Pentest

services/admin/handlers/addRolesToJWT.js

@@ -0,0 +1,25 @@
+import { getUser } from "../../app-api/getUser";
+
+const handler = async (event) => {
+    console.log("JWT claims before modification:", JSON.stringify(event));
+    try{
+        const userEmail = event.request.userAttributes.email;
+        const user = await getUser(userEmail);
+        const roles = [];
+        for (const role of user.roleList) {
+            roles.push(role.role)
+        }
+        event.response = event.response || {};
+        event.response.claimsOverrideDetails = event.response.claimsOverrideDetails || {};
+        event.response.claimsOverrideDetails.claimsToAddOrOverride = event.response.claimsOverrideDetails.claimsToAddOrOverride || {};
+
+        // Example of adding roles dynamically from DynamoDB to the JWT claims
+        event.response.claimsOverrideDetails.claimsToAddOrOverride['custom:user_roles'] = JSON.stringify(roles); // Add user roles
+    } catch(e) {
+        console.log("error updating id token claims", e)
+    }
+    console.log("JWT claims after modification:", JSON.stringify(event));
+    return event;
+};
+
+export { handler };

services/admin/handlers/batchUpdateCognitoUsers.js

@@ -0,0 +1,76 @@
+import AWS from "aws-sdk";
+const cognito = new AWS.CognitoIdentityServiceProvider();
+import { getUser } from "../../app-api/getUser";
+
+async function updateUserAttribute(userPoolId, username, roles) {
+    const params = {
+      UserPoolId: userPoolId,
+      Username: username,
+      UserAttributes: [
+        {
+          Name: 'custom:user_roles',
+          Value: JSON.stringify(roles)
+        }
+      ]
+    };
+
+    await cognito.adminUpdateUserAttributes(params).promise();
+  }
+
+async function processCognitoUsers() {
+  const userPoolId = process.env.USER_POOL_ID;
+  console.log("user pool id: ", userPoolId)
+  let paginationToken = null;
+  let counter = 0;
+  let hasRolesCounter = 0;
+  let noRolesCounter =0;
+  do {
+    const params = {
+      UserPoolId: userPoolId,
+      AttributesToGet: ['email'],
+      PaginationToken: paginationToken
+    };
+
+    const listUsersResponse = await cognito.listUsers(params).promise();
+    console.log(listUsersResponse.Users.length + " users found")
+
+    for (const user of listUsersResponse.Users) {
+      const emailAttribute = user.Attributes.find(attr => attr.Name === 'email');
+      if (emailAttribute) {
+        const userEmail = emailAttribute.Value;
+
+        try {
+          const externalUser = await getUser(userEmail);
+          let roles = [""];
+          let roleList;
+          try{
+            roleList = externalUser.roleList;
+          }catch(error) {
+            noRolesCounter ++
+            console.log(userEmail + " has no roles");
+          }
+          if (roleList && roleList.length > 0 && roleList[0] != null) {
+           roles = externalUser.roleList.map(role => role.role);
+           hasRolesCounter ++;
+          } else {
+            console.log("user parsing error for user" + userEmail)
+          }
+          await updateUserAttribute(userPoolId, user.Username, roles);
+        } catch (error) {
+          console.error(`Error processing user ${userEmail}:`, error);
+        }
+      }
+      counter++;
+    }
+
+    paginationToken = listUsersResponse.PaginationToken;
+  } while (paginationToken);
+  console.log(counter+ "users modified, "+ hasRolesCounter + "users had roles and "+ noRolesCounter + " users had no roles")
+}
+
+
+export const main = async () => {
+    await processCognitoUsers().catch(console.error);
+    console.log("function complete")
+}
+

services/admin/serverless.yml

@@ -4,17 +4,23 @@ frameworkVersion: "3"
 
