Ensure only one Idp can be created for multi-ingress

Author: supersven

integration/test/API/Spar.hs

@@ -128,6 +128,11 @@ getIdp user idpId = do
   req <- baseRequest user Spar Versioned $ joinHttpPath ["identity-providers", idpId]
   submit "GET" req
 
+deleteIdp :: (HasCallStack, MakesValue user) => user -> String -> App Response
+deleteIdp user idpId = do
+  req <- baseRequest user Spar Versioned $ joinHttpPath ["identity-providers", idpId]
+  submit "DELETE" req
+
 -- | https://staging-nginz-https.zinfra.io/v7/api/swagger-ui/#/default/sso-team-metadata
 getSPMetadata :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
 getSPMetadata = (flip getSPMetadataWithZHost) Nothing

integration/test/Test/Spar/MultiIngressIdp.hs

@@ -78,6 +78,13 @@ testMultiIngressIdp = do
         resp.jsonBody %. "extraInfo.domain" `shouldMatch` Null
 
       -- From unconfigured to configured domain
+      updateIdpWithZHost owner (Just bertZHost) idpId2 idpmeta2 `bindResponse` \resp -> do
+        resp.status `shouldMatchInt` 409
+        resp.jsonBody %. "label" `shouldMatch` "idp-duplicate-domain-for-team"
+
+      deleteIdp owner idpId `bindResponse` \resp -> do
+        resp.status `shouldMatchInt` 204
+
       updateIdpWithZHost owner (Just bertZHost) idpId2 idpmeta2 `bindResponse` \resp -> do
         resp.status `shouldMatchInt` 200
         resp.jsonBody %. "extraInfo.domain" `shouldMatch` bertZHost
@@ -96,4 +103,49 @@ testMultiIngressIdp = do
         resp.jsonBody %. "extraInfo.domain" `shouldMatch` Null
 
 -- TODO: Test creation of two IDPs for the same domain -> should fail
+testMultiIngressAtMostIdpPerDomain :: (HasCallStack) => App ()
+testMultiIngressAtMostIdpPerDomain = do
+  withModifiedBackend
+    def
+      { sparCfg =
+          removeField "saml.spSsoUri"
+            >=> removeField "saml.spAppUri"
+            >=> removeField "saml.contacts"
+            >=> setField
+              "saml.spDomainConfigs"
+              ( object
+                  [ ernieZHost
+                      .= object
+                        [ "spAppUri" .= "https://webapp.ernie.example.com",
+                          "spSsoUri" .= "https://nginz-https.ernie.example.com/sso",
+                          "contacts" .= [object ["type" .= "ContactTechnical"]]
+                        ],
+                    bertZHost
+                      .= object
+                        [ "spAppUri" .= "https://webapp.bert.example.com",
+                          "spSsoUri" .= "https://nginz-https.bert.example.com/sso",
+                          "contacts" .= [object ["type" .= "ContactTechnical"]]
+                        ]
+                  ]
+              )
+      }
+    $ \domain -> do
+      (owner, tid, _) <- createTeam domain 1
+      void $ setTeamFeatureStatus owner tid "sso" "enabled"
+
+      SampleIdP idpmeta1 _pCreds _ _ <- makeSampleIdPMetadata
+      idpId1 <-
+        createIdpWithZHost owner (Just ernieZHost) idpmeta1 `bindResponse` \resp -> do
+          resp.status `shouldMatchInt` 201
+          resp.jsonBody %. "id" >>= asString
+
+      SampleIdP idpmeta2 _pCreds _ _ <- makeSampleIdPMetadata
+      void $ createIdpWithZHost owner (Just ernieZHost) idpmeta2 `bindResponse` \resp -> do
+        resp.status `shouldMatchInt` 409
+        resp.jsonBody %. "label" `shouldMatch` "idp-duplicate-domain-for-team"
+
+      updateIdpWithZHost owner (Just ernieZHost) idpId1 idpmeta2 `bindResponse` \resp -> do
+        resp.status `shouldMatchInt` 200
+        resp.jsonBody %. "extraInfo.domain" `shouldMatch` ernieZHost
+
 -- TODO: Test updating existing IDP such that two with the same domain would exist -> should fail

