Merge pull request #11872 from Budibase/fix/microsoft-sec-advisory
Fix/microsoft sec advisory
This commit is contained in:
commit
abc02102f2
|
@ -18,7 +18,7 @@ export enum ViewName {
|
|||
ROUTING = "screen_routes",
|
||||
AUTOMATION_LOGS = "automation_logs",
|
||||
ACCOUNT_BY_EMAIL = "account_by_email",
|
||||
PLATFORM_USERS_LOWERCASE = "platform_users_lowercase",
|
||||
PLATFORM_USERS_LOWERCASE = "platform_users_lowercase_2",
|
||||
USER_BY_GROUP = "user_by_group",
|
||||
APP_BACKUP_BY_TRIGGER = "by_trigger",
|
||||
}
|
||||
|
|
|
@ -190,6 +190,10 @@ export const createPlatformUserView = async () => {
|
|||
if (doc.tenantId) {
|
||||
emit(doc._id.toLowerCase(), doc._id)
|
||||
}
|
||||
|
||||
if (doc.ssoId) {
|
||||
emit(doc.ssoId, doc._id)
|
||||
}
|
||||
}`
|
||||
await createPlatformView(viewJs, ViewName.PLATFORM_USERS_LOWERCASE)
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@ import {
|
|||
PlatformUser,
|
||||
PlatformUserByEmail,
|
||||
PlatformUserById,
|
||||
PlatformUserBySsoId,
|
||||
User,
|
||||
} from "@budibase/types"
|
||||
|
||||
|
@ -45,6 +46,20 @@ function newUserEmailDoc(
|
|||
}
|
||||
}
|
||||
|
||||
function newUserSsoIdDoc(
|
||||
ssoId: string,
|
||||
email: string,
|
||||
userId: string,
|
||||
tenantId: string
|
||||
): PlatformUserBySsoId {
|
||||
return {
|
||||
_id: ssoId,
|
||||
userId,
|
||||
email,
|
||||
tenantId,
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Add a new user id or email doc if it doesn't exist.
|
||||
*/
|
||||
|
@ -64,11 +79,24 @@ async function addUserDoc(emailOrId: string, newDocFn: () => PlatformUser) {
|
|||
}
|
||||
}
|
||||
|
||||
export async function addUser(tenantId: string, userId: string, email: string) {
|
||||
await Promise.all([
|
||||
export async function addUser(
|
||||
tenantId: string,
|
||||
userId: string,
|
||||
email: string,
|
||||
ssoId?: string
|
||||
) {
|
||||
const promises = [
|
||||
addUserDoc(userId, () => newUserIdDoc(userId, tenantId)),
|
||||
addUserDoc(email, () => newUserEmailDoc(userId, email, tenantId)),
|
||||
])
|
||||
]
|
||||
|
||||
if (ssoId) {
|
||||
promises.push(
|
||||
addUserDoc(ssoId, () => newUserSsoIdDoc(ssoId, email, userId, tenantId))
|
||||
)
|
||||
}
|
||||
|
||||
await Promise.all(promises)
|
||||
}
|
||||
|
||||
// DELETE
|
||||
|
|
|
@ -278,7 +278,12 @@ export class UserDB {
|
|||
builtUser._rev = response.rev
|
||||
|
||||
await eventHelpers.handleSaveEvents(builtUser, dbUser)
|
||||
await platform.users.addUser(tenantId, builtUser._id!, builtUser.email)
|
||||
await platform.users.addUser(
|
||||
tenantId,
|
||||
builtUser._id!,
|
||||
builtUser.email,
|
||||
builtUser.ssoId
|
||||
)
|
||||
await cache.user.invalidateUser(response.id)
|
||||
|
||||
await Promise.all(groupPromises)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
import { generator, uuid, quotas } from "."
|
||||
import { generator, quotas, uuid } from "."
|
||||
import { generateGlobalUserID } from "../../../../src/docIds"
|
||||
import {
|
||||
Account,
|
||||
|
@ -6,10 +6,11 @@ import {
|
|||
AccountSSOProviderType,
|
||||
AuthType,
|
||||
CloudAccount,
|
||||
Hosting,
|
||||
SSOAccount,
|
||||
CreateAccount,
|
||||
CreatePassswordAccount,
|
||||
CreateVerifiableSSOAccount,
|
||||
Hosting,
|
||||
SSOAccount,
|
||||
} from "@budibase/types"
|
||||
import sample from "lodash/sample"
|
||||
|
||||
|
@ -68,6 +69,23 @@ export function ssoAccount(account: Account = cloudAccount()): SSOAccount {
|
|||
}
|
||||
}
|
||||
|
||||
export function verifiableSsoAccount(
|
||||
account: Account = cloudAccount()
|
||||
): SSOAccount {
|
||||
return {
|
||||
...account,
|
||||
authType: AuthType.SSO,
|
||||
oauth2: {
|
||||
accessToken: generator.string(),
|
||||
refreshToken: generator.string(),
|
||||
},
|
||||
pictureUrl: generator.url(),
|
||||
provider: AccountSSOProvider.MICROSOFT,
|
||||
providerType: AccountSSOProviderType.MICROSOFT,
|
||||
thirdPartyProfile: { id: "abc123" },
|
||||
}
|
||||
}
|
||||
|
||||
export const cloudCreateAccount: CreatePassswordAccount = {
|
||||
email: "cloud@budibase.com",
|
||||
tenantId: "cloud",
|
||||
|
@ -91,6 +109,19 @@ export const cloudSSOCreateAccount: CreateAccount = {
|
|||
profession: "Software Engineer",
|
||||
}
|
||||
|
||||
export const cloudVerifiableSSOCreateAccount: CreateVerifiableSSOAccount = {
