salman/igny8
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
38bc015d96818fd9fbc032af6dca4cf206485bcb
igny8/AWS_ADMIN_ACCOUNT_AUDIT_REPORT.md
IGNY8 VPS (Salman) 162947f3cc Apply ab0d6469: Add admin bulk actions across all models
2025-12-23 06:49:00 +00:00

602 lines
20 KiB
Markdown
Raw Blame History

# AWS-ADMIN Account & Superuser Audit Report
**Date**: December 20, 2025
**Scope**: Complete audit of aws-admin account, superuser permissions, and special configurations
**Environment**: Production IGNY8 Platform
---
## Executive Summary
The **aws-admin** account is a special system account with elevated privileges designed for platform administration, development, and system-level operations. This audit documents all special permissions, configurations, and security controls associated with this account.
### Current Status
- **Account Name**: AWS Admin
- **Account Slug**: `aws-admin`
- **Status**: Active
- **Plan**: Internal (System/Superuser) - unlimited resources
- **Credits**: 333
- **Users**: 1 user (developer role, superuser)
- **Created**: Via management command `create_aws_admin_tenant.py`
---
## 1. Backend Configuration
### 1.1 Account Model Special Permissions
**File**: `backend/igny8_core/auth/models.py`
**System Account Detection** (Line 155-158):
```python
def is_system_account(self):
"""Check if this account is a system account with highest access level."""
return self.slug in ['aws-admin', 'default-account', 'default']
```
**Special Behaviors**:
-**Cannot be deleted** - Soft delete is blocked with `PermissionDenied`
-**Unlimited access** - Bypasses all filtering restrictions
-**Multi-tenant access** - Can view/edit data across all accounts
**Account Slug Variants Recognized**:
1. `aws-admin` (primary)
2. `default-account` (legacy)
3. `default` (legacy)
---
### 1.2 User Model Special Permissions
**File**: `backend/igny8_core/auth/models.py`
**System Account User Detection** (Line 738-743):
```python
def is_system_account_user(self):
"""Check if user belongs to a system account with highest access level."""
try:
return self.account and self.account.is_system_account()
except (AttributeError, Exception):
return False
```
**Developer Role Detection** (Line 730-732):
```python
def is_developer(self):
"""Check if user is a developer/super admin with full access."""
return self.role == 'developer' or self.is_superuser
```
**Site Access Override** (Line 747-755):
```python
def get_accessible_sites(self):
"""Get all sites the user can access."""
if self.role in ['owner', 'admin', 'developer'] or self.is_superuser or self.is_system_account_user():
return base_sites # ALL sites in account
# Other users need explicit SiteUserAccess grants
```
---
### 1.3 Admin Panel Permissions
**File**: `backend/igny8_core/admin/base.py`
**QuerySet Filtering Bypass** (8 instances, Lines 18, 31, 43, 55, 72, 83, 93, 103):
```python
if request.user.is_superuser or (hasattr(request.user, 'is_developer') and request.user.is_developer()):
return qs # No filtering - see all data
```
**Special Privileges**:
- ✅ View all objects across all accounts
- ✅ Edit all objects across all accounts
- ✅ Delete all objects across all accounts
- ✅ Access all admin models without filtering
---
### 1.4 API Permissions
**File**: `backend/igny8_core/api/permissions.py`
#### HasTenantAccess Permission
**Bypass Conditions** (Lines 54-68):
1. `is_superuser == True` → ALLOWED
2. `role == 'developer'` → ALLOWED
3. `is_system_account_user() == True` → ALLOWED
#### IsSystemAccountOrDeveloper Permission
**File**: `backend/igny8_core/api/permissions.py` (Lines 190-208)
```python
class IsSystemAccountOrDeveloper(permissions.BasePermission):
"""
Allow only system accounts (aws-admin/default-account/default) or developer role.
Use for sensitive, globally-scoped settings like integration API keys.
