Require X-Sync-Trigger-Key header on /api/sync endpoint

README.md

@@ -63,16 +63,17 @@ The application secrets can be also passed in as [environment variables](https:/
     "ClientSecret": "<github_oauth_client_secret>"
   },
   "GitHubProvisioning": {
-    "AppId": <github_app_id>,
+    "AppId": "<github_app_id>",
     "ClientId": "<github_app_client_id>",
     "PrivateKey": "<base64_encoded_private_key>"
   },
   "ExemptUsers": [
     "<Case_Sensitive_List_Of_Users>"
-  ]
+  ],
+  "SyncTriggerKey": "<secret_key_to_trigger_sync>"
 }
 ```
 
 ### GitHub Teams Configuration
 
-Simply [create a team](https://docs.github.com/en/organizations/organizing-members-into-teams/creating-a-team) in your GitHub organization and fill the description field with your desired description and append `Entra: <entra_group_id>` to the end of the description. This will tell the tool to synchronize membership of the team with the specified group.
+Simply [create a team](https://docs.github.com/en/organizations/organizing-members-into-teams/creating-a-team) in your GitHub organization and fill the description field with your desired description and append `Entra: <entra_group_id>` to the end of the description. This will tell the tool to synchronize membership of the team with the specified group.

Web/Controllers/SyncController.cs

@@ -14,18 +14,36 @@ public class SyncController : Controller
         private readonly string _privateKeyPem;
         private readonly string _clientId;
         private readonly string _appId;
+        private readonly string? _syncTriggerKey;
         private readonly MicrosoftGraphService _microsoftGraph;
         private readonly ILogger _logger;
         public SyncController(IConfiguration configuration, MicrosoftGraphService microsoftGraph, ILoggerFactory loggerFactory)
         {
             _privateKeyPem = Encoding.UTF8.GetString(Convert.FromBase64String(configuration["GitHubProvisioning:PrivateKey"]));
             _clientId = configuration["GitHubProvisioning:ClientId"];
             _appId = configuration["GitHubProvisioning:AppId"];
+            _syncTriggerKey = configuration["SyncTriggerKey"];
             _microsoftGraph = microsoftGraph;
             _logger = loggerFactory.CreateLogger<SyncController>();
         }
         public async Task<IActionResult> Index()
         {
+            if (string.IsNullOrWhiteSpace(_syncTriggerKey))
+            {
+                _logger.LogError("SyncTriggerKey is not configured. The /api/sync endpoint cannot be used.");
+                return new StatusCodeResult(StatusCodes.Status500InternalServerError);
+            }
+
+            if (!Request.Headers.TryGetValue("X-Sync-Trigger-Key", out var providedKey))
+            {
+                return new UnauthorizedResult();
+            }
+
+            if (!string.Equals(providedKey.FirstOrDefault(), _syncTriggerKey, StringComparison.Ordinal))
+            {
+                return new UnauthorizedResult();
+            }
+
             var appClient = new GitHubClient(new ProductHeaderValue(Constants.UserAgent), new GitHubAppCredentialStore(long.Parse(_appId), _privateKeyPem));;
             var installations = await appClient.GitHubApps.GetAllInstallationsForCurrent();
 

Web/Program.cs

@@ -18,6 +18,11 @@
 Web.Helpers.Constants.ExtensionAttributeName = builder.Configuration["AzureAd:ExtensionAttributeName"];
 Web.Helpers.Constants.ExemptUsers = builder.Configuration.GetSection("ExemptUsers").Get<string[]>();
 
+if (string.IsNullOrWhiteSpace(builder.Configuration["SyncTriggerKey"]))
+{
+    Console.WriteLine("WARNING: SyncTriggerKey is not configured. The /api/sync endpoint will be unavailable.");
+}
+
 // Add services to the container.
 builder.Services.AddRazorPages();
 builder.Services.AddControllers();