Clean up and remove unused rules

rules/AccessRules.js

@@ -115,6 +115,12 @@ function AccessRules(user, context, callback) {
     // Use whatever is available from the group struct. Sometimes there's a race condition where user.app_metadata.*
     // isnt reintegrated to user.* for example
     var groups = user.app_metadata.groups || user.ldap_groups || user.groups || [];
+
+    // Inject the everyone group and filter duplicates
+    groups.push("everyone")
+    groups = groups.filter((value, index, array) => array.indexOf(value) === index);
+
+
     // This is used for authorized user/groups
     var authorized = false;
     // Defaut app requested aal to MEDIUM for all apps which do not have this set in access file

rules/README.md

@@ -43,15 +43,10 @@ This is the list of keys we're using for secrets (and abuse for certain configur
 - `force-ldap-logins-over-ldap.js` Ensure LDAP users only login with LDAP (i.e. "Staff uses Staff login"). This
   forbids using passwordless, GitHub, etc. login methods with a `@mozilla.com` email for example.
 - `CIS-Claims-fixups.js` Adds custom OIDC claims in our namespace, like groups or AAI
-- `CIS-New-User-hook.js` Invoke the Auth0 CIS Publisher hook with a user_id, in order to notify it of potentially new
   or modified users.
-- `Everyone-is-in-the-everyone-group.js` Adds all users in a group called `everyone` to function correctly with the
   apps.yml file, which assume you have this group, historically
 - `Global-Function-Declarations.js` A place to have a cache of functions. This cache dies when the webtasks die, so
   every 60s
-- `SAML-AWS-consolidatedbilling-readonly.js` Custom claim mapping for SAML
-- `SAML-AWS-mozillaiam-account-readonly.js` Ditto
-- `SAML-temporary-AWS-consolidatedbilling-admin.js` Ditto
 - `SAML-test-mozilla-com-google.js` Ditto
 - `SAML-thinksmart.js` Ditto
 - `gcp-gsuite-SAML-claims.js` Ditto
@@ -60,7 +55,6 @@ This is the list of keys we're using for secrets (and abuse for certain configur
 - `temporary-LDAP-re-reintegration.js` Temporary rule that reintegrates LDAP groups to the profile. This should be
   removed and replaced by person-api v2 calls eventually
   available.
-- `temporary-hris-connector.js` Temporary rule that fix the missing `hris_is_staff` group for Mozillians.org, until
   person-apiv2 is available.
 - `link-users-by-email-with-metadata.js` Links user profiles by primary email (GH [email protected] and FxA [email protected] become the same
   profile). The user profile to be main (ie main user_id) is decided by ratcheting logic.

rules/temporary-LDAP-re-reintegration.js

@@ -19,24 +19,4 @@ function temporaryLDAPReReintergration(user, context, callback) {
       }
     }
   }
-
-  // This is a work-around because the SSO Dashboard apps.yml authorization rules
-  // decided to have a group that's called `everyone` hardcoded, even though no such group exists
-  // This rule hard codes it for all users, as it is meant to represent, well, every user.
-  // Without this rule, users would otherwise be denied access when an RP has an authorization of "`everyone`" in the SSO Dashboard apps.yml
-  Array.prototype.push.apply(groups, ['everyone']);
-  Array.prototype.push.apply(groups, user.app_metadata.groups);
-  Array.prototype.push.apply(groups, user.groups);
-  groups = Array.from(new Set(groups));
-  user.groups = groups;
-  user.app_metadata.groups = groups;
-  auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
-     .then(function(){
-       console.log("reintegration complete for " + user.user_id);
-       return callback(null, user, context);
-     })
-     .catch(function(err){
-       console.log(err);
-       return callback(err);
-  });
 }