pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-17 18:36:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

add idp auto provision override on user

Browse Source
This commit is contained in:
miloschwartz
2025-09-05 16:14:01 -07:00
parent 90456339ca
commit b0bd9279fc
24 changed files with 744 additions and 317 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
server/auth/actions.ts
View File

@@ -100,7 +100,8 @@ export enum ActionsEnum {
getApiKey = "getApiKey",
createOrgDomain = "createOrgDomain",
deleteOrgDomain = "deleteOrgDomain",
restartOrgDomain = "restartOrgDomain"
restartOrgDomain = "restartOrgDomain",
updateOrgUser = "updateOrgUser"
}
export async function checkUserActionPermission(

3
server/db/pg/schema.ts
View File

@@ -213,7 +213,8 @@ export const userOrgs = pgTable("userOrgs", {
roleId: integer("roleId")
.notNull()
.references(() => roles.roleId),
isOwner: boolean("isOwner").notNull().default(false)
isOwner: boolean("isOwner").notNull().default(false),
autoProvisioned: boolean("autoProvisioned").default(false)
});
export const emailVerificationCodes = pgTable("emailVerificationCodes", {

20
server/db/sqlite/schema.ts
View File

@@ -107,7 +107,7 @@ export const resources = sqliteTable("resources", {
enableProxy: integer("enableProxy", { mode: "boolean" }).default(true),
skipToIdpId: integer("skipToIdpId").references(() => idp.idpId, {
onDelete: "cascade"
}),
})
});
export const targets = sqliteTable("targets", {
@@ -143,8 +143,11 @@ export const exitNodes = sqliteTable("exitNodes", {
type: text("type").default("gerbil") // gerbil, remoteExitNode
});
export const siteResources = sqliteTable("siteResources", { // this is for the clients
siteResourceId: integer("siteResourceId").primaryKey({ autoIncrement: true }),
export const siteResources = sqliteTable("siteResources", {
// this is for the clients
siteResourceId: integer("siteResourceId").primaryKey({
autoIncrement: true
}),
siteId: integer("siteId")
.notNull()
.references(() => sites.siteId, { onDelete: "cascade" }),
@@ -156,7 +159,7 @@ export const siteResources = sqliteTable("siteResources", { // this is for the c
proxyPort: integer("proxyPort").notNull(),
destinationPort: integer("destinationPort").notNull(),
destinationIp: text("destinationIp").notNull(),
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true)
});
export const users = sqliteTable("user", {
@@ -260,7 +263,9 @@ export const clientSites = sqliteTable("clientSites", {
siteId: integer("siteId")
.notNull()
.references(() => sites.siteId, { onDelete: "cascade" }),
isRelayed: integer("isRelayed", { mode: "boolean" }).notNull().default(false),
isRelayed: integer("isRelayed", { mode: "boolean" })
.notNull()
.default(false),
endpoint: text("endpoint")
});
@@ -318,7 +323,10 @@ export const userOrgs = sqliteTable("userOrgs", {
roleId: integer("roleId")
.notNull()
.references(() => roles.roleId),
isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false)
isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
autoProvisioned: integer("autoProvisioned", {
mode: "boolean"
}).default(false)
});
export const emailVerificationCodes = sqliteTable("emailVerificationCodes", {

8
server/routers/external.ts
View File

@@ -582,6 +582,14 @@ authenticated.put(
user.createOrgUser
);
authenticated.post(
"/org/:orgId/user/:userId",
verifyOrgAccess,
verifyUserAccess,
verifyUserHasAction(ActionsEnum.updateOrgUser),
user.updateOrgUser
);
authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);
authenticated.post(

