Merge branch 'org-only-idp' into dev

server/middlewares/integration/index.ts

@@ -13,3 +13,4 @@ export * from "./verifyApiKeyIsRoot";
 export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
+export * from "./verifyApiKeyIdpAccess";

server/middlewares/integration/verifyApiKeyIdpAccess.ts

@@ -0,0 +1,88 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { idp, idpOrg, apiKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyIdpAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const apiKey = req.apiKey;
+        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
+        const orgId = req.params.orgId;
+
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!idpId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any IDP in any org
+            return next();
+        }
+
+        const [idpRes] = await db
+            .select()
+            .from(idp)
+            .innerJoin(idpOrg, eq(idp.idpId, idpOrg.idpId))
+            .where(and(eq(idp.idpId, idpId), eq(idpOrg.orgId, orgId)))
+            .limit(1);
+
+        if (!idpRes || !idpRes.idp || !idpRes.idpOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `IdP with ID ${idpId} not found for organization ${orgId}`
+                )
+            );
+        }
+
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgRes = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, idpRes.idpOrg.orgId)
+                    )
+                );
+            req.apiKeyOrg = apiKeyOrgRes[0];
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying IDP access"
+            )
+        );
+    }
+}

server/private/routers/integration.ts

@@ -18,7 +18,8 @@ import * as logs from "#private/routers/auditLogs";
 import {
     verifyApiKeyHasAction,
     verifyApiKeyIsRoot,
-    verifyApiKeyOrgAccess
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess
 } from "@server/middlewares";
 import {
     verifyValidSubscription,
@@ -31,6 +32,8 @@ import {
     authenticated as a
 } from "@server/routers/integration";
 import { logActionAudit } from "#private/middlewares";
+import config from "#private/lib/config";
+import { build } from "@server/build";
 
 export const unauthenticated = ua;
 export const authenticated = a;
@@ -88,3 +91,49 @@ authenticated.get(
     logActionAudit(ActionsEnum.exportLogs),
     logs.exportAccessAuditLogs
 );
+
+authenticated.put(
+    "/org/:orgId/idp/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.createIdp),
+    logActionAudit(ActionsEnum.createIdp),
+    orgIdp.createOrgOidcIdp
+);
+
+authenticated.post(
+    "/org/:orgId/idp/:idpId/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateIdp),
+    logActionAudit(ActionsEnum.updateIdp),
+    orgIdp.updateOrgOidcIdp
+);
+
+authenticated.delete(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteIdp),
+    logActionAudit(ActionsEnum.deleteIdp),
+    orgIdp.deleteOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.getIdp),
+    orgIdp.getOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listIdps),
+    orgIdp.listOrgIdps
+);

server/private/routers/orgIdp/createOrgOidcIdp.ts

@@ -46,22 +46,23 @@ const bodySchema = z.strictObject({
     roleMapping: z.string().optional()
 });
 
-// registry.registerPath({
+registry.registerPath({
-//     method: "put",
+    method: "put",
-//     path: "/idp/oidc",
+    path: "/org/{orgId}/idp/oidc",
-//     description: "Create an OIDC IdP.",
+    description: "Create an OIDC IdP for a specific organization.",
-//     tags: [OpenAPITags.Idp],
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
-//     request: {
+    request: {
-//         body: {
+        params: paramsSchema,
-//             content: {
+        body: {
-//                 "application/json": {
+            content: {
-//                     schema: bodySchema
+                "application/json": {
-//                 }
+                    schema: bodySchema
-//             }
+                }
-//         }
+            }
-//     },
+        }
-//     responses: {}
+    },
-// });
+    responses: {}
+});
 
 export async function createOrgOidcIdp(
     req: Request,

server/private/routers/orgIdp/deleteOrgIdp.ts

@@ -32,9 +32,9 @@ const paramsSchema = z
 
 registry.registerPath({
     method: "delete",
-    path: "/idp/{idpId}",
+    path: "/org/{orgId}/idp/{idpId}",
-    description: "Delete IDP.",
+    description: "Delete IDP for a specific organization.",
-    tags: [OpenAPITags.Idp],
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
     request: {
         params: paramsSchema
     },

server/private/routers/orgIdp/getOrgIdp.ts

@@ -48,16 +48,16 @@ async function query(idpId: number, orgId: string) {
     return res;
 }
 
