@de-otio/trellis 0.6.0 → 0.7.0
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +6 -3
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
|
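--- a/package/dist/lib/tenant/resolve-role.d.ts
+++ b/package/dist/lib/tenant/resolve-role.d.ts
@@ -0,0 +1,39 @@
+/**
+* IdP-group → TenantRole resolution (T2 — JIT provisioning).
+*
+* Pure function over the user's IdP `groups` claim and the tenant's
+* `TenantRoleMapping` rows. The lambda fetches the mappings; this module
+* applies the priority + role-rank algorithm so unit tests don't need Prisma.
+*
+* Algorithm (per doc/02-technical/identity-federation/05-roles-and-permissions.md):
+* - No `idpGroups` → defaultRole
+* - No mappings match → defaultRole
+* - Lowest `priority` wins (priority 0 beats priority 100)
+* - Tie on priority → highest role rank wins
+*
+* Role rank: OWNER (4) > ADMIN (3) > MEMBER (2) > GUEST (1).
+*/
+import type { TenantRole } from "@prisma/client";
+export interface RoleMappingInput {
+idpGroupName: string;
+tenantRole: TenantRole;
+priority: number;
+}
+/**
+* Resolve which TenantRole a federated user should be granted, given:
+* - their IdP-emitted group identifiers
+* - the tenant's configured role mappings
+* - the tenant IdP's configured `defaultRole` (null = deny if no match)
+*
+* Returns null when no mapping matches and `defaultRole` is null — the
+* caller treats this as "do not provision an org TenantMember".
+*
+* **OWNER cap (G2 M3):** OWNER is the single-OWNER invariant for a tenant
+* and is only granted by tenant-creation flow + explicit transfer. A group
+* mapping or default-role configured to OWNER is downgraded to ADMIN here
+* as a defense-in-depth backstop. The role-mapping API (T5) must also
+* reject OWNER on write, but this resolver enforces the invariant on read
+* so a misconfigured row never escalates a federated user to OWNER.
+*/
+export declare function resolveTenantRole(idpGroups: ReadonlyArray<string>, mappings: ReadonlyArray<RoleMappingInput>, defaultRole: TenantRole | null): TenantRole | null;
+//# sourceMappingURL=resolve-role.d.ts.map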
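--- a/package/dist/lib/tenant/resolve-role.d.ts.map
+++ b/package/dist/lib/tenant/resolve-role.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"resolve-role.d.ts","sourceRoot":"","sources":["../../../src/lib/tenant/resolve-role.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AASD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,aAAa,CAAC,MAAM,CAAC,EAChC,QAAQ,EAAE,aAAa,CAAC,gBAAgB,CAAC,EACzC,WAAW,EAAE,UAAU,GAAG,IAAI,GAC7B,UAAU,GAAG,IAAI,CAanB"}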
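--- a/package/dist/lib/tenant/resolve-role.js
+++ b/package/dist/lib/tenant/resolve-role.js
@@ -0,0 +1,60 @@
+"use strict";
+/**
+* IdP-group → TenantRole resolution (T2 — JIT provisioning).
+*
+* Pure function over the user's IdP `groups` claim and the tenant's
+* `TenantRoleMapping` rows. The lambda fetches the mappings; this module
+* applies the priority + role-rank algorithm so unit tests don't need Prisma.
+*
+* Algorithm (per doc/02-technical/identity-federation/05-roles-and-permissions.md):
+* - No `idpGroups` → defaultRole
+* - No mappings match → defaultRole
+* - Lowest `priority` wins (priority 0 beats priority 100)
+* - Tie on priority → highest role rank wins
+*
+* Role rank: OWNER (4) > ADMIN (3) > MEMBER (2) > GUEST (1).
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveTenantRole = resolveTenantRole;
+const ROLE_RANK = {
+OWNER: 4,
+ADMIN: 3,
+MEMBER: 2,
+GUEST: 1,
+};
+/**
+* Resolve which TenantRole a federated user should be granted, given:
+* - their IdP-emitted group identifiers
+* - the tenant's configured role mappings
+* - the tenant IdP's configured `defaultRole` (null = deny if no match)
+*
+* Returns null when no mapping matches and `defaultRole` is null — the
+* caller treats this as "do not provision an org TenantMember".
+*
+* **OWNER cap (G2 M3):** OWNER is the single-OWNER invariant for a tenant
+* and is only granted by tenant-creation flow + explicit transfer. A group
+* mapping or default-role configured to OWNER is downgraded to ADMIN here
+* as a defense-in-depth backstop. The role-mapping API (T5) must also
+* reject OWNER on write, but this resolver enforces the invariant on read
+* so a misconfigured row never escalates a federated user to OWNER.
+*/
+function resolveTenantRole(idpGroups, mappings, defaultRole) {
+if (idpGroups.length === 0)
+return capOwner(defaultRole);
+const groupSet = new Set(idpGroups);
+const matches = mappings.filter((m) => groupSet.has(m.idpGroupName));
+if (matches.length === 0)
+return capOwner(defaultRole);
+const sorted = [...matches].sort((a, b) => {
+if (a.priority !== b.priority)
+return a.priority - b.priority;
+return ROLE_RANK[b.tenantRole] - ROLE_RANK[a.tenantRole];
+});
+return capOwner(sorted[0].tenantRole);
+}
+function capOwner(role) {
+if (role === "OWNER")
+return "ADMIN";
+return role;
+}
+//# sourceMappingURL=resolve-role.js.map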
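Review bot: `resolveTenantRole` trusts the shape of `idpGroups`: it reads `idpGroups.length` and builds `new Set(idpGroups)` without checking for an array, so an absent claim throws instead of falling back to `defaultRole`, and a groups claim that arrives as a single string is iterated character by character, each character being compared against `idpGroupName`. Whether the calling lambda always parses the claim into an array is not visible in this file, so I would normalise at the top with `const groups = Array.isArray(idpGroups) ? idpGroups.filter((g) => typeof g === "string") : [];` and use `groups` for both the length check and the `Set`. Separately, the tie-break `ROLE_RANK[b.tenantRole] - ROLE_RANK[a.tenantRole]` evaluates to `NaN` for any role value missing from `ROLE_RANK`, and `capOwner` only matches the exact string `"OWNER"`; a comment such as `// tenantRole is assumed to be one of the ROLE_RANK keys (enforced by the DB enum) — confirm` would make that dependency explicit.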
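--- a/package/dist/lib/tenant/resolve-role.js.map
+++ b/package/dist/lib/tenant/resolve-role.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"resolve-role.js","sourceRoot":"","sources":["../../../src/lib/tenant/resolve-role.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAiCH,8CAiBC;AAxCD,MAAM,SAAS,GAA+B;IAC5C,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,CAAC;CACT,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,iBAAiB,CAC/B,SAAgC,EAChC,QAAyC,EACzC,WAA8B;IAE9B,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC,WAAW,CAAC,CAAC;IAEzD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IACrE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC,WAAW,CAAC,CAAC;IAEvD,MAAM,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACxC,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ;YAAE,OAAO,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;QAC9D,OAAO,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,QAAQ,CAAC,IAAuB;IACvC,IAAI,IAAI,KAAK,OAAO;QAAE,OAAO,OAAO,CAAC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC"}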
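--- a/package/dist/lib/tenant/role-mapping-handler.d.ts
+++ b/package/dist/lib/tenant/role-mapping-handler.d.ts
@@ -0,0 +1,26 @@
+/**
+* Tenant role-mapping CRUD.
+*
+* Endpoints (wired in routes/tenant-role-mappings.ts):
+* GET /api/tenants/:id/role-mappings
+* POST /api/tenants/:id/role-mappings
+* PATCH /api/tenants/:id/role-mappings/:mappingId
+* DELETE /api/tenants/:id/role-mappings/:mappingId
+*
+* Single-OWNER invariant: writes that target `tenantRole = OWNER` return 422.
+* `resolveTenantRole` (T2) already caps OWNER → ADMIN as defense-in-depth, but
+* we reject at write time so misconfiguration is loud rather than silent.
+*/
+import type { Env } from "../../env";
+import type { AuthContext } from "../auth/auth-context";
+export declare class RoleMappingHandler {
+/** GET — list all mappings for the tenant. */
+handleList(tenantId: string, auth: AuthContext, env: Env): Promise<Response>;
+/** POST — create a new mapping. Cannot map to OWNER. */
+handleCreate(tenantId: string, request: Request, auth: AuthContext, env: Env): Promise<Response>;
+/** PATCH — update tenantRole and/or priority of an existing mapping. */
+handleUpdate(tenantId: string, mappingId: string, request: Request, auth: AuthContext, env: Env): Promise<Response>;
+/** DELETE — remove a mapping. */
+handleDelete(tenantId: string, mappingId: string, auth: AuthContext, env: Env): Promise<Response>;
+}
+//# sourceMappingURL=role-mapping-handler.d.ts.map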
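--- a/package/dist/lib/tenant/role-mapping-handler.d.ts.map
+++ b/package/dist/lib/tenant/role-mapping-handler.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"role-mapping-handler.d.ts","sourceRoot":"","sources":["../../../src/lib/tenant/role-mapping-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAmBxD,qBAAa,kBAAkB;IAC7B,8CAA8C;IACxC,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAyBpB,wDAAwD;IAClD,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAkFpB,wEAAwE;IAClE,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAqFpB,iCAAiC;IAC3B,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;CAiCrB"}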
@@ -0,0 +1,260 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Tenant role-mapping CRUD.
|
|
4
|
+
*
|
|
5
|
+
* Endpoints (wired in routes/tenant-role-mappings.ts):
|
|
6
|
+
* GET /api/tenants/:id/role-mappings
|
|
7
|
+
* POST /api/tenants/:id/role-mappings
|
|
8
|
+
* PATCH /api/tenants/:id/role-mappings/:mappingId
|
|
9
|
+
* DELETE /api/tenants/:id/role-mappings/:mappingId
|
|
10
|
+
*
|
|
11
|
+
* Single-OWNER invariant: writes that target `tenantRole = OWNER` return 422.
|
|
12
|
+
* `resolveTenantRole` (T2) already caps OWNER → ADMIN as defense-in-depth, but
|
|
13
|
+
* we reject at write time so misconfiguration is loud rather than silent.
|
|
14
|
+
*/
|
|
15
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
16
|
+
if (k2 === undefined) k2 = k;
|
|
17
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
18
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
19
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
20
|
+
}
|
|
21
|
+
Object.defineProperty(o, k2, desc);
|
|
22
|
+
}) : (function(o, m, k, k2) {
|
|
23
|
+
if (k2 === undefined) k2 = k;
|
|
24
|
+
o[k2] = m[k];
|
|
25
|
+
}));
|
|
26
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
27
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
28
|
+
}) : function(o, v) {
|
|
29
|
+
o["default"] = v;
|
|
30
|
+
});
|
|
31
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
32
|
+
var ownKeys = function(o) {
|
|
33
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
34
|
+
var ar = [];
|
|
35
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
36
|
+
return ar;
|
|
37
|
+
};
|
|
38
|
+
return ownKeys(o);
|
|
39
|
+
};
|
|
40
|
+
return function (mod) {
|
|
41
|
+
if (mod && mod.__esModule) return mod;
|
|
42
|
+
var result = {};
|
|
43
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
44
|
+
__setModuleDefault(result, mod);
|
|
45
|
+
return result;
|
|
46
|
+
};
|
|
47
|
+
})();
|
|
48
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
49
|
+
exports.RoleMappingHandler = void 0;
|
|
50
|
+
const auth_middleware_1 = require("../auth/auth-middleware");
|
|
51
|
+
const require_1 = require("../auth/require");
|
|
52
|
+
const audit_emit_1 = require("./audit-emit");
|
|
53
|
+
const JSON_HEADERS = { "content-type": "application/json" };
|
|
54
|
+
function jsonResponse(status, body) {
|
|
55
|
+
return new Response(JSON.stringify(body), { status, headers: JSON_HEADERS });
|
|
56
|
+
}
|
|
57
|
+
function unprocessable(message, remediation) {
|
|
58
|
+
return jsonResponse(422, {
|
|
59
|
+
error: "UNPROCESSABLE",
|
|
60
|
+
message,
|
|
61
|
+
...(remediation ? { remediation } : {}),
|
|
62
|
+
});
|
|
63
|
+
}
|
|
64
|
+
class RoleMappingHandler {
|
|
65
|
+
/** GET — list all mappings for the tenant. */
|
|
66
|
+
async handleList(tenantId, auth, env) {
|
|
67
|
+
const denied = (0, auth_middleware_1.requireActiveTenant)(auth, tenantId) ??
|
|
68
|
+
(0, require_1.requireCapability)(auth, require_1.Capability.RoleMappingEdit);
|
|
69
|
+
if (denied)
|
|
70
|
+
return denied;
|
|
71
|
+
const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
|
|
72
|
+
const db = createPrisma(env);
|
|
73
|
+
const mappings = await db.tenantRoleMapping.findMany({
|
|
74
|
+
where: { tenantId },
|
|
75
|
+
orderBy: [{ priority: "asc" }, { idpGroupName: "asc" }],
|
|
76
|
+
select: {
|
|
77
|
+
id: true,
|
|
78
|
+
idpGroupName: true,
|
|
79
|
+
tenantRole: true,
|
|
80
|
+
priority: true,
|
|
81
|
+
createdAt: true,
|
|
82
|
+
updatedAt: true,
|
|
83
|
+
},
|
|
84
|
+
});
|
|
85
|
+
return jsonResponse(200, { mappings });
|
|
86
|
+
}
|
|
87
|
+
/** POST — create a new mapping. Cannot map to OWNER. */
|
|
88
|
+
async handleCreate(tenantId, request, auth, env) {
|
|
89
|
+
const denied = (0, auth_middleware_1.requireActiveTenant)(auth, tenantId) ??
|
|
90
|
+
(0, require_1.requireCapability)(auth, require_1.Capability.RoleMappingEdit);
|
|
91
|
+
if (denied)
|
|
92
|
+
return denied;
|
|
93
|
+
const { z } = await Promise.resolve().then(() => __importStar(require("zod")));
|
|
94
|
+
let body;
|
|
95
|
+
try {
|
|
96
|
+
body = await request.json();
|
|
97
|
+
}
|
|
98
|
+
catch {
|
|
99
|
+
return jsonResponse(400, { error: "INVALID_JSON", message: "Body must be valid JSON" });
|
|
100
|
+
}
|
|
101
|
+
if (typeof body === "object" &&
|
|
102
|
+
body !== null &&
|
|
103
|
+
body.tenantRole === "OWNER") {
|
|
104
|
+
return unprocessable("Cannot map IdP groups to OWNER", `POST /api/tenants/${tenantId}/transfer-ownership`);
|
|
105
|
+
}
|
|
106
|
+
const schema = z.object({
|
|
107
|
+
idpGroupName: z.string().min(1).max(255),
|
|
108
|
+
tenantRole: z.enum(["ADMIN", "MEMBER", "GUEST"]),
|
|
109
|
+
priority: z.number().int().positive().max(100000),
|
|
110
|
+
});
|
|
111
|
+
const parsed = schema.safeParse(body);
|
|
112
|
+
if (!parsed.success) {
|
|
113
|
+
const msg = parsed.error.issues[0]?.message ?? "Invalid input";
|
|
114
|
+
return jsonResponse(400, { error: "VALIDATION_ERROR", message: msg });
|
|
115
|
+
}
|
|
116
|
+
const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
|
|
117
|
+
const db = createPrisma(env);
|
|
118
|
+
try {
|
|
119
|
+
const created = await db.tenantRoleMapping.create({
|
|
120
|
+
data: {
|
|
121
|
+
tenantId,
|
|
122
|
+
idpGroupName: parsed.data.idpGroupName,
|
|
123
|
+
tenantRole: parsed.data.tenantRole,
|
|
124
|
+
priority: parsed.data.priority,
|
|
125
|
+
},
|
|
126
|
+
select: {
|
|
127
|
+
id: true,
|
|
128
|
+
idpGroupName: true,
|
|
129
|
+
tenantRole: true,
|
|
130
|
+
priority: true,
|
|
131
|
+
},
|
|
132
|
+
});
|
|
133
|
+
(0, audit_emit_1.emitTenantAudit)({
|
|
134
|
+
tenantId,
|
|
135
|
+
actorUserId: auth.userId,
|
|
136
|
+
action: "role_mapping.create",
|
|
137
|
+
targetType: "role_mapping",
|
|
138
|
+
targetId: created.id,
|
|
139
|
+
metadata: {
|
|
140
|
+
idpGroupName: created.idpGroupName,
|
|
141
|
+
tenantRole: created.tenantRole,
|
|
142
|
+
},
|
|
143
|
+
});
|
|
144
|
+
return jsonResponse(201, created);
|
|
145
|
+
}
|
|
146
|
+
catch (err) {
|
|
147
|
+
if (err instanceof Error &&
|
|
148
|
+
err.code === "P2002") {
|
|
149
|
+
return jsonResponse(409, {
|
|
150
|
+
error: "DUPLICATE",
|
|
151
|
+
message: "A mapping for this idpGroupName already exists",
|
|
152
|
+
});
|
|
153
|
+
}
|
|
154
|
+
throw err;
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
/** PATCH — update tenantRole and/or priority of an existing mapping. */
|
|
158
|
+
async handleUpdate(tenantId, mappingId, request, auth, env) {
|
|
159
|
+
const denied = (0, auth_middleware_1.requireActiveTenant)(auth, tenantId) ??
|
|
160
|
+
(0, require_1.requireCapability)(auth, require_1.Capability.RoleMappingEdit);
|
|
161
|
+
if (denied)
|
|
162
|
+
return denied;
|
|
163
|
+
const { z } = await Promise.resolve().then(() => __importStar(require("zod")));
|
|
164
|
+
let body;
|
|
165
|
+
try {
|
|
166
|
+
body = await request.json();
|
|
167
|
+
}
|
|
168
|
+
catch {
|
|
169
|
+
return jsonResponse(400, { error: "INVALID_JSON", message: "Body must be valid JSON" });
|
|
170
|
+
}
|
|
171
|
+
if (typeof body === "object" &&
|
|
172
|
+
body !== null &&
|
|
173
|
+
body.tenantRole === "OWNER") {
|
|
174
|
+
return unprocessable("Cannot map IdP groups to OWNER", `POST /api/tenants/${tenantId}/transfer-ownership`);
|
|
175
|
+
}
|
|
176
|
+
const schema = z
|
|
177
|
+
.object({
|
|
178
|
+
tenantRole: z.enum(["ADMIN", "MEMBER", "GUEST"]).optional(),
|
|
179
|
+
priority: z.number().int().positive().max(100000).optional(),
|
|
180
|
+
})
|
|
181
|
+
.refine((d) => d.tenantRole !== undefined || d.priority !== undefined, {
|
|
182
|
+
message: "At least one of tenantRole or priority is required",
|
|
183
|
+
});
|
|
184
|
+
const parsed = schema.safeParse(body);
|
|
185
|
+
if (!parsed.success) {
|
|
186
|
+
const msg = parsed.error.issues[0]?.message ?? "Invalid input";
|
|
187
|
+
return jsonResponse(400, { error: "VALIDATION_ERROR", message: msg });
|
|
188
|
+
}
|
|
189
|
+
const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
|
|
190
|
+
const db = createPrisma(env);
|
|
191
|
+
const existing = await db.tenantRoleMapping.findFirst({
|
|
192
|
+
where: { id: mappingId, tenantId },
|
|
193
|
+
select: { id: true, idpGroupName: true, tenantRole: true, priority: true },
|
|
194
|
+
});
|
|
195
|
+
if (!existing) {
|
|
196
|
+
return jsonResponse(404, { error: "NOT_FOUND", message: "Role mapping not found" });
|
|
197
|
+
}
|
|
198
|
+
const data = {};
|
|
199
|
+
if (parsed.data.tenantRole !== undefined) {
|
|
200
|
+
data.tenantRole = parsed.data.tenantRole;
|
|
201
|
+
}
|
|
202
|
+
if (parsed.data.priority !== undefined)
|
|
203
|
+
data.priority = parsed.data.priority;
|
|
204
|
+
const updated = await db.tenantRoleMapping.update({
|
|
205
|
+
where: { id: existing.id },
|
|
206
|
+
data,
|
|
207
|
+
select: {
|
|
208
|
+
id: true,
|
|
209
|
+
idpGroupName: true,
|
|
210
|
+
tenantRole: true,
|
|
211
|
+
priority: true,
|
|
212
|
+
},
|
|
213
|
+
});
|
|
214
|
+
(0, audit_emit_1.emitTenantAudit)({
|
|
215
|
+
tenantId,
|
|
216
|
+
actorUserId: auth.userId,
|
|
217
|
+
action: "role_mapping.update",
|
|
218
|
+
targetType: "role_mapping",
|
|
219
|
+
targetId: existing.id,
|
|
220
|
+
metadata: {
|
|
221
|
+
previousRole: existing.tenantRole,
|
|
222
|
+
previousPriority: existing.priority,
|
|
223
|
+
newRole: updated.tenantRole,
|
|
224
|
+
newPriority: updated.priority,
|
|
225
|
+
},
|
|
226
|
+
});
|
|
227
|
+
return jsonResponse(200, updated);
|
|
228
|
+
}
|
|
229
|
+
/** DELETE — remove a mapping. */
|
|
230
|
+
async handleDelete(tenantId, mappingId, auth, env) {
|
|
231
|
+
const denied = (0, auth_middleware_1.requireActiveTenant)(auth, tenantId) ??
|
|
232
|
+
(0, require_1.requireCapability)(auth, require_1.Capability.RoleMappingEdit);
|
|
233
|
+
if (denied)
|
|
234
|
+
return denied;
|
|
235
|
+
const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
|
|
236
|
+
const db = createPrisma(env);
|
|
237
|
+
const existing = await db.tenantRoleMapping.findFirst({
|
|
238
|
+
where: { id: mappingId, tenantId },
|
|
239
|
+
select: { id: true, idpGroupName: true, tenantRole: true },
|
|
240
|
+
});
|
|
241
|
+
if (!existing) {
|
|
242
|
+
return jsonResponse(404, { error: "NOT_FOUND", message: "Role mapping not found" });
|
|
243
|
+
}
|
|
244
|
+
await db.tenantRoleMapping.delete({ where: { id: existing.id } });
|
|
245
|
+
(0, audit_emit_1.emitTenantAudit)({
|
|
246
|
+
tenantId,
|
|
247
|
+
actorUserId: auth.userId,
|
|
248
|
+
action: "role_mapping.delete",
|
|
249
|
+
targetType: "role_mapping",
|
|
250
|
+
targetId: existing.id,
|
|
251
|
+
metadata: {
|
|
252
|
+
idpGroupName: existing.idpGroupName,
|
|
253
|
+
tenantRole: existing.tenantRole,
|
|
254
|
+
},
|
|
255
|
+
});
|
|
256
|
+
return new Response(null, { status: 204 });
|
|
257
|
+
}
|
|
258
|
+
}
|
|
259
|
+
exports.RoleMappingHandler = RoleMappingHandler;
|
|
260
|
+
//# sourceMappingURL=role-mapping-handler.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"role-mapping-handler.js","sourceRoot":"","sources":["../../../src/lib/tenant/role-mapping-handler.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAKH,6DAA8D;AAC9D,6CAAgE;AAChE,6CAA+C;AAE/C,MAAM,YAAY,GAAG,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;AAE5D,SAAS,YAAY,CAAC,MAAc,EAAE,IAAa;IACjD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,aAAa,CAAC,OAAe,EAAE,WAAoB;IAC1D,OAAO,YAAY,CAAC,GAAG,EAAE;QACvB,KAAK,EAAE,eAAe;QACtB,OAAO;QACP,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxC,CAAC,CAAC;AACL,CAAC;AAED,MAAa,kBAAkB;IAC7B,8CAA8C;IAC9C,KAAK,CAAC,UAAU,CACd,QAAgB,EAChB,IAAiB,EACjB,GAAQ;QAER,MAAM,MAAM,GACV,IAAA,qCAAmB,EAAC,IAAI,EAAE,QAAQ,CAAC;YACnC,IAAA,2BAAiB,EAAC,IAAI,EAAE,oBAAU,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;QAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC;YACnD,KAAK,EAAE,EAAE,QAAQ,EAAE;YACnB,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;YACvD,MAAM,EAAE;gBACN,EAAE,EAAE,IAAI;gBACR,YAAY,EAAE,IAAI;gBAClB,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,SAAS,EAAE,IAAI;gBACf,SAAS,EAAE,IAAI;aAChB;SACF,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,wDAAwD;IACxD,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,OAAgB,EAChB,IAAiB,EACjB,GAAQ;QAER,MAAM,MAAM,GACV,IAAA,qCAAmB,EAAC,IAAI,EAAE,QAAQ,CAAC;YACnC,IAAA,2BAAiB,EAAC,IAAI,EAAE,oBAAU,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,EAAE,CAAC,EAAE,GAAG,wDAAa,KAAK,GAAC,CAAC;QAClC,IAAI,IAAa,CAAC;QAClB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAC;QAC1F,CAAC;QAED,IACE,OAAO,IAAI,KAAK,QAAQ;YACxB,IAAI,KAAK,IAAI;YACZ,IAAgC,CAAC,UAAU,KAAK,OAAO,EACxD,CAAC;YACD,OAAO,aAAa,CAClB,gCAAgC,EAChC
,qBAAqB,QAAQ,qBAAqB,CACnD,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;YACtB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;YACxC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC;SAClD,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,eAAe,CAAC;YAC/D,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;QAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC;gBAChD,IAAI,EAAE;oBACJ,QAAQ;oBACR,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY;oBACtC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAwB;oBAChD,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ;iBAC/B;gBACD,MAAM,EAAE;oBACN,EAAE,EAAE,IAAI;oBACR,YAAY,EAAE,IAAI;oBAClB,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,IAAI;iBACf;aACF,CAAC,CAAC;YAEH,IAAA,4BAAe,EAAC;gBACd,QAAQ;gBACR,WAAW,EAAE,IAAI,CAAC,MAAM;gBACxB,MAAM,EAAE,qBAAqB;gBAC7B,UAAU,EAAE,cAAc;gBAC1B,QAAQ,EAAE,OAAO,CAAC,EAAE;gBACpB,QAAQ,EAAE;oBACR,YAAY,EAAE,OAAO,CAAC,YAAY;oBAClC,UAAU,EAAE,OAAO,CAAC,UAAU;iBAC/B;aACF,CAAC,CAAC;YAEH,OAAO,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IACE,GAAG,YAAY,KAAK;gBACnB,GAAyB,CAAC,IAAI,KAAK,OAAO,EAC3C,CAAC;gBACD,OAAO,YAAY,CAAC,GAAG,EAAE;oBACvB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,gDAAgD;iBAC1D,CAAC,CAAC;YACL,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,SAAiB,EACjB,OAAgB,EAChB,IAAiB,EACjB,GAAQ;QAER,MAAM,MAAM,GACV,IAAA,qCAAmB,EAAC,IAAI,EAAE,QAAQ,CAAC;YACnC,IAAA,2BAAiB,EAAC,IAAI,EAAE,oBAAU,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,EAAE,CAAC,EAAE,GAAG,wDAAa,KAAK,GAAC,CAAC;QAClC,IAAI,IAAa,CAAC;QAClB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;
QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAC;QAC1F,CAAC;QAED,IACE,OAAO,IAAI,KAAK,QAAQ;YACxB,IAAI,KAAK,IAAI;YACZ,IAAgC,CAAC,UAAU,KAAK,OAAO,EACxD,CAAC;YACD,OAAO,aAAa,CAClB,gCAAgC,EAChC,qBAAqB,QAAQ,qBAAqB,CACnD,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,CAAC;aACb,MAAM,CAAC;YACN,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;YAC3D,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE;SAC7D,CAAC;aACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS,EAAE;YACrE,OAAO,EAAE,oDAAoD;SAC9D,CAAC,CAAC;QAEL,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,eAAe,CAAC;YAC/D,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;QAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,SAAS,CAAC;YACpD,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE;YAClC,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;SAC3E,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAC;QACtF,CAAC;QAED,MAAM,IAAI,GAAwC,EAAE,CAAC;QACrD,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACzC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAwB,CAAC;QACzD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;QAE7E,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC;YAChD,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE;YAC1B,IAAI;YACJ,MAAM,EAAE;gBACN,EAAE,EAAE,IAAI;gBACR,YAAY,EAAE,IAAI;gBAClB,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;aACf;SACF,CAAC,CAAC;QAEH,IAAA,4BAAe,EAAC;YACd,QAAQ;YACR,WAAW,EAAE,IAAI,CAAC,MAAM;YACxB,MAAM,EAAE,qBAAqB;YAC7B,UAAU,
EAAE,cAAc;YAC1B,QAAQ,EAAE,QAAQ,CAAC,EAAE;YACrB,QAAQ,EAAE;gBACR,YAAY,EAAE,QAAQ,CAAC,UAAU;gBACjC,gBAAgB,EAAE,QAAQ,CAAC,QAAQ;gBACnC,OAAO,EAAE,OAAO,CAAC,UAAU;gBAC3B,WAAW,EAAE,OAAO,CAAC,QAAQ;aAC9B;SACF,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAED,iCAAiC;IACjC,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,SAAiB,EACjB,IAAiB,EACjB,GAAQ;QAER,MAAM,MAAM,GACV,IAAA,qCAAmB,EAAC,IAAI,EAAE,QAAQ,CAAC;YACnC,IAAA,2BAAiB,EAAC,IAAI,EAAE,oBAAU,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;QAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAE7B,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,SAAS,CAAC;YACpD,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE;YAClC,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;SAC3D,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAC;QACtF,CAAC;QAED,MAAM,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAElE,IAAA,4BAAe,EAAC;YACd,QAAQ;YACR,WAAW,EAAE,IAAI,CAAC,MAAM;YACxB,MAAM,EAAE,qBAAqB;YAC7B,UAAU,EAAE,cAAc;YAC1B,QAAQ,EAAE,QAAQ,CAAC,EAAE;YACrB,QAAQ,EAAE;gBACR,YAAY,EAAE,QAAQ,CAAC,YAAY;gBACnC,UAAU,EAAE,QAAQ,CAAC,UAAU;aAChC;SACF,CAAC,CAAC;QAEH,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7C,CAAC;CACF;AA1PD,gDA0PC"}
|
|
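--- a/package/dist/lib/tenant/setup-status.d.ts
+++ b/package/dist/lib/tenant/setup-status.d.ts
@@ -0,0 +1,83 @@
+/**
+* Setup-status: machine-friendly tenant onboarding progress.
+*
+* `computeSetupStatus` is a pure function — it does no I/O and can be tested
+* without a database. `loadSetupStatus` performs the Prisma query and calls
+* `computeSetupStatus` with the results.
+*/
+import type { Env } from "../../env";
+export type TenantStatusValue = "ok" | "created" | "missing";
+export interface SetupTenantSection {
+status: TenantStatusValue;
+tenantId: string;
+}
+export type DomainStatus = "verified" | "pending" | "failed";
+export interface SetupDomain {
+domain: string;
+verifiedAt: string | null;
+status: DomainStatus;
+}
+export type IdpStatus = "ACTIVE" | "PENDING" | "DISABLED";
+export interface SetupIdp {
+kind: string;
+status: IdpStatus;
+issuerUrl: string | null;
+}
+export interface SetupRoleMapping {
+id: string;
+externalGroup: string;
+tenantRole: string;
+}
+export type NextStepCode = "DOMAIN_REQUIRED" | "DOMAIN_VERIFICATION_PENDING" | "IDP_REQUIRED" | "ROLE_MAPPING_REQUIRED" | "TEST_SIGN_IN" | "COMPLETE";
+export interface NextStep {
+code: NextStepCode;
+message: string;
+endpoint: string;
+remediation: string;
+}
+export interface SetupStatus {
+tenant: SetupTenantSection;
+domains: SetupDomain[];
+idp: SetupIdp | null;
+roleMappings: SetupRoleMapping[];
+nextStep: NextStep;
+}
+export interface SetupStatusInputDomain {
+domain: string;
+verifiedAt: Date | null;
+failedAt?: Date | null;
+}
+export interface SetupStatusInputIdp {
+kind: string;
+status: string;
+issuerUrl: string | null;
+}
+export interface SetupStatusInputRoleMapping {
+id: string;
+externalGroup: string;
+tenantRole: string;
+}
+export interface SetupStatusInput {
+tenantId: string;
+tenantExists: boolean;
+/**
+* Has at least one successful SSO sign-in been recorded?
+* Trellis records the first successful federated sign-in so this flag
+* can flip `TEST_SIGN_IN` → `COMPLETE`.
+*/
+hasTestSignIn: boolean;
+domains: SetupStatusInputDomain[];
+idp: SetupStatusInputIdp | null;
+roleMappings: SetupStatusInputRoleMapping[];
+}
+/**
+* Deterministically derive the setup-status object from snapshot data.
+* No side effects; safe to call in unit tests without any database.
+*/
+export declare function computeSetupStatus(input: SetupStatusInput): SetupStatus;
+/**
+* Fetch all data needed to compute setup-status in a single read transaction,
+* then return the computed status object.
+*/
+export declare function loadSetupStatus(tenantId: string, env: Env): Promise<SetupStatus | null>;
+//# sourceMappingURL=setup-status.d.ts.map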
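Review bot: The JSDoc on `loadSetupStatus(tenantId, env)`, the last declaration in this file, does not say who authorizes the read. The function takes no auth context, yet `SetupStatus` carries the tenant's domains, the IdP `issuerUrl` and its role mappings. The `RoleMappingHandler` methods added in the same release receive `auth` and call `requireActiveTenant` and `requireCapability` before touching the database; whether the route in front of `loadSetupStatus` does the equivalent is not visible from this declaration. I would add a line such as `* Performs no authorization; the caller must verify tenant access before calling.` to the comment. The comment should also state when the promise resolves to `null`, since `TenantStatusValue` already includes `"missing"` and the two could be read as signalling the same case.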
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"setup-status.d.ts","sourceRoot":"","sources":["../../../src/lib/tenant/setup-status.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AAIrC,MAAM,MAAM,iBAAiB,GAAG,IAAI,GAAG,SAAS,GAAG,SAAS,CAAC;AAE7D,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,iBAAiB,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,SAAS,GAAG,QAAQ,CAAC;AAE7D,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,UAAU,CAAC;AAE1D,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,CAAC;IAClB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,YAAY,GACpB,iBAAiB,GACjB,6BAA6B,GAC7B,cAAc,GACd,uBAAuB,GACvB,cAAc,GACd,UAAU,CAAC;AAEf,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,OAAO,EAAE,WAAW,EAAE,CAAC;IACvB,GAAG,EAAE,QAAQ,GAAG,IAAI,CAAC;IACrB,YAAY,EAAE,gBAAgB,EAAE,CAAC;IACjC,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAID,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,2BAA2B;IAC1C,EAAE,EAAE,MAAM,CAAC;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB;;;;OAIG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,OAAO,EAAE,sBAAsB,EAAE,CAAC;IAClC,GAAG,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAChC,YAAY,EAAE,2BAA2B,EAAE,CAAC;CAC7C;AAID;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,gBAAgB,GAAG,WAAW,CAmGvE;AAID;;;GAGG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAiD7B"}
|