feat(sso): introduce authentication with SAML

2023-07-06 11:05:28 +00:00
parent 5176b8c322
commit a7104c41a2
28 changed files with 720 additions and 9 deletions
--- a/packages/backend/src/models/identity.ee.ts
+++ b/packages/backend/src/models/identity.ee.ts
@@ -0,0 +1,53 @@
+import Base from './base';
+import SamlAuthProvider from './saml-auth-provider.ee';
+import User from './user';
+
+class Identity extends Base {
+  id!: string;
+  remoteId!: string;
+  userId!: string;
+  providerId!: string;
+  providerType!: 'saml';
+
+  static tableName = 'identities';
+
+  static jsonSchema = {
+    type: 'object',
+    required: [
+      'providerId',
+      'remoteId',
+      'userId',
+      'providerType',
+    ],
+
+    properties: {
+      id: { type: 'string', format: 'uuid' },
+      userId: { type: 'string', format: 'uuid' },
+      remoteId: { type: 'string', minLength: 1 },
+      providerId: { type: 'string', format: 'uuid' },
+      providerType: { type: 'string', enum: ['saml'] },
+    },
+  };
+
+  static relationMappings = () => ({
+    user: {
+      relation: Base.BelongsToOneRelation,
+      modelClass: User,
+      join: {
+        from: 'users.id',
+        to: 'identities.user_id',
+      },
+    },
+    samlAuthProvider: {
+      relation: Base.BelongsToOneRelation,
+      modelClass: SamlAuthProvider,
+      join: {
+        from: 'saml_auth_providers.id',
+        to: 'identities.provider_id'
+      },
+    },
+  });
+
+}
+
+export default Identity;
--- a/packages/backend/src/models/saml-auth-provider.ee.ts
+++ b/packages/backend/src/models/saml-auth-provider.ee.ts
@@ -0,0 +1,79 @@
+import { URL } from 'node:url';
+import type { SamlConfig } from '@node-saml/passport-saml';
+import appConfig from '../config/app';
+import Base from './base';
+import Identity from './identity.ee';
+
+class SamlAuthProvider extends Base {
+  id!: string;
+  name: string;
+  certificate: string;
+  signatureAlgorithm: SamlConfig["signatureAlgorithm"];
+  issuer: string;
+  entryPoint: string;
+  firstnameAttributeName: string;
+  surnameAttributeName: string;
+  emailAttributeName: string;
+  roleAttributeName: string;
+  defaultRoleId: string;
+
+  static tableName = 'saml_auth_providers';
+
+  static jsonSchema = {
+    type: 'object',
+    required: [
+      'name',
+      'certificate',
+      'signatureAlgorithm',
+      'entryPoint',
+      'issuer',
+      'firstnameAttributeName',
+      'surnameAttributeName',
+      'emailAttributeName',
+      'roleAttributeName',
+      'defaultRoleId',
+    ],
+
+    properties: {
+      id: { type: 'string', format: 'uuid' },
+      name: { type: 'string', minLength: 1 },
+      certificate: { type: 'string', minLength: 1 },
+      signatureAlgorithm: { type: 'string', enum: ['sha1', 'sha256', 'sha512'] },
+      issuer: { type: 'string', minLength: 1 },
+      entryPoint: { type: 'string', minLength: 1 },
+      firstnameAttributeName: { type: 'string', minLength: 1 },
+      surnameAttributeName: { type: 'string', minLength: 1 },
+      emailAttributeName: { type: 'string', minLength: 1 },
+      roleAttributeName: { type: 'string', minLength: 1 },
+      defaultRoleId: { type: 'string', format: 'uuid' }
+    },
+  };
+
+  static relationMappings = () => ({
+    identities: {
+      relation: Base.HasOneRelation,
+      modelClass: Identity,
+      join: {
+        from: 'identities.provider_id',
+        to: 'saml_auth_providers.id',
+      },
+    },
+  });
+
+  get config(): SamlConfig {
+    const callbackUrl = new URL(
+      `/login/saml/${this.issuer}/callback`,
+      appConfig.baseUrl
+    ).toString();
+
+    return {
+      callbackUrl,
+      cert: this.certificate,
+      entryPoint: this.entryPoint,
+      issuer: this.issuer,
+      signatureAlgorithm: this.signatureAlgorithm,
+    }
+  }
+}
+
+export default SamlAuthProvider;
--- a/packages/backend/src/models/user.ts
+++ b/packages/backend/src/models/user.ts
@@ -14,6 +14,7 @@ import Step from './step';
 import Role from './role';
 import Permission from './permission';
 import Execution from './execution';
+import Identity from './identity.ee';
 import UsageData from './usage-data.ee';
 import Subscription from './subscription.ee';

@@ -36,18 +37,19 @@ class User extends Base {
  currentSubscription?: Subscription;
  role: Role;
  permissions: Permission[];
+  identities: Identity[];

  static tableName = 'users';

  static jsonSchema = {
    type: 'object',
-    required: ['fullName', 'email', 'password'],
+    required: ['fullName', 'email'],

    properties: {
      id: { type: 'string', format: 'uuid' },
      fullName: { type: 'string', minLength: 1 },
      email: { type: 'string', format: 'email', minLength: 1, maxLength: 255 },
-      password: { type: 'string', minLength: 1, maxLength: 255 },
+      password: { type: 'string' },
      resetPasswordToken: { type: 'string' },
      resetPasswordTokenSentAt: { type: 'string' },
      trialExpiryDate: { type: 'string' },
@@ -157,6 +159,14 @@ class User extends Base {
        to: 'permissions.id',
      },
    },
+    identities: {
+      relation: Base.HasManyRelation,
+      modelClass: Identity,
+      join: {
+        from: 'identities.user_id',
+        to: 'users.id',
+      }
+    }
  });

  login(password: string) {
@@ -191,7 +201,9 @@ class User extends Base {
  }

  async generateHash() {
-    this.password = await bcrypt.hash(this.password, 10);
+    if (this.password) {
+      this.password = await bcrypt.hash(this.password, 10);
+    }
  }

  async startTrialPeriod() {
@@ -265,9 +277,7 @@ class User extends Base {
  async $beforeUpdate(opt: ModelOptions, queryContext: QueryContext) {
    await super.$beforeUpdate(opt, queryContext);

-    if (this.password) {
-      await this.generateHash();
-    }
+    await this.generateHash();
  }

  async $afterInsert(queryContext: QueryContext) {