
+                );
                 const scmDisplayName = await userFactory.scm.getDisplayName({ scmContext });
-                const userDisplayName = `${scmDisplayName}:${username}`;
+                const userDisplayName = config.authCheckById
+                    ? `${scmDisplayName}:${username}:${scmUserId}`
+                    : `${scmDisplayName}:${username}`;
+                const allowList = config.authCheckById ? config.allowList : config.whitelist;
 
                 // Check whitelist
-                if (config.whitelist.length > 0 && !config.whitelist.includes(userDisplayName)) {
+                if (allowList.length > 0 && !allowList.includes(userDisplayName)) {
                     return boom.forbidden(`User ${userDisplayName} is not allowed access`);
                 }
 

package/plugins/auth/token.js

@@ -39,10 +39,12 @@ module.exports = () => ({
                 const job = await jobFactory.get(build.jobId);
                 const pipeline = pipelineFactory.get(job.pipelineId);
 
-                profile = request.server.plugins.auth.generateProfile(request.params.buildId, pipeline.scmContext, [
-                    'build',
-                    'impersonated'
-                ]);
+                profile = request.server.plugins.auth.generateProfile(
+                    request.params.buildId,
+                    null,
+                    pipeline.scmContext,
+                    ['build', 'impersonated']
+                );
                 profile.token = request.server.plugins.auth.generateToken(profile);
 
                 request.cookieAuth.set(profile);

package/plugins/builds/token.js

@@ -56,6 +56,7 @@ module.exports = () => ({
                     const token = request.server.plugins.auth.generateToken(
                         request.server.plugins.auth.generateProfile(
                             profile.username,
+                            null,
                             profile.scmContext,
                             ['build'],
                             jwtInfo

package/plugins/pipelines/caches/request.js

@@ -36,7 +36,7 @@ async function invoke(request) {
     const { username, scmContext } = auth.credentials;
 
     const token = request.server.plugins.auth.generateToken(
-        request.server.plugins.auth.generateProfile(username, scmContext, ['sdapi'], { pipelineId })
+        request.server.plugins.auth.generateProfile(username, null, scmContext, ['sdapi'], { pipelineId })
     );
 
     const options = {