"""
def has_permission(self, request, view):
account_slug = getattr(getattr(user, "account", None), "slug", None)
if user.role == "developer":
return True
if account_slug in ["aws-admin", "default-account", "default"]:
return True
return False
```
**Usage**: Protects sensitive endpoints like:
- Global integration settings
- System-wide API keys
- Platform configuration
#### Permission Bypasses Summary
| Permission Class | Bypass for Superuser | Bypass for Developer | Bypass for aws-admin |
|-----------------|---------------------|---------------------|---------------------|
| HasTenantAccess | ✅ Yes | ✅ Yes | ✅ Yes |
| IsViewerOrAbove | ✅ Yes | ✅ Yes | ✅ Yes (via developer) |
| IsEditorOrAbove | ✅ Yes | ✅ Yes | ✅ Yes (via developer) |
| IsAdminOrOwner | ✅ Yes | ✅ Yes | ✅ Yes (via developer) |
| IsSystemAccountOrDeveloper | ✅ Yes | ✅ Yes | ✅ Yes (explicit) |
---
### 1.5 Rate Limiting & Throttling
**File**: `backend/igny8_core/api/throttles.py`
**Current Status**: **DISABLED - All rate limiting bypassed**
**Throttle Bypass Logic** (Lines 22-39):
```python
def allow_request(self, request, view):
"""
Check if request should be throttled.
DISABLED - Always allow all requests.
"""
return True # ALWAYS ALLOWED
# OLD CODE (DISABLED):
# if request.user.is_superuser: return True
# if request.user.role == 'developer': return True
# if request.user.is_system_account_user(): return True
```
**Security Note**: Rate limiting is currently disabled for ALL users, not just aws-admin.
---
### 1.6 AI Settings & API Keys
**File**: `backend/igny8_core/ai/settings.py`
**Fallback to System Account** (Lines 53-65):
```python
# Fallback to system account (aws-admin, default-account, or default)
if not settings_obj:
from igny8_core.auth.models import Account
IntegrationSettings = apps.get_model('system', 'IntegrationSettings')
for slug in ['aws-admin', 'default-account', 'default']:
system_account = Account.objects.filter(slug=slug).first()
if system_account:
settings_obj = IntegrationSettings.objects.filter(account=system_account).first()
if settings_obj:
break
```
**Special Behavior**:
- If an account doesn't have integration settings, **aws-admin's settings are used as fallback**
- This allows system-wide default API keys (OpenAI, DALL-E, etc.)
---
### 1.7 Middleware Bypass
**File**: `backend/igny8_core/auth/middleware.py`
**Account Injection Bypass** (Lines 146-157):
```python
if getattr(user, 'is_superuser', False):
# Superuser - no filtering
return None
# Developer or system account user - no filtering
if hasattr(user, 'is_system_account_user') and user.is_system_account_user():
return None
```
**Effect**: Request-level account filtering disabled for aws-admin users.
---
### 1.8 Management Command
**File**: `backend/igny8_core/auth/management/commands/create_aws_admin_tenant.py`
**Purpose**: Creates or updates aws-admin account with unlimited resources
**What It Does**:
1. Creates/gets Enterprise plan with unlimited limits (999999 for all resources)
2. Creates/gets `aws-admin` account linked to Enterprise plan
3. Moves all superuser and developer role users to aws-admin account
4. Sets 999999 credits for the account
**Usage**:
```bash
python manage.py create_aws_admin_tenant
```
**Plan Limits** (Lines 26-40):
- max_users: 999,999
- max_sites: 999,999
- max_keywords: 999,999
- max_clusters: 999,999
- monthly_word_count_limit: 999,999,999
- daily_content_tasks: 999,999
- daily_ai_requests: 999,999
- monthly_ai_credit_limit: 999,999
- included_credits: 999,999
- All features enabled: `['ai_writer', 'image_gen', 'auto_publish', 'custom_prompts', 'unlimited']`
---
## 2. Frontend Configuration
### 2.1 Admin Menu Access
**File**: `frontend/src/layout/AppSidebar.tsx`
**Access Control** (Lines 46-52):
```tsx
const isAwsAdminAccount = Boolean(
user?.account?.slug === 'aws-admin' ||
user?.account?.slug === 'default-account' ||
user?.account?.slug === 'default' ||
user?.role === 'developer'
);
```
**Admin Section Display** (Lines 258-355):
- **System Dashboard** - `/admin/dashboard`
