From ad1c8113ead6058868989234da09573cb2f94b91 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:43:36 +0000
Subject: [PATCH] fix: allow default IdP validation in global mode policies
---
 server/lib/blueprints/resourcePolicies.ts | 27 ++++++++++++++-----
 .../routers/policy/createResourcePolicy.ts | 25 +++++++++++++++--
 .../policy/setResourcePolicyAccessControl.ts | 24 ++++++++++++++---
 3 files changed, 63 insertions(+), 13 deletions(-)
diff --git a/server/lib/blueprints/resourcePolicies.ts b/server/lib/blueprints/resourcePolicies.ts
index f8d8d1269..2180bbdf8 100644
--- a/server/lib/blueprints/resourcePolicies.ts
+++ b/server/lib/blueprints/resourcePolicies.ts
@@ -74,13 +74,7 @@ export async function updateResourcePolicies(
 const [provider] = await trx
 .select()
 .from(idp)
- .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
- .where(
- and(
- eq(idp.idpId, policyData["auto-login-idp"]),
- eq(idpOrg.orgId, orgId)
- )
- )
+ .where(eq(idp.idpId, policyData["auto-login-idp"]))
 .limit(1);

 if (!provider) {
@@ -88,6 +82,25 @@ export async function updateResourcePolicies(
 `Identity provider not found for policy '${policyNiceId}' in this organization`
 );
 }
+
+ if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+ const [providerOrg] = await trx
+ .select()
+ .from(idpOrg)
+ .where(
+ and(
+ eq(idpOrg.idpId, policyData["auto-login-idp"]),
+ eq(idpOrg.orgId, orgId)
+ )
+ )
+ .limit(1);
+
+ if (!providerOrg) {
+ throw new Error(
+ `Identity provider not found for policy '${policyNiceId}' in this organization`
+ );
+ }
+ }
 }

 // Look up the admin role
diff --git a/server/private/routers/policy/createResourcePolicy.ts b/server/private/routers/policy/createResourcePolicy.ts
index 9f02b912c..b33e4eebf 100644
--- a/server/private/routers/policy/createResourcePolicy.ts
+++ b/server/private/routers/policy/createResourcePolicy.ts
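Review bot: With the `idpOrg` join gone, the lookup behind the new `.where(eq(idp.idpId, policyData["auto-login-idp"]))` is no longer scoped to the organization, yet the `throw` just below it (visible as the first context line of the next hunk) still reports `Identity provider not found for policy '...' in this organization`, and the new membership check in the next hunk reuses the identical message, so the two failures cannot be told apart in logs. Suggest dropping the org wording from the first one, e.g. `` `Identity provider not found for policy '${policyNiceId}'` ``, and keeping the "in this organization" wording only for the membership check. updateResourcePolicies starts and ends outside the hunk.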
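Review bot: The gate `if (process.env.IDENTITY_PROVIDER_MODE === "org")` fails open: when the variable is unset, empty or mistyped, the `idpOrg` membership query is skipped entirely and a policy may reference any row in `idp`, so a misconfigured deployment silently lands in the least restrictive behaviour. The safer shape is to skip the membership check only when the mode is explicitly the global one, e.g. `if (process.env.IDENTITY_PROVIDER_MODE !== "global")` with whatever literal the project actually defines for that mode, and preferably read through the project's config accessor rather than `process.env` directly, if one exists. The same gate appears in the createResourcePolicy and setResourcePolicyAccessControl hunks; since the three copies differ only in the id expression and the error path, one helper (say `assertIdpVisibleToOrg(db, idpId, orgId)`) would keep the mode logic in a single place. updateResourcePolicies continues outside the hunk.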
@@ -207,8 +207,7 @@ export async function createResourcePolicy(
 const [provider] = await db
 .select()
 .from(idp)
- .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
- .where(and(eq(idp.idpId, skipToIdpId), eq(idpOrg.orgId, orgId)))
+ .where(eq(idp.idpId, skipToIdpId))
 .limit(1);

 if (!provider) {
@@ -219,6 +218,28 @@ export async function createResourcePolicy(
 )
 );
 }
+
+ if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+ const [providerOrg] = await db
+ .select()
+ .from(idpOrg)
+ .where(
+ and(
+ eq(idpOrg.idpId, skipToIdpId),
+ eq(idpOrg.orgId, orgId)
+ )
+ )
+ .limit(1);
+
+ if (!providerOrg) {
+ return next(
+ createHttpError(
+ HttpCode.INTERNAL_SERVER_ERROR,
+ "Identity provider not found in this organization"
+ )
+ );
+ }
+ }
 }

 const adminRole = await db
diff --git a/server/routers/policy/setResourcePolicyAccessControl.ts b/server/routers/policy/setResourcePolicyAccessControl.ts
index 6c0e19b68..552c31483 100644
--- a/server/routers/policy/setResourcePolicyAccessControl.ts
+++ b/server/routers/policy/setResourcePolicyAccessControl.ts
@@ -107,10 +107,7 @@ export async function setResourcePolicyAccessControl(
 const [provider] = await db
 .select()
 .from(idp)
- .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
- .where(
- and(eq(idp.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
- )
+ .where(eq(idp.idpId, idpId))
 .limit(1);

 if (!provider) {
@@ -121,6 +118,25 @@ export async function setResourcePolicyAccessControl(
 )
 );
 }
+
+ if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+ const [providerOrg] = await db
+ .select()
+ .from(idpOrg)
+ .where(
+ and(eq(idpOrg.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
+ )
+ .limit(1);
+
+ if (!providerOrg) {
+ return next(
+ createHttpError(
+ HttpCode.INTERNAL_SERVER_ERROR,
+ "Identity provider not found in this organization"
+ )
+ );
+ }
+ }
 }

 // Check if any of the roleIds are admin roles
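Review bot: The new `if (!providerOrg)` branch answers a caller-supplied `skipToIdpId` that is not a member of `orgId` with `HttpCode.INTERNAL_SERVER_ERROR`, but this is a request-validation failure rather than a server fault; a 500 misleads the client about who has to fix the request and inflates server-error alerting for what is ordinary bad input. A 4xx member of `HttpCode` is more appropriate here, matching whatever the preceding `if (!provider)` branch already returns if that one is a client error, and the same applies to the identical branch in the setResourcePolicyAccessControl hunk below. createResourcePolicy continues on both sides of the hunk.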