16
server/routers/idp/listIdps.ts
View File

@@ -1,11 +1,11 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { db, idpOidcConfig } from "@server/db";
import { domains, idp, orgDomains, users, idpOrg } from "@server/db";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import { sql } from "drizzle-orm";
import { eq, sql } from "drizzle-orm";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { OpenAPITags, registry } from "@server/openApi";
@@ -33,10 +33,13 @@ async function query(limit: number, offset: number) {
idpId: idp.idpId,
name: idp.name,
type: idp.type,
orgCount: sql<number>`count(${idpOrg.orgId})`
variant: idpOidcConfig.variant,
orgCount: sql<number>`count(${idpOrg.orgId})`,
autoProvision: idp.autoProvision
})
.from(idp)
.leftJoin(idpOrg, sql`${idp.idpId} = ${idpOrg.idpId}`)
.leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
.groupBy(idp.idpId)
.limit(limit)
.offset(offset);
@@ -44,12 +47,7 @@ async function query(limit: number, offset: number) {
}
export type ListIdpsResponse = {
idps: Array<{
idpId: number;
name: string;
type: string;
orgCount: number;
}>;
idps: Awaited<ReturnType<typeof query>>;
pagination: {
total: number;
limit: number;

17
server/routers/idp/validateOidcCallback.ts
View File

@@ -354,8 +354,13 @@ export async function validateOidcCallback(
.from(userOrgs)
.where(eq(userOrgs.userId, userId!));
// Delete orgs that are no longer valid
const orgsToDelete = currentUserOrgs.filter(
// Filter to only auto-provisioned orgs for CRUD operations
const autoProvisionedOrgs = currentUserOrgs.filter(
(org) => org.autoProvisioned === true
);
// Delete auto-provisioned orgs that are no longer valid
const orgsToDelete = autoProvisionedOrgs.filter(
(currentOrg) =>
!userOrgInfo.some(
(newOrg) => newOrg.orgId === currentOrg.orgId
@@ -374,8 +379,8 @@ export async function validateOidcCallback(
);
}
// Update roles for existing orgs where the role has changed
const orgsToUpdate = currentUserOrgs.filter((currentOrg) => {
// Update roles for existing auto-provisioned orgs where the role has changed
const orgsToUpdate = autoProvisionedOrgs.filter((currentOrg) => {
const newOrg = userOrgInfo.find(
(newOrg) => newOrg.orgId === currentOrg.orgId
);
@@ -401,7 +406,7 @@ export async function validateOidcCallback(
}
}
// Add new orgs that don't exist yet
// Add new orgs that don't exist yet (these will be auto-provisioned)
const orgsToAdd = userOrgInfo.filter(
(newOrg) =>
!currentUserOrgs.some(
@@ -415,12 +420,14 @@ export async function validateOidcCallback(
userId: userId!,
orgId: org.orgId,
roleId: org.roleId,
autoProvisioned: true,
dateCreated: new Date().toISOString()
}))
);
}
// Loop through all the orgs and get the total number of users from the userOrgs table
// Use all current user orgs (both auto-provisioned and manually added) for counting
for (const org of currentUserOrgs) {
const userCount = await trx
.select()

18
server/routers/integration.ts
View File

@@ -24,7 +24,8 @@ import {
verifyApiKeyIsRoot,
verifyApiKeyClientAccess,
verifyClientsEnabled,
verifyApiKeySiteResourceAccess
verifyApiKeySiteResourceAccess,
verifyOrgAccess
} from "@server/middlewares";
import HttpCode from "@server/types/HttpCode";
import { Router } from "express";
@@ -469,6 +470,21 @@ authenticated.get(
user.listUsers
);
authenticated.put(
"/org/:orgId/user",
verifyApiKeyOrgAccess,
verifyApiKeyHasAction(ActionsEnum.createOrgUser),
user.createOrgUser
);
authenticated.post(
"/org/:orgId/user/:userId",
verifyApiKeyOrgAccess,
verifyApiKeyUserAccess,
verifyApiKeyHasAction(ActionsEnum.updateOrgUser),
user.updateOrgUser
);
authenticated.delete(
"/org/:orgId/user/:userId",
verifyApiKeyOrgAccess,

