Protect SCIM data (#451)

Audiences currently exposes all default attributes of a resource through the Proxy, including sensitive information. This PR limits the data and filters on the Audiences proxy to what is necessary for the UI: - **Limit data to what the UI need** - **Only filter by displayName containing filter string**
powerhome · Dec 12, 2024 · b662947 · benlangfeld · Dec 26, 2024 · b662947
1 parent 18cac2c
commit b662947
Show file tree

Hide file tree

Showing 11 changed files with 37 additions and 13 deletions.
diff --git a/audiences-react/docs/CHANGELOG.md b/audiences-react/docs/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Unreleased
 
+# Version 1.3.0 (2024-12-12)
+
+- Protect SCIM search from backend [#451](https://github.com/powerhome/audiences/pull/451)
+
 # Version 1.2.1 (2024-08-06)
 
 - Add error handling to audiences form [#372](https://github.com/powerhome/audiences/pull/372)

diff --git a/audiences-react/package.json b/audiences-react/package.json
@@ -1,6 +1,6 @@
 {
   "name": "audiences",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "description": "Audiences SCIM client",
   "files": [
     "dist/*.*",

diff --git a/audiences-react/src/scim.ts b/audiences-react/src/scim.ts
@@ -11,7 +11,7 @@ export function useScim(): UseScimResources {
   const { get } = useFetch(uri)
 
   const filter = async (resourceId: string, displayName: string) => {
-    return await get(`${resourceId}?filter=displayName co "${displayName}"`)
+    return await get(`${resourceId}?filter=${displayName}`)
   }
 
   return { filter }

diff --git a/audiences/Gemfile.lock b/audiences/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    audiences (1.4.0)
+    audiences (1.5.0)
       rails (>= 6.0)
 
 GEM

diff --git a/audiences/app/controllers/audiences/scim_proxy_controller.rb b/audiences/app/controllers/audiences/scim_proxy_controller.rb
@@ -4,7 +4,11 @@ module Audiences
   class ScimProxyController < ApplicationController
     def get
       resources = Audiences::Scim.resource(params[:scim_path].to_sym)
-                                 .query(filter: params[:filter], startIndex: params[:startIndex], count: params[:count])
+                                 .query(
+                                   filter: "displayName co \"#{params[:filter]}\"",
+                                   startIndex: params[:startIndex], count: params[:count],
+                                   attributes: %w[id externalId displayName photos]
+                                 )
 
       render json: resources, except: %w[schemas meta]
     end

diff --git a/audiences/docs/CHANGELOG.md b/audiences/docs/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Unreleased
 
+# Version 1.5.0 (2024-12-12)
+
+- SCIM proxy will only return data used by the UI [#451](https://github.com/powerhome/audiences/pull/451)
+
 # Version 1.4.0 (2024-11-01)
 
 - Add authentication hooks for Audiences controllers [#438](https://github.com/powerhome/audiences/pull/438)

diff --git a/audiences/gemfiles/rails_6_1.gemfile.lock b/audiences/gemfiles/rails_6_1.gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    audiences (1.4.0)
+    audiences (1.5.0)
       rails (>= 6.0)
 
 GEM
@@ -139,7 +139,7 @@ GEM
     parser (3.3.5.0)
       ast (~> 2.4.1)
       racc
-    pg (1.5.8)
+    pg (1.5.9)
     psych (5.1.2)
       stringio
     public_suffix (6.0.1)

diff --git a/audiences/gemfiles/rails_7_0.gemfile.lock b/audiences/gemfiles/rails_7_0.gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    audiences (1.4.0)
+    audiences (1.5.0)
       rails (>= 6.0)
 
 GEM
@@ -145,7 +145,7 @@ GEM
     parser (3.3.5.0)
       ast (~> 2.4.1)
       racc
-    pg (1.5.8)
+    pg (1.5.9)
     psych (5.1.2)
       stringio
     public_suffix (6.0.1)

diff --git a/audiences/gemfiles/rails_7_1.gemfile.lock b/audiences/gemfiles/rails_7_1.gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    audiences (1.4.0)
+    audiences (1.5.0)
       rails (>= 6.0)
 
 GEM
@@ -157,7 +157,7 @@ GEM
     parser (3.3.5.0)
       ast (~> 2.4.1)
       racc
-    pg (1.5.8)
+    pg (1.5.9)
     psych (5.1.2)
       stringio
     public_suffix (6.0.1)

diff --git a/audiences/lib/audiences/version.rb b/audiences/lib/audiences/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Audiences
-  VERSION = "1.4.0"
+  VERSION = "1.5.0"
 end
diff --git a/audiences/spec/controllers/scim_proxy_controller_spec.rb b/audiences/spec/controllers/scim_proxy_controller_spec.rb
@@ -31,11 +31,11 @@
     it "proxies queries with arguments" do
       expect(resource_query).to(
         receive(:query)
-          .with(filter: "name eq John", startIndex: "12", count: "21")
+          .with(hash_including(filter: 'displayName co "John"', startIndex: "12", count: "21"))
           .and_return({ "response" => "body" })
       )
 
-      get :get, params: { scim_path: "MyResources", count: 21, startIndex: 12, filter: "name eq John" }
+      get :get, params: { scim_path: "MyResources", count: 21, startIndex: 12, filter: "John" }
 
       expect(response.parsed_body).to eq({ "response" => "body" })
     end
@@ -51,5 +51,17 @@
 
       expect(response.parsed_body).to eq({ "response" => "body" })
     end
+
+    it "only fetches less sensitive attributes" do
+      expect(resource_query).to(
+        receive(:query)
+          .with(hash_including(attributes: %w[id externalId displayName photos]))
+          .and_return({ "response" => "body" })
+      )
+
+      get :get, params: { scim_path: "MyResources", count: 21, startIndex: 12, filter: "name eq John" }
+
+      expect(response.parsed_body).to eq({ "response" => "body" })
+    end
   end
 end