- **Account Management** - All accounts, subscriptions, limits
- **Billing Administration** - Invoices, payments, credit configs
- **User Administration** - All users, roles, activity logs
- **System Configuration** - System settings, AI settings, module settings
- **Monitoring** - System health, API monitor, debug status
- **Developer Tools** - Function testing, system testing
- **UI Elements** - Complete UI component library (22 pages)
**Total Admin Menu Items**: 50+ pages accessible only to aws-admin users
---
### 2.2 Route Protection
**File**: `frontend/src/components/auth/AdminGuard.tsx`
**Guard Logic** (Lines 12-18):
```tsx
export default function AdminGuard({ children }: AdminGuardProps) {
const { user } = useAuthStore();
const role = user?.role;
const accountSlug = user?.account?.slug;
const isSystemAccount = accountSlug === 'aws-admin' || accountSlug === 'default-account' || accountSlug === 'default';
const allowed = role === 'developer' || isSystemAccount;
if (!allowed) {
return <Navigate to="/" replace />; // Redirect to home
}
return <>{children}</>;
}
```
**Protected Routes**: All `/admin/*` routes wrapped with AdminGuard
---
### 2.3 API Status Indicator
**File**: `frontend/src/components/sidebar/ApiStatusIndicator.tsx`
**Visibility Control** (Lines 130-131):
```tsx
// Only show and run for aws-admin accounts
const isAwsAdmin = user?.account?.slug === 'aws-admin';
```
**Special Feature**:
- Real-time API health monitoring component
- Checks 100+ API endpoints across all modules
- Only visible/functional for aws-admin users
- Displays endpoint status (healthy/warning/error)
---
### 2.4 Debug Tools Access
**File**: `frontend/src/components/debug/ResourceDebugOverlay.tsx`
**Access Control** (Line 46):
```tsx
const isAdminOrDeveloper = user?.role === 'admin' || user?.role === 'developer';
```
**Debug Features Available**:
- Resource debugging overlay
- Network request inspection
- State inspection
- Performance monitoring
---
### 2.5 Protected Route Privileges
**File**: `frontend/src/components/auth/ProtectedRoute.tsx`
**Privileged Access** (Line 127):
```tsx
const isPrivileged = user?.role === 'developer' || user?.is_superuser;
```
**Special Behaviors**:
- Access to all routes regardless of module enable settings
- Bypass certain validation checks
- Access to system-level features
---
### 2.6 API Request Handling
**File**: `frontend/src/services/api.ts`
**Comment Blocks** (Lines 640-641, 788-789, 1011-1012, 1169-1170):
```typescript
// Always add site_id if there's an active site (even for admin/developer)
// The backend will respect it appropriately - admin/developer can still see all sites
```
**Behavior**:
- Frontend still sends `site_id` parameter
- Backend ignores it for aws-admin users (shows all data)
- This maintains consistent API interface while allowing privileged access
---
## 3. Security Analysis
### 3.1 Current User Details
**Retrieved from Database**:
```
Username: developer
Email: [from database]
Role: developer
Superuser: True
Account: AWS Admin (aws-admin)
Account Status: active
Account Credits: 333
```
---
### 3.2 Permission Matrix
| Operation | Regular User | Admin Role | Developer Role | Superuser | aws-admin User |
|-----------|-------------|------------|----------------|-----------|----------------|
| **View own account data** | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| **View other accounts** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| **Edit other accounts** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| **Delete accounts** | ❌ No | ❌ No | ⚠️ Limited | ✅ Yes | ✅ Yes (except self) |
| **Access Django admin** | ❌ No | ⚠️ Limited | ✅ Full | ✅ Full | ✅ Full |
| **Access admin dashboard** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| **View all users** | ❌ No | ⚠️ Own account | ✅ All | ✅ All | ✅ All |