services/spar/src/Spar/API.hs

@@ -621,6 +621,7 @@ idpCreate samlConfig zusr uncheckedMbHost (IdPMetadataValue rawIdpMetadata idpme
   let mbHost = filterMultiIngressZHost (samlConfig._cfgDomainConfigs) uncheckedMbHost
   teamid <- Brig.getZUsrCheckPerm zusr CreateUpdateDeleteIdp
   GalleyAccess.assertSSOEnabled teamid
+  guardMultiIngressDuplicateDomain teamid mbHost
   idp <-
     maybe (IdPConfigStore.newHandle teamid) (pure . IdPHandle . fromRange) mHandle
       >>= validateNewIdP apiversion idpmeta teamid mReplaces mbHost
@@ -629,6 +630,21 @@ idpCreate samlConfig zusr uncheckedMbHost (IdPMetadataValue rawIdpMetadata idpme
   forM_ mReplaces $ \replaces ->
     IdPConfigStore.setReplacedBy (Replaced replaces) (Replacing (idp ^. SAML.idpId))
   pure idp
+  where
+    -- Ensure that the domain is not in use by an existing IDP
+    guardMultiIngressDuplicateDomain ::
+      ( Member (Error SparError) r,
+        Member IdPConfigStore r
+      ) =>
+      TeamId ->
+      Maybe ZHostValue ->
+      Sem r ()
+    guardMultiIngressDuplicateDomain _teamId Nothing = pure ()
+    guardMultiIngressDuplicateDomain teamId (Just zHost) = do
+      idps <- IdPConfigStore.getConfigsByTeam teamId
+      let domains = idps ^.. traverse . SAML.idpExtraInfo . domain . _Just
+      when (zHost `elem` domains) $
+        throwSparSem SparIdPDomainInUse
 
 -- | Only return a ZHost when multi-ingress is configured and the host value is a configured domain
 filterMultiIngressZHost :: Either SAML.MultiIngressDomainConfig (Map Domain SAML.MultiIngressDomainConfig) -> Maybe ZHostValue -> Maybe ZHostValue
@@ -779,6 +795,8 @@ idpUpdateXML ::
 idpUpdateXML zusr mDomain raw idpmeta idpid mHandle = withDebugLog "idpUpdateXML" (Just . show . (^. SAML.idpId)) $ do
   (teamid, idp) <- validateIdPUpdate zusr idpmeta idpid
   GalleyAccess.assertSSOEnabled teamid
+  -- TODO: Move this into validateIdPUpdate?
+  guardMultiIngressDuplicateDomain teamid mDomain idpid
   IdPRawMetadataStore.store (idp ^. SAML.idpId) raw
   let idp' :: IdP = case mHandle of
         Just idpHandle -> idp & (SAML.idpExtraInfo . handle) .~ IdPHandle (fromRange idpHandle)
@@ -795,6 +813,25 @@ idpUpdateXML zusr mDomain raw idpmeta idpid mHandle = withDebugLog "idpUpdateXML
         WireIdPAPIV2 -> Just teamid
   forM_ (idp'' ^. SAML.idpExtraInfo . oldIssuers) (flip IdPConfigStore.deleteIssuer mbteamid)
   pure idp''
+  where
+    -- Ensure that the domain is not in use by an existing IDP
+    guardMultiIngressDuplicateDomain ::
+      ( Member (Error SparError) r,
+        Member IdPConfigStore r
+      ) =>
+      TeamId ->
+      Maybe ZHostValue ->
+      SAML.IdPId ->
+      Sem r ()
+    guardMultiIngressDuplicateDomain _teamId Nothing _ = pure ()
+    guardMultiIngressDuplicateDomain teamId (Just zHost) idpId = do
+      idps <- IdPConfigStore.getConfigsByTeam teamId
+      let otherIdpsOnSameDomain =
+            any
+              (\idp -> (idp ^. SAML.idpExtraInfo . domain) == (Just zHost) && (idp ^. SAML.idpId) /= idpId)
+              idps
+      when otherIdpsOnSameDomain $
+        throwSparSem SparIdPDomainInUse
 
 -- | Check that: idp id is valid; calling user is admin in that idp's home team; team id in
 -- new metainfo doesn't change; new issuer (if changed) is not in use anywhere else (except as

services/spar/src/Spar/Error.hs

@@ -115,6 +115,7 @@ data SparCustomError
     SparInternalError LText
   | -- | All errors returned from SCIM handlers are wrapped into 'SparScimError'
     SparScimError Scim.ScimError
+  | SparIdPDomainInUse
   deriving (Eq, Show)
 
 data SparProvisioningMoreThanOneIdP
@@ -234,6 +235,7 @@ renderSparError (SAML.CustomError (IdpDbError AttemptToGetV2IssuerViaV1API)) = R
 renderSparError (SAML.CustomError (IdpDbError IdpNonUnique)) = Right $ Wai.mkError status409 "idp-non-unique" "We have found multiple IdPs with the same issuer. Please contact customer support."
 renderSparError (SAML.CustomError (IdpDbError IdpWrongTeam)) = Right $ Wai.mkError status409 "idp-wrong-team" "The IdP is not part of this team."
 renderSparError (SAML.CustomError (IdpDbError IdpNotFound)) = renderSparError (SAML.CustomError (SparIdPNotFound ""))
+renderSparError (SAML.CustomError SparIdPDomainInUse) = Right $ Wai.mkError status409 "idp-duplicate-domain-for-team" "This team already has an IdP configured for this domain."
 -- Errors related to provisioning
 renderSparError (SAML.CustomError (SparProvisioningMoreThanOneIdP msg)) = Right $
   Wai.mkError status400 "more-than-one-idp" do