Merge pull request #1372 from Infisical/org-based-auth

Org-Level Auth Enforcement for SAML Orgs and Enhancements for SAML SSO
Infisical · Feb 9, 2024 · fb50375 · fb50375
2 parents eeaee44 + 069b0cd
commit fb50375
Show file tree

Hide file tree

Showing 113 changed files with 1,568 additions and 1,104 deletions.
diff --git a/backend/package.json b/backend/package.json
@@ -125,4 +125,4 @@
     "zod": "^3.22.4",
     "zod-to-json-schema": "^3.22.0"
   }
-}
+}
diff --git a/backend/src/@types/fastify.d.ts b/backend/src/@types/fastify.d.ts
@@ -51,13 +51,15 @@ declare module "fastify" {
     // used for mfa session authentication
     mfa: {
       userId: string;
+      orgId?: string;
       user: TUsers;
     };
     // identity injection. depending on which kinda of token the information is filled in auth
     auth: TAuthMode;
     permission: {
       type: ActorType;
       id: string;
+      orgId?: string;
     };
     // passport data
     passportUser: {

diff --git a/backend/src/db/migrations/20240204171758_org-based-auth.ts b/backend/src/db/migrations/20240204171758_org-based-auth.ts
@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    t.boolean("authEnforced").defaultTo(false);
+    t.index("slug");
+  });
+
+  await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+    t.datetime("lastUsed");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    t.dropColumn("authEnforced");
+    t.dropIndex("slug");
+  });
+
+  await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+    t.dropColumn("lastUsed");
+  });
+}
diff --git a/backend/src/db/schemas/organizations.ts b/backend/src/db/schemas/organizations.ts
@@ -13,7 +13,8 @@ export const OrganizationsSchema = z.object({
   customerId: z.string().nullable().optional(),
   slug: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  authEnforced: z.boolean().default(false).nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

diff --git a/backend/src/db/schemas/saml-configs.ts b/backend/src/db/schemas/saml-configs.ts
@@ -22,7 +22,8 @@ export const SamlConfigsSchema = z.object({
   certTag: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  orgId: z.string().uuid()
+  orgId: z.string().uuid(),
+  lastUsed: z.date().nullable().optional()
 });
 
 export type TSamlConfigs = z.infer<typeof SamlConfigsSchema>;

diff --git a/backend/src/ee/routes/v1/license-router.ts b/backend/src/ee/routes/v1/license-router.ts
@@ -22,6 +22,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgPlansTableByBillCycle({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId,
         billingCycle: req.query.billingCycle
       });
@@ -43,6 +44,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const plan = await server.services.license.getOrgPlan({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return { plan };
@@ -85,6 +87,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.startOrgTrial({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId,
         success_url: req.body.success_url
       });
@@ -106,6 +109,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.createOrganizationPortalSession({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;
@@ -126,6 +130,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgBillingInfo({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;
@@ -146,6 +151,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgPlanTable({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;
@@ -166,6 +172,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgBillingDetails({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;
@@ -190,6 +197,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.updateOrgBillingDetails({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId,
         name: req.body.name,
         email: req.body.email
@@ -212,6 +220,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgPmtMethods({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;
@@ -236,6 +245,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.addOrgPmtMethods({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId,
         success_url: req.body.success_url,
         cancel_url: req.body.cancel_url
@@ -261,6 +271,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.delOrgPmtMethods({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId,
         pmtMethodId: req.params.pmtMethodId
       });
@@ -284,6 +295,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgTaxIds({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;
@@ -310,6 +322,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.addOrgTaxId({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId,
         type: req.body.type,
         value: req.body.value
@@ -335,6 +348,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.delOrgTaxId({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId,
         taxId: req.params.taxId
       });
@@ -358,6 +372,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgTaxInvoices({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;
@@ -380,6 +395,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
       const data = await server.services.license.getOrgLicenses({
         actorId: req.permission.id,
         actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
         orgId: req.params.organizationId
       });
       return data;

diff --git a/backend/src/ee/routes/v1/org-role-router.ts b/backend/src/ee/routes/v1/org-role-router.ts
@@ -26,7 +26,12 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const role = await server.services.orgRole.createRole(req.permission.id, req.params.organizationId, req.body);
+      const role = await server.services.orgRole.createRole(
+        req.permission.id,
+        req.params.organizationId,
+        req.body,
+        req.permission.orgId
+      );
       return { role };
     }
   });
@@ -57,7 +62,8 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         req.permission.id,
         req.params.organizationId,
         req.params.roleId,
-        req.body
+        req.body,
+        req.permission.orgId
       );
       return { role };
     }
@@ -82,7 +88,8 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
       const role = await server.services.orgRole.deleteRole(
         req.permission.id,
         req.params.organizationId,
-        req.params.roleId
+        req.params.roleId,
+        req.permission.orgId
       );
       return { role };
     }
@@ -107,7 +114,11 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const roles = await server.services.orgRole.listRoles(req.permission.id, req.params.organizationId);
+      const roles = await server.services.orgRole.listRoles(
+        req.permission.id,
+        req.params.organizationId,
+        req.permission.orgId
+      );
       return { data: { roles } };
     }
   });
@@ -130,7 +141,8 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const { permissions, membership } = await server.services.orgRole.getUserPermission(
         req.permission.id,
-        req.params.organizationId
+        req.params.organizationId,
+        req.permission.orgId
       );
       return { permissions, membership };
     }

diff --git a/backend/src/ee/routes/v1/project-role-router.ts b/backend/src/ee/routes/v1/project-role-router.ts
@@ -30,7 +30,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         req.permission.type,
         req.permission.id,
         req.params.projectId,
-        req.body
+        req.body,
+        req.permission.orgId
       );
       return { role };
     }
@@ -63,7 +64,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         req.permission.id,
         req.params.projectId,
         req.params.roleId,
-        req.body
+        req.body,
+        req.permission.orgId
       );
       return { role };
     }
@@ -89,7 +91,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         req.permission.type,
         req.permission.id,
         req.params.projectId,
-        req.params.roleId
+        req.params.roleId,
+        req.permission.orgId
       );
       return { role };
     }
@@ -117,7 +120,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       const roles = await server.services.projectRole.listRoles(
         req.permission.type,
         req.permission.id,
-        req.params.projectId
+        req.params.projectId,
+        req.permission.orgId
       );
       return { data: { roles } };
     }
@@ -143,7 +147,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const { permissions, membership } = await server.services.projectRole.getUserPermission(
         req.permission.id,
-        req.params.projectId
+        req.params.projectId,
+        req.permission.orgId
       );
       return { data: { permissions, membership } };
     }

diff --git a/backend/src/ee/routes/v1/project-router.ts b/backend/src/ee/routes/v1/project-router.ts
@@ -31,6 +31,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       const secretSnapshots = await server.services.snapshot.listSnapshots({
         actor: req.permission.type,
         actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
         projectId: req.params.workspaceId,
         ...req.query
       });
@@ -60,6 +61,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       const count = await server.services.snapshot.projectSecretSnapshotCount({
         actor: req.permission.type,
         actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
         projectId: req.params.workspaceId,
         environment: req.query.environment,
         path: req.query.path
@@ -112,6 +114,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const auditLogs = await server.services.auditLog.listProjectAuditLogs({
         actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
         projectId: req.params.workspaceId,
         ...req.query,
         auditLogActor: req.query.actor,