GovCMS new CI checks for roles and permissions

Si Hobbs

There's a new CI check on GovCMS that has popped up on a couple of projects; here is a quick breakdown in case it hits you on your next deploy.

We had some failures on a GovCMS SaaS project that had previously been deploying fine. We have seen no official information about this other than Freshdesk documentation that sits behind a login. The new CI check is:

# Validate that known restricted permissions have not been committed
# to role definitions. This prevents permission elevation bypass.
# user.role.site_administrator.yml is omitted as this is provided by
# the govCMS profile and will need to be included on each site.
- GOVCMS_ROLE_PATTERN=${GOVCMS_ROLE_PATTERN:-user.role.*.yml}
- |
  find config/default -type f \( -name "$GOVCMS_ROLE_PATTERN" -not -name 'user.role.site_administrator.yml' \) -print0 | while read -d $'\0' file;
  do
    if [ $(cat $file | grep -c -e "administer permissions" -e "administer modules" -e "administer software updates") -ne 0 ]; then
      echo "[fail] $file has restricted permissions";
      exit 1;
    fi
    if [[ $(yq r $file 'is_admin') == 'true' ]]; then
      echo "[fail] $file is listed as an admin role";
      exit 1;
    fi
  done

What happens?

Your CI in GitLab will fail with messages like:

    [fail] config/default/user.role.editor.yml is listed as an admin role

and 

    [fail] config/default/user.role.editor.yml has restricted permissions

Essentially the CI now performs two new checks:

  • No role may have the is_admin flag set to true in its exported config.
  • No role may be granted the "administer permissions", "administer modules" or "administer software updates" permissions.
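To catch these failures before pushing, the same two checks can be run locally against the exported config. This is an added example, not GovCMS's own CI script: it assumes role exports live in one directory as user.role.<id>.yml with is_admin as a top-level key, and it replaces the CI's yq lookup with a plain grep for "^is_admin: true" so nothing beyond a POSIX shell is needed.

```shell
#!/usr/bin/env sh
# Local pre-push check mirroring the GovCMS CI role validation quoted above.
# Constructed example, not GovCMS's own script. Assumptions: one role per
# user.role.<id>.yml, is_admin is a top-level key, and a grep for
# "^is_admin: true" stands in for the CI's yq lookup (no yq dependency).

# check_roles DIR: prints one [fail] line per violation; returns 1 if any found.
check_roles() {
  dir="$1"
  status=0
  for file in "$dir"/user.role.*.yml; do
    [ -e "$file" ] || continue
    # The CI skips this file because the govCMS profile ships it.
    [ "${file##*/}" = "user.role.site_administrator.yml" ] && continue
    # Same substring match as the CI check: a role description that merely
    # mentions one of these phrases also trips it, so keep descriptions plain.
    if grep -q -e "administer permissions" -e "administer modules" \
               -e "administer software updates" "$file"; then
      echo "[fail] $file has restricted permissions"
      status=1
    fi
    if grep -q "^is_admin: *true *$" "$file"; then
      echo "[fail] $file is listed as an admin role"
      status=1
    fi
  done
  return "$status"
}

# make_fixture DIR: writes constructed role exports covering a passing role,
# both failure modes, and the skipped site_administrator file.
make_fixture() {
  mkdir -p "$1"
  printf 'id: editor\nis_admin: true\npermissions:\n  - "access content"\n' \
    > "$1/user.role.editor.yml"
  printf 'id: content_admin\nis_admin: false\npermissions:\n  - "administer modules"\n' \
    > "$1/user.role.content_admin.yml"
  printf 'id: site_administrator\nis_admin: true\npermissions: {  }\n' \
    > "$1/user.role.site_administrator.yml"
  printf 'id: authenticated\nis_admin: false\npermissions:\n  - "access content"\n' \
    > "$1/user.role.authenticated.yml"
}

# Usage: check_roles config/default   (exit status 1 means the CI check would fail)
```

Run it from the project root before each push; the fixture function is only there so the check can be exercised without a real site export.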

Config deployments?

You can only fix this using the method below if you already have config deployments turned on. If you don't, you first need to go through the process of converting your site to use config deployments.

Fix your Roles

To rectify this, do the following in your local development environment:

  1. If any of your roles is set as the "Administrator role" at /admin/config/people/accounts, set this to None and save the page.
  2. Go to the permissions page at /admin/people/permissions and, for your administrator role, select all the appropriate permissions except administer permissions, administer modules and administer software updates. Save the page.
  3. Export your config to code.
  4. Push and deploy.

Assigning roles?

Once your roles are fixed, can you give a role to an existing user? No, you need to put in a request to the helpdesk for that, so I recommend setting up all your key editors at once when starting a project to avoid painful tickets.
