diff --git a/docs/webhook_events.md b/docs/webhook_events.md
index 0630b4e96..ff8374dbd 100644
--- a/docs/webhook_events.md
+++ b/docs/webhook_events.md
@@ -690,7 +690,7 @@ If webhook is set to have Event Grid message format then the payload will look a
 "allowed_service_tags": []
 },
 "proxy_vm_sku": "Standard_B2s",
- "require_admin_privileges": true
+ "require_admin_privileges": false
 }
 }
 ```
@@ -847,7 +847,7 @@ If webhook is set to have Event Grid message format then the payload will look a
 "type": "string"
 },
 "require_admin_privileges": {
- "default": true,
+ "default": false,
 "title": "Require Admin Privileges",
 "type": "boolean"
 },
@@ -6041,7 +6041,7 @@ If webhook is set to have Event Grid message format then the payload will look a
 "type": "string"
 },
 "require_admin_privileges": {
- "default": true,
+ "default": false,
 "title": "Require Admin Privileges",
 "type": "boolean"
 },
diff --git a/src/api-service/__app__/onefuzzlib/endpoint_authorization.py b/src/api-service/__app__/onefuzzlib/endpoint_authorization.py
index dcb0808a7..990896fb3 100644
--- a/src/api-service/__app__/onefuzzlib/endpoint_authorization.py
+++ b/src/api-service/__app__/onefuzzlib/endpoint_authorization.py
@@ -113,7 +113,7 @@ def can_modify_config(req: func.HttpRequest, config: InstanceConfig) -> bool:
 def check_require_admins_impl(
 config: InstanceConfig, user_info: UserInfo
 ) -> Optional[Error]:
- if config.require_admin_privileges:
+ if not config.require_admin_privileges:
 return None
 if config.admins is None:
@@ -137,9 +137,9 @@ def check_require_admins(req: func.HttpRequest) -> Optional[Error]:
 # To make changes while still protecting against accidental changes to
 # pools, do the following:
 #
- # 1. set `require_admin_privileges` to `True`
+ # 1. set `require_admin_privileges` to `False`
 # 2. make the change
- # 3. set `require_admin_privileges` to `False`
+ # 3. set `require_admin_privileges` to `True`
 config = InstanceConfig.fetch()
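Review bot: Flipping the guard to `if not config.require_admin_privileges:` also flips the meaning of every value of the flag that is already saved, and the commit carries no migration or upgrade note for that. A saved config holding `true` would start enforcing the admin list after upgrade, and one set to `false` on purpose to get enforcement under the old logic would silently stop enforcing it; whether saved configs hold the field explicitly is not visible in this diff, so check how `InstanceConfig` is persisted. I would also add a docstring to `check_require_admins_impl`, for example `"""Return None when require_admin_privileges is off; otherwise check config.admins."""`. The function body continues past the end of this hunk.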
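Review bot: The procedure in this comment inside `check_require_admins` leaves admin enforcement off for the whole instance between steps 1 and 3, and the comment does not say so. With the flag at `False`, `check_require_admins_impl` returns `None` for every caller, so during that window the admin list restricts nobody, and the window stays open if step 3 is forgotten. I would add a line such as `# While the flag is False, pool and scaleset changes are not limited to admins; set it back to True as soon as the change is made.` The enclosing function starts before this hunk and continues after it.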
diff --git a/src/api-service/tests/test_auth_check.py b/src/api-service/tests/test_auth_check.py
index 26f435e8e..a5d0d5cbe 100644
--- a/src/api-service/tests/test_auth_check.py
+++ b/src/api-service/tests/test_auth_check.py
@@ -71,7 +71,7 @@ class TestAdmin(unittest.TestCase):
 self.assertIsNone(
 check_require_admins_impl(
 InstanceConfig(
- allowed_aad_tenants=[UUID(int=0)], require_admin_privileges=True
+ allowed_aad_tenants=[UUID(int=0)], require_admin_privileges=False
 ),
 UserInfo(),
 )
@@ -81,7 +81,7 @@ class TestAdmin(unittest.TestCase):
 self.assertIsNone(
 check_require_admins_impl(
 InstanceConfig(
- allowed_aad_tenants=[UUID(int=0)], require_admin_privileges=True
+ allowed_aad_tenants=[UUID(int=0)], require_admin_privileges=False
 ),
 UserInfo(object_id=user1),
 )
@@ -92,7 +92,7 @@ class TestAdmin(unittest.TestCase):
 check_require_admins_impl(
 InstanceConfig(
 allowed_aad_tenants=[UUID(int=0)],
- require_admin_privileges=False,
+ require_admin_privileges=True,
 admins=[user1],
 ),
 UserInfo(object_id=user1),
@@ -104,7 +104,7 @@ class TestAdmin(unittest.TestCase):
 check_require_admins_impl(
 InstanceConfig(
 allowed_aad_tenants=[UUID(int=0)],
- require_admin_privileges=False,
+ require_admin_privileges=True,
 admins=[user1],
 ),
 UserInfo(),
@@ -116,7 +116,7 @@ class TestAdmin(unittest.TestCase):
 check_require_admins_impl(
 InstanceConfig(
 allowed_aad_tenants=[UUID(int=0)],
- require_admin_privileges=False,
+ require_admin_privileges=True,
 admins=[user1],
 ),
 UserInfo(object_id=user2),
diff --git a/src/pytypes/onefuzztypes/models.py b/src/pytypes/onefuzztypes/models.py
index 34b17cd01..3f1adb13d 100644
--- a/src/pytypes/onefuzztypes/models.py
+++ b/src/pytypes/onefuzztypes/models.py
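Review bot: Every updated case in `TestAdmin` passes the flag explicitly, so nothing in the hunks shown pins the new default or the `config.admins is None` branch that `check_require_admins_impl` reaches when the flag is `True`; this applies to all five hunks in this file. A default-config case such as `self.assertIsNone(check_require_admins_impl(InstanceConfig(allowed_aad_tenants=[UUID(int=0)]), UserInfo()))` would catch a later change of the default. A second case with `require_admin_privileges=True` and no `admins` should assert whatever result is intended there, since that is the state an operator lands in when enabling the flag before populating the list. The assert calls wrapping the last three hunks start outside the visible lines, and the rest of the test file is not shown, so these cases may already exist elsewhere.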
@@ -872,7 +872,7 @@ class InstanceConfig(BaseModel):
 admins: Optional[List[UUID]] = None
 # if set, only admins can manage pools or scalesets
- require_admin_privileges: bool = Field(default=True)
+ require_admin_privileges: bool = Field(default=False)
 allowed_aad_tenants: List[UUID]
 network_config: NetworkConfig = Field(default_factory=NetworkConfig)
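Review bot: The comment above `require_admin_privileges` does not say that the new default leaves the restriction off. With `Field(default=False)`, a config that never sets the flag gets no admin gating on pool and scaleset management, which is the fail-open choice; if that is kept for compatibility, it should be stated where operators will read it. I would extend the comment to `# if set, only admins can manage pools or scalesets; the default (False) applies no restriction`. Since the `admins` field just above defaults to `None`, it is also worth documenting that the flag and the admin list are meant to be set together.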