Allow for some groups to access all GitHub applications

Members of the infrastructure org, who admin GitHub Enterprise; and the security
managers team, who do security audits, may require broad access to GitHub infra.

This commit allows for inviting them to their respective groups (`ghe_admins` and
`ghe_security-managers`), which will grant them access to any GitHub applications
we have defined. Instead of accepting `2 x <GitHub Organization>` invites they'll
only need to accept `1 + <GitHub Organization>` invites, where that `1 +` happens
when they're onboarded.

Jira: IAM-1021

Author: bheesham

tf/actions/gheGroups.js

@@ -1,6 +1,20 @@
 exports.onExecutePostLogin = async (event, api) => {
   console.log("Running action:", "gheGroups");
 
+  // There's a way for us to store these configs in a "friendlier" way, but the
+  // method we use may change.
+  //
+  // For now it's easier to hard-code these values until we resolve IAM-1499,
+  // "Change the way apps.yaml is accessed".
+  //
+  // TODO(bhee) If in a ~1yr (2026-04-07) we haven't made progress on IAM-1499
+  // or there's too much toil, we should consider stashing a yml file somewhere
+  // and `fetch`ing it here.
+  const GHE_ADMINS_GROUP = "mozilliansorg_ghe_admins";
+
+  // Used in tandem with `securityManagersAllowedApplications`.
+  const GHE_SECURITY_MANAGERS_GROUP = "mozilliansorg_ghe_security-managers";
+
   // Object of applications with a 1:1 mapping of clientID and related group
   const applicationGroupMapping = {
     // Dev applications
@@ -80,6 +94,15 @@ exports.onExecutePostLogin = async (event, api) => {
     JDiNCQVrXzw2ILureegz1T8c3OrUZCUb: "mozilliansorg_ghe_mozilla-firefox_users",
   };
 
+  // The applications to allow a member of `GHE_SECURITY_MANAGERS_GROUP` access
+  // to.
+  //
+  // Right now, defined as all applications. This may change at some point in
+  // the future.
+  const securityManagersAllowedApplications = Object.keys(
+    applicationGroupMapping
+  );
+
   // ClientID isn't mapped here, return callback() and proceed rules processing
   if (applicationGroupMapping[event.client.client_id] === undefined) {
     console.log("Not mapped");
@@ -169,52 +192,71 @@ exports.onExecutePostLogin = async (event, api) => {
     }
   };
 
-  const processProfile = (profile) => {
-    // Create a new URL object
+  const bail = (errorCode) => {
     const gheWikiUrl = new URL("https://wiki.mozilla.org/GitHub/SAML_issues");
-
-    // Set the tenant searchParam
     gheWikiUrl.searchParams.set("auth", event.tenant.id);
+    gheWikiUrl.searchParams.set("dbg", errorCode);
+    api.redirect.sendUserTo(gheWikiUrl.href);
+    return api.access.deny(`Access denied: See ${gheWikiUrl.href}`);
+  };
 
