npm - @oneuptime/common - Versions diffs - 11.0.3 → 11.0.4 - Mend

@oneuptime/common 11.0.3 → 11.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

package/Models/DatabaseModels/GlobalSso.ts ADDED Viewed

@@ -0,0 +1,312 @@
+import User from "./User";
+import BaseModel from "./DatabaseBaseModel/DatabaseBaseModel";
+import Route from "../../Types/API/Route";
+import URL from "../../Types/API/URL";
+import ColumnAccessControl from "../../Types/Database/AccessControl/ColumnAccessControl";
+import TableAccessControl from "../../Types/Database/AccessControl/TableAccessControl";
+import TableEditionAccessControl from "../../Types/Database/AccessControl/TableEditionAccessControl";
+import ColumnLength from "../../Types/Database/ColumnLength";
+import ColumnType from "../../Types/Database/ColumnType";
+import CrudApiEndpoint from "../../Types/Database/CrudApiEndpoint";
+import TableColumn from "../../Types/Database/TableColumn";
+import TableColumnType from "../../Types/Database/TableColumnType";
+import TableMetadata from "../../Types/Database/TableMetadata";
+import IconProp from "../../Types/Icon/IconProp";
+import ObjectID from "../../Types/ObjectID";
+import DigestMethod from "../../Types/SSO/DigestMethod";
+import SignatureMethod from "../../Types/SSO/SignatureMethod";
+import { Column, Entity, JoinColumn, ManyToOne } from "typeorm";
+/*
+ * GlobalSSO is an instance-level (non-tenant) SAML 2.0 identity provider.
+ * It is configured by a master admin in the Admin Dashboard and is NOT scoped
+ * to any single project. It can be attached to specific projects (via
+ * GlobalSSOProject) or, when no project is attached, applies to every project
+ * the federated user is already a member of. Access is restricted to master
+ * admins through empty access-control arrays (master-admin/isRoot bypass).
+ */
+@TableEditionAccessControl({
+  requiresEnterprise: true,
+})
+@TableAccessControl({
+  create: [],
+  read: [],
+  delete: [],
+  update: [],
+})
+@CrudApiEndpoint(new Route("/global-sso"))
+@TableMetadata({
+  tableName: "GlobalSSO",
+  singularName: "Global SSO",
+  pluralName: "Global SSO",
+  icon: IconProp.Lock,
+  tableDescription:
+    "Instance-wide SAML SSO that can be connected to any project on this OneUptime server",
+})
+@Entity({
+  name: "GlobalSSO",
+})
+export default class GlobalSSO extends BaseModel {
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: true,
+    type: TableColumnType.ShortText,
+    title: "Name",
+    description: "Any friendly name of this SSO provider",
+    example: "Okta SAML (Company-wide)",
+  })
+  @Column({
+    nullable: false,
+    type: ColumnType.ShortText,
+    length: ColumnLength.ShortText,
+  })
+  public name?: string = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: true,
+    type: TableColumnType.LongText,
+    title: "Description",
+    description: "Friendly description of this SSO provider",
+  })
+  @Column({
+    nullable: false,
+    type: ColumnType.LongText,
+  })
+  public description?: string = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: true,
+    type: TableColumnType.ShortText,
+    title: "Signature Method",
+    description: "Signature Method used by this SSO provider",
+    example: "RSA-SHA256",
+  })
+  @Column({
+    nullable: false,
+    type: ColumnType.ShortText,
+    length: ColumnLength.ShortText,
+  })
+  public signatureMethod?: SignatureMethod = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: true,
+    type: TableColumnType.ShortText,
+    title: "Digest Method",
+    description: "Digest Method used by this SSO provider",
+    example: "SHA256",
+  })
+  @Column({
+    nullable: false,
+    type: ColumnType.ShortText,
+    length: ColumnLength.ShortText,
+  })
+  public digestMethod?: DigestMethod = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: true,
+    type: TableColumnType.LongURL,
+    title: "Sign on URL",
+    description: "Sign on URL (IdP SSO endpoint) of this SSO provider",
