secureCodeBox / engine

Part of the deprecated secureCodeBox v1, see secureCodeBox/secureCodeBox Repo for v2
Apache License 2.0

Configure multiple users, groups and tenants via the application.yaml config #115

Closed J12934 closed 4 years ago

J12934 commented 4 years ago

Currently the secureCodeBox has a pretty static default user, group and tenant config. You can create one admin user and one user for the scanner. Groups get created by default, but you can't add new groups or remove groups you don't need without changing the code. Tenants can only be created by hand via the UI.

This Pull Request allows passing in a list of users, groups and tenants via the Spring Boot application.yaml config file. All elements in these lists will then be created on engine startup. Existing user accounts will not be changed.

The values are mostly intended to be used to create individual technical users for the different scanners connecting against the engine, not to set up actual human users, as the password for the account needs to be configured via the config. This would mean that a central instance would need to have access to all user passwords, which would be bad.

The existing securecodebox.rest.user.scanner.user-id & securecodebox.rest.user.scanner.password are considered deprecated and will be removed with the next major release (v2).

The camunda.bpm.admin-user property is unaffected by this addition as it is a direct mechanism from Camunda.

An example config might look something like the following:

```yaml
tenants:
  - id: companyInternal
    name: 'company Internal'
users:
  - id: testUser
    password: 'password1'
    firstname: 'John'
    lastname: 'Doe'
    groups: ['user']
    tenants: []
  - id: testAdmin
    password: 'password1'
    firstname: 'Jane'
    lastname: 'Doe'
    groups: ['admin']
    tenants: []
  - id: nmapScanner
    password: 'password1'
    firstname: 'nmap'
    lastname: 'scanner'
    groups: ['scanner']
    tenants: []
  - id: amassScanner
    password: 'password1'
    firstname: 'amass'
    lastname: 'scanner'
    groups: ['scanner']
    tenants: []
  - id: sshScanner
    password: 'password1'
    firstname: 'ssh'
    lastname: 'scanner'
    groups: ['scanner']
    tenants: []
```
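As an added illustration of the startup behaviour described above (this is not the PR's own code), the following Spring component binds the `tenants`, `groups` and `users` lists from application.yaml and creates them through Camunda's `IdentityService` once the application is ready. Every lookup happens before a create, so an account that already exists is skipped and its password is never reset, which is the "existing user accounts will not be changed" guarantee. The property prefix `securecodebox.identity`, the class names and the strict check that a referenced group must already exist are assumptions; the page does not show them.

```java
package io.securecodebox.engine.identity; // hypothetical package, not from the PR

import java.util.ArrayList;
import java.util.List;

import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.identity.Tenant;
import org.camunda.bpm.engine.identity.User;
import org.springframework.boot.context.event.ApplicationReadyEvent;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;

/** Binds the identity lists from application.yaml; the prefix is an assumption. */
@Component
@ConfigurationProperties(prefix = "securecodebox.identity")
public class IdentityBootstrap {

    /** Shape shared by the tenants and groups lists: an id plus a display name. */
    public static class NamedConfig {
        private String id, name;
        public String getId() { return id; }     public void setId(String v) { id = v; }
        public String getName() { return name; } public void setName(String v) { name = v; }
    }

    /** One entry of the users list, matching the example config above. */
    public static class UserConfig {
        private String id, password, firstname, lastname;
        private List<String> groups = new ArrayList<>(), tenants = new ArrayList<>();
        public String getId() { return id; }               public void setId(String v) { id = v; }
        public String getPassword() { return password; }   public void setPassword(String v) { password = v; }
        public String getFirstname() { return firstname; } public void setFirstname(String v) { firstname = v; }
        public String getLastname() { return lastname; }   public void setLastname(String v) { lastname = v; }
        public List<String> getGroups() { return groups; } public void setGroups(List<String> v) { groups = v; }
        public List<String> getTenants() { return tenants; } public void setTenants(List<String> v) { tenants = v; }
    }

    private List<NamedConfig> tenants = new ArrayList<>();
    private List<NamedConfig> groups = new ArrayList<>();
    private List<UserConfig> users = new ArrayList<>();
    public List<NamedConfig> getTenants() { return tenants; } public void setTenants(List<NamedConfig> v) { tenants = v; }
    public List<NamedConfig> getGroups() { return groups; }   public void setGroups(List<NamedConfig> v) { groups = v; }
    public List<UserConfig> getUsers() { return users; }      public void setUsers(List<UserConfig> v) { users = v; }

    private final IdentityService identityService;

    public IdentityBootstrap(IdentityService identityService) {
        this.identityService = identityService;
    }

    /** Runs once the engine is up; every create is guarded by an existence check, so reruns are no-ops. */
    @EventListener(ApplicationReadyEvent.class)
    public void createConfiguredIdentities() {
        for (NamedConfig t : tenants) {
            if (identityService.createTenantQuery().tenantId(t.getId()).count() == 0) {
                Tenant tenant = identityService.newTenant(t.getId());
                tenant.setName(t.getName());
                identityService.saveTenant(tenant);
            }
        }
        for (NamedConfig g : groups) {
            if (identityService.createGroupQuery().groupId(g.getId()).count() == 0) {
                Group group = identityService.newGroup(g.getId());
                group.setName(g.getName());
                identityService.saveGroup(group);
            }
        }
        for (UserConfig u : users) {
            if (identityService.createUserQuery().userId(u.getId()).count() > 0) {
                continue; // existing accounts are left untouched: no password reset, no membership changes
            }
            User user = identityService.newUser(u.getId());
            user.setFirstName(u.getFirstname());
            user.setLastName(u.getLastname());
            user.setPassword(u.getPassword()); // Camunda hashes the password before storing it
            identityService.saveUser(user);
            for (String groupId : u.getGroups()) {
                // assumption: a typo in a group id should fail loudly rather than silently create an unprivileged user
                if (identityService.createGroupQuery().groupId(groupId).count() == 0) {
                    throw new IllegalStateException("user " + u.getId() + " references unknown group " + groupId);
                }
                identityService.createMembership(u.getId(), groupId);
            }
            for (String tenantId : u.getTenants()) {
                identityService.createTenantUserMembership(tenantId, u.getId());
            }
        }
    }
}
```

Because the check runs on the user id only, rotating a scanner password in application.yaml does not propagate to an already created account; that is the intended trade-off of never touching existing users, and a rotated credential has to be applied through the engine's own user management.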
J12934 commented 4 years ago

Looks good in my opinion. But one question: where can I identify or find all possible resource identifiers to assign or configure the permissions of a group? Is there any Camunda documentation that we could reference to in the application.yaml?

I haven't found any great documentation on this. The closest page I think is this one: https://docs.camunda.org/manual/7.12/user-guide/process-engine/authorization-service/ But it lacks a proper listing of the "technical" names / IDs of the permissions required to properly configure the engine.

Most of what I configured for the default group authorizations was based on the information provided by the Camunda UI and the Types of the Camunda Authorization Enums (e.g. https://github.com/camunda/camunda-bpm-platform/blob/master/engine/src/main/java/org/camunda/bpm/engine/authorization/Permissions.java)
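The technical names asked about in the exchange above are the constants of the `Resources` and `Permissions` enums linked in the comment. As an added example (not code from the PR), the first method below prints those names straight from the enums, which is the listing the Camunda docs lack, and the second shows how a group authorization is assembled from them through the `AuthorizationService`, with a query first so that restarting the engine does not pile up duplicate grants. The `scanner` group, the wildcard resource id and the specific read/update permissions chosen for it are illustrative assumptions, not the defaults the PR configures.

```java
package io.securecodebox.engine.identity; // hypothetical package, not from the PR

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resource;
import org.camunda.bpm.engine.authorization.Resources;

public class GroupAuthorizations {

    /** Dumps the resource and permission identifiers the engine understands, taken from the enums themselves. */
    public static void printKnownIdentifiers() {
        for (Resource r : Resources.values()) {
            System.out.println("resource   " + r.resourceName() + " (type " + r.resourceType() + ")");
        }
        for (Permission p : Permissions.values()) {
            System.out.println("permission " + p.getName() + " (bit " + p.getValue() + ")");
        }
    }

    /**
     * Grants a group the given permissions on every instance of a resource type.
     * Returns false without changing anything when a grant for that group and resource already exists.
     */
    public static boolean grant(AuthorizationService auth, String groupId, Resource resource, Permission... permissions) {
        long existing = auth.createAuthorizationQuery()
                .authorizationType(Authorization.AUTH_TYPE_GRANT)
                .groupIdIn(groupId)
                .resourceType(resource)
                .resourceId(Authorization.ANY)
                .count();
        if (existing > 0) {
            return false; // already configured on an earlier startup
        }
        Authorization a = auth.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        a.setGroupId(groupId);
        a.setResource(resource);
        a.setResourceId(Authorization.ANY); // "*": all instances of this resource type
        for (Permission p : permissions) {
            a.addPermission(p);
        }
        auth.saveAuthorization(a);
        return true;
    }

    /** Illustrative least-privilege set for technical scanner accounts (assumed, not the PR's defaults). */
    public static void grantScannerDefaults(AuthorizationService auth) {
        grant(auth, "scanner", Resources.PROCESS_DEFINITION, Permissions.READ);
        grant(auth, "scanner", Resources.PROCESS_INSTANCE, Permissions.READ, Permissions.UPDATE);
        grant(auth, "scanner", Resources.TASK, Permissions.READ, Permissions.UPDATE);
    }
}
```

Running `printKnownIdentifiers()` against the engine's actual Camunda version is the reliable way to get the list, since both enums gain entries between releases and the names in the web UI do not always match the `resourceName()` values the authorization tables store.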