-// registry.registerPath({
+registry.registerPath({
-//     method: "get",
+    method: "get",
-//     path: "/idp/{idpId}",
+    path: "/org/:orgId/idp/:idpId",
-//     description: "Get an IDP by its IDP ID.",
+    description: "Get an IDP by its IDP ID for a specific organization.",
-//     tags: [OpenAPITags.Idp],
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
-//     request: {
+    request: {
-//         params: paramsSchema
+        params: paramsSchema
-//     },
+    },
-//     responses: {}
+    responses: {}
-// });
+});
 
 export async function getOrgIdp(
     req: Request,

server/private/routers/orgIdp/listOrgIdps.ts

@@ -62,16 +62,17 @@ async function query(orgId: string, limit: number, offset: number) {
     return res;
 }
 
-// registry.registerPath({
+registry.registerPath({
-//     method: "get",
+    method: "get",
-//     path: "/idp",
+    path: "/org/{orgId}/idp",
-//     description: "List all IDP in the system.",
+    description: "List all IDP for a specific organization.",
-//     tags: [OpenAPITags.Idp],
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
-//     request: {
+    request: {
-//         query: querySchema
+        query: querySchema,
-//     },
+        params: paramsSchema
-//     responses: {}
+    },
-// });
+    responses: {}
+});
 
 export async function listOrgIdps(
     req: Request,

server/private/routers/orgIdp/updateOrgOidcIdp.ts

@@ -53,23 +53,23 @@ export type UpdateOrgIdpResponse = {
     idpId: number;
 };
 
-// registry.registerPath({
+registry.registerPath({
-//     method: "post",
+    method: "post",
-//     path: "/idp/{idpId}/oidc",
+    path: "/org/{orgId}/idp/{idpId}/oidc",
-//     description: "Update an OIDC IdP.",
+    description: "Update an OIDC IdP for a specific organization.",
-//     tags: [OpenAPITags.Idp],
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
-//     request: {
+    request: {
-//         params: paramsSchema,
+        params: paramsSchema,
-//         body: {
+        body: {
-//             content: {
+            content: {
-//                 "application/json": {
+                "application/json": {
-//                     schema: bodySchema
+                    schema: bodySchema
-//                 }
+                }
-//             }
+            }
-//         }
+        }
-//     },
+    },
-//     responses: {}
+    responses: {}
-// });
+});
 
 export async function updateOrgOidcIdp(
     req: Request,

src/components/PermissionsSelectBox.tsx

@@ -114,6 +114,16 @@ function getActionsCategories(root: boolean) {
         }
     };
 
+    if (root || build === "saas" || env.flags.useOrgOnlyIdp) {
+        actionsByCategory["Identity Provider (IDP)"] = {
+            [t("actionCreateIdp")]: "createIdp",
+            [t("actionUpdateIdp")]: "updateIdp",
+            [t("actionDeleteIdp")]: "deleteIdp",
+            [t("actionListIdps")]: "listIdps",
+            [t("actionGetIdp")]: "getIdp"
+        };
+    }
+
     if (root) {
         actionsByCategory["Organization"] = {
             [t("actionListOrgs")]: "listOrgs",
@@ -128,24 +138,21 @@ function getActionsCategories(root: boolean) {
             ...actionsByCategory["Organization"]
         };
 
-        actionsByCategory["Identity Provider (IDP)"] = {
+        actionsByCategory["Identity Provider (IDP)"][t("actionCreateIdpOrg")] =
-            [t("actionCreateIdp")]: "createIdp",
+            "createIdpOrg";
-            [t("actionUpdateIdp")]: "updateIdp",
+        actionsByCategory["Identity Provider (IDP)"][t("actionDeleteIdpOrg")] =
-            [t("actionDeleteIdp")]: "deleteIdp",
+            "deleteIdpOrg";
-            [t("actionListIdps")]: "listIdps",
+        actionsByCategory["Identity Provider (IDP)"][t("actionListIdpOrgs")] =
-            [t("actionGetIdp")]: "getIdp",
+            "listIdpOrgs";
-            [t("actionCreateIdpOrg")]: "createIdpOrg",
+        actionsByCategory["Identity Provider (IDP)"][t("actionUpdateIdpOrg")] =
-            [t("actionDeleteIdpOrg")]: "deleteIdpOrg",
+            "updateIdpOrg";
-            [t("actionListIdpOrgs")]: "listIdpOrgs",
-            [t("actionUpdateIdpOrg")]: "updateIdpOrg"
-        };
 
         actionsByCategory["User"] = {
             [t("actionUpdateUser")]: "updateUser",
             [t("actionGetUser")]: "getUser"
         };
 
-        if (build == "saas") {
+        if (build === "saas") {
             actionsByCategory["SAAS"] = {
                 ["Send Usage Notification Email"]: "sendUsageNotification"
             };