18
server/routers/user/createOrgUser.ts
View File

@@ -84,7 +84,14 @@ export async function createOrgUser(
}
const { orgId } = parsedParams.data;
const { username, email, name, type, idpId, roleId } = parsedBody.data;
const {
username,
email,
name,
type,
idpId,
roleId
} = parsedBody.data;
const [role] = await db
.select()
@@ -173,7 +180,8 @@ export async function createOrgUser(
.values({
orgId,
userId: existingUser.userId,
roleId: role.roleId
roleId: role.roleId,
autoProvisioned: false
})
.returning();
} else {
@@ -189,7 +197,7 @@ export async function createOrgUser(
type: "oidc",
idpId,
dateCreated: new Date().toISOString(),
emailVerified: true
emailVerified: true,
})
.returning();
@@ -198,7 +206,8 @@ export async function createOrgUser(
.values({
orgId,
userId: newUser.userId,
roleId: role.roleId
roleId: role.roleId,
autoProvisioned: false
})
.returning();
}
@@ -209,7 +218,6 @@ export async function createOrgUser(
.from(userOrgs)
.where(eq(userOrgs.orgId, orgId));
});
} else {
return next(
createHttpError(HttpCode.BAD_REQUEST, "User type is required")

10
server/routers/user/getOrgUser.ts
View File

@@ -1,6 +1,6 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { db, idp, idpOidcConfig } from "@server/db";
import { roles, userOrgs, users } from "@server/db";
import { and, eq } from "drizzle-orm";
import response from "@server/lib/response";
@@ -25,10 +25,18 @@ async function queryUser(orgId: string, userId: string) {
isOwner: userOrgs.isOwner,
isAdmin: roles.isAdmin,
twoFactorEnabled: users.twoFactorEnabled,
autoProvisioned: userOrgs.autoProvisioned,
idpId: users.idpId,
idpName: idp.name,
idpType: idp.type,
idpVariant: idpOidcConfig.variant,
idpAutoProvision: idp.autoProvision
})
.from(userOrgs)
.leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
.leftJoin(users, eq(userOrgs.userId, users.userId))
.leftJoin(idp, eq(users.idpId, idp.idpId))
.leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.limit(1);
return user;

1
server/routers/user/index.ts
View File

@@ -13,3 +13,4 @@ export * from "./removeInvitation";
export * from "./createOrgUser";
export * from "./adminUpdateUser2FA";
export * from "./adminGetUser";
export * from "./updateOrgUser";

5
server/routers/user/listUsers.ts
View File

@@ -1,6 +1,6 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { db, idpOidcConfig } from "@server/db";
import { idp, roles, userOrgs, users } from "@server/db";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
@@ -50,12 +50,15 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
isOwner: userOrgs.isOwner,
idpName: idp.name,
idpId: users.idpId,
idpType: idp.type,
idpVariant: idpOidcConfig.variant,
twoFactorEnabled: users.twoFactorEnabled,
})
.from(users)
.leftJoin(userOrgs, eq(users.userId, userOrgs.userId))
.leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
.leftJoin(idp, eq(users.idpId, idp.idpId))
.leftJoin(idpOidcConfig, eq(idpOidcConfig.idpId, idp.idpId))
.where(eq(userOrgs.orgId, orgId))
.limit(limit)
.offset(offset);

112
server/routers/user/updateOrgUser.ts Normal file
View File

@@ -0,0 +1,112 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db, userOrgs } from "@server/db";
import { and, eq } from "drizzle-orm";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { OpenAPITags, registry } from "@server/openApi";
const paramsSchema = z
.object({
userId: z.string(),
orgId: z.string()
})
.strict();
const bodySchema = z
.object({
autoProvisioned: z.boolean().optional()
})
.strict()
.refine((data) => Object.keys(data).length > 0, {
message: "At least one field must be provided for update"
});
registry.registerPath({
method: "post",
path: "/org/{orgId}/user/{userId}",
description: "Update a user in an org.",
tags: [OpenAPITags.Org, OpenAPITags.User],
request: {
params: paramsSchema,
body: {
content: {
"application/json": {
schema: bodySchema
}
}
}
},
responses: {}
});
export async function updateOrgUser(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = paramsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const parsedBody = bodySchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const { userId, orgId } = parsedParams.data;
const [existingUser] = await db
.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.limit(1);
if (!existingUser) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
"User not found in this organization"
)
);
}
const updateData = parsedBody.data;
const [updatedUser] = await db
.update(userOrgs)
.set({
...updateData
})
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.returning();
return response(res, {
data: updatedUser,
success: true,
error: false,
message: "Org user updated successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}