+    example: "https://example.com/saml/sso",
+  })
+  @Column({
+    nullable: false,
+    type: ColumnType.LongURL,
+    transformer: URL.getDatabaseTransformer(),
+  })
+  public signOnURL?: URL = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: true,
+    type: TableColumnType.VeryLongText,
+    title: "Issuer URL",
+    description: "Issuer URL (Entity ID) of this SSO provider",
+    example: "https://example.com/saml/metadata",
+  })
+  @Column({
+    nullable: false,
+    type: ColumnType.VeryLongText,
+  })
+  public issuerURL?: string = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: true,
+    type: TableColumnType.VeryLongText,
+    title: "Public Certificate",
+    description:
+      "Public X.509 signing certificate of this SSO provider used to validate SAML assertions",
+  })
+  @Column({
+    nullable: false,
+    type: ColumnType.VeryLongText,
+  })
+  public publicCertificate?: string = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    isDefaultValueColumn: true,
+    type: TableColumnType.Boolean,
+    title: "Disable Sign Up with SSO",
+    description:
+      "When enabled, users must be explicitly invited to a project before they can log in with this SSO provider. Brand new users are never created automatically.",
+    defaultValue: false,
+    example: true,
+  })
+  @Column({
+    type: ColumnType.Boolean,
+    default: false,
+  })
+  public disableSignUpWithSso?: boolean = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    isDefaultValueColumn: true,
+    type: TableColumnType.Boolean,
+    title: "Enabled",
+    description: "Is this SSO provider enabled?",
+    defaultValue: false,
+    example: true,
+  })
+  @Column({
+    type: ColumnType.Boolean,
+    default: false,
+  })
+  public isEnabled?: boolean = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    manyToOneRelationColumn: "createdByUserId",
+    type: TableColumnType.Entity,
+    modelType: User,
+    title: "Created by User",
+    description:
+      "Relation to User who created this object (if this object was created by a User)",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @ManyToOne(
+    () => {
+      return User;
+    },
+    {
+      eager: false,
+      nullable: true,
+      onDelete: "SET NULL",
+      orphanedRowAction: "nullify",
+    },
+  )
+  @JoinColumn({ name: "createdByUserId" })
+  public createdByUser?: User = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    type: TableColumnType.ObjectID,
+    title: "Created by User ID",
+    description:
+      "User ID who created this object (if this object was created by a User)",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @Column({
+    type: ColumnType.ObjectID,
+    nullable: true,
+    transformer: ObjectID.getDatabaseTransformer(),
+  })
+  public createdByUserId?: ObjectID = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    manyToOneRelationColumn: "deletedByUserId",
+    type: TableColumnType.Entity,
+    title: "Deleted by User",
+    modelType: User,
+    description:
+      "Relation to User who deleted this object (if this object was deleted by a User)",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @ManyToOne(
+    () => {
+      return User;
+    },
+    {
+      cascade: false,
+      eager: false,
+      nullable: true,
+      onDelete: "SET NULL",
+      orphanedRowAction: "nullify",
+    },
+  )
+  @JoinColumn({ name: "deletedByUserId" })
+  public deletedByUser?: User = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    type: TableColumnType.ObjectID,
+    title: "Deleted by User ID",
+    description:
+      "User ID who deleted this object (if this object was deleted by a User)",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @Column({
+    type: ColumnType.ObjectID,
+    nullable: true,
+    transformer: ObjectID.getDatabaseTransformer(),
+  })
+  public deletedByUserId?: ObjectID = undefined;
+}