 useDotenv: true
 
+variablesResolutionMode: 20210326
+
 package:
   individually: true
 
 plugins:
   - serverless-esbuild
   - serverless-dotenv-plugin
   - serverless-s3-bucket-helper
+
 custom:
   stage: ${opt:stage, self:provider.stage}
   iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
   oneMacTableName: onemac-${self:custom.stage}-one
+  userPoolName: ${self:custom.stage}-user-pool
+  userPoolId: ${cf:ui-auth-${self:custom.stage}.UserPoolId}
+
 provider:
   name: aws
   runtime: nodejs20.x
@@ -37,14 +43,29 @@ provider:
             - arn:aws:dynamodb:*:*:table/onemac-develop-one
             - arn:aws:dynamodb:*:*:table/${self:custom.oneMacTableName}
             - arn:aws:dynamodb:*:*:table/${self:custom.oneMacTableName}/index/*
+        - Effect: Allow
+          Action:
+            - cognito-idp:ListUsers
+            - cognito-idp:AdminUpdateUserAttributes
+          Resource: arn:aws:cognito-idp:${self:provider.region}:*:userpool/${self:custom.userPoolId}
+
   environment:
     NODE_OPTIONS: '--enable-source-maps'
     oneMacTableName: ${self:custom.oneMacTableName}
+    USER_POOL_ID: ${self:custom.userPoolId}
   layers:
       - ${cf:aws-sdk-v2-layer-${self:custom.stage}.AwsSdkV2LambdaLayerQualifiedArn}
 
+
 functions:
-
+  batchUpdateCognitoUsers: 
+    handler: ./handlers/batchUpdateCognitoUsers.main
+    timeout: 360
+
+  addRolesToJWT:
+    handler: ./handlers/addRolesToJWT.handler
+    timeout: 360
+
   resetData:
     handler: ./handlers/resetData.main
     timeout: 360

services/ui-src/src/Routes.tsx

@@ -4,6 +4,7 @@
 
 import React, { FC } from "react";
 import { Redirect, Route, Switch } from "react-router-dom";
+import jwt_decode from "jwt-decode";
 import { useFlags } from "launchdarkly-react-client-sdk";
 
 import {
@@ -68,6 +69,7 @@ import WaiverRenewalSubsequentSubmissionForm from "./page/waiver-renewal/WaiverR
 import WaiverAmendmentSubsequentSubmissionForm from "./page/waiver-amendment/WaiverAmendmentSubsequentSubmissionForm";
 import WaiverAppKSubsequentSubmissionForm from "./page/waiver-appendix-k/WaiverAppKSubsequentSubmissionForm";
 import DisableRaiWithdrawForm from "./page/disable-rai-withdraw/DisableRaiWithdrawForm";
+const ID_TOKEN_KEY: string = "idToken";
 
 type RouteSpec = {
   path: string;
@@ -139,17 +141,73 @@ const SignupGuardRouteListRenderer: FC<{ routes: RouteSpec[] }> = ({
   return <RouteListRenderer routes={routes} />;
 };
 
