feat: add role mappings for SAML configuration (#1210)

2023-08-11 19:07:39 +02:00
parent c7e1d30553
commit a6a124d2e6
8 changed files with 190 additions and 25 deletions
--- a/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
+++ b/packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
@@ -1,19 +1,27 @@
 import SamlAuthProvider from '../models/saml-auth-provider.ee';
 import User from '../models/user';
 import Identity from '../models/identity.ee';
+import SamlAuthProvidersRoleMapping from '../models/saml-auth-providers-role-mapping.ee';

-const getUser = (user: Record<string, unknown>, providerConfig: SamlAuthProvider) => ({
+const getUser = (
+  user: Record<string, unknown>,
+  providerConfig: SamlAuthProvider
+) => ({
  name: user[providerConfig.firstnameAttributeName],
  surname: user[providerConfig.surnameAttributeName],
  id: user.nameID,
  email: user[providerConfig.emailAttributeName],
-  role: user[providerConfig.roleAttributeName],
-})
+  role: user[providerConfig.roleAttributeName] as string | string[],
+});

-const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unknown>, samlAuthProvider: SamlAuthProvider) => {
+const findOrCreateUserBySamlIdentity = async (
+  userIdentity: Record<string, unknown>,
+  samlAuthProvider: SamlAuthProvider
+) => {
  const mappedUser = getUser(userIdentity, samlAuthProvider);
  const identity = await Identity.query().findOne({
    remote_id: mappedUser.id,
+    provider_type: 'saml',
  });

  if (identity) {
@@ -22,25 +30,38 @@ const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unkno
    return user;
  }

-  const createdUser = await User.query().insertGraph({
-    fullName: [
-      mappedUser.name,
-      mappedUser.surname
-    ]
-      .filter(Boolean)
-      .join(' '),
-    email: mappedUser.email as string,
-    roleId: samlAuthProvider.defaultRoleId,
-    identities: [
+  const mappedRoles = Array.isArray(mappedUser.role)
+    ? mappedUser.role
+    : [mappedUser.role];
+
+  const samlAuthProviderRoleMapping = await samlAuthProvider
+    .$relatedQuery('samlAuthProvidersRoleMappings')
+    .whereIn('remote_role_name', mappedRoles)
+    .limit(1)
+    .first();
+
+  const createdUser = await User.query()
+    .insertGraph(
      {
-        remoteId: mappedUser.id as string,
-        providerId: samlAuthProvider.id,
-        providerType: 'saml'
+        fullName: [mappedUser.name, mappedUser.surname]
+          .filter(Boolean)
+          .join(' '),
+        email: mappedUser.email as string,
+        roleId:
+          samlAuthProviderRoleMapping.roleId || samlAuthProvider.defaultRoleId,
+        identities: [
+          {
+            remoteId: mappedUser.id as string,
+            providerId: samlAuthProvider.id,
+            providerType: 'saml',
+          },
+        ],
+      },
+      {
+        relate: ['identities'],
      }
-    ]
-  }, {
-    relate: ['identities']
-  }).returning('*');
+    )
+    .returning('*');

  return createdUser;
 };