Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support adding/removing superuser role via API #1078

Merged
merged 1 commit into from
Nov 26, 2023
Merged

Support adding/removing superuser role via API #1078

merged 1 commit into from
Nov 26, 2023
+253 −20

Conversation

ljdelight
Copy link
Contributor

Create endpoints and service startup code to support adding/removing superuser roles via the API. Only existing superuser are authorized to make the calls.

Check user grants to determine if they're a superuser:

  • Javascript
    • const isSuperUser = data.grants.some(grant => grant.role === -1);
  • Curl
    • curl -s -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/user/whoami' | jq '{userId: .id, grants: [.grants[] | select(.role == -1)]}'

Get the current superusers:

curl -i -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/superusers'

Show that a super cannot demote themselves:

$ curl -s -i -H "apiKey: $apiKey" -X DELETE 'http://localhost:9000/api/v2/superuser/2'
HTTP/1.1 403 Forbidden
Vary: Origin
Date: Fri, 24 Nov 2023 19:40:06 GMT
Content-Type: application/json
Content-Length: 71

{"status":"Forbidden","message":"A superuser cannot demote themselves"}

A super cannot demote the system superuser:

$ curl -s -i -H "apiKey: $apiKey" -X DELETE 'http://localhost:9000/api/v2/superuser/-999'
HTTP/1.1 403 Forbidden
Vary: Origin
Date: Fri, 24 Nov 2023 19:40:52 GMT
Content-Type: application/json
Content-Length: 85

{"status":"Forbidden","message":"The system super user is not allowed to be removed"}

Example showing what it looks like when uid=2 promotes uid=3 to a superuser. The user is fetched before and after to show that the backend user cache is updated.

$ curl -s -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/user/3' | jq '{userId: .id, grants: [.grants[] | select(.role == -1)]}'
{
  "userId": 3,
  "grants": []
}


$ curl -s -i -H "apiKey: $apiKey" -X PUT 'http://localhost:9000/api/v2/superuser/3'
HTTP/1.1 204 No Content
Vary: Origin
Date: Fri, 24 Nov 2023 19:41:58 GMT


$ curl -s -i -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/superusers'
HTTP/1.1 200 OK
Vary: Origin
Date: Fri, 24 Nov 2023 19:42:30 GMT
Content-Type: application/json
Content-Length: 10

[2,3,-999]


$ curl -s -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/user/3' | jq '{userId: .id, grants: [.grants[] | select(.role == -1)]}'
{
  "userId": 3,
  "grants": [
    {
      "id": 887,
      "name": "Grant superuser role on uid=3 (osm_id=18133), requested by uid=2",
      "grantee": {
        "granteeType": 5,
        "granteeId": 3
      },
      "role": -1,
      "target": {
        "objectType": 0,
        "objectId": 0
      }
    }
  ]
}

Example showing what it looks like when uid=3 removes the superuser role from uid=2. The user is fetched before and after to show that the backend user cache is updated.

$ curl -s -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/user/2' | jq '{userId: .id, grants: [.grants[] | select(.role == -1)]}'
{
  "userId": 2,
  "grants": [
    {
      "id": 879,
      "name": "User 2 has Superuser",
      "grantee": {
        "granteeType": 5,
        "granteeId": 2
      },
      "role": -1,
      "target": {
        "objectType": 0,
        "objectId": 0
      }
    }
  ]
}



$ curl -s -i -H "apiKey: $apiKey" -X DELETE 'http://localhost:9000/api/v2/superuser/2'
HTTP/1.1 204 No Content
Vary: Origin
Date: Fri, 24 Nov 2023 19:57:29 GMT


$ curl -s -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/user/2' | jq '{userId: .id, grants: [.grants[] | select(.role == -1)]}'
{
  "userId": 2,
  "grants": []
}


$ curl -s -i -H "apiKey: $apiKey" -X GET 'http://localhost:9000/api/v2/superusers'
HTTP/1.1 200 OK
Vary: Origin
Date: Fri, 24 Nov 2023 19:58:11 GMT
Content-Type: application/json
Content-Length: 8

[3,-999]

@ljdelight
Support adding/removing superuser role via API
f6a2f97 
Create endpoints and service startup code to support adding/removing
superuser roles via the API. Only existing superuser are authorized to
make the calls.
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Nov 24, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 2 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@ljdelight ljdelight merged commit e7b00ab into main Nov 26, 2023
7 checks passed
@ljdelight ljdelight deleted the ljdelight/superusers branch November 26, 2023 01:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jschwarz2030 jschwarz2030 jschwarz2030 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ljdelight @jschwarz2030