-    let errorCode;
-
-    // Confirm the user has the group defined from mozillians matching the application id
+  // Confirm the user has a githubUsername stored in mozillians and they have
+  // the correct access groups.
+  const processProfile = (profile) => {
+    // Get githubUsername from person api, otherwise we'll redirect
+    let githubUsername;
+    try {
+      githubUsername = profile.usernames.values["HACK#GITHUB"];
+      // If profile does not hold key/value for githubUsername
+      if (githubUsername === undefined) {
+        console.log("githubUsername is undefined");
+        return bail("ghnd");
+      } else if (githubUsername.length === 0) {
+        // If somehow dinopark allows a user to store an empty value
+        console.log("empty HACK#GITHUB");
+        return bail("ghnd");
+      }
+    } catch (err) {
+      console.log("Unable to do the githubUsername lookup: " + err);
+      return bail("ghul");
+    }
+    // Confirm the user has the group defined from mozillians matching the
+    // application's client id.
     if (
-      !event.user.app_metadata.groups?.includes(
+      event.user.app_metadata.groups?.includes(
         applicationGroupMapping[event.client.client_id]
       )
     ) {
-      errorCode = "ghgr";
-    } else {
-      // Get githubUsername from person api, otherwise we'll redirect
-      let githubUsername;
-
-      try {
-        githubUsername = profile.usernames.values["HACK#GITHUB"];
-        // If profile does not hold key/value for githubUsername
-        if (githubUsername === undefined) {
-          console.log("githubUsername is undefined");
-          errorCode = "ghnd";
-        } else if (githubUsername.length === 0) {
-          // If somehow dinopark allows a user to store an empty value
-          console.log("empty HACK#GITHUB");
-          errorCode = "ghnd";
-        }
-      } catch (err) {
-        console.log("Unable to do the githubUsername lookup: " + err);
-        errorCode = "ghul";
-      }
+      console.log(
+        `Granting access for ${githubUsername} (member of the mozillians GHE group)`
+      );
+      return;
     }
-
-    // confirm the user has a githubUsername stored in mozillians, otherwise redirect
-    if (errorCode) {
-      // Set the search parameter error code
-      gheWikiUrl.searchParams.set("dbg", errorCode);
-      // Redirect the user
-      api.redirect.sendUserTo(gheWikiUrl.href);
-      return api.access.deny(`Access denied: See ${gheWikiUrl.href}`);
+    // Or, the member is a part of the security managers group, with specific
+    // access to certain groups.
+    //
+    // See comments for `GHE_SECURITY_MANAGERS_GROUP` and
+    // `securityManagersAllowedApplications`.
+    if (
+      event.user.app_metadata.groups?.includes(GHE_SECURITY_MANAGERS_GROUP) &&
+      securityManagersAllowedApplications.includes(event.client.client_id)
+    ) {
+      console.log(
+        `Granting access for ${githubUsername} (member of the security managers group)`
+      );
+      return;
     }
-    return;
+    // Or, the member is a part of the admins group.
+    if (event.user.app_metadata.groups?.includes(GHE_ADMINS_GROUP)) {
+      console.log(
+        `Granting access for ${githubUsername} (member of the admins group)`
+      );
+      return;
+    }
+    console.log(
+      `Denying access to GHE, not a member; not in security; and not an admin`
+    );
+    return bail("ghgr");
   };
 
   // Main

tf/tests/gheGroups.test.js

@@ -388,3 +388,23 @@ test.each(applicationGroupEntries)(
     expect(api.access.deny).not.toHaveBeenCalled();
   }
 );
+
+test("Member should be allowed if a part of mozilliansorg_ghe_admins", async () => {
+  personResp = { usernames: { values: { "HACK#GITHUB": "jdoegithub" } } };
+  tokenResp = { access_token: "faketoken" };
+  _event.client.client_id = "9MR2UMAftbs6758Rmbs8yZ9Dj5AjeT0P";
+  _event.user.app_metadata.groups = ["mozilliansorg_ghe_admins"];
+  await onExecutePostLogin(_event, api);
+  expect(_event.transaction.redirect_uri).toBe(undefined);
+  expect(api.access.deny).not.toHaveBeenCalled();
+});
+
+test("Member should be allowed if a part of mozilliansorg_ghe_security-managers", async () => {
+  personResp = { usernames: { values: { "HACK#GITHUB": "jdoegithub" } } };
+  tokenResp = { access_token: "faketoken" };
+  _event.client.client_id = "9MR2UMAftbs6758Rmbs8yZ9Dj5AjeT0P";
+  _event.user.app_metadata.groups = ["mozilliansorg_ghe_security-managers"];
+  await onExecutePostLogin(_event, api);
+  expect(_event.transaction.redirect_uri).toBe(undefined);
+  expect(api.access.deny).not.toHaveBeenCalled();
+});