| **Manage billing (all accounts)** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| **System settings** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| **API monitoring** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| **Debug tools** | ❌ No | ⚠️ Limited | ✅ Full | ✅ Full | ✅ Full |
| **Rate limiting** | ✅ Applied* | ✅ Applied* | ✅ Bypassed* | ✅ Bypassed* | ✅ Bypassed* |
| **Credit deduction** | ✅ Yes | ✅ Yes | ⚠️ Check needed | ⚠️ Check needed | ⚠️ Check needed |
| **AI API fallback** | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes (system default) |
*Currently all rate limiting is disabled globally
---
### 3.3 Security Strengths
#### ✅ Good Practices
1. **Multiple authentication layers** - Role, superuser, and account slug checks
2. **Explicit permission classes** - `IsSystemAccountOrDeveloper` for sensitive endpoints
3. **Frontend route guards** - AdminGuard prevents unauthorized access
4. **Account isolation** - Regular users strictly isolated to their account
5. **Cannot delete system account** - Protected from accidental deletion
6. **Audit trail** - Django admin logs all actions
7. **Middleware protection** - Request-level filtering for non-privileged users
---
### 3.4 Security Concerns & Recommendations
#### ⚠️ Areas for Improvement
**1. Rate Limiting Disabled** (HIGH PRIORITY)
- **Issue**: All rate limiting bypassed globally, not just for aws-admin
- **Risk**: API abuse, DoS attacks, resource exhaustion
- **Recommendation**: Re-enable rate limiting with proper exemptions for aws-admin
```python
# Recommended fix in throttles.py
def allow_request(self, request, view):
# Bypass for system accounts only
if request.user and request.user.is_authenticated:
if getattr(request.user, 'is_superuser', False):
return True
if hasattr(request.user, 'role') and request.user.role == 'developer':
return True
if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
return True
# Apply normal throttling for all other users
return super().allow_request(request, view)
```
**2. AI API Key Fallback** (MEDIUM PRIORITY)
- **Issue**: All accounts fall back to aws-admin's API keys if not configured
- **Risk**: Unexpected costs, quota exhaustion, key exposure
- **Recommendation**:
- Add explicit opt-in for fallback behavior
- Alert when fallback keys are used
- Track usage per account even with fallback keys
**3. Credit Deduction Unclear** (MEDIUM PRIORITY)
- **Issue**: Not clear if aws-admin users are charged credits for operations
- **Risk**: Potential cost tracking issues
- **Recommendation**:
- Audit credit deduction logic for system accounts
- Document whether aws-admin is exempt from credit charges
- If exempt, ensure credit balance never depletes
**4. Multiple System Account Slugs** (LOW PRIORITY)
- **Issue**: Three different slugs recognized (`aws-admin`, `default-account`, `default`)
- **Risk**: Confusion, inconsistent behavior
- **Recommendation**: Standardize on `aws-admin` only, deprecate others
**5. is_superuser Flag** (LOW PRIORITY)
- **Issue**: Both `is_superuser` flag and `developer` role grant same privileges
- **Risk**: Redundant permission checks, potential bypass
- **Recommendation**: Use one permission model (recommend role-based)
**6. UI Elements in Production** (INFORMATIONAL)
- **Issue**: 22 UI element demo pages accessible in admin menu
- **Risk**: Potential information disclosure
- **Recommendation**: Move to separate route or remove from production
---
### 3.5 Access Log Review Recommendations
**Recommended Monitoring**:
1. **Admin Actions** - Review `django_admin_log` table regularly
2. **API Access** - Log all requests from aws-admin users
3. **Failed Permissions** - Alert on permission denied for system account
4. **Multi-Account Data Access** - Log when aws-admin views other accounts' data
5. **System Settings Changes** - Require approval/notification for critical changes
**Suggested Audit Queries**:
```sql
-- All actions by aws-admin users (last 30 days)
SELECT * FROM django_admin_log
WHERE user_id IN (SELECT id FROM igny8_core_auth_user WHERE account_id = (SELECT id FROM igny8_core_auth_account WHERE slug='aws-admin'))