|
||||
email: "cloud-sso@budibase.com",
|
||||
tenantId: "cloud-sso",
|
||||
hosting: Hosting.CLOUD,
|
||||
authType: AuthType.SSO,
|
||||
tenantName: "cloudsso",
|
||||
name: "Budi Armstrong",
|
||||
size: "10+",
|
||||
profession: "Software Engineer",
|
||||
provider: AccountSSOProvider.MICROSOFT,
|
||||
thirdPartyProfile: { id: "abc123" },
|
||||
}
|
||||
|
||||
export const selfCreateAccount: CreatePassswordAccount = {
|
||||
email: "self@budibase.com",
|
||||
tenantId: "self",
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
import { Account } from "../../documents"
|
||||
import { Account, AccountSSOProvider } from "../../documents"
|
||||
import { Hosting } from "../../sdk"
|
||||
|
||||
export interface CreateAccountRequest {
|
||||
|
@ -11,6 +11,8 @@ export interface CreateAccountRequest {
|
|||
tenantName?: string
|
||||
name?: string
|
||||
password: string
|
||||
provider?: AccountSSOProvider
|
||||
thirdPartyProfile: object
|
||||
}
|
||||
|
||||
export interface SearchAccountsRequest {
|
||||
|
|
|
@ -61,6 +61,7 @@ export interface CreateAdminUserRequest {
|
|||
email: string
|
||||
password: string
|
||||
tenantId: string
|
||||
ssoId?: string
|
||||
}
|
||||
|
||||
export interface CreateAdminUserResponse {
|
||||
|
|
|
@ -20,6 +20,11 @@ export interface CreatePassswordAccount extends CreateAccount {
|
|||
password: string
|
||||
}
|
||||
|
||||
export interface CreateVerifiableSSOAccount extends CreateAccount {
|
||||
provider?: AccountSSOProvider
|
||||
thirdPartyProfile?: any
|
||||
}
|
||||
|
||||
export const isCreatePasswordAccount = (
|
||||
account: CreateAccount
|
||||
): account is CreatePassswordAccount => account.authType === AuthType.PASSWORD
|
||||
|
@ -50,6 +55,8 @@ export interface Account extends CreateAccount {
|
|||
licenseKeyActivatedAt?: number
|
||||
licenseRequestedAt?: number
|
||||
licenseOverrides?: LicenseOverrides
|
||||
provider?: AccountSSOProvider
|
||||
providerType?: AccountSSOProviderType
|
||||
quotaUsage?: QuotaUsage
|
||||
offlineLicenseToken?: string
|
||||
}
|
||||
|
@ -87,6 +94,13 @@ export enum AccountSSOProvider {
|
|||
MICROSOFT = "microsoft",
|
||||
}
|
||||
|
||||
const verifiableSSOProviders: AccountSSOProvider[] = [
|
||||
AccountSSOProvider.MICROSOFT,
|
||||
]
|
||||
export function isVerifiableSSOProvider(provider: AccountSSOProvider): boolean {
|
||||
return verifiableSSOProviders.includes(provider)
|
||||
}
|
||||
|
||||
export interface AccountSSO {
|
||||
provider: AccountSSOProvider
|
||||
providerType: AccountSSOProviderType
|
||||
|
|
|
@ -55,6 +55,7 @@ export interface User extends Document {
|
|||
userGroups?: string[]
|
||||
onboardedAt?: string
|
||||
scimInfo?: { isSync: true } & Record<string, any>
|
||||
ssoId?: string
|
||||
}
|
||||
|
||||
export enum UserStatus {
|
||||
|
|
|
@ -15,4 +15,16 @@ export interface PlatformUserById extends Document {
|
|||
tenantId: string
|
||||
}
|
||||
|
||||
export type PlatformUser = PlatformUserByEmail | PlatformUserById
|
||||
/**
|
||||
* doc id is a unique SSO provider ID for the user
|
||||
*/
|
||||
export interface PlatformUserBySsoId extends Document {
|
||||
tenantId: string
|
||||
userId: string
|
||||
email: string
|
||||
}
|
||||
|
||||
export type PlatformUser =
|
||||
| PlatformUserByEmail
|
||||
| PlatformUserById
|
||||
| PlatformUserBySsoId
|
||||
|
|
|
@ -95,7 +95,7 @@ const parseBooleanParam = (param: any) => {
|
|||
export const adminUser = async (
|
||||
ctx: Ctx<CreateAdminUserRequest, CreateAdminUserResponse>
|
||||
) => {
|
||||
const { email, password, tenantId } = ctx.request.body
|
||||
const { email, password, tenantId, ssoId } = ctx.request.body
|
||||
|
||||
if (await platform.tenants.exists(tenantId)) {
|
||||
ctx.throw(403, "Organisation already exists.")
|
||||
|
@ -136,6 +136,7 @@ export const adminUser = async (
|
|||
global: true,
|
||||
},
|
||||
tenantId,
|
||||
ssoId,
|
||||
}
|
||||
try {
|
||||
// always bust checklist beforehand, if an error occurs but can proceed, don't get
|
||||
|
|
|
@ -14,6 +14,7 @@ function buildAdminInitValidation() {
|
|||
email: Joi.string().required(),
|
||||
password: Joi.string(),
|
||||
tenantId: Joi.string().required(),
|
||||
ssoId: Joi.string(),
|
||||
})
|
||||
.required()
|
||||
.unknown(false)
|
||||
|
|
Loading…
Reference in New Issue