jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Per-user Ivanti identity for FP workflow filtering

Browse Source 
Each user can now have ivanti_first_name and ivanti_last_name configured in
User Management. The workflow sync queries all configured Ivanti identities
and fetches workflows for each. The GET endpoint filters workflows to only
show those belonging to the logged-in user's Ivanti identity.

Users without an Ivanti identity see all workflows (admin fallback).
If no users have identities configured, falls back to IVANTI_FIRST_NAME/
IVANTI_LAST_NAME from .env for backward compatibility.

Changes:
- Migration adds ivanti_first_name, ivanti_last_name to users table
- Users route accepts and returns the new fields
- User Management UI has Ivanti Identity input fields
- Workflow sync iterates all configured user identities
- Workflow GET filters by logged-in user's identity
This commit is contained in:
Jordan Ramos
2026-06-10 11:22:51 -06:00
parent 56ceb81ea5
commit 0f83f48cc6
5 changed files with 308 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
backend/routes/users.js
View File

@@ -10,11 +10,28 @@ function createUsersRouter(requireAuth, requireGroup, logAudit) {
// All routes require Admin group
router.use(requireAuth(), requireGroup('Admin'));
// Get all users
/**
* GET /api/users
*
* Returns all user accounts ordered by creation date (newest first).
*
* @returns {Array<Object>} 200 - Array of user objects
* @returns {Object} 200[].id - User ID
* @returns {string} 200[].username - Username
* @returns {string} 200[].email - Email address
* @returns {string} 200[].group - Permission group (Admin, Standard_User, Leadership, Read_Only)
* @returns {string} 200[].bu_teams - Comma-separated BU team assignments
* @returns {Array<string>} 200[].teams - Parsed array of BU team assignments
* @returns {boolean} 200[].is_active - Whether the account is active
* @returns {string} 200[].created_at - ISO timestamp of account creation
* @returns {string|null} 200[].last_login - ISO timestamp of last login
* @returns {Object} 500 - { error: string }
*/
router.get('/', async (req, res) => {
try {
const { rows: users } = await pool.query(
`SELECT id, username, email, user_group AS "group", bu_teams, is_active, created_at, last_login
`SELECT id, username, email, user_group AS "group", bu_teams, is_active, created_at, last_login,
ivanti_first_name, ivanti_last_name
FROM users ORDER BY created_at DESC`
);
// Parse bu_teams into teams array for each user
@@ -29,11 +46,21 @@ function createUsersRouter(requireAuth, requireGroup, logAudit) {
}
});
// Get single user
/**
* GET /api/users/:id
*
* Returns a single user account by ID.
*
* @param {string} req.params.id - User ID
* @returns {Object} 200 - User object with parsed teams array
* @returns {Object} 404 - { error: 'User not found' }
* @returns {Object} 500 - { error: string }
*/
router.get('/:id', async (req, res) => {
try {
const { rows } = await pool.query(
`SELECT id, username, email, user_group AS "group", bu_teams, is_active, created_at, last_login
`SELECT id, username, email, user_group AS "group", bu_teams, is_active, created_at, last_login,
ivanti_first_name, ivanti_last_name
FROM users WHERE id = $1`,
[req.params.id]
);
@@ -54,7 +81,21 @@ function createUsersRouter(requireAuth, requireGroup, logAudit) {
}
});
// Create new user
/**
* POST /api/users
*
* Creates a new user account.
*
* @body {string} username - Required. Unique username
* @body {string} email - Required. Unique email address
* @body {string} password - Required. Plain-text password (hashed before storage)
* @body {string} [group='Read_Only'] - Permission group (Admin, Standard_User, Leadership, Read_Only)
* @body {string} [bu_teams=''] - Comma-separated BU team assignments (STEAM, ACCESS-ENG, ACCESS-OPS, INTELDEV)