package/Models/DatabaseModels/GlobalSsoProject.ts ADDED Viewed

@@ -0,0 +1,268 @@
+import GlobalSSO from "./GlobalSso";
+import Project from "./Project";
+import Team from "./Team";
+import User from "./User";
+import BaseModel from "./DatabaseBaseModel/DatabaseBaseModel";
+import Route from "../../Types/API/Route";
+import ColumnAccessControl from "../../Types/Database/AccessControl/ColumnAccessControl";
+import TableAccessControl from "../../Types/Database/AccessControl/TableAccessControl";
+import TableEditionAccessControl from "../../Types/Database/AccessControl/TableEditionAccessControl";
+import ColumnType from "../../Types/Database/ColumnType";
+import CrudApiEndpoint from "../../Types/Database/CrudApiEndpoint";
+import TableColumn from "../../Types/Database/TableColumn";
+import TableColumnType from "../../Types/Database/TableColumnType";
+import TableMetadata from "../../Types/Database/TableMetadata";
+import IconProp from "../../Types/Icon/IconProp";
+import ObjectID from "../../Types/ObjectID";
+import {
+  Column,
+  Entity,
+  Index,
+  JoinColumn,
+  JoinTable,
+  ManyToMany,
+  ManyToOne,
+} from "typeorm";
+/*
+ * GlobalSSOProject attaches a GlobalSSO provider to a specific project and
+ * defines the default teams a federated user is provisioned into on first
+ * login. This is also the privilege-escalation allow-list: a SAML assertion
+ * can only ever provision a user into projects that a master admin has
+ * explicitly attached here. If a GlobalSSO has NO attached projects, it
+ * applies to all projects the user is already a member of (invite-first).
+ */
+@TableEditionAccessControl({
+  requiresEnterprise: true,
+})
+@TableAccessControl({
+  create: [],
+  read: [],
+  delete: [],
+  update: [],
+})
+@CrudApiEndpoint(new Route("/global-sso-project"))
+@TableMetadata({
+  tableName: "GlobalSSOProject",
+  singularName: "Global SSO Project",
+  pluralName: "Global SSO Projects",
+  icon: IconProp.Lock,
+  tableDescription:
+    "Attaches an instance-wide SAML SSO provider to a project with default teams",
+})
+@Entity({
+  name: "GlobalSSOProject",
+})
+export default class GlobalSSOProject extends BaseModel {
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    manyToOneRelationColumn: "globalSsoId",
+    type: TableColumnType.Entity,
+    modelType: GlobalSSO,
+    title: "Global SSO",
+    description:
+      "Relation to the Global SSO provider this attachment belongs to",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @ManyToOne(
+    () => {
+      return GlobalSSO;
+    },
+    {
+      eager: false,
+      nullable: false,
+      onDelete: "CASCADE",
+      orphanedRowAction: "nullify",
+    },
+  )
+  @JoinColumn({ name: "globalSsoId" })
+  public globalSso?: GlobalSSO = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @Index()
+  @TableColumn({
+    type: TableColumnType.ObjectID,
+    required: true,
+    canReadOnRelationQuery: true,
+    title: "Global SSO ID",
+    description: "ID of the Global SSO provider this attachment belongs to",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @Column({
+    type: ColumnType.ObjectID,
+    nullable: false,
+    transformer: ObjectID.getDatabaseTransformer(),
+  })
+  public globalSsoId?: ObjectID = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    manyToOneRelationColumn: "projectId",
+    type: TableColumnType.Entity,
+    modelType: Project,
+    title: "Project",
+    description: "Relation to the Project this SSO provider is attached to",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @ManyToOne(
+    () => {
+      return Project;
+    },
+    {
+      eager: false,
+      nullable: false,
+      onDelete: "CASCADE",
+      orphanedRowAction: "nullify",
+    },
+  )
+  @JoinColumn({ name: "projectId" })
+  public project?: Project = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @Index()
+  @TableColumn({
+    type: TableColumnType.ObjectID,
+    required: true,
+    canReadOnRelationQuery: true,
+    title: "Project ID",
+    description: "ID of the Project this SSO provider is attached to",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @Column({
+    type: ColumnType.ObjectID,
+    nullable: false,
+    transformer: ObjectID.getDatabaseTransformer(),
+  })
+  public projectId?: ObjectID = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    required: false,
+    type: TableColumnType.EntityArray,
+    modelType: Team,
+    title: "Default Teams",
+    description:
+      "Teams in this project that a federated user is added to on first SSO login",
+    example: [{ id: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e" }],
+  })
+  @ManyToMany(
+    () => {
+      return Team;
+    },
+    { eager: false },
+  )
+  @JoinTable({
+    name: "GlobalSSOProjectTeam",
+    inverseJoinColumn: {
+      name: "teamId",
+      referencedColumnName: "_id",
+    },
+    joinColumn: {
+      name: "globalSsoProjectId",
+      referencedColumnName: "_id",
+    },
+  })
+  public teams?: Array<Team> = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    isDefaultValueColumn: true,
+    type: TableColumnType.Boolean,
+    title: "Enabled",
+    description: "Is this project attachment enabled?",
+    defaultValue: true,
+    example: true,
+  })
+  @Column({
+    type: ColumnType.Boolean,
+    default: true,
+  })
+  public isEnabled?: boolean = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    type: TableColumnType.ObjectID,
+    title: "Created by User ID",
+    description: "User ID who created this object",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @Column({
+    type: ColumnType.ObjectID,
+    nullable: true,
+    transformer: ObjectID.getDatabaseTransformer(),
+  })
+  public createdByUserId?: ObjectID = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    manyToOneRelationColumn: "createdByUserId",
+    type: TableColumnType.Entity,
+    modelType: User,
+    title: "Created by User",
+    description: "Relation to User who created this object",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @ManyToOne(
+    () => {
+      return User;
+    },
+    {
+      eager: false,
+      nullable: true,
+      onDelete: "SET NULL",
+      orphanedRowAction: "nullify",
+    },
+  )
+  @JoinColumn({ name: "createdByUserId" })
+  public createdByUser?: User = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({
+    type: TableColumnType.ObjectID,
+    title: "Deleted by User ID",
+    description: "User ID who deleted this object",
+    example: "5f8b9c0d-e1a2-4b3c-8d5e-6f7a8b9c0d1e",
+  })
+  @Column({
+    type: ColumnType.ObjectID,
+    nullable: true,
+    transformer: ObjectID.getDatabaseTransformer(),
+  })
+  public deletedByUserId?: ObjectID = undefined;
+}

