diff --git a/README.md b/README.md
index 33f5f84..fe343c6 100644
--- a/README.md
+++ b/README.md
@@ -63,16 +63,17 @@ The application secrets can be also passed in as [environment variables](https:/
 "ClientSecret": ""
 },
 "GitHubProvisioning": {
- "AppId": ,
+ "AppId": "",
 "ClientId": "",
 "PrivateKey": ""
 },
 "ExemptUsers": [
 ""
- ]
+ ],
+ "SyncTriggerKey": ""
 }
 ```
 ### GitHub Teams Configuration
-Simply [create a team](https://docs.github.com/en/organizations/organizing-members-into-teams/creating-a-team) in your GitHub organization and fill the description field with your desired description and append `Entra: ` to the end of the description. This will tell the tool to synchronize membership of the team with the specified group.
\ No newline at end of file
+Simply [create a team](https://docs.github.com/en/organizations/organizing-members-into-teams/creating-a-team) in your GitHub organization and fill the description field with your desired description and append `Entra: ` to the end of the description. This will tell the tool to synchronize membership of the team with the specified group.
diff --git a/Web/Controllers/SyncController.cs b/Web/Controllers/SyncController.cs
index 0d4710b..3d81551 100644
--- a/Web/Controllers/SyncController.cs
+++ b/Web/Controllers/SyncController.cs
@@ -14,6 +14,7 @@ public class SyncController : Controller
 private readonly string _privateKeyPem;
 private readonly string _clientId;
 private readonly string _appId;
+ private readonly string? _syncTriggerKey;
 private readonly MicrosoftGraphService _microsoftGraph;
 private readonly ILogger _logger;
 public SyncController(IConfiguration configuration, MicrosoftGraphService microsoftGraph, ILoggerFactory loggerFactory)
@@ -21,11 +22,28 @@ public SyncController(IConfiguration configuration, MicrosoftGraphService micros
 _privateKeyPem = Encoding.UTF8.GetString(Convert.FromBase64String(configuration["GitHubProvisioning:PrivateKey"]));
 _clientId = configuration["GitHubProvisioning:ClientId"];
 _appId = configuration["GitHubProvisioning:AppId"];
+ _syncTriggerKey = configuration["SyncTriggerKey"];
 _microsoftGraph = microsoftGraph;
 _logger = loggerFactory.CreateLogger();
 }
 public async Task Index()
 {
+ if (string.IsNullOrWhiteSpace(_syncTriggerKey))
+ {
+ _logger.LogError("SyncTriggerKey is not configured. The /api/sync endpoint cannot be used.");
+ return new StatusCodeResult(StatusCodes.Status500InternalServerError);
+ }
+
+ if (!Request.Headers.TryGetValue("X-Sync-Trigger-Key", out var providedKey))
+ {
+ return new UnauthorizedResult();
+ }
+
+ if (!string.Equals(providedKey.FirstOrDefault(), _syncTriggerKey, StringComparison.Ordinal))
+ {
+ return new UnauthorizedResult();
+ }
+
 var appClient = new GitHubClient(new ProductHeaderValue(Constants.UserAgent), new GitHubAppCredentialStore(long.Parse(_appId), _privateKeyPem));;
 var installations = await appClient.GitHubApps.GetAllInstallationsForCurrent();
diff --git a/Web/Program.cs b/Web/Program.cs
index 840de00..155a9ad 100644
--- a/Web/Program.cs
+++ b/Web/Program.cs
@@ -18,6 +18,11 @@
 Web.Helpers.Constants.ExtensionAttributeName = builder.Configuration["AzureAd:ExtensionAttributeName"];
 Web.Helpers.Constants.ExemptUsers = builder.Configuration.GetSection("ExemptUsers").Get();
+if (string.IsNullOrWhiteSpace(builder.Configuration["SyncTriggerKey"]))
+{
+ Console.WriteLine("WARNING: SyncTriggerKey is not configured. The /api/sync endpoint will be unavailable.");
+}
+
 // Add services to the container.
 builder.Services.AddRazorPages();
 builder.Services.AddControllers();
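Review bot: The key check in Index compares the shared secret with `string.Equals(..., StringComparison.Ordinal)`, which stops at the first differing character, so the comparison time depends on how much of the secret the caller got right; compare the UTF-8 bytes with `CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(providedKey.FirstOrDefault() ?? string.Empty), Encoding.UTF8.GetBytes(_syncTriggerKey))` instead (it returns false on a length mismatch, so no separate length check is needed, and Encoding is already in scope in this file). Both rejection branches return UnauthorizedResult without any log line, so operators get no signal for repeated failed trigger attempts; a `_logger.LogWarning("Rejected /api/sync request: missing or invalid X-Sync-Trigger-Key.")` before each return would give them one. The Program.cs hunk reports the same missing-key condition through Console.WriteLine while the controller uses ILogger; routing that warning through the builder's logger keeps it in the configured sink. Index's body continues past the end of this hunk.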