Merge pull request #438 from dividehex/remove_unused_rules

Clean up and remove unused rules
mozilla-iam · Jul 10, 2023 · 31852c1 · 31852c1
2 parents d8fe5dd + ab77451
commit 31852c1
Show file tree

Hide file tree

Showing 24 changed files with 28 additions and 525 deletions.
diff --git a/rules/AccessRules.js b/rules/AccessRules.js
@@ -112,9 +112,33 @@ function AccessRules(user, context, callback) {
 
   // Process the access cache decision
   function access_decision(access_rules, access_file_conf) {
-    // Use whatever is available from the group struct. Sometimes there's a race condition where user.app_metadata.*
-    // isnt reintegrated to user.* for example
-    var groups = user.app_metadata.groups || user.ldap_groups || user.groups || [];
+    // Ensure we have the correct group data
+    user.app_metadata = user.app_metadata || {};
+    user.app_metadata.groups = user.app_metadata.groups || [];
+    user.identities = user.identities || [];
+    user.ldap_groups = user.ldap_groups || [];
+    user.groups = user.groups || [];
+
+    // With account linking its possible that LDAP is not the main account on contributor LDAP accounts
+    // Here we iterate over all possible user identities and build an array of all groups from them
+    var _profile;
+    var profile_groups = [];
+    for (var i = 0, len = user.identities.length;i<len;i++) {
+      _profile = user.identities[i];
+      if ('profileData' in _profile) {
+        if ('groups' in _profile.profileData) {
+          Array.prototype.push.apply(profile_groups, _profile.profileData.groups);
+        }
+      }
+    }
+
+    // Collect all variations of groups and merge them together for access evaluation
+    var groups = Array.prototype.concat(user.app_metadata.groups, user.ldap_groups, user.groups, profile_groups)
+
+    // Inject the everyone group and filter for duplicates
+    groups.push("everyone")
+    groups = groups.filter((value, index, array) => array.indexOf(value) === index);
+
     // This is used for authorized user/groups
     var authorized = false;
     // Defaut app requested aal to MEDIUM for all apps which do not have this set in access file

diff --git a/rules/Everyone-is-in-the-everyone-group.js b/rules/Everyone-is-in-the-everyone-group.js
diff --git a/rules/Everyone-is-in-the-everyone-group.json b/rules/Everyone-is-in-the-everyone-group.json
diff --git a/rules/GHE-Groups.js b/rules/GHE-Groups.js
@@ -53,6 +53,7 @@ function GHEGroups(user, context, callback) {
     'AgiLB9xCoW4beavY9z7UuvO36DLmdwJ1': 'mozilliansorg_ghe_mozilla-rally_users',
     'QfJVAjXlaGzpCo5S48J9D38QvIfhlYzF': 'mozilliansorg_ghe_mozilladatascience_users',
     'UwUgLsXH6YtrWLATQpTuil2iNilYGGhF': 'mozilliansorg_ghe_mozilla-services_users',
+    'RLPUxhCQsmmRHyOmDOGkLpu1mArNH3xn': 'mozilliansorg_ghe_firefoxux_users',
   };
 
   const fetch = require('[email protected]');

diff --git a/rules/HRIS-is-staff.js b/rules/HRIS-is-staff.js
diff --git a/rules/HRIS-is-staff.json b/rules/HRIS-is-staff.json
diff --git a/rules/temporary-update-at-conformance.js → rules/OIDC-conformance-workaround.js b/rules/temporary-update-at-conformance.js → rules/OIDC-conformance-workaround.js
diff --git a/rules/temporary-update-at-conformance.json → rules/OIDC-conformance-workaround.json b/rules/temporary-update-at-conformance.json → rules/OIDC-conformance-workaround.json
diff --git a/rules/README.md b/rules/README.md
@@ -43,24 +43,14 @@ This is the list of keys we're using for secrets (and abuse for certain configur
 - `force-ldap-logins-over-ldap.js` Ensure LDAP users only login with LDAP (i.e. "Staff uses Staff login"). This
   forbids using passwordless, GitHub, etc. login methods with a `@mozilla.com` email for example.
 - `CIS-Claims-fixups.js` Adds custom OIDC claims in our namespace, like groups or AAI
-- `CIS-New-User-hook.js` Invoke the Auth0 CIS Publisher hook with a user_id, in order to notify it of potentially new
   or modified users.
-- `Everyone-is-in-the-everyone-group.js` Adds all users in a group called `everyone` to function correctly with the
   apps.yml file, which assume you have this group, historically
 - `Global-Function-Declarations.js` A place to have a cache of functions. This cache dies when the webtasks die, so
   every 60s
-- `SAML-AWS-consolidatedbilling-readonly.js` Custom claim mapping for SAML
-- `SAML-AWS-mozillaiam-account-readonly.js` Ditto
-- `SAML-temporary-AWS-consolidatedbilling-admin.js` Ditto
 - `SAML-test-mozilla-com-google.js` Ditto
 - `SAML-thinksmart.js` Ditto
 - `gcp-gsuite-SAML-claims.js` Ditto
 - `default-deny-for-maintenance.js` A default "OFF" rule, that can be manually turned on to refuse all logins and
   indicate to the user that we're in maintenance mode. Used for emergencies only!
-- `temporary-LDAP-re-reintegration.js` Temporary rule that reintegrates LDAP groups to the profile. This should be
-  removed and replaced by person-api v2 calls eventually
-  available.
-- `temporary-hris-connector.js` Temporary rule that fix the missing `hris_is_staff` group for Mozillians.org, until
-  person-apiv2 is available.
 - `link-users-by-email-with-metadata.js` Links user profiles by primary email (GH [email protected] and FxA [email protected] become the same
   profile). The user profile to be main (ie main user_id) is decided by ratcheting logic.
diff --git a/rules/hris-is-staff overrides.js b/rules/hris-is-staff overrides.js
diff --git a/rules/hris-is-staff overrides.json b/rules/hris-is-staff overrides.json
diff --git a/rules/restricted-users.js b/rules/restricted-users.js
diff --git a/rules/restricted-users.json b/rules/restricted-users.json
diff --git a/rules/security-block-ips.js b/rules/security-block-ips.js
diff --git a/rules/security-block-ips.json b/rules/security-block-ips.json
diff --git a/rules/temporary-LDAP-re-reintegration.js b/rules/temporary-LDAP-re-reintegration.js
diff --git a/rules/temporary-LDAP-re-reintegration.json b/rules/temporary-LDAP-re-reintegration.json
diff --git a/tests/Everyone-is-in-the-everyone-group.test.js b/tests/Everyone-is-in-the-everyone-group.test.js