package/Models/DatabaseModels/Index.ts CHANGED Viewed

@@ -172,6 +172,10 @@ import ProjectSmtpConfig from "./ProjectSmtpConfig";
 //SSO
 import ProjectSSO from "./ProjectSso";
 import ProjectOIDC from "./ProjectOidc";
+import GlobalSSO from "./GlobalSso";
+import GlobalOIDC from "./GlobalOidc";
+import GlobalSSOProject from "./GlobalSsoProject";
+import GlobalOIDCProject from "./GlobalOidcProject";
 import PromoCode from "./PromoCode";
 import EnterpriseLicense from "./EnterpriseLicense";
 import OpenSourceDeployment from "./OpenSourceDeployment";
@@ -583,6 +587,10 @@ const AllModelTypes: Array<{
   ProjectSSO,
   ProjectOIDC,
+  GlobalSSO,
+  GlobalOIDC,
+  GlobalSSOProject,
+  GlobalOIDCProject,
   StatusPageSSO,
   StatusPageOIDC,
   StatusPageSCIM,

package/Models/DatabaseModels/Project.ts CHANGED Viewed

@@ -677,6 +677,37 @@ export default class Project extends TenantModel {
   })
   public requireSsoForLogin?: boolean = undefined;
+  @ColumnAccessControl({
+    create: [],
+    read: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.ProjectMember,
+      Permission.Viewer,
+      Permission.ReadProject,
+      Permission.UnAuthorizedSsoUser,
+      Permission.ProjectUser,
+    ],
+    update: [
+      Permission.ProjectOwner,
+      Permission.ProjectAdmin,
+      Permission.EditProject,
+    ],
+  })
+  @TableColumn({
+    required: false,
+    type: TableColumnType.ObjectID,
+    title: "Require SSO with specific provider",
+    description:
+      "If set, SSO-enforced login for this project is only satisfied by an SSO token issued by this specific provider id (a Project SSO/OIDC or a Global SSO/OIDC). When null, any trusted SSO provider satisfies enforcement.",
+  })
+  @Column({
+    type: ColumnType.ObjectID,
+    nullable: true,
+    transformer: ObjectID.getDatabaseTransformer(),
+  })
+  public requireSsoWithSsoProviderId?: ObjectID = undefined;
   @ColumnAccessControl({
     create: [Permission.User],
     read: [],