Add a service account. #130
Conversation
plietar
force-pushed
the
service-user
branch
from
4652b88
to
726b921
Compare
| @@ -0,0 +1,10 @@ | |||
| WITH inserted_user AS ( | |||
There was a problem hiding this comment.
I intentionally did not add a service role for the user. I don't think it is useful, and it opens the door to modifying that role through the API, which I'd rather avoid.
If we ever have a use case for it we can add it later as another migration.
| @@ -62,12 +51,22 @@ class BaseRoleService( | |||
| return saveRole(createRole.name, permissions) | |||
| } | |||
|
|
|||
| override fun createUsernameRole(username: String): Role | |||
There was a problem hiding this comment.
This renames and changes the semantics of getUsernameRole a bit.
I found it confusing that a method called get has side-effects. I also don't think there's ever a valid use-case for returning an existing role, and it was opening up the door to someone creating a GitHub account whose username collides with an existing role, thereby gaining all of that roles permissions.
|
It's not really ready yet, but if you are curious you can look at #131 for how this gets used. |
plietar
force-pushed
the
service-user
branch
from
726b921
to
ca88e5c
Compare
plietar
force-pushed
the
service-user
branch
from
ca88e5c
to
2915d60
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #130 +/- ##
==========================================
+ Coverage 96.71% 96.91% +0.19%
==========================================
Files 125 125
Lines 1156 1166 +10
Branches 317 319 +2
==========================================
+ Hits 1118 1130 +12
+ Misses 36 34 -2
Partials 2 2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
plietar
force-pushed
the
service-user
branch
4 times, most recently
from
438a85b
to
37f8836
Compare
As part of adding support for authentication from OIDC tokens for GitHub actions, we need a user that we can assign to the tokens we issue. This adds a new user source, called "service", and populates the database with one of these accounts. The service user is hidden from the API, and therefore is not visible in the control panel. Moreover, it cannot be given additional roles and permissions. The service user has the ADMIN role, but in practice when issuing the access tokens we will restrict the actual scopes given to each token. As a precaution, I added some checks to make sure the different user sources cannot use users created by another.
plietar
force-pushed
the
service-user
branch
from
37f8836
to
7381cec
Compare
As part of adding support for authentication from OIDC tokens for GitHub actions, we need a user that we can assign to the tokens we issue. This adds a new user source, called "service", and populates the database with one of these accounts.
The service user is hidden from the API, and therefore is not visible in the control panel. Moreover, it cannot be given additional roles and permissions.
The service user has the ADMIN role, but in practice when issuing the access tokens we will restrict the actual scopes given to each token. As a precaution, I added some checks to make sure the different user sources cannot use users created by another.