jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add backend team enforcement via requireTeam() middleware

Browse Source 
Introduce server-side team-scoped data access enforcement:

- Add TEAM_TO_IVANTI/IVANTI_TO_TEAM mapping to helpers/teams.js
- Add requireTeam() middleware to middleware/auth.js
  - Admin bypass (req.teamScope = null)
  - 403 for users with no team assignment
  - Populates req.teamScope with short and ivanti name arrays
- Ivanti findings: replace client ?teams= param with req.teamScope filtering
  on GET /, /counts, /counts/history, /fp-workflow-counts, POST /sync
  - Override and note endpoints verify finding is in team scope
- Compliance: add requireTeam() router-level, validate ?team= param against scope
  on GET /items and GET /summary
- CARD: validate teamName param on GET /teams/:teamName/assets
- Todo queue: verify findings belong to user's teams on POST /batch
- Clarify IVANTI_BU_FILTER comment (sync-level vs query-time filtering)
- Update 14 test files to include requireTeam in auth middleware mocks
This commit is contained in:
Jordan Ramos
2026-06-24 11:36:25 -06:00
parent ab66d7d813
commit a003091b6a
20 changed files with 239 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
backend/helpers/teams.js
View File

@@ -1,8 +1,41 @@
// Shared BU team constants and validation
// Shared BU team constants, validation, and name mapping.
// Used by user management routes, auth middleware, and frontend-facing endpoints.
const KNOWN_TEAMS = ['STEAM', 'ACCESS-ENG', 'ACCESS-OPS', 'INTELDEV'];
// Mapping between short team names (stored on users) and full Ivanti BU identifiers
// (used in ivanti_findings.bu_ownership column).
const TEAM_TO_IVANTI = {
'STEAM': 'NTS-AEO-STEAM',
'ACCESS-ENG': 'NTS-AEO-ACCESS-ENG',
'ACCESS-OPS': 'NTS-AEO-ACCESS-OPS',
'INTELDEV': 'NTS-AEO-INTELDEV'
};
const IVANTI_TO_TEAM = Object.fromEntries(
Object.entries(TEAM_TO_IVANTI).map(([k, v]) => [v, k])
);
/**
* Convert a short team name to the full Ivanti BU identifier.
* Returns the input unchanged if no mapping exists.
* @param {string} shortName - e.g. 'STEAM'
* @returns {string} e.g. 'NTS-AEO-STEAM'
*/
function teamToIvanti(shortName) {
return TEAM_TO_IVANTI[shortName] || shortName;
}
/**
* Convert a full Ivanti BU identifier to the short team name.
* Returns the input unchanged if no mapping exists.
* @param {string} ivantiName - e.g. 'NTS-AEO-STEAM'
* @returns {string} e.g. 'STEAM'
*/
function ivantiToTeam(ivantiName) {
return IVANTI_TO_TEAM[ivantiName] || ivantiName;
}
/**
* Parse and validate a comma-separated teams string.
* @param {string} teamsString - Comma-separated team identifiers (e.g. 'STEAM,ACCESS-ENG')
@@ -23,4 +56,4 @@ function validateTeams(teamsString) {
};
}
module.exports = { KNOWN_TEAMS, validateTeams };
module.exports = { KNOWN_TEAMS, TEAM_TO_IVANTI, IVANTI_TO_TEAM, teamToIvanti, ivantiToTeam, validateTeams };