+const isAdminUser = ()=> {
+  /* eslint-disable-next-line react-hooks/rules-of-hooks */
+  const context = useAppContext();
+  if(!context?.isAuthenticated) {
+    return false; 
+  }
+
+  let userRoles;
+  //authenticated users will have idToken in Local Storage
+  try{
+    const idTokenKey: string[] = Object.keys(localStorage).filter((k) =>
+      k.includes(ID_TOKEN_KEY)
+    );
+    const idToken: string | null =
+    idTokenKey && localStorage.getItem(idTokenKey[0]);
+    if (!idToken) return false;
+    const decodedIdToken: any = jwt_decode(idToken);
+     userRoles = decodedIdToken["custom:user_roles"];
+  } catch (error) {
+    console.error("error decoding idToken", error);
+    return false; 
+  }
+
+  const allowedRoles = [
+    "cmsroleapprover",
+    "systemadmin",
+    "statesystemadmin",
+    "helpdesk",
+    "cmsreviewer",
+    // "defaultcmsuser" 
+  ];
+
+  // only passes admin check if roles from jwt one of the "allowed roles"
+  if (userRoles) {
+    try {
+      userRoles = JSON.parse(userRoles);
+    } catch (error) {
+      console.error('Error parsing user_roles:', error);
+      userRoles = [];
+    }
+    for (let i = 0; i < userRoles.length; i++) {        
+      if (allowedRoles.includes(userRoles[i])) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
 const accessGuardRouteListRenderer: (
   accessKey: keyof UserRole,
   redirectAccessKey?: keyof UserRole,
-  redirectTo?: string
+  redirectTo?: string,
+  isAdminRoute?: boolean
 ) => FC<{ routes: RouteSpec[] }> =
-  (accessKey, redirectAccessKey, redirectTo) =>
+  (accessKey, redirectAccessKey, redirectTo, isAdminRoute) =>
   ({ routes }) => {
     const { userProfile: { userData: { roleList = [] } = {} } = {} } =
       useAppContext() ?? {};
     const roleObj = getUserRoleObj(roleList);
-
+    // Token based admin check will redirect if non admin user
+    if(isAdminRoute && redirectTo) {
+      if(!isAdminUser()){
+       return <Redirect to={redirectTo} />;
+      }
+    }
     if (roleObj[accessKey]) return <RouteListRenderer routes={routes} />;
     if (redirectAccessKey && redirectTo && roleObj[redirectAccessKey])
       return <Redirect to={redirectTo} />;
@@ -160,6 +218,7 @@ const ROUTE_LIST: RouteSpec[] = [
   { path: ROUTES.HOME, exact: true, component: Home },
   { path: ROUTES.FAQ, exact: true, component: FAQ },
   { path: ROUTES.DEVLOGIN, exact: true, component: DevLogin },
+
   {
     path: ROUTES.PROFILE,
     component: AuthenticatedRouteListRenderer,
@@ -173,7 +232,7 @@ const ROUTE_LIST: RouteSpec[] = [
         path: ROUTES.PROFILE + "/:userId",
         exact: true,
         component: UserPage,
-      },
+      }
     ],
   },
   {
@@ -196,16 +255,18 @@ const ROUTE_LIST: RouteSpec[] = [
       accessKey: "canAccessUserManagement",
       redirectAccessKey: "canAccessDashboard",
       redirectTo: ONEMAC_ROUTES.PACKAGE_LIST,
+      isAdminRoute: true,
       component: UserManagement,
     },
     {
       path: ONEMAC_ROUTES.PACKAGE_LIST,
       accessKey: "canAccessDashboard",
       redirectAccessKey: "canAccessUserManagement",
       redirectTo: ROUTES.USER_MANAGEMENT,
+      isAdminRoute: false,
       component: PackageList,
     },
-  ].map(({ path, accessKey, redirectAccessKey, redirectTo, component }) => ({
+  ].map(({ path, accessKey, redirectAccessKey, redirectTo, component, isAdminRoute }) => ({
     path,
     component: SignupGuardRouteListRenderer,
     routes: [
@@ -214,11 +275,12 @@ const ROUTE_LIST: RouteSpec[] = [
         component: accessGuardRouteListRenderer(
           accessKey as keyof UserRole,
           redirectAccessKey as keyof UserRole,
-          redirectTo
+          redirectTo,
+          isAdminRoute
         ),
-        routes: [{ path, exact: true, component }],
+        routes: [{ path, exact: true, component}],
       },
-    ],
+    ]
   })),
   // legacy triage screens, plus current OneMACForm forms
   ...[

services/ui-src/src/components/IdleTimerWrapper.tsx

@@ -78,11 +78,13 @@ const IdleTimerWrapper = () => {
     const tokenKey: string[] = Object.keys(localStorage).filter((k) =>
       k.includes(STORAGE_KEY)
     );
+
     const loginToken: string | null =
       tokenKey && localStorage.getItem(tokenKey[0]);
     if (!loginToken) return;
 
     const decodedToken: any = jwt_decode(loginToken);
+
     const epochAuthTime: number | undefined = decodedToken?.auth_time;
     if (!epochAuthTime) return;
 

services/ui-src/src/containers/UserManagement.js

@@ -106,6 +106,7 @@ const UserManagement = () => {
         console.log("Error while fetching user list.", error);
         setAlertCode(RESPONSE_CODE[error.message]);
       });
+  // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [userProfile.email, userStatus]);
 
   // Load the data from the backend.

services/ui-src/src/containers/UserPage.js

@@ -161,7 +161,7 @@ const UserPage = () => {
   const { userProfile, setUserInfo, updatePhoneNumber, userRole, userStatus } =
     useAppContext();
   const location = useLocation();
-  const { userId } = useParams() ?? {};
+  let { userId } = useParams() ?? {};
   const [profileData, setProfileData] = useState({});
   const [profileRole, setProfileRole] = useState("");
   const [profileStatus, setProfileStatus] = useState("");