* @returns {Object} 201 - { message: string, user: { id, username, email, group, bu_teams, teams } }
* @returns {Object} 400 - { error: string } if required fields missing or invalid group/teams
* @returns {Object} 409 - { error: string } if username or email already exists
* @returns {Object} 500 - { error: string }
*/
router.post('/', async (req, res) => {
const { username, email, password, group, bu_teams } = req.body;
const VALID_GROUPS = ['Admin', 'Standard_User', 'Leadership', 'Read_Only'];
@@ -120,9 +161,28 @@ function createUsersRouter(requireAuth, requireGroup, logAudit) {
}
});
// Update user
/**
* PATCH /api/users/:id
*
* Updates one or more fields on an existing user account. Only provided fields are modified.
*
* @param {string} req.params.id - User ID to update
* @body {string} [username] - New username
* @body {string} [email] - New email address
* @body {string} [password] - New plain-text password (hashed before storage)
* @body {string} [group] - New permission group (Admin, Standard_User, Leadership, Read_Only)
* @body {boolean} [is_active] - Whether the account is active (deactivation deletes sessions)
* @body {string} [bu_teams] - Comma-separated BU team assignments (STEAM, ACCESS-ENG, ACCESS-OPS, INTELDEV)
* @body {string} [ivanti_first_name] - Ivanti first name for finding correlation
* @body {string} [ivanti_last_name] - Ivanti last name for finding correlation
* @returns {Object} 200 - { message: 'User updated successfully' }
* @returns {Object} 400 - { error: string } if invalid group, self-demotion, self-deactivation, invalid teams, or no fields provided
* @returns {Object} 404 - { error: 'User not found' }
* @returns {Object} 409 - { error: string } if username or email already exists
* @returns {Object} 500 - { error: string }
*/
router.patch('/:id', async (req, res) => {
const { username, email, password, group, is_active, bu_teams } = req.body;
const { username, email, password, group, is_active, bu_teams, ivanti_first_name, ivanti_last_name } = req.body;
const VALID_GROUPS = ['Admin', 'Standard_User', 'Leadership', 'Read_Only'];
const userId = req.params.id;
@@ -193,6 +253,14 @@ function createUsersRouter(requireAuth, requireGroup, logAudit) {
updates.push(`bu_teams = $${paramIndex++}`);
values.push(bu_teams);
}
if (typeof ivanti_first_name === 'string') {
updates.push(`ivanti_first_name = $${paramIndex++}`);
values.push(ivanti_first_name.trim() || null);
}
if (typeof ivanti_last_name === 'string') {
updates.push(`ivanti_last_name = $${paramIndex++}`);
values.push(ivanti_last_name.trim() || null);
}
if (updates.length === 0) {
return res.status(400).json({ error: 'No fields to update' });
@@ -212,6 +280,8 @@ function createUsersRouter(requireAuth, requireGroup, logAudit) {
if (typeof is_active === 'boolean') updatedFields.is_active = is_active;
if (password) updatedFields.password_changed = true;
if (typeof bu_teams === 'string') updatedFields.bu_teams = bu_teams;
if (typeof ivanti_first_name === 'string') updatedFields.ivanti_first_name = ivanti_first_name.trim() || null;
if (typeof ivanti_last_name === 'string') updatedFields.ivanti_last_name = ivanti_last_name.trim() || null;
logAudit({
userId: req.user.id,
@@ -270,7 +340,17 @@ function createUsersRouter(requireAuth, requireGroup, logAudit) {
}
});
// Delete user
/**
* DELETE /api/users/:id
*
* Deletes a user account and their associated sessions. Cannot delete your own account.
*
* @param {string} req.params.id - User ID to delete
* @returns {Object} 200 - { message: 'User deleted successfully' }
* @returns {Object} 400 - { error: string } if attempting self-deletion
* @returns {Object} 404 - { error: 'User not found' }
* @returns {Object} 500 - { error: string }
*/
router.delete('/:id', async (req, res) => {
const userId = req.params.id;