Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle scenario when Entra Application have Group as member #34594

Merged
merged 12 commits into from May 15, 2024
Merged

Handle scenario when Entra Application have Group as member #34594

merged 12 commits into from May 15, 2024

Conversation

jingcheng16
Copy link
Contributor

@jingcheng16 jingcheng16 commented May 10, 2024
edited

Technical Summary

Ticket: https://dimagi.atlassian.net/browse/SAAS-15528

When get all roles from an entra application, Microsoft Graph can return User, Group, ServicePrincipal. We don't handle the ServicePrincipal for now, because it means another entra application, which is too complicated for now.

This PR add the support for Group. It will query all members of the group, and add all users in that group to the user_ids set. We won't consider members in the nested group, because Microsoft explicitly said: "When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups."

Review by commit 馃悺

Safety Assurance

Safety story

Tested on staging.
I've tested 4 scenarios:

  1. The enterprise application only have individual members
  2. The enterprise application only have groups
  3. The enterprise application have both individual members and groups
  4. The enterprise application have no group and no individual member

Automated test coverage

QA Plan

No QA ... ?

Rollback instructions

  • This PR can be reverted after deploy with no further considerations

Labels & Review

  • Risk label is set correctly
  • The set of people pinged as reviewers is appropriate for the level of risk of the change

@jingcheng16 jingcheng16 marked this pull request as ready for review May 10, 2024 03:58
@jingcheng16 jingcheng16 requested a review from biyeun as a code owner May 10, 2024 03:58
@jingcheng16 jingcheng16 added the product/all-users-all-environments Change impacts all users on all environments label May 10, 2024
@jingcheng16
Do not query user name with empty user id set
e6ea8aa
@jingcheng16
Only consider direct user in a group
4e0632b 
"When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups."
biyeun
biyeun reviewed May 13, 2024
View reviewed changes
corehq/apps/sso/utils/entra.py Outdated
else:
# Service Principal represents an application
# Which make the query too complicated
raise NotImplementedError("The application have Service Principal member")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how will the user see this error message if this is raised? Is this an error message the user will see directly? Also, should one ServicePrincipal member trigger a failure for the whole task?

Suggested rewrite of error message:

Suggested change
raise NotImplementedError("The application have Service Principal member")
raise NotImplementedError("ServicePrincipal members are not supported. Please include only Users or Groups as members of this SSO application.")

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Biyeun, user won't see this error message, this will only be raised as MSGraphIssue.OTHER_ERROR, should we send this to user?

should one ServicePrincipal member trigger a failure for the whole task?

Are you saying we still processed other members in this idp but skip the Service Principal only?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

Nested applications (ServicePrincipal members) are not supported. Please include only Users or Groups as members of this SSO application

We should send this to the user and we should not complete the task in this case, as the list of users would be incomplete

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed in 451b524

jingcheng16 and others added 3 commits May 13, 2024 11:03
@jingcheng16 @biyeun
Update error message
bc607ef 
Co-authored-by: Biyeun <bbuczyk@dimagi.com>
@jingcheng16
lint
0094585
@jingcheng16
Send error message to user
451b524
biyeun
biyeun reviewed May 14, 2024
View reviewed changes
corehq/apps/sso/exceptions.py Outdated

class EntraUnsupportedType(Exception):
def __init__(self, message):
super().__init__(f"{message}")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't message always a string?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes! You're right. Fixed in f65a830

@jingcheng16 jingcheng16 requested a review from biyeun May 14, 2024 23:41
@jingcheng16 jingcheng16 merged commit f085c61 into master May 15, 2024
13 checks passed
@jingcheng16 jingcheng16 deleted the jc/query-member-in-entra-group branch May 15, 2024 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@biyeun biyeun biyeun approved these changes

@millerdev millerdev Awaiting requested review from millerdev

@mjriley mjriley Awaiting requested review from mjriley

@gherceg gherceg Awaiting requested review from gherceg

Assignees
No one assigned
Labels
product/all-users-all-environments Change impacts all users on all environments
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jingcheng16 @biyeun