AND action_time > NOW() - INTERVAL '30 days'
ORDER BY action_time DESC;
-- All accounts accessed by developers
SELECT DISTINCT object_repr, content_type_id, action_flag
FROM django_admin_log
WHERE user_id IN (SELECT id FROM igny8_core_auth_user WHERE role='developer' OR is_superuser=true)
AND content_type_id = (SELECT id FROM django_content_type WHERE app_label='igny8_core_auth' AND model='account');
```
---
## 4. Compliance & Best Practices
### 4.1 Principle of Least Privilege
- ⚠️ **Current**: aws-admin has unlimited access to everything
-**Recommendation**: Consider creating sub-roles:
- **system-admin**: Account/user management only
- **billing-admin**: Billing and payments only
- **platform-admin**: System settings only
- **developer**: Full access (current state)
### 4.2 Separation of Duties
- ⚠️ **Current**: Single developer user has all permissions
-**Recommendation**:
- Create separate accounts for different admin tasks
- Require MFA for aws-admin users
- Log all sensitive operations with approval workflow
### 4.3 Data Protection
-**Good**: Account deletion protection for system account
-**Good**: Soft delete implementation preserves audit trail
- ⚠️ **Improvement**: Add data export restrictions for sensitive PII
---
## 5. Recommendations Summary
### Immediate Actions (Within 1 Week)
1.**Re-enable rate limiting** with proper system account exemptions
2.**Audit credit deduction** logic for aws-admin account
3.**Document** which operations are logged and where
### Short-term Actions (Within 1 Month)
1. ⚠️ **Review AI API key fallback** behavior and add tracking
2. ⚠️ **Standardize** system account slug to aws-admin only
3. ⚠️ **Implement** MFA requirement for aws-admin users
4. ⚠️ **Add alerts** for sensitive operations (account deletion, plan changes, etc.)
### Long-term Actions (Within 3 Months)
1. 📋 **Create sub-admin roles** with limited scope
2. 📋 **Implement approval workflow** for critical system changes
3. 📋 **Add audit dashboard** showing aws-admin activity
4. 📋 **Security review** of all permission bypass points
5. 📋 **Penetration testing** focused on privilege escalation
---
## 6. Conclusion
The **aws-admin** account is properly configured with extensive privileges necessary for platform administration. The implementation follows a clear pattern of permission checks across backend and frontend.
**Key Strengths**:
- Multi-layered permission checks
- System account protection from deletion
- Clear separation between system and tenant data
- Comprehensive admin interface
**Key Risks**:
- Global rate limiting disabled
- AI API key fallback may cause unexpected costs
- Multiple system account slugs create confusion
- No sub-admin roles for separation of duties
**Overall Security Posture**: **MODERATE**
- System account is properly protected and identified
- Permissions are consistently enforced
- Some security controls (rate limiting) need re-enabling
- Monitoring and audit trails need enhancement
---
## Appendix A: Code Locations Reference
### Backend Permission Checks
- `auth/models.py` - Lines 155-158, 738-743, 730-732, 747-755
- `admin/base.py` - Lines 18, 31, 43, 55, 72, 83, 93, 103
- `api/permissions.py` - Lines 54-68, 190-208
- `api/throttles.py` - Lines 22-39
- `api/base.py` - Lines 25, 34, 259
- `auth/middleware.py` - Lines 146, 155
- `ai/settings.py` - Lines 53-65
### Frontend Access Controls
- `layout/AppSidebar.tsx` - Lines 46-52, 258-355
- `components/auth/AdminGuard.tsx` - Lines 12-18
- `components/auth/ProtectedRoute.tsx` - Line 127
- `components/sidebar/ApiStatusIndicator.tsx` - Lines 130-131
- `components/debug/*` - Line 46
- `services/api.ts` - Multiple locations (640, 788, 1011, 1169)
### Management Commands
- `auth/management/commands/create_aws_admin_tenant.py` - Full file
---
**Report Generated**: December 20, 2025
**Generated By**: Security Audit Process
**Classification**: Internal Use Only
**Next Review Date**: March 20, 2026
---
*End of Audit Report*
Reference in New Issue View Git Blame Copy Permalink