From 39ba79560413525cee7da750e64be4997d484bb6 Mon Sep 17 00:00:00 2001
From: Tuan Dang
Date: Sun, 23 Jul 2023 13:05:37 +0700
Subject: [PATCH] Block inviting members to organization if SAML SSO is configured
---
 .../controllers/v1/membershipOrgController.ts | 13 ++++++++++++
 .../src/ee/controllers/v1/ssoController.ts | 13 ++++++++++++
 .../src/pages/project/[id]/members/index.tsx | 4 +++-
 .../OrgMembersTable/OrgMembersTable.tsx | 21 ++++++++++++++++---
 4 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/backend/src/controllers/v1/membershipOrgController.ts b/backend/src/controllers/v1/membershipOrgController.ts
index b5669a6715..02b99537f1 100644
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@@ -1,6 +1,7 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
 import { MembershipOrg, Organization, User } from "../../models";
+import { SSOConfig } from "../../ee/models";
 import { deleteMembershipOrg as deleteMemberFromOrg } from "../../helpers/membershipOrg";
 import { createToken } from "../../helpers/auth";
 import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
@@ -110,6 +111,18 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 }
 const plan = await EELicenseService.getPlan(organizationId);
+
+ const ssoConfig = await SSOConfig.findOne({
+ organization: new Types.ObjectId(organizationId)
+ });
+
+ if (ssoConfig && ssoConfig.isActive) {
+ // case: SAML SSO is enabled for the organization
+ return res.status(400).send({
+ message:
+ "Failed to invite member due to SAML SSO configured for organization"
+ });
+ }
 if (plan.memberLimit !== null) {
 // case: limit imposed on number of members allowed
diff --git a/backend/src/ee/controllers/v1/ssoController.ts b/backend/src/ee/controllers/v1/ssoController.ts
index 601d81de4d..4837dfd15b 100644
--- a/backend/src/ee/controllers/v1/ssoController.ts
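Review bot: The new SSO guard exists only in `inviteUserToOrganization`, so any other path that creates or completes an organization membership (for example invitations issued before the SSO config became active, or other API versions) would not be covered by it; none of those paths are visible in this hunk, so confirm they enforce the same rule or move the check into a shared helper. A refusal that stems from organization policy rather than a malformed request reads better as `res.status(403)` than `res.status(400)`. A slightly fuller comment such as `// direct invites are refused while the organization's SAML SSO config is active` would state the rule rather than just the case. The handler's body starts and ends outside the hunk, so how `organizationId` is validated before `new Types.ObjectId(organizationId)` cannot be checked here.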
+++ b/backend/src/ee/controllers/v1/ssoController.ts
@@ -10,6 +10,7 @@ import { getSSOConfigHelper } from "../../helpers/organizations";
 import { client } from "../../../config";
 import { ResourceNotFoundError } from "../../../utils/errors";
 import { getSiteURL } from "../../../config";
+import { EELicenseService } from "../../services";
 /**
 * Redirect user to appropriate SSO endpoint after successful authentication
@@ -58,6 +59,12 @@ export const updateSSOConfig = async (req: Request, res: Response) => {
 cert,
 audience
 } = req.body;
+
+ const plan = await EELicenseService.getPlan(organizationId);
+
+ if (!plan.samlSSO) return res.status(400).send({
+ message: "Failed to update SAML SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
+ });
 interface PatchUpdate {
 authProvider?: string;
@@ -203,6 +210,12 @@ export const createSSOConfig = async (req: Request, res: Response) => {
 cert,
 audience
 } = req.body;
+
+ const plan = await EELicenseService.getPlan(organizationId);
+
+ if (!plan.samlSSO) return res.status(400).send({
+ message: "Failed to create SAML SSO configuration due to plan restriction. Upgrade plan to add SSO configuration."
+ });
 const key = await BotOrgService.getSymmetricKey(
 new Types.ObjectId(organizationId)
diff --git a/frontend/src/pages/project/[id]/members/index.tsx b/frontend/src/pages/project/[id]/members/index.tsx
index e3284ae9e5..471c1bca7e 100644
--- a/frontend/src/pages/project/[id]/members/index.tsx
+++ b/frontend/src/pages/project/[id]/members/index.tsx
@@ -183,7 +183,9 @@ export default function Users() {
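Review bot: The `!plan.samlSSO` gate in `updateSSOConfig` rejects every update, which presumably includes a request that only switches the config off. The invite guard added in membershipOrgController.ts tests `ssoConfig.isActive` and not the plan, so an organization whose plan loses `samlSSO` while its config is still active could end up unable to invite members and unable to deactivate SSO; consider letting a deactivation-only update through before the plan check. The same gate is repeated in the `createSSOConfig` hunk (-203,6 +210,12), and a small shared helper would keep the status code and message wording of the two in step. Both handlers continue outside their hunks, so whether `isActive` is part of this request body, and how the caller's right to act on `organizationId` is established, is not visible here.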